[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Douglas Otis dotis at mail-abuse.org
Wed Sep 28 01:46:33 CEST 2011


On 9/27/11 12:36 PM, Fernando Gont wrote:

Fernando,
>  That depends on what you mean by "simplify", or *what* (specifically)
>  you want to simplify. e.g., DHCPv6 makes logging trivial. However,
>  SLAAC+Privacy Extensions makes it rather difficult (at least with
>  publicly available tools).

Cramming a growing list of options into DHCP packets has always stifled 
innovation.  Security obtained by injecting options into DHCP, then 
picked up via snooping, is not without issues.  This approach is neither 
ideal nor the simpler option, especially when DHCP can no longer be 
relied upon.  Some systems may ignore RA recommendations for stateful 
address configuration, especially devices that do not support DHCPv6.

> > RFC5006 introduced RDNSS in 2007, and was upgraded to standards
> > track in 2010 where DNS Search Lists (DNSSL) option was also
> > included. It should also be noted a large IPv6 provider's CPE
> > supported the RDNSS option for years with their 6RD deployment.
>
>  Last time I checked (1-2 years ago), neither Windows, nor any of the
>  open source OSes I was using supported RDNSS by default.

Check again:

Cisco IOS, Fedora, HP-UX, iOS, OS X, MeeGo, Red Hat, Suse, Ubuntu, and 
even FreeBSD (as of June 6) support RDNSS, as do Apple routers, 
FreeBox, OpenWRT, etc.

> > Real LAN based security remains possible with SeND,
>  ... if only one could deploy it for the general case.

Again, SeND does not require support by all devices.  At least 
deployment at the switch and router by either Cisco or Juniper offers 
protection for an important portion of the infrastructure.  Such use 
also provides OS-independent means to identify rogue routers using Java 
based SeND lite. :^)

How is security improved by allowing Windows or OS X to set standards at 
the lowest denominator?  Be bold.  Parity with IPv4 is not good enough.

-Doug
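The RDNSS and DNSSL options discussed above (RFC 6106, successor to RFC 5006) ride inside ICMPv6 Router Advertisements, and a rogue router can use them to hand out attacker-controlled resolvers to every host that honours them. The following is an added example, not code from the thread or from any of the vendors named in it: a minimal parser for an RA that extracts the M/O flags, the RDNSS server list and the DNSSL search list, plus a check that flags any advertised resolver outside an operator-supplied allowlist. The sample packet is constructed inline with the builder functions so the script runs offline; feeding it live traffic would require a raw ICMPv6 socket or a pcap, which is not included here. The allowlist address 2001:db8::53 and the search domain example.net are illustrative values.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861
OPT_RDNSS = 25                      # RFC 6106: Recursive DNS Server
OPT_DNSSL = 31                      # RFC 6106: DNS Search List


def parse_dns_names(buf):
    """Decode concatenated DNS wire-format names; trailing zero bytes are padding."""
    names, labels, pos = [], [], 0
    while pos < len(buf):
        length = buf[pos]
        pos += 1
        if length == 0:
            if labels:                      # terminating zero of a name
                names.append(".".join(labels))
                labels = []
            continue                        # bare zeros are option padding
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return names


def parse_router_advertisement(pkt):
    """Parse an ICMPv6 RA (starting at the ICMPv6 header) into a dict."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!BBHII", pkt[4:16])
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),      # M: use DHCPv6 for addresses
        "other": bool(flags & 0x40),        # O: use DHCPv6 for other config
        "router_lifetime": lifetime,
        "rdnss": [],                        # (address, lifetime)
        "dnssl": [],                        # (search domain, lifetime)
    }
    pos = 16
    while pos + 2 <= len(pkt):
        otype, olen = pkt[pos], pkt[pos + 1]
        if olen == 0:                       # RFC 4861 4.6: length 0 is invalid
            raise ValueError("zero-length ND option")
        body = pkt[pos + 2:pos + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated ND option")
        if otype == OPT_RDNSS:
            opt_lifetime = struct.unpack("!I", body[2:6])[0]
            addrs = body[6:]
            for i in range(0, len(addrs) - len(addrs) % 16, 16):
                ra["rdnss"].append((str(ipaddress.IPv6Address(addrs[i:i + 16])), opt_lifetime))
        elif otype == OPT_DNSSL:
            opt_lifetime = struct.unpack("!I", body[2:6])[0]
            for name in parse_dns_names(body[6:]):
                ra["dnssl"].append((name, opt_lifetime))
        pos += olen * 8                     # unknown options are skipped (RFC 4861)
    return ra


def rogue_dns_check(ra, allowed_servers):
    """Return advertised RDNSS addresses that are not in the operator's allowlist."""
    allowed = {ipaddress.IPv6Address(a) for a in allowed_servers}
    return [a for a, _ in ra["rdnss"] if ipaddress.IPv6Address(a) not in allowed]


# --- builders used only to construct the offline sample packet -------------
def build_rdnss(addresses, lifetime):
    body = struct.pack("!HI", 0, lifetime) + b"".join(
        ipaddress.IPv6Address(a).packed for a in addresses)
    return bytes([OPT_RDNSS, 1 + 2 * len(addresses)]) + body


def build_dnssl(names, lifetime):
    wire = b"".join(
        b"".join(bytes([len(l)]) + l.encode("ascii") for l in n.split(".")) + b"\x00"
        for n in names)
    body = struct.pack("!HI", 0, lifetime) + wire
    pad = (-(2 + len(body))) % 8            # options are multiples of 8 octets
    return bytes([OPT_DNSSL, (2 + len(body) + pad) // 8]) + body + b"\x00" * pad


def build_ra(flags, options):
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    return hdr + b"".join(options)


# Constructed sample: SLAAC-only RA (M=0, O=0) carrying RDNSS and DNSSL.
SAMPLE_RA = build_ra(0x00, [build_rdnss(["2001:db8::53"], 3600),
                            build_dnssl(["example.net"], 3600)])

if __name__ == "__main__":
    ra = parse_router_advertisement(SAMPLE_RA)
    print(ra)
    print("unexpected resolvers:", rogue_dns_check(ra, ["2001:db8::1"]))
```

The parser deliberately tolerates RDNSS options whose length is not 1 + 2n by ignoring a trailing partial address rather than raising, which keeps a monitoring loop alive on malformed or hostile packets; tighten that to a hard error if the goal is conformance testing rather than detection.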