On Mar 23, 2014, at 5:24 PM, Mike Hale <eyeronic.design@gmail.com> wrote:
"I wasn't aware that calling out FUD was derisive, but whatever." It's derisive because you completely dismiss a huge security issue that, given the state of IPv6 adoption, a great majority of companies are facing.
I would say that calling it FUD was fair game in this case. Ferg claimed it was a “new unrelated attack”. In reality, it’s pretty much the same attack as most ARP attacks that exist in IPv4 and there are well known mitigations just as in IPv4 with similar difficulties and tradeoffs in their deployment. Sure, having 18 quintillion host addresses on a subnet vs. <254 creates some differences in the scale at which some of these attacks can be carried out, but that’s more a matter of scale than a matter of radically different attack surface.
Calling it FUD is completely wrong because it *is* a legitimate security issue for most businesses. Sure, you've got the few who have been able to properly plan for and secure their networks against the increased attack surface of IPv6, but again...most companies haven’t.
It’s no more legitimate than the similar issues in IPv4. IPv6 doesn’t actually present a significantly increased attack surface, it presents a very similar attack surface. The shape is a little different in some of the details, but the overall size and shape is pretty similar to IPv4.
Slinging false proclamations of FUD is as harmful as FUD itself.
I wouldn’t say that either set of statements was 100% FUD or 100% non-FUD. I will say that vendors making hay out of IPv6 vulnerabilities as if they were novel or different from existing wide-spread IPv4 vulnerabilities in order to increase profits or reduce demands for IPv6 in their products is a fairly common practice that has been far more harmful than any IPv6 attack surface overall.

Owen
On Sun, Mar 23, 2014 at 4:49 PM, Timothy Morizot <tmorizot@gmail.com> wrote:
On Mar 23, 2014 6:21 PM, "Paul Ferguson" <fergdawgster@mykolab.com> wrote:
Says you.
And many others. My comments were actually reiterating what I commonly see presented today.
On the other hand, there are beaucoup enterprise networks unwilling to consider moving to v6 until there are management, control, administrative, and security issues addressed.
Whereas there are other enterprise networks, including mine, who are actively deploying IPv6 and have been for a number of years now. So unless you can come up with something truly novel that we haven't already dealt with, I'll stick by my use of FUD.
You can continue to deride our issues, and make derisive comments to your heart's content, but it does not change reality.
I wasn't aware that calling out FUD was derisive, but whatever.
Cheers,
Scott
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0