In the interest of fair and balanced discussion.
Cheers,
Sabahattin
--- Begin Message ---
Folks,
I thought you might enjoy the slides of a talk about IPv6 security I
gave last week at LACNOG (http://www.lacnog.org). The slides are
available at:
http://www.gont.com.ar/talks/lacnog2010/fgont-lacno
I'm not a security guru, and will step aside instantly if someone with those
credentials says I'm wrong. However, from my perspective, the assertion that
IPv6 had any security properties that differed from IPv4 *at*all* has never
made any sense. It is essentially a marketing claim, and - well, w
On Tue, Oct 26, 2010 at 10:39 PM, Fred Baker wrote:
> In the scope of things, why does having one out of the many needed tools
> make
> IPv6 different than IPv4, especially given that the indicated tool is present
> in both
> IPv4 and IPv6 implementations?
>
> Scratch-a-my-head. I don't see i
Roger Jørgensen wrote:
> Sent: Tuesday, October 26, 2010 1:53 PM
> To: Fred Baker; IETF Discussion
> Subject: Re: [Full-disclosure] IPv6 security myths
>
> On Tue, Oct 26, 2010 at 10:39 PM, Fred Baker wrote:
>
> > In the scope of things, why does having one out of the
Hi, Tony,
>> I have a feeling the idea that IPv6 add something to security might
>> be linked back to the IPsec focus real early on in the IPv6 era,
>> like years and years ago. Why it happen or how, I don't really
>> know.
>
> How it happened? --- Ever heard of NAT? At the time IPsec through
>
Hi, Fred,
> I'm not a security guru, and will step aside instantly if someone
> with those credentials says I'm wrong. However, from my perspective,
> the assertion that IPv6 had any security properties that differed
> from IPv4 *at*all* has never made any sense. It is essentially a
> marketing cl
On Oct 25, 2010, at 5:46 AM, Masataka Ohta wrote:
> Sabahattin Gucukoglu wrote:
>
>> In the interest of fair and balanced discussion.
>
> It is of course that, merely because IPv6 makes IPsec mandatory,
> IPv6 can not be more secure than IPv4.
>
> But, the real problem of IPsec is that it expe
> "Fred" == Fred Baker writes:
Fred> I'm not a security guru, and will step aside instantly if
Fred> someone with those credentials says I'm wrong. However, from
Fred> my perspective, the assertion that IPv6 had any security
Fred> properties that differed from IPv4 *at*all* ha
On 10/26/2010 3:05 PM, Michael Richardson wrote:
The major *security* advantage of IPv6 is that it removes 90% of
complexity of IPv4 networks that results from layers of NAT, and then
series of port-forwards through them.
That's an operational hope, not a technical or operational fact.
It i
On Oct 26, 2010, at 14:18, Fernando Gont wrote:
>
> Sorry, but I don't follow. If the problem with widespread deployment of
> IPsec was NAT traversal, why didn't we see widespread IPsec deployment
> (for the general case) e.g. once RFC 3948 was published?
RFC 3498 really only made a variant of tu
> "Fernando" == Fernando Gont writes:
>> How it happened? --- Ever heard of NAT? At the time IPsec
>> through nat did not widely exist, and even implementations that
>> figured out udp had the problem that the cert often included a
>> 1918 address which didn't match the packe
On Tue, 26 Oct 2010, Michael Richardson wrote:
> Partly. I also expect "VPN" use to get reduced, since 90% of VPNs are
> really just remote-access systems necessary due to NAT, not security.
In my experience, VPNs are used for secure connections between two private
networks ... the existence of
Michael,
> The major *security* advantage of IPv6 is that it removes 90% of
> complexity of IPv4 networks that results from layers of NAT, and then
> series of port-forwards through them.
You seem to be assuming that there will not be middle-boxes with IPv6.
-- NAT64, for example, doesn't seem to
Michael Richardson wrote:
> The major *security* advantage of IPv6 is that it removes 90% of
> complexity of IPv4 networks that results from layers of NAT, and then
> series of port-forwards through them.
See page 13 of the slide of Gont stating:
Ironically, NAT66 is one of the most freq
> "Fred" == Fred Baker writes:
Fred> By the way, I don't buy the assertion that the PKI has to be
Fred> global; if it did have to be global, I suspect one would have
Fred> come into existence.
Quite a number of ideas and protocols have suffered because of the lack
of such a thing
> "David" == David Morris writes:
>> Partly. I also expect "VPN" use to get reduced, since 90% of VPNs
>> are really just remote-access systems necessary due to NAT, not
>> security.
David> In my experience, VPNs are used for secure connections between
David> two private n
> "Dave" == Dave CROCKER writes:
>> The major *security* advantage of IPv6 is that it removes 90% of
>> complexity of IPv4 networks that results from layers of NAT, and
>> then series of port-forwards through them.
Dave> That's an operational hope, not a technical or operation
Michael,
> For instance, a reason to create a new network "zone" is because we
> don't provide printers with decent access control lists (authorization),
> instead, we make them wide open and then throw WPA on the wireless so
> that it's "secure", and then assume if you've authenticated, you are
>
I would be quite curious to know your definition of failure, given that
IPsec is currently deployed, and working in "more than a few" deployments
...
On a possibly related note, IPv6 use deployed and working too ...
/TJ
On Oct 27, 2010 12:08 PM, "Masataka Ohta"
wrote:
> Steven Bellovin wrote:
>
> TJ [trej...@gmail.com] wrote:
> I would be quite curious to know your definition of failure, given that
> IPsec is currently deployed, and working in "more than a few" deployments
> On a possibly related note, IPv6 use deployed and working too ...
Failure means that, I leave in the capital city
TJ wrote:
> I would be quite curious to know your definition of failure, given that
> IPsec is currently deployed, and working in "more than a few" deployments
> ...
Sorry for lack of clarification.
My context is IPsec in the Internet, which excludes VPNs.
Do you know some major application over
In your previous mail you wrote:
My context is IPsec in the Internet, which excludes VPNs.
=> this is a bit unfair: VPNs are the natural model for IPsec use
(putting back a uniform I could talk about red and black :-).
Do you know some major application over the Internet using IPsec
Francis Dupont wrote:
> In your previous mail you wrote:
>
> My context is IPsec in the Internet, which excludes VPNs.
>
> => this is a bit unfair: VPNs are the natural model for IPsec use
> (putting back a uniform I could talk about red and black :-).
It's fair as we are talking about
If you mean widespread, point to point / peer to peer IPsec - yes, there is
a distinct lack of (free, easy, global) PKI out there.
There are steps in the right direction though, such as MS's Direct Access
...
/TJ
On Oct 31, 2010 12:02 AM, "Masataka Ohta"
wrote:
> TJ wrote:
>> I would be quite cu
On Oct 31, 2010, at 12:00 AM, Masataka Ohta wrote:
> TJ wrote:
>> I would be quite curious to know your definition of failure, given that
>> IPsec is currently deployed, and working in "more than a few" deployments
>> ...
>
> Sorry for lack of clarification.
> My context is IPsec in the Internet
Hadriel Kaplan wrote:
>> Do you know some major application over the Internet using IPsec
>> with transport mode?
>
> Yes: SIP. SIP/UDP over IPsec in transport mode on the Internet
> is not uncommon. Arguably more common than SIP over TLS,
> anyway... though that's expected to change. (and of c
> "Masataka" == Masataka Ohta writes:
Masataka> My context is IPsec in the Internet, which excludes VPNs.
Masataka> Do you know some major application over the Internet using
Masataka> IPsec with transport mode?
Why the restriction of *over*?
Dozens of IETF specifications are no
Michael Richardson wrote:
>> "Masataka" == Masataka Ohta writes:
> Masataka> My context is IPsec in the Internet, which excludes VPNs.
>
> Masataka> Do you know some major application over the Internet using
> Masataka> IPsec with transport mode?
>
> Why the restriction of
Sabahattin Gucukoglu wrote:
> In the interest of fair and balanced discussion.
It is of course that, merely because IPv6 makes IPsec mandatory,
IPv6 can not be more secure than IPv4.
But, the real problem of IPsec is that it expected some PKI
could have provided the end to end security.
However
Hi, Masataka,
>> In the interest of fair and balanced discussion.
>
> It is of course that, merely because IPv6 makes IPsec mandatory,
> IPv6 can not be more secure than IPv4.
That was indeed the point of that slide. -- that aside, IPsec is a
"SHOULD" (rather than a "MUST") in the latest node-re
Fernando Gont wrote:
> IPsec is a
> "SHOULD" (rather than a "MUST") in the latest node-reqs-bis document
Too late, too little.
> []
>> For the end to end security, only the end systems requiring the
>> security are required to deploy mechanisms for the security,
>> which means it is not nece
Perhaps I should have said deployable ... Although it is deployed in some
places, and growing rapidly - I'd be surprised if your situation didn't
change over the next 12-15 months ...
/TJ
On Oct 30, 2010 11:28 PM, "Michel Py"
wrote:
>> TJ [trej...@gmail.com] wrote:
>> I would be quite curious t