[ipv6hackers] IPv6 security (slides and training)
Fernando Gont
fgont at si6networks.com
Wed Nov 9 00:27:21 CET 2011
On 11/08/2011 04:50 PM, Douglas Otis wrote:
> Clearly, networks are more secure not connecting to the Internet, but in
> most cases that is not practical.
>
> A retreat to IPv4 will not provide safer access to the Internet, whether
> one were to consider IPv6 security a myth or not.
Which part of the presentation gave you the idea that I'm advocating a
retreat to IPv4???
For the record: I'm not.
Address exhaustion is a real problem, and the only solution on the table
is IPv6. That's the reason to deploy it. -- And my presentation didn't
argue against that.
> Currently, there are
> 65,000 times more IPv6 /64 prefixes announced than IPv4 /32 addresses
> within the entire 3.8 billion IPv4 unicast space. This space is growing
> geometrically with the graph becoming nearly vertical. A rough guess
> might be announcements will soon slow at 1.4 quadrillion (1000 trillion)
> IPv6 /64 prefixes. Retaining IPv4 only local networks means Internet
> traffic must be carried over Large Scale NATs (LSNs) offering unknown
> and insecure end points.
Again, I do not necessarily advocate that. However, there are some
scenarios (defense networks, for example) in which you don't want to
deploy IPv6 unless you really need it.
> IPsec is not the only way to implement end-to-end security.
Not only that. In some cases it may be undesirable, or may not provide
what you want (e.g., you may want to authenticate a user, rather than
the end-point itself).
> Security
> related assumptions premised on use of IPv4 must be questioned, just as
> they should be for IPv6. As a general rule, no OS unable to properly
> handle IPv6 should be used.
Under your general rule, people should probably use only OpenBSD.
Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492