misunderstanding scale

Timothy Morizot tmorizot at gmail.com
Mon Mar 24 01:25:35 UTC 2014


On Mar 23, 2014 7:54 PM, "Mike Hale" <eyeronic.design at gmail.com> wrote:
> "unless by few you simply mean a minority"
> Which I do.

Then that's fine. But there are numerous enterprises in that minority and
it includes some pretty large enterprises. My own enterprise organization
has more than 600 sites, 100k employees, and thousands of contractors.

> "appropriately mitigating the security risks shows the claim that
> there are security weaknesses in IPv6 preventing its adoption is
> false."
> No.  It doesn't.  It's not the sole reason, but it's a huge factor to
> consider.

Logic 101? If security-conscious enterprises have successfully implemented
IPv6 while mitigating the security risks, then there aren't any inherent
security weaknesses preventing its adoption by enterprises. A non-FUD
statement would be that we've assessed our infrastructure and preparedness
for IPv6 and aren't yet in a position where we can safely deploy IPv6. A
FUD statement is the assertion that there are inherent security weaknesses
in the protocol preventing enterprises from deploying it.

> There is because it doubles your attack surface at the very least.  At
> the worst, it increases it exponentially since suddenly all your
> internal devices (that were never configured to be public-facing) are
> suddenly accessible from everywhere.

It's an IPv6 world. Your attack surface has already expanded whether or not
you deploy IPv6. In fact, an enterprise makes itself more vulnerable to IPv6
attacks by refusing to deploy it than by securely enabling and controlling
the protocol.

And if an enterprise doesn't have firewalls in place, then their devices
are already accessible. NAT44 doesn't provide any meaningful security
protection. If you have firewalls with appropriate policies, then it's
silly to claim your internal devices are suddenly accessible from
everywhere. My organization is particularly strict at our perimeter.
Everything is default deny in both directions for both protocols and we
very carefully open holes. We also allow very little unproxied access to
the Internet. (DNS, SMTP, and HTTP/HTTPS being the most common services
provided in our Internet access points.)

> None of this isn't preventable, by the way.  There are a myriad of
> solutions that can and do mitigate these risks.  But to simply dismiss
> the security considerations is, I think, incredibly naïve and
> unrealistic.

Nowhere have I dismissed security considerations for either IPv4 or IPv6.
I've simply pointed out that it really isn't any harder to plan and manage
for v6 than for v4. And we currently live in a dual-protocol Internet.
Simply pretending that if you don't enable IPv6, you're somehow immune from
IPv6 threats is naive.

Scott
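A dual-stack perimeter policy of the kind described above (default deny in both directions for both protocols, with a few carefully opened, mostly proxied holes), written as an added example that is not part of this thread. It assumes Linux nftables on a gateway with interfaces named "inside" and "outside", internal prefixes 10.0.0.0/8 and 2001:db8::/32, and a proxy/mail relay host at 10.0.0.10 / 2001:db8::10; all of these names and addresses are constructed.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed: interfaces "inside"/"outside",
# inside prefixes 10.0.0.0/8 and 2001:db8::/32, proxy hosts 10.0.0.10 and
# 2001:db8::10. All addresses are constructed.
flush ruleset

# WEAK: a table in the "ip" family only ever matches IPv4. If hosts behind the
# gateway have IPv6 enabled (the default on most OSes), their v6 traffic is
# never examined by these rules, however strict the policy looks.
#   table ip filter {
#       chain forward { type filter hook forward priority 0; policy drop; ... }
#   }

# Corrected: the "inet" family evaluates the same rules for IPv4 and IPv6, so
# enabling IPv6 adds no second, unmanaged perimeter.
table inet perimeter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 is not optional: neighbour discovery and PMTUD need it (RFC 4890).
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, packet-too-big, time-exceeded, destination-unreachable, echo-request } accept
        icmp type { destination-unreachable, time-exceeded, echo-request } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny both ways
        ct state established,related accept
        ct state invalid drop
        # IPv6 routers never fragment, so packet-too-big must cross the perimeter.
        icmpv6 type { packet-too-big, time-exceeded, destination-unreachable } accept
        # Carefully opened holes, inside -> outside only, one rule per protocol.
        iifname "inside" oifname "outside" ip saddr 10.0.0.0/8 udp dport 53 accept
        iifname "inside" oifname "outside" ip6 saddr 2001:db8::/32 udp dport 53 accept
        # Unproxied HTTP/HTTPS/SMTP is limited to the proxy and mail relay host.
        iifname "inside" oifname "outside" ip saddr 10.0.0.10 tcp dport { 25, 80, 443 } accept
        iifname "inside" oifname "outside" ip6 saddr 2001:db8::10 tcp dport { 25, 80, 443 } accept
        # No outside -> inside rules: internal hosts stay unreachable in both
        # address families even though every one of them has a global v6 address.
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept
        udp dport 53 accept    # the gateway's own resolver lookups
    }
}
```

Load with `nft -f` and then compare `nft list ruleset` against what the hosts actually have configured: a host with a global IPv6 address and no matching v6 rule is exactly the "unmanaged protocol" case the post warns about.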
