[ipv6hackers] IPv6 security (slides and training)

Doug Barton dougb at dougbarton.us
Fri Nov 11 23:55:09 CET 2011

On 11/11/2011 06:59, Owen DeLong wrote:
> On Nov 11, 2011, at 12:31 AM, Doug Barton wrote:
>> On 11/09/2011 15:57, Carlos Martinez-Cagnazzo wrote:
>>> I sometimes wonder about all these perceived risks/vulns affecting
>>> IPv6. There were *a lot* of similar vulns in IPv4 back in the time.
>> So please explain to me what the motivation is for an enterprise that
>> already has a mature, secure (for their own definition of secure)
>> network stack (i.e., v4) to deploy a new, largely untested, immature
>> network stack that is not only full of bugs, but still evolving? The
>> argument that "IPv6 is as good as IPv4 was 15 years ago!" is a reason
>> NOT to deploy it, not the other way around.
> The most secure network is one which is not connected to the outside
> world.


> The motivation to deploy IPv6 is, quite simply, the ability to remain
> connected to the outside world. We are running out of IPv4 addresses.
> Simple math dictates that they are finite and that there are nowhere
> near enough of them to meet growth demands of the internet on
> a global scale.

And if IPv6 were the only way to address that problem, we wouldn't be
having this conversation.

> Almost 2/3rds of the world's population lives with less than 1/3rd
> of the IPv4 address space. Even in the IPv4-richest part of the
> globe where 1/20th of the world's population has consumed
> almost 1/5th of the IPv4 address space, we do not have enough
> IPv4 to satisfy demand for more than 1-2 more years. 

First, can we please stop with the whole "IPv4 addresses were not fairly
distributed around the world" canard? To summarize:

1. In the very early days a lot of addresses were given out in blocks
larger than they needed to be. Those problems have mostly all been fixed
with CIDR, and people/organizations giving back space they aren't using.
There was no conspiracy, there was no cabal, there was simply lack of
understanding about how valuable the resource was going to turn out to be.

2. Yes, a disproportional number of addresses have been allocated in
North America and Europe, because they had a huge head start in the
early days while they were developing the protocol.

3. That said, up until very recently no one who had a valid reason to
get an IPv4 address block was ever denied one. The fact that we're in
the end stages of IPv4 availability is a well known problem, to which
IPv6 should have been the solution long before now.

> Whether you and/or your enterprise have enough addresses and/or
> only use applications that actually work behind CGN (most applications
> actually do not),

That is factually incorrect. Most Internet traffic is web browsing,
e-mail, and streaming media, all of which will continue to work fine.

> the simple reality is that more and more of the internet
> will be on IPv6 going forward because they won't have the option
> of deploying IPv4 due to lack of available addresses.

We'll see. :)

I'm snipping a bunch because I addressed your questions in my reply to Fred.

> I have extensive experience with IPv4 and IPv6. I run dual stack
> networks at home and at work.

Me too.



		"We could put the whole Internet into a book."
		"Too practical."

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/
