[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Owen DeLong owend at he.net
Thu Aug 23 17:42:25 CEST 2012


> On 23.08.2012 16:21, Owen DeLong wrote:
>> Saying that there is no business case is about as intelligent as
>> saying that everything should move urgently.
> 
> yes, maybe. But where is the business case? If you have one, and the
> business case makes sense financially for the hardware and labor, do
> it. But I doubt that any company will have that for the next 2 years.
> 

Bzzt... Thanks for playing, but HE is already fully dual stacked both in terms
of our internal IT and our external networks. Being ahead of the curve didn't
cost us all that much (mostly we included it in planned tech refreshes anyway)
and now we're actually seeing some pretty good benefits from being there.

>> Additionally, most of the security issues that Mark (and others) keep
>> harping on in IPv6 aren't any worse than the ones we've lived with
>> for years in IPv4.
> 
> no, that's not the point. The point is that the implementations are not
> where they should be for a global production rollout.

Neither is IPv4... That _IS_ the point. We rolled IPv4 out without worrying
about it. IPv6 is a rollout to replace IPv4 because IPv4 is dying of several
other horrible problems on top of its security issues. (address shortage,
the overhead of NAT, the unsustainable IPv4 routing table and the additional
fragmentation that will come from ever increasing address density, etc.)

IPv4 has been on life support for more than a decade now. While we can't
pull the plug just yet, we certainly don't have any time left to fiddle around
and pretend we don't need something else ready soon.

> the firewalls do not have all the features required (filtering on options in
> extension headers), OS implementations are at various stages of what they
> support and what not (any OS besides Ubuntu that can get the DNS server
> from something other than DHCPv6?), and the IPv6 stacks are not well
> tested enough (see the number of IPv6 security issues found, for example,
> compared to IPv4 security issues in the top-5 OSes used).

Yes... MacOS X gets it quite nicely from static and/or DHCP4. :p

Sure, I know that's not what you meant, you meant specifically any other
OS that supports RFC 6106, but that's not what you said.

There is, apparently, a source tool (rdnssd-win32) for Win32.

Allegedly it is supported in OSX (10.7+) and iOS (5+). I haven't verified these.

> that's why things should not be rushed.
> 

I don't think I said anything about rushing. I believe what I said was that dragging one's feet isn't good advice.

> but I agree to:
>> "let's stop deploying anything that doesn't include IPv6 today."
> 
> 
> and finally:
> 
>> In fact, DHCPv4 doesn't even have the equivalent of RA Guard
>> available.
> 
> it's called DHCP snooping
> 

I can do the equivalent of that today by snooping for RAs. Yes, it's slightly harder than DHCP snooping, but if you really want, it is doable. If you consider that an adequate solution, then it is already completely solved for IPv6, too.

The reality, however, is that snooping doesn't solve the problem, it just tells you that it is happening.

With RA Guard, we have an actual partial solution which, with some improved handling of Extension Headers and Fragments could become a complete solution.

Owen
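The extension-header walk that an RA Guard style filter has to do before it can tell a Router Advertisement from anything else, as an added example that is not from the list post or from any vendor's RA Guard; the frames are constructed inline and the names (classify_ipv6, ipv6_frame) are assumptions of this example:

```python
import struct

# Next-header values whose first two bytes are (next header, length in 8-octet
# units beyond the first 8): hop-by-hop, routing, destination options, mobility.
CHAINED_EXT = {0, 43, 60, 135}
FRAGMENT, ICMPV6, RA_TYPE = 44, 58, 134

def classify_ipv6(pkt: bytes) -> str:
    """Walk the IPv6 extension-header chain and say what an RA-Guard style
    filter can conclude: 'ra', 'other', 'nonfirst-fragment' or 'undetermined'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "undetermined"
    nh, off = pkt[6], 40
    while True:
        if nh == ICMPV6:
            if off >= len(pkt):
                return "undetermined"          # chain runs off the end of the frame
            return "ra" if pkt[off] == RA_TYPE else "other"
        if nh == FRAGMENT:
            if off + 8 > len(pkt):
                return "undetermined"
            nh = pkt[off]
            frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_offset != 0:
                return "nonfirst-fragment"     # upper-layer header is in another fragment
            off += 8                           # first fragment: keep walking the chain
            continue
        if nh in CHAINED_EXT:
            if off + 2 > len(pkt):
                return "undetermined"
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
            continue
        return "other"                         # TCP, UDP, ESP, ...: cannot be an RA

def ipv6_frame(next_header: int, payload: bytes) -> bytes:
    """Constructed sample frame: link-local source to all-nodes multicast, hop limit 255."""
    src = bytes.fromhex("fe80000000000000" "0000000000000001")
    dst = bytes.fromhex("ff02000000000000" "0000000000000001")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + src + dst + payload

# Constructed ICMPv6 Router Advertisement body (type 134, code 0; checksum left zero).
RA_BODY = bytes([RA_TYPE, 0]) + b"\x00" * 14
DIRECT_RA = ipv6_frame(ICMPV6, RA_BODY)
# RA behind an 8-byte Destination Options header (next=58, len=0, one PadN option).
DESTOPT_RA = ipv6_frame(60, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA_BODY)
# Non-first fragment: offset 1 (in 8-octet units), so the ICMPv6 header is not here.
NONFIRST_FRAG = ipv6_frame(FRAGMENT, bytes([ICMPV6, 0]) + struct.pack("!H", 1 << 3)
                           + b"\x00\x00\x00\x01" + b"\x00" * 8)
```

A filter that only inspects the first next-header value sees DESTOPT_RA as "destination options" and lets it through; walking the chain classifies it as an RA, while the non-first fragment and a truncated chain come back as results the filter cannot resolve and must decide a policy for (later implementation advice in RFC 6980 and RFC 7113 is to drop them).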