[ipv6hackers] Pros and Cons of Address Randomization
loganaden at gmail.com
Mon Dec 10 19:02:01 CET 2012
On Mon, Dec 10, 2012 at 11:57 AM, Beat Rubischon <beat at 0x1b.ch> wrote:
> I follow your discussion with a lot of interest. One point I like to
> mention is the fact we still need IPv4 for ages on our LANs and a lot of
> interesting concepts provided by IPv6 are meaningless until we have pure
> IPv6 only networks. Dual stack is still the only possibility to keep
> compatibility to the existing internet. I played with NAT-PT, TRT and
> totd and it's still a big hack, nothing I would implement in a
> production environment. There is simply no useful backward compatibility
> built in, something which was pointed out by DJB years ago. No, I
> don't like his fatalism, but this article contains stuff I'm able to assist.
> http://cr.yp.to/djbdns/ipv6mess.html
> Is address randomization really a solution to convince our CEOs to
> expose their personal PC addresses to the world? I'm pretty unsure.
> At least my CEO wouldn't accept this fact.
> In the meantime a lot of good stuff in IPv6 was already killed. There is
> DHCPv6 to provide "static" addresses to the clients - which killed the
> great feature of announcing multiple prefixes and routers to a subnet.
> There are PI networks - they killed the hierarchical routing concept
> which would save a lot of memory in the large border routers. And there
> are gazillions of firewalls preventing end to end connections - why
> should we allow end to end by the network protocol when mostly everybody
> kills it with more or less broken firewalls?
> Applications will have to handle connection refused even in the IPv6
> world. And they will need ways to workaround these problems.
> So let's kill end to end connectivity. Invent NATv6 and allow the
> millions of networks to operate the same way as in the IPv4 world. Yes,
> I know NATv6 is a bad word and most readers here will pick up their
> flame thrower. I would never accept it in networks operated by myself.
> But I see it as the only possibility to migrate millions of SOHO networks.
There is no point in going the NAT route anymore. NAT breaks the way was designed in the first place.

One of the cheapest phones on the market -- Samsung B-7510 -- has iptables, which is easy to configure using droidwall. If you're paranoid enough, you can SSH using dropbear and configure a very tight ruleset.

Same goes for low-end PCs. How many of them already run free versions of firewalls & antiviruses?

It's fine if your CEO decides not to go IPv6, but if the customers are sending mails through ipv6 mail servers, and you have to do business with other companies which provide new services through their v6 networks, then I don't think that staying on v4 was a good decision.

Configuring each network capable device in your network to be patched properly is a relatively small price to pay to make the transition to IPv6.

Lastly, bypassing firewalls is possible even with NAT by using reverse connections through js scripts or email attachments, as many firewalls do not filter outgoing connections, and even if they do, I don't know many sysadmins restricting access to port 80.
> On 04.12.12 22:40, Victor Roemer wrote:
>> Justifying security through obscurity simply because zebras have stripes,
>> that is funny.
> Well, zebras are herd animals. It could happen that an individual one is
> killed by a lion, but the species will survive. I learned that computers
> should be handled the same way. Losing one shouldn't be a problem as
> long as you have others ;-)
> \|/ Beat Rubischon <beat at 0x1b.ch>
> ( 0-0 ) http://www.0x1b.ch/~beat/
> My experiences, thoughts and dreams: http://www.0x1b.ch/blog/
No bug shall escape my sight,
And those who worship evil's mind,
be wary of my powers,
puffy lantern's light !
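The "very tight ruleset" on a dropbear-reachable host mentioned above, as an added example that is not from this post or the list: a stateful IPv6 host firewall in ip6tables-restore format that drops by default in both directions, keeps the ICMPv6 that Neighbor Discovery and Path MTU discovery cannot work without, and logs the outgoing connections the post notes most firewalls never filter. The interface name, SSH port and egress port list are assumptions.

```shell
#!/bin/sh
# Added example, not from the list post: emit a stateful host-level IPv6
# ruleset in ip6tables-restore format. Interface name, SSH port and the
# egress port list are assumptions. Apply with:  tight_ruleset | ip6tables-restore
tight_ruleset() {
  lan_if="${1:-wlan0}"   # assumed LAN interface
  ssh_port="${2:-22}"    # assumed dropbear listener port
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, then anything belonging to a flow we already accepted
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 that IPv6 cannot function without (RFC 4890): error reports 1-4
# (incl. Packet Too Big for PMTUD) and Neighbor Discovery 134-136.
# A "tight" ruleset that drops these silently loses the link.
-A INPUT -p ipv6-icmp --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 4 -j ACCEPT
# ND messages are link-local only; a hop limit of 255 shows they were not routed
-A INPUT -p ipv6-icmp --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
# the only exposed listener: SSH (dropbear) on the LAN interface
-A INPUT -i ${lan_if} -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# egress is filtered too: DNS, web and mail submission; the rest is logged, then dropped
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 53,80,443,587 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -j LOG --log-prefix "v6-egress-drop: "
-A INPUT -j LOG --log-prefix "v6-ingress-drop: "
COMMIT
EOF
}

# number of -A rules in a generated set (a sanity check before applying it)
rule_count() { tight_ruleset "$@" | grep -c '^-A'; }
```

Dropped packets show up in the kernel log with the `v6-egress-drop:` / `v6-ingress-drop:` prefixes, so an unexpected outbound connection from a compromised host is visible rather than silently allowed.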