[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Eric Vyncke (evyncke) evyncke at cisco.com
Thu Sep 22 09:33:06 CEST 2011

Fernando & Douglas,

Just to focus on the point whether enabling IPv6 is good or not... which is I think the major disagreement that I have with Fernando's points.

I would hate to do 'rogue access points' again but with IPv6. IPv6 is there, whether we like it or not, at the very heart of enterprises data centers thanks to Windows 2008 (there any IPS in the DC will not detect IPv6 attacks between Windows server -- assuming that one has been compromised)

Security people saying 'NO' are looking for trouble, they should say 'YES, BUT' :-)

My point is that indeed organizations should move to IPv6 but this must be planned with training, education, ... then deploying at least IPv6-aware IPS/Netflow/IPFIX/... and buying network devices that could deploy safely IPv6 (including layer-2 mitigation). CISO cannot be blinded.

Then, there are pretty good business reasons to deploy IPv6 in the coming months.

Or did I misread your point?



> > It is wrong to suggest _not_ enabling IPv6
> > in a network offers improved protections.
> Well, I'd not say that it "provides improved protection", but rather
> than "does not increase risk".
> IPv6 (as any technology that you'd enable in addition to what you're
> already using), will add more pieces to the puzzle, increase complexity,
> and increase the number of potential vulnerabilities that could be
> exploited.
> > The statement 'Training is needed for engineers, technicians, security
> > personnel, etc., before the IPv6 network is running.' is also
> > deceptive.  Unless extraordinary measures are taken which are also
> > likely to disable desired functionality, it would be wrong to suggest
> > IPv6 is not enabled in some fashion.  IPv6 must be considered analogous
> > to that of a gun where security demands that it always be considered
> > loaded.
> If I don't know how to handle a gun, I'd probably wouldn't have one in
> the first place. But if I *was* handled one, then I'd probably leave it
> as quite as possible, rather than start loading bullets and playing with
> the trigger, as if I knew what I was doing....

More information about the Ipv6hackers mailing list