[ipv6hackers] my IPv6 insecurity slides

Beat Rubischon beat at 0x1b.ch
Mon Nov 28 09:18:28 CET 2011


Hi Fred!

On 26.11.11 01:22, Frederic Bovy wrote:
> On 25 Nov. 2011 at 05:55, Marc Heuse wrote:

>> But anybody who introduces IPv6 in the internal network without a
>> business need should be fired. for a waste of human resource, harder
>> troubleshooting, more error prone networks - and increased security risks.
> Do you recommend Application Layer Proxies, NAT46 or NAT-PT for these users?

It's really a good question. Today we have good rules of thumb how to
operate a company IPv4 network. Use a NAT firewall, internal DHCP and
DNS, probably some ActiveDirectory and Exchange. This is the "way to go".

When deploying IPv6 in such an environment you have a bunch of open
questions:

- How to convince the management the firewall is working?
- How to convince the users their privacy is guaranteed?
- How to handle DNS? Expose the internal DNS to the IPv6 world? Fake PTR
records for the external world? Don't care about name resolution?
- What about all those Windows 2003 and XP based systems? Run them IPv4
only and hope the ActiveDirectory won't fail?

I'm running my home network dual stack for more than 6 years. An
"academic like setup" where most of my boxes have public IPv4/IPv6
addresses. But the questions above stop me from deploying IPv6 in my
employer's network...

The only way I see currently is a deployment in large scale companies
where the border between the internet and the internal network is
already realized by proxies. You have a clean separation between the
internal infrastructure and the world. You may start by enabling the
proxies to ask for IPv6 content - you may start by enabling RFC4193
addresses inside. But for the classic small company with one to a few
hundred employees? No chance. You will be a trendsetter who will make
a lot of mistakes and invest a lot of time and money.

But of course, the main motivation is missing. There is no need to run
IPv6. No content is IPv6 _only_. Additionally, there is no longer a need to
be reachable to provide content to the internet - just post your holiday
pictures on one of the famous Web2.0 services. The people learned to
accept to be NATed from their fancy mobile devices. They learned that
they have to roll out a VPN when accessing their office documents.

The migration to IPv6 was probably started too late. It is basically
killed by Web2.0 (the second "new internet") and the smartphones.

I assume IPv6 will stay a toy for geeks like us. The 99% will be happy
when their ISPs announce "hey, from tomorrow you are firewalled" and
accept that a public IP will cost some additional $$$. They won't care
about it and we'll have enough address range for the next years.

Sounds a bit disaffected? Yes. Hopefully the world will tell me the
contrary :-)

Beat

-- 
     \|/                           Beat Rubischon <beat at 0x1b.ch>
   ( 0-0 )                             http://www.0x1b.ch/~beat/
oOO--(_)--OOo---------------------------------------------------
My experiences, thoughts and dreams: http://www.0x1b.ch/blog/
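Two of the open questions in the post above (whether only RFC 4193 unique local addresses are configured inside, and whether users' addresses leak their MAC through EUI-64 interface identifiers) can be checked mechanically. The script below is an added example, not code from the post or from the list; the address list it audits is a constructed sample standing in for what `ip -6 addr` on a few internal hosts might return, and it uses only the Python standard library.

```python
"""Audit IPv6 addresses configured on internal hosts.

Added example, not part of the mailing-list post. Given addresses collected
from hosts (here a constructed sample list), it reports for each one
  - its scope: RFC 4193 unique-local (ULA), global unicast, link-local, ...
  - whether the interface identifier is modified EUI-64 and, if so, the MAC
    address it embeds (the privacy concern raised in the thread).
"""
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")             # RFC 4193 unique local
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # RFC 4291 global unicast


def scope_of(addr: ipaddress.IPv6Address) -> str:
    """Coarse scope classification; ULA is tested before global unicast."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def embedded_mac(addr: ipaddress.IPv6Address):
    """Return the MAC embedded in a modified EUI-64 interface identifier, or None.

    Modified EUI-64 (RFC 4291, appendix A) splits the 48-bit MAC, inserts
    0xFFFE in the middle (bytes 11 and 12 of the address) and flips the
    universal/local bit (0x02) in the first MAC byte. Identifiers built by
    privacy extensions (RFC 4941) or assigned by hand normally do not match.
    """
    b = addr.packed  # 16 raw bytes; the interface identifier is b[8:16]
    if b[11] != 0xFF or b[12] != 0xFE:
        return None
    mac = bytes([b[8] ^ 0x02, b[9], b[10], b[13], b[14], b[15]])
    return ":".join(f"{x:02x}" for x in mac)


def classify(text: str):
    """Return (scope, embedded_mac_or_None) for one textual IPv6 address."""
    addr = ipaddress.IPv6Address(text)
    return scope_of(addr), embedded_mac(addr)


def audit(addresses):
    """Return human-readable findings for a list of address strings.

    Findings: global unicast addresses on hosts that were meant to carry
    only ULA prefixes, and EUI-64 identifiers that embed the MAC address.
    """
    findings = []
    for text in addresses:
        scope, mac = classify(text)
        if scope == "global":
            findings.append(f"{text}: global unicast, not an RFC 4193 ULA")
        if mac is not None:
            findings.append(f"{text}: EUI-64 identifier embeds MAC {mac}")
    return findings


# Constructed sample: what `ip -6 addr` on a few internal hosts might list.
SAMPLE = [
    "::1",
    "fe80::211:22ff:fe33:4455",          # link-local, EUI-64 from 00:11:22:33:44:55
    "fd12:3456:789a::1",                 # RFC 4193 ULA, manually assigned
    "2001:db8:1::211:22ff:fe33:4455",    # global (documentation prefix), EUI-64
    "2001:db8:1::a1b2:c3d4:e5f6:7788",   # global, random (privacy-style) identifier
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Run against the sample, the audit lists two global addresses and two EUI-64 identifiers (one of them on the link-local address, which leaks the MAC only on-link). The "2000::/3" test is used instead of `IPv6Address.is_global` because the latter treats the 2001:db8::/32 documentation prefix as non-global, which would hide exactly the kind of sample addresses used here.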
