[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

[Tor Houghton]

On Fri, Mar 08, 2013 at 03:12:00AM +0000, Jim Small wrote:

> I'm working on a presentation for practical IPv6 security countermeasures.
> I've reviewed the latest presos from Fernando, Marc, Antonios, and Éric
> Vyncke to compile a list of security vulnerabilities.  Here's a somewhat
> subjective list of what I feel are "scary" attacks for those new to IPv6:
> 
> [snip]
> 
> So what do you think?  Are these the most concerning security issues for
> those looking to deploy IPv6?  Any thoughts greatly appreciated either on or
> off list.

Are you at all worried about whether or not you can detect IPv6 in your
network (considering that most, if not all, the attacks using IPv6 require
LAN access)?

I think one should be worried, or at least have some sort of plan, because
there's likely no cheap or quick fix if the infrastructure has any
complexity to it.  New hardware is often required to know whether or not
your datacentre is full of stray v6 traffic (e.g., the situation where a
host compromised via v4 can communicate undetected east-west on v6 because
the infrastructure can't give you the flows you need).

Just a thought - it's not just about the shortcomings of IPv6 because it was
designed in an age when the LAN was considered "safe". What controls can you
put in place today that will at least give you some sort of idea how v6 is
being used in your network; because chances are, it's already there, even if
you haven't "deployed" it yet (as has been discussed previously on the list
:-).

BUT. This might be off topic for your presentation, and known to all on the
list. So I'll apologise if that's the case.

Tor