[ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions

Mark ZZZ Smith markzzzsmith at yahoo.com.au
Sun Oct 18 07:10:57 CEST 2015





----- Original Message -----
From: Marc Heuse <mh at mh-sec.de>
To: IPv6 Hackers Mailing List <ipv6hackers at lists.si6networks.com>; Enno Rey <erey at ernw.de>
Cc: 
Sent: Sunday, 18 October 2015, 2:26
Subject: Re: [ipv6hackers] thc-ipv6 v3.0, IPv6 complexity and evasions


>> On Sat, Oct 17, 2015 at 08:51:25AM +0200, Enno Rey wrote:
>>> except for the IP version that kinda deprecates fragmentation, that is IPv6.
>>
<snip>

*because* the networks must support fragmentation, it is important that
there is an RFC that is more tight on extension headers as well as that
security products must look deeply into the packets.

* I think here is the fundamentally flawed assumption or belief - that the network is the best and only place to do host and application security.

From one of the inventors of network located firewalls, and from 16 years ago,

"Conventional firewalls rely on the notions of restricted topology and controlled entry points to function. More precisely, they rely on the assumption that everyone on one side of the entry point--the firewall--is to be trusted, and that anyone on the other side is, at least potentially, an enemy. The vastly expanded Internet connectivity in recent years has called that assumption into question."

"Distributed Firewalls" by Steven M. Bellovin

https://www.cs.columbia.edu/~smb/papers/distfw.html


Encryption and multi-pathing are only going to seal the deal.




Greets,
Marc

--
Marc Heuse
www.mh-sec.de

PGP: AF3D 1D4C D810 F0BB 977D  3807 C7EE D0A0 6BE9 F573

_______________________________________________
Ipv6hackers mailing list
Ipv6hackers at lists.si6networks.com
http://lists.si6networks.com/listinfo/ipv6hackers