[ipv6hackers] SLAAC and DHCPv6 support (was Re: IPv6 security presentation at Hack.lu 2011)

fred fred at fredbovy.com
Wed Sep 28 12:29:07 CEST 2011


Hi Fernando,




>> As protocols like DANE get advanced, the need for
>> PKI related services starts to disappear, which removes another
>> impediment against the use of SeND.  Even DANE itself might act as a
>> replacement whenever encryption based upon the certificate at the host
>> is used.
> 
> ... and NATs will disappear with IPv6, and there will be increased use
> of IPsec as a result of IPv6 end-to-end'ness, etc.

SNIP

> 
> For instance, SeND doesn't help much while the DNS is still mostly
> insecure. Rather than bothering with ND spoofing or RA spoofing, an
> attacker could simply spoof DNS responses. -- i.e., the usual "the
> strength of a chain is that of its weakest link".

This is exactly what I said about IPv4...

You can send an ICMP REDIRECT and change the routing of IPv4 end hosts to
any address! You don't have to have IPv6 and RA to do that! It seems that
everybody wakes up to something which has already been there!

I also said that since day one we can also spoof DNS or DHCP responses!
No need for RA to break a Network...

DNSSEC could help but I think it is not compatible with NAT.
And because it is a joke that NAT will disappear one day because people will
never realize that NAT brings many more troubles than it solves problems, we
are having a problem...

So, maybe the best solution may be to just do nothing... Just add some
more NAT as many people think it is the solution and consider that IPv6 was
just a bad idea, an illusion for naive people who thought that an address
for each device which needs connectivity on the Internet would be the
solution. An illusion to think about all these applications which require
direct connections rather than intermediate servers to bypass NAT...





-- 

Fred Bovy
fred at fredbovy.com
Skype: fredericbovy
Mobile: +33676198206
Siret: 5221049000017
Twitter: http://twitter.com/#!/FredBovy
Blog: http://fredbovyipv6.blogspot.com/
ccie #3013
 





