Re: [Full-disclosure] IPv6 security myths

I'm not a security guru, and will step aside instantly if someone with those credentials says I'm wrong. However, from my perspective, the assertion that IPv6 had any security properties that differed from IPv4 *at*all* has never made any sense. It is essentially a marketing claim, and - well, we all have marketing departments.

From my perspective - this is what I am saying in the Smart Grid world and related places - security is a matter of reducing the probability and effectiveness of a set of threats to an acceptable level at an acceptable cost. In a network, it starts out with three questions:

  - why do you have access to my [local or network] bandwidth
  - why is your machine talking with my machine
  - why is your application talking with my application

For the application, there are at least two more:
  - why should I <listen to>/<act on>/<divulge to you> what you say
  - How do I know that this message is really from you and is really what you said? In some cases, how will I know next week?

There are also the questions of 
  - obfuscation or encryption, at the application or network layers, 
  - diagnostic tools such as intrusion management
  - attack management tools like uRPF or BGP filters

Reasonable solutions for addressing the questions include (and are obviously not limited to)
  - IEEE 802.1X + EAP-TLS on a LAN, and a firewall on a network
  - IPsec AH or ESP-NULL
  - TLS and friends
  - Application-specific procedures like user-specific credentials
  - DKIM and W3C XML signatures
plus
  - various encryption services including IPsec ESP, SSH, and so on
  - lots of proprietary tools for intrusion management
  - various operational tools for dealing with DDoS etc

IPsec was designed for IPv4 and IPv6; it is either a shim header (IPv4) or one of the extension headers (IPv6). Most IPv4 and IPv6 implementations I know of support it, and have for a long time. Yes, the Node Requirements document makes a statement about IPv6 implementations and IPsec that isn't made regarding IPsec/IPv4; as a practical matter, folks that have it implemented for one generally have it for the other.

In the scope of things, why does having one out of the many needed tools make IPv6 different than IPv4, especially given that the indicated tool is present in both IPv4 and IPv6 implementations?

Scratch-a-my-head. I don't see it.
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
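
Added example, not part of the original message: a short parser that locates an AH or ESP header in a raw packet, showing the point made above that IPsec follows the IPv4 header directly as a shim and sits in the extension-header chain in IPv6. The function name, sample packets, addresses and SPI value are constructed for illustration.

```python
import ipaddress
import struct

AH, ESP = 51, 50              # same IANA protocol numbers in IPv4 and IPv6
V6_EXT = {0, 43, 60}          # hop-by-hop, routing, destination options
FRAGMENT = 44                 # fixed 8-byte fragment header

def locate_ipsec(pkt: bytes):
    """Return (ip_version, 'AH' or 'ESP', header_offset, spi), or None."""
    if len(pkt) < 20:
        return None
    version = pkt[0] >> 4
    if version == 4:
        # IPv4: the IPsec header is a shim right after the IP header (IHL words).
        proto, off = pkt[9], (pkt[0] & 0x0F) * 4
    elif version == 6 and len(pkt) >= 40:
        # IPv6: follow Next Header fields through the extension-header chain.
        proto, off = pkt[6], 40
        while proto in V6_EXT or proto == FRAGMENT:
            if off + 8 > len(pkt):
                return None   # truncated chain
            size = 8 if proto == FRAGMENT else (pkt[off + 1] + 1) * 8
            proto, off = pkt[off], off + size
    else:
        return None
    if proto == AH and off + 8 <= len(pkt):
        return version, "AH", off, struct.unpack_from("!I", pkt, off + 4)[0]
    if proto == ESP and off + 4 <= len(pkt):
        return version, "ESP", off, struct.unpack_from("!I", pkt, off)[0]
    return None

# --- Constructed sample packets (documentation addresses, made-up SPI) ---
def _ah(spi):  # 24-byte AH: next=TCP, payload len=4, reserved, SPI, seq, zero ICV
    return struct.pack("!BBHII", 6, 4, 0, spi, 1) + bytes(12)

def _addr(text):
    return ipaddress.ip_address(text).packed

SAMPLE_V4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0, 0, 64, AH, 0,
                        _addr("192.0.2.1"), _addr("192.0.2.2")) + _ah(0x1001)
HOP_BY_HOP = bytes([AH, 0, 1, 4, 0, 0, 0, 0])   # next=AH, len=0, PadN filler
SAMPLE_V6 = struct.pack("!IHBB16s16s", 0x60000000, 32, 0, 64,
                        _addr("2001:db8::1"), _addr("2001:db8::2")) + HOP_BY_HOP + _ah(0x1001)

if __name__ == "__main__":
    print(locate_ipsec(SAMPLE_V4))   # IPv4 shim header
    print(locate_ipsec(SAMPLE_V6))   # IPv6 extension header
```

The same AH bytes are found in both packets; only the way the parser reaches them differs.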

