[ipv6hackers] SLAAC and DHCPv6 support (was Re: IPv6 security presentation at Hack.lu 2011)

[Owen DeLong]

On Sep 29, 2011, at 8:30 AM, Fernando Gont wrote:

> Hi, Owen,
> 
> On 09/29/2011 05:48 AM, Owen DeLong wrote:
>>> Bottom-line is that we need to get over the idea that discussing
>>> drawbacks of or vulnerabilities in IPv6 makes us IPv6 heretics.
>>> 
>> Agreed, but, to do that responsibly, we need to discuss them with
>> a reasonable tone. If the vulnerability in IPv6 isn't any worse than the
>> existing situation in IPv4, we should say that.
> 
> The situation with IPv6, in general, is much worse than with IPv4. The
> reasons are summarized in slide 6 of
> <http://www.si6networks.com/presentations/hacklu2011/fgont-hacklu2011-ipv6-security.pdf>.
> 

We can agree to disagree.

> In particular, ND is much more complex than ARP, and hence there's much
> more room for fail. The fact that that policing ARP is trivial, and that
> RA-Guard implementations or monitoring tools such as NDPMon are so
> trivial to evade should be a hint.
> 

The number of networks that even bother to police ARP in IPv4 being
relatively small leads me to believe that while you may be correct from
a technical puritanical perspective, in terms of real world vulnerability,
we have a long tradition of running insecure networks and that the IPv6
issues will get addressed in a similar manner to the IPv4 issues. As
someone exploits them dramatically, they'll get resolved or worked
around or otherwise mitigated.

> That said, rather than squelching discussion, we should probably support
> efforts meant to improve the current state of affairs, such as those
> linked in
> <http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.html>
> 

I was not advocating squelching discussion, but, I'm also not in favor
of hysterics. I still think that with RA guard, you're basically no worse
off than ARP in IPv4, just in slightly different ways.

> 
> 
> 
>> A lot of the IPv6 vulnerability stuff I see posted makes it sound like
>> deploying IPv6 will be the worst security disaster in the history of
>> the internet.
> 
> It might be a disaster if people turn their look around, and pretend
> that everything is just fine, when it isn't.
> 

I'm not convinced. We pretended everything was just fine with IPv4
for a long time. We continue to pretend everything is just fine with
IPv4 in many ways. The network still mostly works.
>>> 
>>> We really need to improve the current state of affairs of IPv6 security.
>>> And that can only be achieved through increased awareness and community
>>> efforts (.e.g, brainstorming on the best ways to mitigate
>>> vulnerabilities, etc.)
>> 
>> We also really need to get IPv6 deployed in the real world and hysterics
>> about security issues that aren't any worse than IPv4 in actual fact are
>> quite counterproductive in this area.
> 
> Aee above for a counter-argument. Me, I personally think that deploying
> IPv6 without a careful understanding of the corresponding security
> implications is simply insane.
> 

I think insane is a somewhat strong term, but, I don't entirely disagree
with you here. However, I think that considering them requires a more
balanced evaluation of all of the factors, including the risks involved
in not deploying IPv6 which also are not small.

> 
> 
>> There's a balance that needs to be struck and we really should make
>> some effort to be rational and factual in our tone when discussing such
>> vulnerabilities.
> 
> I couple of days ago you were arguing e.g. that we're just fine if we
> deploy RA-Guard. I'd personally fail one the other side: unless
> something has been proven to be effective, it isn't.
> 

Proving my point that either extreme is useless. Those that are in favor
of IPv6 everywhere no matter what are ignoring the realities of the
need to address these security concerns.

Those claiming that these security concerns are significantly worse
than IPv4 and we should therefore put the internet on hold while
we figure it out are ignoring the risks associated with such an
action (the deployment of vastly larger amounts of CGN, the
destruction of any semblance of an IPv4 audit trail, the costs
associated with these various workarounds, etc.)

Bottom line, it's a tradeoff and focusing on any single issue is a
recipe for making bad choices.

> Ignoring or neglecting security issues might be of some benefit for
> envangelization purposes, but is a non-starter for a technical community.
> 

And yet the technical community has been operating the IPv4 internet
largely ignoring or neglecting security issues for decades.

I'm not advocating such behavior, but, I am pointing out that calling it a
non-starter is ludicrous in the face of the facts.

Owen