[ipv6hackers] my IPv6 insecurity slides

Carlos M. Martinez carlosm3011 at gmail.com
Fri Nov 25 12:58:23 CET 2011


I agree with the principle of "disabling what is not needed". I
profoundly disagree with you on the claim that IPv6 is not needed
nowadays in *any internal* networks.

If by "internal networks" you mean *corporate workstation networks*,
then we have a different situation and we might even agree on the point.
Those networks are already buried deeply behind proxies, websenses and
whatnots. Corporate LAN admins are scared that someone could inject a
fragmented RA in their networks.

Regarding the venue of the presentations, well, the problem I have with
blank "disable this or that" recommendations is that even if talks were
created with specific communities in mind, they end up being indexed
by Google and pop up when someone searches for "ipv6 security". What do
they get? A pdf saying they should disable IPv6 altogether. Not good at
all, and also not true for 80-90% of folks out there.

Also, the philosophy of blank turning-off things is in some sense flawed
as well. I'm glad doctors and surgeons do not (usually) think like that.
Otherwise I would be missing an arm and some toes by now.

Finally, I still believe that whole risk analysis that leads to
corporate lan walled gardens is fundamentally flawed (and driven by the
so-called "security industry"), and my operational experience tends to
confirm this belief, but it's a discussion for a different venue (and
preferably over beer).

Even more, in most cases, this risk analysis is never actually performed,
but the whole decision on how to protect the network ends up being
driven by salesmen and FUD. Those of you who have worked for corporate
IT depts know this first hand.

And, if people did not get fired for sticking to Windows XP SP1 and
Internet Explorer 6 in corporate networks, it would be deeply ironic if
they got fired for enabling IPv6. But given the sorry state of the
security industry, it would be hardly surprising.

regards

Carlos


On 11/25/11 8:55 AM, Marc Heuse wrote:
> to the opinions that shot into the same direction like
>
> On 23.11.2011 18:42, Arturo Servin wrote:
>> My biggest disagreement is to recommend people to disable IPv6, that will take us no-where.
>> I agree that some environments should not enable v6 for some reasons,
>> but to generalise
>> the practice seems wrong to me.
> On 24.11.2011 21:35, Owen DeLong wrote:
>> turn IPv6 off is still not the appropriate countermeasure
>> for a general recommendation these days.
> please remember, this is ipv6-hackers and not ipv6-ops.
> in security, one of the most fundamental guidelines is "disable what is
> not required".
>
> My recommendation to disable IPv6 on internal networks is simply that.
> In my opinion, nobody needs IPv6 internally now and the next years. Why
> should anybody? They already have security proxies etc. so it is not
> important if the outside world is ipv4 or ipv6.
> And if you don't need it, then you should disable it. It's another attack
> factor that's totally unneeded, therefore measures should be taken.
>
> I recommend to use IPv6 - but only in the internet facing DMZ.
> That's where the business need will be.
>
> But anybody who introduces IPv6 in the internal network without a
> business need should be fired, for a waste of human resource, harder
> troubleshooting, more error prone networks - and increased security risks.
>
> Greets,
> Marc
>
> --
> Marc Heuse
> www.mh-sec.de
>
> VAT ID: DE244222388
> PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers


--
Carlos M. Martinez
LACNIC R+D
http://www.labs.lacnic.net