Disabling ipv6
Fernando Lozano
fernando at lozano.eti.br
Fri Jul 12 14:17:45 UTC 2013
Hi,
>> You keep talking about IPv6 security risks (over IPv4), but haven't
>> cited any.
> While I don't know of security risks of IPv6, itself, there is this:
If you follow IPv6 on the net you should have found lots of articles
about this, and how it affects specially home users and SMBs. Here are
some introductory links:
http://thepcsecurity.com/ipv6-security-issues-concerns-transition/
http://searchsecurity.techtarget.com/tip/Analysis-Vast-IPv6-address-space-actually-enables-IPv6-attacks
http://searchsecurity.techtarget.com/tip/IPv6-myths-Debunking-misconceptions-regarding-IPv6-security-features
Most vendors and ISPs won't talk about his -- IPv6 is a selling point --
but here's buried inside an AT&T white paper:
http://www.webtorials.com/main/resource/papers/att/paper28/IPv6_impact_network.pdf
"According to the National Institute of Standards and Technology (NIST):
Prevention of unauthorized access to IPv6 networks will likely be
more difficult in the early years of IPv6 deployments. IPv6 adds more
components to be filtered than IPv4, such as extension headers,
multicast addressing, and increased use of ICMP. These extended
capabilities of IPv6, as well as the possibility of an IPv6 host
having a number of global IPv6 addresses, potentially provides an
environment that will make network-level access easier for attackers
due to improper deployment of IPv6 access controls. Moreover,
security related tools and accepted best practices have been slow
to accommodate IPv6. Either these items do not exist or have not
been stress tested in an IPv6 environment"
For more techinical content, you can visit
http://www.gont.com.ar/
which is Fernando Gont home page (author of some IETF RFCs), and see
theslides at
http://www.si6networks.com/presentations/ipv6kongress/mhfg-ipv6-kongress-ipv6-security-assessment.pdf
> How is your firewall set up?
That's not the question. I am an experienced sysadmin and networking
expert, I know where to search for information and what to look for. But
today most computer users, not just Fedora users, do not have this
expertise and won't spend enough time researching. They expect to get
minimally secure default from vendors and open source projects.
something most DO NOT provide currenty, regarding IPv6. :-(
The fact is: today, even most experienced network admins do not know
enough about IPv6 security. Most ones I talked to still believe "IPv6 is
more secure by design" which it isn't.
[]s, Fernando Lozano
More information about the users
mailing list