[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Mrs. Y. networksecurityprincess at gmail.com
Thu Aug 23 20:10:45 CEST 2012


On that note, the Packetpushers podcast team (of which I am a member) 
just started a security feed called Healthy Paranoia. I've been trying 
to organize an IPv6 security show and am looking for researchers, as 
well as engineers who've done some deployments, to appear on an episode. 
I think it's important to have healthy, respectful conversations 
covering this subject, so that we can continue to improve the quality 
and security profile of our IPv6 deployments. Please feel free to 
contact me offline if you're interested. You can check out the podcast 
and blog site here:

http://packetpushers.net/

Regards,
Michele Chubirka

On 8/23/2012 11:47 AM, daniel.bartram at bt.com wrote:
> Great response Owen, and I completely support your view.
>
> I'd be interested in hearing the challenges (if any) you and/or your organisation experienced with such an early adoption and full rollout, maybe off thread?
>
> Kind Regards,
>
> Dan.
>
> ----- Original Message -----
> From: Owen DeLong [mailto:owend at he.net]
> Sent: Thursday, August 23, 2012 04:42 PM
> To: IPv6 Hackers Mailing List <ipv6hackers at lists.si6networks.com>
> Subject: Re: [ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
>
>> Am 23.08.2012 16:21, schrieb Owen DeLong:
>>> Saying that there is no business case is about as intelligent as
>>> saying that everything should move urgently.
>>
>> Yes, maybe. But where is the business case? If you have one, and the
>> business case makes financial sense for the hardware and labor - do
>> it. But I doubt that any company will have that for the next 2 years.
>>
>
> Bzzt... Thanks for playing, but HE is already fully dual stacked both in terms
> of our internal IT and our external networks. Being ahead of the curve didn't
> cost us all that much (mostly we included it in planned tech refreshes anyway)
> and now we're actually seeing some pretty good benefits from being there.
>
>>> Additionally, most of the security issues that Mark (and others) keep
>>> harping on in IPv6 aren't any worse than the ones we've lived with
>>> for years in IPv4.
>>
>> No, that's not the point. The point is that the implementations are not
>> where they should be for a global production rollout.
>
> Neither is IPv4... That _IS_ the point. We rolled IPv4 out without worrying
> about it. IPv6 is a rollout to replace IPv4 because IPv4 is dying of several
> other horrible problems on top of its security issues. (address shortage,
> the overhead of NAT, the unsustainable IPv4 routing table and the additional
> fragmentation that will come from ever increasing address density, etc.)
>
> IPv4 has been on life support for more than a decade now. While we can't
> pull the plug just yet, we certainly don't have any time left to fiddle around
> and pretend we don't need something else ready soon.
>
>> The firewalls do not have all features required (filtering on options in
>> extension headers), OS implementations are at various stages of what they
>> support and what not (any OS besides Ubuntu that can get the DNS server
>> from something other than DHCP6?) - and the IPv6 stacks are not well
>> tested enough (see the number of IPv6 security issues found, for example,
>> compared to IPv4 security issues in the top-5 OSes used).
>
> Yes... MacOS X gets it quite nicely from static and/or DHCP4. :p
>
> Sure, I know that's not what you meant, you meant specifically any other
> OS that supports RFC 6106, but that's not what you said.
>
> There is, apparently, a source tool (rdnssd-win32) for Win32.
>
> Allegedly it is supported in OSX (10.7+) and iOS (5+). I haven't verified these.
>
>> That's why things should not be rushed.
>>
>
> I don't think I said anything about rushing. I believe what I said was that dragging one's feet isn't good advice.
>
>> but I agree to:
>>> "let's stop deploying anything that doesn't include IPv6 today."
>>
>>
>> and finally:
>>
>>> In fact, DHCPv4 doesn't even have the equivalent of RA Guard
>>> available.
>>
>> It's called DHCP snooping.
>>
>
> I can do the equivalent of that today snooping for RAs. Yes, it's slightly harder than DHCP snooping, but if you really want, it is do-able. If you consider that an adequate solution, then it is already completely solved for IPv6, too.
>
> The reality, however, is that snooping doesn't solve the problem, it just tells you that it is happening.
>
> With RA Guard, we have an actual partial solution which, with some improved handling of Extension Headers and Fragments could become a complete solution.
>
> Owen
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>

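Owen's remark that RA Guard needs better handling of Extension Headers and Fragments before it is a complete solution, illustrated with an added example that is not part of the thread: a minimal IPv6 header-chain walker in the filter's position, which classifies a frame as a Router Advertisement, not an RA, or undetermined. The undetermined case it exercises is a first fragment whose header chain points at ICMPv6 but whose ICMPv6 header only arrives in a later fragment; a filter that decides on the first fragment alone cannot see the RA type byte there. All packets, addresses and fragment identifiers are constructed values; only the Python standard library is used.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers) and the Router Advertisement type
HOPOPT, ROUTING, FRAGMENT, ICMPV6, NONXT, DSTOPTS = 0, 43, 44, 58, 59, 60
EXT_HEADERS = {HOPOPT, ROUTING, DSTOPTS}  # length = (hdr_ext_len + 1) * 8 octets
RA_TYPE = 134

def find_upper_layer(pkt):
    """Walk the header chain; return (protocol, offset) or (None, reason)."""
    if len(pkt) < 40:
        return None, "truncated-ipv6-header"
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS or nh == FRAGMENT:
        if off + 8 > len(pkt):  # every extension header is at least 8 octets
            return None, "chain-truncated"
        if nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return None, "non-first-fragment"  # carries no header chain
            nh, off = pkt[off], off + 8
        else:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return (None, "no-next-header") if nh == NONXT else (nh, off)

def classify_ra(pkt):
    """'ra', 'not-ra', or 'undetermined' (a filter must not just forward these)."""
    proto, info = find_upper_layer(pkt)
    if proto is None:
        return "undetermined"
    if proto != ICMPV6:
        return "not-ra"
    if info >= len(pkt):
        return "undetermined"  # the ICMPv6 type byte sits in a later fragment
    return "ra" if pkt[info] == RA_TYPE else "not-ra"

def ipv6(nh, payload):
    """Constructed IPv6 header: fe80::1 -> ff02::1 (all-nodes), hop limit 255."""
    src, dst = b"\xfe\x80" + b"\x00" * 13 + b"\x01", b"\xff\x02" + b"\x00" * 13 + b"\x01"
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 255) + src + dst + payload

# Constructed samples: RA body (type 134, code 0, zeroed fields), a PadN-only
# Destination Options header, and a first fragment (offset 0, M=1) whose header
# chain points at ICMPv6 but ends before the ICMPv6 header itself.
RA_BODY = bytes([RA_TYPE, 0]) + b"\x00" * 14
DSTOPTS_TO_ICMP = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])
FRAG_TO_DSTOPTS = bytes([DSTOPTS, 0]) + struct.pack("!HI", 0x0001, 0x1234)
PLAIN_RA = ipv6(ICMPV6, RA_BODY)
RA_BEHIND_DSTOPTS = ipv6(DSTOPTS, DSTOPTS_TO_ICMP + RA_BODY)
SPLIT_CHAIN = ipv6(FRAGMENT, FRAG_TO_DSTOPTS + DSTOPTS_TO_ICMP)
```

A port-level filter that treats "undetermined" as "pass" is the gap Owen describes; treating it as "hold or drop" is the conservative behaviour.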

