[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Jean-Michel Combes jeanmichel.combes at gmail.com
Thu Sep 22 00:36:17 CEST 2011


Hi Fernando,

First, thanks for the slides! Great job summarizing the state of the
art about IPv6 security!

Now, I have comments:
- Address resolution
"SEND is very difficult to deploy (it requires a PKI)"
AFAIK, you don't need a PKI. CGA is enough to secure NS/NA exchanges.
Now, the main issue, IMHO, is hard-coded crypto algorithms: SHA-1,
that should be replaced by the future SHA-3, and RSA, which is not
very well adapted to constrained devices like sensors.
- Auto-configuration
"SEND is very difficult to deploy (it requires a PKI)"
s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
http://www.rpki.net for ARIN) and openssl already allows generating
the needed certificates. Now I agree there is still work to deploy
this technology in product networks.
- IPsec Support
"The IETF has acknowledged this fact, and is currently changing IPsec
support in IPv6 to “optional”"
Sorry, but IPsec support is still a "SHOULD" (vs. "MAY" meaning
optional) and so IPsec is not optional unless there are specific
constraints (like sensors).
Now, as raised many times, the main issue with IPsec is Key Management
(e.g., pre-shared key, certs, EAP).

Best regards.

JMC.

2011/9/21 Fernando Gont <fgont at si6networks.com>:
> Folks,
>
> We have uploaded the slides of the IPv6 Security talk I gave at Hack.lu
> 2011. The slides are available at:
> <http://www.si6networks.com/presentations/hacklu2011/fgont-hacklu2011-ipv6-security.pdf>
>
> If there are any topics in the slides that you think might benefit
> from debate/discussion/brainstorming, please feel free to post to the list.
>
> Thanks!
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>
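
Added example (not part of the original message, and not code from any SEND implementation): the RFC 3972 CGA binding between an IPv6 address and a public key, which is what lets a receiver check the sender of an NS/NA without a PKI, and which shows where SHA-1 is fixed by the specification. The prefix and key bytes are constructed stand-ins; the RSA signature check that proves possession of the private key is outside this example.

```python
import hashlib
import ipaddress

IID_MASK = 0x1CFFFFFFFFFFFFFF  # RFC 3972: ignore Sec bits (0-2) and u/g bits (6-7)
PREFIX = bytes.fromhex("20010db800000001")  # constructed: 2001:db8:0:1::/64
KEY_A = b"constructed stand-in for host A's DER-encoded RSA public key"
KEY_B = b"constructed stand-in for a different host's DER-encoded key"

def _sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()  # the hash is fixed to SHA-1 by the CGA spec

def hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Leftmost 16*Sec bits of SHA-1(modifier | 9 zero octets | key) must be zero."""
    h2 = int.from_bytes(_sha1(modifier + bytes(9) + pubkey)[:14], "big")  # 112 bits
    return h2 >> (112 - 16 * sec) == 0

def generate_cga(prefix: bytes, pubkey: bytes, sec: int = 0, modifier: int = 0):
    """Return (address, modifier) for a 64-bit prefix; collision count is 0."""
    while not hash2_ok(modifier.to_bytes(16, "big"), pubkey, sec):
        modifier = (modifier + 1) % (1 << 128)  # brute force grows as 2^(16*Sec)
    mod = modifier.to_bytes(16, "big")
    hash1 = int.from_bytes(_sha1(mod + prefix + b"\x00" + pubkey)[:8], "big")
    iid = (hash1 & IID_MASK) | (sec << 61)  # write Sec, clear the u and g bits
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), mod

def verify_cga(addr, modifier: bytes, prefix: bytes, coll: int, pubkey: bytes) -> bool:
    """Receiver-side check that addr was derived from pubkey; no certificate involved."""
    raw = ipaddress.IPv6Address(addr).packed
    if coll not in (0, 1, 2) or len(modifier) != 16 or raw[:8] != prefix:
        return False
    iid = int.from_bytes(raw[8:], "big")
    hash1 = int.from_bytes(_sha1(modifier + prefix + bytes([coll]) + pubkey)[:8], "big")
    if (hash1 ^ iid) & IID_MASK:  # interface identifier must match Hash1
        return False
    return hash2_ok(modifier, pubkey, iid >> 61)  # Sec is read from the address

if __name__ == "__main__":
    address, mod = generate_cga(PREFIX, KEY_A, sec=1)
    print(address, verify_cga(address, mod, PREFIX, 0, KEY_A))
    # A host claiming the same address with its own key fails the check.
    print(verify_cga(address, mod, PREFIX, 0, KEY_B))
```
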
