Chris L. Morrow
christopher.morrow at verizonbusiness.com
Wed May 30 00:52:14 UTC 2007

On Tue, 29 May 2007, JORDI PALET MARTINEZ wrote:
> However, you can *always* turn on IPsec with IPv6, which is not always true
> for IPv4 (NATs, no end-to-end, etc.).

security is not JUST ipsec, and ipsec is not actually included in all
current ipv6 stacks :( (merike has some nice slides on this actually).
Security often is related to the applications using the stack, or the

While I agree that in principle ipv6 with ipsec is nice, I've yet to see
it work reliably in the field, and... it's never going to secure your
communications with yahoo.com (maybe not 'never' but not for a very long
time). So, having a sane discussion about 'security' and ipv6 ends up
being: "Hey, you have the same facilities and issues in ipv4, only the
stack is newer and slightly less baked, but if you have protections at
multiple layers you are on the right track."

> Also, port scanning is not "so simple", and while in IPv6 a /24 can be
> scanned in 5 minutes, a /64 takes 5.3 billion years, and of course, usually
> you will have a /48.

This assumes a single machine scanning, not a botnet of 1000 or even the
1.5m the dutch gov't collected 2 yrs ago. Again, a sane discussion is in
order. Scanning isn't AS EASY, but it certainly is still feasible,
especially if you can enumerate the targets with other methods first to
cut down on the random other scanning efforts.

> So for the time being, it can be considered a bit more difficult to do a
> brute force DoS. Of course, attackers will try some other means, that's why

what?? I can make packets in v6 just as fast as v4... how is it harder
exactly? Given a host connected to gigabit ethernet on a direct native v6
pipe ... packets get made at line-rate... such hosts do exist.