[ipv6hackers] IPv6 security (slides and training)

Owen DeLong owend at he.net
Fri Nov 11 15:59:39 CET 2011


On Nov 11, 2011, at 12:31 AM, Doug Barton wrote:

> On 11/09/2011 15:57, Carlos Martinez-Cagnazzo wrote:
>> I sometimes wonder about all this perceived risks/vulns affecting
>> IPv6. There were *a lot* of similar vulns in IPv4 back in the time.
> 
> So please explain to me what the motivation is for an enterprise that
> already has a mature, secure (for their own definition of secure)
> network stack (i.e., v4) to deploy a new, largely untested, immature
> network stack that is not only full of bugs, but still evolving? The
> argument that "IPv6 is as good as IPv4 was 15 years ago!" is a reason
> NOT to deploy it, not the other way around.
> 

The most secure network is one which is not connected to the outside
world.

The motivation to deploy IPv6 is, quite simply, the ability to remain
connected to the outside world. We are running out of IPv4 addresses.
Simple math dictates that they are finite and that there are nowhere
near enough of them to meet growth demands of the internet on
a global scale.

Almost 2/3rds of the world's population lives with less than 1/3rd
of the IPv4 address space. Even in the IPv4-richest part of the
globe where 1/20th of the world's population has consumed
almost 1/5th of the IPv4 address space, we do not have enough
IPv4 to satisfy demand for more than 1-2 more years.

Whether you and/or your enterprise have enough addresses and/or
only use applications that actually work behind CGN (most applications
actually do not), the simple reality is that more and more of the internet
will be on IPv6 going forward because they won't have the option
of deploying IPv4 due to lack of available addresses.

> Failure to recognize this issue is one of the most important reasons
> that IPv6 adoption is still at pathetically low levels, and CGN is seen
> as the more attractive option. And don't even get me started on all the
> other issues, like lack of DHCP parity.

Failure to recognize that CGN doesn't actually work for the majority of
internet applications is a contributing factor here. IPv4 runout is the
internet equivalent of global warming. In spite of overwhelming
evidence that IPv4 cannot remain viable as a global communications
protocol for much longer, that truth is so inconvenient that some of
us are looking for any possible way to continue to live in denial
as long as possible.

Doing so only increases the cost and pain of the transition process
for you and potentially for those around you.

What you inflict on your client systems within your enterprise is
largely irrelevant to the rest of the world. You can't put your
public facing services behind CGN, so, what do you plan to do
to make those available to (potential) customers that don't
have IPv4 connectivity?

Today, you have the option of ignoring such customers because
they are a tiny fraction of the market. Simple math says that
will not remain the case for too many more years.

Why deploy IPv6? Quite simply, to stay in business. If having
your customers able to reach you via the internet is important
to your business (which seems to be the case for the vast
majority of businesses these days), then failure to deploy IPv6
at least to your public facing services will erode your customer
base.

> Don't get me wrong, I still think that ultimately IPv6 is going to be
> the answer. It's just way past time for us to accept responsibility for
> creating more problems than solutions.
> 

What are your perceived problems with IPv6 that make it so much
worse than CGN? How much experience do you have with both
protocols?

I have extensive experience with IPv4 and IPv6. I run dual stack
networks at home and at work. I will admit that I only have limited
experience with CGN because the few times I have attempted
to use it, it was utterly inadequate to my needs and I went back
to dual-stack native connectivity without NAT instead, but, I do
have some (painful) experience with CGN.

Owen