nanog mailing list archives
Re: IPv6 Security [Was: Re: misunderstanding scale]
From: Owen DeLong <owen () delong com>
Date: Mon, 24 Mar 2014 18:18:16 -0700
On Mar 23, 2014, at 2:45 PM, Paul Ferguson <fergdawgster () mykolab com> wrote:
> On 3/23/2014 2:27 PM, Timothy Morizot wrote:
>> On Mar 23, 2014 11:27 AM, "Paul Ferguson" <fergdawgster () mykolab com> wrote:
>>> Also, IPv6 introduces some serious security concerns, and until they are properly addressed, they will be a serious barrier to even considering it.
>>
>> And that is pure FUD. The sorts of security risks with IPv6 are mostly in the same sorts of categories as those with IPv4 and have appropriate mitigations available. Moreover, by not enabling and controlling IPv6 on their networks, an operator is actually markedly more vulnerable to IPv6 attacks, not less.
>
> Only if end-points are unaware of dual-stack capabilities. Also, neighbor discovery, for example, can be dangerous (admittedly, so can ARP spoofing in IPv4). And aside from the spoofable ability of ND, robust DHCPv6 is needed for enterprises for sheer operational continuity.

DHCPv6 is no less robust in my experience than DHCPv4. ARP and ND have mostly equivalent issues.

> And that's only a "half" example. I haven't even mentioned spam management in v6, which will become a nightmare if people have been relying on IP BL's or similar.

IP reputation didn’t really scale to IPv4 and was only practical because we were willing to toss out vast swaths of hosts just because they were unfortunately behind the same NATed address as some host that did something wrong some time. So far, it’s proven to be the worst possible solution to SPAM except for all the others. Nonetheless, yes, we’re going to have to come up with a better way in IPv6. OTOH, we will also have better end-to-end accountability in IPv6, so that might actually help make new solutions more feasible.

Owen