[ipv6hackers] IPv6 security (slides and training)

Fernando Gont fgont at si6networks.com
Wed Nov 23 06:37:33 CET 2011

On 11/23/2011 12:42 AM, Owen DeLong wrote:
> Comparing IPv6 statistics today to IPv4 statistics today is about as useful
> as comparing IPv4 statistics today to IPX statistics today.

Comparing IPv4 statistics with IPX statistics may give you an idea of
how much IPX is used.

>>> Comparing IP to that of IPX would have overlooked the need to deal with
>>> external routes.  This need shifted adoption to IP.  Comparing IPv6 to
>>> that of IPv4, there is a need to deal with more than 3.8 billion
>>> external unicast sources.  Announcement growth in IPv6, as measured in
>>> /64 prefix equivalents, has been exponential even though adequate block
>>> assignments allowed routing and network growth to remain fairly linear.
>> And? What we want is traffic, rather than announcements -- announcements
>> are a side effect.
> Announcements are not a side effect, they are a precursor. 

You do announcements because you need them, not because you want them.
If you have plenty of advertisements, but no traffic, that's nothing.

If you have not that many announcements, but lots of traffic, that may
be good enough.

Traffic means usage, which in turn contributes to experience, drives
investments, etc.

> That's OK. It's far more important that it is an available solution than that
> it be the ideal or chosen solution for any particular flow.

Agreed. But announcements do not imply end-to-endness, and hence do not
imply capability, either.

>> v6 doesn't change much with respect to IPsec deployment (when compared
>> to the v4 case). Again, I don't think we'll see increased IPsec usage as
>> a result of IPv6 deployment (in particular when it comes to global traffic).
> It actually does. I would argue that between M$ Direct Connect and iCloud,
> B2MM and MobileMe, there are probably already more IPSEC SAs on
> IPv6 than on IPv4 today. Most of the people using these SAs don't even
> know they are doing so. When was the last time you saw opportunistic
> IPSEC in IPv4? Never? Thought so.

I'd really like to see numbers rather than guesses, but, anyway: what's
the problem being solved, other than "we're using ipsec, which is cool"?

>> You provided a link to a protocol used by APple, which aparently uses
>> IPsec over IPv6. Can you provide a rationale for increased
>> widely/globally-deployed IPsec usage?
> Apple has a lot of customers using iCloud, MobileMe, and B2MM
> all over the world. Can you provide any reason that would not qualify
> as widely, globally-deployed IPsec usage?

Do you have global statistics?

>> And even then, that doesn't make a big deal in terms of security. That
>> doesn't solve malware, etc.
> You can't solve a software problem at the protocol level. That's like trying
> to solve drunk driving by eliminating push-button ignition systems in cars.
> This statement is facially absurd.

No. You will have "improved security" when you actually tackle some of
the big problems, or solve something that has not yet been solved.

Let's assume that you have deployed IPsec. Have you solved anything that
you were not tackling with a different technology? And even then, is is
worth spending resources there, or you're missing bigger issues that
remain unaddressed?

>> I think you're missing the point. A firewall and IPsec serve different
>> purposes.
> Yes and no. His point is that IPsec provides end-to-end privacy and
> authenticity of datagrams. Combined with host level policy, it can,
> in fact, eliminate the need for an intervening firewall. 

Let's say that I have a firewall that performs DPI, and can filter some
malware. IPsec does not help at all in that area. Actually, it prevents
the firewall from doing its job.

Simple example: university network, enterprise network, or whatever.
Most of the time their systems get infected by malware. In most cases,
it is a priority to address *that* issue than providing "privacy" at the
network layer.

And even then, IPsec is *not* truly end-to-end (in the sense of the
Saltzer et al paper that coined the term). PGP or the like *is*.

> The firewall,
> after all, is strictly a middle-box policy enforcement mechanism.
> Moving policy enforcement to the edge, if it can be done in a practical
> and sustainable manner, is actually an improvement.

We all know how well anti-virus and other software that enforce policies
at the host work (the worm itself usually disables the anti-virus).

>>> Nearly every corporate
>>> network contains compromised systems.  As such, security must be
>>> implemented at each host, rather than being placed at elaborate
>>> firewalls where scaling becomes problematic.  
>> Huh? If the host is compromised, what does IPsec offer? IPsec'ed
>> malicious traffic?
> If a host engages in more IPsec conversations and regards conversations
> that are not IPsec with greater suspicion, then, the result is actually a
> host that is less likely to be compromised, no?

What good would be IPsec from preventing malware that arrives through
e-mail, infected web sites, etc.?

>> That's kind of "placebo security": You think that "everything is alright
>> because you're using super-secure IPsec..." but it's not.
> I think you're putting words in his mouth here. IPsec isn't a panacea
> any more than stateful inspection or any other security tool.

*Exactly* They tackle different problems, in different ways.
"Unfortunately", most compromises have to do with layer-7, not with
layer-3. So even if you throw crypto at layer-3, that won't buy you much.

>> That said, firewalls enforce packet filtering policies. They are usually
>> of help to improve security. But that doesn't make compromises
>> impossible (nothing does).
> Arguably better edge security and moving policy enforcement to the
> edge systems would actually do more for improving security than firewalls
> can, if that can be done in a useful and sustainable manner. 

Ok, I could buy this one -- assuming that the trick is in "if it can be
done in a useful and sustainable manner".

>>> When connectivity to the Internet has been lost, external risks are
>>> reduced as well.  Secure methods can be used to access local systems
>>> without external services being present.  For example, mDNS in
>>> conjunction with ssh offers a fallback strategy.
>> IMO, this is nice for a theory book, but is far from practice.
> It works in my environment, so, I'm not sure why you say it is far from
> practice.

There are lots of cool ideas that don't

>>> Only IPv6 is able to eliminate a need for middleboxes such as Network
>>> Address Translations, provide anonymity and security through privacy
>>> extensions, 
>> Oh, c'mon... there are plenty of bibliography on the subject. Privacy
>> extensions basically clear-up the bad idea of including MAC addresses in
>> the INterface-IDs. -- That's it.
> First, I don't accept as postulate that it was a bad idea to use EUI-64 host
> identifiers. 

They hurt privacy, and can simplify host-scanning attacks.

> I think that they are quite useful in a number of environments.
> I would argue that privacy extensions are, in many environments a far
> worse idea than EUI-64 addresses.

What do you mean by "privacy extensions"? The temporary addresses
specified by the IETF? If so, I agree. But there are options other than
privacy addresses and EUI-64 addresses. (e.g., MS's approach).

>>> truly secure local networks when desired, and importantly
>>> establish unique Security Associations.   
>> Use IPsec over UDP.
> To what benefit over native IPSEC in IPv6?

None. The question really is: do you really get *much* more with
IPsec/IPv6 than with IPsec/UDP/IPv4?

>> DO you expect, e.g., hosts in a home network to be globally reachable?
> At least in some cases, yes. People want to be able to host games on their
> XBoX 360, PS3, etc. People want to be able to run their own servers of various
> forms, whether they realize they are servers or not.

I'd argue that form most cases, this is a bad idea. If you need to have
a hole, open it. HOwever, "open by default" is, security-wise, a
really-bad idea.

Unless you want your box owned the next time a remotelly-exploitable
0-day is released.

> Hosts in my home are already globally reachable on both IPv4 and IPv6.

Do you *need* it?

>> Do you expect firewalls to be removed from the edge of enterprise networks?
> I wouldn't expect this for some time because enterprises are notoriously behind
> the times when it comes to security technologies and because many tend to be
> sheep following whatever the auditors, so-called experts, and vendor-paid
> consultants have told them is the best thing to buy. Since sales of firewall
> hardware are lucrative, I expect strong lobbying against the idea of edge-host
> based security models until the industry finds a better way to make that more
> lucrative than firewall sales.

There are idiots and salesmen on both sides. Honestly speaking, I think
you should worry more about the lobbying done by some in favor of CGN as
an *alternative* to IPv6 deployment, than about any possible lobbying
about firewalls. That said, I personally think that there are valid
reasons for deploying host-based firewalls.

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Ipv6hackers mailing list