[ipv6hackers] IPv6 security (slides and training)

Owen DeLong owend at he.net
Sun Nov 13 09:09:35 CET 2011 

On Nov 12, 2011, at 7:30 PM, Fernando Gont wrote:

> On 11/11/2011 10:07 PM, Owen DeLong wrote:
>> Because at some point, there are no small blocks of IPv4 available to create
>> that border space from.
>> 
>> Because at some point, someone will launch the next gotta-have-it social
>> network, web5.0 application, or whatever, and, there won't be enough IPv4
>> to host their servers on so they WILL be IPv6 only.
> 
> I can see a future with v6-only clients... but doubt there will be a
> time in which we'll have v6-only servers and that'll be a concern (i.e.,
> by the time that happens, v6 will have already been rolled out)
> 
> 
This is a tautology, to a certain extent, and, utterly inaccurate to the
remaining extent.

The more accurate statements:

1. Nobody will remove IPv4 from a server until IPv6 is ubiquitous on clients.

2. People will continue to go to extreme effort to add IPv4 to new servers so
	long as there is any possibility whatsoever to do so and they can somehow
	afford the addresses that are required in order to make it work.

3. A time will come when it is no longer possible to add IPv4 addresses to
	servers in satisfaction of item 2. This time may be before or after
	IPv6 is ubiquitous on clients. Obviously, life is far better for almost
	everyone if IPv6 is ubiquitous on clients before this point.

> 
> 
>>>> I think that the IPv4 folks will quickly have problems communicating with
>>>> their partners and customers running IPv6.
>>> 
>>> ... which is one of the big motivations to not be a first-mover to IPv6
>>> in the first place.
>>> 
>> 
>> Nonsense. I can see it as a motivation not to be the first to turn off IPv4,
>> but, deploying IPv6 along side IPv4 (dual-stack) does not in any way
>> degrade your IPv4 experience. 
> 
> That's not correct. It may, or may not. See RFC5482, or the "happy
> eyeballs" Internet-Draft...
> 

No, if you pay better attention to the "happy eyeballs" draft, you realize
that people with non-functional IPv6 deployments are the clients that
are negatively impacted by deployment of IPv6 on servers. Deployment
of working IPv6 to clients has no negative consequences to IPv4
performance of those clients.

> 
>>> Me too, and I think is going to be one of the things that actually
>>> pushes people to move. But, unfortunately, I think that the failures
>>> here will have to be experienced before the lessons are learned.
>>> 
>> 
>> Unfortunate, indeed, since it takes time to deploy IPv6 in an environment,
>> and, if you wait until IPv4 starts failing, then, you have to live with that failure
>> for the duration of your IPv6 deployment.
> 
> +1
> 
> 
>> 
> 
> 
>> Here you have created your own tautology. We shouldn't deploy it because
>> it's untested. It can be tested until it carries more than 1% of traffic.  Did you
>> consider IPv4 tested 15 years ago? If so, then, consider that IPv6 is already
>> carrying more bits every day than IPv4 was then. Let's face it, e-commerce
>> was getting into pretty good swing 15 years ago. Sure, we've learned even
>> more since then, but, reality is that most people considered IPv4 fairly well
>> tested by that time. IPv6 is already past that point on traffic levels, so, if
>> you think traffic levels are somehow a meaningful part of testing (I don't
>> agree with your premise, but, let's go with it for a moment), then, even that
>> argument doesn't really hold water.
> 
> IMO, testing implies not only interoperability experience, but plenty of
> work on attack tools, etc., that help improve the robustness of IPv6
> implementations.
> 
> I don't think much has been done on the later besides Marc Heuse's work,
> and a project (yet unpublished) I did a few years ago.
> 

Those two statements may be true, but, I don't see them as a reason not to
deploy IPv6 to a much wider environment, especially on the client side
as soon as possible. (See above for additional reasons this should be
considered important).

I think we are mostly in agreement and down to arguing the minutiae.

I don't mind continuing to do so, but, I think both of us have moved significantly
more towards common ground from where we started the discussion.

Owen

More information about the Ipv6hackers mailing list