[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

[Jim Small]

Hi Marc,

> >> what I am talking about is enabling IPv6 internally. There is no need
> >> for this. no business need. So anybody wanting to do this without
> >> necessity should be fired.
> >
> > I see it differently.  While the urgency is for Internet connectivity and
> > not necessarily for internal use, if the Internet is increasingly IPv6
> > and my internal users can't access this how is that good/effective?
> 
> via proxies of course.

Proxies are acceptable as long as the protocols you need to use can be proxied.  This is a great solution for http/https.  However, for multimedia and Unified Communications it is not a complete solution.  However, it sounds like you agree that there needs to be a way for at least a pilot group of users to be able to access the IPv6 Internet.  That's what I'm after right now.


> do you allow your users to connect to internet services without security
> proxies? that would be a very bad call. that would mean your single line
> of defense is the office PC for the content that is carried in the
> connections.
> 
> >> I agree with Cisco, for Microsoft, sorry, no. A company which does >>
> not fix critical local LAN issues because of ego reasons in the
> >> IPv6 stack team - I can't take them seriously.
> > I can't find Microsoft's official response to this (CVE-2010-4669),
> > can't you point me to it?  I need to make sure I understand their
> > position before I approach them and push for a solution.
> 
> http://www.networkworld.com/news/2011/050311-microsoft-juniper-
> ipv6.html

Thank you Marc.  I will see if there's anything I can do on this.


> Am 23.08.2012 16:21, schrieb Owen DeLong:
> > Saying that there is no business case is about as intelligent as
> > saying that everything should move urgently.
> 
> yes, maybe. but where is the business case? if you have one, and the
> business case makes sense financial wise for the hardware and labor - do
> it. But I doubt that any company will have that for the next 2 years.

This is a great question.  At a high level there business case is two fold:
1) Business Continuity.  As I said, there are < 141 million IPv4 addresses left at a burn rate of 200 million/year.  IPv6 is the only viable solution for the continued use and growth of the Internet.
	Please take a moment to review Lee Howard's (The Director of Network Technology at Time Warner Cable, one of the largest residential ISPs in the US) presentation on the TCO for CGN.  What's especially interesting to note is that the forced deployment of CGN because of insufficient IPv4 address space is going to come with a cost.  Not only will it costs end users and carriers more money but it also results in a degraded user experience:
http://www.rmv6tf.org/2012-IPv6-Summit-Presentations/TCO%20of%20CGN.pdf
	You all know about Geoff Huston's site and stats.  What's going to happen in the next year or two when IPv4 addresses become both scarce and expensive?  How is that helping security or the continued prosperity of the Internet?  CGN is a security nightmare.

2) Innovation - while I suspect that we'll have to hit 10% usage of the Internet backbone for IPv6 traffic to see some killer apps; rest assured that they're coming.  IP is fundamentally about communication.  In fact right now I am most grateful that I am able to converse with some of the most talented people scattered all over the planet from the comfort of my desk.  IPv6 allows the possibility of removing NAT and facilitating end to end communication.  Things like global voice and video conferencing become cheap free apps.  Imagine the communications possibilities with a truly global addressing system.
 

> > Additionally, most of the security issues that Mark (and others) keep
> > harping on in IPv6 aren't any worse than the ones we've lived with
> > for years in IPv4.
> 
> no, thats not the point. the point is that the implementations are not
> where they should be for a global productional roleout.
> the firewalls do not have all features required (filtering on options in
> extension headers),

I can't speak for all firewalls but Cisco's supports this now.  I have spent a lot of time working with Cisco and they have been fabulous about supporting IPv6 security.  I'm sure you've seen Eric Vynke's posts here - he has been a tireless advocate for state of the art security and for improving the operational robustness of IPv6.


> OS implementations at various stages what they
> support and what not (any OS beside Ubuntu that can get the DNS server
> from something else than DHCP6?) - and the IPv6 stacks are not well
> tested enough (see the number of issues found of IPv6 security issues
> for example, compared to IPv4 security issues in the top-5 OS used).

I think RDNSS would be nice.  However, I have been challenged by a major router manufacturer to provide a business case for RDNSS.  Everything supports stateless DHCPv6.  While I agree that RDNSS is nice for SOHO environments, Linksys, Dlink, and others will provide GUI interfaces that make it easy to use.  I still would like to see RDNSS support but I'm having trouble thinking of a strong business case to advocate for it.  Can you help me out here?  If you can provide the business case I will make sure it's heard.

 
> thats why things should not be rushed.

I don't get this - how are we going to deal with IPv4 depletion?  What's your strategy for sustaining the growth of the Internet?


> but I agree to:
> > "let's stop deploying anything that doesn't include IPv6 today."
> 
> 
> and finally:
> 
> > In fact, DHCPv4 doesn't even have the equivalent of RA Guard
> > available.
> 
> its called dhcp snooping


This is an excellent point.  IPv6 has not achieved full parity with IPv4 security features but this is coming very soon.  However, speaking as someone who deploys networks for a living I can tell you that < 1% of companies actually use any of these features.  So I disagree that it's a reason not to deploy IPv6.  There are reasonable work arounds available today.  I realize these can be bypassed, but Marc I'm sure you'd agree that if you can get network access inside any company you can shortly own their infrastructure today without IPv6.  Deploying IPv6 is not going to significantly weaken current business security infrastructure.

 
Respectfully,
  --Jim