[LACNIC/Seguridad] Fwd: Re: [v6ops] IPv6 transition technologies vs MITM (DEFCON)
fgont en si6networks.com
Wed Aug 28 03:14:19 BRT 2013
Similar discussion, in the IETF v6ops WG...
-------- Original Message --------
From: Tim Chown <tjc en ecs.soton.ac.uk>
Date: Thu, 22 Aug 2013 21:51:18 +0100
To: Tom Perrine <tperrine en scea.com>
Cc: IETF v6ops list <v6ops en ietf.org>
Subject: Re: [v6ops] IPv6 transition technologies vs MITM (DEFCON)
On 22 Aug 2013, at 19:51, Tom Perrine <tperrine en scea.com> wrote:
> There's been a fair amount of debate on the list about the merits of
> using the transition technologies vs an aggressive move to native IPv6
> (usually dual-stack). We keep coming back (as we have for 10+ years)
> to finding business reasons to transition.
>
> In parallel, there's been a goodly amount of poking around IPv6, "the
> real world" and those transition technologies.
>
> The MITM attack demonstrated at DEFCON this year was nothing new.
> While it was widely covered as an "IPv6 security flaw", it was really
> taking advantage of the well-known "RA problem" and the behavior of an
> IPv6-capable node on a nominally IPv4-only network.
>
> Frankly, while it was a nice "one click" automation of an
> already-recognized exploit, there wasn't really anything new.
>
> But, what I'm seeing is that no one is talking about how the
> transition strategies will not address this attack at all, at least as
> far as I can tell. They all seem to seek to leave (allegedly)
> IPv4-only nodes in place and work at one or more hops away from those
> nodes. This ignores that so many nodes really aren't IPv4-only. They
> are really dual-stack nodes that are waiting for the IPv6
> configuration to be completed. And you can complete that
> configuration, or your attacker will!
>
> I see two ways to mitigate this attack: turn off IPv6 on all modern
> OSes, or fully deploy IPv6. Guess which one I don't want to see
> advocated :-)
>
> Am I missing something, or is this one more point to add to the
> "deploy IPv6 now, deploy native, skip the transition technologies" ?
> (I'm including dual-stack in the native strategy.)
There's lots of work within the IETF on this, e.g. take a look
The sunset4 WG is also quite interesting.
I'm surprised an event like DEFCON presented something that old.
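
An added example, not part of the original messages: a detection sketch for the "RA problem" discussed above, which parses ICMPv6 Router Advertisements (RFC 4861) and flags any that come from a source outside an allowlist; an empty allowlist models a nominally IPv4-only segment. The function names, the `(source, payload)` input shape and all addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE, OPT_SRC_LLADDR, OPT_PREFIX_INFO = 134, 1, 3

def parse_ra(icmpv6: bytes):
    """Parse an ICMPv6 Router Advertisement (RFC 4861); None if malformed or not an RA."""
    if len(icmpv6) < 16 or icmpv6[0] != RA_TYPE:
        return None
    lifetime = struct.unpack_from("!H", icmpv6, 6)[0]  # router lifetime, seconds
    ra = {"router_lifetime": lifetime, "lladdr": None, "slaac_prefixes": []}
    off = 16
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmpv6):
            return None  # zero-length or truncated option: discard the whole RA
        body = icmpv6[off + 2:off + opt_len]
        if opt_type == OPT_SRC_LLADDR and opt_len == 8:
            ra["lladdr"] = body.hex(":")
        elif opt_type == OPT_PREFIX_INFO and opt_len == 32:
            # body[0] = prefix length, body[1] = flags; A flag (0x40) enables SLAAC
            if body[1] & 0x40 and body[0] <= 128:
                net = ipaddress.IPv6Network((body[14:30], body[0]), strict=False)
                ra["slaac_prefixes"].append(str(net))
        off += opt_len
    return ra

def audit(packets, authorized_routers=frozenset()):
    """Flag RAs from unauthorized sources; the empty default models an IPv4-only segment."""
    alerts = []
    for src, payload in packets:
        ra = parse_ra(payload)
        if ra is None or src in authorized_routers:
            continue
        if ra["router_lifetime"] > 0 or ra["slaac_prefixes"]:
            alerts.append((src, ra["lladdr"], ra["slaac_prefixes"]))
    return alerts

def build_ra(lifetime, mac, prefix, plen=64):
    """Build a constructed RA for the demo (checksum left 0; not verified above)."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    lla = bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 86400, 14400, 0)
    return hdr + lla + pio + ipaddress.IPv6Address(prefix).packed

# Constructed sample: (link-local source, ICMPv6 payload) pairs, documentation prefixes.
SAMPLE = [("fe80::1", build_ra(1800, "02:00:00:00:00:01", "2001:db8:1::")),
          ("fe80::99", build_ra(1800, "02:00:00:00:00:99", "2001:db8:99::"))]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a dual-stack segment, pass the link-local addresses of the legitimate routers as `authorized_routers`; on a segment meant to be IPv4-only, every alert is worth investigating.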