Hail NANOG! I am looking for IPv6 security resources to add to: http://www.internetsociety.org/deploy360/ipv6/security/ These could be best current practice documents, case-studies, lessons-learned/issues-found, research/evaluations, RFCs, or anything else focused on IPv6 security really. I'm not requesting that anyone do any new work, just that you point me to solid public documents that already exist. Feel free to share on-list or privately, both documents you may have authored and those you have found helpful. Thanks! ~Chris Note: Not every document shared will get posted to the Deploy360 site. -- @ChrisGrundemann http://chrisgrundemann.com
On Nov 25, 2014, at 12:32 PM, Chris Grundemann <cgrundemann@gmail.com> wrote:
Hail NANOG!
I am looking for IPv6 security resources to add to: http://www.internetsociety.org/deploy360/ipv6/security/
These could be best current practice documents, case-studies, lessons-learned/issues-found, research/evaluations, RFCs, or anything else focused on IPv6 security really.
https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Inbound_IPv6_Policy_Iss...
Chris Some that come to my mind: draft-ietf-v6ops-balanced-ipv6-security and (not sure how up to date is this one) RFC 6092 Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service RFC 5157 IPv6 Implications for Network Scanning and draft-ietf-opsec-ipv6-host-scanning RFC 6104, 6105, 7113 All about Router Advertisement Guard (RA-Guard) draft-ietf-opsec-v6 RFC 6583 Operational Neighbor Discovery Problems Regards as On Tue Nov 25 2014 at 8:34:16 PM Chris Grundemann <cgrundemann@gmail.com> wrote:
Hail NANOG!
I am looking for IPv6 security resources to add to: http://www.internetsociety.org/deploy360/ipv6/security/
These could be best current practice documents, case-studies, lessons-learned/issues-found, research/evaluations, RFCs, or anything else focused on IPv6 security really.
I'm not requesting that anyone do any new work, just that you point me to solid public documents that already exist. Feel free to share on-list or privately, both documents you may have authored and those you have found helpful.
Thanks! ~Chris
Note: Not every document shared will get posted to the Deploy360 site.
-- @ChrisGrundemann http://chrisgrundemann.com
Hi, Perhaps https://tools.ietf.org/html/rfc7217 might also fit in the list. -- Marco Arturo Servin schreef op 26-11-14 om 10:28:
Chris
Some that come to my mind:
draft-ietf-v6ops-balanced-ipv6-security and (not sure how up to date is this one) RFC 6092 Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service RFC 5157 IPv6 Implications for Network Scanning and draft-ietf-opsec-ipv6-host-scanning RFC 6104, 6105, 7113 All about Router Advertisement Guard (RA-Guard) draft-ietf-opsec-v6 RFC 6583 Operational Neighbor Discovery Problems
Regards as
On Tue Nov 25 2014 at 8:34:16 PM Chris Grundemann <cgrundemann@gmail.com> wrote:
Hail NANOG!
I am looking for IPv6 security resources to add to: http://www.internetsociety.org/deploy360/ipv6/security/
These could be best current practice documents, case-studies, lessons-learned/issues-found, research/evaluations, RFCs, or anything else focused on IPv6 security really.
I'm not requesting that anyone do any new work, just that you point me to solid public documents that already exist. Feel free to share on-list or privately, both documents you may have authored and those you have found helpful.
Thanks! ~Chris
Note: Not every document shared will get posted to the Deploy360 site.
-- @ChrisGrundemann http://chrisgrundemann.com
-- Marco Davids
Chris, Are you aware IPv6 has 3 or arguably 4 major generations of standards? Each generation requires nuanced defense strategies, based on which clauses ("must" and "should") were implemented. Some of the derived security works, do not reflect, and in some cases contradict current security recommendations. The perceived newness of the technology, and ambiguities of recommendations have resulted in 'pushback' by the security community to implement IPv6. This has forced us to continue with the implement of IPv6 and 'trust' the vender recommendations, based on the limitations of that venders products. In the cracks, between the standards and implementation of these standards, are where security vulnerabilities exist, compromises lay, and defenses crumble. Joe Klein "Inveniam viam aut faciam" On Tue, Nov 25, 2014 at 3:32 PM, Chris Grundemann <cgrundemann@gmail.com> wrote:
Hail NANOG!
I am looking for IPv6 security resources to add to: http://www.internetsociety.org/deploy360/ipv6/security/
These could be best current practice documents, case-studies, lessons-learned/issues-found, research/evaluations, RFCs, or anything else focused on IPv6 security really.
I'm not requesting that anyone do any new work, just that you point me to solid public documents that already exist. Feel free to share on-list or privately, both documents you may have authored and those you have found helpful.
Thanks! ~Chris
Note: Not every document shared will get posted to the Deploy360 site.
-- @ChrisGrundemann http://chrisgrundemann.com
Hi, On Wed, Nov 26, 2014 at 08:54:07AM -0500, Joe Klein wrote:
Chris,
Are you aware IPv6 has 3 or arguably 4 major generations of standards?
Each generation requires nuanced defense strategies, based on which clauses ("must" and "should") were implemented. Some of the derived security works, do not reflect, and in some cases contradict current security recommendations.
both very good points, Joe, which I fully second. This is - to some degree - discussed in this talk: https://www.ernw.de/download/TROOPERS_IPv6SecSummit_ERNW_IPv6_Structural_Def... which I suggest to add to the resource list in compilation. [disclaimer: I'm the author] best Enno The perceived newness of the technology, and ambiguities
of recommendations have resulted in 'pushback' by the security community to implement IPv6. This has forced us to continue with the implement of IPv6 and 'trust' the vender recommendations, based on the limitations of that venders products.
In the cracks, between the standards and implementation of these standards, are where security vulnerabilities exist, compromises lay, and defenses crumble.
Joe Klein "Inveniam viam aut faciam"
On Tue, Nov 25, 2014 at 3:32 PM, Chris Grundemann <cgrundemann@gmail.com> wrote:
Hail NANOG!
I am looking for IPv6 security resources to add to: http://www.internetsociety.org/deploy360/ipv6/security/
These could be best current practice documents, case-studies, lessons-learned/issues-found, research/evaluations, RFCs, or anything else focused on IPv6 security really.
I'm not requesting that anyone do any new work, just that you point me to solid public documents that already exist. Feel free to share on-list or privately, both documents you may have authored and those you have found helpful.
Thanks! ~Chris
Note: Not every document shared will get posted to the Deploy360 site.
-- @ChrisGrundemann http://chrisgrundemann.com
-- Enno Rey ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Enno Rey ======================================================= Blog: www.insinuator.net || Conference: www.troopers.de Twitter: @Enno_Insinuator =======================================================
Hi, Chris, On 11/25/2014 05:32 PM, Chris Grundemann wrote:
Hail NANOG!
I am looking for IPv6 security resources to add to: http://www.internetsociety.org/deploy360/ipv6/security/
This is stuff that I've authored or that I've been involved in: **** Tools **** * (Open Source) IPv6 Security Toolkit: <http://www.si6networks.com/tools/ipv6toolkit/index.html> **** Articles **** This site links all the articles that I've written so far: <http://www.si6networks.com/publications/articles.html>. They tend to cover stuff that I've covered in IETF RFCs, but in a more synthetic and human-readable way. Note while stuffed with some adds (Techtarget has to make money somehow), the full content of the articles is online, without the requirement of creating an account or anything.... just scroll down. **** IETF RFCs & Internet Drafts **** Most of what I've published at the IETF in the last few years is IPv6-securty related. Please check: <http://datatracker.ietf.org/doc/search/?name=&rfcs=on&activedrafts=on&olddrafts=on&sort=&by=author&author=Gont> Of particular interest would be: * draft-ietf-6man-ipv6-address-generation-privacy * draft-ietf-opsec-ipv6-host-scanning * RFC6980 * RFC7112 * RFC7113 * RFC7123 * RFC7217 * RFC7359 **** Presentations (slides & videos) **** * Slides: <http://www.si6networks.com/presentations/index.html> (More to be uploaded soon... please re-check in a week or so) * Videos: <https://www.youtube.com/user/SI6Networks> **** On-line communities **** * IPv6 Hackers mailing-list: <http://lists.si6networks.com/listinfo/ipv6hackers/> * IPv6 Hackers web site: <http://www.ipv6hackers.org> This site includes the slideware (and videos) of the first (and so far only) IPv6 hackers meeting in Berlin 2013. Thanks! Best regards, -- Fernando Gont e-mail: fernando@gont.com.ar || fgont@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
participants (7)
-
Arturo Servin -
Chris Grundemann -
Enno Rey -
Fernando Gont -
Franck Martin -
Joe Klein -
Marco Davids