[ipv6hackers] IPv6 security presentation at Hack.lu 2011
Jim Small
jim.small at cdw.com
Thu Sep 22 02:21:06 CEST 2011
The problem with SeND is limited O/S implementations. I know there is Linux support, but Windows doesn't support it and I don't believe OS X does either. There are many ideas for IPv6 security, mobility (MIPv6), and multi-homing (SHIM6) - but without mainstream native O/S support they seem to be limited to a lab. My impression is that Microsoft and Apple have essentially no interest in these areas.
--Jim
-----Original Message-----
From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Jean-Michel Combes
Sent: Wednesday, September 21, 2011 6:36 PM
To: IPv6 Hackers Mailing List
Subject: Re: [ipv6hackers] IPv6 security presentation at Hack.lu 2011
Hi Fernando,
First, thanks for the slides! Great job summarizing the state of the
art about IPv6 security!
Now, I have comments:
- Address resolution
"SEND is very difficult to deploy (it requires a PKI)"
AFAIK, you don't need a PKI. CGA is enough to secure NS/NA exchanges.
Now, the main issue, IMHO, is hard-coded crypto algorithms: SHA-1,
that should be replaced by the future SHA-3, and RSA, which is not
very well adapted to constrained devices like sensors.
- Auto-configuration
"SEND is very difficult to deploy (it requires a PKI)"
s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
http://www.rpki.net for ARIN) and openssl already allows generating
the needed certificates. Now I agree there is still work to deploy
this technology in product networks.
- IPsec Support
"The IETF has acknowledged this fact, and is currently changing IPsec
support in IPv6 to "optional""
Sorry, but IPsec support is still a "SHOULD" (vs. "MAY" meaning
optional) and so IPsec is not optional unless specific constraints
(like sensors).
Now, as raised many times, the main issue with IPsec is Key Management
(e.g., pre-shared key, certs, EAP).
Best regards.
JMC.
2011/9/21 Fernando Gont <fgont at si6networks.com>:
> Folks,
>
> We have uploaded the slides of the IPv6 Security talk I gave at Hack.lu
> 2011. The slides are available at:
> <http://www.si6networks.com/presentations/hacklu2011/fgont-hacklu2011-ipv6-security.pdf>
>
> If there are any topics in the slides that you think might benefit
> from debate/discussion/brainstorming, please feel free to post to the list.
>
> Thanks!
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>
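The CGA address-to-key binding referred to in the reply above (the part of SEND that works without a PKI, and where SHA-1 is hard-coded), as an added example that is not from any poster in this thread. It follows the generation and verification steps of RFC 3972 without extension fields; the public-key bytes and the 2001:db8::/64 prefix are constructed placeholders, and a real SEND node would use a DER-encoded RSA key and also sign the ND message with it.

```python
import hashlib
import ipaddress

# Constructed sample inputs (assumptions, not from the thread).
PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]
PUBKEY = b"constructed-placeholder-for-DER-encoded-RSA-public-key"

# RFC 3972 comparison mask: ignore the 3 Sec bits and the u/g bits.
MASK = 0x1CFFFFFFFFFFFFFF

def _hash1(modifier, prefix, collisions, pubkey):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters structure."""
    data = modifier + prefix + bytes([collisions]) + pubkey
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")

def _hash2_ok(modifier, pubkey, sec):
    """True if the leftmost 16*Sec bits of Hash2 are zero."""
    digest = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return digest[:2 * sec] == bytes(2 * sec)

def generate(prefix, pubkey, sec=1):
    """Search for a modifier that satisfies Hash2, then derive the address."""
    m = 0  # RFC 3972 starts from a random modifier; 0 keeps the demo repeatable
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m += 1
    modifier = m.to_bytes(16, "big")
    iid = (_hash1(modifier, prefix, 0, pubkey) & MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier

def verify(addr, modifier, collisions, pubkey):
    """Receiver-side check: does this address belong to this public key?"""
    prefix, iid = addr.packed[:8], int.from_bytes(addr.packed[8:], "big")
    if collisions not in (0, 1, 2):
        return False
    if (_hash1(modifier, prefix, collisions, pubkey) & MASK) != (iid & MASK):
        return False
    return _hash2_ok(modifier, pubkey, iid >> 61)  # Sec is read from the address

if __name__ == "__main__":
    addr, modifier = generate(PREFIX, PUBKEY)
    print("CGA:", addr)
    print("owner key accepted:", verify(addr, modifier, 0, PUBKEY))
    print("other key accepted:", verify(addr, modifier, 0, b"other key"))
```

The receiver needs only the address and the CGA parameters carried in the message, with no certificate chain; both hashes are fixed to SHA-1, which is the hard-coding the reply points at.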