Re: [v4tov6transition] Ways to break IPv6

Tim Chown <tjc@ecs.soton.ac.uk> Wed, 13 October 2010 09:45 UTC

Return-Path: <tjc@ecs.soton.ac.uk>
X-Original-To: v4tov6transition@core3.amsl.com
Delivered-To: v4tov6transition@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 922163A6974 for <v4tov6transition@core3.amsl.com>; Wed, 13 Oct 2010 02:45:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.517
X-Spam-Level:
X-Spam-Status: No, score=-2.517 tagged_above=-999 required=5 tests=[AWL=0.082, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ibQFh2w1vqjr for <v4tov6transition@core3.amsl.com>; Wed, 13 Oct 2010 02:45:34 -0700 (PDT)
Received: from falcon.ecs.soton.ac.uk (falcon.ecs.soton.ac.uk [152.78.68.146]) by core3.amsl.com (Postfix) with ESMTP id 6FB163A67DB for <v4tov6transition@ietf.org>; Wed, 13 Oct 2010 02:45:32 -0700 (PDT)
Received: from falcon.ecs.soton.ac.uk (localhost [127.0.0.1]) by falcon.ecs.soton.ac.uk (8.13.8/8.13.8) with ESMTP id o9D9jgIn001558 for <v4tov6transition@ietf.org>; Wed, 13 Oct 2010 10:45:42 +0100
X-DKIM: Sendmail DKIM Filter v2.8.2 falcon.ecs.soton.ac.uk o9D9jgIn001558
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=ecs.soton.ac.uk; s=200903; t=1286963142; bh=+RUGXlLgwf0GOyX0ZnBYhGadOPU=; h=Mime-Version:Subject:From:In-Reply-To:Date:References:To; b=rUvGm8gUCanrUMPZ1yow9fknvy4KBjbwrFGlR/3WOMTkVffp3Z9pqpY7DPW4z4YGt rU55z8gIKtvor3oaw5jgspLa0ZxgilouJtFIfnSc5TamikVfRa61p7ljQgz+ZGjgrF jpL0QVpZlTKfsD7w19vZgK9eOAxL+Lh/ewZ0JSFQ=
Received: from gander.ecs.soton.ac.uk (gander.ecs.soton.ac.uk [2001:630:d0:f102::25d]) by falcon.ecs.soton.ac.uk (falcon.ecs.soton.ac.uk [2001:630:d0:f102::25e]) envelope-from <tjc@ecs.soton.ac.uk> with ESMTP id m9CAjg2308237506hg ret-id none; Wed, 13 Oct 2010 10:45:42 +0100
Received: from tjc-vpn.ecs.soton.ac.uk (tjc-vpn.ecs.soton.ac.uk [152.78.236.241]) (authenticated bits=0) by gander.ecs.soton.ac.uk (8.13.8/8.13.8) with ESMTP id o9D9jdrA014303 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <v4tov6transition@ietf.org>; Wed, 13 Oct 2010 10:45:39 +0100
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Apple Message framework v1081)
From: Tim Chown <tjc@ecs.soton.ac.uk>
In-Reply-To: <1593A30D-A5EE-4FEE-9C0F-DF01D5F7F570@bogus.com>
Date: Wed, 13 Oct 2010 10:45:39 +0100
Content-Transfer-Encoding: quoted-printable
Message-ID: <EMEW3|e1d69ee194dd88e609f0f9bc9b8e0675m9CAjg03tjc|ecs.soton.ac.uk|77302F73-8B39-4417-91C8-334B06964EF9@ecs.soton.ac.uk>
References: <4CB51C1D.7040104@sri.com> <1593A30D-A5EE-4FEE-9C0F-DF01D5F7F570@bogus.com> <77302F73-8B39-4417-91C8-334B06964EF9@ecs.soton.ac.uk>
To: v4tov6transition@ietf.org
X-Mailer: Apple Mail (2.1081)
X-ECS-MailScanner: Found to be clean, Found to be clean
X-smtpf-Report: sid=m9CAjg230823750600; tid=m9CAjg2308237506hg; client=relay,ipv6; mail=; rcpt=; nrcpt=1:0; fails=0
X-ECS-MailScanner-Information: Please contact the ISP for more information
X-ECS-MailScanner-ID: o9D9jgIn001558
X-ECS-MailScanner-From: tjc@ecs.soton.ac.uk
Subject: Re: [v4tov6transition] Ways to break IPv6
X-BeenThere: v4tov6transition@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <v4tov6transition.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/v4tov6transition>, <mailto:v4tov6transition-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v4tov6transition>
List-Post: <mailto:v4tov6transition@ietf.org>
List-Help: <mailto:v4tov6transition-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v4tov6transition>, <mailto:v4tov6transition-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2010 09:45:40 -0000

On 13 Oct 2010, at 07:49, Joel Jaeggli wrote:

> I love how we talk about what they will do in the future tense. They do this today. my corporate laptops have had v6 broken in various sundry ways by bad policy and retarded security products across three employers since 2007. As long as v6 has been enabled in systems  people have been disabling it deliberately, or worse, breaking it in ways that make you wonder how these companies keep v4 working, in point of fact sometimes they don't. 

Disabling IPv6 administratively is probably quite wise, until you're ready to do a managed deployment.     Even in supposed IPv4-only networks issues like rogue RAs can cause problems for hosts with IPv6 enabled.    We surveyed a local reasonable size wireless network for example and 50% of the time a host somewhere on it was issuing rogue RAs; that was over 6 months of data.

Tim