[ipv6hackers] IPv6 security (slides and training)

Fernando Gont fgont at si6networks.com
Wed Nov 9 00:27:21 CET 2011

On 11/08/2011 04:50 PM, Douglas Otis wrote:

> Clearly, networks are more secure not connecting to the Internet, but in
> most cases that is not practical.
> A retreat to IPv4 will not provide safer access to the Internet, whether
> one were to consider IPv6 security a myth or not.  

Which part of the presentation gave you the idea that I'm advocating a
retreat to IPv4???

For the record: I'm not.

Address exhaustion is a real problem, and the only solution on the table
is IPv6. That's the reason to deploy it. -- And my presentation didn't
argue against that.

> Currently, there are
> 65,000 times more IPv6 /64 prefixes announced than IPv4 /32 addresses
> within the entire 3.8 billion IPv4 unicast space.  This space is growing
> geometrically with the graph becoming nearly vertical.  A rough guess
> might be announcements will soon slow at 1.4 quadrillion (1000 trillion)
> IPv6 /64 prefixes.  Retaining IPv4-only local networks means Internet
> traffic must be carried over Large Scale NATs (LSNs) offering unknown
> and insecure end points.

Again, I do not necessarily advocate that. However, there are some
scenarios (defense networks, for example) in which you don't want to
deploy IPv6 unless you really need it.

> IPsec is not the only way to implement end-to-end security.

Not only that. In some cases it may be undesirable, or may not provide
what you want (e.g., you may want to authenticate a user, rather than
the end-point itself).

> Security
> related assumptions premised on use of IPv4 must be questioned, just as
> they should be for IPv6.  As a general rule, no OS unable to properly
> handle IPv6 should be used.  

Under your general rule, people should probably use only OpenBSD.

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
