[ipv6hackers] IPv6 security (slides and training)

Fred Bovy fred at fredbovy.com
Fri Nov 11 00:14:42 CET 2011


I am definitely with you CarlosŠ

You mentioned the ping of death for IPv4 but crashing Windows box
including Servers was (may be it is still the case but I am too old to
play this game now) also a piece of cake! I remember once I crashed the
whole company LAN station by station including servers just with a NESSUS
security scan! And nobody was even thinking about stopping Windows
production!!!!

This transition to IPv6 more and more reminds me the Y2KŠ Which was just a
non-event!

It is the first time in the Networking history that we have so many tools,
protocols and endless discussions for migrating to a new network protocol!


I started to work in the Networking industry about 25 years ago and I have
seen many protocols which were major changes like X.25, ATM, TCP/IP
(IPv4), OSI and Decnet Phase V, LU6.2 APPN for IBMŠ

They were all revolutionary and supposed to become #1 to federate all
networks at least for ATM or OSI in the 90s...

It seems that IPv6 is winning over ATM (fair enough) or OSI which could
have been the successor for IPv4 with its 160 bits address and was
perceived as the best successor for IPv4...

The Airlines had mission critical transactional applications on mainframes
with dumb terminal generating $$$... They migrated to NETBIOS LAN Based
solution, then to TCP/IP... No problem!

All the highly mission critical transactional applications for Banks or
Assurance from IBM migrated from SNA hierarchical to APPN LU6.2 then to
TCP/IP... No problem!

Digital Equipments migrated from Decnet Phase IV to Phase V (OSI), then to
TCP/IPŠ no problem!

All the time we have see mission critical applications migrated it was
just no problem...


God save transition to IPv6 it is good for our jobs, for the SPs and for
the Network vendors who can sell products and servicesŠ.
O don't believe that IPv6 is one of the biggest, major change in
(Inter)networking in 25 years but it is definitely the major opportunity
to generate $$$Š.
 


http://lnkd.in/-Yjn5K


Fred



>// rant alert :-)
>
>I sometimes wonder about all this perceived risks/vulns affecting
>IPv6. There were *a lot* of similar vulns in IPv4 back in the time.
>You could remotely crash a host with a single command (ping-of-death
>anyone? that was really fun :-) ), yet luckily no one at the time
>thought that postponing Internet deployment indefinitely until all
>IPv4 and network related bugs were patched was a viable alternative.
>We patched vulns and moved on, waiting for the next one.
>
>Now, on the other hand, we seem to feel that dying the slow death of
>CGN is a preferable alternative to deploying IPv6 (with its bugs and
>all). When did we as a community became so risk-averse ?
>
>I had a very heated argument some time ago with one person that said
>that deploying IPv6 was an unacceptable proposition to him because
>some ICMP messages had to be let through filters. The mentality of
>"security tramples everything, no matter what" is doing more harm than
>good to the whole Internet ecosystem.
>
>Security measures are almost always recommended without proper risk
>assessments and without evaluating the real adversaries and the actual
>threats a site faces. ICMP filtering seems now to be written in stone
>for some folk. In said argument, I was called "crazy" because my linux
>home server was pingable over v4 and v6. Yet I can happily say that in
>10 years I have had only one compromise (related to the infamous
>rpc-statd bug in RedHat 6)
>
>Sure, if your adversary is the Chinese government, or the FBI, you
>must be extra-careful. Sure, maybe you should not IPv6-enable your
>nuclear plant just yet, our your air-traffic control system. But
>c'mon, how really critical are 99% of networks out there? Regardless
>how paranoid we feel, neither of those adversaries are coming after
>99% of people anytime soon. I'm more scared of phishers and banking
>trojans and DNS poisoning, really. And those have nothing to do with
>IPv6.
>
>I do believe that research into IPv6 bugs is valuable, and that effort
>must be put into fixing all issues, but on the other hand I believe
>that the actual risk for a large percentage of users is being
>magnified and is much lower than the risk they face from other
>threats. The actual harm done by NOT deploying IPv6 in the name of
>security will be far worse in the long term for the very people we
>claim we want to protect.
>
>If you kept reading this far, I owe you a beer. Make me remember next
>time we meet ;)
>
>Carlos
>
>On Wed, Nov 9, 2011 at 8:53 PM, Fernando Gont <fgont at si6networks.com>
>wrote:
>> On 11/09/2011 02:06 PM, Owen DeLong wrote:
>>
>>>>> Your presentation makes dismissive statements regarding IPv6
>>>>>deployment.
>>>>
>>>> Are you arguing that there's lots of IPv6 traffic, and that IPv6 is
>>>> widely deployed?
>>>>
>>> Depends on your definition of "widely". We run IPv6 on three continents
>>> with more tens of thousands of end sites served. While it's not yet
>>> ubiquitous, I would say that an argument can be made for "widely
>>> deployed".
>>
>> I should have said "widely deployed/widely used" (and the answer is
>> obviously "no").
>>
>>
>>
>>>>> Page 5 "(current estimations are that IPv6 traffic is less than 1% of
>>>>> total traffic)"
>>>>>
>>>>> This estimation is problematic and ignores massive growth in actual
>>>>>IPv6
>>>>> deployment.
>>>>
>>>> If that was the case, we wouldn't be having this argument in the first
>>>> place. :-)
>>>
>>> Claiming that IPv6 is less than 1% really depends on where you are
>>> looking from. Certainly there are many parts of the internet (including
>>> some major backbones) where it is more.
>>
>> I fully agree with Geoff regarding this point (fwiw, the guys at AMS-IX
>> and DEC-IX seem to agree, too).
>>
>>
>>
>>>> However, the numbers are simply indicative... i.e., "we're far from
>>>> where we'd like to be". That's it.
>>>
>>> I agree that we're far from where we'd like to be. I also think that
>>>some
>>> of the security fear-mongering about some of the more esoteric
>>> (read non-issue/easily mitigated in most scenarios) issues like
>>> ping-pong (router bug solved by most vendors already) and
>>> neighbor exhaustion attacks (unlikely to provide enough value to
>>> the attacker and unlikely to actually deny service on most
>>> networks likely to be vulnerable) is not helping the situation.
>>
>> Have you done any actual hacking with these issues? Because I have, and
>> it's pretty trivial to DoS any vulnerable host connected to the local
>> network. The effect of scanning attacks on the Neighbor Cache are also
>>real.
>>
>> I believe it is pretty unfair (non-serious, actually) to blame IPv6
>> security research for the lack of IPv6 deployment.
>>
>> Rather than blaming the people researching vulnerabilities, please blame
>> vendors who sit on their a**es for wait too long without implementing
>> fixes for them.
>>
>> Also, as noted on slide 6 of my slideware, what *has* had a negative
>> impact are all these myths (whether "traffic numbers", security
>> properties, or whatever) that have been build up (probably in the hopes
>> that that would help v6 deployment).
>>
>>
>>> I'm not saying that these issues don't need to get addressed, but, I
>>> am saying that the security community tends to look at security
>>> to the exclusion of all else and often fails to communicate
>>> risk analysis in a manner that provides a clear idea of the level
>>> of risk in context of the other risks such as the risks of utterly
>>> failing to deploy IPv6 in a given environment.
>>
>> The risks the security community talks about are *security* risks. The
>> risks you're referring to are mostly business/economic risks, or
>> whatever you want to call them.
>>
>>
>>> Statements like "don't run IPv6 unless you absolutely have to",
>>> for example, are very counterproductive.
>>
>> You're taking that statement our of context.
>>
>> In a critical network, yes: "don't run X unless you absolutely have to"
>> (whether "X" is IPv6 or anything else).
>>
>> In other networks, the analysis can be different. For example, we run
>> IPv6 at www.si6networks.com, even when we "don't have to".
>>
>>
>>>>> IPsec obstacles are also overblown and fail to envision superior
>>>>> deployments currently in use that do not depend upon end-to-end
>>>>> connectivity.
>>>>
>>>> Not sure what you mean. Are you expecting increased IPsec use? If so,
>>>> why, and how?
>>>
>>> I already see increased IPsec use on IPv6 due to built-in optimistic
>>> IPsec usage by a couple of major applications (Back2MyMac,
>>> M$ DirectConnect).
>>
>> What do you mean by "optimistic IPsec usage"? FWIW, I don't see the
>> increased IPsec usage you're referring to.
>>
>>
>>>>> The use of IPv6
>>>>> can easily extend security to the host, even when traversing a NAT
>>>>>in a
>>>>> manner that also supports access point mobility.
>>>>
>>>> There's IPsec over UDP, BTW...
>>>
>>> Yes, but one of the major advantages to IPv6 with IPsec is that you can
>>> do IPsec directly in the packet header rather than having to hack up
>>> a tunnel, reduce MTUs accordingly, etc.
>>
>> You'll probably have to do at least part of this to get IPv6 runnung,
>> anyway.
>>
>>
>>> If you don't allow IPv6 native
>>> IPsec end-to-end to function where it is desirable, then, you are doing
>>> your network and your users a disservice. Especially if it's a
>>>situation
>>> where you allow it over UDP.
>>
>> Agreed. But who was arguing about filtering IPsec?
>>
>>
>>>>>> Again, I do not necessarily advocate that. However, there are some
>>>>>> scenarios (defense networks, for example) in which you don't won't
>>>>>> to deploy IPv6 unless you really need it.
>>>>>
>>>>> This is where we disagree.  I have seen government defense networks
>>>>>leak
>>>>> IPv6 traffic due to internally compromised systems.
>>>>
>>>> I'm talking about operations networks, in which you don't put
>>>>additional
>>>> stuff unless you really need it.
>>>
>>> The problem is that's not what your statement conveys and the subtlety
>>> is lost in the soundbite where what gets translated and more widely
>>> repeated becomes "don't deploy IPv6 unless you really need it".
>>
>> That's "out of scope" for my presentation -- I cannot be blamed for what
>> people may misunderstand and possibly repeat.
>>
>>
>>
>>>>> IPv6 deployed
>>>>> properly can improve security over what is possible using IPv4.
>>>>
>>>> Can you please elaborate? All these claims of improved security
>>>>without
>>>> any rationale don't make much sense.
>>>
>>> For one thing, end-to-end addressing means that your audit trails and
>>> attempts at event correlation are much better. This alone is a major
>>> boon to security according to most of the security professionals I've
>>> discussed the topic with.
>>
>> Privacy/temporary addresses don't help this "event correlation", I
>> should say.
>>
>>
>>
>>>> That aside, I'd argue that many IPv6 implementations are hitting the
>>>> same sort of problems that v4 implementations hit many years ago.
>>>>
>>>
>>> Yes, IPv6 is a 20 year old protocol that the IETF decided was done
>>> and then let sit on the shelf while IPv4 advanced. We're going to be
>>> playing catch-up on that for a little while as IPv6 gets deployed. This
>>> is the price we pay for being so utterly inattentive to this issue as
>>>an
>>> industry pretending that NAT was our salvation for so long.
>>
>> There are not going to be many improvements unless people stop making up
>> numbers and properties, and do more hacking.
>>
>> Those being blamed for discussing security issues are the ones trying to
>> get vendors patch their implementations.
>>
>>
>>
>>> Now, we've got some baggage from our earlier mis-steps:
>>>
>>>       1.      We've got an entire generation of enterprise
>>>administrators
>>>               that don't understand that RFC-1918 and NAT doe not
>>>               provide security, they just provide address conservation
>>>               and obfuscation.
>>
>> We have yet another generation that doesn't understand that NAT devices
>> provide (security-wise) the same functionality as a stateful firewall
>> that only allows return traffic.
>>
>>
>>
>>>       2.      We didn't deploy IPv6 while we still had enough IPv4 to
>>>make
>>>               the transition relatively painless, so, now we're going
>>>through
>>>               a much more painful transition and some people are still
>>>               in denial about whether IPv6 is even necessary.
>>
>> +1
>>
>>
>>
>>>> So... Yes, it's great to deploy v6 for the general case (for instance
>>>> 'dig www.si6networks.com aaaa'). But you don't want a critical network
>>>> to be hacked just because you thought deploying v6 was cool, but
>>>>didn't
>>>> care about or consider the implications.
>>>
>>> One should always carefully consider the implications of any action
>>>taken
>>> on a critical network. Deploying IPv6 is no exception. However, the
>>> simple reality is that failing to deploy IPv6 even on those critical
>>>networks
>>> also comes with a set of risks and these risks should all be evaluated
>>> together in context to provide a complete risk assessment picture.
>>
>> Could you clarify what are the risks that you're referring to for such
>> networks?
>>
>>
>>>>> Clinging to IPv4 is not the safe path forward.
>>>>
>>>> I do not advocate sticking to IPv4 for a general user that wants to
>>>> browse the web or the like (that'd be non-sensical). But it's equally
>>>> non-sensical to deploy immature implementations on critical networks.
>>>
>>> Again, this depends a lot on the context of the critical network. For
>>> example, if part of what is critical to you is to communicate with
>>> users in Asia, then, very likely you risk disconnecting critical users
>>> if you fail to deploy IPv6.
>>
>> Unfortunately, users in Asia will have to find their way to access
>> IPv4-only systems, since most of them are not IPv4-enabled.
>>
>> Not that I like it, but... that doesn't make "truth" go away.
>>
>> Thanks,
>> --
>> Fernando Gont
>> SI6 Networks
>> e-mail: fgont at si6networks.com
>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>
>>
>>
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers
>>
>
>
>
>-- 
>--
>=========================
>Carlos M. Martinez-Cagnazzo
>http://cagnazzo.name
>=========================
>_______________________________________________
>Ipv6hackers mailing list
>Ipv6hackers at lists.si6networks.com
>http://lists.si6networks.com/listinfo/ipv6hackers





More information about the Ipv6hackers mailing list