Comments on ipSpace.net: IPv6 myths

Thanks for the list. I like the "you can have...

2010-03-16T19:58:28.000+01:00

Thanks for the list. I like the "you can have 'babe' and 'b00b' in your IP address" part ;) He forgot to mention you there's also 'c0ffee' (if you need it) and 'beef' (if you're really hungry) :-D

Another short list :-) http://www.ismyipv6working...

2010-03-16T18:34:18.000+01:00

Another short list :-)

http://www.ismyipv6working.com/the_truth/

I would love to hear where you've found the bi...

2010-03-16T18:21:28.000+01:00

I would love to hear where you've found the bias. Also, in polite societies (and blogs) people tend to introduce themselves before judging other people's work.

Very biased article. Many assumptions are made wit...

2010-03-16T16:22:41.000+01:00

Very biased article.
Many assumptions are made without thinking that the way the Internet works has changed and will change in future.

Where were you during the last 3 weeks, I've b...

2010-03-16T07:11:59.000+01:00

Where were you during the last 3 weeks, I've been waiting for you ;) Somehow I've managed to stumble across that one as well; it's included in the more detailed article:

http://blog.ioshints.info/2010/03/more-details-seven-ipv6-myths.html

What about mobility?!

2010-03-15T14:47:48.000+01:00

What about mobility?!

Flow label is only useful if you do per-flow QoS, ...

2010-03-06T09:46:08.000+01:00

Flow label is only useful if you do per-flow QoS, which is not scalable at the line speeds we have today (it could have been useful at T1/E1 and below).

It all depends on how it is presented or when that...

2010-03-05T17:00:06.000+01:00

It all depends on how it is presented or when that pitch was made (e.g. - QoS. Yes, today QoS is 99% identical between IPv4 and IPv6 (the other 1% has to due with a better chance of uniquely identifying the true SRC and DST, which is a Good Thing). However, moving forward, that Flow Label (not useful today) may make QoS much better ... while routing table bloat was semi-solved through Forced Aggregation, but now PI space has undone that (but 'solved' multi-homing, for now).)

Major bonus points for "Anyone who thinks NAT is a security feature deserves to become part of a botnet." :)

/TJ

99% of NAT on earth is Dynamic NAT. that's wha...

2010-03-04T11:53:22.000+01:00

99% of NAT on earth is Dynamic NAT. that's what i was talking about. and you say it provides some degree of security. Ok, so we agree. You can join the botnet.

@Jan Zorz: Both IPv4 and IPv6 provide an 8-bit fie...

2010-03-02T17:40:34.000+01:00

@Jan Zorz: Both IPv4 and IPv6 provide an 8-bit field dedicated for QoS marking. Use of this field in either protocol is completely optional. See http://tools.ietf.org/html/rfc2460#section-7

IVAN I agree with all the myths except LISP and n...

2010-02-27T07:04:47.000+01:00

IVAN

I agree with all the myths except LISP and not able to understand what exactly the problem is? I think more discussion and debate on LISP will get some fruitful results. O:-)

@Ole: I prefer IPv6 statefull fireewalls instead o...

2010-02-26T22:12:45.000+01:00

@Ole: I prefer IPv6 statefull fireewalls instead of NAT. Which solution breaks end2end more?

@Ivan: Agree with most of the explanations except:

IPv6 has better quality of service - that's standard in the header, not just recomandation as in v4.

IPv6 has better security - partially agree - in v4 ipsec is in userspace, in v6 in stack. Huge difference.

Overall I agree with Ivan. I specially like the last myth. The last myth to break remains ICMP role in networks - in general. That's hard to understand for some people, specially ones coming strictly from v4 world :)

Jan

What about enhanced Multicast? I think it's g...

2010-02-26T22:05:36.000+01:00

What about enhanced Multicast?

I think it's great on a site-local level, it's gonna be huge on a global level.

"Anyone who thinks NAT is a security feature ...

2010-02-26T18:34:25.000+01:00

"Anyone who thinks NAT is a security feature deserves to become part of a botnet."

I love it!

For those who aren't getting it: NAT by itself does not provide security. Dynamic NAT (aka PAT, aka overloaded NAT, aka multiplexing multiple conversations onto a single layer 3 address using layer 4 port translations) provides some degree of security because it has the side effect of creating state. You will need to run a simple stateful firewall in front of IPv6 clients to get the same effect. This is not a hard problem. Stateful firewalls have no place in front of servers in the first place; owners of IPv6 server farms will need to ensure that their vendor supports stateless ACLs in hardware for IPv6 just like they do for IPv4.

1) adding a stateful FW in low-end CPEs probably m...

2010-02-26T14:03:07.000+01:00

1) adding a stateful FW in low-end CPEs probably means more bugs for the end user :)

2) vulnerable how exactly? what can the attacker inject from the outside besides packets from the UDP flow?

note that you add a condition "as soon as ...". With ipv6, no condition required, I can send all the bad packets I want to my target since its address is public.

i don't think the way we learn the ipv6 addres...

2010-02-26T13:54:59.000+01:00

i don't think the way we learn the ipv6 address of the host matters... it could be via bittorrent, webserver logs, whatever... your discussion is about ipv6 vs ipv4, not about browser vulns vs os/apps vulns, right?

I'm trying to come up with an argument against...

2010-02-26T13:52:15.000+01:00

I'm trying to come up with an argument against a firewall by default. That breaks the end to end model, and would make deploying new applications almost as hard with IPv6 as it is with IPv4.

Modern hosts have grown up in the jungle, and my laptop I take around with me anywhere. Certainly to unprotected networks. What value does that firewall give me anyway? Most of the 'security' issues in the home aren't things which are caught by a firewall anyway.

If you are concerned about simpler devices like printers and sensors; one could give them only a ULA address and virtually keep them off the big bad Internet.

BTW, to answer your original question: * statefu...

2010-02-26T13:44:04.000+01:00

BTW, to answer your original question:

* stateful FW (or at least a reasonable ACL) will have to become a default configuration of low-end ($2.99 ;) CPE routers.
* consumer NAT (not the Cisco IOS implementation) makes inside host vulnerable as soon as it opens an outbound session (at least on UDP).

And how would you know the IPv6 address of the hos...

2010-02-26T13:39:57.000+01:00

And how would you know the IPv6 address of the host? If you've gleaned it from web server logs, it's (recently) way easier to download malware through the browser than through OS vulnerability.

I assume we know the ipv6 address of the host behi...

2010-02-26T13:31:07.000+01:00

I assume we know the ipv6 address of the host behind the CPE. I agree that scanning an ipv6 subnet is more pain than scanning an ipv4 subnet.

And how long would it take you to scan 2^64 addres...

2010-02-26T12:42:19.000+01:00

And how long would it take you to scan 2^64 addresses?

И таки нат хоть и небольшая, но подпорка к секьюри...

2010-02-26T12:17:33.000+01:00

И таки нат хоть и небольшая, но подпорка к секьюрити...

with no security config on the CPE (no port forwar...

2010-02-26T11:37:43.000+01:00

with no security config on the CPE (no port forwarding, no ACL, no FW, ...), it is easier to scan a public ipv6 address than a private ipv4 address (from the outside). therefore, NAT is more secure :) you can add me to your botnet now :)