[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
jim.small at cdw.com
Sun Sep 2 20:06:48 CEST 2012
> Fore those who might be interested in our experience with deploying
> IPv6 within university campus we sum upt it in
> (and related presentation:
> There are described some of the biggest troubles that we had during
> deploying IPv6.
I looked at your presentation, thanks for sharing. A few questions/comments:
1) Do you believe there is a compelling case for RDNSS/RFC 6106? I personally like it but when I have spoken to vendors they pointed out that most things do or will support stateless DHCPv6 and they don't see any reason to add RDNSS support. Can you give me some strong cases I can take back to vendors for RDNSS? I want to emphasize that this is not an idle promise - any strong case will go straight to the parties who can effect change at the vendors.
2) For privacy addresses, isn't stateful DHCPv6 the solution?
3) For end user accountability/host tracking the best solution is probably 802.1X, granted that likely is not workable in your situation. That said there have been tremendous strides in this space and I have deployed some nice solutions that go a long way in facilitating this.
4) For stateless DHCPv6 support (slide 8), current Apple iOS versions support it. It is still missing in Android as per this specific feature request: http://code.google.com/p/android/issues/detail?id=32621 That is pretty sad, especially since Google has some major IPv6 advocates. That said, as you know Apple iOS 6 will and Android 4.0+ does support IPv6 for cellular connections. Expect some major progress in this area this fall. T-Mobile USA for example has fully deployed IPv6 within their network and is looking to go IPv6 only. This will bring a resurgence in interest to the mobile space.
You're in a tough situation as you are almost stuck having to support everything - an impossible situation. In general I advise people to try to support Apple iOS and Android. That's the overwhelming majority of the mobile space. You could also make an argument for RIM although I rarely hear one. Anyone else (e.g. Windows Mobile) is insignificant in terms of Market share. Can you put in your network support policy that we support this and this and anything else is limited best effort support?
As for XP even Microsoft seems to have given up here for IPv6. If you look at their latest Microsoft Press book, Understanding IPv6 3e, it discounts anything before Vista. XP is totally unsupported in April of 2014, so if you have to support it for now it will be dual stack. Not only does it not support DHCPv6, but I thought it wasn't capable of doing IPv6 DNS either?
5) First Hop Security Threats - there are some vendors who have solutions to all of these (though limited availability for some of them to a few high end products for now)
6) Slide 19 - I agree, this is very sad
7) Slide 21 - rogue IPv6 routers (Vista ICS), can't you use port ACLs to deal with this or RA guard if available? I thought every decent switch at least supports port ACLs - not the case? You seem to imply this later but wondering why you don't mention here.
8) Slide 27 - first hop security countermeasures:
SeND - will probably never happen. Microsoft and Apple have no interest in doing this and that pretty much kills it.
RA-Guard/PACLs - these work. It's true you can use a tool to defeat these with fragmentation but that requires actively attacking the infrastructure with an attack tool (would never be by accident which is mostly what you run into). If I look at the IPv4 world, it is rare that people deploy DHCP snooping/DAI/IPSG because it can break protocols that can't deal with security (e.g. Apple's). Therefore while I would like to see a solution to this I wonder how many people will actually use it.
9) slide 28 - SeND is not the only way to deal with malicious RAs. There will be improved versions of RA Guard coming thanks to Fernando and there are ways to block the fragmentation attacks now. That said, I'm not sure if blocking the fragmentation attacks breaks other things - it may.
10) Slide 38 - Implied message is no business case for IPv6. I think this is leaving out some important details. Since this is a very technical list I will get to the point - we have < 141 million IPv4 addresses left at a burn rate of around 200 million IPv4 addresses/year. Everyone on this list agrees CGN sucks. In addition, it has been clearly shown that it is cheaper for an ISP to deploy IPv6 then CGN. Therefore the future of the Internet is clearly IPv6. So let's ask this question - how many of your users value having Internet connectivity? If you look at it from this vantage point I think everything else on that list pales in comparison. In Europe RIPE enters depletion this month or next - this is not some far off event. It's here now.
11) Slide 41 - IPv6 is a massive topic. We're talking about the underpinnings of global communication. I think it's important to split IPv6 up into different areas such as Internet of Things, Internet connectivity, Business/Organization Internal, Consumer Internal. For some things like the Internet of Things, SmartGrid and other solutions in this category there is no IPv4, but only IPv6. So even with saying IPv6 is something for the future is only true in certain contexts. If you're an ISP for example and haven't started deploying IPv6 you're in trouble. Specifically for the Internet connectivity area, the compelling case is business continuity. Most of your users probably don't understand IPv4/IPv6 and don't want to. But if they need to get somewhere on the Internet and have poor performance (CGN) or can't reach it (IPv6 only) they will be incensed. There are some Internet applications that are IPv4 only but this will change in the next few years as usage ramps up. As for internal applications that don't use the Internet, I agree with you that support is lacking. However, for this area I don't see a big demand or need yet.
12) Slide 44 - this is awesome. There has to be a better way to track issues. What about a Wiki page to track IPv6 operational and security issues along with progress in the IETF and with vendors. What gets measured gets done - what do you think?
More information about the Ipv6hackers