[ipv6hackers] my IPv6 insecurity slides

Douglas Otis doug.mtview at gmail.com
Wed Nov 30 19:32:40 CET 2011

On *Fri Nov 25 11:55:39 CET 2011, Marc *Heuse wrote:

> please remember, this is ipv6-hackers and not ipv6-ops.
> in security, one of the most fundamental guidline is "disable what is
> not required".
> My recommendation to disable IPv6 on internal networks is simply that.
> In my opinion, nobody needs IPv6 internally now and the next years. Why
> should anybody? They already have security proxies etc. so it is not
> important if the outside world is ipv4 or ipv6.
> And if you dont need it, then you should disable it. Its another attack
> factor thats totally unneeded, therefore measures should be taken.
> I recommend to use IPv6 - but only in the internet facing DMZ.
> Thats where the business need will be.
> But anybody who introduces IPv6 in the internal network without a
> business need should be fired. for a waste of human resource, harder
> troubleshooting, more error prone networks - and increased security risks.


In most cases, SOHO/Enterprise IPv4 local networks protected by
firewall/NATs contain one or more compromised systems. :^O

Trust in any end point lacking other forms of verification risk undetected
MitM attack, which could occur with Adobe Flash updates, for example.  Even
when sessions use TLS, protection may not be effective when terminated at
NAT middleboxes.  Most SOHO/Enterprise networks prohibit port mapping, and
yet depend upon some form of push to handle things like updates.  Misplaced
confidence in local networks has made it easy for compromised systems to
spoof other hosts to cascade compromises.

Modern network or OS include routines offering alternate access to the
IPv6, such as 6to4, Teredo, ISATAP, and port mapping for LSNs.  These
strategies are more easily enabled when IPv6 is not available.  These
schemes readily permit data leakage and make spoofing easier over direct
IPv6 use.  This is especially true when IPv6 Security Associations using
existing routines could have validated each end of a session.  Establishing
stable associations for IPv4 hosts isolated within private address space in
comparison is less practical.

With IPv6, NATs are not needed.  Would you consider advocating NATs be
disabled and replaced with IPv6 over IPsec?  There should be no question
which approach would be able to scale and offer better security.  At least,
when there is a problem, data leaks are more likely detected.


More information about the Ipv6hackers mailing list