Defcon speaker calls IPv6 a 'security nightmare'

The internet's next-generation addressing scheme is so radically different from the current one that its adoption is likely to cause severe security headaches for those who adopt it, a researcher said last week. With reserves of older addresses almost exhausted, the roll-out of the new scheme — known as IPv6 or Internet …

COMMENTS


    1. Anonymous Coward

      There is plenty of IPv4 space - don't believe the hype

      Some of the comments on here from the armchair experts are truly astonishing with most just plain wrong.

      IANA doesn't make end user assignments. Slash 32 is the normal allocation to ISPs. Slash 48 is the longest prefix you should expect to see in the global routing table though there are discussions going on for longer prefixes for traffic engineering purposes. LIRs (ISPs) assign to end users. Slash 48 or 56 is what everyone will get at home.

      I numbered my p2p links with slash 64s on the ISP backbone according to the RFCs.

      Anyone that says IPv4 is running out misunderstands the issue. It is only running out in terms of what IANA has available to allocate to RIRs such as RIPE. What Geoff Huston is monitoring is correct but the interpretation by lay people is wrong.

      Many ISPs have large IPv4 allocations which are still unused. Myself included. If the allocations were properly managed back in the Wild West days of the internets then we wouldn't have all this drama and hype now.

      I designed and deployed v6 in the main traffic areas on our ISP backbone in a month. Dual stack but only because some customers were asking for reachability to our v6 DNS servers. I haven't yet decided how to deploy to subscribers but if Hurricane Electric are doling out slash 48s I will probably go with that. Sub-netting is essentially a thing of the past. And if I need more, RIPE already have a second slash 32 right next to the first pre-assigned ready for me if I ever need it.

      People need to get away from that mentality of address space wastage. It's designed that way. Simplicity is key. From our slash 32 RIPE allocation, I use 16 bits to get 65k slash 48s. I use one of those 48s to subnet again with 16 bits to give me 65k 64s which I use for backbone or Infrastructure data-links. Of which so far I have used around 20 to interconnect IXPs and data-centres. Servers get a slash 64 in a VLAN.

      Network Engineers that are dividing up slash 64s into slash 127s for p2p links are being too anal wasting their time and living in the past - though there are security implications for this.

      To the person who claims he cannot deploy v6 in dual stack because he has a slash 16 deployed, I would suggest that you shouldn't - among others - be working in IT.

      There is no such thing as class A, B or C addressing schemes.

  1. Anonymous Coward

    letters and/or digits

    "Chief among the threats is the issue of incompatible firewalls, intrusion-prevention devices, and other security appliances"

    When someone takes a wheel off your car you don't drive off before they put the new one on.

    In other words, surely you would just upgrade your firewall?

  2. jonfr
    Boffin

    Mac address and IPv4

    You also can get mac address from IPv4. The only difference is that it is not used to make an IP address like in IPv6, where part of the mac address you have comes from your nic.

    But random strings in IPv6 already hide those anyway. So people should be pretty secure with IPv6.

  3. Volker Hett
    Thumb Down

    since I first encountered IPv6 mid 90s

    I'm under the impression most hardware and software vendors as well as ISPs hope that it vanishes in a puff of smoke when they just ignore it long enough.

    1. Anonymous Coward

      Rubbish

      Cisco and Juniper have supported v6 for 10 years. Microsoft and others also.

      Currently there is no demand for it. But any ISP worth its salt is or has deployed in readiness.

      1. Volker Hett

        not so rubbish

        Cisco and Juniper are fine for the Datacenter but we need it in households and at SMBs.

        Where is the Netgear DSL Router with IPv6 and where do I get IPv6 for my home?

  4. TonyHoyle

    Even sooner than that..

    I like to point people at http://www.ipv4depletion.com/?page_id=4

    It's a slightly more pessimistic date (there's apparently a good reason for the difference but I'm not a maths whiz).

    Saying ipv6 is broken because you have a useless firewall vendor is like saying the motorway is broken when your car breaks down. *All* business vendors should be supporting ipv6 by now - if they don't, get a new vendor.

    Consumer routers are the bigger problem. They're done on the cheap so basically all have clones of the same old images with a different web frontend. Even though a lot are linux based.. which supports ipv6 just fine.. they just don't turn it on. That's starting to change - DLink have a couple of ipv6 capable models now.

    Personally I don't give a stuff if someone knows my mac address.. what are they expecting to do with it? The mac of one of my servers is 00:50:56:3f:58:50. Go ahead, try hack me based on that information. Or even work out what OS it's running. And if you're that paranoid.. either (a) alter the mac address manually, or (b) switch privacy on.

    As for "The big issue though, DNS. How does the computer get DNS servers? It doesn't because there are no DNS servers" I'm not even sure what that's trying to say. Even the root nameservers are ipv6 capable now... the major DNS vendors have been ipv6 capable for years. DNS is *not* an issue (other than microsoft not implementing RDNSS yet but that's really a vendor problem).

    1. Anonymous Coward

      Which OS?

      > The mac of one of my servers is 00:50:56:3f:58:50. Go ahead, try hack me based on that information. Or even work out what OS it's running.

      Linux version 2.6.24-19-lpia (root@sisko) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)

      1. Anonymous Coward

        Reveals hardware

        You should really give us the server's public IP as well as your MAC, cos that's what we'd get with IPv6. Anyway, from that MAC we can tell your machine is a virtual box running in VMware (00:50:56), for whatever that's worth. I would think it makes you more exposed to VMware guest vulns though and also puts other guests on the same host in a weaker position.

        For example:

        http://www.scmagazineus.com/vmware-patches-new-critical-security-vulnerability/article/130518/

      2. Lou Gosselin

        Re: Which OS?

        "Linux version 2.6.24-19-lpia (root@sisko) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)"

        Not bad at all. How about this for the ip?

        192.168.44.111

        1. Charles 9

          That's not a public IP.

          192.168/16 is a designated range of IPs meant for use in private networks. It encompasses a span of 256 Class C (/24) blocks. They're the address range of choice for the internal routing of home networks for that reason. Routers are not supposed to pass them along to the greater Internet.

          What this seems to indicate is that the VM received the address from a DHCP server in the 192.168.44/24 range (probably 192.168.44.1). This could be your current physical router or a virtual NAT running in the host machine (both setups are possible in VMWare and VirtualBox).

    2. Lou Gosselin

      @TonyHoyle

      "The mac of one of my servers is 00:50:56:3f:58:50. Go ahead, try hack me based on that information. Or even work out what OS it's running."

      This is registered to vmware. Of course it was wise not to tempt fate, but had you provided an ip address, there are tools to profile the ip stack and reliably derive the operating system in use.

    3. Anonymous Coward

      Depending on your IPv6 config

      Depending on your IPv6 config, you've just given yourself away...If your switch/router vendor still stuffs the MAC into the IPv6 address. I hope you google'd it before you posted it.
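The MAC-in-the-address point argued over by jonfr, TonyHoyle and the replies above, worked through as an added example that is not part of this thread: it derives the SLAAC interface identifier from the MAC TonyHoyle posted, and checks whether a given address still carries one. The function names and the documentation prefix are this example's own assumptions.

```python
# Added example (not from the thread): how SLAAC's "modified EUI-64"
# interface identifier (RFC 4291) embeds a 48-bit MAC, and how to check
# whether an IPv6 address still carries one. All names are this example's own.
import ipaddress

# The MAC posted in the thread; the prefix is a constructed RFC 3849
# documentation prefix, not anyone's real network.
SAMPLE_MAC = "00:50:56:3f:58:50"
SAMPLE_PREFIX = "2001:db8:1234:5678::/64"

def mac_to_eui64_iid(mac: str) -> bytes:
    """8-byte modified EUI-64 interface ID derived from a MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the device part, then flip the
    # universal/local bit (0x02 in the first octet).
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address SLAAC forms from prefix + MAC when privacy extensions are off."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface IDs need a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def embedded_mac(addr: str):
    """MAC hidden in an EUI-64 style address, or None if the interface ID
    lacks the ff:fe marker (e.g. an RFC 4941 privacy/temporary address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # undo the U/L flip
    return ":".join(f"{b:02x}" for b in mac)

def oui(mac: str) -> str:
    """Vendor prefix (first three octets); 00:50:56 is the one the thread attributes to VMware."""
    return mac.lower()[:8]

if __name__ == "__main__":
    a = slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print(a, embedded_mac(str(a)), oui(SAMPLE_MAC))
    print(embedded_mac("2001:db8:1234:5678:1c3a:9b4d:7e2f:0a61"))  # None
```

Running `embedded_mac` over your own host's global addresses is a quick way to confirm whether privacy extensions are actually in effect.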

    4. Charles 9

      It boils down to this.

      If you use a stateless IPv6 ISP, which means it does not use DHCPv6 (and incidentally, among the things a DHCP connection tells you are the list of DNS servers to use), how does one know which IPv6 points to the local DNSv6 server? In real world terms, how do you find your way around town without a map, but at the same time, how do you get a map without knowing the location of the map store?

      1. Lou Gosselin

        @Charles 9

        "If you use a stateless IPv6 ISP, which means it does not use DHCPv6...how does one know which IPv6 points to the local DNSv6 server?"

        The answer is very simple, as I've already mentioned, use DHCP.

        IPv6 has an auto ip configuration option, but that doesn't eliminate the need to use "stateless DHCP" for other information.

        Stateless DHCP is called this because it doesn't need to track ip addresses. This is not to say that there is no DHCP at all, that's the same mistake made by the OP.

        Of course if you disable DHCP entirely, then you'll need to configure your network statically, but this will not be the norm.
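The "how does a stateless host find DNS" question from Charles 9, Lou Gosselin's DHCPv6 answer and TonyHoyle's RDNSS remark, shown concretely as an added example that is not part of this thread: a Router Advertisement can carry resolvers directly in an RDNSS option, or set the O flag to point hosts at stateless DHCPv6. The packet is constructed for the example, the checksum is left zero, and the function names are assumptions of this example.

```python
# Added example (not from the thread): how a host on a "stateless" IPv6
# network learns DNS servers without stateful DHCPv6. Router Advertisements
# (ICMPv6 type 134) carry either an RDNSS option (RFC 6106) listing resolvers
# directly, or the O flag telling the host to ask stateless DHCPv6 for them.
import ipaddress
import struct

RA_TYPE = 134
OPT_RDNSS = 25          # RFC 6106 Recursive DNS Server option
FLAG_MANAGED = 0x80     # M: get addresses from stateful DHCPv6
FLAG_OTHER = 0x40       # O: get other config (e.g. DNS) from stateless DHCPv6

def build_ra(flags: int, dns_servers, lifetime: int = 600) -> bytes:
    """Constructed RA with one RDNSS option (checksum left zero for the example)."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    # option length is in units of 8 bytes: 8-byte header + 16 per address
    opt = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, lifetime)
    return hdr + opt + addrs

def parse_ra(pkt: bytes) -> dict:
    """Return the M/O flags and any RDNSS resolvers announced in the RA."""
    icmp_type, _, _, _, flags, _, _, _ = struct.unpack_from("!BBHBBHII", pkt, 0)
    if icmp_type != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(flags & FLAG_MANAGED),
            "other": bool(flags & FLAG_OTHER), "dns": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: must discard
        end = off + olen * 8
        if end > len(pkt):
            raise ValueError("truncated option")
        if otype == OPT_RDNSS:
            lifetime = struct.unpack_from("!I", pkt, off + 4)[0]
            for i in range(off + 8, end, 16):
                info["dns"].append((str(ipaddress.IPv6Address(pkt[i:i + 16])), lifetime))
        off = end
    return info

# Constructed sample: router sets O (stateless DHCPv6 available) and also
# hands out two documentation-prefix resolvers via RDNSS.
SAMPLE_RA = build_ra(FLAG_OTHER, ["2001:db8::53", "2001:db8::54"])

if __name__ == "__main__":
    print(parse_ra(SAMPLE_RA))
```

The zero-length and truncated-option checks matter because an RA from an unauthenticated neighbour is exactly the input a host must not loop or crash on.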

  5. John Klos

    No real content...

    They're basically saying that because IPv6 addresses are public, all of the insecure machines which count on being behind NAT and so on will be insecure. This implies that NAT is normal and that the behavior of NAT is what should be expected, but this isn't the case - NAT is an exception, and public, accessible IPs are real life. Thanks, Microsoft!

    Telling people that IPv6 is insecure is assuming that we should all cater to the lowest common denominator - the insecurity of Windows - instead of having higher standards which would include assuming that any machine could be on a public IP at any time.

  6. Anonymous Coward

    Others' experience

    Feel free to correct my memory, but I understood that Asian countries had fairly extensive IPV6 networks, as their allocation of V4 was quite small to begin with. Has this researcher checked into their experience, or is this conjecture? I do think he's right to make people aware that the move to IPV6 isn't a drop-in replacement, and a lot of dogma is going to have to be re-learned, but I think there's plenty real-world experience to go on, even if it's not from the Western world.

    1. Allan George Dyer
      Stop

      Not a comprehensive answer...

      I'm in Hong Kong and recently asked my ISPs about their IPv6 plans. After the initial, "Huh? What's that", I got past the sales team and got:

      ISP 1) None.

      ISP 2) That's part of our "Premium Business Plan", that will cost you $$$$

      No idea where these Asian countries with masses of IPv6 networks are.

  7. John Smith 19 Gold badge
    Joke

    2^48 was more than enough for Ethernet

    Wasn't it?

  8. Khoos

    The real nightmare

    The real nightmare is a network security vendor (like a firewall vendor) who can't deliver IPv6-capable firewalls when IPv6 has only been in the making for about 20 years, probably longer than some of those network security vendors have been wrestling with IPv4 insecurities. Why was "IPv6 support" not on the must-have list for any network device being bought for the last 3 years?

  9. kwah
    Black Helicopters

    just thinking out loud..

    ''It means that everything you send or receive is labelled with your real MAC address...''

    Have we just uncovered the *real* reason Google wanted all those MAC addresses tied to geographic locations?

    /me hunts around for my tinfoil hat

  10. Anonymous Coward
    FAIL

    running out?

    There are loads of IP addresses that aren't in use. Last time i checked IBM, Compaq and GE had literally millions, (entire /8's)

    I think it's time that someone with a set of b*lls asked them to give some of them back. How many forward facing web and FTP servers do they actually need?

    256? possibly, but unlikely. (This is 1/65000 of their IP addresses)

    65536? not likely in any way. (This is 1/256 of their IP addresses)

  11. Christopher E. Stith

    I'm scared of the amount of ignorance in this discussion.

    I hope only a few of you have anything to do with the industry.

    The very idea that more addresses and the option not to use DHCP means there will be no DNS just displays a total lack of understanding. Guess what -- there are options to use other than DHCP now. DNS is needed because people don't remember 32-bit addresses well, even as octets translated to decimal. There's no way it's going to be irrelevant with 2^128 addresses. DNS or some successor will be much more relevant.

    The idea that name-based virtual hosting is so much harder than IP-based virtual hosting is laughable.

    There certainly won't be a dramatic sudden IPv4 to IPv6 shift in large companies like many of you think. New blocks allocated will be IPv6. Eventually, the IPv4 blocks will be routed through a v4-v6 gateway router. After that, there will be v4 NATed networks behind a v4-v6 gateway that is behind v6 NAT even after v4 isn't publicly routable. The companies will still have v4 equipment internally. It will take years to phase out all the v4 in some organizations, even with v6 being the only newly allocated addresses on the public Internet.

  12. druck Silver badge
    Thumb Down

    IPv5

    Should have just gone with a small increment to IPv5 and 64 bit addresses, which is plenty until someone discovers more atoms in the universe.

  13. Anonymous Coward

    A solution in search of a problem?

    It looks like IPv6 is necessary due to some legacy protocols (like VoIP) which don't play nice with NAT. If the default assumption is that the customer is behind several NAT layers, it would be possible to construct networking protocols that work fine with that.

    So instead of the expensive IPv6 rollout, maybe networks and protocols should become more NAT-friendly.
