[ipv6hackers] my IPv6 insecurity slides
dotis at mail-abuse.org
Wed Nov 23 20:36:25 CET 2011
On 11/23/11 9:04 AM, Marc Heuse wrote:
> Hi guys,
> I did a lot of presentations on my IPv6 security research since 2005.
> I condensed most if it into a 2h presentation I performed at the IPv6
> congress in Frankfurt, Germany in May.
> I updated the information, and if you are interested in the slides, here
> is the direct link:
> On a side note, I plan the next thc-ipv6 (will be 2.0) release
> containing all and every tool (no more private version) to be between
> March and May 2012.
Without a doubt, IPv6 is challenging. Nevertheless IPv6 is a reality.
However, tunneling or translating this traffic will make the problem
worse. Also, recursive DNS servers and domain search lists are
supported in RAs.
Disabling IPv6 because local networks can't be trusted would be an over
reaction. Local networks could never be trusted. Reliance must be
placed on cryptographic validation of end points, whether over IPv4 or
IPv6. IPv6 better ensures actual host validation remains practical, and
not involve other (IPv4 or IPv6) insecure routing techniques.
Spoofing threats occur in IPv4 via ARP spoofing, etc. Your tools are
great, but rather than making apocalyptic assertions, recommending
improved tracking techniques seems like a better strategy. Of course,
this effort should be done in conjunction with greater dependence upon
cryptographic host confirmations. RFC6281 offers an important example.
Indeed, trusting local networks has been problematic with either IPv4 or
IPv6. Clearly, local networks offering Internet access or those exposed
to mobile devices should not be trusted. Security must depend upon
cryptography, not encryption. Privacy depends upon encryption. Of
course current filtering methods will be unable to scale, and this needs
to be resolved.
By the way, where has white-listing of the entire IPv4 been practical?
IMHO, the real issue is that block lists will soon be unable to scale
and requires different strategies. Perhaps Kerberos as a service that
signals domains confirmed using DANE where their APL RRsets are applied
to access firewalls might represent a new type of security industry
waiting to happen. :^)
I know of an update to RFC3041. This update offers user controls for
temporary addresses. Will this satisfy the privacy concerns raised?
IMHO, privacy on the Internet requires greater efforts. Dynamically
assigned addresses offered by providers rarely changing seem like a
benefit, where privacy requires efforts analogous that found with Tor
(the onion router).
More information about the Ipv6hackers