ipv6 question
James McKenzie
jjmckenzie51 at earthlink.net
Sat Jan 8 18:27:25 UTC 2011
On 1/8/11 11:16 AM, Michael H. Warfield wrote:
> On Sat, 2011-01-08 at 10:57 -0700, James McKenzie wrote:
>> On 1/3/11 6:44 PM, Robert Nichols wrote:
>>> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
>>>> There is a widespread myth that NAT and the fact that you are on
>>>> different addresses somehow bestows upon you some measure of security.
>>>> As a leading security researcher, let me impress upon you that nothing
>>>> could be further from the truth. You can get security from the inherent
>>>> statefulness of your common consumer grade NAT but there are other forms
>>>> of NAT which do not convey this. Merely the fact that your addresses
>>>> are mapped does not provide you with any protection. It's the state
>>>> engine and the dynamic mapping that do this. But, SURPRISE, that's
>>>> exactly what's in a stateful firewall. There is NO intrinsic advantage
>>>> of NAT over a decent stateful firewall. None.
>>>>
>>>> IPv6 also has a number of security advantages over IPv4, not the least
>>>> of which are "no broadcast address" and "virtually impossible to
>>>> comprehensively brute force scan". That doesn't mean it can't be
>>>> scanned (the scans have to be more targeted and intelligent),
>>> ...
>>>
>>> The problem that I see is that any system to which I have ever made a
>>> connection now has a nice, routable IPv6 address back to the machine
>>> that made the connection and can start probing that machine to see if
>>> any vulnerable services might have been inadvertently left listening
>>> on that interface. No problem if it's a well secured file server,
>>> but it could also be an internet-aware HDTV or video recorder where
>>> I have no control over the internal OS. Sounds like all traffic will
>>> now have to be routed through an external IPv6 SPI firewall
>>> appliance. You no doubt have one of those, but I certainly don't,
>>> and I suspect one would cost a bit more than my $35 NAT router, plus
>>> being a bit beyond the administrative abilities of the average home
>>> user.
>> You really have to look at the IP v6 spec. First, YOU HAVE to use
>> ipsec.
> Oh lord WHY can we NOT make this myth go away?!?! The IPv6 spec does
> NOT mandate the USE of IPsec. It only mandates the SUPPORT of IPsec.
> To be IPv6 compliant you must support it. You do NOT have to use it.
> The IETF has tried to be very clear on this and I've sat in on some of
> the working groups discussing it. I've been on the global IPv6 network
> over a decade now and not used IPsec on IPv6. I've used IPsec on
> IPv4 (and I'm a code contributor to the Openswan project) to help
> facilitate IPv6 tunnels over firewalls and broken (redundant) NAT
> gateways. I can use IPsec on IPv6 and, if I use IKE2, I can even tunnel
> IPv6 directly on IPv4 in ESP (with version 1 IKE you have to use SIT on
> top of ESP in order to tunnel IPv6 on IPv4 through IPsec). But, I don't
> need to so I don't. You don't have to use IPsec.
>
You had better tell that to (ISC)2 as it is a question on their CISSP exam.
James McKenzie
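As an added illustration of the point made in the quoted text (not something from the thread itself): the protection a consumer NAT box gives comes from its connection state table, and an IPv6 router gets the same behaviour, for every LAN host including ones you cannot administer, from a stateful forward chain with a drop policy. This is an nftables ruleset; the interface names lan0 and wan0 are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Interface names are assumed.
# Goal: unsolicited inbound IPv6 to any LAN host is dropped, replies to
# connections the LAN opened are allowed, i.e. what NAT's state engine does.

table ip6 filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows the LAN initiated. This line is the conntrack state
        # engine doing the work that NAT is usually credited with.
        ct state established,related accept

        # Anything the LAN starts toward the Internet may go out.
        iifname "lan0" oifname "wan0" ct state new accept

        # ICMPv6 that IPv6 needs to work end to end (path MTU discovery,
        # unreachable/time-exceeded errors, and ping for diagnostics).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, echo-reply } accept

        # Everything else arriving from the WAN (probes of a TV, DVR or any
        # other LAN host) falls through to the chain policy and is dropped;
        # log a rate-limited sample so the probing is visible.
        iifname "wan0" ct state new limit rate 5/minute log prefix "ip6-fwd-drop: "
    }
}
```

Neighbor discovery is link-local and never traverses the forward chain, so it needs no rule here; load the file with `nft -f` on the router.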