Disabling ipv6

Fernando Lozano fernando at lozano.eti.br
Fri Jul 12 16:01:03 UTC 2013


I took me time to recover this one, another more techinical content 
about IPv6 security:


[]s, Fernando Lozano

> Hi,
>>> You keep talking about IPv6 security risks (over IPv4), but haven't
>>> cited any.
>> While I don't know of security risks of IPv6, itself, there is this:
> If you follow IPv6 on the net you should have found lots of articles 
> about this, and how it affects specially home users and SMBs. Here are 
> some introductory links:
> http://thepcsecurity.com/ipv6-security-issues-concerns-transition/
> http://searchsecurity.techtarget.com/tip/Analysis-Vast-IPv6-address-space-actually-enables-IPv6-attacks 
> http://searchsecurity.techtarget.com/tip/IPv6-myths-Debunking-misconceptions-regarding-IPv6-security-features 
> Most vendors and ISPs won't talk about his -- IPv6 is a selling point 
> -- but here's buried inside an AT&T white paper:
> http://www.webtorials.com/main/resource/papers/att/paper28/IPv6_impact_network.pdf 
> "According to the National Institute of Standards and Technology (NIST):
> Prevention of unauthorized access to IPv6 networks will likely be
> more difficult in the early years of IPv6 deployments. IPv6 adds more
> components to be filtered than IPv4, such as extension headers,
> multicast addressing, and increased use of ICMP. These extended
> capabilities of IPv6, as well as the possibility of an IPv6 host
> having a number of global IPv6 addresses, potentially provides an
> environment that will make network-level access easier for attackers
> due to improper deployment of IPv6 access controls. Moreover,
> security related tools and accepted best practices have been slow
> to accommodate IPv6. Either these items do not exist or have not
> been stress tested in an IPv6 environment"
> For more techinical content, you can visit
> http://www.gont.com.ar/
> which is Fernando Gont home page (author of some IETF RFCs), and see 
> theslides at
> http://www.si6networks.com/presentations/ipv6kongress/mhfg-ipv6-kongress-ipv6-security-assessment.pdf 
>> How is your firewall set up?
> That's not the question. I am an experienced sysadmin and networking 
> expert, I know where to search for information and what to look for. 
> But today most computer users, not just Fedora users, do not have this 
> expertise and won't spend enough time researching. They expect to get 
> minimally secure default from vendors and open source projects. 
> something most DO NOT provide currenty, regarding IPv6. :-(
> The fact is: today, even most experienced network admins do not know 
> enough about IPv6 security. Most ones I talked to still believe "IPv6 
> is more secure by design" which it isn't.
> []s, Fernando Lozano

More information about the users mailing list