[ipv6hackers] my IPv6 insecurity slides

Cameron Byrne cb.list6 at gmail.com
Mon Nov 28 20:49:32 CET 2011


On Mon, Nov 28, 2011 at 12:18 AM, Beat Rubischon <beat at 0x1b.ch> wrote:
> Hi Fred!
>
> On 26.11.11 01:22, Frederic Bovy wrote:
>> Le 25 nov. 2011 à 05:55, Marc Heuse a écrit :
>
>>> But anybody who introduces IPv6 in the internal network without a
>>> business need should be fired. for a waste of human resource, harder
>>> troubleshooting, more error prone networks - and increased security risks.
>> Do you recommend  Application Layer Proxies,  NAT46 or NAT-PT for these users ?
>
> It's really a good question. Today we have good rules of thumb how to
> operate a company IPv4 network. Use a NAT firewall, internal DHCP and
> DNS, probably some ActiveDirectory and Exchange. This is the "way to go".
>
> When deploying IPv6 in such an environment you have a bunch of open
> questions:
>
> - How to convince the management the firewall is working?
> - How to convince the users their privacy is guaranteed?
> - How to handle DNS? Expose the internal DNS to the IPv6 world? Fake PTR
> records for the external world? Don't care about name resolution?
> - What about all those Windows 2003 and XP based systems? Run them IPv4
> only and hope the ActiveDirectory won't fail?
>
> I'm running my home network dual stack for more then 6 years. An
> "academic like setup" where most of my boxes have public IPv4/IPv6
> addresses. But the upper questions stops me from deploying IPv6 in my
> employers network...
>
> The only way I see currently is a deployment in large scale companies
> where the border between the internet and the internal network is
> already realized by proxies. You have a clean separation between the
> internal infrastructure and the world. You may start by enabling the
> proxies to ask for IPv6 content - you may start by enabling RFC4193
> addresses inside. But for the classic small company with one to a few
> hundreds employees? No chance. You will be a trendsetter which will make
> a lot of mistakes and invest a lot of time and money.
>
> But of course, the main motivation is missing. There is no need to run
> IPv6. No content is IPv6 _only_. Additional there is no longer a need to
> be reachable to provide content to the internet - just post your holiday
> pictures on one of the famous Web2.0 services. The people learned to
> accept to be NATed from their fancy mobile devices. They learned that
> they have to roll out a VPN when accessing their office documents.
>
> The migration to IPv6 was probably started to late. It is basically
> killed by Web2.0 (the second "new internet") and the smartphones.
>

trying to resist the need to send email....giving up...

I would say the Smartphones on IPv6 are one of the reasons to go to IPv6.

It is not servers (content) running out of IPv4 addresses that is the
issue.  It is that the network edge of eyeballs that is growing
fast... More people are coming online and more people have 2,3,4
devices that need IP addresses.

People will not go to IPv6 to access new and better content.

People (eyeballs) will be given IPv6 addresses because IPv4 has
(already) run out.

Content folks will want to provide parity to IPv4, IPv6, and
dual-stack eyeballs, so that is why content will go to IPv6.

User go to IPv6 because they have no choice (addresses run out, many
people, many devices)

Content go to IPv6 to reach the users.

done and done.

> I assume IPv6 will stay a toy for geeks like us. The 99% will be happy
> when their ISPs annouces "hey, from tomorrow you are firewalled" and
> accept that a public IP will cost some additional $$$. They won't care
> about it and we'll have enough address range for the next years.
>
> Sounds a bit disaffected? Yes. Hopefully the world will tell me the
> contrary :-)
>
> Beat
>
> --
>     \|/                           Beat Rubischon <beat at 0x1b.ch>
>   ( 0-0 )                             http://www.0x1b.ch/~beat/
> oOO--(_)--OOo---------------------------------------------------
> Meine Erlebnisse, Gedanken und Traeume: http://www.0x1b.ch/blog/
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>



More information about the Ipv6hackers mailing list