[ipv6hackers] IPv6 security (slides and training)

Owen DeLong owend at he.net
Sat Nov 12 02:27:35 CET 2011


On Nov 11, 2011, at 4:09 PM, Doug Barton wrote:

> On 11/11/2011 16:05, Douglas Otis wrote:
>> On 11/11/11 2:40 PM, Doug Barton wrote:
>>>> I think that the IPv4 folks will quickly have problems
>>>> communicating with
>>>> their partners and customers running IPv6.
>>> ... which is one of the big motivations to not be a first-mover to
>>> IPv6 in the first place.
>>> 
>> Doug,
>> 
>> Disagree.  These partners also likely represent the land of
>> opportunity.  Rather than receiving a growing portion of traffic over
>> LSNs, offering IPv6 connectivity conveys better information when
>> deciding which exchanges to permit.  In addition, direct access better
>> prevents MitM and broken double NAT issues.
> 
> You guys keep missing the part where *I* agree with you.
> 
> The question isn't, "Is IPv6 the right answer?" The question is, "Why do
> so many organizations believe that CGN is a better answer?"
> 

My best guesses in no particular order, but, based on the feedback I receive
from many of these organizations when I talk to them at a variety of trade shows
and conferences:

1.	Inertia
2.	Fear of the unknown (We don't know IPv6. IPv4 NAT is familiar. The
	devil we know...)
3.	Misunderstandings
	a.	"There is no multihoming solution in IPv6"
	b.	"The lack of NAT in IPv6 makes it fundamentally insecure"
	c.	"We could never implement a protocol without address obfuscation"
	d.	"PCI requires us to use NAT" (There is actually a proviso in PCI
		for equivalent compensating controls).
	etc.
4.	They went to someone's IPv6 security lecture and came away with
	the sound bite "Don't deploy IPv6 on any production network unless
	you absolutely have to."

I'm sure these are just a few of the reasons. Notice that most of them can
be solved primarily by education which is why I spend most of my time
working on IPv6 education. However, it is exceedingly hard to teach those
unwilling to learn and corporate IT departments seem to specialize in
having a tremendous resistance to learning anything that doesn't look
like their current environment.

Owen
