[ipv6hackers] IPv6 security (slides and training)

Douglas Otis dotis at mail-abuse.org
Tue Nov 8 20:50:46 CET 2011

On 11/8/11 8:44 AM, Fernando Gont wrote:
> Folks,
> We have uploaded the slides of my IPv6 Security presentation at H2HC
> 2011. -- The slides are available at:
> <http://www.si6networks.com/presentations/h2hc2011/fgont-h2hc2011-ipv6-security.pdf>.

Clearly, networks are more secure not connecting to the Internet, but in 
most cases that is not practical.

A retreat to IPv4 will not provide safer access to the Internet, whether 
one were to consider IPv6 security a myth or not.  Currently, there is 
65,000 times more IPv6 /64 prefixes announced than IPv4 /32 addresses 
within the entire 3.8 billion IPv4 unicast space.  This space is growing 
geometrically with the graph becoming nearly vertical.  A rough guess 
might be announcements will soon slow at 1.4 quadrillion (1000 trillion) 
IPv6 /64 prefixes.  Retaining IPv4 only local networks means Internet 
traffic must be carried over Large Scale NATs (LSNs) offering unknown 
and insecure end points.

IPsec is not the only way to implement end-to-end security.  Security 
related assumptions premised on use of IPv4 must be questioned, just as 
they should be for IPv6.  As a general rule, no OS unable to properly 
handle IPv6 should be used.  Even so, coping with the size of Today's 
Internet remains a challenge.  The size of the Internet demands adoption 
of better end-to-end security strategies.  These strategies could 
include Kerberos services that simply authenticate clients.  Kerberos is 
not encumbered and is adopted by most OS vendors.

This RFC illustrates how Kerberos and other standard protocols can 
establish security _anywhere_.

IMHO, this scheme should be further enhanced.  Kerberos could offer a 
strategy for opening Firewalls that protect less robust services based 
upon authentication of domain certificates, such as PKI or DANE.  After 
which, subsequent sessions can be confirmed using simple and fast ticket 
verifications.  An inter-realm exchange sharing which domains received 
tickets could then inform firewalls.  Kerberos could act to guard 
against various attacks simply by unblocking desired domains and 
ensuring problematic domains remain blocked.  A strategy able to operate 
cryptographically at the domain would better ensure security remains 
independent of trust misplaced on any IP address.


More information about the Ipv6hackers mailing list