ipv6 question

James McKenzie jjmckenzie51 at earthlink.net
Sat Jan 8 18:27:25 UTC 2011


On 1/8/11 11:16 AM, Michael H. Warfield wrote:
> On Sat, 2011-01-08 at 10:57 -0700, James McKenzie wrote:
>> On 1/3/11 6:44 PM, Robert Nichols wrote:
>>> On 01/03/2011 06:31 PM, Michael H. Warfield wrote:
>>>> There is a widespread myth that NAT and the fact that you are on
>>>> different addresses somehow bestows upon you some measure of security.
>>>> As a leading security researcher, let me impress upon you that nothing
>>>> could be further from the truth.  You can get security from the inherent
>>>> statefulness of your common consumer grade NAT but there are other forms
>>>> of NAT which do not convey this.  Merely the fact that your addresses
>>>> are mapped does not provide you with any protection.  It's the state
>>>> engine and the dynamic mapping that do this.  But, SURPRISE, that's
>>>> exactly what's in a stateful firewall.  There is NO intrinsic advantage
>>>> of NAT over a decent stateful firewall.  None.
>>>>
>>>> IPv6 also has a number of security advantages over IPv4, not the least
>>>> of which are "no broadcast address" and "virtually impossible to
>>>> comprehensively brute force scan".  That doesn't mean it can't be
>>>> scanned (the scans have to be more targeted and intelligent),
>>> ...
>>>
>>> The problem that I see is that any system to which I have ever made a
>>> connection now has a nice, routable IPv6 address back to the machine
>>> that made the connection and can start probing that machine to see if
>>> any vulnerable services might have been inadvertently left listening
>>> on that interface.  No problem if it's a well secured file server,
>>> but it could also be an internet-aware HDTV or video recorder where
>>> I have no control over the internal OS.  Sounds like all traffic will
>>> now have to be routed through an external IPv6 SPI firewall
>>> appliance.  You no doubt have one of those, but I certainly don't,
>>> and I suspect one would cost a bit more than my $35 NAT router, plus
>>> being a bit beyond the administrative abilities of the average home
>>> user.
>> You really have to look at the IPv6 spec.  First, YOU HAVE to use
>> IPsec.
> Oh lord WHY can we NOT make this myth go away?!?!  The IPv6 spec does
> NOT mandate the USE of IPsec.  It only mandates the SUPPORT of IPsec.
> To be IPv6 compliant you must support it.  You do NOT have to use it.
> The IETF has tried to be very clear on this and I've sat in on some of
> the working groups discussing it.  I've been on the global IPv6 network
> for over a decade now and not used IPsec on IPv6.  I've used IPsec on
> IPv4 (and I'm a code contributor to the Openswan project) to help
> facilitate IPv6 tunnels over firewalls and broken (redundant) NAT
> gateways.  I can use IPsec on IPv6 and, if I use IKE2, I can even tunnel
> IPv6 directly on IPv4 in ESP (with version 1 IKE you have to use SIT on
> top of ESP in order to tunnel IPv6 on IPv4 through IPsec).  But, I don't
> need to so I don't.  You don't have to use IPsec.
>
You had better tell that to (ISC)2 as it is a question on their CISSP exam.

James McKenzie
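The "IPv6 SPI firewall" Robert Nichols is worried about, and that Michael Warfield says gives exactly the protection a consumer NAT box gives, does not need a separate appliance: it is the same stateful policy a NAT router already runs, minus the address rewriting. The nftables ruleset below is an added example for a Linux gateway and is not from the original thread or from any of the posters. It assumes the WAN interface is eth0 and the LAN bridge is br0 (both are assumptions). The one caveat a practitioner needs that NAT never forced on them: ICMPv6 is not optional, because Neighbor Discovery, Router Advertisements and Path MTU Discovery all ride on it, so a blanket ICMP drop breaks the link.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 firewall for a home gateway (not from the thread).
# Assumed interface names: eth0 = WAN (upstream), br0 = LAN bridge.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept

        # The state engine is the whole point: replies to connections the
        # gateway itself opened come back in; anything unsolicited is dropped.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the link cannot live without: errors, PMTUD, neighbor and
        # router discovery. NAT boxes never had to think about this.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # DHCPv6 client replies from the upstream router (link-local source only).
        iif eth0 udp dport 546 ip6 saddr fe80::/10 accept

        # Everything from the LAN side is trusted to reach the gateway itself.
        iif br0 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections LAN hosts opened outward.
        ct state established,related accept
        ct state invalid drop

        # Let ICMPv6 errors and PMTUD reach the TV or DVR behind the gateway;
        # without packet-too-big, big transfers to those devices stall.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # LAN hosts may initiate outbound; nothing unsolicited is forwarded in.
        # This line is the "NAT protection" with the NAT removed.
        iif br0 oif eth0 accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. An outbound connection from a LAN host creates a conntrack entry, so its replies match `established,related`; an attacker who learned the LAN host's global address from a previous connection hits the `forward` chain with a `new` state and is dropped by the policy. Address mapping never enters into that decision, which is the point Warfield makes above. If a LAN device genuinely must be reachable, add an explicit `iif eth0 oif br0 ip6 daddr <host> tcp dport <port> accept` line for it, which is the IPv6 equivalent of a port forward and is just as deliberate a hole.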


