[ipv6hackers] Windows 7/2008 R2 Improved Resilliency to IPv6 Floods

Sander Steffann sander at steffann.nl
Mon Apr 15 12:44:09 CEST 2013


> I agree and am actively helping people deploy IPv6 today.  However, I think it's important to demonstrate the security issues (e.g. Windows 8 vulnerabilities) clearly.  Once the issues are understood, the focus needs to be showing the countermeasures.  So while Windows 8 may be vulnerable, any decent access layer device can protect against the attacks.  There are many claims about why you shouldn't deploy IPv6.  To me that's a call for help - how do we counteract those threats.  To the best of my knowledge though, all the hyped up IPv6 "issues" have working countermeasures today.
> One value of this list is clearly articulating the issues and weaknesses of IPv6.  Of course we will never reach a protocol without flaws (just like v4 still has issues), but it's good to strive for that.  I would also point out if IPv6 is so weak and insecure that we can't openly discuss its flaws then is it really not ready for prime time?  I don't think this is the case.  So, we need to frankly discuss and dissect the issues.  Then we need to address them with countermeasures and if necessary with specification updates.

Definitely! I was only referring to spreading raw research data without context to clueless people. Before publishing about security issues we need add context to the raw data.

> When Marc wrote about taking out the network at the conference I thought it was hilarious.

Indeed :-)

> I have been to SANS training where the instructors took out the environmental controls, computers, crashed the network, and did all kinds of mischief with no IPv6 in sight.  But no one got defensive.  Instead the SANS instructors would then show how to lock everything down so no one else could do that.  Even in terms of crashing "production" grade systems - they still do it to this day.  But then they help the vendor fix the issue.  To me, IPv6 is no different.

Yes. I am doing some testing of equipment with a vendor. The vendors *need* IPv6 specialists to help them.

Met vriendelijke groet,
Sander Steffann

More information about the Ipv6hackers mailing list