[ipv6hackers] SLAAC and DHCPv6 support (was Re: IPv6 security presentation at Hack.lu 2011)

Fernando Gont fgont at si6networks.com
Thu Sep 29 17:30:50 CEST 2011


Hi, Owen,

On 09/29/2011 05:48 AM, Owen DeLong wrote:
>> Bottom-line is that we need to get over the idea that discussing
>> drawbacks of or vulnerabilities in IPv6 makes us IPv6 heretics.
>>
> Agreed, but, to do that responsibly, we need to discuss them with
> a reasonable tone. If the vulnerability in IPv6 isn't any worse than the
> existing situation in IPv4, we should say that.

The situation with IPv6, in general, is much worse than with IPv4. The
reasons are summarized in slide 6 of
<http://www.si6networks.com/presentations/hacklu2011/fgont-hacklu2011-ipv6-security.pdf>.

In particular, ND is much more complex than ARP, and hence there's much
more room for fail. The fact that policing ARP is trivial, and that
RA-Guard implementations or monitoring tools such as NDPMon are so
trivial to evade should be a hint.

That said, rather than squelching discussion, we should probably support
efforts meant to improve the current state of affairs, such as those
linked in
<http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.html>




> A lot of the IPv6 vulnerability stuff I see posted makes it sound like
> deploying IPv6 will be the worst security disaster in the history of
> the internet.

It might be a disaster if people turn their look around, and pretend
that everything is just fine, when it isn't.



> That's every bit as irresponsible as treating people like heretics
> just for discussing vulnerabilities in IPv6.

Me, I don't personally care about that. I've done the same sort of
security work for other protocols such as TCP and IPv4 (*). So if *I* am
taken as an IPv6 heretic, somebody doesn't get it. :-)

(*) See e.g.:
http://www.gont.com.ar/papers/index.html
http://www.gont.com.ar/drafts/index.html
http://www.gont.com.ar/rfcs/index.html



>> We really need to improve the current state of affairs of IPv6 security.
>> And that can only be achieved through increased awareness and community
>> efforts (e.g., brainstorming on the best ways to mitigate
>> vulnerabilities, etc.)
> 
> We also really need to get IPv6 deployed in the real world and hysterics
> about security issues that aren't any worse than IPv4 in actual fact are
> quite counterproductive in this area.

See above for a counter-argument. Me, I personally think that deploying
IPv6 without a careful understanding of the corresponding security
implications is simply insane.



> There's a balance that needs to be struck and we really should make
> some effort to be rational and factual in our tone when discussing such
> vulnerabilities.

A couple of days ago you were arguing e.g. that we're just fine if we
deploy RA-Guard. I'd personally fail on the other side: unless
something has been proven to be effective, it isn't.

Ignoring or neglecting security issues might be of some benefit for
evangelization purposes, but is a non-starter for a technical community.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





