OMB: IPv6 by June 2008

Fri Jul 1 15:56:27 UTC 2005

On Fri, 1 Jul 2005, Mohacsi Janos wrote:

>
>
>
>
> On Fri, 1 Jul 2005, Christopher L. Morrow wrote:
>
> >
> > On Fri, 1 Jul 2005, Mohacsi Janos wrote:
> >>>
> >>> This keeps coming up in each discussion about v6, 'what security measures'
> >>> is never really defined in any real sense. As near as I can tell it's
> >>> level of 'security' is no better (and probably worse at the outset, for
> >>> the implementations not the protocol itself)  than v4. I could be wrong,
> >>> but I'm just not seeing any 'inherent security' in v6, and selling it that
> >>> way is just a bad plan.
> >>>
> >>
> >> Just name a few:
> >> - Possibility to end-to-end IPSec.
> >
> > exists in v4
>
> Not exactly. Try to setup IPSec nodes behind NAT boxes. IPSec is speaking
> about possibility of e2e security.

this changes how in v6+nat?

>
> >
> >> - Not feasible scanning of subnets remotely
> >
> > eh... maybe, I'm not convinced this matters anyway.
> >
> >> - Privacy enhanced addresses - not tracking usage based on addresses
> >
> > dhcp can do this for you (v4 has mechanisms for this)
>
> DHCP does not provide privacy, just address management. Can you
> communicate on IPv4 the following way?: - different service - different
> source IP address?
>

yes. look at bitchx, or ssh ... corner cases to be sure, but still
feasible. (or simple example: vhosted webserver) As to dhcp, it can
provide the address privacy you seek, just use very short leases. (yes,
it's messy, but it'd work mostly)

> >
> >> - Better ingress filtering
> >>
> >
> > right... because gear that filters so well in v4-land will filter so much
> > better in v6-land? you == crazy.
>
> No because your address space not scattered in IPv6. Try to setup ingress
> filtering in IPv4 if you have a network that was setup several disjoint
> /24 and /26s. This is not exceptional in some cases, after mergers, two
> sites joined etc. With IPv6 you can re-engineer your network!
>

that'd be fine if filtering worked reliably... I'd be that ingress
filtering (or egress filtering) will eventually be as 'easy' in v6 as it
is in v4. I'd say that for now, with the wierd multi-homing setup in v6
it's even harder initially...

> Anyway you have to wash you mouth.
>
>
> +
>
> Have you tried to find out in a IPv4 NAT environment where the virus/worm
> flood is coming? - Most of the situation it is coming from the NAT box -

actually that's kind of my daily job... it seems to work fine for me so
far.

> not because NAT box was infected, but because nodes behind NAT was
> infected. Most of the cases admins of the networks behind NAT boxes not
> knowledgeable enough where to look in this cases. So IPv6 can improve e2e
> accountability that is part of the security.
>

because it removes the 'requirement' for NAT? or in some other magical
way? If you look/listen to the users of NAT, a large proportion of them
will continue to use NAT in v6 (or have stated they will)... I'm not sure
your above arguement is as valid as you'd like it to be :(

> >
> >
> > All those objections aside, I'd love to see v6 more fully deployed. I'm
> > not sure I see how it's going to get beyond 'research' or 'play' land,
> > except for some small cases, for quite some time. It's interesting that
> > the flood gates on ip space are openning at IANA though, that should
> > hasten the v6 takeup/deployment :)
>
> This will be be fall of MCI....

this and the 11B fraud and the crooked execs and what else?  I'm not sure
why v6 will be anymore of a fall for mci then any of the previously
mentioned locusts-o-doom.... but predict away, it's fun and we add these
to our office pool :)