[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Owen DeLong owend at he.net
Fri Aug 24 01:36:30 CEST 2012


On Aug 23, 2012, at 11:35 , Fernando Gont <fgont at si6networks.com> wrote:

> On 08/23/2012 11:21 AM, Owen DeLong wrote:
>> 
>> Additionally, most of the security issues that Mark (and others) keep
>> harping on in IPv6 aren't any worse than the ones we've lived with
>> for years in IPv4. 
> 
> Maybe some get frustrated that after 30+ years of IPv4, we're going through
> all the hassle of deploying a somewhat similar protocol, with no
> improvements in areas where its predecessor (IPv4) failed.... just for
> the longer addresses.
> 

Tough... You had 20+ years to propose improvements to IPv6 to resolve
those issues. Somehow that didn't happen. Now, we urgently need
bigger addresses. IPv6 is going to get deployed because without it,
the internet is going to break badly. Get over it and move on. Try to
find the best and most effective ways to deploy IPv6 rather than whining
about its shortcomings and trying to stall its deployment. Work on fixing
the problems.

> 
>> addressing them in IPv4), I don't think it makes sense to stand in
>> front of the internet and say "stop growing until we fix this."
>> (which is effectively what you say when you say only do limited
>> deployments).
> 
> That depends on who you work for or who you're consulting for. If Mark
> (or anyone else) is doing security consulting, they go with "hey, deploy
> v6!", and their client gets into trouble with no apparent benefit from
> deploying v6, they might be in trouble.
> 

As a consultant, your job is to provide the information to your client
so that they can make an informed decision, not make the decision
for them.

Yes, there are some limited circumstances where it makes sense to
delay IPv6 deployment for security considerations. However, putting
that out as general advice in a magazine article (or online equivalent)
is irresponsible at best.

> 
>> I do like that the article thinks IPv6 only provides trillions of
>> addresses. Certainly in that case, it might be hardly worth the
>> effort. ;-) Fortunately, as you know, it's quite a bit larger than
>> that.
> 
> And of course we also know that we shouldn't count 2**64 addresses in
> each /64, because no one is going to have such a huge number of nodes in
> a single subnet.
> 

Sure, but there are more than a trillion /64s in IPv6. A few million trillion as
a matter of fact.

>> The fake router RA vulnerabilities are well known and relatively well
>> understood. Vendors are working on it and most have reasonable
>> initial solutions with progress being made towards more complete
>> solutions.
> 
> This is not the message that I got the last time I talked with some
> well-known desktop os vendor.
> 

If you managed to find an OS vendor that is asleep at the switch, good for you,
you got an opportunity to educate someone. Nonetheless, the data has been
well published and I know most of the switch/router vendors either have running
code to (mostly) solve the problem or are working on it as we speak.

> 
>> However, I do not see this as being any worse in most
>> cases than a rogue DHCP server which is a vulnerability in IPv4 that
>> has not been fixed even to this day. 
> 
> My understanding is that you cannot crash a host with forged DHCP
> responses, but that you *can* do that with forged RAs.
> 

I'm not sure I buy either one of those assertions.

Owen
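The rogue Router Advertisement problem argued over above is also the one that RA Guard and RA monitoring tools address: on a managed segment only a known set of routers should ever send ICMPv6 type 134, so anything else is worth an alert. The following is an added example, not code from this thread or from any vendor product; it parses the RA header and Prefix Information option as laid out in RFC 4861 and flags advertisements from link-local sources outside an operator-maintained allowlist. The sample records and the allowlist are constructed inline (no capture or socket involved), and the byte-builder exists only to make those fixtures.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # ND option: Prefix Information


@dataclass
class RouterAdvert:
    src: ipaddress.IPv6Address
    router_lifetime: int            # seconds; 0 means "not a default router"
    prefixes: list = field(default_factory=list)


def parse_ra(src, payload):
    """Parse an ICMPv6 payload; return a RouterAdvert or None if not an RA."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        return None
    # type, code, checksum, cur hop limit, M/O flags, router lifetime,
    # reachable time, retrans timer: 16 bytes of fixed header.
    (_t, _c, _csum, _hop, _flags, lifetime, _reach, _retrans) = struct.unpack(
        "!BBHBBHII", payload[:16])
    ra = RouterAdvert(ipaddress.IPv6Address(src), lifetime)
    off = 16
    while off + 2 <= len(payload):           # walk TLV options (length in 8-byte units)
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")   # RFC 4861 says discard the packet
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated ND option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen = payload[off + 2]
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            ra.prefixes.append(f"{prefix}/{plen}")
        off = end
    return ra


def audit(records, authorized):
    """Return (source, reason, prefixes) for every RA from a non-allowlisted router."""
    alerts = []
    for src, payload in records:
        ra = parse_ra(src, payload)
        if ra is None:
            continue                       # NS/NA/other ICMPv6: not our concern here
        if ra.src not in authorized:
            alerts.append((str(ra.src), "RA from unauthorized router", ra.prefixes))
    return alerts


def build_ra(router_lifetime, prefix, plen=64):
    """Constructed test fixture only: RA header + one Prefix Information option (checksum left 0)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed


# Constructed sample "capture": (link-local source, ICMPv6 payload).
SAMPLE_RECORDS = [
    ("fe80::1", build_ra(1800, "2001:db8:1::")),            # the legitimate router
    ("fe80::2", bytes([135, 0, 0, 0]) + bytes(20)),         # a Neighbor Solicitation, ignored
    ("fe80::dead:beef", build_ra(9000, "2001:db8:bad::")),  # an unexpected advertiser
]

# Operator-maintained allowlist of routers permitted to advertise on this segment (assumed).
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}

if __name__ == "__main__":
    for alert in audit(SAMPLE_RECORDS, AUTHORIZED_ROUTERS):
        print(alert)
```

In a real deployment the records would come from a port mirror or a host-based capture filtered to ICMPv6 type 134, and the allowlist from the same source of truth the switches' RA Guard policy uses; a router lifetime of 0 from an authorized source is a normal graceful withdrawal and is deliberately not flagged.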
