[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Fernando Gont fgont at si6networks.com
Thu Aug 30 21:58:34 CEST 2012

On 08/29/2012 11:46 AM, Owen DeLong wrote:
>> And many people might argue that they won't put money for the
>> alleged *potential* for innovation.
> Sure... So ignore that potential and consider just basic business
> continuity.
> Like it or not, IPv4 has been on life-support for years

Agreed -- the problem is that when the wrong argument is used to "sell"
v6, the important one is lost.

> IPv4 is already dysfunctional and severely degraded from its original
> design and continuing to get worse. 

A large part of this will likely be replicated in v6 -- e.g., replace
the border NAT with an actual firewall.

What will certainly be a great degradation is the use of CGNs and the
like -- and yes, we need IPv6 to avoid that in the near/long term.

>> I doubt any regular home user will tell his home firewall to pass
>> this or that.
> They do today in IPv4, why wouldn't they do so in IPv6?
> What do you think uPNP/NAT-PMP are?
> What do you think "DMZ Host" features, etc. are?

Does "uncle Joe" know what a DMZ is in the first place?

Regular users just buy a wireless router at Walmart that just works.

>>> Yes... This applies very much to things you and Marc tend to
>>> say...
>> I'd argue that 99% of what I've said on the subject has been about 
>> technical aspects of the protocol.
> I would argue that what you have said about what is wrong with the
> protocol (which is about 50% of what you have said) fits into that
> description. The other part, where you start telling people not to
> deploy or to delay deployment, 

I haven't said that -- although I have noted that "what to do" varies
from one case to another.

> OTOH, is fear mongering and ignores
> the very real risks inherent in those actions.

Let me give you a data-point:

OpenBSD has had a reputable history of only a couple of
remotely-exploitable vulnerabilities in the default install for years.
The last one (?), in more than 8 years, was IPv6-based. An otherwise
super-secure server with v6 enabled could have been hacked because of that.
If the organization had a good reason for having v6 there, good. If
not, the guy who recommended having v6 there could be in trouble --
this is probably where Marc was coming from.

> What is the relative risk to the global internet in general from the
> sum of all of the attacks you've described so far (ND exhaustion, RA,
> RA Guard circumvention, etc.) when compared to the relative risks
> inherent in running IPv4 today?

You should do such a risk analysis for the organization that is going to
deploy v6, not for "the global internet".

> Further, what is the relative risk to the global internet in general
> from the sum of all of those attacks compared to the risks inherent
> in attempting to continue running IPv4 with another billion or so
> people connected? How does the risk inherent in IPv6 today compare to
> the risk inherent in things like CGN?

I'd certainly *not* go with CGNs.

>> The real reason for deploying v6 is that we are running out of v4 
>> addresses -- that's enough of a reason, and nobody is arguing
>> against that.
> But when you get headlines like "Do only limited IPv6 deployments",
> the people behind those headlines _ARE_ effectively arguing against
> that, whether they intend to or not.

1) The press is the press, and it's not uncommon for reports to come up
with catchy or controversial headlines.

2) Where and when to deploy v6 varies from one case to another.

3) You should not be surprised to hear from a security guy things like
"you should only use/install/deploy this if you really need it" -- KISS

>>> Consider when evaluating IPv6 deployment, not only the facts of
>>> the security issues raised, but also the facts and implications
>>> and consequences of failing to deploy IPv6 in a timely manner.
>> These tend to vary from one case to another.
> Not really... I'm talking about the internet-systemic consequences,
> not just the local consequences.

Humans are generally selfish. Don't be frustrated if people don't do
things for "the common good" -- most companies are there to make money,
not to make the "world" a better place.

> I'm talking about the global consequences of large scale CGN
> deployment. 

I fully agree with this -- but please see my note about the "common good".

>>> I don't think you've ever seen me attempt to squelch such a
>>> discussion. I simply draw the line when you start saying that the
>>> drawbacks you have mentioned to date should be given enough
>>> weight to delay or avoid deploying IPv6 in general.
>> I never made such a claim -- fwiw, the decision of where and when
>> to deploy v6 varies from one case to another.
> But this thread started not from what you said, but in response to an
> article quoting Marc Heuse. You jumped in to defend his position and,
> thus, you get tarred with the same brush.

I jumped in to say that there's a valid/understandable point in what Marc
said -- even if such a point doesn't make the IPv6 world happy.

> If that article had read "IPv6 has the following flaws, but we have
> to deploy it anyway and fix the flaws ASAP", 

I'd argue that a security guy arguing that should probably be fired. :-)

> My point is that the only way you can claim the IPv4 DHCP situation
> is better than the situation with RAs today is _IF_ you have
> widespread deployment and use of DHCP snooping. 

No. The DHCP situation is worse in v6 than in v4 because in v4, if you
want to mitigate it, you can. In v6, if you want to mitigate it, you can't.

>> Agreed. Although the RAs might have implications on IPv4 in
>> unexpected ways...
> You'd need to elaborate on that one as it currently seems nonsensical
> to me.

I will, in a separate e-mail.

>> Yes -- with the investment of way too much energy, way too many 
>> discussions, and fewer people supporting it than I would have
>> expected.
> Welcome to the real world. 

Welcome to the real world: companies will deploy stuff if not doing
so will prevent them from making money *today*, and not for the "common good".

You may want to refer to: http://www.rfc-editor.org/rfc/rfc1669.txt
-- how IPv6 deployment turned out should not be a "surprise" after
reading RFC1669.

> Most of us recognize that the problem you
> are describing is factual, but most likely more theoretical than
> realized. Evaluating risks in the real world, rather than from the
> security zealot perspective requires incorporating not only the
> possibility of something occurring, but also the difficulty of
> mitigation, the probability of it occurring, the value to the
> would-be attacker, etc.

Exactly. And that varies from organization to organization.

> As a result, IETF consists mostly of academics and vendors.

I would expect the ones voicing their irritation about article
headlines to invest that energy in supporting mitigation proposals.

Other than that, I do agree with your assessment about the IETF. :-)

>> Again, whether and where to deploy varies from one case to another
>> -- and in all cases, deployment should be done only after proper
>> training.
> While I agree that would be ideal, the reality is that deployment has
> to move forward and deploying IPv6 without proper training 

Deploying v6 without proper training is simply insane. It sounds pretty
much like "let's get on this plane that no one knows how to pilot" -- most
likely with similar expected consequences.

Fernando Gont
e-mail: fernando at gont.com.ar || fgont at si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
