nanog mailing list archives

Re: misunderstanding scale


From: Owen DeLong <owen () delong com>
Date: Mon, 24 Mar 2014 18:30:29 -0700


On Mar 23, 2014, at 5:24 PM, Mike Hale <eyeronic.design () gmail com> wrote:

"I wasn't aware that calling out FUD was derisive, but whatever."
It's derisive because you completely dismiss a huge security issue
that, given the state of IPv6 adoption, a great majority of companies
are facing.

I would say that calling it FUD was fair game in this case.

Ferg claimed it was a “new unrelated attack”.

In reality, it’s pretty much the same attack as most ARP attacks that exist in IPv4
and there are well known mitigations just as in IPv4 with similar difficulties and
tradeoffs in their deployment.

Sure, having 18 quintillion host addresses on a subnet vs. <254 creates some
differences in the scale at which some of these attacks can be carried out, but
that’s more a matter of scale than a matter of radically different attack surface.

Calling it FUD is completely wrong because it *is* a legitimate
security issue for most businesses.  Sure, you've got the few who have
been able to properly plan for and secure their networks against the
increased attack surface of IPv6, but again...most companies haven’t.

It’s no more legitimate than the similar issues in IPv4. IPv6 doesn’t actually
present a significantly increased attack surface, it presents a very similar attack
surface. The shape is a little different in some of the details, but the overall size and
shape is pretty similar to IPv4.

Slinging false proclamations of FUD is as harmful as FUD itself.

I wouldn’t say that either set of statements was 100% FUD or 100% non-FUD.

I will say that vendors making hay out of IPv6 vulnerabilities as if they were novel
or different from existing widespread IPv4 vulnerabilities in order to increase profits
or reduce demands for IPv6 in their products is a fairly common practice that has
been far more harmful than any IPv6 attack surface overall.

Owen


On Sun, Mar 23, 2014 at 4:49 PM, Timothy Morizot <tmorizot () gmail com> wrote:
On Mar 23, 2014 6:21 PM, "Paul Ferguson" <fergdawgster () mykolab com> wrote:
Says you.

And many others. My comments were actually reiterating what I commonly see
presented today.

On the other hand, there are beaucoup enterprise networks unwilling to
consider moving to v6 until there are management, control,
administrative, and security issues addressed.

Whereas there are other enterprise networks, including mine, who are
actively deploying IPv6 and have been for a number of years now. So unless
you can come up with something truly novel that we haven't already dealt
with, I'll stick by my use of FUD.

You can continue to deride our issues, and make derisive comments
until your heart's content, but it does not change reality.

I wasn't aware that calling out FUD was derisive, but whatever.

Cheers,

Scott



-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0