[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
owend at he.net
Fri Aug 24 04:13:38 CEST 2012
>> Started out thinking I knew something, now am confused ;-(.
>> Or perhaps the Neighbor Discovery process itself prevents that? Or do we
>> need to do something like DAI, DNDI? Most of the MIM tools (I am thinking
>> Cain and Abel & ettercap) send out gratuitous ARPs. Is this kind of thing
>> possible with IPv6 Neighbor Discovery?
> All the IPv4 equivalents are needed. Some additional inspections are also brought to bear. If you use all the first hop security features the level of security is actually better than IPv4. That said, as you pointed out this isn't available on all platforms. And realistically not many people will use these features. They're great features, but a lot of protocols and applications misbehave and trying to tweak security protocols to allow poorly behaved protocols and applications is often a losing battle...
Realistically, if you're not a university and you can't trust the people on your LAN, you've kind of already lost.