Re: Is this true?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Well I really would hope that if there were such an award that the
people awarding it would bother to review the actual presentation
rather than one journalists account of it.

In this case the speaker gives a heads up talk on IPv6 to DEFCON and
instead of thanking him you start accusing him of being ill informed
without bothering to read his presentation. So who is really the
uninformed party here? I did bother to read the slides and they are on
a par with more than a few IETF technical plenary talks I have sat
through.


I would also hope that the security of IPv6 is given rather more
serious review than 'someone is looking at it'. I find that less than
inspiring to be honest. The consensus IETF view of security is not
necessarily my view of security.

In particular, I do not care very much about the theoretical
equivalence of the protocols. Proof by analogy is a very dangerous
form of security argument. It has led to many security catastrophes.
So I would not accept the argument that IPv4=IPv6.

A real security specialist knows that even if IPv6 changes nothing in
principle, its use will exercise new code paths that have seen far
less use than their IPv4 equivalents. That in turn creates new
opportunities for the cracker. The security of a system is the
security of the system as implemented, and not according to the
theory.


The issue of exposing MAC addresses is a very important security
concern. It was not a security issue in OSI or Decnet Phase V because
they were dead as a parrot before the security issues could become
significant.

It is something I would hope that a speaker would raise in a security
talk. He does and he tells people to make sure they have the privacy
shield on so they are not exposing their MAC address - good advice.


The issue about firewalls is that a lot of appliances cannot cope with
IPv6 so they just bypass all IPv6 packets. This creates a real
security hole in many systems that can be exploited as a means of
firewall bypass.

I would imagine that the practical part of the talk involved attacking
actual firewalls that were not quite as IPv6 ready as the
manufacturers claimed. Back in the day more than a few firewalls have
shipped that fail open circuit when overloaded. So all that was
necessary to bypass the firewall was a flooding attack. And the same
is now true of many 'application firewall' products.



On Thu, Aug 26, 2010 at 6:36 PM, Dave Cridland <dave@xxxxxxxxxxxx> wrote:
> On Thu Aug 26 22:37:42 2010, Arnt Gulbrandsen wrote:
>>
>> It's true that someone said all that. It's probably true that the firewall
>> your boss bought in 2006 doesn't support IPv6. It's probably even true that
>> some people consider this a problem of IPv6 rather than of the firewall.
>>
>> The rest is all bullshit.
>>
>> Conferences with presentations should have a "most bullshit per minute"
>> prize, with some sort of plaque.
>
> Could we award it in the plenary, like the Postel Award?
>
> Only problem is who to name it after.
>
> Without being sued for defamation, I mean - there's no shortage of
> candidates.
>
> Dave.
> --
> Dave Cridland - mailto:dave@xxxxxxxxxxxx - xmpp:dwd@xxxxxxxxxxxxxxxxx
>  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
>  - http://dave.cridland.net/
> Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
>



-- 
Website: http://hallambaker.com/
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]