[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
Fernando Gont
fgont at si6networks.com
Tue Aug 28 14:13:19 CEST 2012
On 08/23/2012 10:04 AM, Jim Small wrote:
> Marc - I agree that security could be better and there are still
> some things that need to be addressed. That said, in the space I
> work in Cisco and Microsoft have done IMHO a pretty good job
> addressing the issues.
FWIW, in mine, they haven't.
> I also believe there is tremendous benefit for innovation with IPv6.
This has been claimed for ages -- yet we have not had a single killer
application.
> NAT has become a stranglehold choking off innovation.
At least half of the problems "introduced" by NATs are also introduced
by firewalls that "only allow return traffic" -- So I don't necessarily
buy the "IPv6 fosters innovation" thing...
> no way. Deploying IPv6 provides virtually limitless address space
> and makes it far easier for developers to come up with fantastic new
> applications.
Some might argue "gimme the IPv6 killer app, and I'll do the ipv6
roll-out if the app is good enough".
> I know you're a great guy and I agree the security issues need to be
> fixed, but how is this helping us move forward?
Without necessarily agreeing with everything that Marc said (or
"allegedly said"), I'd note that opinions should not be judged on the
basis of how happy they make us feel.
Quoting Bertrand Russell:
"When you are studying any matter, or considering any philosophy, ask
yourself only what are the facts and what is the truth that the facts
bear out. Never let yourself be diverted either by what you wish to
believe, or by what you think would have beneficent social effects if it
were believed. But look only, and solely, at what are the facts."
Clearly, if we find any problems, we shouldn't stop there, but that
should be our starting point for engineering solutions. But that
starting point is *needed*.
Most of the time I get the impression that IPv6 proponents essentially
try to squelch any discussions about IPv6
drawbacks/vulnerabilities/problems, yet they fail to support any efforts
in improving the current state of affairs.
As a data-point, look at the lengthy discussions we have had about
RA-Guard, how trivial it is to evade current implementations, and
whether that makes the IPv6 world any worse (or not) than the IPv4 world.
Yet when there was time to support a proposal to fix RA-Guard (now
draft-ietf-v6ops-ra-guard-implementation), there were only a few folks
there...
If half of the energy spent on convincing people (or pretending) that
there are no problems with v6 was spent in producing tools (such as
THC-IPv6), discussing the problems (to eventually engineer workarounds),
producing proposals for improvements, supporting existing proposals for
improvements, or slapping vendors that essentially refrain from fixing
their own vulnerable stacks, the IPv6 world would certainly be a much
better place.
Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492