[ipv6hackers] IPv6 security presentation at Hack.lu 2011
jim.small at cdw.com
Tue Sep 27 04:30:42 CEST 2011
05/2011 IPv6 - Security Issues - IPSec does "solve" everything
09/2011 Deploying IPv6 in University Campus Network
(starting slide 26 there are touched some issues that we feel them as
are very problematic - specially in a security area).
[JRS>] For problem 1, very nice write up and demonstration of the complexities/issues with address auto-configuration. For problem 2, impact on existing IPv4 infrastructure - for the most part this exists today. You can do ARP poisoning/spoofing and you can just as easily enable a rogue DHCPv4 server. The only real difference here is that because you can fragment NDP a malicious attacker is much harder to block. For someone accidentally enabling RAs/DHCPv6 this can be blocked with RA Guard/Port ACLs. For problem 3 - as has been discussed and shown there are solutions but the question remains will they be adopted/implemented? I do not agree with your conclusion for problem number 4. There are many benefits to IPv6. IPv4+NAT smothers innovation, especially for communications. It is ironic that the Internet was created for communication and yet IPv4+NAT makes this very difficult and requires 3rd party gateways. IPv6 restores this, at least partially by removing the need for NAT. For number 5 it really depends on who. Actually Cisco and Microsoft has excellent IPv6 VPN solutions. Cisco is closing in on feature parity between IPv4 and IPv6. Microsoft has also done fairly well in this regard. But you are correct in that some solutions/vendors have poor IPv6 support. For problem 6, privacy extensions can be disabled although this can be an issue for non-managed devices. I'm not sure what you mean by Netflow - v9/IPFIX support IPv6. DHCPv6 does have issues to work through but I think you captured this in problem 1. NAT is its own topic but where you talk about the benefits (and there are some), you should also talk about the drawbacks which are just as numerous. IPv6 tends to result in more tunnels too, but this really isn't a new issue - these exist today in IPv4. I will say that on a decent sized network with IPv6 IPAM becomes a necessity. Problem 7 is an issue. I think it is likely IPv4 will disappear off the Internet in less than 10 years. However, within our intranets it will likely persist for a long time most likely out lasting all of us. :-) This is added complexity but I think it's unlikely a solution will emerge to eliminate it. Just like with AppleTalk, IPX, SNA, DECnet and other legacy protocols as long as it is needed it will persist. I do not agree with problem 8. Newer development languages abstract addressing. If you use the right development tools you will most likely be oblivious to the addressing system. This is really only an issue for network administrators and people who write device drivers and the like. I like the presentation overall and agree that we need to have frank discussions and push vendors to solve existing problems.
More information about the Ipv6hackers