[170188] in North American Network Operators' Group


Re: IPv6 Security [Was: Re: misunderstanding scale]

daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Mar 24 21:48:33 2014

From: Owen DeLong <owen@delong.com>
In-Reply-To: <532F55F7.3010802@mykolab.com>
Date: Mon, 24 Mar 2014 18:18:16 -0700
To: Paul Ferguson <fergdawgster@mykolab.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 23, 2014, at 2:45 PM, Paul Ferguson <fergdawgster@mykolab.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 3/23/2014 2:27 PM, Timothy Morizot wrote:
>
>>
>> On Mar 23, 2014 11:27 AM, "Paul Ferguson"
>> <fergdawgster@mykolab.com <mailto:fergdawgster@mykolab.com>>
>> wrote:
>>> Also, IPv6 introduces some serious security concerns, and until
>>> they are properly addressed, they will be a serious barrier to
>>> even considering it.
>>
>> And that is pure FUD. The sorts of security risks with IPv6 are
>> mostly in the same sorts of categories as those with IPv4 and have
>> appropriate mitigations available. Moreover, by not enabling and
>> controlling IPv6 on their networks, an operator is actually
>> markedly more vulnerable to IPv6 attacks, not less.
>>
>
> Only if end-points are unaware of dual-stack capabilities.
>
> Also, neighbor discovery, for example, can be dangerous (admittedly,
> so can ARP spoofing in IPv4). And aside from the spoofable ability of
> ND, robust DHCPv6 is needed for enterprises for sheer operational
> continuity.
>

DHCPv6 is no less robust in my experience than DHCPv4.

ARP and ND have mostly equivalent issues.

> And that's only a "half" example.
>
> I haven't even mentioned spam management in v6, which will become a
> nightmare if people have been relying on IP BL's or similar.

IP reputation didn't really scale to IPv4 and was only practical
because we were willing to toss out vast swaths of hosts just because
they were unfortunately behind the same NATed address as some host that
did something wrong some time.

So far, it's proven to be the worst possible solution to SPAM except
for all the others. Nonetheless, yes, we're going to have to come up
with a better way in IPv6.

OTOH, we will also have better end-to-end accountability in IPv6, so
that might actually help make new solutions more feasible.

Owen
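The scaling problem Owen describes (per-address blocklists that only worked in IPv4 because whole NATed populations were blocked together, and that cannot track a sender who can draw on 2^64 addresses in one IPv6 /64) can be shown concretely. The following is an added example, not code from the thread or from any NANOG participant; it contrasts a classic per-address blocklist with reputation aggregated per /64 prefix, with an explicit knob for the collateral damage Owen mentions. The mail verdicts are constructed sample data on the 2001:db8::/32 documentation prefix, and the thresholds are illustrative assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of mail-server verdicts: (source IPv6 address, verdict).
# The sender in 2001:db8:1:2::/64 rotates through fresh addresses for every
# message, which is exactly what defeats per-address reputation in IPv6.
SAMPLE_EVENTS = [
    ("2001:db8:1:2::1", "spam"),
    ("2001:db8:1:2::2", "spam"),
    ("2001:db8:1:2::3", "spam"),
    ("2001:db8:1:2::4", "spam"),
    ("2001:db8:1:2::5", "spam"),
    ("2001:db8:1:2::6", "spam"),
    ("2001:db8:1:3::10", "ham"),
    ("2001:db8:1:3::10", "ham"),
    ("2001:db8:1:3::11", "spam"),
    ("2001:db8:9:9::1", "ham"),
]


def per_address_blocklist(events, threshold=2):
    """Classic IP-reputation blocklist: block an address once it has sent
    `threshold` or more spam messages. Against an address-rotating sender
    every address is seen once, so nothing ever crosses the threshold."""
    spam_count = Counter()
    for addr, verdict in events:
        if verdict == "spam":
            spam_count[ipaddress.IPv6Address(addr)] += 1
    return {str(a) for a, n in spam_count.items() if n >= threshold}


def prefix_reputation(events, prefixlen=64):
    """Aggregate verdicts by the enclosing prefix (default /64, the usual
    single-LAN assignment), so there is one reputation record per allocation
    rather than one per address."""
    stats = defaultdict(Counter)
    for addr, verdict in events:
        net = ipaddress.IPv6Network((addr, prefixlen), strict=False)
        stats[net][verdict] += 1
    return stats


def blocked_prefixes(stats, min_spam=3, max_ham_share=0.2):
    """Block a prefix only when it has produced at least `min_spam` spam AND
    legitimate mail is a small share of its traffic. The second condition is
    the knob for collateral damage: it is the IPv6 analogue of deciding how
    many innocent hosts behind one NATed IPv4 address you are willing to lose."""
    blocked = set()
    for net, counts in stats.items():
        total = sum(counts.values())
        ham_share = counts["ham"] / total if total else 0.0
        if counts["spam"] >= min_spam and ham_share <= max_ham_share:
            blocked.add(net)
    return blocked


def is_blocked(addr, blocked):
    """Prefix lookup for a never-before-seen address."""
    a = ipaddress.IPv6Address(addr)
    return any(a in net for net in blocked)


def main():
    print("per-address blocklist:", per_address_blocklist(SAMPLE_EVENTS) or "(empty)")
    stats = prefix_reputation(SAMPLE_EVENTS)
    for net, counts in sorted(stats.items(), key=lambda kv: str(kv[0])):
        print(f"{net}: spam={counts['spam']} ham={counts['ham']}")
    blocked = blocked_prefixes(stats)
    print("blocked prefixes:", {str(n) for n in blocked})
    print("new address 2001:db8:1:2::dead:beef blocked?",
          is_blocked("2001:db8:1:2::dead:beef", blocked))


if __name__ == "__main__":
    main()
```

Run it and the per-address list stays empty while the /64 aggregation blocks the rotating sender's whole allocation, including addresses it has never used; the same aggregation leaves 2001:db8:1:3::/64 alone because its mail is mostly legitimate. Choosing the prefix length (/64, /56, /48) and the ham-share tolerance is the policy decision Owen's "better way" has to make.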