[ipv6hackers] my IPv6 insecurity slides
Carlos M. Martinez
carlosm3011 at gmail.com
Thu Nov 24 19:54:36 CET 2011
I definitely agree with you on the part that one-size-fits-all are bad,
and that both stances on IPv6 deployment are probably wrong. However,
thanks to your insight I now realize that one of my points there is that
even where both stances are wrong, they are not equally distributed in
the sense that today you can deploy IPv6 securely in probably 80 - 90 %
of common scenarios.
On the needs analysis you mention, I tend to agree with you. However
there is a catch-22 situation here: if you ask people today if they
"need IPv6", the answer will be NO 99.9% of the time. By the time they
are all jailed behind layers and layers of CGN's and they realize that
the IPv6 thing maybe wasn't that bad after all.
The time of "needing" IPv6 is now even if most people do not realize it.
I am basically scared, and not of some IPv6 attacks. I am scared of what
huge economic interests (yes, telcos and larger-than-life ISPs, I'm
looking at you) can make of the Internet if they take this window of
opportunity they have today.
Olaf Kolkman made a far better presentation of this situation than I can
possibly hope to make myself, you can take a look at his slides here:
On 11/24/11 4:03 PM, Fernando Gont wrote:
> On 11/24/2011 11:35 AM, Carlos M. Martinez wrote:
>> If we as practitioners communicate the idea that there is something
>> called IPv6 which seems to be really, really insecure, then the public
>> will still not know what it is, but they sure will reject it.
> I personally think that any "one size fits all" answer is wrong.
> We, "practitioners", first need to assess whether IPv6 deployment for a
> particular scenario makes or does not make sense (*). And in those
> scenarios in which it does make sense, we need to be able to mitigate
> any security implications there may be associated with IPv6.
> If we're good enough at what we do, then we must be able to mitigate
> many/most of the issues involved with IPv6.
> It's as bad to take stance of "deploy v6 everywhere" as it is to take
> the stance of "disable IPv6 everywhere". We first should assess where it
> is needed, and in those networks in which is needed, we must be good
> enough to deploy it in a secure manner with whatever we have at hand.
> I think the aforementioned ideas apply not only to IPv6, but to any
> technology in general (that's "engineering", after all!).
> (*) a discussion of the scenarios in which v6 deployment makes or does
> not make sense is out-of-scope for this particular e-mail...
Carlos M. Martinez
More information about the Ipv6hackers