[ipv6hackers] my IPv6 insecurity slides

Michael Hartwick hartwick at hartwick.com
Tue Nov 29 19:22:59 CET 2011

> -----Original Message from Fabian Wenk
> Sent: Tuesday, November 29, 2011 12:03
> To: ipv6hackers at lists.si6networks.com
> Subject: Re: [ipv6hackers] my IPv6 insecurity slides
> They use NAT already, as for the most customers, the ISPs only
> assign 1 IPv4 address to their connection. And NAT also protects the
> devices from the outside Internet, which the customers also do
> appreciate.

NAT doesn't do anything more than a stateful firewall except mangle
packet headers, which I see as a negative. The customer does not
appreciate NAT. The customer might appreciate their device not having
direct access from the Internet, but they are not the same.

> > People will not go to IPv6 to access new and better content.
> >
> > People (eyeballs) will be given IPv6 addresses because IPv4 has
> > (already) run out.
> Or the ISPs start to use NAT also on their network and putting
> customers behind one NAT gateway (like they already do with mobile
> internet). Sure when ISPs start using NAT at large on home internet
> connections, this will cause other problems, eg.

And they will start to lose some customers because of this. I have
canceled one supposed provider because they were only providing a
subset of the internet. They were filtering packets, which prevented me
from using the connection properly; the result was me canceling. If
providers are insisting on hanging everyone behind NAT then I would
hope that either they would reduce their prices to compensate the
customer for the reduced service being provided, or the customers
would change to an actual ISP who provides actual Internet access.
All of the internet is not HTTP or SMTP after all.

> > Content folks will want to provide parity to IPv4, IPv6, and
> > dual-stack eyeballs, so that is why content will go to IPv6.
> Sure, content need to go dual-stacked first.

There is a lot of content already dual-stacked; there is very little
reason not to. I have deployed dual stack without any issues; it
has been very easy and done at very little cost.

> > Users go to IPv6 because they have no choice (addresses run out,
> > people, many devices)
> But only when they get it from their ISP and everything still can be
> reached. If they only get IPv6 and no IPv4 today, they will probably
> complain to their ISP because they are not able to reach some major
> websites which only run on IPv4.

The so-called ISPs need to get their act together and deploy IPv6
to allow dual stacking before the entire IPv4 pool is depleted; that
will allow for a much more seamless transition than the
abomination known as NATxx(xxxx).

> > Content go to IPv6 to reach the users.
> It will be needed.

Everyone seems to think that the Content or the Eyeballs need to
move first. The truth is both can and should move at the same time,
and for that matter should have started years ago. I have been
running dual stack in a Content environment for well over a year,
and even longer in an Eyeball environment. My networks are fairly
small so there is obviously a scale difference which I do understand
exists and influences things. I have not encountered very many
issues on either end with being dual stacked. In fact, I have
encountered more issues with NAT in the Eyeball environment than
I ever have with IPv6.

There is concern about security issues with IPv6, but in all honesty
does anyone expect those issues to be fixed until there are enough
customers demanding the vendor fix them? By everyone avoiding
IPv6 because of security issues (real or theoretical) the customers
are not demanding the vendor fix them. Patiently waiting for a bug
to get fixed is not as effective as hundreds or thousands of customers
calling their vendor support and/or sales lines to complain that the
bug remains. A lot of the issues that will plague the IPv6 Internet
have not been resolved in the IPv4 Internet, so why would anyone
expect an IP version change to magically fix the problem? SPAM,
Botnets etc. will still exist in IPv6. NAT has done nothing to
fix those problems, but it has made it harder to trace the source of
the problem, yet people still want NAT in the IPv6 world.

> Currently there is nothing out there, which gives enough pressure to
> providers or / and ISPs to move forward with IPv6. At the current
> point it just costs money and effort without any real benefit (without
> looking at

With 13 years (RFC2460 is dated December 1998) to replace
equipment to have IPv6 capabilities there really should not be a huge
capital cost. Most providers on either end will have replaced a lot of
equipment in that time (in some cases several times). As I recall,
dialup was still in the mainstream in 1998 and I don't know of any
dialup gear that supports DSL or cable or cell. So if providers had
been planning ahead, the natural upgrade process could have most gear
being IPv6 capable today without huge extra capital expenses. Did
they do that? It certainly does not look that way. Yes, there is a cost
to rolling it out in terms of man power etc., but I suspect that
that cost will need to be incurred at some point, whether now or
next year or 5 years from now. You cannot tell me that the CGNs
will pop into existence without both capital and operating costs. The
pressure goes both ways. Eyeballs need content, content needs
eyeballs. So if the question is the "chicken or egg", the easy answer
is do both. Dual stacking does not break IPv4, so the current
functionality continues to happily chug along.

> And as pointed out above, to give internet access to home customers
> NAT at large could be used, as it is already in operation on the
> mobile phone data

So services like Skype can continue to steal my bandwidth because
you are hanging everyone behind NAT? How exactly is that fair? Was
NAT not intended as an address conservation method? It mostly
worked for that, but it has convinced a lot of people that you have
to use NAT for everything, which is not aiding in the deployment of
IPv6, which does not benefit from the address conservation that NAT
provides. I for one will shop around for different providers to avoid

Michael J. Hartwick, VE3SLQ                      hartwick at hartwick.com
Hartwick Communications Consulting                      (519) 396-7719
Kincardine, ON, CA                             http://www.hartwick.com
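The point made at the top of the thread, that a stateful firewall gives end devices the same "no unsolicited inbound" protection people attribute to NAT without rewriting headers, is easiest to see in an actual ruleset. The following is an added example, not anything posted in this thread or shipped by any project named in it: a stateful IPv6 filter for a small dual-stack router running nftables. The interface names "wan0" and "lan0", the SSH-on-the-router management rule, and the exposed host 2001:db8:1::10 (an address from the IPv6 documentation prefix) are all assumptions made for the example. There is no nat table and no masquerade rule, so LAN hosts keep their global addresses and stay traceable, yet the forward chain drops every inbound connection that no inside host asked for.

```nftables
#!/usr/sbin/nft -f
# Added example: stateful IPv6 filtering without NAT for a home/SOHO router.
# "wan0" / "lan0" and the addresses below are assumptions, not from the post.

flush ruleset

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Traffic addressed to the router itself.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMPv6 is not optional in IPv6: Neighbor Discovery, router
        # advertisements, PMTU discovery and MLD all ride on it. Blocking
        # these is the classic way an IPv6 deployment "mysteriously" breaks.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert,
                      mld-listener-query, mld-listener-report,
                      mld-listener-done } accept

        # Router management only from the LAN side (assumption: SSH on router).
        iif "lan0" tcp dport 22 accept

        # DHCPv6 client replies on the WAN come from the upstream's link-local.
        iif "wan0" udp dport 546 ip6 saddr fe80::/10 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that inside hosts opened: this one line is
        # the "protection" people credit NAT with, minus the header mangling.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may initiate anything outward.
        iif "lan0" oif "wan0" accept

        # End-to-end ICMPv6 errors must pass, or Path MTU discovery fails and
        # large transfers stall while small ones work.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept

        # Publishing a service is an explicit rule to the host's own address
        # rather than a port-forward; the host is hypothetical (doc prefix).
        iif "wan0" oif "lan0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Loading it with `nft -f` on a router that already has IPv6 routing enabled gives inside hosts outbound reachability and nothing inbound except what the forward chain names, which is the behaviour the thread argues customers actually want from "NAT". Two things worth checking after deploying such a ruleset: that `ping6` to an outside host and a large download both work from the LAN (the ICMPv6 rules are doing their job), and that an unsolicited connection from outside to an inside host is dropped by the forward chain's default policy rather than answered.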
