nanog mailing list archives
Re: IPv6, IPSEC and deep packet inspection
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Fri, 31 Dec 2004 23:22:46 +0100
On 31-dec-04, at 22:08, Stephen Sprunk wrote:
>> An IPv6 network is sufficiently different from IPv4 that I encourage folks to not simply slap an IPv4 security model onto future IPv6 networks.
> The links, routers, switches, applications, admins, and budget are all the same, and layers 3 and 4 only have marginal differences.
The link behavior is radically different: broadcasts are out the window, there is stateless autoconfiguration, scoped addressing...
99% of the time this doesn't matter much, but the trouble with security is that 99% doesn't buy you anything. (Well, it buys you more than in IPv4 as the bad guys can't just scan for that 1%, but still...)
> If you expect people to treat IPv6 any differently than IPv4, you'll need to be very explicit in what the differences are (or can be) and what the benefits are to throwing out a decade or more of experience and retraining everyone.
The main thing you have to look out for is nastiness that can happen if an attacker has access to the subnet where your IPv6 hosts are, since then scanning is again an option and she can inject false router advertisements. Another thing everyone needs to be aware of is that when a host has IPv6 enabled, it will always have link local addresses so anyone on the same subnet can connect to any services that are IPv6-ready EVEN THOUGH THE BOX DOESN'T HAVE A "REAL" IPV6 ADDRESS. And it's not uncommon for these services to be firewalled in IPv4 but not in IPv6 as packet filters typically only address one IP version.
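An audit for that last point (services listening over IPv6, including on link-local addresses, that only the IPv4 packet filter covers), as an added example that is not part of this thread. The sample `ss -ltn` output and the per-family sets of filtered TCP ports are constructed assumptions for the example.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltn` output on a Linux host (assumption:
# columns are State Recv-Q Send-Q Local:Port Peer:Port).
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 50 *:5432 *:*
LISTEN 0 64 [fe80::1%eth0]:8080 [::]:*
"""
# Constructed policy: TCP ports each address family's packet filter restricts.
V4_FILTERED = {22, 80, 5432}   # e.g. iptables rules exist for these
V6_FILTERED = {22}             # e.g. ip6tables only ever got the ssh rule

LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")

def parse_listeners(ss_text):
    """Map port -> families ('v4'/'v6') reachable from the network; loopback binds dropped."""
    exposure = {}
    for line in ss_text.splitlines():
        fields = line.split()
        m = LOCAL_RE.match(fields[3]) if len(fields) >= 4 else None
        if not m:
            continue
        port, fams = int(m.group("port")), set()
        if m.group("v6") is not None:
            addr = ipaddress.ip_address(m.group("v6").split("%")[0])  # drop zone id
            if addr.is_unspecified:
                fams |= {"v4", "v6"}   # [::] is dual-stack on Linux unless bindv6only=1
            elif not addr.is_loopback:
                fams.add("v6")         # includes link-local fe80::/10 binds
        elif m.group("v4") == "*":
            fams |= {"v4", "v6"}       # some ss versions print '*' for a dual-stack wildcard
        elif not ipaddress.ip_address(m.group("v4")).is_loopback:
            fams.add("v4")
        if fams:
            exposure.setdefault(port, set()).update(fams)
    return exposure

def ipv6_filter_gaps(exposure, v4_filtered, v6_filtered):
    """Ports reachable over IPv6 whose IPv6 filtering lags the IPv4 rules."""
    v6_ports = {p for p, fams in exposure.items() if "v6" in fams}
    return {
        "v4_only_filtered": sorted(v6_ports & (v4_filtered - v6_filtered)),
        "unfiltered_v6": sorted(v6_ports - v6_filtered - v4_filtered),
    }
```

On a real host, feed it the live `ss -H -ltn` output and the port sets extracted from the iptables and ip6tables rule listings; every port in `v4_only_filtered` is the "firewalled in IPv4 but not in IPv6" case from the message above.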