[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Jim Small jim.small at cdw.com
Sat Mar 9 00:11:33 CET 2013


Hi Enno,

> On Sat, Mar 09, 2013 at 08:10:49AM +1100, Karl Auer wrote:
> > On Fri, 2013-03-08 at 15:17 +0000, Jim Small wrote:
> > > > to provide access control in various parts of network for this)
> > > Agreed - you better know 3484 cold.
> >
> > 6724 now. With a few important changes like adding in ULA to the prefs
> > and labels tables, depreferencing 6to4, limiting longest matching prefix
> > comparisons to the actual prefix lengths, preferring temporary over
> > non-temporary, and opening the way for automated updates to the prefs
> > and label tables. And more :-)
> 
> inducing even more complexity into an area where vendors' "RFC
> compliance" is, say, debatable at best.

True - you have to know what the vendor does.  Microsoft for example doesn't completely follow 3484, but they do document where they don't.  You can look in Understanding IPv6 3rd Ed from Microsoft Press - an invaluable reference.  I wish there was something like this for Linux/BSD but it seems like you have to find blogs and the like from the developers where they document what they did.  I don't know of a central resource.


> Quite a few of us have probably already experienced troubleshooting
> cases where even going manually through all the eight rules from 6724/3484
> source address selection could not explain some given stack's behavior at
> some point of time...

Agreed - a lot of times you just have to try it out and experiment to deduce what the particular device/operating system does.  It doesn't seem like this is too likely to change either.

--Jim
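
Added example (not part of this message or the quoted replies): the default policy tables of RFC 3484 and RFC 6724 side by side, with a longest-prefix lookup, to show how ULA and 6to4 are classified differently by the two RFCs. The sample addresses are constructed, the function names are hypothetical, and only the label and precedence rules are modelled. As the thread notes, a given vendor stack may not follow either table.

```python
import ipaddress

# Default policy tables as (prefix, precedence, label).
RFC3484 = [("::1/128", 50, 0), ("::/0", 40, 1), ("2002::/16", 30, 2),
           ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4)]
RFC6724 = [("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
           ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
           ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12)]

def classify(table, addr):
    """Return (precedence, label) of the longest matching policy entry."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:  # IPv4 is looked up as an IPv4-mapped address
        ip = ipaddress.IPv6Address(f"::ffff:{ip}")
    rows = [(ipaddress.ip_network(p), prec, label) for p, prec, label in table]
    _, prec, label = max((r for r in rows if ip in r[0]),
                         key=lambda r: r[0].prefixlen)
    return prec, label

def labels_match(table, src, dst):
    """Matching-label test (source rule 6 / destination rule 5)."""
    return classify(table, src)[1] == classify(table, dst)[1]

def by_precedence(table, dests):
    """Order destinations by precedence only (destination rule 6 in isolation)."""
    return sorted(dests, key=lambda d: -classify(table, d)[0])

if __name__ == "__main__":
    # Constructed sample addresses (documentation and ULA ranges).
    samples = {"ULA": "fd00:1234::10", "global": "2001:db8::10",
               "6to4": "2002:c000:201::10", "Teredo": "2001:0:1::10",
               "IPv4": "192.0.2.10"}
    for name, addr in samples.items():
        print(f"{name:7} 3484={classify(RFC3484, addr)} "
              f"6724={classify(RFC6724, addr)}")
    # 3484 ranks 6to4 above IPv4; 6724 reverses that.
    print(by_precedence(RFC3484, [samples["IPv4"], samples["6to4"]]))
    print(by_precedence(RFC6724, [samples["IPv4"], samples["6to4"]]))
```
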
