[LACNIC/Seguridad] Fwd: RFC 6434 on IPv6 Node Requirements (IPSec en IPv6)

Arruda, Julio jarruda en arbor.net
Mar Dic 27 19:02:56 BRST 2011


As recently as 3 months ago, I heard people saying IPv6 is more secure, as
a blanket statement, AND, as ironic as it would be, same people that are
concerned with NAT not being 'common' with IPv6 :-)
Is not the IPv6 champions, is the 'uneducated' mass still. Is new
technology, like you said.
About IPv6 deployment, I fully agree, the sooner the better. And more, I
would say, it IS already too late. Is a race.
We have customers deploying IPv6 as we speak, and in most of them, the
whole process is being given a high priority.

On 12/27/11 8:39 AM, "Carlos M. Martinez" <carlosm3011 en gmail.com> wrote:

>I don't buy that IPv6 currently gives anyone a false sense of security.
>It has been argued in the past (wrongly) that IPv6 was to be more
>secure/fast/generally_nicer/<insert whatever here> than IPv4, when
>obviously it's not. But no one on the IPv6 camp is arguing that now.
>However, I do keep hearing that NAT provides security and it seems only
>a few of us feel, or at least dare to argue publicly,  that NAT does
>indeed provide a *very* false sense of security.
>IPv6 creates new attack surface, that is very true. However *any new*
>technology / application that comes into wide use creates new attack
>surface, yet we keep deploying new technologies and using new
>Facebook and friends have created not only new attack surface but also
>countless opportunities for social engineering attacks and privacy
>concerns. Yet if you "disable facebook" until all concerns have been
>addressed, you will have 800 million screaming banshees around the
>world. And rigthly so.
>Should IPv6 be any different ? If you add to the mix that the lion's
>share of new attacks and exploits are application-layer based, I really
>don't think so. We have a lot more to lose by *not* deploying IPv6  in
>terms of lost opportunities and a generally poorer and more restricted
>Internet. There are a lot of players out there who stand to win *a lot*
>should IPv6 deployment fail or suffer large delays.
>Warm regards,
>On 12/26/11 12:33 AM, Arruda, Julio wrote:
>> As Gont own work, and others, proved, over and again, IPv6 is NOT more
>> secure, by some magic.
>> There are obvious new surface attacks, and the whole extension headers
>> nightmare, I will assume, is the recipe for disasters.
>> I'm by no means an IPv6 expert like many here, but I saw enough to say
>> that 'false sense of security', that IPv6 give to the uninformed, has
>> problems.
>> While the sky isn't falling, for sure is a new playing field. And we
>> how fast are the miscreants to explore these new playing fields.
>> Include <disclaimer.h> The opinions expressed here are my own, not of my
>> employer.
>> On 12/25/11 7:09 PM, "Fernando Gont" <fgont en si6networks.com> wrote:
>>> On 12/25/2011 07:54 PM, Victor Hugo dos Santos wrote:
>>>>> Como nota relacionada, en la comunidad de RIPE se está discutiendo el
>>>>> update del documento "RIPE-501", y pareciera que se va a optar por lo
>>>>> mismo (no poner la implementación de IPsec como algo "mandatorio").
>>>> Pero cual es la opnion de ustedes ???
>>> Mi opinion personal sobre IPsec es que solo se utiliza en aplicaciones
>>> entornos especificos (por ej., VPNs), pero no como mecanismo "general".
>>> Y nada indica que eso vaya a cambiar.
>>>> sirve de algo el IPSec ?? considerando
>>>> hardware/tiempo/configuraciones/ventajas/etc/etc o solo esta/estaba de
>>>> adorno ??
>>> Servir, sirve. Pero, nuevamente, el punto es que su uso se limita a
>>> aplicaciones especificas.
>>> Personalmente creo que no hay motivos para esperar un uso mayor notable
>>> de IPsec.
>>>> Se no me falla la memoria usted (Gont) no estaba muy feliz con IPSec y
>>>> creo que Jordi apoyaba a IPSec.
>>> No, no es así. No es que yo "no esté feliz con IPsec". Simplemente creo
>>> que no existen motivos para esperar mayor uso de IPsec, y que mucha
>>> gente fomenta dicha falacia para concluir que tendremos mayor seguridad
>>> con IPv6 (como argumento de "venta"):
>>> El razonamiento falaz usualmente es/era:
>>> "El Node Requirements RFC hace dice que IPsec es mandatorio" -> "Todas
>>> las implementaciones de IPv6 tendrán IPsec" -> "Todos usaremos IPsec"
>>> "Tendremos mayor seguridad con IPv6".
>>> Lo unico "indiscutible" de dicho razonamiento es que el RFC
>>> correspondiente decía que IPsec era mandatorio. Nada mas. El resto
>>> eran/son falacias.
>>> Es interesante citar a Bertrand Russell (hablando de otro tema, pero
>>> cuya filosofia es util y aplicable al caso):
>>> ---- cut here ----
>>> Q: Do you think there¹s a practical reason for having a religious
>>> belief, for many people?
>>> Russell: Well, there can¹t be a practical reason for believing what
>>> isn¹t true. That¹s quite... at least, I rule it out as impossible.
>>> Either the thing is true, or it isn¹t. If it is true, you should
>>> it, and if it isn¹t, you shouldn¹t. And if you can¹t find out whether
>>> it¹s true or whether it isn¹t, you should suspend judgment. But you
>>> can¹t... it seems to me a fundamental dishonesty and a fundamental
>>> treachery to intellectual integrity to hold a belief because you think
>>> it¹s useful, and not because you think it¹s true.
>>> ---- cut here ----
>>> Fuente: <http://adirayubi.com/weblog/levensbeschouwing/81>
>>> P.S.: Personalmente creo en Dios, pero eso es otra cuestión,
>>> para esta discusión... ;-)
>>> Un abrazo, y Feliz Navidad para todos!
>>> -- 
>>> Fernando Gont
>>> SI6 Networks
>>> e-mail: fgont en si6networks.com
>>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>> _______________________________________________
>>> Seguridad mailing list
>>> Seguridad en lacnic.net
>>> https://mail.lacnic.net/mailman/listinfo/seguridad
>> _______________________________________________
>> Seguridad mailing list
>> Seguridad en lacnic.net
>> https://mail.lacnic.net/mailman/listinfo/seguridad
>Carlos M. Martinez
>Seguridad mailing list
>Seguridad en lacnic.net

Más información sobre la lista de distribución Seguridad