[ipv6hackers] IPv6 security (slides and training)

Fernando Gont fgont at si6networks.com
Sun Nov 13 04:30:54 CET 2011


On 11/11/2011 10:07 PM, Owen DeLong wrote:
> Because at some point, there are no small blocks of IPv4 available to create
> that border space from.
> 
> Because at some point, someone will launch the next gotta-have-it social
> network, web5.0 application, or whatever, and, there won't be enough IPv4
> to host their servers on so they WILL be IPv6 only.

I can see a future with v6-only clients... but doubt there will be a
time in which we'll have v6-only servers and that'll be a concern (i.e.,
by the time that happens, v6 will have already been rolled out).




>>> I think that the IPv4 folks will quickly have problems communicating with
>>> their partners and customers running IPv6.
>>
>> ... which is one of the big motivations to not be a first-mover to IPv6
>> in the first place.
>>
> 
> Nonsense. I can see it as a motivation not to be the first to turn off IPv4,
> but, deploying IPv6 alongside IPv4 (dual-stack) does not in any way
> degrade your IPv4 experience.

That's not correct. It may, or may not. See RFC5482, or the "happy
eyeballs" Internet-Draft...


>> Me too, and I think is going to be one of the things that actually
>> pushes people to move. But, unfortunately, I think that the failures
>> here will have to be experienced before the lessons are learned.
>>
> 
> Unfortunate, indeed, since it takes time to deploy IPv6 in an environment,
> and, if you wait until IPv4 starts failing, then, you have to live with that failure
> for the duration of your IPv6 deployment.

+1


> Here you have created your own tautology. We shouldn't deploy it because
> it's untested. It can be tested until it carries more than 1% of traffic.  Did you
> consider IPv4 tested 15 years ago? If so, then, consider that IPv6 is already
> carrying more bits every day than IPv4 was then. Let's face it, e-commerce
> was getting into pretty good swing 15 years ago. Sure, we've learned even
> more since then, but, reality is that most people considered IPv4 fairly well
> tested by that time. IPv6 is already past that point on traffic levels, so, if
> you think traffic levels are somehow a meaningful part of testing (I don't
> agree with your premise, but, let's go with it for a moment), then, even that
> argument doesn't really hold water.

IMO, testing implies not only interoperability experience, but plenty of
work on attack tools, etc., that help improve the robustness of IPv6
implementations.

I don't think much has been done on the latter besides Marc Heuse's work,
and a project (yet unpublished) I did a few years ago.

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





