[ipv6hackers] IPv6 security (slides and training)

Fernando Gont fgont at si6networks.com
Thu Nov 10 01:35:02 CET 2011 

On 11/09/2011 08:57 PM, Carlos Martinez-Cagnazzo wrote:

> I sometimes wonder about all this perceived risks/vulns affecting
> IPv6. There were *a lot* of similar vulns in IPv4 back in the time.
> You could remotely crash a host with a single command (ping-of-death
> anyone? that was really fun :-) ), yet luckily no one at the time
> thought that postponing Internet deployment indefinitely until all
> IPv4 and network related bugs were patched was a viable alternative.
> We patched vulns and moved on, waiting for the next one.

Yes, but, at the time:

* We didn't depend on the Internet/networks the way we depend today.
* By the time business were on the Internet, the community had quite a
few years of experience with IPv4, already (and many people that should
be deploying v6 have no clue about it)

In any case, I'm not arguing that one should patch all bugs, and only
then deploy IPv6.

I simply argue that there are some networks in which "you don't touch
anything unless it is really necessary". -- And that doesn't have
anything to do with IPv6 in particular.. the same would apply to any
other technology.



> Now, on the other hand, we seem to feel that dying the slow death of
> CGN is a preferable alternative to deploying IPv6 (with its bugs and
> all). When did we as a community became so risk-averse ?

Maybe when the same vendors that pretend to be IPv6 proponents do not
even run v6 on their own sites, and recommend their customers CGN as an
alternative to IPv6 deployment?



> I had a very heated argument some time ago with one person that said
> that deploying IPv6 was an unacceptable proposition to him because
> some ICMP messages had to be let through filters. 

This is pretty dumb, since the same thing applied to IPv4: some messages
-- notably "frag needed and df bit set" -- must not be filtered. It is
filtering such messages that e.g. has led to PMTUD black-holes.



> The mentality of
> "security tramples everything, no matter what" is doing more harm than
> good to the whole Internet ecosystem.

I'm of the idea that everything depends on the context. Taking things to
the extreme in the wrong scenario is clearly dumb.

e.g., if you're browsing the web with IE/Windows, IPv6 should probably
be the last of your concerns. OTOH, in the case of an automation
network, a military (operations) network, or the like, the analysis
would probably be different.



> Sure, if your adversary is the Chinese government, or the FBI, you
> must be extra-careful. Sure, maybe you should not IPv6-enable your
> nuclear plant just yet, our your air-traffic control system. But
> c'mon, how really critical are 99% of networks out there? 

*Exactly*! -- That's why I don't understand that "there are some
scenarios in which you may not want to deploy IPv6" sounds
controversial... since those scenarios clearly represent >5% of networks.


> Regardless
> how paranoid we feel, neither of those adversaries are coming after
> 99% of people anytime soon. I'm more scared of phishers and banking
> trojans and DNS poisoning, really. And those have nothing to do with
> IPv6.

Again, fully agree. In some of my slidewhere I mention exactly this.

However, this problem was probably started by IPv6 "proponents"
themselves, with the claims of all the security improvements we were
going to have.

I think we'd been better off focusing on the fact that IPv6 provides the
extra addresses we need, rather than trying to "sell" the IPv6 idea with
mythology such as "improved security", "improved QoS", etc.

That's exactly when focus is lost...



> I do believe that research into IPv6 bugs is valuable, and that effort
> must be put into fixing all issues, but on the other hand I believe
> that the actual risk for a large percentage of users is being
> magnified and is much lower than the risk they face from other
> threats. 

This is what I've noted above. However, I don't think the low level of
v6 deployment has anything to do with "security".



> If you kept reading this far, I owe you a beer. Make me remember next
> time we meet ;)

Quito 2012? ;-)

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Ipv6hackers mailing list