1 |
On 03/09/2013 07:53 AM, Kevin Chadwick wrote: |
2 |
>> "There is no reason to believe that IPv6 will result in an |
3 |
>> increased use of IPsec." |
4 |
>> |
5 |
>> Bull. The biggest barrier to IPsec use has been NAT! If an |
6 |
>> intermediate router has to rewrite the packet to change the |
7 |
>> apparent source and/or destination addresses, then the |
8 |
>> cryptographic signature will show it, and the packet will be |
9 |
>> correctly identified as having been tampered with! |
10 |
>> |
11 |
> |
12 |
> It's hardly difficult to get around that now is it. |
13 |
|
14 |
Sure, you can use an IP-in-IP tunnel...but that's retarded. IPSec was |
15 |
designed from the beginning to allow you to do things like sign your IP |
16 |
header and encrypt everything else (meaning your UDP, TCP, SCTP or what |
17 |
have you). |
18 |
|
19 |
Setting up a tunnel just so your IP header can be signed wastes another |
20 |
40 bytes for every non-fragmented packet. Ask someone trying to use data |
21 |
in a cellular context how valuable that 40 bytes can be. |
22 |
|
23 |
> You are wrong the biggest barrier is that it is not desirable to do |
24 |
> this as there are many reasons for firewalls to inspect incoming |
25 |
> packets. I don't agree with things like central virus scanning |
26 |
> especially by damn ISPs using crappy Huawei hardware, deep inspection |
27 |
> traffic shaping rather than pure bandwidth usage tracking or active |
28 |
> IDS myself but I do agree with scrubbing packets. |
29 |
|
30 |
It's not the transit network's job to scrub packets. Do your scrubbing |
31 |
at the VPN endpoint, where the IPSec packets are unwrapped. |
32 |
|
33 |
Trusting the transit network to scrub packets is antithetical to the |
34 |
idea of using security measures to avoid MITM and traffic sniffing |
35 |
attacks in the first place! |
36 |
|
37 |
> |
38 |
>> With IPsec, NAT is unnecessary. (You can still use it if you need |
39 |
>> it...but please try to avoid it!) |
40 |
>> |
41 |
> |
42 |
> Actually it is no problem at all and is far better than some of the |
43 |
> rubbish ipv6 encourages client apps to do. (See the links I sent in |
44 |
> the other mail) |
45 |
|
46 |
Please read the links before you send them, and make specific references |
47 |
to the content you want people to look at. I've read and responded to |
48 |
the links you've offered (which were links to archived messages on |
49 |
mailing lists, and the messages were opinion pieces with little (if any) |
50 |
technical material.) |
51 |
|
52 |
> |
53 |
>> Re "DNS support for IPv6" |
54 |
>> |
55 |
>> "Increased size of DNS responses due to larger addresses might be |
56 |
>> exploited for DDos attacks" |
57 |
>> |
58 |
>> That's not even significant. Have you looked at the size of DNS |
59 |
>> responses? The increased size of the address pales in comparison to |
60 |
>> the amount of other data already stuffed into the packet. |
61 |
> |
62 |
> It's been ages since I looked at that link and longer addresses |
63 |
> would certainly be needed anyway but certainly with DNSSEC again |
64 |
> concocted by costly unthoughtful and unengaging groups who chose to |
65 |
> ignore DJB and enable amplification attacks. |
66 |
|
67 |
What from DJB did they ignore? I honestly don't know what you're talking |
68 |
about. |
69 |
|
70 |
> |
71 |
> His latest on the "DNS security mess" |
72 |
> |
73 |
> http://cr.yp.to/talks/2013.02.07/slides.pdf |
74 |
|
75 |
I've never before in my life seen someone animate slideshow transitions |
76 |
and save off intermediate frames as individual PDF pages. That was painful. |
77 |
|
78 |
So, I read what was discussed there. First, he describes failings of |
79 |
HTTPSEC. I don't have any problem with what he's talking about there, |
80 |
honestly; it makes a reasonable amount of sense, considering |
81 |
intermediate caching servers aren't very common for HTTP traffic, and |
82 |
HTTPS traffic makes intermediate caching impossible. (unless you've |
83 |
already got serious security problems by way of a MITM opening.) |
84 |
|
85 |
Then he turns around and dedicates two slides showing a DNS delegation |
86 |
sequence...and then states in a single slide that DNSSEC has all the |
87 |
same problems as HTTPSEC. |
88 |
|
89 |
DNSSEC doesn't have the same problems as HTTPSEC, because almost *every* |
90 |
recursive resolving DNS server (which is most of the DNS servers on the |
91 |
Internet) employs caching. |
92 |
|
93 |
> |
94 |
>> "An attacker can connect to an IPv4-only network, and forge IPv6 |
95 |
>> Router Advertisement messages. (*)" |
96 |
> |
97 |
>> Again, this depends on them being on the same layer 2 network |
98 |
>> segment. |
99 |
> |
100 |
>> The same class of attacks would be possible for any IPv4 successor |
101 |
>> that implemented either RAs or DHCP. |
102 |
> |
103 |
> Neither of which I use. |
104 |
|
105 |
You're telling me you don't use DHCP? Seriously, that you statically |
106 |
configure the IPv4 addresses of all the hosts on your network? |
107 |
|
108 |
With one exception, I haven't personally seen a network configured in |
109 |
that way since 1998! Certainly, every network has some hosts configured |
110 |
statically, but virtually no network I've observed (and I've seen |
111 |
private networks between 2 and 50 hosts, and commercial networks between |
112 |
5 and 30k hosts) managed completely statically. |
113 |
|
114 |
> |
115 |
> As I said we would be here all day and that link wasn't as good as |
116 |
> the one I was actually looking for. |
117 |
> |
118 |
> local NAT done right is no problem and actually a good thing and I |
119 |
> have no issues playing games, running servers or anything else behind |
120 |
> NAT. |
121 |
|
122 |
See others' responses about port standardization, and about how it |
123 |
enforces a distinction between 'clients' and 'servers' that's |
124 |
unnecessary (and even harmful) for a variety of applications. |
125 |
|
126 |
> Global NAT works well enough |
127 |
|
128 |
With global NAT, anything you do that depends on port forwarding is broken. |
129 |
|
130 |
> but isn't a good thing and wouldn't exist if they had simply added |
131 |
> more addresses quickly. The hardware uptake would have been no issue |
132 |
> rather than a decade of pleads. |
133 |
|
134 |
There's almost nothing you've pointed at so far that would have |
135 |
prevented backbones from IPv6 uptake...and the backbones dragged their |
136 |
heels long enough. IPv4 with expanded address bits would have been |
137 |
worse; IPv6 explicitly includes features intended to ease the strain on |
138 |
the size of a global routing view! |
139 |
|
140 |
> |
141 |
> We haven't even touched on the code yet and so all the vulnerable |
142 |
> especially home hardware which yes often has vulnerable sps anyway |
143 |
> but by no way just home hardware. |
144 |
> |
145 |
> The ipvshit links give an insight into the code complexity. |
146 |
|
147 |
You call that code complex? (and I still don't know what 'ipvshit' is, |
148 |
except possibly one guy's pejorative description of IPv6) |
149 |
|
150 |
> Note OpenBSDs kernel which is very secure (unlike Linux whose |
151 |
> primary goal is function) |
152 |
|
153 |
I have no complaints about OpenBSD. |
154 |
|
155 |
> and has had just a few remote holes in well over a decade, one of |
156 |
> which was in ipv6 |
157 |
|
158 |
So OpenBSD, who you venerate, had a bug in its IPv6 implementation, and |
159 |
for that you view IPv6 as an abomination? Is that it? (Or is it because |
160 |
the guy who wrote the buggy code thinks so, and you venerate him? |
161 |
Because that seems plausible, too.) |
162 |
|
163 |
I like Linux, but I don't hold Linux (or any Linux developer) in |
164 |
veneration. I like Windows, but I don't hold Bill Gates, Balmer or any |
165 |
Microsoft dev in veneration. I like Android, but I don't hold Google or |
166 |
any Google employee in veneration. I dislike Macs, but I don't think of |
167 |
Steve Jobs as evil. |
168 |
|
169 |
> and which I had avoided without down time because I won't and what's |
170 |
> more shouldn't use ipv6 wherever possible |
171 |
|
172 |
Do you mean that as "I'll avoid IPv6 as much as possible" or do you mean |
173 |
that as "I won't use IPv6 in all places where it's possible to use IPv6"? |
174 |
|
175 |
If the latter, I'd agree; there are places you can use IPv6 where it |
176 |
probably won't make a whole lot of sense (i.e. on an HDMI cable, unless |
177 |
you have a particular need to provide network traffic to/from your TV). |
178 |
|
179 |
If the former, I'm afraid I still haven't seen a solid technical case |
180 |
against it. |
181 |
|
182 |
> and had actually removed it from the kernel all together. |
183 |
|
184 |
That's sensible; if you're not going to use code, remove it. |
185 |
|
186 |
> |
187 |
> If I am Trolling rather than simply trying to make people aware then |
188 |
> stating ipv6 is wonderful is Trolling just as much or more. |
189 |
|
190 |
IPv6 fixes things about the Internet that are currently broken by IPv4 |
191 |
address exhaustion. I try to point out where IPv6 fixes things, I try to |
192 |
clear up popular misconceptions about IPv6, and I try to help people |
193 |
understand a thing rather than simply fear it. |
194 |
|
195 |
If you take a highly competent IPv4 network administrator and drop him |
196 |
into IPv6 territory without ensuring that he has knowledge of IPv6 best |
197 |
practices and practical concerns, you're likely to get a broken network |
198 |
out of it. I try to help keep that from happening. |
199 |
|
200 |
The statements you've made that I regarded as trollish where were you |
201 |
made emotional statements and arguments without anything explanatory to |
202 |
back them up. In contrast, I've spent *hours* wading through the links |
203 |
you've thrown at me (without you yourself reading, I suspect), making |
204 |
point-by-point responses. |