NIST IPv6 document
William Allen Simpson
william.allen.simpson at gmail.com
Thu Jan 6 14:47:58 CST 2011
On 1/6/11 1:47 AM, Paul Ferguson wrote:
> As someone who has been immersed in security for many years now, and having
> previously been very intimately involved in the network ops community for
> equally many years, I have to agree with Roland here. Just because a lot of
> smart people have worked on IPv6 for many years does not mean that the
> security issues have been equally well thought out.
> This is not meant as a slight to anyone -- just a realization of looking at
> security from a real-world perspective. It seems to always have to get
> "bolted on" as an afterthought, instead of baked-in from the beginning.
I've not read everything in this thread yet. So, this may have already
been mentioned. But Security *was* baked-in from the beginning of IPv6.
IT WAS TAKEN OUT!
I was one of the original IPng PIPE->SIP->SIPP->IPv6 designers. We knew
about *all* of these problems mentioned thus far in this thread.
IPsec was originally designed for SIP->SIPP->IPv6, and I back-ported it to
IPv4 after IPv6 was hijacked by committee.
As to Neighbor Discovery, the original specifications eliminated ARP, DHCP,
and OSPF, *and* routers knew all hosts on the local net, *and* both hosts
and routers automatically renumbered. Everything that folks have asked for
Google tells me that draft-ietf-sip-discovery-03.txt is still on-line.
I've not found my -04, -05, or -06 on-line, so I've occasionally been
looking through old backups lately as time allows. Sadly, those systems
are long dead, and finding actual systems to read my old data makes the
recovery process rather slow.
Anyway, don't blame the original designers. We knew what we were doing!
Blame the vendors (and their lackeys) that had vested interests in making
IPv6 into IPv4 with bigger addresses, and *removing* security.
More information about the NANOG