[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Jim Small jim.small at cdw.com
Thu Aug 23 15:55:08 CEST 2012


Marc,

> > "If some network engineer says 'let's make a global company all
> > IPv6', I would fire that guy, because it costs millions and the
> > benefit is zero."
> 
> several things in the article wrong and I asked to review the article
> before it goes online (he told me their technical security article
> writer left a week ago), that statement is mine however :-)
> 
> what I am talking about is enabling IPv6 internally. There is no need
> for this. no business need. So anybody wanting to do this without
> necessity should be fired.

I see it differently.  While the urgency is for Internet connectivity and not necessarily for internal use, if the Internet is increasingly IPv6 and my internal users can't access this, how is that good/effective?  I am not focused on deploying internally per se, but all organizations need to have internal labs set up and should have at least one test/pilot network which has IPv6 Internet access.


> I also always advise that companies should IPv6 enable the front-end
> DMZ. but nothing else.

So how do their internal users, developers, and IT people get at the IPv6 Internet?  How do they get operational experience with running and deploying IPv6 if they only do it in one externally facing network?  Many companies have older hardware that can't deal with IPv6, which will force things like ISATAP.  I agree this isn't desirable, but putting your head in the sand and doing the bare minimum is foolish from a security point of view.  Did you see this on a panic-driven ISP deployment of IPv6 in your own back yard?
http://blog.ioshints.info/2012/07/analyst-driven-ipv6-deployment.html

If companies wait, when they start scrambling to deploy IPv6 how secure will their setup be?  It is crucial to act now and deploy IPv6 incrementally and methodically to gain experience and learn how to do it right and securely.


> > That said, in the space I work in Cisco and Microsoft have done IMHO a
> > pretty good job addressing the issues.
> 
> I agree with Cisco, for Microsoft, sorry, no. A company which does not
> fix critical local LAN issues because of ego reasons in the IPv6 stack
> team - I can't take them seriously.

I agree, that's lame.  Windows 8 is available now from MSDN/Technet - have you tested the RTM version?

However, Microsoft has also released what looks to be a pretty nice IPAM solution with Server 2012 and has done a lot to help move IPv6 forward.  I will see if I can push for resolution on the RA vulnerability.

--Jim




