[AusNOG] My Predictions for the ISP Industry
Mark Newton
newton at atdot.dotat.org
Thu Mar 15 14:21:47 EST 2012
On Thu, Mar 15, 2012 at 01:22:05PM +1100, Eric Pinkerton wrote:

> One of the things that I haven't seen much discussion about is that
> in turning on dual stack you are obviously increasing your attack
> surface.

Your attack surface is probably already increased, because autotunnelling
protocols mean your users are quite probably already running IPv6 behind
your back without even realizing it.

I did a presso that touched on that at AusCERT last year.

> of course because many of the current defensive measures are
> behind the curve here.

At a network level, why would the defensive measures be any different?
Mirror your IPv4 ACLs with IPv6 ACLs; your dual-stack firewall appliance
is probably already controlling both protocols.

> Also you can draw your own conclusions about the efficacy of current
> LI solutions where IPV6 is concerned.

Again: Why would they change?

> There are a number of exploits specifically targeting weaknesses within
> IPV6 and ICMP6 protocols, and research has put paid to earlier
> misguided perceptions that IPV6 is inherently more secure than
> its predecessor.

I don't think anyone ever seriously believed that IPv6 was or could
be inherently more secure than its predecessor. I mean, sure,
there've been a lot of years featuring a lot of people who don't
know what they're talking about saying a lot of things, but nobody
has actually listened to them, right?

> Add to this an increase in the opportunity for configuration
> mistakes and you start to appreciate why many organisations are
> in 'wait and see what everyone else does' mode.

Ah, right -- so that's how professionals in this industry deal with
things they don't know how to do these days, is it?

Despair.

- mark
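
An added example, not part of the post above or of the list archive: one way to check an IPv4-only network for the autotunnelled IPv6 the reply describes is to look for IPv6 headers carried inside IPv4 packets. It assumes the tunnels of interest are protocol-41 encapsulation (6to4, ISATAP) and Teredo through its server port, UDP 3544; `classify_tunnel`, the helpers and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41   # 6to4, ISATAP and configured 6in4 all use IP protocol 41
TEREDO_PORT = 3544        # UDP port of Teredo servers (RFC 4380)

def classify_tunnel(packet: bytes):
    """Return (kind, inner_src, inner_dst) if an IPv4 packet carries IPv6, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    proto, payload = packet[9], packet[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:
        kind = "proto41"
    elif (proto == PROTO_UDP and len(payload) >= 8
          and TEREDO_PORT in struct.unpack("!HH", payload[:4])):
        # Only traffic to or from a Teredo server port; peer-to-peer ports are not covered.
        kind, payload = "teredo", payload[8:]
    else:
        return None
    # Require a bare IPv6 header here; Teredo origin/authentication indications are skipped.
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    return (kind, str(ipaddress.IPv6Address(payload[8:24])),
            str(ipaddress.IPv6Address(payload[24:40])))

def _ipv4(proto, payload):
    """Constructed sample: minimal IPv4 header (checksum zero), documentation addresses."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address("198.51.100.1").packed) + payload

def _ipv6(src, dst):
    """Constructed sample: bare IPv6 header with no payload (next header 59)."""
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

SAMPLES = {  # constructed packets, not captured traffic
    "6to4": _ipv4(41, _ipv6("2002:c000:20a::1", "2001:db8::1")),
    "teredo": _ipv4(17, struct.pack("!HHHH", 51000, 3544, 48, 0)
                    + _ipv6("2001:0:c633:6401::1", "2001:db8::2")),
    "tcp": _ipv4(6, b"\x00" * 20),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_tunnel(pkt))
```

Any hit on a network that has not deployed IPv6 shows hosts reaching the IPv6 Internet through a path the IPv4 ACLs were never written to cover.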