[ipv6hackers] IPv6 security presentation at Hack.lu 2011
Douglas Otis
dotis at mail-abuse.org
Tue Sep 27 21:09:02 CEST 2011
On 9/27/11 7:17 AM, Fernando Gont wrote:
> Hi, Enno,
...
> Years ago, you couldn't rely *only* on SLAAC, since it didn't yet
> support the RDNSS option (which is vital in most network deployments)
> -- even with RDNSS now *specified*, it is still not widely deployed,
> and hence you cannot rely on SLAAC alone.
>
> OTOH, you cannot rely on DHCPv6 alone if you cannot get a default
> route with it.
DHCP is not needed when there is a desire to simplify the network
architecture. RFC5006 introduced RDNSS in 2007, and was upgraded to
standards track in 2010 where DNS Search Lists (DNSSL) option was also
included. It should also be noted a large IPv6 provider's CPE supported
the RDNSS option for years with their 6RD deployment. With SRV records
and DNSSL, there is also no need for service related information to be
published by DHCP either. Progress in simplification is being made with
Free.fr's deployment representing a sizable percentage of the world's
IPv6 Internet access traffic.
See http://en.wikipedia.org/wiki/Free_%28ISP%29
http://tools.ietf.org/html/draft-ietf-csi-send-cert-10 can also answer
the question whether an RA is from an authorized device.
Real LAN based security remains possible with SeND, and eventually DANE
although this represents a dramatic change. This feature may be
obtained from router and switch providers. Hopefully, OS vendors will
soon build upon this currently "expensive" option, but what is the true
cost of insecurity?
Compromising a LAN need not be immediate. IPv4 insecurity often
represents a race won by compromised systems that can afford to wait.
Once two systems become compromised, even switches become prone. When
their TCAM becomes full, fail-over will likely flood packets to all
ports when a match is not found. Hardware based security is not enough.
-Doug
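The RDNSS and DNSSL options discussed above are Router Advertisement TLVs (RFC 6106, the standards-track successor of RFC 5006). The decoder below is an added example, not code from the list or from any vendor, that walks an RA's option area, rejects malformed options, extracts the advertised DNS servers and search list, and reports any server outside an operator-defined expected set, which is the minimum an RA monitor can do on a LAN that does not yet have SeND. The sample bytes are constructed, not captured.

```python
import ipaddress
import struct

# Neighbor Discovery option types from RFC 6106 (successor of RFC 5006).
ND_OPT_RDNSS = 25  # Recursive DNS Server
ND_OPT_DNSSL = 31  # DNS Search List

def parse_nd_options(data: bytes) -> list:
    """Decode the TLV options after a Router Advertisement header (RFC 4861 layout)."""
    opts, off = [], 0
    while off + 2 <= len(data):
        typ, length = data[off], data[off + 1]  # Length is in units of 8 octets
        end = off + length * 8
        if length == 0 or end > len(data):  # Length 0 is invalid; reject truncation
            raise ValueError("malformed ND option")
        body = data[off + 2:end]  # RDNSS/DNSSL: Reserved(2) Lifetime(4) then payload
        lifetime = struct.unpack("!I", body[2:6])[0]
        if typ == ND_OPT_RDNSS:
            if length < 3 or length % 2 == 0:  # 1 + 2 per 16-octet address
                raise ValueError("bad RDNSS length")
            servers = [str(ipaddress.IPv6Address(body[6 + 16 * i:22 + 16 * i]))
                       for i in range((length - 1) // 2)]
            opts.append({"type": typ, "lifetime": lifetime, "servers": servers})
        elif typ == ND_OPT_DNSSL:
            names, labels, pos = [], [], 6
            while pos < len(body):  # DNS wire-format names, zero padded to 8 octets
                n, pos = body[pos], pos + 1
                if n == 0:  # end of a name, or trailing padding
                    if labels:
                        names.append(".".join(labels))
                    labels = []
                    continue
                labels.append(body[pos:pos + n].decode("ascii"))
                pos += n
            opts.append({"type": typ, "lifetime": lifetime, "names": names})
        else:
            opts.append({"type": typ})  # other options are recorded by type only
        off = end
    return opts

def unexpected_dns_servers(opts: list, allowed: set) -> list:
    """RDNSS servers in a parsed RA that are outside the operator's expected set."""
    return [s for o in opts if o["type"] == ND_OPT_RDNSS
            for s in o["servers"] if s not in allowed]

# Constructed sample (not a real capture): RDNSS 2001:db8::53 and DNSSL example.net,
# both with a 3600 s lifetime; the DNSSL body is padded with three zero octets.
SAMPLE_RA_OPTIONS = (bytes([ND_OPT_RDNSS, 3, 0, 0]) + struct.pack("!I", 3600)
                     + ipaddress.IPv6Address("2001:db8::53").packed
                     + bytes([ND_OPT_DNSSL, 3, 0, 0]) + struct.pack("!I", 3600)
                     + b"\x07example\x03net\x00" + b"\x00" * 3)
```

Feeding the option area of every RA seen on a segment through `unexpected_dns_servers` with the site's real resolver set flags an advertisement that steers hosts to an unknown resolver, whether by misconfiguration or otherwise.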