[170178] in North American Network Operators' Group


Re: misunderstanding scale

daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Mar 24 21:39:58 2014

From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAN3um4wnMPW=BQ6ec_=NH-Ua50Nn3QL9T+NXdo-ADNzCJHKQYQ@mail.gmail.com>
Date: Mon, 24 Mar 2014 18:30:29 -0700
To: Mike Hale <eyeronic.design@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 23, 2014, at 5:24 PM, Mike Hale <eyeronic.design@gmail.com> wrote:

> "I wasn't aware that calling out FUD was derisive, but whatever."
> It's derisive because you completely dismiss a huge security issue
> that, given the state of IPv6 adoption, a great majority of companies
> are facing.

I would say that calling it FUD was fair game in this case.

Ferg claimed it was a “new unrelated attack”.

In reality, it’s pretty much the same attack as most ARP attacks that exist in IPv4,
and there are well known mitigations just as in IPv4 with similar difficulties and
tradeoffs in their deployment.

Sure, having 18 quintillion host addresses on a subnet vs. <254 creates some
differences in the scale at which some of these attacks can be carried out, but
that’s more a matter of scale than a matter of radically different attack surface.

> Calling it FUD is completely wrong because it *is* a legitimate
> security issue for most businesses.  Sure, you've got the few who have
> been able to properly plan for and secure their networks against the
> increased attack surface of IPv6, but again...most companies haven’t.

It’s no more legitimate than the similar issues in IPv4. IPv6 doesn’t actually
present a significantly increased attack surface; it presents a very similar attack
surface. The shape is a little different in some of the details, but the overall size and
shape are pretty similar to IPv4.

> Slinging false proclamations of FUD is as harmful as FUD itself.

I wouldn’t say that either set of statements was 100% FUD or 100% non-FUD.

I will say that vendors making hay out of IPv6 vulnerabilities as if they were novel
or different from existing widespread IPv4 vulnerabilities in order to increase profits
or reduce demands for IPv6 in their products is a fairly common practice that has
been far more harmful than any IPv6 attack surface overall.

Owen

>
> On Sun, Mar 23, 2014 at 4:49 PM, Timothy Morizot <tmorizot@gmail.com> wrote:
>> On Mar 23, 2014 6:21 PM, "Paul Ferguson" <fergdawgster@mykolab.com> wrote:
>>> Says you.
>>
>> And many others. My comments were actually reiterating what I commonly see
>> presented today.
>>
>>> On the other hand, there are beaucoup enterprise networks unwilling to
>>> consider moving to v6 until there are management, control,
>>> administrative, and security issues addressed.
>>
>> Whereas there are other enterprise networks, including mine, who are
>> actively deploying IPv6 and have been for a number of years now. So unless
>> you can come up with something truly novel that we haven't already dealt
>> with, I'll stick by my use of FUD.
>>
>>> You can continue to deride our issues, and make derisive comments
>>> until your heart's content, but it does not change reality.
>>
>> I wasn't aware that calling out FUD was derisive, but whatever.
>>
>> Cheers,
>>
>> Scott
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
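The scale point Owen makes above (the same neighbor-resolution attack in IPv4 and IPv6, differing mainly in how many addresses an attacker can aim at, and mitigations that carry their own deployment tradeoff), as an added worked example that is not part of this message or of the thread. It models a router's neighbor cache under the remote neighbor-cache exhaustion attack that RFC 6583 describes for IPv6 (traffic to unused on-link addresses forces the router to create INCOMPLETE entries and solicit each one), with the classic mitigation of capping unresolved entries. The subnets, probe rate, cap size, host offsets and attacker probe count are assumptions chosen for illustration, not values from the thread.

```python
"""Added example (not from the NANOG thread): one neighbor-resolution attack at
IPv4 and IPv6 scale, plus the INCOMPLETE-entry cap mitigation and its tradeoff.

A router that receives a packet for an unresolved on-link address creates an
INCOMPLETE neighbor-cache entry and sends ARP (IPv4) or a Neighbor Solicitation
(IPv6).  An off-link attacker sweeping unused addresses fills that cache: on a
/24 the sweep is bounded by 254 hosts, on a /64 it is effectively unbounded
(RFC 6583).  Capping INCOMPLETE entries stops exhaustion, but while the cache is
full the first packet to a genuinely new host is dropped too; that is the
deployment tradeoff.  Subnets, rates, cap and probe counts are assumed values.
"""

import ipaddress
import random

IPV4_SUBNET = ipaddress.ip_network("192.0.2.0/24")   # 254 usable hosts
IPV6_SUBNET = ipaddress.ip_network("2001:db8::/64")  # 2**64 addresses


def scan_seconds(network, probes_per_second):
    """Time to probe every address in the subnet once at a fixed rate."""
    return network.num_addresses / probes_per_second


class NeighborCache:
    """Minimal model of the unresolved/resolved state a router keeps per link."""

    def __init__(self, max_incomplete=None):
        self.max_incomplete = max_incomplete  # None = unbounded (no mitigation)
        self.incomplete = set()               # awaiting an ARP/NS reply
        self.reachable = set()                # link-layer address known
        self.dropped = 0                      # packets refused by the cap

    def forward(self, dst):
        """Handle one packet for on-link address `dst`.

        Returns True if the router accepted it (forwarded or queued pending
        resolution), False if the INCOMPLETE cap forced it to drop the packet."""
        if dst in self.reachable or dst in self.incomplete:
            return True
        if self.max_incomplete is not None and len(self.incomplete) >= self.max_incomplete:
            self.dropped += 1
            return False
        self.incomplete.add(dst)  # would trigger ARP request / Neighbor Solicitation
        return True

    def resolved(self, dst):
        """A host answered the ARP/NS for `dst`: move it to the resolved set."""
        self.incomplete.discard(dst)
        self.reachable.add(dst)


def attacker_sweep(cache, network, probes, seed=1):
    """Send `probes` packets to random host addresses in `network`.

    Returns the number of INCOMPLETE entries the sweep left in the cache."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    base = int(network.network_address)
    for _ in range(probes):
        # host offsets 1 .. num_addresses-2 (skips the first and last address)
        offset = rng.randrange(1, network.num_addresses - 1)
        cache.forward(ipaddress.ip_address(base + offset))
    return len(cache.incomplete)


def mitigation_tradeoff(network, cap, probes, seed=1):
    """Run the sweep against a capped cache and report what the cap bought and cost."""
    cache = NeighborCache(max_incomplete=cap)
    base = int(network.network_address)
    known_host = ipaddress.ip_address(base + 0x10)  # resolved before the attack
    new_host = ipaddress.ip_address(base + 0x20)    # first seen during the attack
    cache.resolved(known_host)
    attacker_sweep(cache, network, probes, seed)
    return {
        "incomplete": len(cache.incomplete),
        "dropped_by_cap": cache.dropped,
        "known_host_still_reachable": cache.forward(known_host),
        "new_host_first_packet_accepted": cache.forward(new_host),
    }


if __name__ == "__main__":
    for net in (IPV4_SUBNET, IPV6_SUBNET):
        print(f"{net}: full sweep at 1000 pps takes {scan_seconds(net, 1000):.3g} s")
    print("unbounded /24 after 10000 probes:", attacker_sweep(NeighborCache(), IPV4_SUBNET, 10000))
    print("unbounded /64 after 10000 probes:", attacker_sweep(NeighborCache(), IPV6_SUBNET, 10000))
    print("capped /64:", mitigation_tradeoff(IPV6_SUBNET, cap=512, probes=10000))
```

The unbounded /24 run saturates at 254 entries no matter how many probes arrive, while the unbounded /64 run gains one entry per probe; with a cap, the already-resolved host keeps working but a new host's first packet is refused while the attacker holds the cache full, which is the "similar difficulties and tradeoffs" of the mitigation rather than a new class of attack.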


