[ipv6hackers] my IPv6 insecurity slides
owend at he.net
Fri Nov 25 23:56:56 CET 2011
On Nov 25, 2011, at 2:55 AM, Marc Heuse wrote:
> to the opinions that shot into the same direction like
> Am 23.11.2011 18:42, schrieb Arturo Servin:
>> My biggest disagreement is to recommend people to disable IPv6, that will take us no-where.
>> I agree that some environments should not enable v6 for some reasons,
> but to generalise
>> the practice seems wrong to me.
> Am 24.11.2011 21:35, schrieb Owen DeLong:
>> turn IPv6 off is still not the appropriate countermeasure
>> for a general recommendation these days.
> please remember, this is ipv6-hackers and not ipv6-ops.
> in security, one of the most fundamental guidline is "disable what is
> not required".
Arguing that IPv6 is not required is ignoring modern reality.
> My recommendation to disable IPv6 on internal networks is simply that.
> In my opinion, nobody needs IPv6 internally now and the next years. Why
> should anybody? They already have security proxies etc. so it is not
> important if the outside world is ipv4 or ipv6.
> And if you dont need it, then you should disable it. Its another attack
> factor thats totally unneeded, therefore measures should be taken.
In my opinion, that's a very short-sighted and counterproductive world view.
> I recommend to use IPv6 - but only in the internet facing DMZ.
> Thats where the business need will be.
That's certainly where the earliest need is, but, not the only need.
> But anybody who introduces IPv6 in the internal network without a
> business need should be fired. for a waste of human resource, harder
> troubleshooting, more error prone networks - and increased security risks.
I'm just not sure how to respond to that. Assuming the lack of business need
for IPv6 for a myriad of reasons ignores the facts of the situation:
+ There is already content that is only available on IPv6.
+ That will only increase over time.
+ The time to deploy IPv6 is long enough that waiting for that content
to be relevant to your business will place you at a disadvantage for
some (extended period of) time while you play catch up.
+ Your staff needs to gain knowledge and proficiency with IPv6.
Training and lab experiments are a great start, but, the reality is that
there is no substitute for dog-fooding.
More information about the Ipv6hackers