[ipv6hackers] IPv6 security presentation at Hack.lu 2011

[Jim Small]

I just wanted to point out on this thread:

> In addition it would be appropriate to assume there WILL be an IPv6
> firewall when IPv6 is enabled.  Alternatively, it would be wrong to
> assume any effective IPv6 firewall exists otherwise.  Perhaps you could
> replace "disable IPv6" with "disable Protocol 41" instead. :^)

"Disable proto 41" sounds good for referring to packets being filtered
at a firewall. However, other (not mutually exclusive) options are
avialable, such as disabling v6 suppport at the OS.

[JRS>] -and-

> Exactly.  Any compromised system within a LAN can easily set up IPv6
> connectivity, specifically because a lax approach was taken where not
> enabling IPv6 was seen as offering improved security. :^(

If you disable IPv6 in the sense of removing support for it, that attack
is not possible.


[JRS>] Specifically with Windows Vista/7/Server 2008/R2 and later IPv6 is a core part of the Operating System.  Many features require IPv6 and will not work if you disable it including HyperV, TMG, Exchange, SBS Server, DirectAccess, HomeGroups, and Peer-to-Peer Networking.

I think we all agree there is a clear need for IPv6 and IPv4 is reaching the limits of its scalability.  I like Fernando's approach of submitting drafts with suggestions where issues are discovered.  I believe the focus should be on encouraging vendors to adopt existing solutions, maintain or achieve parity with IPv4 features, address limitations/vulnerabilities discovered, and actively participate in the IETF and other forums to drive and improve IPv6.

--Jim