All,

For the last five years, my research has been focused on IPv6 security. When I began my research, most operating systems did not include IPv6 by default. It took a fair bit of knowledge about IPv6 and programming to get IPv6 to work. But today many systems include:

- IPv6 is installed by default
- Techniques to tunnel IPv6 over IPv4 (6to4, ISATAP, Teredo, many more)
- The tunneling techniques may not be detected and blocked by current security controls
- Security products (Firewalls/IDS/IPS/ACL/etc.), both commercial and open source, may or may not have implemented techniques to detect/block the tunneling techniques
- IPv6 is enabled

The mitigation is not to turn IPv6 off; instead, I recommend:
- Become educated about the risks and opportunities of IPv6. That is where the next killer application will appear!
- Contact your hardware/software vendors and ask if their products passed “IPv6 Ready” testing. This validates that IPv6 was implemented correctly.
- Implement IPv6 alongside IPv4. Services should include DNS, web servers and e-mail servers. This is the easiest way to mitigate the IPv4 over IPv6 tunneling issues.
- Keep up on patches --- enough said.

You are right on the mark! Addressing the problem before we see compromises on our networks and systems is important. If you are interested, my HOPE slides can be found at: http://sites.google.com/site/ipv6security/ .

In response to the person stating Solaris has IPv6 disabled, may I suggest looking at Sun's website. Or even better, perform a few hundred security tests on deployed Sun boxes over the last 2 years, and tell me how many you find that have IPv6 disabled. In my case, I found none.

And if any of you are attending Black Hat or DefCon this year, look me up.
The article claims that there are 2^128 available addresses for use. That number is way too high since the 2nd half of the address represents the MAC address of the connection card (i.e. host address in IPv4 terms). In addition each user gets their own 16 bit block of addresses from the first-half 64 bit block, thus making the actual number of "networks" 2^48.
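The comment above refers to the second half of an IPv6 address being built from the MAC address. The following is an added example, not code from the thread, showing the modified EUI-64 mapping that stateless autoconfiguration uses (RFC 4291 Appendix A: flip the universal/local bit, insert ff:fe in the middle) and its inverse. The inverse matters to a defender: an address built this way reveals the hardware address and follows the machine across prefixes, whereas addresses with privacy extensions or manual assignment carry no MAC and the inverse function reports None. The MAC and prefix values are made up.

```python
"""Modified EUI-64 interface identifiers (RFC 4291, Appendix A).

Added example, not from the original thread. Maps a 48-bit MAC to the low
64 bits of a SLAAC address and recovers the MAC from such an address.
"""
import ipaddress


def mac_to_eui64(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 identifier from a MAC like 00:1a:2b:3c:4d:5e."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    # Insert ff:fe between the OUI and the device part, and flip the
    # universal/local bit (bit 1 of the first octet) as RFC 4291 requires.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (global or fe80::/64) with the EUI-64 identifier of a MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str):
    """Return the MAC embedded in an EUI-64 style address, or None if there is none.

    None covers RFC 4941 privacy addresses, manually assigned addresses and any
    other interface-identifier scheme: only the ff:fe marker is checked.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"          # made-up MAC for the demo
    for prefix in ("fe80::/64", "2001:db8:1:2::/64"):
        a = slaac_address(prefix, mac)
        print(prefix, "->", a, "-> MAC", mac_from_address(str(a)))
    print("2001:db8::1 ->", mac_from_address("2001:db8::1"))
```

The same interface identifier appears under every prefix the host is ever given, which is why a scanner that learns it on one network can recognise the machine on another.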
Sure, IPv6 can be a problem if there is an IPv6 network running and the user is running an IPv6 stack unknown to the sysadmin. That used to happen quite a lot when unis deployed IPv6.

But in response to that, mainstream vendors have been pretty good with making their security for IPv6 equivalent to their security for IPv4. So when you use the GUI to configure a firewall in Fedora you get both the IPv4 and IPv6 firewalls configured. In this sense Klein is about four years behind the curve.

Nowadays it's the sysadmins and network engineers who are the trouble. They don't use GUI tools, but forget to configure IPv6 when doing manual configuration. Most operating systems have a "secure by default" stance, so we see a lot of services which work for IPv4 but not for IPv6.

Sysadmins also forget that people travel. So we see some laptops from major firms, which should know better, which have manually crafted firewalls with no mention of IPv6. When they visit our IPv6-enabled site, their users' comment that "the Internet works so much better from here" is a heads-up. Those corporate users often don't have Administrator access, leading to interesting discussions with their sysadmins.

There are some glaring exceptions to the "secure by default" stance, with some notable firewall vendors leading that list. On a firewall, if you think you are not running IPv6, then activate IPv6 and configure denial of all traffic. ISPs will be slowly activating IPv6 on all customer links, so just because you aren't running IPv6 to your ISP today doesn't mean that you won't be tomorrow. In a perfect world the ISP would ask each customer's preference, but in the real world ISPs are cutting it very fine with their IPv6 rollouts and are likely to cut this sort of time-consuming corner.
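The post above recommends activating IPv6 on the firewall and denying all traffic, and earlier describes hosts whose hand-written firewall never mentions IPv6. The following is an added example, not code from the post or from the iptables project, that audits an `ip6tables-save` dump for both failure modes: no IPv6 policy at all, and a default deny that also drops the ICMPv6 messages Neighbor Discovery and path MTU discovery need, which makes IPv6 silently stop working (RFC 4890 lists the types that must be let through). The function and constant names are mine and the three dumps are constructed, not captured from a real host.

```python
"""Audit an `ip6tables-save` dump for an IPv6 default-deny posture.

Added example, not from the original thread. The input format is what
`ip6tables-save` prints: ':CHAIN POLICY [pkts:bytes]' and '-A CHAIN ...' lines.
Rules are evaluated first-match, so an ICMPv6 ACCEPT placed after a DROP
of the same type is correctly treated as shadowed.
"""

# ICMPv6 types a host must accept or it loses Neighbor Discovery, Router
# Advertisements and path MTU discovery (RFC 4890, sections 4.3.1 and 4.4.1).
REQUIRED_ICMPV6 = {
    1: "destination-unreachable", 2: "packet-too-big", 3: "time-exceeded",
    4: "parameter-problem", 133: "router-solicitation", 134: "router-advertisement",
    135: "neighbor-solicitation", 136: "neighbor-advertisement",
}
_BY_NAME = {name: num for num, name in REQUIRED_ICMPV6.items()}


def _parse(dump):
    """Return ({chain: policy}, [rule tokens]) for the filter table only."""
    policies, rules, table = {}, [], None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A"):
            rules.append(line.split())
    return policies, rules


def _opt(tokens, flag):
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def _matched_types(tokens):
    """Set of REQUIRED_ICMPV6 types a `-p ipv6-icmp` rule matches."""
    t = _opt(tokens, "--icmpv6-type")
    if t is None:
        return set(REQUIRED_ICMPV6)        # no type given: every ICMPv6 message
    t = t.split("/")[0]                    # ip6tables-save prints type/code, e.g. 135/0
    num = int(t) if t.isdigit() else _BY_NAME.get(t)
    return {num} if num in REQUIRED_ICMPV6 else set()


def _chain_walk(rules, chain):
    """First-match walk of one chain: (required types accepted, ends in catch-all DROP)."""
    accepted, dropped = set(), set()
    for r in rules:
        if r[1] != chain:
            continue
        target = _opt(r, "-j")
        if r[2:] in (["-j", "DROP"], ["-j", "REJECT"]):
            return accepted, True          # catch-all: nothing below is reachable
        if _opt(r, "-p") not in ("ipv6-icmp", "icmpv6", "58"):
            continue                       # lo / conntrack / tcp rules are not ICMPv6 specific
        types = _matched_types(r)
        if target == "ACCEPT":
            accepted |= types - dropped
        elif target in ("DROP", "REJECT"):
            dropped |= types
    return accepted, False


def audit_ip6tables(dump: str) -> list:
    """Return a list of findings; an empty list means the dump passes."""
    policies, rules = _parse(dump)
    if "INPUT" not in policies:
        return ["no IPv6 filter table: host may be filtered on IPv4 but wide open on IPv6"]
    findings = []
    for chain in ("INPUT", "FORWARD"):
        _, catch_all = _chain_walk(rules, chain)
        if policies.get(chain) != "DROP" and not catch_all:
            findings.append(f"{chain}: policy {policies.get(chain, 'missing')} with no final DROP")
    accepted, catch_all = _chain_walk(rules, "INPUT")
    if policies.get("INPUT") == "DROP" or catch_all:
        missing = sorted(set(REQUIRED_ICMPV6) - accepted)
        if missing:
            findings.append("INPUT: default deny also drops ICMPv6 "
                            + ", ".join(REQUIRED_ICMPV6[t] for t in missing))
    return findings


# Constructed dumps for the demo (not captured from real hosts).
NO_IPV6_RULES = "# Generated by ip6tables-save\n*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"
DENY_TOO_MUCH = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
GOOD = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("no rules", NO_IPV6_RULES), ("deny too much", DENY_TOO_MUCH), ("good", GOOD)):
        print(name, "->", audit_ip6tables(dump) or "OK")
```

On a live host, run `ip6tables-save | python3 audit.py`-style by reading stdin into `audit_ip6tables`; the `--hl-eq 255` match on the Neighbor Discovery types is what keeps a default deny from accepting forged NDP from beyond the link.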
Look, some people think that locking up your front door adds security when the thief is already in the house. Others think that building a fence around their house makes sense when the windows and doors aren't locked.

My point is, firewalls are overrated and don't add much security at all. In theory. In practice they often do, which is sad. All a firewall does is block traffic, basically just hampering and crippling the network, which shouldn't be needed in the first place. They're good for access control though, allowing traffic from certain IP addresses and things like that, but blocking "scary" stuff that might or might not go anywhere is just silly.

Shackling your own network users is another matter. I think that's called censorship.

Sorry, what problem? "IPv6 insecurity"? If IPv6 is insecure, fix it, now it's still possible. Oh, you didn't mean to say that IPv6 itself is insecure? Then don't suggest it. "Look, you got IPv6, watch out, it's daaangeroous!" (spooky voice). Yeah, I call that FUD.

Nice wording here mate:

"I believe the point is to get the vendors (..) to escalate their level of support for IPv6."

I totally agree that was exactly the point. Let me rephrase: "Please buy our finally-IPv6-ready security crap or Bad things might happen." (Or "hire us" variants. Plenty of options for a cynical mind.)

As for stateful IPv6 filtering, if you mean conntrack, which was unfortunately needed to implement horrible NAT: Why the hell do you want that crap? It adds tremendous overhead for not much gain, be glad you're rid of it with IPv6. Or at least could be if people would let NAT go...

Why should I need or want to know Teredo's UDP port number and why the hell would I want to block it?

And Teredo is IPv4 stuff anyway, so not a good example (just another way of tunneling).

Pardon my tone, this isn't my usual style, but this kind of "security" crap just irks me.
IPv.6 comes on at early O/S loading & integration of support software stage. "You are connected to IPv.6" comes on screen. Yet if you have trouble keeping your partitions running & reload O/S often, IPv.6 comes on & states you are enabled, yet your machine will continue as IPv.4.

So your connection chart in control panel shows IPv.4 running/IPv.6 enabled.

Meaning once ALL IPv.4 numeral addresses are used up, that's it & one less problem, so heavy address point users & discarders stay with IPv.4 to use up those silly mere 4 billion locations. One System, One IPv. assignment system result. Old IPv.4 addresses continue with little peepee bit size.

There's Nothing else going on. If you have a Very Stable System, IPv.6 will stay running from Day One. No Problems=No Problems.
Signed:IPv.8 (assignment: Universe)microbes have thoughts too, You Know.

iz : I think you read it much differently than I did. I believe the point is to get the vendors (platform, network, security, etc.) to escalate their level of support for IPv6.
Additionally, it is not just the "overpriced security software" failing to face the problem/possibilities - the blame is shared throughout the industry.

IPTables / IPFW is fine - as long as the admin knows how to use it, and knows they need to be securing IPv6. 
(Even IPTables didn't have stateful IPv6 filtering for quite some time ... late support for IPv6 in Snort ... both are relatively recent upgrades)

Example : How many know the UDP port Teredo uses off the top of their head, and have it included in their filter list today? Are you blocking it already?


/TJ
(disclaimer - I work with Joe)
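The first post in this thread lists 6to4, ISATAP and Teredo as tunnels that current security controls may not detect, and the post above asks who actually filters Teredo's UDP port. The following is an added example, not code from either poster, that classifies raw IPv4 packets by the properties the RFCs give each tunnel: 6in4/6to4 and ISATAP ride IPv4 protocol 41 (RFC 4213, RFC 3056, RFC 5214, with 2002::/16, the 192.88.99.0/24 relay anycast and the ::5efe:a.b.c.d interface identifier as tells), Teredo rides UDP port 3544 at the server but ephemeral ports between peers, so it is recognised by its payload too (RFC 4380, 2001::/32, with the optional authentication and origin headers skipped). The packets at the bottom are constructed for the demo from documentation addresses, not captured traffic; the function names are mine.

```python
"""Spot IPv6-over-IPv4 tunnel carriers (6in4, 6to4, ISATAP, Teredo) in raw IPv4 packets.

Added example, not code from the original thread. Feed it the bytes of an
IPv4 packet (e.g. a pcap frame with the Ethernet header removed).
"""
import ipaddress
import struct

PROTO_IPV6_ENCAP = 41
PROTO_UDP = 17
TEREDO_PORT = 3544
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Network("192.88.99.0/24")


def _ipv6_header(data):
    """(src, dst) of an IPv6 header, or None if data does not start with one."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(data[8:24]), ipaddress.IPv6Address(data[24:40])


def _is_isatap(addr):
    """ISATAP interface IDs are ::0:5efe:a.b.c.d or ::200:5efe:a.b.c.d (u/l bit set)."""
    iid = addr.packed[8:]
    return iid[0] in (0x00, 0x02) and iid[1:4] == b"\x00\x5e\xfe"


def _strip_teredo_headers(data):
    """Skip Teredo authentication (0x0001) and origin indication (0x0000) headers (RFC 4380 5.1)."""
    while len(data) >= 4:
        if data[:2] == b"\x00\x01":      # auth: id-len, au-len, id, au, 8-byte nonce, 1-byte confirm
            id_len, au_len = data[2], data[3]
            data = data[4 + id_len + au_len + 9:]
        elif data[:2] == b"\x00\x00":    # origin indication: indicator, port, IPv4 = 8 bytes
            data = data[8:]
        else:
            break
    return data


def classify(packet: bytes):
    """Describe the tunnel a raw IPv4 packet carries, or None for ordinary traffic."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    outer = (ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20]))
    payload = packet[ihl:]

    if proto == PROTO_IPV6_ENCAP:
        inner = _ipv6_header(payload)
        if inner is None:
            kind = "6in4 (undecodable inner)"
        elif any(_is_isatap(a) for a in inner):
            kind = "ISATAP"
        elif any(a in SIXTO4_PREFIX for a in inner) or any(a in SIXTO4_RELAY_ANYCAST for a in outer):
            kind = "6to4"
        else:
            kind = "6in4"           # configured tunnel, e.g. to a tunnel broker
        return {"tunnel": kind, "outer": tuple(map(str, outer)),
                "inner": tuple(map(str, inner)) if inner else None}

    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        inner = _ipv6_header(_strip_teredo_headers(payload[8:]))
        # Port 3544 is only the server side; peer-to-peer Teredo uses ephemeral ports on
        # both ends, so also accept a UDP payload that decodes as IPv6 with a 2001::/32 address.
        if inner is not None and (TEREDO_PORT in (sport, dport) or any(a in TEREDO_PREFIX for a in inner)):
            return {"tunnel": "Teredo", "outer": tuple(map(str, outer)), "inner": tuple(map(str, inner))}
    return None


# --- constructed sample packets (documentation addresses, no checksums needed for the demo) ---
def _ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def _ipv6(src, dst, payload=b""):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLES = {
    "6to4": _ipv4(41, "203.0.113.5", "192.88.99.1", _ipv6("2002:cb00:7105::1", "2001:db8::1")),
    "isatap": _ipv4(41, "10.0.0.2", "10.0.0.1", _ipv6("fe80::5efe:a00:2", "fe80::5efe:a00:1")),
    "teredo": _ipv4(17, "198.51.100.7", "192.0.2.10",
                    _udp(41234, 3544, b"\x00\x00\xa0\xfb\x3a\x2e\x9b\xf8"   # origin indication
                         + _ipv6("2001:0:c000:20a::1", "2001:db8::2"))),
    "plain_tcp": _ipv4(6, "203.0.113.5", "192.0.2.10", struct.pack("!HH", 40000, 80) + b"\x00" * 16),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", classify(pkt))
```

A perimeter that wants to stop these tunnels needs both a rule for IPv4 protocol 41 and the UDP/payload check; blocking port 3544 alone only breaks the Teredo client's qualification with its server, not traffic already flowing between peers.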
With so many hexadecimal IPv6 addresses the internet routing table is going to be bumped up, which will burn the routers' balls.

G.L. to cisco and juniper
100% FUD from an ill-informed source!

Most current Linux distributions offer IPv6 as an option. Whether you utilize IPv6 or not makes no difference w.r.t. security.

Same for all BSD distributions I have seen.

OpenVMS does not enable IPv6 by default either. Even if a system administrator decides to utilize IPv6, it would still be a secure OpenVMS system.

We need IPv6 because the IPv4 address space is far too small for most countries outside the US. The EU and Japan are far ahead with the transition and rather sooner than later there will be only a tiny IPv4 isle left on the North American continent.

As to the US Government's networks, I can assure you that where I work nobody is at risk, since our IPv4 network has been crippled over the past years to the point that any sidewalk café offers better Internet access. And IPv6 traffic is not being routed here at all, because the surveillance equipment is not ready for IPv6 yet.
There are a few steps you have to go through in order to enable IPv6 on a Solaris box - it does not set up network interfaces with IPv6 addresses by default.

When installing / sys-unconfig'ing the OS, you are also asked if you want IPv6 enabled - and I do believe the default value for this is also "no".

When running the OS, you need to touch a file called hostname6.<interface> (e.g. hostname6.ce0) in order to enable IPv6 on that interface. IPv6 is not used on that interface, otherwise - since IPv4 is still the default!
To put the big numbers in perspective:
IPv4 = 256*256*256*256
     = 4 294 967 296
World population
     = 6 828 450 000
IPv6 = 256^16 (256 multiplied by itself 16 times)
     ≈ 3.4*10^38
You can uniquely label every single molecule of every human alive about 20 times.
Overkill ?!?

IPv6 insecurity is a clear and present opportunity
I think some diligent research would deliver Covert Networks already dispensing AIdD to Mother and Support Forces. A view fully supported by this BroadBandCast which may or may not have passed nit picking.

Added: Monday, 21 July, 2008, 10:13 GMT

"The key fault in the old system is being brought into the new system, and that is if you can get through the employment capacity test... you'll get onto a higher rate of benefit," he said.

The key in the old system is not a fault, it is a Facility which is badly understood.

However, it is easily, fully and clearly explained in a Tale of AI JSA Drugs Champion who has Benefited through the System and Moved Into the Highest Rate of Benefits with a Network of Souls into AI and ITs Shared Wealth Generation ..... for Future InfraStructure Today 42 Create ToMorrows.

A Proposal hereby Posed to SMARter Governance/Minister James Purnell from YT040947C and it would be misleading to Pretend that it was new to them. That Choice of theirs for BroadBandCasting Blockage is just Riddled with Black Holes.

Normally the next cry would be .... "We wuz only following Executive Orders"

"As long as people are paid a fair wage for their work, why shouldn't they work for benefits?" .... Peter Hearty, Southend-on-Sea

PH,

If your Work Generates Wealth, it Benefits All, and when All want to Return a Percentage for Growth and Gratitude [Real SMART] is there always a Limitless Supply of Interest to Create Currency Flow and IP2v6 Controls. MI FareWare, 4PhAIR Ladies2.

And that is Obviously a Hailing Call to Budding Boadicea, XXXXotic and Erotic Flowers of Perfumed Gardens. Whose Silence in Greater Virtualised Space is Deafening ... or at least so, in Hands On Control Scenarios.

Release Germaine Greer/Support Rita ver Donk...... Get HyperRadioProActive Immunity with Virtually Shared Transparent Intentions


http://news.bbc.co.uk/2/hi/uk_news/politics/7516551.stm

<<< Your comment will need to be approved by a moderator before it is added to the ‘Have Your Say’ ... Sorry Please post shorter message. Maximum of 500 characters allowed. >>>

"Have Your Say"? Not there's a larf which aint funny but most peculiar.



This is the most stupid FUD article ever.

It's a long winded way of saying that the whole damn world is finally catching up with IPv6, including all the network hardware, but overpriced silly security software still doesn't know about it.

Linux's iptables and BSD's ipfw work fine with IPv6.
Since when does IPv4 have 3 places on the 3rd set? 256.256.256.256. As far as I knew it was 256.256.99.256.
Venerable tcpdump still doesn't handle IPv6 gracefully. One must make ample use of ugly bitmasking to get at the good stuff.