[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Owen DeLong owend at he.net
Tue Sep 27 03:28:41 CEST 2011


I will point out that NDP spoofing is no worse than ARP spoofing in IPv4,
so, I'm not sure how you can say that it is not an equivalent level of first
hop security.

Owen

On Sep 26, 2011, at 6:26 PM, Jim Small wrote:

>> Rather than making claims about "improved security", we should raise
>> awareness about IPv6 security challenges, such that they are mitigated,
>> and the security level of the involved networks does not *decrease*.
> 
> Sure. I try to convince people in every presentation of mine that IPv6
> doesn't bring any security benefits (instead of sites like ipv6.com).
> The problem is that IPv6 protagonists do not want to hear such arguments
> and always claim that it is not too bad etc. As a result of that we can
> see common IT staff very frustrated with IPv6 (of course, I mean the
> people who have started working with IPv6). The sad reality is that it is just
> impossible to properly secure an IPv6 network today. Even mitigation of
> security problems with IPv6 will cost you a fortune and still you will not
> have an equivalent security level as in IPv4 - especially in first hop
> security.
> 
> [JRS>] IPv6 brings many benefits and the potential for superior security to IPv4. The biggest challenge I see is that in order to achieve increased security, all the vendors supporting IPv6 must choose to implement the enhanced security components. SeND is a perfect example. This would neatly solve many if not all of the issues with NDP spoofing. However, to the best of my knowledge, it's not even in the mainline Linux/BSD kernels. Microsoft and Apple seem to have no interest in it. So while a solution is available and implemented by some (Cisco), unless all parties choose to implement it, enhanced security will remain elusive. The same problem exists for mobility (MIPv6), multihoming (SHIM6), and other solutions (Location/Identity separation options). Any ideas on this?
> 
> --Jim



