misunderstanding scale

Naslund, Steve SNaslund at medline.com
Mon Mar 24 03:07:19 UTC 2014


I am not sure I agree with the basic premise here. NAT or private addressing does not equal security.

A globally routable address does not necessarily mean globally accessible. Any enterprise that cares a whit about network security is going to have a firewall. If you are relying on NAT to protect hosts that have private addresses, then you are already in a world of hurt, so it won't matter much that IPv6 increases your attack surface because it is already pretty weak. In fact, the enterprises running v4 had better worry there first. They don't have to worry about the v6 stack too much because their network is not routing v6 yet, so they are only vulnerable within the network borders or subnets.

I think even residential users mostly know that a private address does not make you safe. The same tools that protect your v4 machine are still necessary to protect a v6 machine.

In fact, just because I have an IPv6 allocation does not mean I have to allow the world to route to them. There is no reason that a proxy cannot be used on the v6 space you have internally, and there is no reason I can't point an entire address range at the outside interface of my firewall. The only difference here is that my firewall no longer has to NAT addresses.

Thinking of NAT as a security mechanism is not viable for either address space.

An enterprise with a respectable firewall can easily choose to allow or disallow access to any range of addresses that they wish, so I don't see much difference between IPv6 and IPv4. I would think in most enterprise models you would have a group of addresses that can be reached from the outside world according to some policy (the DMZ or public NATs in the v4 world) and the remainder only have access outbound according to policy (your private space behind your NAT v4 addresses in that world). I don't see how v6 massively changes things for the enterprise, and the residential user can easily be protected behind a simple consumer firewall.

As far as printers being a more dangerous attack vector than computers, I definitely don't buy that argument. It does not change in v4 or v6. Assuming that both stacks are vulnerable to attack, I would be less worried about the printer because I am not aware of any of my printers running malware in v4. I think the PC platform, being much more complex and having many more interfaces for active programming like DLLs, Java, ActiveX, etc., is much more the threat. I personally have not seen a DDoS attack launched by printers (they may exist but I am not aware of them). If I were going to design an attack for a printer, I would think that data theft would be the most dangerous. I have wondered about multifunction printers emailing print data to someone, but I have never seen that yet.

Steven Naslund
Chicago IL



On Mar 23, 2014 8:44 PM, "Mike Hale" <eyeronic.design at gmail.com> wrote:
> "Your attack surface has already expanded whether or not you deploy IPv6."
> Not so.  If I don't enable IPv6 on my hosts, the attacker can yammer 
> away via IPv6 all day long with no result.
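The policy Steve describes (a DMZ range reachable from outside on published ports, everything else outbound only, no NAT at all) written as an nftables ruleset. This is an added illustration, not part of the original post; the interface names wan0/dmz0/lan0 and the 2001:db8::/32 documentation prefixes are assumed.

```nft
# Added example (not from the original post). Assumed topology: wan0 faces the
# ISP, dmz0 holds public-facing servers in 2001:db8:1::/64, lan0 holds internal
# hosts in 2001:db8:2::/64 (RFC 3849 documentation prefixes). Every host has a
# globally routable address; nothing is translated. Load with: nft -f <file>
flush ruleset

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Neighbor discovery and PMTU signalling must keep working on the firewall itself
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit,
                      nd-router-advert, packet-too-big, time-exceeded,
                      destination-unreachable, parameter-problem } accept
        # Firewall management only from the internal segment
        iifname "lan0" ip6 saddr 2001:db8:2::/64 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 errors needed for path MTU discovery across the firewall
        icmpv6 type { packet-too-big, time-exceeded, destination-unreachable,
                      parameter-problem } accept
        # DMZ: the "public" range, reachable from anywhere on published ports only
        iifname "wan0" oifname "dmz0" ip6 daddr 2001:db8:1::/64 tcp dport { 80, 443 } accept
        # Internal hosts: outbound only, the same posture as private space behind v4 NAT
        iifname "lan0" oifname "wan0" ip6 saddr 2001:db8:2::/64 accept
        iifname "lan0" oifname "dmz0" ip6 saddr 2001:db8:2::/64 accept
        # No rule permits wan0 -> lan0, so a globally routable internal address is
        # still not globally reachable; the default drop, not NAT, is the control
    }
}
```

Unsolicited traffic toward 2001:db8:2::/64 from wan0 falls through to the chain's drop policy, while the DMZ exposure is an explicit, auditable rule rather than a side effect of port mapping.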



