Overcoming IPv6 Security Threat
Thanks to everyone who helped out. cheers joe baptista
http://www.circleid.com/articles/2533.asp
Overcoming IPv6 Security Threat
September 12, 2002 | By Joe Baptista
Technology rags and industry pundits see IPv6 (Internet Protocol version 6) as the future of networking, but Daniel Golding, a participant in the North American Network Operators' Group (NANOG), thinks it's a "solution in search of a problem". Many others have argued IPv6 is a problem in itself and that it is unlikely the protocol will gain wide acceptance in the short term.
IPv6 does solve many of the problems with the current version, IPv4 (Internet Protocol version 4). Its purpose is to expand address space and fix the IPv4 address depletion problem, which, many techies claim, was due to mismanagement. The industry's goal is to use the very large address allocation pool in IPv6 to expand the capabilities of the Internet to enable a variety of peer-to-peer and mobile applications, including cellular phone technology and home networking.
IPv6, a suite of protocols for the network layer, uses IPv4 gateways to interconnect IPv6 nodes and comes prepackaged with some popular operating systems. This includes almost all Unix flavors, some Windows versions and Mac OS. Some vendors offer upgrades to older operating systems. Trumpet Software International in Tasmania, Australia, manufactures a Trumpet Winsock version that upgrades old Windows 95/98 and NT systems to the current IPv6 standard.
IPv6 has suffered bad press over privacy issues. Jim Fleming, the inventor of IPv8, a competing protocol, sees many hazards and privacy flaws in existing IPv6 implementations. IPv6 address space in some cases uses an ID (identifier) derived from your hardware or phone "that allows your packets to be traced back to your PC or cell-phone", said Fleming. Potential abuse of user privacy exists, as a hardware ID wired into the IPv6 protocol can be used to determine the manufacturer, make and model number, and value of the hardware equipment being used. Fleming warns users to think twice before they buy themselves a used laptop computer and inherit all the prior surfing history of the previous user!
IPv6 uses 128 bits to provide addressing, routing, and identification information on a computer interface or network card. The 128 bits are divided into the left 64 and the right 64. Some IPv6 systems use the right 64 bits to store an IEEE-defined global identifier (EUI-64). This identifier is composed of a company ID value assigned to a manufacturer by the IEEE Registration Authority. The 64-bit identifier is a concatenation of the 24-bit company identification value and a 40-bit extension identifier assigned by the organization with that company identification assignment. The 48-bit MAC address of your network interface card may also be used to make up the EUI-64.
In the early stages of IPv6 development, Bill Frezza, a General Partner with the venture capital firm Adams Capital Management, warned software developers that if privacy issues are not properly addressed, the migration to IPv6 "will blow up in their face"! Leah Gallegos agrees that while "expanding the address space is necessary the use of the address for ID and tracking is horrific". Gallegos, the operator of the top-level domain .BIZ and a Director of the Top Level Domain Association, cautions network administrators that they should refuse to implement IPv6 unless these issues are properly addressed.
Privacy concerns prompted the creation of new standards, which provide privacy extensions to IPv6 devices. Thomas Narten and Track Draves of Microsoft Research published a procedure to ensure the privacy of IPv6 users. Narten, IBM's technical lead on IPv6 and an Area Director for the Internet Engineering Task Force (IETF), agrees that an "IPv6 address can, in some cases, include an identifier derived from a hardware address". But Narten points out that a hardware address is not required. "In cases where using a permanent identifier is a problem", said Narten, "RFC 3041 addresses should be used".
RFC 3041, titled "Privacy Extensions for Stateless Address Autoconfiguration in IPv6", was published this past January 2001 by the IETF. It is an algorithm developed jointly by Narten and Draves which generates randomized interface identifiers and temporary addresses during a user session. This would eliminate the concerns privacy advocates have with IPv6.
Unfortunately RFC 3041 is not widely implemented. But Narten expects major vendors to incorporate his privacy standard and offered that Microsoft has implemented privacy extensions "and apparently intends to make it part of their standard stuff". Narten also assisted in the drafting of recommendations for some second and third generation cellular phones, recently approved for publication by the Internet Engineering Steering Group. That document recommends that RFC 3041 be implemented as part of cellular phone technology, but he did not know what direction cell phone manufacturers were taking. "I suspect that client vendors will generally implement it because of the potential bad PR if they don't", said Narten.
Another obstacle raised by NANOG operators is that there is currently no commercial demand for IPv6 at this time. Dave Israel, a Data Network Engineer and regular participant on NANOG lists, sees no immediate demand for IPv6 services. "The only people who ask me about IPv6", said Israel, "are people who have heard something about it from some tech-magazine and want the newest thing". Israel says he sees no commercial demand for a v6 backbone.
Daniel Golding, another NANOG participant, agrees: "v6 deployment is being encouraged by some countries, and the spread of 3G (cellular technology) is helping things along, but we have yet to see really widespread v6 deployments anywhere". Golding sees major backbone networks deploying IPv6 when it makes economic sense for them to do so. "Right now", said Golding, "there is no demand and no revenue upside. I don't expect this to change in the near future".
Most on NANOG agree the roadblock seems to be a lack of ISPs that offer IPv6 services. Stephen Sprunk, a Network Design Consultant with Cisco's Advanced Services group, sees the "greater adoption of always-on broadband access will be the necessary push" to get IPv6 off the ground. "Enterprise networks will not be the driver for ISPs to go to IPv6", said Sprunk, and "NAT is too entrenched". Network Address Translation (NAT) is a method of connecting multiple computers to the Internet (or any other IP network) using one IPv4 address.
Vint Cerf, senior vice president of architecture & technology at WorldCom, has been using IPv6 for about four years. IPv6 has been a key element for some of WorldCom's Government customers. Cerf thinks IPv6 supporters have a lot of work ahead to achieve successful deployment of the protocol. He expects "that over the next several years we will see a lot of consumer devices set up to work with IPv6" and "cell phones are likely candidates, as are radio-enabled PDAs".
-EOF
The dot.GOD Registry, Limited http://www.dot-god.com/
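As an added example (not code from the article or from anyone in this thread), the Python below builds the EUI-64 interface identifier the article describes from a MAC address, checks whether an IPv6 address embeds such an identifier (the tracking concern Fleming raises, since the first three bytes are the IEEE-assigned manufacturer OUI), and generates an RFC 3041 temporary identifier in its place. The MAC address and the 2001:db8::/32 documentation prefix are constructed sample values.

```python
"""Modified EUI-64 interface identifiers versus RFC 3041 temporary ones.

Added example, not from the article or the NANOG thread.  Sample MAC and
prefix below are constructed values, not taken from any real host."""
import hashlib
import ipaddress
import os
from typing import Optional, Tuple


def mac_to_modified_eui64(mac: str) -> bytes:
    """MAC-48 -> modified EUI-64 interface identifier (RFC 2373 appendix A).

    The 24-bit OUI and 24-bit extension are split, 0xFFFE is inserted between
    them, and the universal/local bit (0x02 of the first byte) is inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with a 64-bit interface identifier, SLAAC style."""
    if "/" not in prefix:
        prefix += "/64"
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def embedded_mac(address: str) -> Optional[str]:
    """Return the MAC an IPv6 address appears to carry, or None.

    The 0xFFFE filler in the middle of the low 64 bits is the tell-tale of an
    EUI-64 identifier; undoing the u/l-bit flip recovers the MAC, whose first
    three bytes are the manufacturer's OUI.  Use it to audit your own hosts."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def rfc3041_temporary_iid(hw_iid: bytes,
                          history: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One iteration of the RFC 3041 section 3.2.1 algorithm.

    history: 64-bit value kept from the previous run (random on first use).
    Returns (new_interface_identifier, next_history)."""
    if history is None:
        history = os.urandom(8)  # first use: start from a random value
    digest = hashlib.md5(history + hw_iid).digest()
    iid = bytearray(digest[:8])      # leftmost 64 bits become the identifier
    iid[0] &= 0xFD                   # clear bit 6 (u/l): locally significant
    return bytes(iid), digest[8:]    # rightmost 64 bits are the next history


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"        # constructed sample MAC address
    prefix = "2001:db8:1:2::/64"     # RFC 3849 documentation prefix
    hw_iid = mac_to_modified_eui64(mac)
    stable = slaac_address(prefix, hw_iid)
    print("EUI-64 derived address:", stable, "embeds MAC", embedded_mac(stable))
    history = None
    for _ in range(3):               # each run yields a fresh temporary address
        tmp_iid, history = rfc3041_temporary_iid(hw_iid, history)
        tmp = slaac_address(prefix, tmp_iid)
        print("RFC 3041 temporary    :", tmp, "embeds MAC", embedded_mac(tmp))
```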
Joe Baptista wrote:
Thanks to everyone who helped out. But you didn't actually read now, did you? Oh well, you are a reporter; nobody can blame you for doing work ;) But to pull some things straight:
" IPv6, a suite of protocols for the network layer, uses IPv4 gateways to interconnect IPv6 nodes and comes prepackaged with some popular operating systems. "
Cool, so *NATIVE* IPv6 doesn't exist? Many transitional techniques use intermediate IPv4 hops to connect IPv6 islands, that doesn't mean everything uses it.
http://unfix.org/projects/ipv6/IPv6andIPv4.gif
"IPv6 has suffered bad press over privacy issues. Jim Fleming, the inventor of IPv8, a competing protocol, sees many hazards and privacy flaws in existing IPv6 implementations."
Competing? There is <yell>no such thing as Jim Fleming's IPv8</yell> There is IPv8* but that is PIP (The P Internet Protocol) which is *NOT* the thing Mr. Fla^Heming is spamming about all the time. * = http://www.iana.org/assignments/version-numbers Maybe Mr. Fleming could write up a draft of his 'standard' sometime? I could start shouting that you are bad and that Man.v2 is much better now does that help anywhere?
And one can easily change his/her local EUI so where's the problem there? One also mostly comes from the same /48 so where is the problem.
"Another obstacle raised by NANOG operators is that there is currently no commercial demand for IPv6 at this time."
Which is true in the .US and mostly true in Europe, but in Asia there is demand and IPv6 is happening. And that America is lagging behind ah well ;)
Next time when you ask things, use them in your articles...
Greets, Jeroen
This is scarcely the first time that a "reporter" has taken quotes from NANOG and spliced them together into a news story. Analysts do it too. I guess one of the weaknesses of this kind of forum is that the kooks (Jim Fleming) come off looking as credible as those who have a clue (like Stephen Sprunk or Dave Israel in this case). Now, please pardon me while I write "do not talk to reporters" on the blackboard, 500 times. - Daniel Golding
The sad part is that absolutely clueless articles like this one get wider distribution than they deserve, and it takes even more travel and face time to refute the nonsense. In most cases it is hard to tell if the author is really as clueless as the resulting article would lead you to believe, or if they intentionally put in garbage to create an artificial sense of controversy which might lead to even greater distribution. Tony
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Daniel Golding Sent: Thursday, September 12, 2002 10:13 AM To: Jeroen Massar; 'Joe Baptista'; 'NANOG' Subject: RE: Overcoming IPv6 Security Threat
This is scarcely the first time that a "reporter" has taken quotes from NANOG and spliced them together into a news story. Analysts do it too. I guess one of the weaknesses of this kind of forum is that the kooks (Jim Fleming) come off looking as credible as those who have a clue (like Stephen Sprunk or Dave Israel in this case).
Now, please pardon me while I write "do not talk to reporters" on the blackboard, 500 times.
- Daniel Golding
On September 12, 2002 07:31 pm, Tony Hain wrote:
The sad part is that absolutely clueless articles like this one get wider distribution than they deserve, and it takes even more travel and face time to refute the nonsense. In most cases it is hard to tell if the author is really as clueless as the resulting article would lead you to believe, or if they intentionally put in garbage to create an artificial sense of controversy which might lead to even greater distribution.
Allow me to remove any doubt. http://www.kkc.net/baptista/
I strongly suggest you just quietly ignore Mr. Baptista. I can assure you that this is my last post on the subject no matter how he tries to bait me. It's the only technique that works with him.
--
D'Arcy J.M. Cain <darcy@{druid|vex}.net> | Democracy is three wolves
http://www.druid.net/darcy/ | and a sheep voting on
+1 416 425 1212 (DoD#0082) (eNTP) | what's for dinner.
On Thu, 12 Sep 2002, D'Arcy J.M. Cain wrote:
I strongly suggest you just quietly ignore Mr. Baptista. I can assure you that this is my last post on the subject no matter how he tries to bait me. It's the only technique that works with him.
Poor D'Arcy - still bitter I see ;) But that's a substandard reference. Major Tom and Uncle Joe are still the best of friends - sort of anyway. Only five years ago Major Tom helped me liberate some $10,000 worth of hydroponic marijuana grow equipment from the Adult SuperStore - a front for the outlaw biker community operated by Mark Savary. The story was a plant. Never believe what you read in old rags.
Let us not forget my major accomplishments - the destruction of the freedom of information system in Ontario (which you complained so much about) - which see; I warned the public http://web.elastic.org/~fche/mirrors/old-usenet/baptista and then I crashed it http://www.ipc.on.ca/english/orders/orders-m/m-618.HTM and then there was the day I liberated Wired Magazine of over $100,000 USG, which see http://www.kkc.net/eye/nv940331.htm
And then there was the most famous event of them all. Unfortunately I can't mention names because of the court order of Judge Brown. Pity what happens when governments cover up the sexual exploitation of minors by senior government officials. http://www.brentpayton.com/canada/Toronto%20Police%20Chief%20Sues%20for%20Li...
And then there was .... I can go on at length but I think it's best to say that I've had a good time in life. So try not to be bitter D'Arcy or you'll end up aging like those failed drag queens - and those high heels are not your style ;) http://www.google.ca/search?hl=en&ie=ISO-8859-1&q=D%27Arcy+Cain+Baptista&meta=
I've been labeled so many times and have used it to my advantage. Which is why I never really pay much attention when people make claims like they do against Fleming. In the old days reporting was about investigating the truth - not paying attention to libel and slander. Nowadays I find reporters are basically PR queens on a budget. And that's why I got back into the business. I've complained so much about inaccurate reporting that I finally decided to do something about it. You should get active too.
cheers joe
This is scarcely the first time that a "reporter" has taken quotes from NANOG and spliced them together into a news story. Analysts do it too. I guess one of the weaknesses of this kind of forum is that the kooks (Jim Fleming) come off looking as credible as those who have a clue (like Stephen Sprunk or Dave Israel in this case).
Since when do we call kooks "reporters"? http://www.kkc.net/baptista/
On Thu, 12 Sep 2002, Jeroen Massar wrote:
Joe Baptista wrote:
Thanks to everyone who helped out. But you didn't actually read now did you? Oh well you are a reporter nobody can blame you for doing work ;) But to pull some things straight:
" IPv6, a suite of protocols for the network layer, uses IPv4 gateways to interconnect IPv6 nodes and comes prepackaged with some popular operating systems. "
Cool, so *NATIVE* IPv6 doesn't exist? Many transitional techniques use intermediate IPv4 hops to connect IPv6 islands, that doesn't mean everything uses it.
I'm sure it does - but I'll be damned if I can find it. I have managed to connect to the 6to4. Would love to connect direct to the 6bone - but have yet to find a means to do it without some IPv4 connectivity.
"IPv6 has suffered bad press over privacy issues. Jim Fleming, the inventor of IPv8, a competing protocol, sees many hazards and privacy flaws in existing IPv6 implementations."
Competing? There is <yell>no such thing as Jim Fleming's IPv8</yell> There is IPv8* but that is PIP (The P Internet Protocol) which is *NOT* the thing Mr. Fla^Heming is spamming about all the time. * = http://www.iana.org/assignments/version-numbers Maybe Mr. Fleming could write up a draft of his 'standard' sometime? I could start shouting that you are bad and that Man.v2 is much better now does that help anywhere?
I've heard a lot about Fleming and have seen a lot of his posts. I have heard he's a kook from a lot of people but I don't pay much attention to that. So far on the technical end I've had no issue with his claims. And let's not forget - years ago I was also called a net kook - now my name is whispered at various conferences much like priests would speak badly of the creator with claims I'm the most dangerous man in communications. I assume that's a step up when laughter turns to tears ;) Once I'm finished testing IPv6 I do plan to try IPv8 (a la Fleming) and once and for all determine if he's actually real - or just a figment of our collective deranged imaginations. I did ask Vint if he felt IPv8 was workable. He didn't know. Fleming has made a lot of claims respecting Vint - which he was in my opinion unable to prove when I asked for supporting evidence. But those claims are mainly personal issues between them. But when I published the article Vint announced for the first time that IPv8 existed but they decided instead on IPv6. It's a confusing issue at best but one I'll be looking into.
From what I can see IPv8 is IPv6. I still have not figured out what the difference is between these two beasts. Fleming claims IPv8 will work on IPv6 technology.
And one can easily change his/her local EUI so where's the problem there? One also mostly comes from the same /48 so where is the problem.
I know this - but many users don't and that's where the privacy issue begins and ends. I am encouraged by, I think, RFC 3041, which seems to address the problem.
"Another obstacle raised by NANOG operators is that there is currently no commercial demand for IPv6 at this time."
Which is true in the .US and mostly true in Europe, but in Asia there is demand and IPv6 is happening. And that America is lagging behind ah well ;)
Correct, and that's mainly in 3G, which Vint addressed.
By the way - very nice site. www.unfix.org - I didn't know PuTTY had IPv6 support - so I'm looking forward to testing it. Already have my 6to4 up in Amsterdam and hope to have another node in Toronto or California next month so the PuTTY program will be useful. It gets boring just playing with ping6.
By the way, is there any reason why developers have not yet integrated IPv6 into the standard ping program or traceroute? It's a bit of a bother having to ping sites using different programs depending on the protocol. I assume PuTTY handles both IPv4 and IPv6 - or is there a separate PuTTY IPv6 program?
regards joe baptista
By the way, is there any reason why developers have not yet integrated IPv6 into the standard ping program or traceroute? It's a bit of a bother having to ping sites using different programs depending on the protocol. I assume PuTTY handles both IPv4 and IPv6 - or is there a separate PuTTY IPv6 program?
Read The Source Code. Alex
No fair, I dropped some posts to that discussion, I want my credits too! :)
On Thu, 12 Sep 2002, Joe Baptista wrote:
Thanks to everyone who helped out.
cheers joe baptista
Participants (8): alex@yuriev.com, bdragon@gweep.net, D'Arcy J.M. Cain, Daniel Golding, Jeroen Massar, Joe Baptista, Stephen J. Wilcox, Tony Hain