[ipv6hackers] IPv6 security (slides and training)

Douglas Otis dotis at mail-abuse.org
Thu Nov 10 03:07:53 CET 2011


On 11/9/11 11:46 AM, Geoff Huston wrote:
> On 09/11/2011, at 2:12 PM, Douglas Otis wrote:
>
>> Page 5 "(current estimations are that IPv6 traffic is less than 1% of total traffic)"
>>
>> This estimation is problematic and ignores massive growth in actual IPv6 deployment.
> Are you able to cite your measurement sources?
Geoff,

This was citing statistics collected on your website.  You are right, 
the term deployment grossly overstates BGP announcements converted to 
/64 equivalent prefixes.  This was being viewed from the aspect of 
security, where the scale indicates there will be an eventual need to 
adopt different defensive strategies.  Rather than complaining about the 
amount of IPv6 traffic being low and manageable for various reasons, new 
strategies will be needed to effectively react to distributed sources of 
abuse.  The size of this threat can quickly exceed resources currently 
defending services.

One solution might be for services to be defended by a Kerberos that 
confirms domain certificates, perhaps those of a CA or DANE.  Once confirmed, 
Kerberos reports the domain to the service provider.  The service 
provider may then obtain the addresses to be used, perhaps in the form 
of APL RRsets.  The service provider could then open firewalls or routes 
for the domain, and even confirm traffic using the Kerberos ticket 
hashes.  This approach could deal with exchanges carried over LSNs as 
well.  Perhaps this would leave Kerberos enduring the vastness of IPv6 
sources.
> (I have heard this claim of "massive growth in actual IPv6<foo>" for many years, and I have yet to be able to see such measurements of<foo>  or be able to replicate them myself. The measurements I have been undertaking point to a relatively flat line of IPv6 adoption that encompasses around 0.3% - 0.4% of the client base. It leads me to the conclusion that in spite of the principles of faith-based transformation, constant repetition of this particular mantra of the "massive growth in IPv6 deployment" does not make it true!)
I also have sought better data regarding IPv6/IPv4 traffic.  These 
potentials remain unknown for various reasons.  Even so, such statistics 
would not reflect whether IPv6 can be utilized internally in a manner 
that improves security.  Whether IPv6 will improve security goes to the 
heart of IPv6 adoption.

-Doug