[ipv6hackers] IPv6 security presentation at Hack.lu 2011
Douglas Otis
dotis at mail-abuse.org
Wed Sep 28 01:46:33 CEST 2011
On 9/27/11 12:36 PM, Fernando Gont wrote:
Fernando,
> That depends on what you mean by "simplify", or *what* (specifically)
> you want to simplify. e.g., DHCPv6 makes logging trivial. However,
> SLAAC+Privacy Extensions makes it rather difficult (at least with
> publicly available tools).
Cramming a growing list of options into DHCP packets has always stifled
innovation. Security obtained by injecting options into DHCP then
picked up via snooping is not without issues. This approach is neither
ideal nor the simpler option, especially when DHCP can no longer be
relied upon. Some systems may ignore RA recommendations for stateful
address configuration, especially devices that do not support DHCPv6.
> > RFC5006 introduced RDNSS in 2007, and was upgraded to standards
> > track in 2010 where DNS Search Lists (DNSSL) option was also
> > included. It should also be noted a large IPv6 provider's CPE
> > supported the RDNSS option for years with their 6RD deployment.
>
> Last time I checked (1-2 years ago), neither Windows, nor any of the
> open source OSes I was using supported RDNSS by default.
Check again:
Cisco IOS, Fedora, HP-UX, iOS, OS X, MeeGo, Red Hat, Suse, Ubuntu, and
even FreeBSD (as of June 6) support RDNSS, as do Apple routers,
FreeBox, OpenWRT, etc.
> > Real LAN based security remains possible with SeND,
> ... if only one could deploy it for the general case.
Again, SeND does not require support by all devices. At least
deployment at the switch and router by either Cisco or Juniper offers
protection for an important portion of the infrastructure. Such use
also provides OS-independent means to identify rogue routers using Java
based SeND lite. :^)
How is security improved by allowing Windows or OS X to set standards at
the lowest denominator? Be bold. Parity with IPv4 is not good enough.
-Doug
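As an added illustration of the RDNSS/DNSSL options discussed in this thread (this is not code from the message above or from any project it names), the following Python decodes the RDNSS (type 25) and DNSSL (type 31) options carried in an ICMPv6 Router Advertisement and flags any advertised resolver that is not on a site allowlist, which is the kind of check a monitoring host on the LAN would run to spot a rogue RA handing out unexpected DNS servers. The RA bytes, the `2001:db8::/32` addresses, the `corp.example` search domain and the allowlist are all constructed for the example; the ICMPv6 checksum is left at zero because no IPv6 pseudo-header is available offline.

```python
"""Decode RDNSS / DNSSL options from an ICMPv6 Router Advertisement and
flag resolvers that are not on a site's allowlist (constructed example)."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
ND_OPT_RDNSS = 25   # Recursive DNS Server option, RFC 8106 (was RFC 5006)
ND_OPT_DNSSL = 31   # DNS Search List option, RFC 8106
RA_HEADER_LEN = 16  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def build_rdnss(addrs, lifetime):
    """Encode an RDNSS option: type, len, reserved(2), lifetime(4), 16-byte addresses."""
    body = struct.pack("!HI", 0, lifetime)
    body += b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BB", ND_OPT_RDNSS, (2 + len(body)) // 8) + body


def build_dnssl(names, lifetime):
    """Encode a DNSSL option: DNS wire-format names, zero-padded to a multiple of 8 octets."""
    wire = b""
    for name in names:
        for label in name.strip(".").split("."):
            wire += bytes([len(label)]) + label.encode("ascii")
        wire += b"\x00"                      # root label terminates each name
    body = struct.pack("!HI", 0, lifetime) + wire
    body += b"\x00" * ((-(2 + len(body))) % 8)
    return struct.pack("!BB", ND_OPT_DNSSL, (2 + len(body)) // 8) + body


def decode_dns_names(wire):
    """Decode a sequence of wire-format domain names; trailing zero padding ends the list."""
    names, i = [], 0
    while i < len(wire) and wire[i] != 0:
        labels = []
        while wire[i] != 0:
            n = wire[i]
            if i + 1 + n > len(wire):
                raise ValueError("label runs past end of option")
            labels.append(wire[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        i += 1                               # skip the root label
        names.append(".".join(labels))
    return names


def parse_router_advertisement(pkt):
    """Return [(kind, lifetime, values)] for the RDNSS/DNSSL options in an RA."""
    if len(pkt) < RA_HEADER_LEN or pkt[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    options, i = [], RA_HEADER_LEN
    while i < len(pkt):
        if len(pkt) - i < 2:
            raise ValueError("truncated option header")
        otype, olen = pkt[i], pkt[i + 1]
        if olen == 0:                        # RFC 4861: a zero length is invalid, discard
            raise ValueError("option length 0")
        end = i + olen * 8
        if end > len(pkt):
            raise ValueError("option runs past end of packet")
        if otype == ND_OPT_RDNSS:
            if olen < 3 or olen % 2 == 0:    # length must be 1 + 2 * (number of addresses)
                raise ValueError("bad RDNSS length")
            lifetime = struct.unpack("!I", pkt[i + 4:i + 8])[0]
            body = pkt[i + 8:end]
            addrs = [str(ipaddress.IPv6Address(body[j:j + 16]))
                     for j in range(0, len(body), 16)]
            options.append(("RDNSS", lifetime, addrs))
        elif otype == ND_OPT_DNSSL:
            lifetime = struct.unpack("!I", pkt[i + 4:i + 8])[0]
            options.append(("DNSSL", lifetime, decode_dns_names(pkt[i + 8:end])))
        i = end                              # other option types are skipped by length
    return options


def unexpected_resolvers(options, allowed):
    """Return advertised recursive resolvers that are not on the site allowlist."""
    allowed = {ipaddress.IPv6Address(a) for a in allowed}
    return [a for kind, _, vals in options if kind == "RDNSS"
            for a in vals if ipaddress.IPv6Address(a) not in allowed]


# Constructed RA: hop limit 64, no M/O flags, router lifetime 1800 s, checksum 0.
SAMPLE_RA = (struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
             + build_rdnss(["2001:db8::53", "2001:db8:bad::1"], 1800)
             + build_dnssl(["corp.example"], 1800))
ALLOWED_RESOLVERS = ["2001:db8::53"]         # constructed site allowlist

if __name__ == "__main__":
    opts = parse_router_advertisement(SAMPLE_RA)
    for kind, lifetime, values in opts:
        print(kind, lifetime, values)
    print("unexpected resolvers:", unexpected_resolvers(opts, ALLOWED_RESOLVERS))
```

On a real network the bytes would come from a raw ICMPv6 socket or a capture rather than from `build_rdnss`; the decoder deliberately rejects a zero option length and an RDNSS length that cannot hold whole addresses instead of silently reading past the option, since malformed RAs are exactly what such a monitor is there to notice.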