[ipv6hackers] my IPv6 insecurity slides

Marc Heuse mh at mh-sec.de
Fri Nov 25 11:55:39 CET 2011

To the opinions that shot in the same direction, like:

On 23.11.2011 18:42, Arturo Servin wrote:
> My biggest disagreement is to recommend people to disable IPv6, that will take us nowhere.
> I agree that some environments should not enable v6 for some reasons, but to generalise
> the practice seems wrong to me.
On 24.11.2011 21:35, Owen DeLong wrote:
> turn IPv6 off is still not the appropriate countermeasure
> for a general recommendation these days.

please remember, this is ipv6-hackers and not ipv6-ops.
in security, one of the most fundamental guidelines is "disable what is
not required".

My recommendation to disable IPv6 on internal networks is simply that.
In my opinion, nobody needs IPv6 internally now and the next years. Why
should anybody? They already have security proxies etc. so it is not
important if the outside world is ipv4 or ipv6.
And if you don't need it, then you should disable it. It's another attack
factor that's totally unneeded, therefore measures should be taken.

I recommend to use IPv6 - but only in the internet facing DMZ.
That's where the business need will be.

But anybody who introduces IPv6 in the internal network without a
business need should be fired, for a waste of human resource, harder
troubleshooting, more error prone networks - and increased security risks.


Marc Heuse

Ust.-Ident.-Nr.: DE244222388
PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
