Nice presentation; thanks for sharing.
And many would be wrong, though it's been 13 years in the making.
Rapid growth of the internet in the face of native v6 being better +
faster + cheaper than carrier NAT is going to change that. IPv4
exhaustion matters.

On the IPSEC front, it might be worth pointing out that the
interesting security issues such as rampant endpoint insecurity
regardless of network protocol, immature v6 protocol stacks, and lack
of v6 feature parity have nothing to do with IPSEC. Meanwhile, if
those living in a Windows monoculture who find "direct access" VPN's
helpful might actually lead to a handful of IPSEC deployments.

In addition to the point that dual-stack hosts create v6
vulnerabilities in supposedly v4-only networks, it might
be worth emphasizing a few more of the implications of
living in a dual-stack world, such as:

* Carrier-grade / Large scale NAT devices mean that v4 forensics
has to change: you can't track an attacker based on IP address
unless you also know the timestamp, protocol, and port numbers.

* v6-mostly web sites aren't yet usually v6-only, so you need dual-
stacked packet traces to see what clients actually pulled down.

* The plethora of protocols and addresses (v4, v6; link-scope,
global-scope; unicast, multicast) in simultaneous use means
network forensics will have to be based on port-snooping.
Anyone willing to bet against "happy eyeballs" (race parallel v6 and
v4, deliver the winner) also being in windows 8, given that Google
Chrome, Firefox, and OS-X 10.7 already have it? I've been pleasantly
surprised by how fast it's deploying.
Amen, brother.

Add AT&T U-verse customers to the list of those about to get IPv6 in
the US, too. World IPv6 day in France saw 3% v6 traffic on the
backbone; French ISP's have been earlier than most in completing v6
rollouts. Sadly, my own ISP is dragging its feet; happily, my
employer already offers a dual-stacked VPN service.

As near as I can tell, if you have Asian customers, Asian supply
chains, mobile customers, or you are an IT supplier to major
governments, you should already have IPv6 rolled out. Assuming
current growth rates, about 15% of the internet is likely to be v6-
only in 2013. Consumer preference is liable to flip as soon as
December 2014, if some hot v6-only electronic toy comes out of a
pacific rim country in time for the holiday shopping season. 99% of
IP traffic could be v6 in 2017; Cisco reported that at Interop and
Cisco Live conferences this summer with a dual-stack native
environment and the current client mix 60% of traffic flipped to v6.
IPv4 backbone routing is likely to turn off in 2020 - and this is
already predicted in AT&T's roadmap. There was no economic incentive
to start rolling out v6, but there is a very strong incentive to stop
routing v4. What does going v6-only save you on DFZ router load,
maybe 50% on memory and 95% on CPU? We're seeing about a 7:1 ratio
between v4 routes and v6 routes currently out of the minority of
dual-stacked autonomous systems, right?

Meanwhile, transition plan A (dual stack "heavy") foundered on lack
of IPv4 address space, and plan B (dual stack lite) seems to be
ignored in favor of plan C: v6-only with NAT64/DNS64 converters to
the legacy v4 internet. Plan C is where the University of Wisconsin
expects to end up once it runs out of v4, probably in 2013. I think
NAT64 is winning because for cell phones it's cheaper to be mono-
stack than dual stack, and for ISP's NAT64 keeps less state than
NAT44, and so scales better. Phone companies and ISP's won't care
that v6-only customers have lousy experiences at v4-only web sites;
all the *big* sites in the US like google, bing, xbox, yahoo, facebook,
cnn,
youtube, netflix, etc. are already dual-stacked, or nearly ready.
Most peer to peer stuff clients and some gaming clients are already
dual-stacked. I know companies with advanced v6 rollout plans who
confidently expect that being early movers is about to yield them
competitive advantages.

I figure the dual-internet interregnum (the period where some people
don't have v4 and others don't have v6) runs 2009-2015. Even if the
last v4 device isn't likely to disappear until 2036 or so, in 2016
pretty much everyone who wants v6 should be able to have it.

The analogy I'm using to explain v4 -> v6 to end users in the US is
that it's like the transition from analog TV to digital TV: new gear
(broadband modems, wifi routers) all around to get mostly the same
content. Given the narrow product range and immaturity of
implementations, especially for DSL modems, I'm telling my fellow
Americans not to replace such gear till 2013, unless they like to
be on the bleeding edge.

v4 and v6 are both packet switched networks with best effort delivery
and next hop routing, so the threat models are basically identical.
The key security differences seem to me to be in areas like:

1) Big v6 address space means reputation lists will have to based
on blacklisting prefixes or whitelisting hosts; merely
blacklisting hosts is not going to cut it. So don't v6-enable
your mail server yet (do enable DNS and Web, obviously).

2) Extend your wired layer 2/3 defenses beyond DHCPv4 spoof
prevention to DHCPv6 and RA spoof prevention. RA's existed in
ICMPv4, but no one ever used them. On Cisco switches this week I
think I like parallel v4 and v6 ACL's on the ports for this.
What are other people using?

3) Block tunnels at your firewalls. If you have native v6 you
don't want them, and if you don't have v6 you probably aren't
ready to cope with them. In any case your network monitoring
probably can't inspect tunnels effectively, even if your
security infrastructure is dual stacked - which it should
already be. Forbidding protocol 41 and port 3544/udp is a very
good start on this.

-- Jim Leinweber
State Laboratory of Hygiene, University of Wisconsin - Madison
<***@slh.wisc.edu> phone +1 608 221 6281
PGP fp: D573 AF7D F484 EE2A F0B6 B7DB A870 7518 F87D A0D1

Indeed.

"Disable proto 41" sounds good for referring to packets being filtered
at a firewall. However, other (not mutually exclusive) options are
avialable, such as disabling v6 suppport at the OS.

[JRS>] -and-
If you disable IPv6 in the sense of removing support for it, that attack
is not possible.


[JRS>] Specifically with Windows Vista/7/Server 2008/R2 and later IPv6 is a core part of the Operating System. Many features require IPv6 and will not work if you disable it including HyperV, TMG, Exchange, SBS Server, DirectAccess, HomeGroups, and Peer-to-Peer Networking.

I think we all agree there is a clear need for IPv6 and IPv4 is reaching the limits of its scalability. I like Fernando's approach of submitting drafts with suggestions where issues are discovered. I believe the focus should be on encouraging vendors to adopt existing solutions, maintain or achieve parity with IPv4 features, address limitations/vulnerabilities discovered, and actively participate in the IETF and other forums to drive and improve IPv6.

--Jim

On 9/25/11 1:03 AM, Fernando Gont wrote:

Hi Fernando,
Some consideration must be given in how to detect hosts when DHCPv6 is
not used. A rouge RA could easily implement Prefix Information and
RDNSS options where monitoring DHCPv6 would then not detect which hosts
were involved. The DUID offered by DHCPv6 will not relate to specific
hosts or their assigned assigned addresses. Remote-ID Option 37
described in RFC4649 might be used to replace DHCPv4 Option 82 to aid
the port/IP address mapping, but then what when DHCPv6 is not used?
NAT mapping rarely offers security. SSL CBC has proven easily
exploitable once a MitM situation is established. NAT use places
reliance on the LAN to avoid address spoofing and related MitM
scenarios, much like that found with XSS. End to End security does not
require use of IPsec, although IPsec would be one such anti-MitM
alternative.
Thoughtful deployment is still a better choice. IPv6 is here now and
the simpler approach is native support on the LAN.
Disabling IPv6 at the host will break services that do not assure
functionality in this downgraded mode. Not deploying IPv6 on the LAN
also invites less secure fallback transitional schemes. When a host is
compromised, is it still safe to assume IPv6 is disabled? Is there
spoofing protection with ISATAP?
When will these issues be resolved to meet your satisfaction? FreeBSD
vendors have already released patches for the issue where perhaps due to
the BSD license, fixes are driven by affected vendors. All the more
reason for the market to insist repairs are made or find alternatives.
Going back to IPv4 is not an alternative at this time.
As in removing it from the Internet, from the router, from the switch?
Providing reasonable security for remote systems is easier using of
end-to-end security methods. IPv4 refers to translated IP address space
full of questionable middle boxes. While indeed IPv6 is not perfect,
IPv6 provides future growth.
Your strongest statements are to disable IPv6 (at the host), as if
practical, possible, or offering better security. Securely using IPv6
is the new cost of doing business, period.
Should everyone stop using SSL because of the CBC issue? Many of these
issues will require improved monitoring over what we have today. Those
that start now will be ready when IPv6 really takes off, as it is about
to do.
More systems will remain vulnerable longer as malefactors take advantage
of "IPv6 broken" networks as they leak data over unseen transitional
protocols. :^(
Exactly. This was tongue in cheek. I even said it would not prevent
any exploits.
There are many exploits that will always remain possible. Whether by
spoofing ARP broadcasts, spanning tree protocols, VLANs, etc. Progress
is made by achieving an environment able to offer end-to-end security.
While not everything needs to operate in this way, it is vitally
important more networks make progress in this direction where data is
secured by direct communication. More work needs to be done on DNSSEC,
SeND, DANE, etc. SeND can work within mixed environments and not be
supported by all hosts. Security can step over less secure hosts for
now and be limited to Cisco and Juniper routers and switches where
security is important.
Additional monitoring will be fairly unlikely when they think no one is
using IPv6.
That is what they said about SSL. :^) One might hope DANE and dynamic
DNSSEC becomes available, where support for SeND then becomes eas to
deploy.
There is no universal defense against ARP or ND spoofing. And it is
common for interfaces to utilize many IP addresses. Using static MAC
tables might help, but often that is not practical. While neither ARP
nor ND traffic can be completely enforced, that was the goal behind
SeND. Do we need to wait for the value of security and cost of the
hardware to become comparable? It is foolish to think either ND or ARP
are secure.
Dropping packets that combine SYN and RST flags seems logical as well,
but even that is not a complete solution.
When done with IPv6, the states are simpler. Far fewer keep-alives and
no dynamic reassignment of the destination address. When a subsequent
middle box is not present, there are fewer opportunities where traffic
can injected within the LAN. There are two types of LAN. Those that
have been compromised, and those that compromise has not yet been
discovered.
Any duration in regard to IPv6 can have much longer periods without any
risk of running out of port resources.
Do we agree NATs offer poor security? To a user, they'll suffer the
same attack. For the attacker, one would hope the LSN has improved
monitoring over what is found in CPE, which is as good a none.
The ability to establish a paradigm of end-to-end security.
It is deployable when security holds enough value for the organization.
Or a practical solution that depends on massive IP address lists. IMHO,
this needs to move to crypto validation and interim tables ASAP, a la DANE.
http://tools.ietf.org/agenda/81/repute.html

Their charter refers to protocols that can not fairly support negative
reputation assessments. I am working on a paper to describe details of
the concerns.

-Doug

Unless you use RA Guard instead.

Owen

[snip]
Last version, so *-10 (which has RFC Ed Queue status).
OK. At first, I am not a PKI expert. Now, from what I understand (PKI
experts, please, don't hesitate to correct me :)):

RPKI is based on SPKI, meaning you don't care who is the owner of the
certificate (i.e., DN) but you only need to know an entity is allowed
to provide a service. This is not the case in a classical PKI (i.e.,
applications check DN in the cert).
RPKI is used to certify resources (i.e., AS and Prefixes). The Trust
Anchors (i.e., CA) are normally the RIRs. So, in a SEND deployment,
the hosts should only store RIRs' certificates to get

I will point out that NDP spoofing is no worse than ARP spoofing in IPv4,
so, I'm not sure how you can say that it is not an equivalent level of first
hop security.

Owen

YMMV... I tried it for a brief time and went back to static. The return to static significantly
reduced my level of pain.

Owen

That depends on what you mean by "simplify", or *what* (specifically)
you want to simplify. e.g., DHCPv6 makes logging trivial. However,
SLAAC+Privacy Extensions makes it rather difficult (at least with
publicly available tools).
Last time I checked (1-2 years ago), neither Windows, nor any of the
open source OSes I was using supported RDNSS by default.
... if only one could deploy it for the general case.


Thanks,

We can agree to disagree.
The number of networks that even bother to police ARP in IPv4 being
relatively small leads me to believe that while you may be correct from
a technical puritanical perspective, in terms of real world vulnerability,
we have a long tradition of running insecure networks and that the IPv6
issues will get addressed in a similar manner to the IPv4 issues. As
someone exploits them dramatically, they'll get resolved or worked
around or otherwise mitigated.
I was not advocating squelching discussion, but, I'm also not in favor
of hysterics. I still think that with RA guard, you're basically no worse
off than ARP in IPv4, just in slightly different ways.
I'm not convinced. We pretended everything was just fine with IPv4
for a long time. We continue to pretend everything is just fine with
IPv4 in many ways. The network still mostly works.
I think insane is a somewhat strong term, but, I don't entirely disagree
with you here. However, I think that considering them requires a more
balanced evaluation of all of the factors, including the risks involved
in not deploying IPv6 which also are not small.
Proving my point that either extreme is useless. Those that are in favor
of IPv6 everywhere no matter what are ignoring the realities of the
need to address these security concerns.

Those claiming that these security concerns are significantly worse
than IPv4 and we should therefore put the internet on hold while
we figure it out are ignoring the risks associated with such an
action (the deployment of vastly larger amounts of CGN, the
destruction of any semblance of an IPv4 audit trail, the costs
associated with these various workarounds, etc.)

Bottom line, it's a tradeoff and focusing on any single issue is a
recipe for making bad choices.
And yet the technical community has been operating the IPv4 internet
largely ignoring or neglecting security issues for decades.

I'm not advocating such behavior, but, I am pointing out that calling it a
non-starter is ludicrous in the face of the facts.

Owen