> "There is no reason to believe that IPv6 will result in an increased use
> of IPsec."
>
> Bull. The biggest barrier to IPsec use has been NAT! If an intermediate
> router has to rewrite the packet to change the apparent source and/or
> destination addresses, then the cryptographic signature will show it,
> and the packet will be correctly identified as having been tampered with!
>

It's hardly difficult to get around that now, is it. You are wrong; the
biggest barrier is that it is not desirable to do this, as there are
many reasons for firewalls to inspect incoming packets. I don't agree
with things like central virus scanning, especially by damn ISPs using
crappy Huawei hardware, deep inspection traffic shaping rather than
pure bandwidth usage tracking, or active IDS myself, but I do agree
with scrubbing packets.

> With IPsec, NAT is unnecessary. (You can still use it if you need
> it...but please try to avoid it!)
>

Actually it is no problem at all and is far better than some of the
rubbish ipv6 encourages client apps to do. (See the links I sent in the
other mail.)

> Re "DNS support for IPv6"
>
> "Increased size of DNS responses due to larger addresses might be
> exploited for DDoS attacks"
>
> That's not even significant. Have you looked at the size of DNS
> responses? The increased size of the address pales in comparison to the
> amount of other data already stuffed into the packet.

It's been ages since I looked at that link, and longer addresses would
certainly be needed anyway, but certainly with DNSSEC, again concocted by
costly, unthoughtful and unengaging groups who chose to ignore DJB
and enable amplification attacks.

His latest on the "DNS security mess":

http://cr.yp.to/talks/2013.02.07/slides.pdf

> "An attacker can connect to an IPv4-only network, and forge IPv6 Router
> Advertisement messages. (*)"

> Again, this depends on them being on the same layer 2 network segment.

> The same class of attacks would be possible for any IPv4 successor that
> implemented either RAs or DHCP.

Neither of which I use.

As I said, we would be here all day, and that link wasn't as good as the
one I was actually looking for.

Local NAT done right is no problem and actually a good thing, and I have
no issues playing games, running servers or anything else behind NAT.
Global NAT works well enough but isn't a good thing and wouldn't exist
if they had simply added more addresses quickly. The hardware uptake
would have been no issue rather than a decade of pleas.

We haven't even touched on the code yet, and so all the vulnerable,
especially home, hardware, which yes often has vulnerable sps anyway, but
by no way just home hardware.

The ipvshit links give an insight into the code complexity. Note
OpenBSD's kernel, which is very secure (unlike Linux, whose primary goal is
function) and has had just a few remote holes in well over a decade, one
of which was in ipv6 and which I had avoided without downtime because I
won't, and what's more shouldn't, use ipv6 wherever possible and had
actually removed it from the kernel altogether.

If I am trolling rather than simply trying to make people aware, then
stating ipv6 is wonderful is trolling just as much or more.

Regards,
Kc

--
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
_______________________________________________________________________