[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
Owen DeLong
owend at he.net
Wed Aug 29 06:52:06 CEST 2012
On Aug 28, 2012, at 21:42 , Jim Small <jim.small at cdw.com> wrote:
>> Do not ignore the fact that we are running out of IPv4 addresses.
>> Do not ignore the fact that no matter how problematic the security issues
>> you have raised with IPv6 (which I think in a real-world evaluation
>> are relatively low risk) may be, the bigger risk to the functionality
>> of the internet in general is widespread NAT444/CGN.
>> Do not ignore the fact that just the geolocation implications of NAT444
>> are nearly enough to give one pause.
>> Do not ignore the security implications from an audit and event correlation
>> perspective that are inherent in CGN.
>
> Amen. The only solution going forward is to deploy IPv6. I think its important to discuss the risks and mitigations but to tell people they need to move forward. Telling them to start with a pilot before moving to production is prudent and arguably common sense. Telling them they should hold off or delay is unwise at best. How is this helping improve security or addressing IPv4 depletion?
>
>>> As a data-point, look at the lengthy discussions we have had about
>>> RA-Guard, how trivial it is to evade current implementations, and
>>> whether that makes the IPv6 world any worse (or not) than the IPv4 world.
>>
>> Consider this... What fraction of IPv4 networks with DHCP run DHCP
>> snooping? If you can show me that it is even 10%, then, you might
>> have a real world case. My observation in the real world is that it is
>> less than 5%. As such, I don't think that RA without RA Guard is
>> necessarily much worse than the current deployed state of IPv4.
>> RA Guard improves this situation (if people use it). Fixed RA-Guard
>> as you have proposed will improve it even more (if people use it).
>
> I'm sorry to say my broad view of this as a consultant who deploys networks for a living at companies is far lower. I would be surprised if it's even 1%. I think perhaps 5% may start with trying to enable it, but as soon as it breaks something (which it frequently does) then the extra security features are disabled. There are always good intentions to circle back and dig in which unfortunately rarely happen.
I was trying to be somewhat generous and use numbers that were sure to be an overestimation of what the more security zealous among this list would likely see in the environments that they are aware of.
I didn't want one of them to be able to come back and say my estimate was way too low. ;-)
>
>>> If half of the energy spent on convincing people (or pretending) that
>>> there are no problems with v6 was spent in producing tools (such as
>>> THC-IPv6), discussing the problems (to eventually engineer workarounds),
>>> producing proposals for improvements, supporting existing proposals for
>>> improvements, or slapping vendors that essentially refrain from fixing
>>> their own vulnerable stacks, the IPv6 world would certainly be a much
>>> better place.
>>
>> I've never claimed there are no problems with IPv6. I have, however, claimed
>> that the problems created by failing to deploy IPv6 in a timely manner
>> massively outweigh the problems mentioned in IPv6 to date.
>
> Agreed - we need to discuss the risks and mitigations without delaying forward progress. Perhaps we should work on a check list(s) for issues/solutions to firewalls, routers, switches, O/S, etc?
>
Sounds good.
Owen
More information about the Ipv6hackers
mailing list