| 1 |
> "There is no reason to believe that IPv6 will result in an increased use |
| 2 |
> of IPsec." |
| 3 |
> |
| 4 |
> Bull. The biggest barrier to IPsec use has been NAT! If an intermediate |
| 5 |
> router has to rewrite the packet to change the apparent source and/or |
| 6 |
> destination addresses, then the cryptographic signature will show it, |
| 7 |
> and the packet will be correctly identified as having been tampered with! |
| 8 |
> |
| 9 |
|
| 10 |
It's hardly difficult to get around that now is it. You are wrong the |
| 11 |
biggest barrier is that it is not desirable to do this as there are |
| 12 |
many reasons for firewalls to inspect incoming packets. I don't agree |
| 13 |
with things like central virus scanning especially by damn ISPs using |
| 14 |
crappy Huawei hardware, deep inspection traffic shaping rather than |
| 15 |
pure bandwidth usage tracking or active IDS myself but I do agree |
| 16 |
with scrubbing packets. |
| 17 |
|
| 18 |
> With IPsec, NAT is unnecessary. (You can still use it if you need |
| 19 |
> it...but please try to avoid it!) |
| 20 |
> |
| 21 |
|
| 22 |
Actually it is no problem at all and is far better than some of the |
| 23 |
rubbish ipv6 encourages client apps to do. (See the links I sent in the |
| 24 |
other mail) |
| 25 |
|
| 26 |
> Re "DNS support for IPv6" |
| 27 |
> |
| 28 |
> "Increased size of DNS responses due to larger addresses might be |
| 29 |
> exploited for DDos attacks" |
| 30 |
> |
| 31 |
> That's not even significant. Have you looked at the size of DNS |
| 32 |
> responses? The increased size of the address pales in comparison to the |
| 33 |
> amount of other data already stuffed into the packet. |
| 34 |
|
| 35 |
It's been ages since I looked at that link and longer addresses would |
| 36 |
certainly be needed anyway but certainly with DNSSEC again concocted by |
| 37 |
costly unthoughtful and unengaging groups who chose to ignore DJB |
| 38 |
and enable amplification attacks. |
| 39 |
|
| 40 |
His latest on the "DNS security mess" |
| 41 |
|
| 42 |
http://cr.yp.to/talks/2013.02.07/slides.pdf |
| 43 |
|
| 44 |
> "An attacker can connect to an IPv4-only network, and forge IPv6 Router |
| 45 |
> Advertisement messages. (*)" |
| 46 |
|
| 47 |
> Again, this depends on them being on the same layer 2 network segment. |
| 48 |
|
| 49 |
> The same class of attacks would be possible for any IPv4 successor that |
| 50 |
> implemented either RAs or DHCP. |
| 51 |
|
| 52 |
Neither of which I use. |
| 53 |
|
| 54 |
As I said we would be here all day and that link wasn't as good as the |
| 55 |
one I was actually looking for. |
| 56 |
|
| 57 |
local NAT done right is no problem and actually a good thing and I have |
| 58 |
no issues playing games, running servers or anything else behind NAT. |
| 59 |
Global NAT works well enough but isn't a good thing and wouldn't exist |
| 60 |
if they had simply added more addresses quickly. The hardware uptake |
| 61 |
would have been no issue rather than a decade of pleads. |
| 62 |
|
| 63 |
We haven't even touched on the code yet and so all the vulnerable |
| 64 |
especially home hardware which yes often has vulnerable sps anyway but |
| 65 |
by no way just home hardware. |
| 66 |
|
| 67 |
The ipvshit links give an insight into the code complexity. Note |
| 68 |
OpenBSDs kernel which is very secure (unlike Linux whose primary goal is |
| 69 |
function) and has had just a few remote holes in well over a decade, one |
| 70 |
of which was in ipv6 and which I had avoided without down time because I |
| 71 |
won't and what's more shouldn't use ipv6 wherever possible and had |
| 72 |
actually removed it from the kernel all together. |
| 73 |
|
| 74 |
If I am Trolling rather than simply trying to make people aware then |
| 75 |
stating ipv6 is wonderful is Trolling just as much or more. |
| 76 |
|
| 77 |
Regards, |
| 78 |
Kc |
| 79 |
|
| 80 |
-- |
| 81 |
_______________________________________________________________________ |
| 82 |
|
| 83 |
'Write programs that do one thing and do it well. Write programs to work |
| 84 |
together. Write programs to handle text streams, because that is a |
| 85 |
universal interface' |
| 86 |
|
| 87 |
(Doug McIlroy) |
| 88 |
_______________________________________________________________________ |
Archives