[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
Jim Small
jim.small at cdw.com
Thu Sep 6 04:47:06 CEST 2012
Hi Tim,
> >> 5) First Hop Security Threats - there are some vendors who have
> solutions to all of these (though limited availability for some of them to a few
> high end products for now)
> >
> > Many vendors have some solution for this kind of threat (at least some
> > of them), however the price of those devices is much higher compared to
> > the devices that have similar security features for IPv4. For example
> > Cisco has these features only in the "big boxes" (6xxx, 49xx, 45xx) that
> > are not suitable as access switches. When we are building new
> > installations we are in a very difficult position. It is a tough decision
> > whether to buy much more expensive switches that support IPv6 security
> > features. Another option is to buy cheaper switches that have these
> > features only for IPv4 and in case of a massive attack just block all
> > IPv6 traffic on the access ports.
>
> We've found the Cisco first hop security implementation in their WLCs
> problematic. Hopefully the new 7.3 builds just released will fix this.
Just curious, can you share specifics?
> >> 8) Slide 27 - first hop security countermeasures:
> >> SeND - will probably never happen. Microsoft and Apple have no interest
> in doing this and that pretty much kills it.
> >> RA-Guard/PACLs - these work. It's true you can use a tool to defeat these
> with fragmentation, but that requires actively attacking the infrastructure
> with an attack tool (it would never happen by accident, which is mostly what you run
> into). If I look at the IPv4 world, it is rare that people deploy DHCP
> snooping/DAI/IPSG because it can break protocols that can't deal with
> security (e.g. Apple's). Therefore while I would like to see a solution to this I
> wonder how many people will actually use it.
> >
> > I can't agree that features like DHCP snooping are used very rarely.
>
> When I poll audiences of university network people, about half the hands go
> up when I ask who uses DHCP snooping.
I'm actually very happy to hear that. I am a fan of L2 security as it prevents a lot of threats and problems. Lately I have experienced a resurgence of interest on the LAN side for 802.1X, which I think is great. The challenge specifically with DHCP snooping/DAI/IPSG is twofold:
1) I have seen it break some applications. For example, I believe we had problems with Bonjour or some Apple protocol/application. In fact, this was on a large school campus. The school just wanted to disable the security in favor of all Apple apps working. I'm not trying to pick on Apple alone, but this is a common problem. Convincing customers to dig in and find a solution can be a challenge, as sometimes the solutions take a fair amount of time. How do you deal with protocol/application incompatibilities?
2) Education - Using things like DHCP snooping/DAI/IPSG requires a better understanding of the network and how things work. You need to understand DHCP snooping, for example, if you want to move your DHCP server. While I can walk someone through how to do this, 6 months later they have forgotten, lost the documentation, and are furious that they're taking an outage because for some reason DHCP doesn't work.
This gets back to the age old question of how do you inspire people to take their game to the next level with their network expertise and to proactively monitor their networks to mitigate security threats. Any takers? :-)
--Jim
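The fragmentation bypass of RA-Guard/PACLs discussed above, as an added example that is not part of the thread or of any vendor's implementation. It assumes the evasion meant is the well-known one where a large Destination Options header pushes the ICMPv6 Router Advertisement header out of the first fragment, so a filter that classifies each fragment on its own never sees an RA. The packets, addresses and fragment identifiers are constructed in memory, the filter names and the `Parsed` record are this example's own, and checksums are left at zero since nothing here verifies them. `naive_ra_guard` models a PACL that matches only on what it can positively identify; `strict_ra_guard` adds the RFC 7112 rule (drop a first fragment whose header chain does not reach the upper-layer header), which is also the spirit of RFC 6980's ban on fragmented ND.

```python
"""Added example: the RA-Guard fragmentation evasion and the RFC 6980/7112
style countermeasure, on constructed packets. Nothing is sent; ICMPv6
checksums stay zero because nothing here checks them."""
import struct
from collections import namedtuple

IPPROTO_FRAGMENT, IPPROTO_ICMPV6, IPPROTO_DSTOPTS = 44, 58, 60
VARIABLE_EXT_HEADERS = {0, 43, 60}                 # hop-by-hop, routing, dest options
ND_ROUTER_ADVERT, ICMPV6_ECHO_REQUEST = 134, 128
SRC = bytes.fromhex("fe80" + "00" * 13 + "01")    # fe80::1 (constructed)
DST = bytes.fromhex("ff02" + "00" * 13 + "01")    # ff02::1 all-nodes

Parsed = namedtuple("Parsed", "fragmented frag_offset upper icmp_type")

def ipv6(next_header, payload, hop_limit=255):
    """Fixed 40-byte IPv6 header, no traffic class or flow label."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload),
                       next_header, hop_limit, SRC, DST) + payload

def dest_options(next_header, units=2):
    """Destination Options header of units*8 bytes, filled with one PadN option."""
    opt_len = units * 8 - 2
    padn = bytes([1, opt_len - 2]) + b"\x00" * (opt_len - 2)
    return bytes([next_header, units - 1]) + padn

def fragment_header(next_header, offset_units, more, ident):
    """Fragment header: offset in 8-byte units, M flag in the low bit."""
    return struct.pack("!BBHI", next_header, 0,
                       (offset_units << 3) | (1 if more else 0), ident)

def parse(pkt):
    """Walk the header chain of one packet or fragment. upper is the
    upper-layer protocol reached inside *this* packet (None if the chain
    runs off its end); icmp_type is the ICMPv6 type byte when present."""
    nh, off = pkt[6], 40
    fragmented, frag_offset = False, 0
    while True:
        if nh == IPPROTO_FRAGMENT:
            if off + 8 > len(pkt):
                return Parsed(True, 0, None, None)
            nh, _, offflags, _ = struct.unpack_from("!BBHI", pkt, off)
            fragmented, frag_offset, off = True, offflags >> 3, off + 8
            if frag_offset:
                # Non-first fragment: its Next Header names the start of the
                # original packet's fragmentable part, not what follows here.
                return Parsed(True, frag_offset, None, None)
            continue
        if nh in VARIABLE_EXT_HEADERS:
            if off + 2 > len(pkt):
                return Parsed(fragmented, frag_offset, None, None)
            nh_next, hdr_len = pkt[off], (pkt[off + 1] + 1) * 8
            if off + hdr_len > len(pkt):
                return Parsed(fragmented, frag_offset, None, None)
            nh, off = nh_next, off + hdr_len
            continue
        break
    if off >= len(pkt):          # chain ends with no upper-layer bytes in this fragment
        return Parsed(fragmented, frag_offset, None, None)
    return Parsed(fragmented, frag_offset, nh,
                  pkt[off] if nh == IPPROTO_ICMPV6 else None)

def naive_ra_guard(pkt):
    """Drops only what it can positively see is an RA in this packet."""
    return "drop" if parse(pkt).icmp_type == ND_ROUTER_ADVERT else "pass"

def strict_ra_guard(pkt):
    """RFC 7112 rule added: a first fragment whose chain does not reach the
    upper-layer header is dropped, so the RA hidden in a later fragment can
    never be reassembled by the host."""
    p = parse(pkt)
    if p.icmp_type == ND_ROUTER_ADVERT:
        return "drop"
    if p.fragmented and p.frag_offset == 0 and p.upper is None:
        return "drop"
    return "pass"

def build_packets(ident=0x1234):
    """Constructed traffic: a plain RA, the same RA split so the ICMPv6 header
    only appears in the second fragment, and a benign fragmented echo."""
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    dopt = dest_options(IPPROTO_ICMPV6, units=2)   # 16 bytes, Next Header = ICMPv6
    echo = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, 1, 1) + b"A" * 8
    frag = fragment_header
    return {
        "plain_ra": ipv6(IPPROTO_ICMPV6, ra),
        "evasive_frag1": ipv6(IPPROTO_FRAGMENT, frag(IPPROTO_DSTOPTS, 0, True, ident) + dopt),
        "evasive_frag2": ipv6(IPPROTO_FRAGMENT,
                              frag(IPPROTO_DSTOPTS, len(dopt) // 8, False, ident) + ra),
        "fragmented_echo": ipv6(IPPROTO_FRAGMENT,
                                frag(IPPROTO_ICMPV6, 0, True, ident + 1) + echo),
    }

def evaluate():
    """(naive verdict, strict verdict) for every constructed packet."""
    return {name: (naive_ra_guard(p), strict_ra_guard(p))
            for name, p in build_packets().items()}

if __name__ == "__main__":
    for name, (naive, strict) in evaluate().items():
        print(f"{name:16s} naive={naive:4s} strict={strict}")
```

Running it shows the naive filter dropping the plain RA but passing both evasive fragments, while the strict filter drops the first evasive fragment (and therefore defeats the whole attack) yet still passes the benign fragmented echo whose ICMPv6 header is in its first fragment. That last case is the point a practitioner should check before enabling such a rule on real access ports: it breaks only fragments with an incomplete chain, not fragmentation as such.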