[ipv6hackers] Windows 7/2008 R2 Improved Resilliency to IPv6 Floods
Jim Small
jim.small at cdw.com
Mon Apr 15 04:43:12 CEST 2013
Hi Sander,
> But we need IPv6 deployment *now*, at least on publicly visible services and
> access lines (well, we needed that years ago, but that ship has sailed), but
> only if deployed in a professional way. Staying under the radar is not an
> option anymore.
I agree and am actively helping people deploy IPv6 today. However, I think it's important to demonstrate the security issues (e.g. Windows 8 vulnerabilities) clearly. Once the issues are understood, the focus needs to be showing the countermeasures. So while Windows 8 may be vulnerable, any decent access layer device can protect against the attacks. There are many claims about why you shouldn't deploy IPv6. To me that's a call for help - how do we counteract those threats. To the best of my knowledge though, all the hyped up IPv6 "issues" have working countermeasures today.
One value of this list is clearly articulating the issues and weaknesses of IPv6. Of course we will never reach a protocol without flaws (just like v4 still has issues), but it's good to strive for that. I would also point out if IPv6 is so weak and insecure that we can't openly discuss its flaws then is it really not ready for prime time? I don't think this is the case. So, we need to frankly discuss and dissect the issues. Then we need to address them with countermeasures and if necessary with specification updates.
When Marc wrote about taking out the network at the conference I thought it was hilarious. I have been to SANS training where the instructors took out the environmental controls, computers, crashed the network, and did all kinds of mischief with no IPv6 in sight. But no one got defensive. Instead the SANS instructors would then show how to lock everything down so no one else could do that. Even in terms of crashing "production" grade systems - they still do it to this day. But then they help the vendor fix the issue. To me, IPv6 is no different.
--Jim
More information about the Ipv6hackers
mailing list