[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Arturo Servin aservin at lacnic.net
Thu Sep 22 02:37:11 CEST 2011


On 21 Sep 2011, at 19:36, Jean-Michel Combes wrote:

> Hi Fernando,
> At first thanks for the slides! Great job summarizing the state of the
> art about IPv6 security!
> Now, I have comments:
> -  Address resolution
> "SEND is very difficult to deploy (it requires a PKI)"
> AFAIK, you don't need a PKI. CGA is enough to secure NS/NA exchanges.
> Now, the main issue, IMHO, is hard-coded crypto algorithms: SHA-1,
> that should be replaced by the future SHA-3, and RSA, which is not
> very well adapted to constrained devices like sensors.
> - Auto-configuration
> "SEND is very difficult to deploy (it requires a PKI)"
> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
> http://www.rpki.net for ARIN) and openssl already allows to generate
> the needed certificates. Now I agree there is still work to deploy
> this technology in product networks.

   I think your are mixing concepts. RPKI does have to do anything with SEND.

   Regarding SEND AFAIK, you need a certificate in each device requesting network information to validate the source. For that requirement only, SEND is not easy to deploy.

> - IPsec Support
> "The IETF has acknowledged this fact, and is currently changing IPsec
> support in IPv6 to “optional”"
> Sorry, but IPsec support is still a "SHOULD" (v.s. "MAY" meaning
> optional)

	MAY is optional, SHOULD recommended and MUST is mandatory. (RFC2119)

	RFC4294 has IPSec (rfc4301) as MUST. But that's going to change soon:


"Previously, IPv6 mandated implementation of IPsec and recommended the
   key management approach of IKE.  This document updates that
   recommendation by making support of the IP Security Architecture [RFC
   4301] a SHOULD for all IPv6 nodes. "

	So, it is as Fernando say. It is MUST but it's going to be SHOULD.

> and so IPsec is not optional unless specific constraints
> (like sensors).
> Now, as raised many times, the main issue with IPsec is Key Management
> (e.g., pre-shared key, certs, EAP).

> Best regards.
> JMC.


More information about the Ipv6hackers mailing list