Comments on: IPv6 And Security Architecture Changes http://www.seanconvery.com/weblog/2008/03/31/ipv6-and-security-architecture-changes/ Ruminations on Information Technology Thu, 26 Feb 2009 14:43:38 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Sean http://www.seanconvery.com/weblog/2008/03/31/ipv6-and-security-architecture-changes/comment-page-1/#comment-52 Sean Tue, 29 Apr 2008 21:30:36 +0000 http://www.seanconvery.com/weblog/2008/03/31/ipv6-and-security-architecture-changes/#comment-52 Hi Ed, I think the biggest initial deployment challenge will quite simply be inexperience with the technology. There is very little understanding of IPv6 in the networking community, let alone IPv6 security considerations. I do agree that there will be implementation flaws and we're probably only beginning to detect them. In the meantime, dual-stack systems with IPv4 and IPv6 running concurrently represent a very interesting attack vector as you can use a potentially insecure IPv6 stack to get onto the IPv4 network. In my testing back in 2004 there were instances of personal firewalls only protecting the IPv4 portion of the connectivity and leaving the IPv6 portion completely wide open. Fuzzing IPv6 stacks will certainly yield some flaws, not sure if anyone's done anything comprehensive yet. Hi Ed,

I think the biggest initial deployment challenge will quite simply be inexperience with the technology. There is very little understanding of IPv6 in the networking community, let alone IPv6 security considerations.

I do agree that there will be implementation flaws and we’re probably only beginning to detect them. In the meantime, dual-stack systems with IPv4 and IPv6 running concurrently represent a very interesting attack vector as you can use a potentially insecure IPv6 stack to get onto the IPv4 network. In my testing back in 2004 there were instances of personal firewalls only protecting the IPv4 portion of the connectivity and leaving the IPv6 portion completely wide open.

Fuzzing IPv6 stacks will certainly yield some flaws, not sure if anyone’s done anything comprehensive yet.

]]> By: Edward Vielmetti http://www.seanconvery.com/weblog/2008/03/31/ipv6-and-security-architecture-changes/comment-page-1/#comment-53 Edward Vielmetti Tue, 29 Apr 2008 15:07:04 +0000 http://www.seanconvery.com/weblog/2008/03/31/ipv6-and-security-architecture-changes/#comment-53 Sean - Do you think that the biggest initial deployment security issues in IPv6 will revolve around implementation correctness, and the ability to test for same? What comes to mind quickly is things like IPv6 fuzzing a la http://seclists.org/pen-test/2008/Apr/0136.html which calls for the need for systematic ways to test correctness without knowing a priori what parts of the system are likely to break first. Sean -

Do you think that the biggest initial deployment security issues in IPv6 will revolve around implementation correctness, and the ability to test for same?

What comes to mind quickly is things like IPv6 fuzzing a la

http://seclists.org/pen-test/2008/Apr/0136.html

which calls for the need for systematic ways to test correctness without knowing a priori what parts of the system are likely to break first.

]]>