nanog mailing list archives
Re: NIST IPv6 document
From: William Allen Simpson <william.allen.simpson () gmail com>
Date: Thu, 06 Jan 2011 15:47:58 -0500
On 1/6/11 1:47 AM, Paul Ferguson wrote:
> As someone who has been immersed in security for many years now, and having previously been very intimately involved in the network ops community for equally many years, I have to agree with Roland here. Just because a lot of smart people have worked on IPv6 for many years does not mean that the security issues have been equally well thought out. ... This is not meant as a slight to anyone -- just a realization of looking at security from a real-world perspective. It seems to always have to get "bolted on" as an afterthought, instead of baked-in from the beginning.

I've not read everything in this thread yet. So, this may have already been mentioned.

But Security *was* baked-in from the beginning of IPv6. IT WAS TAKEN OUT!

I was one of the original IPng PIPE->SIP->SIPP->IPv6 designers. We knew about *all* of these problems mentioned thus far in this thread.

IPsec was originally designed for SIP->SIPP->IPv6, and I back-ported it to IPv4 after IPv6 was hijacked by committee.

As to Neighbor Discovery, the original specifications eliminated ARP, DHCP, and OSPF, *and* routers knew all hosts on the local net, *and* both hosts and routers automatically renumbered. Everything that folks have asked for thus far.

Google tells me that draft-ietf-sip-discovery-03.txt is still on-line. I've not found my -04, -05, or -06 on-line, so I've occasionally been looking through old backups lately as time allows. Sadly, those systems are long dead, and finding actual systems to read my old data makes the recovery process rather slow.

Anyway, don't blame the original designers. We knew what we were doing! Blame the vendors (and their lackeys) that had vested interests in making IPv6 into IPv4 with bigger addresses, and *removing* security.