IPv6 Security [Was: Re: misunderstanding scale]

[Paul Ferguson <fergdawgster () mykolab com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 3/23/2014 2:27 PM, Timothy Morizot wrote:

> On Mar 23, 2014 11:27 AM, "Paul Ferguson"
> <fergdawgster () mykolab com <mailto:fergdawgster () mykolab com>>
> wrote:
> > Also, IPv6 introduces some serious security concerns, and until
> > they are properly addressed, they will be a serious barrier to
> > even considering it.
>
> And that is pure FUD. The sorts of security risks with IPv6 are
> mostly in the same sorts of categories as those with IPv4 and have
> appropriate mitigations available. Moreover, by not enabling and
> controlling IPv6 on their networks, an operator is actually
> markedly more vulnerable to IPv6 attacks, not less.

Only if end-points are unaware of dual-stack capabilities.

Also, neighbor discovery, for example, can be dangerous (admittedly,
so can ARP spoofing in IPv4). And aside from the spoofable ability of
ND, robust DHCPv6 is needed for enterprises for sheer operational
continuity.

And that's only a "half" example.

I haven't even mentioned spam management in v6, which will become a
nightmare if people have been relying on IP BL's or similar.


- - ferg


- -- 
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlMvVfcACgkQKJasdVTchbLv0AEAhd/IkA19ssgDW/R+YDWe6YTQ
YRnWIWwiNM+79NuF1EcBAKuMyULkR2hUXdVO7B/IprgpJxrHtzU0mYdTqJJLgnV1
=1iFc
-----END PGP SIGNATURE-----