[76839] in North American Network Operators' Group
Re: IPv6, IPSEC and deep packet inspection
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Fri Dec 31 17:23:19 2004
In-Reply-To: <016f01c4ef81$7139ce90$6401a8c0@stephen>
Cc: North American Noise and Off-topic Gripes <nanog@merit.edu>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Fri, 31 Dec 2004 23:22:46 +0100
To: "Stephen Sprunk" <stephen@sprunk.org>
Errors-To: owner-nanog-outgoing@merit.edu
On 31-dec-04, at 22:08, Stephen Sprunk wrote:
>> An IPv6 network is sufficiently different from IPv4 that I encourage
>> folks to not simply slap an IPv4 security model onto future IPv6
>> networks.
> The links, routers, switches, applications, admins, and budget are all the
> same, and layers 3 and 4 only have marginal differences.
The link behavior is radically different: broadcasts are out the
window, there is stateless autoconfiguration, scoped addressing...
99% of the time this doesn't matter much, but the trouble with security
is that 99% doesn't buy you anything. (Well, it buys you more than in
IPv4 as the bad guys can't just scan for that 1%, but still...)
> If you expect people to treat IPv6 any differently than IPv4, you'll need
> to be very explicit in what the differences are (or can be) and what the
> benefits are to throwing out a decade or more of experience and retraining
> everyone.
The main thing you have to look out for is nastiness that can happen if
an attacker has access to the subnet where your IPv6 hosts are, since
then scanning is again an option and she can inject false router
advertisements. Another thing everyone needs to be aware of is that
when a host has IPv6 enabled, it will always have link local addresses
so anyone on the same subnet can connect to any services that are
IPv6-ready EVEN THOUGH THE BOX DOESN'T HAVE A "REAL" IPV6 ADDRESS. And
it's not uncommon for these services to be firewalled in IPv4 but not in
IPv6 as packet filters typically only address one IP version.
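
An added illustration of the last point, not part of the original thread or of anything Iljitsch or Stephen posted: a small Python audit that parses `ss -Hltn` output, works out which listening sockets a neighbour on the same link could reach over the host's link-local address (every IPv6-enabled interface has one, global address or not), and checks whether the IPv6 packet filter actually covers them. The `ss` lines and the two firewall summaries (`V4_POLICY`, `V6_POLICY`) are constructed sample data, and the policy dicts are a deliberate simplification of an INPUT chain: a default policy plus the set of TCP ports it accepts.

```python
"""
Audit listening sockets for IPv6 link-local exposure that an IPv4-only
packet filter does not cover.  Added example with constructed data.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `ss -Hltn` (headerless, listening, TCP, numeric).
# On a real host: subprocess.run(["ss", "-Hltn"], capture_output=True, text=True).stdout
SS_SAMPLE = """\
LISTEN 0 128          0.0.0.0:22        0.0.0.0:*
LISTEN 0 128             [::]:22           [::]:*
LISTEN 0 80         127.0.0.1:3306      0.0.0.0:*
LISTEN 0 128             [::]:5432         [::]:*
LISTEN 0 128            [::1]:6379         [::]:*
LISTEN 0 128    [fe80::1]%eth0:8080         [::]:*
LISTEN 0 128               *:9100             *:*
"""

# Constructed, simplified packet-filter summaries: the INPUT chain's
# default policy and the TCP ports it explicitly accepts.  The IPv6 side
# models the common "ip6tables was never configured" state.
V4_POLICY = {"default": "DROP", "accept": {22}}
V6_POLICY = {"default": "ACCEPT", "accept": set()}

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass(frozen=True)
class Listener:
    family: int                 # 4 or 6
    address: str
    port: int
    zone: Optional[str] = None  # interface name for link-local binds


_LOCAL_RE = re.compile(
    r"^(?:\[(?P<v6>[^\]]*)\](?:%(?P<zone>\S+?))?|(?P<v4>[^:\s]+)):(?P<port>\d+)$"
)


def parse_local(token: str) -> Listener:
    """Parse the Local Address:Port column of ss, old and new formats."""
    if token.startswith(":::"):          # older ss prints the v6 wildcard as :::port
        token = "[::]:" + token[3:]
    m = _LOCAL_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised local address: {token!r}")
    port = int(m["port"])
    if m["v6"] is not None:
        addr, _, zone = m["v6"].partition("%")  # some versions put %if inside the brackets
        return Listener(6, addr, port, zone or m["zone"])
    v4 = "0.0.0.0" if m["v4"] == "*" else m["v4"]   # older ss prints the v4 wildcard as *
    return Listener(4, v4, port)


def parse_ss(output: str) -> list:
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        listeners.append(parse_local(fields[3]))
    return listeners


def accepts_link_local(l: Listener) -> bool:
    """True if a neighbour on the same link can reach this socket by
    connecting to the host's fe80::/10 address: a bind to :: accepts on
    every local address, and an explicit fe80:: bind is link-local by
    definition.  Loopback and global-only binds do not qualify."""
    if l.family != 6:
        return False
    addr = ipaddress.IPv6Address(l.address)
    if addr.is_loopback:
        return False
    return addr == ipaddress.IPv6Address("::") or addr in LINK_LOCAL


def filtered(policy: dict, port: int) -> bool:
    """Would this (simplified) INPUT chain drop a new connection to port?"""
    if port in policy["accept"]:
        return False
    return policy["default"] == "DROP"


def ipv6_gaps(listeners, v4_policy=V4_POLICY, v6_policy=V6_POLICY) -> dict:
    """Ports an on-link neighbour can reach over IPv6 link-local that the
    IPv6 filter lets through, annotated with what the IPv4 side does."""
    gaps = {}
    for l in listeners:
        if not accepts_link_local(l) or filtered(v6_policy, l.port):
            continue
        gaps[l.port] = {
            "bound": f"[{l.address}]" + (f"%{l.zone}" if l.zone else ""),
            "v4_listener": any(x.family == 4 and x.port == l.port for x in listeners),
            "v4_filtered": filtered(v4_policy, l.port),
        }
    return gaps


if __name__ == "__main__":
    for port, info in sorted(ipv6_gaps(parse_ss(SS_SAMPLE)).items()):
        note = "DROPPED in IPv4 but open via IPv6 link-local" if info["v4_filtered"] else "open in both"
        print(f"tcp/{port:<5} bound {info['bound']:<16} {note}")
```

On the sample data this reports 22 (open in both families), 5432 (no IPv4 listener at all, and the IPv4 policy would drop it anyway, yet reachable by any neighbour over `fe80::`) and 8080 (bound directly to the link-local address on `eth0`). Note the dual-stack wrinkle the audit does not cover: a socket bound to `::` with `IPV6_V6ONLY` off also accepts IPv4 connections, which the IPv4 chain filters, so the `[::]` line is only an IPv6 problem when ip6tables is empty.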