[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Fernando Gont fgont at si6networks.com
Thu Aug 23 20:35:39 CEST 2012

On 08/23/2012 11:21 AM, Owen DeLong wrote:
> Additionally, most of the security issues that Mark (and others) keep
> harping on in IPv6 aren't any worse than the ones we've lived with
> for years in IPv4. 

Maybe some get frustrated that after 30+ years of IPv4, we're going
through all the hassle of deploying a somewhat similar protocol, with no
improvements in areas where its predecessor (IPv4) failed... just for
the longer addresses.

> addressing them in IPv4), I don't think it makes sense to stand in
> front of the internet and say "stop growing until we fix this."
> (which is effectively what you say when you say only do limited
> deployments).

That depends on who you work for or who you're consulting for. If Mark
(or anyone else) is doing security consulting, they go with "hey, deploy
v6!", and their client gets into trouble with no apparent benefit from
deploying v6, they might be in trouble.

> I do like that the article thinks IPv6 only provides trillions of
> addresses. Certainly in that case, it might be hardly worth the
> effort. ;-) Fortunately, as you know, it's quite a bit larger than
> that.

And of course we also know that we shouldn't count 2**64 addresses in
each /64, because no one is going to have such a huge number of nodes in
a single subnet.

> The fake router RA vulnerabilities are well known and relatively well
> understood. Vendors are working on it and most have reasonable
> initial solutions with progress being made towards more complete
> solutions.

This is not the message that I got the last time I talked with some
well-known desktop OS vendor.

> However, I do not see this as being any worse in most
> cases than a rogue DHCP server which is a vulnerability in IPv4 that
> has not been fixed even to this day. 

My understanding is that you cannot crash a host with forged DHCP
responses, but that you *can* do that with forged RAs.

> In fact, DHCPv4 doesn't even
> have the equivalent of RA Guard available.

As noted already, it's called DHCP snooping.

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
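The rogue-RA versus RA Guard point argued above, as an added example that is not part of this thread: a small Python monitor that parses IPv6 Router Advertisements (ICMPv6 type 134) and flags any that come from a router, or advertise a prefix, not on an allowlist. The allowlist, the two sample frames and the helper that builds them are constructed for this example; on a real segment you would feed it frames from a packet capture.

```python
import ipaddress
import struct

# Constructed allowlist for this example: the one router permitted to send RAs
# on the segment and the prefix it is expected to advertise.
ALLOWED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

def build_ra(src, lifetime, prefix):
    """Build a minimal IPv6 + ICMPv6 RA frame for testing (checksum left 0)."""
    pio = struct.pack("!BBBBIII", 3, 4, prefix.prefixlen, 0xC0, 2592000, 604800, 0)
    pio += prefix.network_address.packed            # 32-byte Prefix Information option
    ra = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0) + pio
    hdr = struct.pack("!IHBB", 0x60000000, len(ra), 58, 255)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + ra

def parse_ra(pkt):
    """Return (src, router_lifetime, [advertised prefixes]) or None if not an RA."""
    if len(pkt) < 56 or pkt[6] != 58:               # IPv6 + RA header; next header must be ICMPv6
        return None
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp = pkt[40:]
    if icmp[0] != 134:                              # ICMPv6 type 134 = Router Advertisement
        return None
    lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes, off = [], 16                          # options follow the 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp):
            break                                   # malformed option: stop, never loop forever
        if opt_type == 3 and opt_len == 32:         # Prefix Information option
            plen, raw = icmp[off + 2], icmp[off + 16:off + 32]
            prefixes.append(ipaddress.IPv6Network((raw, plen), strict=False))
        off += opt_len
    return src, lifetime, prefixes

def check_ra(pkt):
    """Return alert strings for an RA; an empty list means it matches the allowlist."""
    parsed = parse_ra(pkt)
    if parsed is None:
        return []
    src, lifetime, prefixes = parsed
    alerts = []
    if src not in ALLOWED_ROUTERS:
        alerts.append(f"RA from unexpected router {src}")
    alerts += [f"unexpected prefix {p} from {src}" for p in prefixes if p not in ALLOWED_PREFIXES]
    if lifetime == 0 and src in ALLOWED_ROUTERS:
        alerts.append(f"router {src} withdrew itself (lifetime 0)")
    return alerts

# Constructed sample frames: one from the legitimate router, one from an unknown source.
LEGIT_RA = build_ra("fe80::1", 1800, ipaddress.IPv6Network("2001:db8:1::/64"))
ROGUE_RA = build_ra("fe80::bad", 1800, ipaddress.IPv6Network("2001:db8:dead::/64"))
```

Such a monitor complements, rather than replaces, RA Guard on the switch port; it tells you an unwanted RA reached the segment, while RA Guard stops it from being forwarded.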
