[ipv6hackers] IPv6 security (slides and training)

Carlos Martinez-Cagnazzo carlosm3011 at gmail.com
Fri Nov 18 04:41:50 CET 2011


Skype is not all there is to p2p. My bt downloads all have ipv6 peers
nowadays, which is a clear change from say 1 year ago. Momentum is
building, although not at the pace we would like.

Btw, calling nat444 "scalable" must be some kind of joke right? :-)

C.
On Nov 18, 2011 12:20 AM, "Cameron Byrne" <cb.list6 at gmail.com> wrote:

> On Nov 17, 2011 5:09 PM, "fred bovy" <fred at fredbovy.com> wrote:
> >
> >
> >
> > On 17/11/11 19:28, "Cameron Byrne" <cb.list6 at gmail.com> wrote:
> >
> > >On Nov 17, 2011 3:47 PM, "fred bovy" <fred at fredbovy.com> wrote:
> > >>
> > >>
> > >>
> > > >> On 12/11/11 01:09, "Doug Barton" <dougb at dougbarton.us> wrote:
> > >>
> > >> >On 11/11/2011 16:05, Douglas Otis wrote:
> > >> >> On 11/11/11 2:40 PM, Doug Barton wrote:
> > >> >>> > I think that the IPv4 folks will quickly have problems
> > >> >>> > communicating with
> > >> >>> >> their partners and customers running IPv6.
> > > >> >>>  ... which is one of the big motivations to not be a first-mover to
> > > >> >>>  IPv6 in the first place.
> > >> >>>
> > >> >> Doug,
> > >> >>
> > > >> >> Disagree.  These partners also likely represent the land of
> > > >> >> opportunity.  Rather than receiving a growing portion of traffic over
> > > >> >> LSNs, offering IPv6 connectivity conveys better information when
> > > >> >> deciding which exchanges to permit.  In addition, direct access better
> > > >> >> prevents MitM and broken double NAT issues.
> > >> >
> > >> >You guys keep missing the part where *I* agree with you.
> > >> >
> > > >> >The question isn't, "Is IPv6 the right answer?" The question is, "Why do
> > > >> >so many organizations believe that CGN is a better answer?"
> > >>
> > >>
> > > >> REALLY???? So give me some references of SP who have deployed NAT444???
> > > >>
> > > >> I am curious...
> > >>
> > >> Fred
> > >>
> > >>
> > >
> > >Many mobile providers provide mifi hotspots or hotspots on phones that are
> > >effectively Nat444.
> >
> >
> > Ok Mobile provide wifi or hotspots... terrific!
> > Maybe it can also help Internet Cafe but is there any enterprise
> > interested to get connected via NAT444?
> > But even home users will not benefit from NAT444. If the SP can't figure
> > out how many real users sit behind an IP address, how can the SP do
> > the capacity planning to put enough memory to handle the translations and
> > the states needed. No way! Ok NAT444 may help when you can figure out how
> > many real users sit behind an address like a smartphone... but even
> > smartphones now can have a router function and provide access to many
> > users and each user may watch many videos.... The NAT444 will have to be
> > provisioned with enough memory to manage all the states....
> >
> > But NAT444 is good news for hackers, DoS attacks will never be easier and
> > with the translation logs as the only means to track users, hackers can
> > sleep easy!
> >
> > No enterprise will ever want to get connected via NAT444...
> >
>
> Maybe. Maybe not. Depends how you define enterprise.  Mobile enterprise
> users are a key customer group of mobile hotspots. I am not saying it is
> good, I am saying it exists at large scale.
>
> > With NAT444 you can no longer run a server using a static translation as
> > we do with NAT!
> >
>
> Right. That is why people have the "cloud" ...sarcasm ....
>
> > With NAT444, if the user configures an IPv4 private address which is being
> > used between the CPE and the SP we have a duplicate address issue.
> >
> > With NAT444, if two customers are locally connected, NAT of the source
> > address must be performed otherwise the packet will get back to the
> > customer with a private source address which will be filtered by the
> > customer firewall.
> >
> > With NAT444, if the LSN reloads, all the customers will have to restart
> > their sessions...
> >
> > NAT444 has not been tested since 1996... Maybe the 6BONE was not heavily
> > tested but some tests have been run with high load of IPv6 traffic and have
> > shown that IPv6 was no problem.
> >
> > I have been a dev-tester for 6 years so don't tell me that IPv6 was never
> > tested under very loaded traffic... It is too funny :-)
> >
> > NAT444 is a much better, scalable and proven solution than IPv6, there is
> > no doubt about this!
> >
>
> If you are looking for an echo of "yes, Nat444 is bad and ipv6 is good".
> You are probably in the right place.
>
> Is there another point you are trying to make ?  Yes, ipv6 is technically
> better than Nat444, but that alone does not get it on store shelves .....
> Even the great NAT traversing p2p software Skype does not support ipv6
> ..... P2p is an obvious beneficial use case of ipv6, right ?   Yet, no
> support.
>
> Cb
>
> Ps. In case it is not clear, I spend a lot of time deploying and advocating
> for ipv6.
>
> > Fred
> >
> >
> > >
> > >The mobile provider does Nat44 in their core and the android phone or mifi
> > >does nat44 providing addresses to the tethered clients / WLAN
> > >
> > >Cb
> > >>
> > >>
> > >>
> > >> >
> > >> >--
> > >> >
> > >> >               "We could put the whole Internet into a book."
> > >> >               "Too practical."
> > >> >
> > >> >       Breadth of IT experience, and depth of knowledge in the DNS.
> > >> >       Yours for the right price.  :)  http://SupersetSolutions.com/
> > >> >
> > >> >_______________________________________________
> > >> >Ipv6hackers mailing list
> > >> >Ipv6hackers at lists.si6networks.com
> > >> >http://lists.si6networks.com/listinfo/ipv6hackers
> > >>
> > >>
>


