[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Owen DeLong owend at he.net
Fri Aug 31 05:17:14 CEST 2012


On Aug 30, 2012, at 12:58 , Fernando Gont <fgont at si6networks.com> wrote:

> On 08/29/2012 11:46 AM, Owen DeLong wrote:
>> 
>>> And many people might argue that they won't put money for the
>>> alleged *potential* for innovation.
>> 
>> Sure... So ignore that potential and consider just basic business
>> continuity.
>> 
>> Like it or not, IPv4 has been on life-support for years
> 
> Agreed. -- the problem is that when the wrong argument is used to "sell"
> v6, the important one is lost.
> 

I disagree... All of the arguments for IPv6 migration are valid. The fact that IPv4 will descend rapidly into madness over the next few years is merely the most compelling of all of them.

> 
>> IPv4 is already dysfunctional and severely degraded from its original
>> design and continuing to get worse. 
> 
> A large part of this will likely be replicated in v6: -- e.g., replace
> the border NAT with an actual firewall.
> 

An actual firewall is not as harmful as NAT and is much more easily corrected if we don't make the addressing mistakes made in IPv4 to support "address compression".

> What will certainly be a great degradation is the use of CGNs and the
> like. -- and yes, we need IPv6 to avoid that in the near/long term.
> 

Yep.

> 
> 
>>> I doubt any regular home user will tell his home firewall to pass
>>> this or that.
>> 
>> They do today in IPv4, why wouldn't they do so in IPv6?
>> 
>> What do you think uPNP/NAT-PMP are?
>> 
>> What do you think "DMZ Host" features, etc. are?
> 
> Does "uncle Joe" know what a DMZ is in the first place?
> 

Depends on whose uncle Joe. However, in actual fact, the vast majority of home routers are not administered by uncle Joe. Uncle Joe usually knows to call nephew Billy, 'cause he understands that thar techknowledgey [sic] stuff.

> Regular users just buy a wireless router at Walmart that just works
> auto-magically.
> 

Some yes, some no. Lots of users have X-Boxes and the like that end up providing users with detailed instructions on how to open up port forwarding or the like to make their games work. It's _A LOT_ more common than you may think.

> 
> 
>>>> Yes... This applies very much to things you and Marc tend to
>>>> say...
>>> 
>>> I'd argue that 99% of what I've said on the subject has been about 
>>> technical aspects of the protocol.
>> 
>> I would argue that what you have said about what is wrong with the
>> protocol (which is about 50% of what you have said) fits into that
>> description. The other part, where you start telling people not to
>> deploy or to delay deployment, 
> 
> I haven't said that -- although I have noted that "what to do" varies
> from one case to another.
> 

You came out in support of Marc Heuse saying it. To me, that's effectively
you repeating it.

> 
>> OTOH, is fear mongering and ignores
>> the very real risks inherent in those actions.
> 
> Let me give you a data-point:
> 
> OpenBSD has had a reputable history of only a couple of
> remotely-exploitable vulnerabilities in the default install for years.
> Last one (?), in more than 8 years, was IPv6-based. A server with v6
> enabled could have had its super-secure server hacked because of that.
> If the organization had a good reason for having v6 there, good. If
> not, the guy who recommended having v6 there could be in trouble. --
> This is probably where Marc was coming from.
> 

I beg to differ...

http://www.signedness.org/advisories/sps-0x1.txt

2005 -- 7 years ago, 802.11 protocol stack regardless of IP version

Yes, the IPv6 mbuf hole was more recent than that. Most likely because BSD did some modification to the IPv6 code.

In reality it's not significantly less likely that some future IPv4 patch could introduce a similar vulnerability in IPv4 and merely a coincidence that this happened to occur in IPv6.

I really don't think it's anything to hang an "IPv6 is more dangerous" hat on. It could very easily have gone the other direction and you wouldn't be willing to accept that as evidence that IPv4 was less secure.


> 
> 
>> What is the relative risk to the global internet in general from the
>> sum of all of the attacks you've described so far (ND exhaustion, RA,
>> RA Guard circumvention, etc.) when compared to the relative risks
>> inherent in running IPv4 today?
> 
> You should do such risk analysis for the organization that is going to
> deploy v6, not for "the global internet".
> 

I disagree. There is an important element of risk to the global internet if enough
organizations fail to deploy IPv6. The more organizations fail to deploy IPv6, the
more inevitable CGN becomes at other places on the internet. That's why I refer
to IPv6 resistance as a toxic polluter... An organization choosing not to implement
IPv6 has impact on organizations well outside their borders, even if they do not
feel that impact. Just like dumping toxic sludge into the stream at the edge of
your property affects the people downstream while your cattle don't even get sick.

> 
> 
>> Further, what is the relative risk to the global internet in general
>> from the sum of all of those attacks compared to the risks inherent
>> in attempting to continue running IPv4 with another billion or so
>> people connected? How does the risk inherent in IPv6 today compare to
>> the risk inherent in things like CGN?
> 
> I'd certainly *not* go with CGNs.
> 

Then you, sir, have made my argument for the need to consider the global
risk to the internet as a factor in your decision to implement IPv6 or not.

> 
> 
>>> The real reason for deploying v6 is that we are running out of v4 
>>> addresses -- that's enough of a reason, and nobody is arguing
>>> against that.
>> 
>> But when you get headlines like "Do only limited IPv6 deployments",
>> the people behind those headlines _ARE_ effectively arguing against
>> that, whether they intend to or not.
> 
> 1) The press is the press, and it's not uncommon for reports to come up
> with catchy or controversial headlines.
> 

It's not that hard to steer the headlines in most cases. It's not like I'm not
quoted in my share of press interviews.

> 2) Where and when to deploy v6 varies from one case to another.
> 

To some extent, but, if you don't like CGN, there are a lot more places where
IPv6 is really needed than you seem to realize.

> 3) You should not be surprised to hear from a security guy things like
> "you should only use/install/deploy this if you really need it" -- KISS
> principle.
> 

I'm all for the KISS principle. The sooner we stop farting around with this broken
IPv4 crap and move on, the sooner we can have a simple ubiquitous functional
internet that we can focus on improving.

All this energy we are expending trying to avoid deploying IPv6 and keep IPv4
on life support is really complicating the world.

KISS says you should deploy IPv6 everywhere as soon as practicable.

You cannot make a valid argument that IPv4 on life support and/or dual
stack is simpler than IPv6.

> 
> 
>>>> Consider when evaluating IPv6 deployment, not only the facts of
>>>> the security issues raised, but also the facts and implications
>>>> and consequences of failing to deploy IPv6 in a timely manner.
>>> 
>>> These tend to vary from one case to another.
>> 
>> Not really... I'm talking about the internet-systemic consequences,
>> not just the local consequences.
> 
> Humans are generally selfish. Don't be frustrated if people don't do
> things for "the common good" -- most companies are there to make money...
> not to make the "world" a better place.
> 

Yes, I'm well aware of this. However, failing to deploy IPv6 is both toxic
pollution _AND_ self-destructive in the long run.

> 
> 
>> I'm talking about the global consequences of large scale CGN
>> deployment. 
> 
> I fully agree with this -- but please see my note about the "common good".
> 

Your local "good" is also impacted.

> 
> 
>>>> I don't think you've ever seen me attempt to squelch such a
>>>> discussion. I simply draw the line when you start saying that the
>>>> drawbacks you have mentioned to date should be given enough
>>>> weight to delay or avoid deploying IPv6 in general.
>>> 
>>> I never made such a claim -- fwiw, the decision of where and when
>>> to deploy v6 varies from one case to another.
>> 
>> But this thread started not from what you said, but in response to an
>> article quoting Marc Heuse. You jumped in to defend his position and,
>> thus, you get tarred with the same brush.
> 
> I jumped to say that there's a valid/understandable point in what Marc
> said -- even if such point doesn't make the ipv6 world happy.
> 

I understand Marc's point, so, in that sense, yes, it's understandable. However,
he's still flat out wrong.

> 
> 
>> If that article had read "IPv6 has the following flaws, but we have
>> to deploy it anyway and fix the flaws ASAP", 
> 
> I'd argue that a security guy arguing that should probably be fired. :-)
> 

If you made that argument to me, it wouldn't be the security guy that I fired.

> 
> 
>> My point is that the only way you can claim the IPv4 DHCP situation
>> is better than the situation with RAs today is _IF_ you have
>> widespread deployment and use of DHCP snooping. 
> 
> No. The DHCP situation is worse in v6 than in v4 because in v4, if you
> want to mitigate it, you can. In v6, if you want to mitigate it, you can't.
> 

Huh? What can't you mitigate about DHCP in IPv6 that you can mitigate
in IPv4?

> 
> 
>>> Agreed. Although the RAs might have implications on IPv4 in
>>> unexpected ways...
>>> 
>> 
>> You'd need to elaborate on that one as it currently seems nonsensical
>> to me.
> 
> I will, in a separate e-mail.
> 
> 
> 
> 
>>> Yes -- with the investment of way too much energy, way too many 
>>> discussions, and fewer people supporting it than I would have
>>> expected.
>>> 
>> 
>> Welcome to the real world. 
> 
> Welcome to the real world: companies will deploy stuff if not doing
> so will prevent them from making money *today*, and not for the "common good".
> 

I'm well aware of this. Unfortunately, that's short sighted even for the company
in question because by the time it's preventing them from making money, they
will need a year of not making money to get their IPv6 roll-out done, the roll-out
will be less controlled, less planned, and as a result WAY less secure, and will
cost somewhere between 2 and 10 times as much.

As a general rule, when a CFO is faced with a decision that looks like $100 today
for business continuity or wait until it breaks, spend $200 and lose a year of revenue,
it's what the CFO calls a no-brainer. IPv6 is, at this point, financially a no-brainer.


> You may want to refer to: http://www.rfc-editor.org/rfc/rfc1669.txt
> -- how IPv6 deployment turned out should not be a "surprise" after
> reading RFC1669.
> 

How the IPv6 deployment is turning out is not a surprise to me.

Doesn't mean I'm going to stop trying to improve the situation and doesn't
mean that I'm going to stop capitalizing on the opportunities it creates.

> 
> 
>> Most of us recognize that the problem you
>> are describing is factual, but most likely more theoretical than
>> realized. Evaluating risks in the real world, rather than from the
>> security zealot perspective requires incorporating not only the
>> possibility of something occurring, but also the difficulty of
>> mitigation, the probability of it occurring, the value to the
>> would-be attacker, etc.
> 
> Exactly. And that varies from organization to organization.
> 

Not as much as you seem to think (IMHO).

> 
> 
>> As a result, IETF consists mostly of academics and vendors.
> [...]
> 
> I would expect the ones voicing their irritation about article
> headlines to invest that energy in supporting mitigation proposals.
> 
> Other than that, I do agree with your assessment about the IETF. :-)
> 

Why? The article headline has a far more negative impact on IPv6 deployment than anything the IETF is doing or failing to do.

If it looked like your draft was going to face defeat in a last call, expire, or get abandoned, I'd jump in. It looks like it's progressing, so bad article headlines are a more important use of my time right now.

I guess the importance varies from person to person. ;-)

>>> Again, whether and where to deploy varies from one case to another
>>> -- and in all cases, deployment should be done only after proper
>>> training.
>> 
>> While I agree that would be ideal, the reality is that deployment has
>> to move forward and deploying IPv6 without proper training 
> 
> Deploying v6 without proper training is simply insane. It sounds pretty
> much like "let's get on this plane that no one knows how to pilot" -- most
> likely with similar expected consequences.
> 

You could have made that argument about IPv4. Indeed, I think NAT and the current state of the IPv4 network could be held up as proof of the validity of the argument as applied to IPv4. Likely it will be proven again with IPv6.

We are on the runway. The runway behind us is on fire and the fire is moving rapidly towards the tail of the IPv6 airplane.

We can either take off or be consumed by the fire.

Owen
