On Mar 23, 2014 7:54 PM, "Mike Hale" <eyeronic.design@gmail.com> wrote:
"unless by few you simply mean a minority" Which I do.
Then that's fine. But there are numerous enterprises in that minority and it includes some pretty large enterprises. My own enterprise organization has more than 600 sites, 100k employees, and thousands of contractors.
"appropriately mitigating the security risks shows the claim that there are security weaknesses in IPv6 preventing its adoption is false." No. It doesn't. It's not the sole reason, but it's a huge factor to consider.
Logic 101? If security-conscious enterprises have successfully implemented IPv6 while mitigating the security risks, then there aren't any inherent security weaknesses preventing its adoption by enterprises. A non-FUD statement would be that we've assessed our infrastructure and preparedness for IPv6 and aren't yet in a position where we can safely deploy IPv6. A FUD statement is the assertion that there are inherent security weaknesses in the protocol preventing enterprises from deploying it.
There is because it doubles your attack surface at the very least. At the worst, it increases it exponentially since suddenly all your internal devices (that were never configured to be public-facing) are suddenly accessible from everywhere.
It's an IPv6 world. Your attack surface has already expanded whether or not you deploy IPv6. In fact, an enterprise will be making itself increasingly vulnerable to IPv6 attacks by refusing to deploy it than by securely enabling and controlling the protocol. And if an enterprise doesn't have firewalls in place, then their devices are already accessible. NAT44 doesn't provide any meaningful security protection. If you have firewalls with appropriate policies, then it's silly to claim your internal devices are suddenly accessible from everywhere. My organization is particularly strict at our perimeter. Everything is default deny in both directions for both protocols and we very carefully open holes. We also allow very little unproxied access to the Internet. (DNS, SMTP, and HTTP/HTTPS being the most common services provided in our Internet access points.)
None of this is unpreventable, by the way. There are a myriad of solutions that can and do mitigate these risks. But to simply dismiss the security considerations is, I think, incredibly naïve and unrealistic.
Nowhere have I dismissed security considerations for either IPv4 or IPv6. I've simply pointed out that it really isn't any harder to plan and manage for v6 than for v4. And we currently live in a dual-protocol Internet. Simply pretending that if you don't enable IPv6, you're somehow immune from IPv6 threats is naive.

Scott
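The dual-stack, default-deny perimeter described in the thread, as an added example that is not part of the original messages: an nftables ruleset in the `inet` family, which evaluates one set of rules for both IPv4 and IPv6, so v6 is planned and managed in exactly the place v4 already is. Interface names and the documentation addresses used for the proxy, mail relay and resolver are assumptions; the ICMPv6 types readmitted under the drop policy are the ones IPv6 cannot operate without.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Dual-stack default-deny perimeter.
# Assumed interface names and RFC 5737 / RFC 3849 documentation addresses.
define wan = "eth0"
define lan = "eth1"
define egress4 = { 192.0.2.10, 192.0.2.25, 192.0.2.53 }     # proxy, mail relay, resolver
define egress6 = { 2001:db8::10, 2001:db8::25, 2001:db8::53 }

flush ruleset

table inet perimeter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Without these ICMPv6 types neighbor discovery and PMTUD break, so a
        # default-deny IPv6 policy has to readmit them explicitly.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmp type { destination-unreachable, time-exceeded } accept
        iif $lan tcp dport 22 accept                          # management from inside only
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { packet-too-big, time-exceeded, parameter-problem } accept
        # Outbound: only the proxy, relay and resolver may reach the Internet,
        # and only on the services they provide (DNS, SMTP, HTTP/HTTPS).
        iif $lan oif $wan ip  saddr $egress4 tcp dport { 25, 80, 443 } accept
        iif $lan oif $wan ip6 saddr $egress6 tcp dport { 25, 80, 443 } accept
        iif $lan oif $wan ip  saddr $egress4 udp dport 53 accept
        iif $lan oif $wan ip6 saddr $egress6 udp dport 53 accept
        # Inbound: the carefully opened holes, one per protocol, same service.
        iif $wan oif $lan ip  daddr 192.0.2.25   tcp dport 25 accept
        iif $wan oif $lan ip6 daddr 2001:db8::25 tcp dport 25 accept
        # Every other internal host, over either protocol, falls through to drop.
        log prefix "perimeter-drop " counter
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset` that both the `ip` and `ip6` rules appear under the single `inet` table; a host that is "IPv4-only" by policy but has IPv6 enabled by default is covered by the same drop.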