[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Jim Small jim.small at cdw.com
Tue Sep 27 03:26:23 CEST 2011


> Rather than making claims about "improved security", we should raise
> awareness about IPv6 security challenges, such that they are mitigated,
> and the security level of the involved networks does not *decrease*.

Sure. I try to convince people in every one of my presentations that IPv6
doesn't bring any security benefits (instead of sites like ipv6.com).
The problem is that IPv6 protagonists do not want to hear such arguments
and always claim that it is not too bad etc. As a result of that we can
see common IT staff very frustrated with IPv6 (of course, I mean the
people who have started working with IPv6). The sad reality is that it is
just impossible to properly secure an IPv6 network today. Even mitigation
of security problems with IPv6 will cost you a fortune and still you will
not have an equivalent security level as in IPv4 - especially in first-hop
security.

[JRS>] IPv6 brings many benefits and the potential for superior security to IPv4. The biggest challenge I see is that in order to achieve increased security, all the vendors supporting IPv6 must choose to implement the enhanced security components. SeND is a perfect example. This would neatly solve many if not all of the issues with NDP spoofing. However, to the best of my knowledge, it's not even in the mainline Linux/BSD kernels. Microsoft and Apple seem to have no interest in it. So while a solution is available and implemented by some (Cisco), unless all parties choose to implement it, enhanced security will remain elusive. The same problem exists for mobility (MIPv6), multihoming (SHIM6), and other solutions (Location/Identity separation options). Any ideas on this?

--Jim





