[ipv6hackers] my IPv6 insecurity slides

Fabian Wenk fabian at wenks.ch
Thu Dec 1 01:54:25 CET 2011

Hello Owen

On 30.11.2011 20:19, Owen DeLong wrote:
> Whitelisting sucks!
> However, if you can convince Lorenzo to add your resolver, you do get:

As I wrote in the other mail, I probably need some side channel 
to get this for my private IPv6 network. Could you give me a 
contact to Lorenzo?

> And yet they buy insurance, even though the river above them
> is not flooding yet, the building is not yet on fire, the
> tornado has not yet removed the roof, and the earthquake has
> not yet caused the building to collapse.
> Why is it that they can see the business continuity issues
> with not having insurance, but, we have not been able to
> properly convey the very same issues with failing to deploy
> IPv6?

Probably the wrong people make the decisions where to spend the money.

>> I did see some strange behavior with IPv6. One just recently
>> with sending e-mails to an other dual stacked mail server.
>> And the second with the IDLE function between my mail client
>> and my IMAP server. As far as I know, the version of
>> Thunderbird (3.1.16) I am using fails, so I force it to
>> IPv4. It is fixed in newer versions, but I do not like to
>> upgrade to the fast release cycle of TB and I am waiting
>> until the Extended Support Release is available.
> Care to provide any details on the server side email issue?

It was to a domain which only has one MX entry in DNS (but with 
both IPv4 and IPv6 entries). The mail was stuck in the queue with 
connection timeouts (over IPv6). Manual testing with telnet 
showed that the connection was working. I could send a small 
test e-mail through telnet, but a larger mail failed. A traceroute 
or mtr showed that ICMP was probably filtered a few hosts before 
the destination server. I guess it was a problem with the MTU 
somewhere around there. A few days later it was working again. 
IPv4 would have worked, but my server did not fall back to this, 
as the connection to the same server could be initiated on IPv6.

For my own mail server I have 3 MX entries (all pointing to the 
same physical server): the one with the lowest priority has both 
IPv4 and IPv6 entries, the middle one has only an IPv4 entry and the 
highest one has only an IPv6 entry (to fool spam bots which are on 
IPv4 only). I think that such a setup could have helped on the 
receiving side, so that my server would have tried a different 
MX (with only IPv4) to send the mail.

>> Who thinks that IPv6 will fix basic problems like spam and
>> botnets? I do not think so, why should this fix it? It even
>> will not fix phishing and other social engineering tricks
>> done nowadays. They will also move to IPv6 as soon as they
>> see enough business there.
> In fact, IPv6 may make it harder to combat spam and botnets in some ways
> due to the vast amount of address space and commensurate complication
> of maintaining useful reputation systems due to database size issues and rapid
> address mobility.

This is true and still a very large issue. From this point of 
view, it is a "good" thing that normal end users do not have 
IPv6 yet. Who is going to teach the users to keep their system 
and software up to date and not click on any random .pdf.exe 
attachment they receive? This would probably stop the spam too.

>> I even see new devices sold today, which are not able to run
>> IPv6. Modern home cinema equipment (eg. A/V receiver, TV,
>> media player) come with WLAN or LAN, but are not able to use
>> IPv6. I am happy that my internal network also does support
>> IPv4 behind NAT. :)
> The question is do you buy them? I have started telling

Yes, I did. :(
I have replaced my very old 4:3 CRT TV with a new flat screen. 
And on the TV my preferences were on the picture quality, which I 
really like with the intelligent back light LED (not edge LED), 
which gives true black where it has to be black. The support of 
IPv6 was not really important to me. These new TVs do have a lot 
of Internet gimmicks like Skype, YouTube and a browser, but I do 
not use them. I just use it to watch TV or as a large screen for 
content from other devices. So the Internet connection on the TV 
is only used for firmware updates. I should probably create an 
IPv6-only network, connect the TV to it and then call support 
because the network setup (even automatic) is not working...

> vendors of such equipment that I will not buy their product
> until it includes IPv6 support. In a few cases, making this
> statement and waiting a year has yielded an IPv6-capable
> product. The more people who start telling vendors this, the
> more products we will see get updated with IPv6 support.

Sure, this should be done, and I do it with "real" IT equipment.
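As an added example (not part of the thread and not Fabian's actual DNS), a small Python model of the three-MX layout described above: it lists the delivery candidates a sending MTA walks in MX preference order and checks which address families a less preferred MX still offers once the most preferred one is exhausted, contrasted with the single dual-stacked MX of the receiving domain. Hostnames, addresses and preference values are assumed.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed records mirroring the three-MX layout from the post.
# Preference values (10/20/30), hostnames and addresses are assumed.
MX_RECORDS = [
    (10, "mx-dual.example.net"),   # most preferred: A + AAAA
    (20, "mx-v4.example.net"),     # IPv4 only
    (30, "mx-v6.example.net"),     # IPv6 only, least preferred
]
ADDRESS_RECORDS = {
    "mx-dual.example.net": ["192.0.2.25", "2001:db8::25"],
    "mx-v4.example.net": ["192.0.2.25"],
    "mx-v6.example.net": ["2001:db8::25"],
}
# A single dual-stacked MX, like the receiving domain in the post.
SINGLE_MX = [(10, "mx.example.org")]
SINGLE_ADDRS = {"mx.example.org": ["198.51.100.25", "2001:db8:1::25"]}


def delivery_candidates(mx_records, address_records):
    """Return (preference, host, ip_version, address) tuples in the
    order a sending MTA walks them: most preferred MX first, each of
    its addresses, then the next MX (RFC 5321, section 5.1)."""
    out = []
    for pref, host in sorted(mx_records):
        for addr in address_records.get(host, []):
            out.append((pref, host, ip_address(addr).version, addr))
    return out


def fallback_after_preferred(mx_records, address_records):
    """IP versions still offered by a *less preferred* MX once the
    most preferred MX is exhausted. An empty set means a stuck
    attempt on MX #1 leaves no other host to move on to."""
    cands = delivery_candidates(mx_records, address_records)
    if not cands:
        return set()
    top = cands[0][0]
    return {ver for pref, _, ver, _ in cands if pref > top}


def families_by_mx(mx_records, address_records):
    """Map each MX host to the IP versions it publishes, to make the
    IPv4-only / IPv6-only split of the layout visible."""
    fams = defaultdict(set)
    for _, host, ver, _ in delivery_candidates(mx_records, address_records):
        fams[host].add(ver)
    return dict(fams)
```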

