[ipv6hackers] IPv6 security presentation at Hack.lu 2011
Jean-Michel Combes
jeanmichel.combes at gmail.com
Thu Sep 22 20:31:50 CEST 2011
Hi Arturo,
2011/9/22 Arturo Servin <aservin at lacnic.net>:
> Jean,
>
> On 21 Sep 2011, at 19:36, Jean-Michel Combes wrote:
>
>> Hi Fernando,
>>
>> At first thanks for the slides! Great job summarizing the state of the
>> art about IPv6 security!
>>
>> Now, I have comments:
>> - Address resolution
>> "SEND is very difficult to deploy (it requires a PKI)"
>> AFAIK, you don't need a PKI. CGA is enough to secure NS/NA exchanges.
>> Now, the main issue, IMHO, is hard-coded crypto algorithms: SHA-1,
>> that should be replaced by the future SHA-3, and RSA, which is not
>> very well adapted to constrained devices like sensors.
>> - Auto-configuration
>> "SEND is very difficult to deploy (it requires a PKI)"
>> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
>> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
>> http://www.rpki.net for ARIN) and openssl already allows generating
>> the needed certificates. Now I agree there is still work to deploy
>> this technology in production networks.
>
> I think you are mixing concepts. RPKI does not have anything to do with SEND.
Please read the draft and you should see the relationship with the SIDR
WG's work and so with RPKI.
>
> Regarding SEND AFAIK, you need a certificate in each device requesting network information to validate the source. For that requirement only, SEND is not easy to deploy.
>
>
>> - IPsec Support
>> "The IETF has acknowledged this fact, and is currently changing IPsec
>> support in IPv6 to “optional”"
>> Sorry, but IPsec support is still a "SHOULD" (vs. "MAY", meaning
>> optional)
>
> MAY is optional, SHOULD recommended and MUST is mandatory. (RFC2119)
Agree :)
>
> RFC4294 has IPSec (rfc4301) as MUST. But that's going to change soon:
>
> http://tools.ietf.org/html/draft-ietf-6man-node-req-bis-11
>
> "Previously, IPv6 mandated implementation of IPsec and recommended the
> key management approach of IKE. This document updates that
> recommendation by making support of the IP Security Architecture [RFC
> 4301] a SHOULD for all IPv6 nodes. "
>
> So, it is as Fernando says. It is MUST but it's going to be SHOULD.
Please, read again what I said in my previous email :)
Best regards.
JMC.
>
>> and so IPsec is not optional unless specific constraints
>> (like sensors).
>> Now, as raised many times, the main issue with IPsec is Key Management
>> (e.g., pre-shared key, certs, EAP).
>
>>
>> Best regards.
>>
>> JMC.
>
>
> Regards,
> /as
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>