[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Jim Small jim.small at cdw.com
Fri Aug 24 05:45:43 CEST 2012


> >> Started out thinking I knew something, now am confused ;-(.
> >>
> >> Or perhaps the Neighbor Discovery process itself prevents that?  Or do we
> >> need to do something like DAI, DNDI?  Most of the MIM tools (I am thinking
> >> Cain and Abel & ettercap) send out gratuitous ARPs.  Is this kind of thing
> >> possible with IPv6 Neighbor Discovery?
> >
> > All the IPv4 equivalents are needed.  Some additional inspections are also
> > brought to bear.  If you use all the first hop security features the level of
> > security is actually better than IPv4.  That said, as you pointed out this isn't
> > available on all platforms.  And realistically not many people will use these
> > features.  They're great features, but a lot of protocols and applications
> > misbehave and trying to tweak security protocols to allow poorly behaved
> > protocols and applications is often a losing battle...
> >
> 
> Realistically, if you're not a university and you can't trust the people on your
> LAN, you've kind of already lost.

Security is an interesting proposition.  It is expected to be present but not to interfere with anything useful.  It is not appreciated and often bemoaned unless something really bad happens.  Then there is fury that there wasn't enough security until the memory of the bad event fades and then there's annoyance and questioning of why all this irritating security is in place.  This is compounded by the fact that companies like Apple who are wildly successful at marketing to consumers design things that are neither secure nor scalable but expected to be supported because of popularity.  How you balance this all out is something I'm still struggling with.  I would love to hear advice on how to do it.

--Jim



