[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues
torh-ipv6hackers at bogus.net
Mon Mar 11 09:29:13 CET 2013
On Sat, Mar 09, 2013 at 06:50:25PM +0000, Jim Small wrote:
> > Either go IPv4 only (means: disabling IPv6 everywhere)
> I don't see how to do v4 only. Organizations need parts of their networks
> running v6 to develop operational experience. Developers need v6 to develop
> and test mobile/web applications for v6. I can see limiting v6 within a
> network but I don't see how to do v4 only. If an organization stays v4 only
> until say 25% of the Internet is running v6 then they will have no
> security/operational v6 experience. When they finally enable v6 they will
> be far behind on requisite experience/security while attackers will be
> proficient. Doesn't this actually make things worse in the long run?
Instead of "go IPv4 only", I would say "have a clear plan for where you
allow IPv6". If it is not necessary to run IPv6 on a network, why should it
be allowed there?
We operate with the idea of an "internal" and "external" security class,
where production systems that require outside exposure are segmented as
required in the "external" class. The outside interface of this class may
well have a v6 requirement. All internal interfaces in that class, and all
interfaces in the "internal" class do not need v6 -- we switch it off on the
hosts and prevent the network from transporting it across segments.
Again, 2 cents!
More information about the Ipv6hackers