nanog mailing list archives

Re: IPv6, IPSEC and deep packet inspection


From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Fri, 31 Dec 2004 23:22:46 +0100


On 31-dec-04, at 22:08, Stephen Sprunk wrote:

>> An IPv6 network is sufficiently different from IPv4 that I encourage
>> folks to not simply slap an IPv4 security model onto future IPv6
>> networks.

> The links, routers, switches, applications, admins, and budget are all the
> same, and layers 3 and 4 only have marginal differences.

The link behavior is radically different: broadcasts are out the window, there is stateless autoconfiguration, scoped addressing...

99% of the time this doesn't matter much, but the trouble with security is that 99% doesn't buy you anything. (Well, it buys you more than in IPv4 as the bad guys can't just scan for that 1%, but still...)

> If you expect
> people to treat IPv6 any differently than IPv4, you'll need to be very
> explicit in what the differences are (or can be) and what the benefits are
> to throwing out a decade or more of experience and retraining everyone.

The main thing you have to look out for is nastiness that can happen if an attacker has access to the subnet where your IPv6 hosts are, since then scanning is again an option and she can inject false router advertisements. Another thing everyone needs to be aware of is that when a host has IPv6 enabled, it will always have link local addresses, so anyone on the same subnet can connect to any services that are IPv6-ready EVEN THOUGH THE BOX DOESN'T HAVE A "REAL" IPV6 ADDRESS. And it's not uncommon for these services to be firewalled in IPv4 but not in IPv6, as packet filters typically only address one IP version.
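
The two points in the paragraph above, as an added example that is not part of the original post or of any real tool: first, the fe80::/64 link-local address a host forms from its MAC under stateless autoconfiguration (modified EUI-64), which exists as soon as IPv6 is enabled whether or not a "real" prefix ever arrives; second, an audit that compares what is listening on the IPv4 and IPv6 wildcard sockets against what the iptables and ip6tables rule sets actually drop, and reports the services that are filtered for IPv4 only. The `ss -Hltn` listener lines and the `iptables-save` style rules are constructed sample data, the filter parser understands only simple single-port DROP/REJECT rules on a default-ACCEPT INPUT chain, and function names are my own.

```python
import ipaddress
import re


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Link-local address a host derives from its MAC under stateless
    autoconfiguration (modified EUI-64, RFC 2464): fe80::/64 plus the MAC
    with ff:fe inserted in the middle and the universal/local bit flipped.
    The host carries this address the moment IPv6 is enabled, with or
    without a global prefix from a router advertisement."""
    octets = bytes(int(b, 16) for b in re.split(r"[:-]", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flip the universal/local bit
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid))


# `ss -Hltn` style line: "LISTEN recv-q send-q local-addr:port peer"
_LISTEN = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def on_link_listeners(ss_output: str) -> set:
    """Return {(family, port)} for listening TCP sockets reachable from the
    local link, i.e. bound to a wildcard or a non-loopback address.  A
    socket bound to [::] answers on the host's link-local address too."""
    reachable = set()
    for line in ss_output.splitlines():
        m = _LISTEN.match(line.strip())
        if not m:
            continue
        addr, port = m.group(1).strip("[]"), int(m.group(2))
        if addr == "*":  # older ss prints * for the IPv4 wildcard
            reachable.add((4, port))
            continue
        ip = ipaddress.ip_address(addr)
        if not ip.is_loopback:
            reachable.add((ip.version, port))
    return reachable


# iptables-save / ip6tables-save style rule, single TCP port, DROP or REJECT
_DROP = re.compile(r"-p\s+tcp\b.*--dport\s+(\d+)\b.*-j\s+(?:DROP|REJECT)")


def blocked_ports(rules: str) -> set:
    """TCP destination ports dropped or rejected by the given rule set
    (assumes a default-ACCEPT INPUT chain with explicit deny rules)."""
    return {int(m.group(1)) for m in map(_DROP.search, rules.splitlines()) if m}


def v6_only_exposure(ss_output: str, v4_rules: str, v6_rules: str) -> list:
    """Ports the box filters for IPv4 but leaves reachable over IPv6 on the
    link: listening on the v6 side, blocked by the v4 filter, and not
    blocked by the v6 filter."""
    v6_ports = {p for fam, p in on_link_listeners(ss_output) if fam == 6}
    return sorted((v6_ports & blocked_ports(v4_rules)) - blocked_ports(v6_rules))


# Constructed sample data: a dual-stack box with sshd, MySQL, Redis on
# loopback only, and an IPv4-only PostgreSQL listener.
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 50 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 50 [::]:3306 [::]:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*
"""
IPTABLES_SAMPLE = """\
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 5432 -j DROP
"""
IP6TABLES_NONE = ""  # the common state: no IPv6 filter at all
IP6TABLES_MIRRORED = IPTABLES_SAMPLE  # the fix: same rules in ip6tables

if __name__ == "__main__":
    print("link-local for 00:1b:21:3c:4d:5e:", eui64_link_local("00:1b:21:3c:4d:5e"))
    print("filtered in v4, open over v6 link-local:",
          v6_only_exposure(SS_SAMPLE, IPTABLES_SAMPLE, IP6TABLES_NONE))
    print("after mirroring the rules into ip6tables:",
          v6_only_exposure(SS_SAMPLE, IPTABLES_SAMPLE, IP6TABLES_MIRRORED))
```

With the sample data the audit reports port 3306 (MySQL answers on [::] and is dropped by iptables only) and nothing once the same DROP rules exist in ip6tables; port 5432 is not reported because it only listens on IPv4, and Redis is skipped because it is bound to loopback. Two caveats for real hosts: modern stacks often use random or RFC 7217 interface identifiers instead of EUI-64, which changes the address but not the fact that a link-local address is always present; and on Linux a socket bound to [::] also accepts IPv4 connections as mapped addresses unless IPV6_V6ONLY is set, so a v6-only listener is not necessarily invisible to IPv4 either.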
