[ipv6hackers] IPv6 security presentation at Hack.lu 2011

[Douglas Otis]

On 9/27/11 7:17 AM, Fernando Gont wrote:
>  Hi, Enno,
...
>  Yeas ago, you couldn't rely *only* on SLAAC, since it didn't yet
>  support the RDNSS option (which is vital in most network deployments)
>  -- even with RDNSS now *specified*, it is still not widely deployed,
>  and hence you cannot rely on SLAAC alone.
>
>  OTOH, you cannot rely on DHCPv6 alone if you cannot get a default
>  route with it.

DHCP is not needed when there is a desire to simplify the network 
architecture.  RFC5006 introduced RDNSS in 2007, and was upgraded to 
standards track in 2010 where DNS Search Lists (DNSSL) option was also 
included.  It should also be noted a large IPv6 provider's CPE supported 
the RDNSS option for years with their 6RD deployment.  With SRV records 
and DNSSL, there is also no need for service related information to be 
published by DHCP either.  Progress in simplification is being made with 
Free.fr's deployment representing a sizable percentage of the world's 
IPv6 of Internet access traffic.
See http://en.wikipedia.org/wiki/Free_%28ISP%29

http://tools.ietf.org/html/draft-ietf-csi-send-cert-10 can also answer 
the question whether an RA is from an authorized device.

Real LAN based security remains possible with SeND, and eventually DANE 
although this represents a dramatic change.  This feature may be 
obtained from router and switch providers.  Hopefully, OS venders will 
soon build upon this currently "expensive" option, but what is the true 
cost of insecurity?

Compromising a LAN need not be immediate.  IPv4 insecurity often 
represents a race won by compromised systems that can afford to wait.  
Once two systems become compromised, even switches become prone.  When 
their TCAM becomes full, fail-over will likely flood packets to all 
ports when a match is not found.  Hardware based security is not enough.

-Doug