DeanD

join:2013-03-22
48067-3579

criticisms of IPv6?

Hello, I work at a fairly big company in metro Detroit. I've been trying to learn more about IPv6 since at least 2008. Typically here in the states working network managers don't seem too interested in IPv6. If they have their 10 dot, they're fine with that. I just had the network manager here say there are new RFCs coming out all the time, it isn't mature, it isn't stable, and likely less secure than v4. He cited ARP poisoning as an example. He said the same problem exists in v6, but it is worse. Crackers who know v6 may know it much better than people at companies. So he is happy to not be on IPv6, and wants to wait 5 or 10 years for other people to work out the kinks. Meanwhile no ISP that I know of offers it here. Comcast talked about it but never delivered and they are overpriced.

Anyone have any thoughts, reactions?



Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL

1 recommendation

I think my biggest criticism is not with IPv6 itself, but the fact that hardware vendors are extremely behind with implementing it. I also criticize the userbase for not wanting to let go of NAT (this baffles me) and/or adopting to a different way of thinking when it comes to general networking.

said by DeanD:

Typically here in the states working network managers don't seem too interested in IPv6

That's because we're not truly under the gun to switch to v6 yet. IANA may be out of v4 addresses, but ARIN still has unallocated ranges. There are also v4 addresses still being traded around, so we're not completely out for them... yet...

said by DeanD:

I just had the network manager here say there are new RFCs coming out all the time, it isn't mature, it isn't stable, and likely less secure than v4.

The protocol itself is stable. I have it implemented in a lot of places and it works without issue. It took a lot of hands on work with my hardware vendors to get there though. I believe the security misconceptions of v6 tie hand in hand with the security misconceptions of NAT. People think NAT provides security. It does not. NAT provides obscurity, which is never the best model to use for security.

said by DeanD:

He cited ARP poisoning as an example. He said the same problem exists in v6, but it is worse.

I can't really comment on this except for the fact that ARP has been replaced by features built directly into ICMP6. It doesn't make me afraid to use it though. If you have the citation of the issue, I would love to see it for my own reference as I'm still in the learning process of v6 myself.

Here are my own criticisms of the v6 protocol as it stands now:
*Router Advertisements are widely used as a replacement for DHCP, but lack features. A good example of this is the ability to have DNS servers defined in the messages that define your IP address. DHCP does this for you. Router Advertisements do not.

*If you don't own your own IP addresses, you're at the mercy of your ISP for your internal network address ranges. I've used Comcast a few times for v6. They typically hand out a /64 prefix of addresses. This means that the first half of your IP address is defined by the ISP. If your ISP decides to give you a different address range, your internal network config is completely botched.

In the end, IPv6 is the inevitable future. It's here to stay and we must start learning to work with it. I feel that the longer you procrastinate implementing it, the further behind you'll be when the time comes where you must implement it.
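To make the RA-versus-DHCP point above concrete, here is an added example (not code from any poster in this thread) that decodes an ICMPv6 Router Advertisement and reports what a host is actually told: the SLAAC prefix, the M and O flags that send it to DHCPv6, and whether an RDNSS option (RFC 6106, later RFC 8106) carries DNS servers at all. The RA byte strings are constructed in the block itself; the prefix 2001:db8:1::/64, the DNS server 2001:db8::53 and the router MAC are placeholder values, and the ICMPv6 checksum is left at zero because nothing is put on the wire.

```python
"""Decode ICMPv6 Router Advertisements and report what a host is actually told:
the SLAAC prefix, the M/O flags that send it to DHCPv6, and whether an RDNSS
option (RFC 6106 / RFC 8106) carries DNS servers at all.

Added example, not code from the thread. The RA byte strings are constructed
here for illustration; 2001:db8:1::/64 and 2001:db8::53 are documentation
values, and the ICMPv6 checksum is left at zero because nothing goes on the wire.
"""
import ipaddress
import struct
from typing import List, Optional

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3
OPT_RDNSS = 25            # Recursive DNS Server option

FLAG_MANAGED = 0x80       # M: get addresses from DHCPv6
FLAG_OTHER = 0x40         # O: get other configuration (e.g. DNS) from DHCPv6


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an RA starting at the ICMPv6 header; rejects malformed options."""
    if len(payload) < 16:
        raise ValueError("RA shorter than the fixed 16-byte header")
    (icmp_type, _code, _csum, hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"ICMPv6 type {icmp_type} is not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & FLAG_MANAGED),
          "other_config": bool(flags & FLAG_OTHER), "router_lifetime": router_lifetime,
          "source_mac": None, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:                       # RFC 4861 4.6: length 0 is invalid
            raise ValueError("zero-length ND option")
        end = off + opt_len * 8                # option length is in units of 8 octets
        if end > len(payload):
            raise ValueError("ND option runs past end of packet")
        body = payload[off + 2:end]            # option contents after type/len
        if opt_type == OPT_SOURCE_LINK_LAYER and opt_len == 1:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags = body[0], body[1]
            valid, preferred = struct.unpack("!II", body[2:10])   # body[10:14] reserved
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),   # A flag: SLAAC allowed from this prefix
                "valid_lifetime": valid, "preferred_lifetime": preferred})
        elif opt_type == OPT_RDNSS and opt_len >= 3 and (opt_len - 1) % 2 == 0:
            lifetime = struct.unpack("!I", body[2:6])[0]         # body[0:2] reserved
            for i in range(6, len(body), 16):
                ra["rdnss"].append({"server": str(ipaddress.IPv6Address(body[i:i + 16])),
                                    "lifetime": lifetime})
        # unknown option types are skipped, as RFC 4861 requires
        off = end
    return ra


def dns_source(ra: dict) -> str:
    """Where a host receiving this RA would learn its DNS servers."""
    if ra["rdnss"]:
        return "rdnss"
    if ra["managed"] or ra["other_config"]:
        return "dhcpv6"
    return "none"          # SLAAC address, no DNS: the gap the post complains about


def build_ra(flags: int, prefix: str, dns: Optional[List[str]] = None,
             router_mac: bytes = b"\x00\x11\x22\x33\x44\x01") -> bytes:
    """Construct a test RA (not captured traffic): header, SLLA, PIO, optional RDNSS."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    slla = struct.pack("!BB", OPT_SOURCE_LINK_LAYER, 1) + router_mac
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                      0xC0, 86400, 14400, 0) + net.network_address.packed   # L=1, A=1
    rdnss = b""
    if dns:
        rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 3600) + \
                b"".join(ipaddress.IPv6Address(a).packed for a in dns)
    return hdr + slla + pio + rdnss


if __name__ == "__main__":
    for label, flags, dns in (("SLAAC only", 0, None),
                              ("SLAAC + O flag", FLAG_OTHER, None),
                              ("SLAAC + RDNSS", 0, ["2001:db8::53"])):
        ra = parse_router_advertisement(build_ra(flags, "2001:db8:1::/64", dns))
        print(f"{label:15s} prefixes={[p['prefix'] for p in ra['prefixes']]} "
              f"M={ra['managed']} O={ra['other_config']} dns via {dns_source(ra)}")
```

The first constructed RA is the situation the post describes: a host gets an address by SLAAC and no DNS at all. The second sets the O flag, which is the router's way of saying "ask DHCPv6 for the rest", and the third carries the DNS server in the RA itself via RDNSS. Whether a given client honours RDNSS or the O flag is a per-OS question that a capture of your own RAs, fed to this parser, will let you check against observed behaviour.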


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10

1 recommendation

reply to DeanD

Oh boy, where to start ? I guess I'll work my comments in between yours:

said by DeanD:

I've been trying to learn more about IPv6 since at least 2008.

That is the correct approach to take. Ideally combine the theory with some practical experience as well. The Hurricane Electric free IPv6 certification training and free IPv6 tunnels are highly recommended.
said by DeanD:

Typically here in the states working network managers don't seem too interested in IPv6. If they have their 10 dot, they're fine with that.

You are absolutely correct about that but I don't think that is a good thing.
said by DeanD:

I just had the network manager here say there are new RFCs coming out all the time, it isn't mature, it isn't stable, and likely less secure than v4.

Hmmm, yes there are new RFCs coming out all the time and every once in a while there is an erratum for an existing RFC on the Standards Track. A quick look at the IETF or RFC-Editor websites for recent RFCs (last 14 days, 12 most recent) shows none that are specifically related to IPv6.
The fact is that IPv6 is old. A lot of the original ideas have indeed been tried, found wanting and some have been amended or obsoleted. All major operating systems implement IPv6 (for some time now) and whatever may be added to IPv6 in future will have to be compatible with today's standard compliant implementations.
said by DeanD:

He cited ARP poisoning as an example. He said the same problem exists in v6, but it is worse.

I wonder in what way spoofing of Neighbor Announcements (a function of ND, Neighbor Discovery) is supposed to be worse than ARP poisoning?
Both are clearly very similar in nature. Performing such spoofing as an attack in either IPv4 or IPv6 requires a level of access by the attacker that makes it only useful for a malicious insider or someone that has already successfully penetrated your network defenses. In either case you probably have bigger problems than misdirected traffic for a specifically targeted system.
There is a specification for a secure version of neighbor discovery (SEND) that solves that problem in IPv6.
said by DeanD:

Crackers who know v6 may know it much better than people at companies. So he is happy to not be on IPv6, and wants to wait 5 or 10 years for other people to work out the kinks.

There is a definite learning curve to IPv6. It is probably even harder for those of us who are intimately familiar with IPv4 because it is so easy to think it would all be the same, just with a bigger address (only to be tripped up by the differences).
The part about crackers knowing more about IPv6 than most network managers is likely to be true but entirely the fault of those network managers! There is no excuse to wait until circumstances force them to use IPv6. The time to learn IPv6 properly is now while the production use is still on the horizon. It is too late to play catch-up when that day arrives and the network manager is unprepared.
Ignorance of IPv6 does not protect those managers' networks. There are already IPv6 related security threats that apply even to networks where routers and firewalls block IPv6 but internal hosts establish opportunistic IPv6 tunnels over the existing IPv4 infrastructure.
said by DeanD:

Meanwhile no ISP that I know of offers it here. Comcast talked about it but never delivered and they are overpriced.

Comcast appears to be the one US ISP serving residential customers that has a good IPv6 strategy and also appears well advanced in implementing it.
For commercial Internet access with IPv6 I would trust Hurricane Electric (he.com) to be the most experienced ISP.
I know AT&T (business, not residential) is still giving me evasive answers every time I bring up the topic of IPv6.
said by DeanD:

Anyone have any thoughts, reactions?

What more ?
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!
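The point above about hosts opening opportunistic IPv6 tunnels on an "IPv4-only" network is the one a practitioner can check today. Here is an added example (not code from any poster in this thread) that spots the two common encapsulations in flow records, protocol 41 (6in4, 6to4, ISATAP) and Teredo on UDP/3544, and recognises the transition-technology IPv6 prefixes on hosts, recovering the embedded IPv4 endpoints. The flow lines and addresses are constructed from documentation ranges, not captured data.

```python
"""Find opportunistic IPv6 tunnels running over an IPv4-only network: protocol 41
encapsulation (6in4, 6to4, ISATAP) and Teredo (UDP/3544) in flow records, and
the transition-technology IPv6 prefixes on hosts, with the embedded IPv4
addresses recovered so the tunnel endpoint can be identified.

Added example, not code from the thread. The flow records and addresses are
constructed from RFC 5737 / RFC 3849 documentation ranges, not captured data.
"""
import ipaddress
from typing import Dict, List, Optional

PROTO_IPV6_IN_IPV4 = 41   # 6in4, 6to4 and ISATAP all encapsulate this way
PROTO_UDP = 17
TEREDO_PORT = 3544        # Teredo server/relay port

# constructed flow records: src_ip,dst_ip,proto,sport,dport,bytes
SAMPLE_FLOWS = [
    "10.1.2.3,203.0.113.9,41,0,0,9420",          # protocol 41 to an outside relay
    "10.1.2.4,192.0.2.5,17,50422,3544,1800",     # Teredo qualification traffic
    "10.1.2.5,198.51.100.7,6,51000,443,200000",  # ordinary HTTPS, should not match
    "10.1.2.6,10.1.2.1,17,53444,53,120",         # DNS, should not match
]


def suspicious_flows(lines: List[str]) -> List[Dict[str, str]]:
    """Return hosts whose flows indicate IPv6-over-IPv4 tunnelling."""
    hits = []
    for line in lines:
        src, dst, proto, sport, dport, _nbytes = line.strip().split(",")
        proto, sport, dport = int(proto), int(sport), int(dport)
        if proto == PROTO_IPV6_IN_IPV4:
            hits.append({"host": src, "kind": "proto41", "peer": dst})
        elif proto == PROTO_UDP and TEREDO_PORT in (sport, dport):
            hits.append({"host": src, "kind": "teredo", "peer": dst})
    return hits


def classify_ipv6(addr: str) -> Optional[Dict[str, object]]:
    """Recognise 6to4, Teredo and ISATAP addresses and pull out the IPv4 inside them."""
    a = ipaddress.IPv6Address(addr)
    p = a.packed
    if a in ipaddress.IPv6Network("2002::/16"):            # 6to4: 2002:V4ADDR::/48
        return {"kind": "6to4", "ipv4": str(ipaddress.IPv4Address(p[2:6]))}
    if a in ipaddress.IPv6Network("2001::/32"):            # Teredo (RFC 4380)
        # 2001:0000:SERVER(32):FLAGS(16):~PORT(16):~CLIENT(32); port and client XORed with ones
        server = ipaddress.IPv4Address(p[4:8])
        port = int.from_bytes(p[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16]))
        return {"kind": "teredo", "server_ipv4": str(server),
                "client_ipv4": str(client), "port": port}
    iid = p[8:16]                        # ISATAP IID: ::0:5efe:V4ADDR or ::200:5efe:V4ADDR
    if iid[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return {"kind": "isatap", "ipv4": str(ipaddress.IPv4Address(iid[4:8]))}
    return None


if __name__ == "__main__":
    for hit in suspicious_flows(SAMPLE_FLOWS):
        print("flow:", hit)
    for addr in ("2002:cb00:7109::1", "2001:0:c000:205:8000:63bf:34ff:8ef6",
                 "fe80::5efe:a01:203", "2001:db8::1"):
        print(f"{addr:40s} -> {classify_ipv6(addr)}")
```

Blocking protocol 41 and UDP/3544 at the IPv4 edge closes these paths, but the flow check is still worth running: a host that keeps trying tells you which machines have auto-tunnelling enabled, and the decoded Teredo server address tells you which relay they were talking to.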


rchandra
Stargate Universe fan
Premium
join:2000-11-09
14225-2105

1 recommendation

Moreover, I am not aware of any secure ARP analogue to SEND. So arguably, an IPv6 network has the potential to be more secure than an IPv4 one.



dslcreature
Premium
join:2010-07-10
Seattle, WA

1 recommendation

reply to Clever_Proxy

said by Clever_Proxy:

I can't really comment on this except for the fact that ARP has been replaced by features built directly into ICMP6. It doesn't make me afraid to use it though. If you have the citation of the issue, I would love to see it for my own reference as I'm still in the learning process of v6 myself.

The implications for compromise, whether it is v4's ARP or v6 ND, are more or less the same (very bad). However, we also have to consider the amount of existing gear with measures in place to deal with port/ARP-based mischief. Sadly almost none of this can be reused to protect IPv6; the v6 analogue "RA Guard" usually requires replacing hardware.

Having said this, nobody has the choice of ignoring IPv6 outright. You at least have to block it at the switch. If something on the network starts advertising IPv6 then hosts will use it by default over IPv4 with the same consequences ARP security was meant to protect against.

said by Clever_Proxy:

Here are my own criticisms of the v6 protocol as it stands now:
*Router Advertisements are widely used as a replacement for DHCP, but lack features. A good example of this is the ability to have DNS servers defined in the messages that define your IP address. DHCP does this for you. Router Advertisements do not.

Yes, I think of RAs as more of a complement/bootstrap for DHCPv6 and not so much replacement or competition. The M bit within RA is what actually triggers DHCP. There are also deployed extensions (RFC6101) to support DNS within RA except not nearly as useful as DHCPv6 in terms of options for host configuration.

said by Clever_Proxy:

*If you don't own your own IP addresses, you're at the mercy of your ISP for your internal network address ranges. I've used Comcast a few times for v6. They typically hand out a /64 prefix of addresses. This means that the first half of your IP address is defined by the ISP. If your ISP decides to give you a different address range, your internal network config is completely botched.

Hopefully ISPs make v6 more sticky than v4.

A new hazard is IPv6's seemingly infinite address space. It allows someone external to the local network to generate broadcast (cough.. multicast) messages on the local network by flooding a prefix with requests to random addresses. Each address requires an ND query to resolve, consuming broadcast bandwidth on the local "wire". If this wire happens to be an Ethernet-based wireless network with a series of low-power clients running on batteries, it can be problematic.

If I were to lob one criticism of IPv6 it would be the stateless meme I think has been shown to be pointless and dangerous in the real world.
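The three ND hazards raised across these posts (spoofed Neighbor Advertisements as the ND counterpart of ARP poisoning, a rogue device advertising itself as a router, and a remote scan of the /64 driving Neighbor Solicitations for addresses nobody owns) all leave a footprint in ICMPv6 traffic that an IPv4-era switch feature set does not inspect. Here is an added example (not code from any poster in this thread) with one detector for each, run over a constructed trace of ND events. The inventory of address-to-MAC bindings, the authorised router MAC and every address and timestamp in the trace are invented for illustration.

```python
"""Three checks on Neighbor Discovery traffic that the IPv4-era switch features
(DHCP snooping, dynamic ARP inspection) do not cover: Neighbor Advertisements
that re-bind a known address to another MAC (the ND analogue of ARP poisoning),
Router Advertisements from anything but the real router (what RA Guard filters),
and bursts of Neighbor Solicitations for never-seen addresses inside the local
/64 (the neighbor-cache exhaustion a remote scan of the prefix causes).

Added example, not code from the thread. The ND events, MACs and addresses are
constructed to exercise each check; nothing here was captured from a network.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

RA, NS, NA = 134, 135, 136       # ICMPv6 message types


@dataclass(frozen=True)
class NDEvent:
    ts: float                # seconds since capture start
    src_mac: str             # Ethernet source address
    icmp_type: int
    target: str = "::"       # NS/NA target address
    lladdr: str = ""         # link-layer address option carried in the message
    override: bool = False   # NA O flag: "overwrite any cached entry"


def spoofed_advertisements(events: Iterable[NDEvent], known: Dict[str, str]) -> List[str]:
    """NAs that claim an address the inventory binds to a different MAC."""
    alerts = []
    for e in events:
        if e.icmp_type != NA:
            continue
        expected = known.get(e.target)
        if expected and e.lladdr.lower() != expected.lower():
            alerts.append(f"NA spoof: {e.target} now claims {e.lladdr}, inventory says {expected}"
                          f"{' (override set)' if e.override else ''}")
    return alerts


def rogue_router_advertisements(events: Iterable[NDEvent], allowed_router_macs) -> List[str]:
    """RAs whose sender is not an authorised router; hosts would take a new default route."""
    allowed = {m.lower() for m in allowed_router_macs}
    return [f"rogue RA from {e.src_mac} advertising {e.lladdr}"
            for e in events if e.icmp_type == RA and e.src_mac.lower() not in allowed]


def solicitation_flood(events: Iterable[NDEvent], prefix: str, known: Dict[str, str],
                       window: float = 1.0, threshold: int = 10) -> List[str]:
    """Per time window, count distinct NS targets in `prefix` that no inventory entry
    explains. A router resolving a flood of random addresses is what fills its cache."""
    net = ipaddress.IPv6Network(prefix)
    per_window = defaultdict(set)
    for e in events:
        if e.icmp_type == NS and e.target not in known and ipaddress.IPv6Address(e.target) in net:
            per_window[int(e.ts // window)].add(e.target)
    return [f"NS flood: {len(targets)} unknown targets in {prefix} at t={w * window:.0f}s"
            for w, targets in sorted(per_window.items()) if len(targets) >= threshold]


def sample_events() -> List[NDEvent]:
    """Constructed ND trace: one legitimate NA, one spoof of the router's address,
    one rogue RA, one genuine RA, then twelve NS for random hosts within a second."""
    router_mac, host_mac, attacker_mac = "00:11:22:33:44:01", "aa:bb:cc:dd:ee:10", "de:ad:be:ef:00:01"
    ev = [
        NDEvent(0.0, host_mac, NA, "2001:db8:1::10", host_mac),
        NDEvent(1.0, attacker_mac, NA, "2001:db8:1::1", attacker_mac, override=True),
        NDEvent(2.0, attacker_mac, RA, lladdr=attacker_mac),
        NDEvent(3.0, router_mac, RA, lladdr=router_mac),
    ]
    ev += [NDEvent(5.0 + i * 0.05, router_mac, NS, f"2001:db8:1::{i:x}:beef") for i in range(12)]
    return ev


KNOWN = {"2001:db8:1::1": "00:11:22:33:44:01", "2001:db8:1::10": "aa:bb:cc:dd:ee:10"}
ROUTERS = ["00:11:22:33:44:01"]


def run_all(events=None) -> Dict[str, List[str]]:
    """Run all three detectors over a trace (defaults to the constructed sample)."""
    events = list(events if events is not None else sample_events())
    return {"spoof": spoofed_advertisements(events, KNOWN),
            "rogue_ra": rogue_router_advertisements(events, ROUTERS),
            "ns_flood": solicitation_flood(events, "2001:db8:1::/64", KNOWN)}


if __name__ == "__main__":
    for name, alerts in run_all().items():
        print(name, alerts or "clean")
```

The spoof check needs an inventory of which MAC legitimately owns which address, the same prerequisite dynamic ARP inspection has on the IPv4 side, so it is only as good as that inventory. The NS-flood check watches the router's own solicitations rather than the inbound scan, because the NS burst is what is visible on the link regardless of where the scan came from; the usual mitigations on the router are a bounded neighbor cache and rate-limited resolution of unknown targets.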


Clever_Proxy
Premium
join:2004-05-14
Villa Park, IL

1 recommendation

said by dslcreature:

Hopefully ISPs make v6 more sticky than v4.

You said the key word: hopefully

What scares me a bit is that ISPs currently have no obligation to keep you on the same prefix - unless you have static prefixes, of course. Granted, Link-Local's utilization is drastically different from v4 so things should technically still work if your Global range gets mucked up. If you're configured as a routed network, you're pretty screwed no matter what...