Date: Thu, 06 Mar 2008 11:00:21 +1100
From: Mark Andrews <Mark_Andrews@isc.org>
To: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
Cc: Vadim Goncharov <vadim_nuclight@mail.ru>, Jeremy Chadwick <koitsu@freebsd.org>, FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: Re: INET6 -- and why I don't use it
Message-ID: <200803060000.m2600LIC078420@drugs.dv.isc.org>
In-Reply-To: Your message of "Wed, 05 Mar 2008 17:44:03 CDT." <87800D7B-3866-4FC0-B757-BF2AB808920E@ece.cmu.edu>

> On Mar 5, 2008, at 17:31 , Mark Andrews wrote:
>
> >
> >> On Wed, Mar 05, 2008 at 03:00:29PM +0000, Vadim Goncharov wrote:
> >>> * The last I read about IPv6 in mainstream news, there were major
> >> concerns cited over some of the security aspects of the protocol. I
> >> also remember reading somewhere that IPv6 was supposed to address
> >> issues
> >> like packet spoofing and DoS -- what became of this?
> >
> > Someone was feeding you a load of horse @$$!.
>
> When Marcus Ranum is one of those questioning its security, I'm
> inclined to believe him. (Google "mjr ipv6 security" --- his point
> in a nutshell is that we're going to be fixing old IPv4 holes in new
> guises for a while.)

Unless you implement BCP 38 you won't prevent spoofed packets
leaving your network. Nothing prevents someone injecting spoofed
packets. It's just a matter of how far they travel.

Unless you enable IPSEC for all your communication partners you
won't be able to detect spoofed packets arriving.

There is nothing anyone can really do to prevent a DoS attack.

These statements are as true for IPv4 as they are for IPv6.

IPv6 still has a MUST against IPSEC against this though people
are arguing that it should become a SHOULD. That MUST indicates
code support not enabling.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
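
The BCP 38 check mentioned in the message above, as an added example that is not part of the original e-mail: an egress filter only passes packets whose source address lies inside the site's own prefixes, and the test is the same for IPv4 and IPv6. The site prefixes and flow records are constructed values from the documentation address ranges, and the function names are hypothetical.

```python
import ipaddress

# Assumed site prefixes (documentation ranges, not taken from the thread).
SITE_PREFIXES = ["192.0.2.0/24", "2001:db8:10::/48"]

# Constructed (source, destination) pairs as seen on the egress interface.
SAMPLE_FLOWS = [
    ("192.0.2.17", "198.51.100.5"),             # IPv4 source inside the site
    ("203.0.113.9", "198.51.100.5"),            # IPv4 source outside the site
    ("2001:db8:10:1::25", "2001:db8:ffff::1"),  # IPv6 source inside the site
    ("2001:db8:99::1", "2001:db8:ffff::1"),     # IPv6 source outside the site
    ("::ffff:192.0.2.17", "2001:db8:ffff::1"),  # IPv4-mapped form, not a site IPv6 source
    ("not-an-address", "198.51.100.5"),         # malformed record
]


def load_prefixes(prefixes):
    """Parse prefixes strictly so a mistyped entry with host bits set fails loudly."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def source_is_valid(src, networks):
    """True only if src parses and falls inside a site prefix of the same family."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: treat as not ours and drop
    return any(addr.version == net.version and addr in net for net in networks)


def egress_violations(flows, prefixes=SITE_PREFIXES):
    """Return the flows a BCP 38 egress filter would drop."""
    networks = load_prefixes(prefixes)
    return [(src, dst) for src, dst in flows if not source_is_valid(src, networks)]


if __name__ == "__main__":
    for src, dst in egress_violations(SAMPLE_FLOWS):
        print(f"drop: source {src} -> {dst} is not in a site prefix")
```
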