[ipv6hackers] SLAAC and DHCPv6 support (was Re: IPv6 security presentation at Hack.lu 2011)

Owen DeLong owend at he.net
Thu Sep 29 10:48:03 CEST 2011


On Sep 28, 2011, at 10:32 PM, Fernando Gont wrote:

> On 09/28/2011 10:10 AM, fred wrote:
>> There is a long list of simple attacks (DoS, MITM,...) which can be done
>> from a local access, IPv4 or IPv6... A very long list! That's why we need
>> IDS to prevent all these attacks and neutralize the attacker...
> 
> An IDS will do little in this case.
> 
> 
>> Did we consider that it was a showstopper for IPv4 ?
> 
> Nobody considered this a showstopper. We simply discussed the
> aforementioned vulnerabilities, and tried to converge on the best
> possible ways to mitigate them.
> 
Right.

> Bottom-line is that we need to get over the idea that discussing
> drawbacks of or vulnerabilities in IPv6 makes us IPv6 heretics.
> 
Agreed, but, to do that responsibly, we need to discuss them with
a reasonable tone. If the vulnerability in IPv6 isn't any worse than the
existing situation in IPv4, we should say that.

A lot of the IPv6 vulnerability stuff I see posted makes it sound like
deploying IPv6 will be the worst security disaster in the history of
the internet.

That's every bit as irresponsible as treating people like heretics
just for discussing vulnerabilities in IPv6.

> We really need to improve the current state of affairs of IPv6 security.
> And that can only be achieved through increased awareness and community
> efforts (e.g., brainstorming on the best ways to mitigate
> vulnerabilities, etc.)
> 

We also really need to get IPv6 deployed in the real world, and hysterics
about security issues that aren't any worse than IPv4 in actual fact are
quite counterproductive in this area.

There's a balance that needs to be struck and we really should make
some effort to be rational and factual in our tone when discussing such
vulnerabilities.

Owen



