[ipv6hackers] IPv6 security (slides and training)
Douglas Otis
dotis at mail-abuse.org
Tue Nov 8 20:50:46 CET 2011
On 11/8/11 8:44 AM, Fernando Gont wrote:
> Folks,
>
> We have uploaded the slides of my IPv6 Security presentation at H2HC
> 2011. -- The slides are available at:
> <http://www.si6networks.com/presentations/h2hc2011/fgont-h2hc2011-ipv6-security.pdf>.
Fernando,
Clearly, networks are more secure not connecting to the Internet, but in
most cases that is not practical.
A retreat to IPv4 will not provide safer access to the Internet, whether
one were to consider IPv6 security a myth or not. Currently, there are
65,000 times more IPv6 /64 prefixes announced than IPv4 /32 addresses
within the entire 3.8 billion IPv4 unicast space. This space is growing
geometrically with the graph becoming nearly vertical. A rough guess
might be announcements will soon slow at 1.4 quadrillion (1000 trillion)
IPv6 /64 prefixes. Retaining IPv4-only local networks means Internet
traffic must be carried over Large Scale NATs (LSNs) offering unknown
and insecure end points.
IPsec is not the only way to implement end-to-end security. Security
related assumptions premised on use of IPv4 must be questioned, just as
they should be for IPv6. As a general rule, no OS unable to properly
handle IPv6 should be used. Even so, coping with the size of today's
Internet remains a challenge. The size of the Internet demands adoption
of better end-to-end security strategies. These strategies could
include Kerberos services that simply authenticate clients. Kerberos is
not encumbered and is adopted by most OS vendors.
http://tools.ietf.org/html/rfc6281
This RFC illustrates how Kerberos and other standard protocols can
establish security _anywhere_.
IMHO, this scheme should be further enhanced. Kerberos could offer a
strategy for opening firewalls that protect less robust services based
upon authentication of domain certificates, such as PKI or DANE, after
which subsequent sessions can be confirmed using simple and fast ticket
verifications. An inter-realm exchange sharing which domains received
tickets could then inform firewalls. Kerberos could act to guard
against various attacks simply by unblocking desired domains and
ensuring problematic domains remain blocked. A strategy able to operate
cryptographically at the domain would better ensure security remains
independent of trust misplaced on any IP address.
-Doug
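The scheme Doug sketches above (a firewall that opens for a domain only after a ticket has been verified, keeps problematic domains blocked regardless, and then relies on cheap ticket checks for subsequent sessions) can be illustrated with a small simulation. The code below is an added example, not code from the list post, from RFC 6281, or from any Kerberos implementation: the "ticket" is a constructed HMAC-authenticated blob standing in for a real Kerberos service ticket (which would be encrypted under the service's key and issued by a KDC), the shared key, domain names, and timestamps are constructed sample values, and the `TicketGatedFirewall` class is a hypothetical policy engine keyed by domain rather than by IP address, which is the property Doug argues for.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions for this example, not real deployments).
SERVICE_KEY = b"constructed-shared-secret-between-kdc-and-firewall"
BLOCKED_DOMAINS = {"bad.example"}
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_ticket(client_domain, service, key, now, lifetime=300):
    """Stand-in for a KDC issuing a service ticket.

    A real Kerberos ticket is encrypted under the service key; here the
    ticket body is only integrity-protected with an HMAC so the example
    stays short and dependency-free.
    """
    body = {
        "domain": client_domain,   # the authenticated client realm/domain
        "service": service,        # the service the ticket is good for
        "iat": now,                # issued-at time (seconds)
        "exp": now + lifetime,     # expiry time (seconds)
    }
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, raw, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(raw + mac).decode()


def verify_ticket(ticket, key, now):
    """Return the ticket body if the MAC and validity window check out, else None.

    This is the 'simple and fast' per-session check: one HMAC and two
    integer comparisons, no certificate chain walk.
    """
    try:
        blob = base64.urlsafe_b64decode(ticket)
    except ValueError:
        return None
    raw, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):   # constant-time compare
        return None
    body = json.loads(raw)
    if not (body["iat"] <= now < body["exp"]):   # reject stale or not-yet-valid
        return None
    return body


class TicketGatedFirewall:
    """Hypothetical firewall policy: allow-list keyed by domain, opened by tickets."""

    def __init__(self, key, blocked_domains):
        self.key = key
        self.blocked = set(blocked_domains)
        self.allowed = {}  # domain -> expiry of the ticket that opened it

    def admit(self, ticket, now):
        """Decide ACCEPT/DROP for a new session presenting a ticket."""
        body = verify_ticket(ticket, self.key, now)
        if body is None:
            return "DROP"  # forged, tampered, or expired ticket
        domain = body["domain"]
        if domain in self.blocked:
            return "DROP"  # a valid ticket never overrides the block-list
        self.allowed[domain] = body["exp"]
        return "ACCEPT"

    def is_open(self, domain, now):
        """Has this domain been unblocked, and is that grant still within its ticket lifetime?"""
        exp = self.allowed.get(domain)
        return exp is not None and now < exp


if __name__ == "__main__":
    fw = TicketGatedFirewall(SERVICE_KEY, BLOCKED_DOMAINS)
    good = issue_ticket("client.example", "mail", SERVICE_KEY, now=1000)
    print("good ticket:", fw.admit(good, now=1000))
    print("open at t=1100:", fw.is_open("client.example", now=1100))
    print("open at t=1400:", fw.is_open("client.example", now=1400))
    blocked = issue_ticket("bad.example", "mail", SERVICE_KEY, now=1000)
    print("blocked domain with valid ticket:", fw.admit(blocked, now=1000))
```

Two points the simulation makes concrete: the decision is made on the authenticated domain carried in the ticket, so a host changing IP addresses does not change the outcome, and a ticket for a block-listed domain is dropped even when its cryptographic check passes, so the block-list is never bypassed by mere possession of a ticket.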