[ipv6hackers] my IPv6 insecurity slides

Frederic Bovy fred at fredbovy.com
Sat Nov 26 01:28:15 CET 2011


+1


On 25 Nov 2011, at 17:56, Owen DeLong wrote:

> 
> On Nov 25, 2011, at 2:55 AM, Marc Heuse wrote:
> 
>> to the opinions that shot into the same direction like
>> 
>> On 23.11.2011 18:42, Arturo Servin wrote:
>>> My biggest disagreement is to recommend people to disable IPv6, that will take us nowhere.
>>> I agree that some environments should not enable v6 for some reasons, but to generalise
>>> the practice seems wrong to me.
>> On 24.11.2011 21:35, Owen DeLong wrote:
>>> turn IPv6 off is still not the appropriate countermeasure
>>> for a general recommendation these days.
>> 
>> please remember, this is ipv6-hackers and not ipv6-ops.
>> in security, one of the most fundamental guidelines is "disable what is
>> not required".
>> 
> 
> Arguing that IPv6 is not required is ignoring modern reality.
> 
>> My recommendation to disable IPv6 on internal networks is simply that.
>> In my opinion, nobody needs IPv6 internally now and the next years. Why
>> should anybody? They already have security proxies etc. so it is not
>> important if the outside world is ipv4 or ipv6.
>> And if you don't need it, then you should disable it. It's another attack
>> factor that's totally unneeded, therefore measures should be taken.
>> 
> 
> In my opinion, that's a very short-sighted and counterproductive world view.
> 
>> I recommend to use IPv6 - but only in the internet facing DMZ.
>> That's where the business need will be.
>> 
> 
> That's certainly where the earliest need is, but, not the only need.
> 
>> But anybody who introduces IPv6 in the internal network without a
>> business need should be fired. for a waste of human resource, harder
>> troubleshooting, more error prone networks - and increased security risks.
>> 
> 
> 
> I'm just not sure how to respond to that. Assuming the lack of business need
> for IPv6 for a myriad of reasons ignores the facts of the situation:
> 
> +	There is already content that is only available on IPv6.
> +	That will only increase over time.
> +	The time to deploy IPv6 is long enough that waiting for that content
> 	to be relevant to your business will place you at a disadvantage for
> 	some (extended period of) time while you play catch up.
> +	Your staff needs to gain knowledge and proficiency with IPv6.
> 	Training and lab experiments are a great start, but, the reality is that
> 	there is no substitute for dog-fooding.
> 
> Owen
> 