[ipv6hackers] IPv6 security (slides and training)
dotis at mail-abuse.org
Thu Nov 10 03:07:53 CET 2011
On 11/9/11 11:46 AM, Geoff Huston wrote:
> On 09/11/2011, at 2:12 PM, Douglas Otis wrote:
>> Page 5 "(current estimations are that IPv6 traffic is less than 1% of total traffic)"
>> This estimation is problematic and ignores massive growth in actual IPv6 deployment.
> Are you able to cite your measurement sources?
This was citing statistics collected on your website. You are right,
the term deployment grossly overstates BGP announcements converted to
/64 equivalent prefixes. This was being viewed from the aspect of
security, where the scale indicates there will be an eventual need to
adopt different defensive strategies. Rather than complaining about the
amount of IPv6 traffic being low and manageable for various reasons, new
strategies will be needed to effectively react to distributed sources of
abuse. The size of this threat can quickly exceed resources currently
One solution might be services are defended by a Kerberos that confirms
domain certificates, perhaps those of a CA or DANE. Once confirmed,
Kerberos reports the domain to the service provider. The service
provider may then obtain the addresses to be used, perhaps in the form
of APL RRsets. The service provider could then open firewalls or routes
for the domain, and even confirm traffic using the Kerberos ticket
hashes. This approach could deal with exchanges carried over LSNs as
well. Perhaps this would leave Kerberos enduring the vastness of IPv6
> (I have heard this claim of "massive growth in actual IPv6<foo>" for many years, and I have yet to be able to see such measurements of<foo> or be able to replicate them myself. The measurements I have been undertaking point to a relatively flat line of IPv6 adoption that encompasses around 0.3% - 0.4% of the client base. It leads me to the conclusion that in spite of the principles of faith-based transformation, constant repetition of this particular mantra of the "massive growth in IPv6 deployment" does not make it true!)
I also have sought better data regarding IPv6/IPv4 traffic. These
potentials remain unknown for various reasons. Even so, such statistics
would not reflect whether IPv6 can be utilized internally in a manner
that improves security. Whether IPv6 will improve security goes to the
heart of IPv6 adoption.
More information about the Ipv6hackers