[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Jim Small jim.small at cdw.com
Thu Aug 23 23:08:43 CEST 2012


Hi Fernando,

> > Additionally, most of the security issues that Mark (and others) keep
> > harping on in IPv6 aren't any worse than the ones we've lived with
> > for years in IPv4.
> 
> Maybe some get frustrated that after 30+ years of IPv4, we're going through
> all the hassle of deploying a somewhat similar protocol, with no
> improvements in areas where its predecessor (IPv4) failed.... just for
> the longer addresses.

Being a history fan, it is not so easy to achieve consensus on improvements.  However, I know I'm preaching to the choir here...


> > addressing them in IPv4), I don't think it makes sense to stand in
> > front of the internet and say "stop growing until we fix this."
> > (which is effectively what you say when you say only do limited
> > deployments).
> 
> That depends on who you work for or who you're consulting for. If Mark
> (or anyone else) is doing security consulting, they go with "hey, deploy
> v6!", and their client gets into trouble with no apparent benefit from
> deploying v6, they might be in trouble.

Deploying something just for the sake of doing it is irresponsible.  I'm advocating a thoughtful pilot project for organizations to learn IPv6.

 
> > I do like that the article thinks IPv6 only provides trillions of
> > addresses. Certainly in that case, it might be hardly worth the
> > effort. ;-) Fortunately, as you know, it's quite a bit larger than
> > that.
> 
> And of course we also know that we shouldn't count 2**64 addresses in
> each /64, because no one is going to have such a huge number of nodes in
> a single subnet.

But this is addressed beautifully in Radia Perlman's Interconnections book.  This talks about how various protocols got developed and compares IPX/IPX+/CLNP/IP/IPv6/AppleTalk.  For those that remember IPX, it was a great LAN protocol.  Fast and easy to roll out.  IPv6 was trying to emulate many of these features.  Since the IEEE was assigning 48- and 64-bit MACs (even over 10 years ago!), the idea with a 64-bit node address was to make IPv6 auto-configuring based on the MAC address, just like IPX and CLNP.  While you could argue about this now, it takes over 10 years to develop and roll out a protocol.  If you don't like IPv6 you're welcome to start on the next generation protocol.  All you have to do is convince everyone to use and deploy it.  :-)

 
> > The fake router RA vulnerabilities are well known and relatively well
> > understood. Vendors are working on it and most have reasonable
> > initial solutions with progress being made towards more complete
> > solutions.
> 
> This is not the message that I got the last time I talked with some
> well-known desktop OS vendor.

FWIW I'll see if I can do anything or get a status.  I'm praying that this is fixed in Windows 8/Server 2012 RTM but I don't know.


> > However, I do not see this as being any worse in most
> > cases than a rogue DHCP server which is a vulnerability in IPv4 that
> > has not been fixed even to this day.
> 
> My understanding is that you cannot crash a host with forged DHCP
> responses, but that you *can* do that with forged RAs.


--Jim
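The MAC-based auto-configuration Jim refers to is what IPv6 stateless address autoconfiguration does with a modified EUI-64 interface identifier (RFC 4291, Appendix A): the 48-bit MAC is split, ff:fe is inserted in the middle, and the universal/local bit is flipped, giving the 64-bit host part of the address. The example below is added here and is not part of the list post; it implements that derivation, builds the resulting address in a /64, and does the reverse mapping, which is the security-relevant side: an EUI-64 address leaks the hardware address (and so the vendor OUI and the host's identity across networks), which is why privacy (randomized) interface identifiers exist. The MAC and prefix values are constructed sample inputs, not taken from the thread.

```python
import ipaddress
from typing import Optional


def mac_to_eui64(mac: str) -> bytes:
    """Derive the modified EUI-64 interface identifier from a 48-bit MAC.

    Steps per RFC 4291 Appendix A:
      1. split the MAC into its upper and lower 24 bits,
      2. insert the two octets ff:fe between them,
      3. invert the universal/local (u/l) bit, bit 0x02 of the first octet.
    """
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC with six octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip u/l bit: a globally unique MAC becomes 'universal'
    return bytes(eui)


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix (as advertised in an RA) with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, or None if the
    interface identifier does not carry the ff:fe marker (e.g. a privacy
    address, a DHCPv6-assigned one, or a manually configured one)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    first = b[0] ^ 0x02  # undo the u/l bit flip
    mac_bytes = bytes([first]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac_bytes)


if __name__ == "__main__":
    # Constructed sample values; 2001:db8::/32 is the documentation prefix.
    mac = "00:1b:21:3c:4d:5e"
    addr = slaac_address("2001:db8::/64", mac)
    print(addr)                                   # 2001:db8::21b:21ff:fe3c:4d5e
    print(mac_from_eui64_address(addr))           # 00:1b:21:3c:4d:5e
    # A randomized IID has no ff:fe marker, so no MAC can be recovered.
    print(mac_from_eui64_address("2001:db8::5a1c:9f0e:1234:5678"))  # None
```

Running the reverse mapping over addresses seen in logs or NetFlow is a quick way to find hosts still using EUI-64 identifiers, which is worth knowing during a pilot deployment of the kind Jim describes.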


