[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Eric Vyncke (evyncke) evyncke at cisco.com
Thu Sep 22 09:35:11 CEST 2011


Indeed, right to the spot: SEND per se works (and CGA does not require PKI) but it is not implemented in Windows & Apple (and AFAIK they have little incentive to do it: IPv6 parity with IPv4 where ARP was wide open to attack). I am afraid that OS vendors simply rely on network/switch vendors to come up with a security mitigation technique (à la SAVI).

-éric

> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> bounces at lists.si6networks.com] On Behalf Of Jim Small
> Sent: jeudi 22 septembre 2011 02:21
> To: IPv6 Hackers Mailing List
> Subject: Re: [ipv6hackers] IPv6 security presentation at Hack.lu 2011
> 
> The problem with SeND is limited O/S implementations.  I know there is Linux
> support, but Windows doesn't support it and I don't believe OS X does
> either.  There are many ideas for IPv6 security, mobility (MIPv6), and
> multi-homing (SHIM6) - but without mainstream native O/S support they seem
> to be limited to a lab.  My impression is that Microsoft and Apple have
> essentially no interest in these areas.
> 
> --Jim
> 
> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> bounces at lists.si6networks.com] On Behalf Of Jean-Michel Combes
> Sent: Wednesday, September 21, 2011 6:36 PM
> To: IPv6 Hackers Mailing List
> Subject: Re: [ipv6hackers] IPv6 security presentation at Hack.lu 2011
> 
> Hi Fernando,
> 
> First, thanks for the slides! Great job summarizing the state of the
> art about IPv6 security!
> 
> Now, I have comments:
> -  Address resolution
> "SEND is very difficult to deploy (it requires a PKI)"
> AFAIK, you don't need a PKI. CGA is enough to secure NS/NA exchanges.
> Now, the main issue, IMHO, is hard-coded crypto algorithms: SHA-1,
> that should be replaced by the future SHA-3, and RSA, which is not
> very well adapted to constrained devices like sensors.
> - Auto-configuration
> "SEND is very difficult to deploy (it requires a PKI)"
> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
> http://www.rpki.net for ARIN) and openssl already allows generating
> the needed certificates. Now I agree there is still work to deploy
> this technology in product networks.
> - IPsec Support
> "The IETF has acknowledged this fact, and is currently changing IPsec
> support in IPv6 to "optional""
> Sorry, but IPsec support is still a "SHOULD" (vs. "MAY" meaning
> optional) and so IPsec is not optional unless specific constraints
> (like sensors).
> Now, as raised many times, the main issue with IPsec is Key Management
> (e.g., pre-shared key, certs, EAP).
> 
> Best regards.
> 
> JMC.
> 
> 2011/9/21 Fernando Gont <fgont at si6networks.com>:
> > Folks,
> >
> > We have uploaded the slides of the IPv6 Security talk I gave at Hack.lu
> > 2011. The slides are available at:
> > <http://www.si6networks.com/presentations/hacklu2011/fgont-hacklu2011-ipv6-security.pdf>
> >
> > If there are any topics in the slides that you think might benefit
> > from debate/discussion/brainstorming, please feel free to post to the
> > list.
> >
> > Thanks!
> > --
> > Fernando Gont
> > SI6 Networks
> > e-mail: fgont at si6networks.com
> > PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> >
> >
> >
> > _______________________________________________
> > Ipv6hackers mailing list
> > Ipv6hackers at lists.si6networks.com
> > http://lists.si6networks.com/listinfo/ipv6hackers
> >
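An added example, not part of the original thread: the CGA generation and verification steps of RFC 3972, showing how a receiver checks that an address is bound to a public key using only the parameters sent with the message (no certificate chain), and where SHA-1 is fixed by the format. The function names and the sample key bytes are assumptions made for illustration; extension fields are omitted, and the RSA signature that SEND adds on top of this check is not shown.

```python
import hashlib
import ipaddress

MASK = 0x1CFFFFFFFFFFFFFF  # ignore Sec bits (0-2) and u/g bits (6-7) of the interface ID

def _hash2_ok(modifier, pubkey, sec):
    # Hash2: leftmost 112 bits of SHA-1(modifier | 9 zero octets | key);
    # its 16*sec leftmost bits must be zero.
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]
    return h2[:2 * sec] == bytes(2 * sec)

def _hash1(modifier, prefix, collisions, pubkey):
    # Hash1: leftmost 64 bits of SHA-1(modifier | prefix | collision count | key)
    data = modifier + prefix + bytes([collisions]) + pubkey
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")

def cga_generate(prefix, pubkey, sec=1, start=0):
    """Return (address, modifier). prefix is 8 bytes, pubkey the encoded key."""
    m = start
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % (1 << 128)  # brute-force cost grows as 2^(16*sec)
    modifier = m.to_bytes(16, "big")
    iid = (_hash1(modifier, prefix, 0, pubkey) & MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier

def cga_verify(address, modifier, prefix, collisions, pubkey):
    """Receiver-side check using only the CGA parameters carried in the message."""
    raw = ipaddress.IPv6Address(address).packed
    if collisions not in (0, 1, 2) or raw[:8] != prefix:
        return False
    iid = int.from_bytes(raw[8:], "big")
    if (_hash1(modifier, prefix, collisions, pubkey) & MASK) != (iid & MASK):
        return False
    return _hash2_ok(modifier, pubkey, iid >> 61)  # Sec is read from the address

# Constructed sample input: stand-in bytes, not real DER-encoded RSA keys.
PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]
OWNER_KEY = b"constructed-owner-public-key"
OTHER_KEY = b"constructed-other-public-key"

if __name__ == "__main__":
    addr, mod = cga_generate(PREFIX, OWNER_KEY)
    print(addr, cga_verify(addr, mod, PREFIX, 0, OWNER_KEY))
    print("other key accepted:", cga_verify(addr, mod, PREFIX, 0, OTHER_KEY))
```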


