[ipv6hackers] my IPv6 insecurity slides

Owen DeLong owend at he.net
Fri Nov 25 23:56:56 CET 2011 

On Nov 25, 2011, at 2:55 AM, Marc Heuse wrote:

> to the opinions that shot into the same direction like
> 
> Am 23.11.2011 18:42, schrieb Arturo Servin:
>> My biggest disagreement is to recommend people to disable IPv6, that will take us no-where.
>> I agree that some environments should not enable v6 for some reasons,
> but to generalise
>> the practice seems wrong to me.
> Am 24.11.2011 21:35, schrieb Owen DeLong:
>> turn IPv6 off is still not the appropriate countermeasure
>> for a general recommendation these days.
> 
> please remember, this is ipv6-hackers and not ipv6-ops.
> in security, one of the most fundamental guidline is "disable what is
> not required".
> 

Arguing that IPv6 is not required is ignoring modern reality.

> My recommendation to disable IPv6 on internal networks is simply that.
> In my opinion, nobody needs IPv6 internally now and the next years. Why
> should anybody? They already have security proxies etc. so it is not
> important if the outside world is ipv4 or ipv6.
> And if you dont need it, then you should disable it. Its another attack
> factor thats totally unneeded, therefore measures should be taken.
> 

In my opinion, that's a very short-sighted and counterproductive world view.

> I recommend to use IPv6 - but only in the internet facing DMZ.
> Thats where the business need will be.
> 

That's certainly where the earliest need is, but, not the only need.

> But anybody who introduces IPv6 in the internal network without a
> business need should be fired. for a waste of human resource, harder
> troubleshooting, more error prone networks - and increased security risks.
> 


I'm just not sure how to respond to that. Assuming the lack of business need
for IPv6 for a myriad of reasons ignores the facts of the situation:

+	There is already content that is only available on IPv6.
+	That will only increase over time.
+	The time to deploy IPv6 is long enough that waiting for that content
	to be relevant to your business will place you at a disadvantage for
	some (extended period of) time while you play catch up.
+	Your staff needs to gain knowledge and proficiency with IPv6.
	Training and lab experiments are a great start, but, the reality is that
	there is no substitute for dog-fooding.

Owen

More information about the Ipv6hackers mailing list