[LACNIC/Seguridad] Fwd: RFC 6434 on IPv6 Node Requirements (IPSec en IPv6)

Mar Dic 27 11:39:02 BRST 2011

I don't buy that IPv6 currently gives anyone a false sense of security.
It has been argued in the past (wrongly) that IPv6 was to be more
secure/fast/generally_nicer/<insert whatever here> than IPv4, when
obviously it's not. But no one on the IPv6 camp is arguing that now.

However, I do keep hearing that NAT provides security and it seems only
a few of us feel, or at least dare to argue publicly,  that NAT does
indeed provide a *very* false sense of security.

IPv6 creates new attack surface, that is very true. However *any new*
technology / application that comes into wide use creates new attack
surface, yet we keep deploying new technologies and using new applications.

Facebook and friends have created not only new attack surface but also
countless opportunities for social engineering attacks and privacy
concerns. Yet if you "disable facebook" until all concerns have been
addressed, you will have 800 million screaming banshees around the
world. And rigthly so.

Should IPv6 be any different ? If you add to the mix that the lion's
share of new attacks and exploits are application-layer based, I really
don't think so. We have a lot more to lose by *not* deploying IPv6  in
terms of lost opportunities and a generally poorer and more restricted
Internet. There are a lot of players out there who stand to win *a lot*
should IPv6 deployment fail or suffer large delays.

Warm regards,

Carlos

On 12/26/11 12:33 AM, Arruda, Julio wrote:
> As Gont own work, and others, proved, over and again, IPv6 is NOT more
> secure, by some magic.
> There are obvious new surface attacks, and the whole extension headers
> nightmare, I will assume, is the recipe for disasters.
> I'm by no means an IPv6 expert like many here, but I saw enough to say
> that 'false sense of security', that IPv6 give to the uninformed, has huge
> problems.
> While the sky isn't falling, for sure is a new playing field. And we know
> how fast are the miscreants to explore these new playing fields.
> Include <disclaimer.h> The opinions expressed here are my own, not of my
> employer.
>
>
>
>
>
>
> On 12/25/11 7:09 PM, "Fernando Gont" <fgont en si6networks.com> wrote:
>
>> On 12/25/2011 07:54 PM, Victor Hugo dos Santos wrote:
>>>> Como nota relacionada, en la comunidad de RIPE se está discutiendo el
>>>> update del documento "RIPE-501", y pareciera que se va a optar por lo
>>>> mismo (no poner la implementación de IPsec como algo "mandatorio").
>>> Pero cual es la opnion de ustedes ???
>> Mi opinion personal sobre IPsec es que solo se utiliza en aplicaciones o
>> entornos especificos (por ej., VPNs), pero no como mecanismo "general".
>> Y nada indica que eso vaya a cambiar.
>>
>>
>>
>>> sirve de algo el IPSec ?? considerando
>>> hardware/tiempo/configuraciones/ventajas/etc/etc o solo esta/estaba de
>>> adorno ??
>> Servir, sirve. Pero, nuevamente, el punto es que su uso se limita a
>> aplicaciones especificas.
>>
>> Personalmente creo que no hay motivos para esperar un uso mayor notable
>> de IPsec.
>>
>>
>>> Se no me falla la memoria usted (Gont) no estaba muy feliz con IPSec y
>>> creo que Jordi apoyaba a IPSec.
>> No, no es así. No es que yo "no esté feliz con IPsec". Simplemente creo
>> que no existen motivos para esperar mayor uso de IPsec, y que mucha
>> gente fomenta dicha falacia para concluir que tendremos mayor seguridad
>> con IPv6 (como argumento de "venta"):
>>
>> El razonamiento falaz usualmente es/era:
>> "El Node Requirements RFC hace dice que IPsec es mandatorio" -> "Todas
>> las implementaciones de IPv6 tendrán IPsec" -> "Todos usaremos IPsec" ->
>> "Tendremos mayor seguridad con IPv6".
>>
>> Lo unico "indiscutible" de dicho razonamiento es que el RFC
>> correspondiente decía que IPsec era mandatorio. Nada mas. El resto
>> eran/son falacias.
>>
>> Es interesante citar a Bertrand Russell (hablando de otro tema, pero
>> cuya filosofia es util y aplicable al caso):
>>
>> ---- cut here ----
>> Q: Do you think there¹s a practical reason for having a religious
>> belief, for many people?
>>
>> Russell: Well, there can¹t be a practical reason for believing what
>> isn¹t true. That¹s quite... at least, I rule it out as impossible.
>> Either the thing is true, or it isn¹t. If it is true, you should believe
>> it, and if it isn¹t, you shouldn¹t. And if you can¹t find out whether
>> it¹s true or whether it isn¹t, you should suspend judgment. But you
>> can¹t... it seems to me a fundamental dishonesty and a fundamental
>> treachery to intellectual integrity to hold a belief because you think
>> it¹s useful, and not because you think it¹s true.
>> ---- cut here ----
>>
>> Fuente: <http://adirayubi.com/weblog/levensbeschouwing/81>
>>
>> P.S.: Personalmente creo en Dios, pero eso es otra cuestión, "off-topic"
>> para esta discusión... ;-)
>>
>> Un abrazo, y Feliz Navidad para todos!
>> -- 
>> Fernando Gont
>> SI6 Networks
>> e-mail: fgont en si6networks.com
>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>
>>
>>
>> _______________________________________________
>> Seguridad mailing list
>> Seguridad en lacnic.net
>> https://mail.lacnic.net/mailman/listinfo/seguridad
> _______________________________________________
> Seguridad mailing list
> Seguridad en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/seguridad

-- 

--
Carlos M. Martinez
LACNIC R+D
http://www.labs.lacnic.net