[ipv6hackers] my IPv6 insecurity slides

Cameron Byrne cb.list6 at gmail.com
Fri Nov 25 15:11:57 CET 2011


On Nov 25, 2011 2:55 AM, "Marc Heuse" <mh at mh-sec.de> wrote:
>
> to the opinions that shot into the same direction like
>
> Am 23.11.2011 18:42, schrieb Arturo Servin:
> > My biggest disagreement is to recommend people to disable IPv6, that
> > will take us nowhere.
> > I agree that some environments should not enable v6 for some reasons,
> > but to generalise
> > the practice seems wrong to me.
> Am 24.11.2011 21:35, schrieb Owen DeLong:
> > turn IPv6 off is still not the appropriate countermeasure
> > for a general recommendation these days.
>
> please remember, this is ipv6-hackers and not ipv6-ops.
> in security, one of the most fundamental guidelines is "disable what is
> not required".
>

Agreed.  Not needed features should be turned off.  But, for fast growing
edges such as Mobile, cloud, and m2m / grid, ipv6 is required.  After all,
ipv4 is already run out from a strategic perspective.

short discussion at http://t.co/bTttUTab

> My recommendation to disable IPv6 on internal networks is simply that.

Internal network?  What is that ? :)

> In my opinion, nobody needs IPv6 internally now and the next years. Why
> should anybody? They already have security proxies etc. so it is not
> important if the outside world is ipv4 or ipv6.
> And if you don't need it, then you should disable it. It's another attack
> factor that's totally unneeded, therefore measures should be taken.
>

The fact that ipv4 has already run out is the issue why anyone is doing
ipv6. I did ipv6 last in 2002 for fun, now I do it to reduce business risk
from ipv4 exhaust.

And the growth rates of grid, Mobile, and cloud are so fast that ipv4 is
not even a legit option.

> I recommend to use IPv6 - but only in the internet facing DMZ.
> That's where the business need will be.
>

Is your scope only enterprise networks in OECD countries that need to
communicate with OECD countries? If so, ok.  If you need people to access
your website from mobiles in apnic region, you may have a connectivity
issue in the short term..... But nobody does business in Asia, right ?  ;)

All kidding aside, your dmz approach is a correct first step for
traditional OECD enterprise networks.

Proxies and Nat64 may help, but they have their set of risks which likely
need further study before saying they are less risk.

> But anybody who introduces IPv6 in the internal network without a
> business need should be fired. for a waste of human resource, harder
> troubleshooting, more error prone networks - and increased security risks.
>

Agreed. But networks that scope for ipv4-only are decreasing.  Only the
most boring and stagnant networks are in this category.

Cb

> Greets,
> Marc
>
> --
> Marc Heuse
> www.mh-sec.de
>
> Ust.-Ident.-Nr.: DE244222388
> PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A