Re: OMB: IPv6 by June 2008
On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> > This keeps coming up in each discussion about v6, 'what security measures' is never really defined in any real sense. As near as I can tell its level of 'security' is no better (and probably worse at the outset, for the implementations not the protocol itself) than v4. I could be wrong, but I'm just not seeing any 'inherent security' in v6, and selling it that way is just a bad plan.
> Just name a few:
> - Possibility to end-to-end IPSec.
exists in v4
> - Not feasible scanning of subnets remotely
eh... maybe, I'm not convinced this matters anyway.
> - Privacy enhanced addresses - not tracking usage based on addresses
dhcp can do this for you (v4 has mechanisms for this)
> - Better ingress filtering
right... because gear that filters so well in v4-land will filter so much better in v6-land? you == crazy.

All those objections aside, I'd love to see v6 more fully deployed. I'm not sure I see how it's going to get beyond 'research' or 'play' land, except for some small cases, for quite some time. It's interesting that the flood gates on ip space are opening at IANA though, that should hasten the v6 takeup/deployment :)
On Fri, Jul 01, 2005 at 02:54:30PM +0000, Christopher L. Morrow wrote:
> On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> > > This keeps coming up in each discussion about v6, 'what security measures' is never really defined in any real sense. As near as I can tell its level of 'security' is no better (and probably worse at the outset, for the implementations not the protocol itself) than v4. I could be wrong, but I'm just not seeing any 'inherent security' in v6, and selling it that way is just a bad plan.
> > Just name a few:
> > - Possibility to end-to-end IPSec.
> exists in v4
> > - Not feasible scanning of subnets remotely
> eh... maybe, I'm not convinced this matters anyway.
> > - Privacy enhanced addresses - not tracking usage based on addresses
> dhcp can do this for you (v4 has mechanisms for this)
> > - Better ingress filtering
> right... because gear that filters so well in v4-land will filter so much better in v6-land? you == crazy.
>
> All those objections aside, I'd love to see v6 more fully deployed. I'm not sure I see how it's going to get beyond 'research' or 'play' land, except for some small cases, for quite some time. It's interesting that the flood gates on ip space are opening at IANA though, that should hasten the v6 takeup/deployment :)
Perhaps paraphrasing what Chris just said: At the end of the day, it is very difficult to make the case that IPv6 offers anything that IPv4 doesn't other than a larger address space. Dave
Christopher L. Morrow wrote:
> On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> > > This keeps coming up in each discussion about v6, 'what security measures' is never really defined in any real sense. As near as I can tell its level of 'security' is no better (and probably worse at the outset, for the implementations not the protocol itself) than v4. I could be wrong, but I'm just not seeing any 'inherent security' in v6, and selling it that way is just a bad plan.
> > Just name a few:
> > - Possibility to end-to-end IPSec.
> exists in v4
> > - Not feasible scanning of subnets remotely
> eh... maybe, I'm not convinced this matters anyway.

If your argument is that it is "too hard" to scan that many addresses, do you really think that in an age of 100Gbps broadband and 100GHz home PCs that will really be the barrier you think it is? Or better put: over the possible lifetime of v6 will that barrier remain real? And the scanner merely has to get lucky once. Or they can have a zombie army of scanners that will be statistically guaranteed to get lucky at least once.

> > - Privacy enhanced addresses - not tracking usage based on addresses

As if they need to keep 128 bits for the tracking to be accurate. If everybody gets /64 then I am certain trackers will be quite happy to limit their tracking to that, it will serve them the same purpose.

> dhcp can do this for you (v4 has mechanisms for this)
> > - Better ingress filtering
> right... because gear that filters so well in v4-land will filter so much better in v6-land? you == crazy.
>
> All those objections aside, I'd love to see v6 more fully deployed. I'm not sure I see how it's going to get beyond 'research' or 'play' land, except for some small cases, for quite some time. It's interesting that the flood gates on ip space are opening at IANA though, that should hasten the v6 takeup/deployment :)
IPv6 is a classic "second system". And now we are stuck with it.
Thus spake "Joe Maimon" <jmaimon@ttec.com>
> Christopher L. Morrow wrote:
> > On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> > > > - Not feasible scanning of subnets remotely
> > eh... maybe, I'm not convinced this matters anyway.
> If your argument is that it is "too hard" to scan that many addresses, do you really think that in an age of 100Gbps broadband and 100GHz home PCs that will really be the barrier you think it is? Or better put: over the possible lifetime of v6 will that barrier remain real? And the scanner merely has to get lucky once.

At 100Gbps, you can send about 2^28 probes per second. To scan a /64 subnet would take 2^36 seconds -- 2177 years. I'm pretty sure that's not within IPv6's lifetime.

> Or they can have a zombie army of scanners that will be statistically guaranteed to get lucky at least once.

The bandwidth into that subnet will be the limiting factor, but let's somehow assume you could get 100Gbps for _each_ attacker. You'd need to commandeer 2^31 hosts (difficult, but not impossible) connected at 100Gbps and coordinate them all probing the same subnet without duplication to scan it within one minute. More than a few hosts per subnet would bring that number down a bit, but not enough to make it feasible for worms to spread via scanning.

What this really does is change the detection method. Instead of scanning randomly, you sit and watch what other IP addresses the local host communicates with (on- and off-subnet), and attack each of them. How many degrees of separation are there really between any two unrelated computers on the Internet? You could probably collect half of all addresses in use just by infecting Google...

S

Stephen Sprunk        "Those people who think they know everything
CCIE #3723            are a great annoyance to those of us who do."
K5SSS                 --Isaac Asimov
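The arithmetic in Stephen's post, worked as a small calculator. This is an added example and not code from anyone in the thread; it parameterises the estimate on link rate, on-wire probe size, prefix length and number of cooperating scanners, and adds one thing the post only gestures at: how much a populated /64 shortens the time to the first hit. The probe sizes and the uniform placement of live hosts are assumptions of the example. With the idealised 2^28 probes per second it reproduces the 2^36 seconds (about 2177 years) for one /64, and it gives roughly 1.1 billion hosts for a one-minute scan, the same order as the 2^31 quoted above. The 2^28 figure already implies ~46.6 bytes per probe, which is smaller than any IPv6 packet on Ethernet; minimum-size frames on 100GE top out near 148.8 million packets per second.

```python
"""Feasibility of brute-force scanning an IPv6 /64, parameterised on link rate,
probe size, prefix length and number of cooperating scanners.

Added example for this thread; all figures are idealised upper bounds for the
attacker (no overlap between scanners, no rate limiting on the target side)."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # 31,557,600 s


def addresses_in_prefix(prefix_len: int) -> int:
    """Addresses covered by an IPv6 prefix of the given length (a /64 holds 2**64)."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    return 1 << (128 - prefix_len)


def probes_per_second(link_bps: float, probe_wire_bytes: int) -> float:
    """Upper bound on probes per second if every probe occupies probe_wire_bytes on the link."""
    return link_bps / (probe_wire_bytes * 8)


def seconds_to_scan(prefix_len: int, pps: float, scanners: int = 1) -> float:
    """Wall-clock time to probe every address once, with scanners splitting the
    space without overlap (the best case for the attacker)."""
    return addresses_in_prefix(prefix_len) / (pps * scanners)


def scanners_needed(prefix_len: int, pps: float, deadline_s: float) -> int:
    """Fewest non-overlapping scanners, each at pps, that finish within deadline_s."""
    return math.ceil(addresses_in_prefix(prefix_len) / (pps * deadline_s))


def expected_probes_to_first_hit(prefix_len: int, live_hosts: int) -> float:
    """Expected probes before the first live host is found, assuming live_hosts
    addresses sit at uniformly random positions in the prefix and the scanner
    walks the space in random order without repeats: (N + 1) / (k + 1)."""
    n = addresses_in_prefix(prefix_len)
    return (n + 1) / (live_hosts + 1)


if __name__ == "__main__":
    # Idealised budget from the thread: 2**28 probes/s, i.e. ~46.6 bytes per probe
    # at 100 Gbit/s, which is smaller than any real IPv6 packet on Ethernet.
    ideal_pps = 2 ** 28
    # Line rate for minimum-size Ethernet frames (64 B + 20 B preamble/IPG = 84 B).
    real_pps = probes_per_second(100e9, 84)
    for label, pps in (("idealised 2^28 pps", ideal_pps), ("100GE line rate", real_pps)):
        years = seconds_to_scan(64, pps) / SECONDS_PER_YEAR
        print(f"{label}: one /64 takes {years:,.0f} years from a single host")
        print(f"  hosts needed to finish in one minute: {scanners_needed(64, pps, 60):,}")
    # Even a densely populated /64 does not rescue random scanning (assumed placement).
    for k in (1, 1_000, 1_000_000):
        secs = expected_probes_to_first_hit(64, k) / ideal_pps
        print(f"{k:>9} live hosts: first hit after ~{secs / SECONDS_PER_YEAR:,.3f} years")
```

Scanning a /64 with a million live hosts at the idealised rate still takes on the order of a day to the first hit, and a thousand hosts pushes it past two years, which is the point about worms not spreading by scanning; the practical consequence is the one the post draws, that attackers harvest addresses from traffic, logs, DNS and application data instead of enumerating the space.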
Stephen Sprunk wrote:
> What this really does is change the detection method. Instead of scanning randomly, you sit and watch what other IP addresses the local host communicates with (on- and off-subnet), and attack each of them. How many degrees of separation are there really between any two unrelated computers on the Internet? You could probably collect half of all addresses in use just by infecting Google...
Or just send email with IMG SRC tag pointing to a server you control and harvest the addresses from there? Pete
* jmaimon@ttec.com (Joe Maimon) [Fri 01 Jul 2005, 17:38 CEST]:
> > On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> > > - Privacy enhanced addresses - not tracking usage based on addresses
> As if they need to keep 128 bits for the tracking to be accurate.
> If everybody gets /64 then I am certain trackers will be quite happy to limit their tracking to that, it will serve them the same purpose.

With solely EUI-64 assigned addresses tracking stations across networks would be easy. Hence the privacy extensions.

	-- Niels.

-- 
The idle mind is the devil's playground
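Why EUI-64 addresses make a station trackable across networks, and what the privacy extensions change, as an added example (not code from the thread). The Python below builds the modified EUI-64 interface identifier that SLAAC derives from a MAC (RFC 4291, Appendix A), forms addresses on two different /64 prefixes, and shows that the MAC can be read straight back out of either address, so a tracker can link the two without keeping all 128 bits. The temporary identifier follows the shape of RFC 4941 (random 64 bits with the universal/local bit cleared) but uses os.urandom rather than the RFC's hash chain; the MAC and the 2001:db8::/32 prefixes are constructed documentation values.

```python
"""EUI-64 versus temporary (privacy) interface identifiers.

Added example for this thread. The MAC and prefixes are constructed values; the
temporary-IID generator is a simplification of RFC 4941 (random bits instead of
the RFC's MD5 chain)."""
import ipaddress
import os
from typing import Optional


def modified_eui64_iid(mac: str) -> bytes:
    """Interface identifier SLAAC derives from a 48-bit MAC (RFC 4291, Appendix A):
    insert 0xFFFE between the OUI and the device part, then invert the
    universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def temporary_iid() -> bytes:
    """Random identifier in the spirit of RFC 4941 privacy extensions. The u/l bit
    is cleared so the identifier is marked as locally administered, not global."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD  # clear bit 0x02: universal/local = local
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit interface identifier")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def mac_from_address(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Recover the MAC if the interface identifier carries the 0xFFFE marker,
    otherwise None. A random identifier matches the marker with probability 2**-16,
    so this is a heuristic, which is all a tracker needs."""
    iid = int(addr).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def same_station(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> bool:
    """The tracker's test: two addresses on unrelated prefixes are the same host
    if they embed the same MAC."""
    ma, mb = mac_from_address(a), mac_from_address(b)
    return ma is not None and ma == mb


if __name__ == "__main__":
    mac = "00:1b:21:aa:bb:cc"  # constructed example MAC
    fixed = modified_eui64_iid(mac)
    at_home = slaac_address("2001:db8:1::/64", fixed)
    at_cafe = slaac_address("2001:db8:2::/64", fixed)
    print("EUI-64 at home:", at_home, "-> MAC", mac_from_address(at_home))
    print("EUI-64 at cafe:", at_cafe, "-> MAC", mac_from_address(at_cafe))
    print("linkable across networks:", same_station(at_home, at_cafe))

    priv_home = slaac_address("2001:db8:1::/64", temporary_iid())
    priv_cafe = slaac_address("2001:db8:2::/64", temporary_iid())
    print("temporary at home:", priv_home, "-> MAC", mac_from_address(priv_home))
    print("temporary at cafe:", priv_cafe, "-> MAC", mac_from_address(priv_cafe))
    print("linkable across networks:", same_station(priv_home, priv_cafe))
```

The point Joe raises still stands for the /64 itself: a temporary identifier stops a tracker linking the host across networks, but inside one network the prefix identifies the site (and, for a single-host home connection, the subscriber), so privacy extensions address station tracking rather than subscriber tracking.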
participants (6)
- Christopher L. Morrow
- David Meyer
- Joe Maimon
- Niels Bakker
- Petri Helenius
- Stephen Sprunk