[ipv6hackers] IPv6 security presentation at Hack.lu 2011
jim.small at cdw.com
Tue Sep 27 03:37:31 CEST 2011
I just wanted to point out on this thread:
> In addition it would be appropriate to assume there WILL be an IPv6
> firewall when IPv6 is enabled. Alternatively, it would be wrong to
> assume any effective IPv6 firewall exists otherwise. Perhaps you could
> replace "disable IPv6" with "disable Protocol 41" instead. :^)
"Disable proto 41" sounds good for referring to packets being filtered
at a firewall. However, other (not mutually exclusive) options are
avialable, such as disabling v6 suppport at the OS.
> Exactly. Any compromised system within a LAN can easily set up IPv6
> connectivity, specifically because a lax approach was taken where not
> enabling IPv6 was seen as offering improved security. :^(
If you disable IPv6 in the sense of removing support for it, that attack
is not possible.
[JRS>] Specifically with Windows Vista/7/Server 2008/R2 and later IPv6 is a core part of the Operating System. Many features require IPv6 and will not work if you disable it including HyperV, TMG, Exchange, SBS Server, DirectAccess, HomeGroups, and Peer-to-Peer Networking.
I think we all agree there is a clear need for IPv6 and IPv4 is reaching the limits of its scalability. I like Fernando's approach of submitting drafts with suggestions where issues are discovered. I believe the focus should be on encouraging vendors to adopt existing solutions, maintain or achieve parity with IPv4 features, address limitations/vulnerabilities discovered, and actively participate in the IETF and other forums to drive and improve IPv6.
More information about the Ipv6hackers