[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Marc Heuse mh at mh-sec.de
Thu Aug 23 17:01:25 CEST 2012

a reply to Jim and Owen :-)

>> what I am talking about is enabling IPv6 internally. There is no need
>> for this. no business need. So anybody wanting to do this without
>> necessity should be fired.
> I see it differently.  While the urgency is for Internet connectivity and
> not necessarily for internal use, if the Internet is increasingly IPv6
> and my internal users can't access this how is that good/effective?

via proxies of course.
do you allow your users to connect to internet services without security
proxies? that would be a very bad call. that would mean your single line
of defense is the office PC for the content that is carried in the

>> I agree with Cisco, for Microsoft, sorry, no. A company which does
>> not fix critical local LAN issues because of ego reasons in the
>> IPv6 stack team - I can't take them seriously.
> I can't find Microsoft's official response to this (CVE-2010-4669),
> can't you point me to it?  I need to make sure I understand their
> position before I approach them and push for a solution.


On 23.08.2012 16:21, Owen DeLong wrote:
> Saying that there is no business case is about as intelligent as
> saying that everything should move urgently.

yes, maybe. but where is the business case? if you have one, and the
business case makes sense financially for the hardware and labor - do
it. But I doubt that any company will have that for the next 2 years.

> Additionally, most of the security issues that Marc (and others) keep
> harping on in IPv6 aren't any worse than the ones we've lived with
> for years in IPv4.

no, that's not the point. the point is that the implementations are not
where they should be for a global production rollout.
the firewalls do not have all features required (filtering on options in
extension headers), OS implementations are at various stages of what they
support and what not (any OS besides Ubuntu that can get the DNS server
from something other than DHCPv6?) - and the IPv6 stacks are not well
tested enough (see, for example, the number of IPv6 security issues found
compared to IPv4 security issues in the top-5 OS used).

that's why things should not be rushed.

but I agree with:
> "let's stop deploying anything that doesn't include IPv6 today."

and finally:

> In fact, DHCPv4 doesn't even have the equivalent of RA Guard
> available.

it's called DHCP snooping


Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 37309726

Marc Heuse - IT-Security Consulting
Winsstr. 68
10405 Berlin

Ust.-Ident.-Nr.: DE244222388
PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A

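On the point above about firewalls needing to filter on options inside extension headers: the Python below is an added example (mine, not code from Marc or anyone in the thread) that walks an IPv6 next-header chain, decodes the option TLVs in Hop-by-Hop and Destination Options headers, and applies two checks a filter can only make after doing so. The packet bytes are constructed for the example.

```python
# Constructed sample (not from the post): IPv6 + HBH + DstOpts + ICMPv6 echo, both options headers padding-only
SRC = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1
DST = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
HBH = bytes([60, 0, 0, 1, 3, 0, 0, 0])      # next=DstOpts, len=0, Pad1, PadN(3)
DOPT = bytes([58, 0, 0, 1, 3, 0, 0, 0])     # next=ICMPv6, len=0, Pad1, PadN(3)
ICMP = bytes([0x80, 0, 0, 0, 0, 1, 0, 1])   # echo request, checksum left zero
SAMPLE = (bytes([0x60, 0, 0, 0]) + (len(HBH) + len(DOPT) + len(ICMP)).to_bytes(2, "big")
          + bytes([0, 64]) + SRC + DST + HBH + DOPT + ICMP)  # next header 0 = HBH

EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-options"}

def parse_options(blob):
    """Return [(type, length)] for the TLV options inside a HBH/DstOpts header."""
    opts, i = [], 0
    while i < len(blob):
        t = blob[i]
        if t == 0:                       # Pad1 is a single byte with no length field
            opts.append((0, 0)); i += 1; continue
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("option overruns its header")
        opts.append((t, blob[i + 1])); i += 2 + blob[i + 1]
    return opts

def walk_chain(pkt):
    """Follow the next-header chain; return (ext_headers, upper_proto, offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT:
        if off + 8 > len(pkt): raise ValueError("truncated extension header")
        hlen = 8 if nh == 44 else (pkt[off + 1] + 1) * 8  # fragment header is fixed
        if off + hlen > len(pkt): raise ValueError("extension header overruns packet")
        hdr = {"name": EXT[nh], "len": hlen}
        if nh in (0, 60):
            hdr["options"] = parse_options(pkt[off + 2:off + hlen])
        if nh == 43:
            hdr["routing_type"] = pkt[off + 2]
        chain.append(hdr)
        nh, off = pkt[off], off + hlen
    return chain, nh, off

def policy_findings(chain):
    """Checks a filter can only make after walking the whole chain (heuristics)."""
    findings = []
    for h in chain:
        if h["name"] == "routing" and h["routing_type"] == 0:
            findings.append("deprecated routing header type 0 (RFC 5095)")
        if "options" in h and all(t in (0, 1) for t, _ in h["options"]):
            findings.append(h["name"] + " header carries only padding")
    return findings
```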