Re: [v4tov6transition] Ways to break IPv6

Ed Jankiewicz <edward.jankiewicz@sri.com> Wed, 13 October 2010 14:14 UTC

Return-Path: <edward.jankiewicz@sri.com>
X-Original-To: v4tov6transition@core3.amsl.com
Delivered-To: v4tov6transition@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 672E83A6B86 for <v4tov6transition@core3.amsl.com>; Wed, 13 Oct 2010 07:14:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.563
X-Spam-Level:
X-Spam-Status: No, score=-1.563 tagged_above=-999 required=5 tests=[AWL=0.483, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XhsJ-SdlI4Lk for <v4tov6transition@core3.amsl.com>; Wed, 13 Oct 2010 07:14:36 -0700 (PDT)
Received: from mail1.sri.com (newmail.SRI.COM [128.18.30.17]) by core3.amsl.com (Postfix) with ESMTP id 8C2FF3A6973 for <v4tov6transition@ietf.org>; Wed, 13 Oct 2010 07:12:38 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII; format=flowed
Received: from [192.168.1.144] ([unknown] [68.81.23.3]) by mail.sri.com (Sun Java(tm) System Messaging Server 7u2-7.05 32bit (built Jul 30 2009)) with ESMTPSA id <0LA800MR4FJ461W0@mail.sri.com> for v4tov6transition@ietf.org; Wed, 13 Oct 2010 07:13:53 -0700 (PDT)
Message-id: <4CB5BEA0.2000405@sri.com>
Date: Wed, 13 Oct 2010 10:13:52 -0400
From: Ed Jankiewicz <edward.jankiewicz@sri.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
To: Joel Jaeggli <joelja@bogus.com>
References: <4CB51C1D.7040104@sri.com> <1593A30D-A5EE-4FEE-9C0F-DF01D5F7F570@bogus.com>
In-reply-to: <1593A30D-A5EE-4FEE-9C0F-DF01D5F7F570@bogus.com>
Cc: "v4tov6transition@ietf.org" <v4tov6transition@ietf.org>
Subject: Re: [v4tov6transition] Ways to break IPv6
X-BeenThere: v4tov6transition@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <v4tov6transition.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/v4tov6transition>, <mailto:v4tov6transition-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v4tov6transition>
List-Post: <mailto:v4tov6transition@ietf.org>
List-Help: <mailto:v4tov6transition-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v4tov6transition>, <mailto:v4tov6transition-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2010 14:14:47 -0000

  Good point, Joel, the future is now.  Some  recognize that IPv6 is 
already here, others see it sometime in the distant future.  Operational 
and security gaps arise from incompatible assumptions.

I haven't investigated what happened between versions of the network 
security package I use, but it looks like it went from "don't care" 
about IPv6, to block all (by default).  It does permit turning off that 
firewall rule, so I can set it back to ignorance like the previous 
version.  Sort of still leaves me without an IPv6 firewall at the 
moment, but no worse than it was before, and I'm just an experimental user.

It does seem that security products, especially those for end-user 
systems, are particularly behind the curve with IPv6 support.

On 10/13/2010 2:49 AM, Joel Jaeggli wrote:
> I love how we talk about what they will do in the future tense. They do this today. my corporate laptops have had v6 broken in various sundry ways by bad policy and retarded security products across three employers since 2007. As long as v6 has been enabled in systems  people have been disabling it deliberately, or worse, breaking it in ways that make you wonder how these companies keep v4 working, in point of fact sometimes they don't.
>
> Joel's widget number 2
>
> On Oct 12, 2010, at 19:40, Ed Jankiewicz<edward.jankiewicz@sri.com>  wrote:
>
>> this is not a surprise, it is something that has been predicted by many as one of the "growing pains" of IPv6 transition.  Firewalls and other security software will "support" IPv6 initially by just blocking it - too much work (and too little demand) for a real implementation.
>>
>> Just loaded an updated version of the commercial anti-virus package that I've been using, let it remain nameless, it is certainly not the only offender in this area.  Unlike the previous version this includes an enhancement - it blocks all IPv6 and IPv6 over IPv4 traffic by default.  The firewall rule can be disabled.
>>
>> If you are a network operator, there is a lot of mischief that can be done by software that the end-user downloads onto their machines that can make IPv6 appear broken.  This is another area that should get some attention - how will customer service and help desk people be trained to deal with "connectivity" problems the user can cause themselves?
>>
>> It took me a while to figure this out, and I'm one of the people who frequently predicted this would happen.  Imagine your average end-user who knows nothing about IPv6 and expects that "it just works".  Also, many books, websites and other security advice says "when in doubt, turn off IPv6".  At least in the foreseeable future, this will continue to be impedance against the uptake of IPv6.
>>
>>
>> -- 
>> Ed Jankiewicz - SRI International
>> Fort Monmouth Branch Office - IPv6 Research
>> Supporting DISA Standards Engineering Branch
>> 732-389-1003 or  ed.jankiewicz@sri.com
>>
>> _______________________________________________
>> v4tov6transition mailing list
>> v4tov6transition@ietf.org
>> https://www.ietf.org/mailman/listinfo/v4tov6transition
>>

-- 
Ed Jankiewicz - SRI International
Fort Monmouth Branch Office - IPv6 Research
Supporting DISA Standards Engineering Branch
732-389-1003 or  ed.jankiewicz@sri.com