[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Jean-Michel Combes jeanmichel.combes at gmail.com
Thu Sep 22 20:31:50 CEST 2011

Hi Arturo,

2011/9/22 Arturo Servin <aservin at lacnic.net>:
> Jean,
> On 21 Sep 2011, at 19:36, Jean-Michel Combes wrote:
>> Hi Fernando,
>> First, thanks for the slides! Great job summarizing the state of the
>> art about IPv6 security!
>> Now, I have comments:
>> -  Address resolution
>> "SEND is very difficult to deploy (it requires a PKI)"
>> AFAIK, you don't need a PKI. CGA is enough to secure NS/NA exchanges.
>> Now, the main issue, IMHO, is hard-coded crypto algorithms: SHA-1,
>> that should be replaced by the future SHA-3, and RSA, which is not
>> very well adapted to constrained devices like sensors.
>> - Auto-configuration
>> "SEND is very difficult to deploy (it requires a PKI)"
>> s/PKI/RPKI (cf. draft-ietf-csi-send-cert)
>> And again, AFAIK, RIRs are currently working to deploy RPKI (e.g.,
>> http://www.rpki.net for ARIN) and openssl already allows generating
>> the needed certificates. Now I agree there is still work to deploy
>> this technology in production networks.
>   I think you are mixing concepts. RPKI doesn't have anything to do with SEND.

Please read the draft and you should see the relationship with the SIDR
WG's work and so with RPKI.

>   Regarding SEND AFAIK, you need a certificate in each device requesting network information to validate the source. For that requirement only, SEND is not easy to deploy.
>> - IPsec Support
>> "The IETF has acknowledged this fact, and is currently changing IPsec
>> support in IPv6 to “optional”"
>> Sorry, but IPsec support is still a "SHOULD" (vs. "MAY", meaning
>> optional)
>        MAY is optional, SHOULD recommended and MUST is mandatory. (RFC2119)

Agree :)

>        RFC4294 has IPSec (rfc4301) as MUST. But that's going to change soon:
> http://tools.ietf.org/html/draft-ietf-6man-node-req-bis-11
> "Previously, IPv6 mandated implementation of IPsec and recommended the
>   key management approach of IKE.  This document updates that
>   recommendation by making support of the IP Security Architecture [RFC
>   4301] a SHOULD for all IPv6 nodes. "
>        So, it is as Fernando says. It is MUST but it's going to be SHOULD.

Please, read again what I said in my previous email :)

Best regards.


>> and so IPsec is not optional unless specific constraints
>> (like sensors).
>> Now, as raised many times, the main issue with IPsec is Key Management
>> (e.g., pre-shared key, certs, EAP).
>> Best regards.
>> JMC.
> Regards,
> /as
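As an added illustration of the point raised in the thread that CGA (RFC 3972) binds an IPv6 address to a public key with no certificate or PKI involved, here is a minimal CGA generator and verifier. This is not code from the thread or from any SEND implementation; the public key bytes and the documentation prefix are constructed placeholders, not a real DER-encoded key.

```python
import hashlib
import ipaddress
import os
# RFC 3972 CGA: the interface identifier is a hash of the node's public key,
# so a signed NA from that key proves address ownership without a PKI.
# PUBKEY below is a constructed placeholder, not a real DER-encoded key.
PUBKEY = b"constructed placeholder for DER SubjectPublicKeyInfo"
PREFIX = ipaddress.IPv6Network("2001:db8::/64")  # documentation prefix

def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # Hash2: leftmost 112 bits of SHA-1(modifier | 9 zero octets | pubkey)
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]

def _hash1(modifier: bytes, prefix: bytes, collisions: int, pubkey: bytes) -> bytes:
    # Hash1: leftmost 64 bits of SHA-1(modifier | prefix | collision count | pubkey)
    return hashlib.sha1(modifier + prefix + bytes([collisions]) + pubkey).digest()[:8]

def _sec_condition(h2: bytes, sec: int) -> bool:
    # the leftmost 16*Sec bits of Hash2 must all be zero (the work factor)
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0

def generate_cga(prefix, pubkey: bytes, sec: int, modifier: bytes = b"", collisions: int = 0):
    """Return (address, modifier); the modifier is part of the CGA parameters."""
    assert 0 <= sec <= 7 and 0 <= collisions <= 2
    prefix_bytes = prefix.network_address.packed[:8]
    mod_int = int.from_bytes(modifier or os.urandom(16), "big")
    while True:  # search for a modifier that satisfies the Sec condition
        mod = mod_int.to_bytes(16, "big")
        if _sec_condition(_hash2(mod, pubkey), sec):
            break
        mod_int = (mod_int + 1) % (1 << 128)
    iid = bytearray(_hash1(mod, prefix_bytes, collisions, pubkey))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)  # Sec in the 3 leftmost bits, u/g bits cleared
    return ipaddress.IPv6Address(prefix_bytes + bytes(iid)), mod

def verify_cga(addr, modifier: bytes, collisions: int, pubkey: bytes) -> bool:
    """Check that addr was generated from pubkey (RFC 3972 section 5)."""
    if collisions not in (0, 1, 2):
        return False
    prefix_bytes, iid = addr.packed[:8], addr.packed[8:]
    sec = iid[0] >> 5
    h1 = _hash1(modifier, prefix_bytes, collisions, pubkey)
    # compare Hash1 with the IID, ignoring the Sec bits and the u/g bits
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:
        return False
    return _sec_condition(_hash2(modifier, pubkey), sec)

if __name__ == "__main__":
    addr, mod = generate_cga(PREFIX, PUBKEY, sec=1)
    print(addr, verify_cga(addr, mod, 0, PUBKEY), verify_cga(addr, mod, 0, b"other key"))
```

A verifier that receives the address, the CGA parameters (modifier, collision count, public key) and a signature over the NS/NA can thus check ownership locally; what CGA does not give you, and what the draft-ietf-csi-send-cert discussion is about, is authorization of routers, which is a separate problem.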
