[v4tov6transition] Ways to break IPv6

Ed Jankiewicz <edward.jankiewicz@sri.com> Wed, 13 October 2010 02:39 UTC

Return-Path: <edward.jankiewicz@sri.com>
X-Original-To: v4tov6transition@core3.amsl.com
Delivered-To: v4tov6transition@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F3893A6B31 for <v4tov6transition@core3.amsl.com>; Tue, 12 Oct 2010 19:39:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.543
X-Spam-Level:
X-Spam-Status: No, score=-1.543 tagged_above=-999 required=5 tests=[AWL=0.503, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2BPJOuBz3kwm for <v4tov6transition@core3.amsl.com>; Tue, 12 Oct 2010 19:39:18 -0700 (PDT)
Received: from mail1.sri.com (srimail.SRI.COM [128.18.30.17]) by core3.amsl.com (Postfix) with ESMTP id 272883A68BA for <v4tov6transition@ietf.org>; Tue, 12 Oct 2010 19:39:18 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII; format=flowed
Received: from [192.168.1.144] ([unknown] [68.81.23.3]) by mail.sri.com (Sun Java(tm) System Messaging Server 7u2-7.05 32bit (built Jul 30 2009)) with ESMTPSA id <0LA700JVHJFI5VL0@mail.sri.com> for v4tov6transition@ietf.org; Tue, 12 Oct 2010 19:40:31 -0700 (PDT)
Message-id: <4CB51C1D.7040104@sri.com>
Date: Tue, 12 Oct 2010 22:40:29 -0400
From: Ed Jankiewicz <edward.jankiewicz@sri.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
To: v4tov6transition@ietf.org
Subject: [v4tov6transition] Ways to break IPv6
X-BeenThere: v4tov6transition@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <v4tov6transition.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/v4tov6transition>, <mailto:v4tov6transition-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v4tov6transition>
List-Post: <mailto:v4tov6transition@ietf.org>
List-Help: <mailto:v4tov6transition-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v4tov6transition>, <mailto:v4tov6transition-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2010 02:39:20 -0000

  this is not a surprise, it is something that has been predicted by 
many as one of the "growing pains" of IPv6 transition.  Firewalls and 
other security software will "support" IPv6 initially by just blocking 
it - too much work (and too little demand) for a real implementation.

Just loaded an updated version of the commercial anti-virus package that 
I've been using, let it remain nameless, it is certainly not the only 
offender in this area.  Unlike the previous version this includes an 
enhancement - it blocks all IPv6 and IPv6 over IPv4 traffic by default.  
The firewall rule can be disabled.

If you are a network operator, there is a lot of mischief that can be 
done by software that the end-user downloads onto their machines that 
can make IPv6 appear broken.  This is another area that should get some 
attention - how will customer service and help desk people be trained to 
deal with "connectivity" problems the user can cause themselves?

It took me a while to figure this out, and I'm one of the people who 
frequently predicted this would happen.  Imagine your average end-user 
who knows nothing about IPv6 and expects that "it just works".  Also, 
many books, websites and other security advice says "when in doubt, turn 
off IPv6".  At least in the foreseeable future, this will continue to be 
impedance against the uptake of IPv6.


-- 
Ed Jankiewicz - SRI International
Fort Monmouth Branch Office - IPv6 Research
Supporting DISA Standards Engineering Branch
732-389-1003 or  ed.jankiewicz@sri.com