[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Jean-Michel Combes jeanmichel.combes at gmail.com
Thu Sep 22 20:48:33 CEST 2011


Hi Jim,

2011/9/22 Jim Small <jim.small at cdw.com>:
> The problem with SeND is limited O/S implementations.

Yes, I agree. And crypto algorithm constraints (i.e., SHA-1, RSA)
don't help either ... a patch is needed if the CGA specifications are
updated, resulting in extra cost, plus interoperability issues between
RFC3972 implementations and RFC3972bis implementations.

> I know there is Linux support,

AFAIK, SEND/CGA is better implemented on FreeBSD (i.e., the kernel has
been modified, IMHO, what is needed to be fully compliant with
SEND/CGA)

> but Windows doesn't support it and I don't believe OS X does either.  There are many ideas for IPv6 security, mobility (MIPv6), and multi-homing (SHIM6) - but without mainstream native O/S support they seem to be limited to a lab.

+1 :s

Best regards.

JMC.

> My impression is that Microsoft and Apple have essentially no interest in these areas.
>
> --Jim
>
> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Jean-Michel Combes
> Sent: Wednesday, September 21, 2011 6:36 PM
> To: IPv6 Hackers Mailing List
> Subject: Re: [ipv6hackers] IPv6 security presentation at Hack.lu 2011
>
> Hi Fernando,
>
> First, thanks for the slides! Great job summarizing the state of the
> art about IPv6 security!
>
> Now, I have comments:
> -  Address resolution
> "SEND is very difficult to deploy (it requires a PKI)"
> AFAIK, you don't need a PKI. CGA is enough to secure NS/NA exchanges.
> Now, the main issue, IMHO, is hard-coded crypto algorithms: SHA-1,
> that should be replaced by the future SHA-3, and RSA, which is not
> very well adapted to constrained devices like sensors.
> - Auto-configuration
> "SEND is very difficult to deploy (it requires a PKI)"
> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
> http://www.rpki.net for ARIN) and openssl already allows generating
> the needed certificates. Now I agree there is still work to deploy
> this technology in product networks.
> - IPsec Support
> "The IETF has acknowledged this fact, and is currently changing IPsec
> support in IPv6 to "optional""
> Sorry, but IPsec support is still a "SHOULD" (vs. "MAY" meaning
> optional) and so IPsec is not optional unless there are specific
> constraints (like sensors).
> Now, as raised many times, the main issue with IPsec is Key Management
> (e.g., pre-shared key, certs, EAP).
>
> Best regards.
>
> JMC.
>
> 2011/9/21 Fernando Gont <fgont at si6networks.com>:
>> Folks,
>>
>> We have uploaded the slides of the IPv6 Security talk I gave at Hack.lu
>> 2011. The slides are available at:
>> <http://www.si6networks.com/presentations/hacklu2011/fgont-hacklu2011-ipv6-security.pdf>
>>
>> If there are any topics in the slides that you think might benefit
>> from debate/discussion/brainstorming, please feel free to post to the list.
>>
>> Thanks!
>> --
>> Fernando Gont
>> SI6 Networks
>> e-mail: fgont at si6networks.com
>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>
>>
>>
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers
>>

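Added example (not part of the thread and not code from any SEND implementation): a sketch of RFC 3972 CGA generation and verification, showing how an address is bound to a public key with no PKI involved and where SHA-1 is fixed into the construction, the two points discussed in the messages above. Assumptions: the key is a constructed byte string standing in for a DER-encoded RSA public key, the modifier starts from a fixed counter instead of a random value, extension fields are omitted, and the RSA signature check that SEND performs on each ND message is out of scope.

```python
import hashlib
import ipaddress

# Clears the Sec bits (0-2) and the u/g bits (6-7) of the interface identifier.
MASK = 0x1CFFFFFFFFFFFFFF


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()  # the hash is fixed by RFC 3972


def hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    # Hash2 input: modifier | 9 zero octets | public key.
    # Its 16*Sec leftmost bits must be zero.
    return sha1(modifier + bytes(9) + pubkey)[: 2 * sec] == bytes(2 * sec)


def generate(prefix: bytes, pubkey: bytes, sec: int = 0, modifier: int = 0):
    """Return (address, modifier) for collision count 0."""
    while not hash2_ok(modifier.to_bytes(16, "big"), pubkey, sec):
        modifier += 1  # brute-force cost grows as 2^(16*Sec)
    mod = modifier.to_bytes(16, "big")
    # Hash1 input: modifier | subnet prefix | collision count | public key.
    hash1 = int.from_bytes(sha1(mod + prefix + b"\x00" + pubkey)[:8], "big")
    iid = (hash1 & MASK) | (sec << 61)  # Sec goes in the 3 leftmost bits
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), mod


def verify(addr, mod: bytes, prefix: bytes, coll: int, pubkey: bytes) -> bool:
    """Check that addr is a CGA for pubkey under the given CGA parameters."""
    raw = ipaddress.IPv6Address(addr).packed
    if coll not in (0, 1, 2) or raw[:8] != prefix:
        return False
    hash1 = int.from_bytes(sha1(mod + prefix + bytes([coll]) + pubkey)[:8], "big")
    iid = int.from_bytes(raw[8:], "big")
    if (hash1 & MASK) != (iid & MASK):
        return False
    return hash2_ok(mod, pubkey, iid >> 61)  # Sec is read from the address


if __name__ == "__main__":
    key = b"constructed stand-in for a DER-encoded RSA public key"
    pfx = ipaddress.IPv6Address("2001:db8:0:1::").packed[:8]
    addr, mod = generate(pfx, key, sec=1)
    print(addr, verify(addr, mod, pfx, 0, key))
```

The verifier needs only the address and the CGA parameters carried in the message, which is why no certificate chain is required for the NS/NA case; changing the hash means changing every call to `sha1` on both sides.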

