Re: [v6ops] IPv6 transition technologies vs MITM (DEFCON)

Tim Chown <> Thu, 22 August 2013 20:51 UTC

On 22 Aug 2013, at 19:51, Tom Perrine <> wrote:

> There's been a fair amount of debate on the list about the merits of using the transition technologies vs an aggressive
> move to native IPv6 (usually dual-stack). We keep coming back (as we have for 10+ years) to finding business reasons
> to transition.
> In parallel, there's been a goodly amount of poking around IPv6, "the real world" and those transition technologies.
> The MITM attack demonstrated at DEFCON this year was nothing new. While it was widely covered as an "IPv6 security
> flaw", it was really taking advantage of the well-known "RA problem" and the behavior of an IPv6-capable node on a
> nominally IPv4-only network.
> Frankly, while it was a nice "one click" automation of an already-recognized exploit, there wasn't really anything new.
> But, what I'm seeing is that no one is talking about how the transition strategies will not address this attack at all,
> at least as far as I can tell. They all seem to seek to leave (allegedly) IPv4-only nodes in place and work at one or
> more hops away from those nodes. This ignores that so many nodes really aren't IPv4-only. They are really dual-stack
> nodes that are waiting for the IPv6 configuration to be completed. And you can complete that configuration, or your
> attacker will!
> I see two ways to mitigate this attack:  turn off IPv6 on all modern OSes, or fully deploy IPv6.  Guess which one I
> don't want to see advocated :-)
> Am I missing something, or is this one more point to add to the "deploy IPv6 now, deploy native, skip the transition
> technologies" ?  (I'm including dual-stack in the native strategy.)

There's lots of work within the IETF on this, e.g. take a look at

The sunset4 WG is also quite interesting.

I'm surprised an event like DEFCON presented something that old.
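
The "RA problem" discussed in the quoted message, seen from the monitoring side, as an added example that is not part of the original thread: it parses an ICMPv6 Router Advertisement and reports what an unauthorized one would configure on the dual-stack hosts of a nominally IPv4-only LAN. The function names, the allowlist model and the sample RA (documentation prefix 2001:db8::/32) are assumptions constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT, OPT_PREFIX_INFO, OPT_RDNSS = 134, 3, 25  # RFC 4861 / RFC 8106

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement body (checksum is not verified)."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    lifetime = struct.unpack_from("!H", icmp6, 6)[0]  # Router Lifetime, seconds
    ra = {"router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off:off + opt_len]
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append((str(net), bool(body[3] & 0x40)))  # A flag = SLAAC
        elif opt_type == OPT_RDNSS and opt_len >= 24:
            for i in range(8, opt_len - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += opt_len
    return ra

def assess_ra(src: str, icmp6: bytes, authorized: frozenset = frozenset()) -> list:
    """Findings for one RA; an empty allowlist models an IPv4-only LAN (assumption)."""
    ra = parse_ra(icmp6)
    if src in authorized:
        return []
    findings = [f"RA from unauthorized router {src}"]
    if ra["router_lifetime"] > 0:
        findings.append("advertises itself as default router")
    for net, autonomous in ra["prefixes"]:
        if autonomous:
            findings.append(f"hosts will autoconfigure addresses in {net}")
    for dns in ra["rdnss"]:
        findings.append(f"pushes DNS resolver {dns}")
    return findings

def sample_ra() -> bytes:
    """Constructed RA using the documentation prefix; not a packet capture."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 14400, 0)
    pio += ipaddress.IPv6Address("2001:db8:1::").packed
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800)
    rdnss += ipaddress.IPv6Address("2001:db8:1::53").packed
    return hdr + pio + rdnss
```

The source address of an RA is easy to forge, so a check like this suits monitoring only; enforcement belongs on the switch port (RA-Guard, RFC 6105).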