[ipv6hackers] my IPv6 insecurity slides
cb.list6 at gmail.com
Thu Dec 1 02:09:15 CET 2011
On Nov 30, 2011 4:54 PM, "Fabian Wenk" <fabian at wenks.ch> wrote:
> Hello Owen
> On 30.11.2011 20:19, Owen DeLong wrote:
>> Whitelisting sucks!
>> However, if you can convince Lorenzo to add your resolver, you do get:
> As I wrote in the other mail, I probably need some side channel to get
this for my private IPv6 network. Could you give me a contact to Lorenzo?
>> And yet they buy insurance, even though the river above them
>> is not flooding yet, the building is not yet on fire, the
>> tornado has not yet removed the roof, and the earthquake has
>> not yet caused the building to collapse.
>> Why is it that they can see the business continuity issues
>> with not having insurance, but, we have not been able to
>> properly convey the very same issues with failing to deploy
> Probably the wrong people do the decisions where to spend the money.
>>> I did see some strange behavior with IPv6. One just recently
>>> with sending e-mails to an other dual stacked mail server.
>>> And the second with the IDLE function between my mail client
>>> and my IMAP server. As far as I know, the version of
>>> Thunderbird (3.1.16) I am using fails, so I force it to
>>> IPv4. It is fixed in newer versions, but I do not like to
>>> upgrade to the fast release cycle of TB and I am waiting
>>> until the Extended Support Release is available.
>> Care to provide any details on the server side email issue?
> It was to a domain which only has one MX entry in DNS (but with both IPv4
and IPv6 entries). The mail was stuck in the queue with connection timeouts
(over IPv6). Manual testing with telnet showed, that the connection was
working. I could send a small test e-mail trough telnet, but a larger mail
failed. A traceroute or mtr showed, that a few hosts before the destination
servers probably ICMP was filtered. I guess it was a problem with the MTU
somewhere around there. A few days later it was working again. IPv4 would
have worked, but my server did not fall back to this, as the connection to
the same server could be initiated on IPv6.
> For my own mail server I have 3 MX entries (all pointing to the same
physical server), the one with the lowest priority has both IPv4 and IPv6
entries, the middle with only an IPv4 entry and the highest with only IPv6
entry (to fool spam bots which are on IPv4 only). I think that such an
setup could have helped on the receiving side, so that my server would have
tried on a different MX (with only IPv4) to send the mail.
>>> Who thinks that IPv6 will fix basic problems like spam and
>>> botnets? I do not thinks so, why should this fix it? It even
>>> will not fix phishing and other social engineering tricks
>>> done nowadays. They will also move to IPv6 as soon as they
>>> see enough business there.
>> In fact, IPv6 may make it harder to combat spam and botnets in some ways
>> due to the vast amount of address space and commensurate complication
>> of maintaining useful reputation systems due to database size issues and
>> address mobility.
> This is true and still a very large issue. From this point of view, it is
a "good" thing, that normal end users do not have IPv6 yet. Who is going to
teach the users do keep their system and software up to date and not click
on any random .pdf.exe attachment they receive? This would probably stop
the spam too.
>>> I even see new devices sold today, which are not able to run
>>> IPv6. Modern home cinema equipment (eg. A/V receiver, TV,
>>> media player) come with WLAN or LAN, but are not able to use
>>> IPv6. I am happy that my internal network also does support
>>> IPv4 behind NAT. :)
>> The question is do you buy them? I have started telling
> Yes, I did. :(
> I have replaced my very old 4:3 CRT TV with a new flat screen. And on the
TV my preferences were on the picture quality, which I really like with the
intelligent back light LED (not edge LED) which gives true black where it
has to be black. The support of IPv6 was not really important to me. This
new TVs do have a lot of Internet gimmicks like Skype, Youtube and a
browser, but I do not use them. I just use it to watch TV or as a large
screen for content from other devices. So the Internet connection on the TV
is only used for firmware updates. I should probably create a IPv6 only
network and connect the TV to it and then call support because the network
setup (even automatic) is not working...
>> vendors of such equipment that I will not buy their product
>> until it includes IPv6 support. In a few cases, making this
>> statement and waiting a year has yielded an IPv6-capable
>> product. The more people who start telling vendors this, the
>> more products we will see get updated with IPv6 support.
> Sure, this should be done, and I do it with "real" IT equipment.
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
More information about the Ipv6hackers