[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

[Jim Small]

Hi Tor,

> > I'm working on a presentation for practical IPv6 security countermeasures.
> > I've reviewed the latest presos from Fernando, Marc, Antonios, and Éric
> > Vyncke to compile a list of security vulnerabilities.  Here's a somewhat
> > subjective list of what I feel are "scary" attacks for those new to IPv6:
> >
> > [snip]
> >
> > So what do you think?  Are these the most concerning security issues for
> > those looking to deploy IPv6?  Any thoughts greatly appreciated either on
> or
> > off list.
> 
> Are you at all worried about whether or not you can detect IPv6 in your
> network (considering that most, if not all, the attacks using IPv6 require
> LAN access)?

Agreed - I like NfSen with NetFlow for this.  I can at least mention it, but did I also mention that I only get 40 minutes?  :-)


> I think one should be worried, or at least have some sort of plan, because
> there's likely no cheap or quick fix if the infrastructure has any
> complexity to it.  New hardware is often required to know whether or not
> your datacentre is full of stray v6 traffic (e.g., the situation where a
> host compromised via v4 can communicate undetected east-west on v6
> because
> the infrastructure can't give you the flows you need).

Agreed.
 

> Just a thought - it's not just about the shortcomings of IPv6 because it was
> designed in an age when the LAN was considered "safe". What controls can
> you
> put in place today that will at least give you some sort of idea how v6 is
> being used in your network; because chances are, it's already there, even if
> you haven't "deployed" it yet (as has been discussed previously on the list
> :-).

Agreed - this is especially relevant with tunnels.  I have to pick what I can do in 40 minutes but the backup slides in the appendix can cover other issues.  There is certainly lots to talk about.

--Jim