Re: [v4tov6transition] Ways to break IPv6

Joel Jaeggli <joelja@bogus.com> Wed, 13 October 2010 06:48 UTC

I love how we talk about what they will do in the future tense. They do this today. My corporate laptops have had v6 broken in various sundry ways by bad policy and retarded security products across three employers since 2007. As long as v6 has been enabled in systems, people have been disabling it deliberately, or worse, breaking it in ways that make you wonder how these companies keep v4 working; in point of fact, sometimes they don't.

Joel's widget number 2

On Oct 12, 2010, at 19:40, Ed Jankiewicz <edward.jankiewicz@sri.com> wrote:

> This is not a surprise; it is something that has been predicted by many as one of the "growing pains" of IPv6 transition.  Firewalls and other security software will "support" IPv6 initially by just blocking it - too much work (and too little demand) for a real implementation.
> 
> Just loaded an updated version of the commercial anti-virus package that I've been using, let it remain nameless, it is certainly not the only offender in this area.  Unlike the previous version this includes an enhancement - it blocks all IPv6 and IPv6 over IPv4 traffic by default.  The firewall rule can be disabled.
> 
> If you are a network operator, there is a lot of mischief that can be done by software that the end-user downloads onto their machines that can make IPv6 appear broken.  This is another area that should get some attention - how will customer service and help desk people be trained to deal with "connectivity" problems the user can cause themselves?
> 
> It took me a while to figure this out, and I'm one of the people who frequently predicted this would happen.  Imagine your average end-user who knows nothing about IPv6 and expects that "it just works".  Also, many books, websites and other security advice say "when in doubt, turn off IPv6".  At least in the foreseeable future, this will continue to be impedance against the uptake of IPv6.
> 
> 
> -- 
> Ed Jankiewicz - SRI International
> Fort Monmouth Branch Office - IPv6 Research
> Supporting DISA Standards Engineering Branch
> 732-389-1003 or  ed.jankiewicz@sri.com