[ipv6hackers] IPv6 security (slides and training)

Owen DeLong owend at he.net
Thu Nov 10 02:45:49 CET 2011


On Nov 9, 2011, at 4:35 PM, Fernando Gont wrote:

> On 11/09/2011 08:57 PM, Carlos Martinez-Cagnazzo wrote:
> 
>> I sometimes wonder about all this perceived risks/vulns affecting
>> IPv6. There were *a lot* of similar vulns in IPv4 back in the time.
>> You could remotely crash a host with a single command (ping-of-death
>> anyone? that was really fun :-) ), yet luckily no one at the time
>> thought that postponing Internet deployment indefinitely until all
>> IPv4 and network related bugs were patched was a viable alternative.
>> We patched vulns and moved on, waiting for the next one.
> 
> Yes, but, at the time:
> 
> * We didn't depend on the Internet/networks the way we depend today.
> * By the time business were on the Internet, the community had quite a
> few years of experience with IPv4, already (and many people that should
> be deploying v6 have no clue about it)
> 
Bzzzt... Thanks for playing.

Ping of Death survived well into widespread business IPv4 deployment.
> 
> I simply argue that there are some networks in which "you don't touch
> anything unless it is really necessary". -- And that doesn't have
> anything to do with IPv6 in particular.. the same would apply to any
> other technology.
> 

FWIW, this is a much better way to say it. This conveys what you are
trying to say instead of getting auto-filtered into the "don't deploy
IPv6 unless you have to" sound-bite that comes from the other one.

>> I had a very heated argument some time ago with one person that said
>> that deploying IPv6 was an unacceptable proposition to him because
>> some ICMP messages had to be let through filters. 
> 
> This is pretty dumb, since the same thing applied to IPv4: some messages
> -- notably "frag needed and df bit set" -- must not be filtered. It is
> filtering such messages that e.g. has led to PMTUD black-holes.
> 

In case you've been living under a rock, hardly anyone actually expects
IPv4 PMTU-D to work. We've all long-since worked around broken ICMP
filters in IPv4.

Note, I'm not saying this is a good thing, just that it is the reality we are
faced with. I do think we should smack the various Japanese operators
that continue to deliberately break PMTU-D on IPv6 upside the head.
(You know who you are).

Owen





More information about the Ipv6hackers mailing list