nanog mailing list archives

Re: IPv6 Security [Was: Re: misunderstanding scale]


From: Paul Ferguson <fergdawgster () mykolab com>
Date: Mon, 24 Mar 2014 18:39:16 -0700

It is unsettling to see such dismissive attitudes.

I'll leave it as an exercise for the remainder of... everywhere to
figure out why there is resistance to v6 migration, and it isn't "just
because" people can't be bothered.

Your customers are your compasses. And as Randy Bush always likes to
say (paraphrased), "I encourage my competitors to dismiss customer
concerns over IPv6 migration."

Cheers,

- ferg


On 3/24/2014 6:18 PM, Owen DeLong wrote:


On Mar 23, 2014, at 2:45 PM, Paul Ferguson
<fergdawgster () mykolab com> wrote:

On 3/23/2014 2:27 PM, Timothy Morizot wrote:


On Mar 23, 2014 11:27 AM, "Paul Ferguson" <fergdawgster () mykolab com> wrote:
Also, IPv6 introduces some serious security concerns, and
until they are properly addressed, they will be a serious
barrier to even considering it.

And that is pure FUD. The sorts of security risks with IPv6
are mostly in the same sorts of categories as those with IPv4
and have appropriate mitigations available. Moreover, by not
enabling and controlling IPv6 on their networks, an operator is
actually markedly more vulnerable to IPv6 attacks, not less.


Only if end-points are unaware of dual-stack capabilities.

Also, neighbor discovery, for example, can be dangerous
(admittedly, so can ARP spoofing in IPv4). And aside from the
spoofable ability of ND, robust DHCPv6 is needed for enterprises
for sheer operational continuity.


DHCPv6 is no less robust in my experience than DHCPv4.

ARP and ND have mostly equivalent issues.

And that's only a "half" example.

I haven't even mentioned spam management in v6, which will become
a nightmare if people have been relying on IP BL's or similar.

IP reputation didn’t really scale to IPv4 and was only practical
because we were willing to toss out vast swaths of hosts just
because they were unfortunately behind the same NATed address as
some host that did something wrong some time.

So far, it’s proven to be the worst possible solution to SPAM
except for all the others. Nonetheless, yes, we’re going to have to
come up with a better way in IPv6.

OTOH, we will also have better end-to-end accountability in IPv6,
so that might actually help make new solutions more feasible.

Owen


-- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2