[LAC-TF] [LACNIC/Seguridad] Fwd: RFC 6434 on IPv6 Node Requirements (IPSec en IPv6)

Fernando Gont fgont at si6networks.com
Tue Dec 27 16:57:58 BRST 2011

On 12/27/2011 10:39 AM, Carlos M. Martinez wrote:
> I don't buy that IPv6 currently gives anyone a false sense of security.

It's not IPv6 itself... it's rather about all the nonsense that is
usually said about it...

> It has been argued in the past (wrongly) that IPv6 was to be more
> secure/fast/generally_nicer/<insert whatever here> than IPv4, when
> obviously it's not. But no one on the IPv6 camp is arguing that now.

Some of that can be found here: http://t.co/iu2g1LiW (a thread on the
ipv6hackers mailing-list). Sometimes the nonsense is in the form of
"IPv6 is more secure/nice/QoS", while others it comes in the form of
"there's the potential of" (the latter being far less annoying than the
former, of course).

Not to mention the "it's impossible to scan IPv6 networks" which is even
argued in IETF circles...

That aside, I could mention that #1/#2 in the ranking of questions asked
before IPv6 security talks is "Is IPv6 more secure than IPv4?".

I could also mention that a few hours ago I was preparing the contents
of a customized training, based on the request of a client, and the
proposal included "New IPv6 features: IPv6 security and QoS".

As with almost everything, as long as something gets repeated over and
over again, it doesn't matter whether it's true or not: it's taken as a
fact, and it takes a lot of work to dismantle those myths.

> However, I do keep hearing that NAT provides security and it seems only
> a few of us feel, or at least dare to argue publicly, that NAT does
> indeed provide a *very* false sense of security.

NAT provides packet filtering. Whether packet filtering == security is
a different question, but it's usually argued that at the very least it
improves security.

-- the usual argument being that if a system is not directly reachable
on the Internet, there are some attacks that you cannot perform.

> IPv6 creates new attack surface, that is very true. However *any new*
> technology / application that comes into wide use creates new attack
> surface, yet we keep deploying new technologies and using new applications.

The discussion of IPv6 security should not be taken as an argument
against deploying IPv6, but rather as trying to stay close to facts
rather than faith.

> Facebook and friends have created not only new attack surface but also
> countless opportunities for social engineering attacks and privacy
> concerns.

But nobody argued that the Internet is faster when you have a browser on
facebook, or that facebook is a green technology (!?), or that facebook
improves security...

> Should IPv6 be any different ? If you add to the mix that the lion's
> share of new attacks and exploits are application-layer based, I really
> don't think so. We have a lot more to lose by *not* deploying IPv6  in
> terms of lost opportunities and a generally poorer and more restricted
> Internet. There are a lot of players out there who stand to win *a lot*
> should IPv6 deployment fail or suffer large delays.

We should name names. It's quite frustrating that people working on
improving the current state-of-affairs are "the IPv6 heretics", and that
vendors that are filling their pockets by promoting and selling CGN (not
even deploying v6 on their own web sites) are the ones who "promote v6".

Just to mention a concrete proposal: Why not start an "IPv6 wall of
shame" on the LACTF/IPV6TF web sites, listing all those networking
vendors that have not deployed v6 on their public-facing web site?

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
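Editor's added illustration, not part of Fernando Gont's message or of any LACNIC material: the property the NAT argument above relies on ("a system is not directly reachable on the Internet") is packet filtering, and an IPv6 host gets it from a stateful filter with no address translation at all. The nftables ruleset below is a constructed example; the interface name and the single exposed service (SSH on port 22) are assumptions. The ICMPv6 types let through follow the RFC 4890 filtering recommendations, since dropping all ICMPv6 the way some IPv4 filters do breaks neighbor discovery and path MTU discovery.

```nft
# Added example (not from the original post): default-deny inbound IPv6
# filter that gives a host the "not directly reachable" property without NAT.
# Exposed service (tcp/22) and loopback interface name are assumptions.
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, plus return traffic for connections this host opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 that IPv6 cannot function without (RFC 4890): neighbor
        # discovery, router advertisements, PMTUD and basic error reports.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Only explicitly exposed services accept new inbound connections;
        # everything else falls through to the drop policy, so unsolicited
        # traffic never reaches a listening socket, exactly as behind a NAT.
        tcp dport 22 ct state new accept
    }
    chain forward {
        # Host, not router: forward nothing.
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        # Outbound connections are allowed; their replies match
        # "established,related" in the input chain.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and check with `nft list ruleset`. The point of the example is the one the thread makes: what NAT buys you defensively is the filter, and the filter is available on IPv6 without the address-sharing side effects that NAT brings.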