From owner-freebsd-stable@FreeBSD.ORG Thu Mar 6 00:00:28 2008
Message-Id: <200803060000.m2600LIC078420@drugs.dv.isc.org>
To: "Brandon S. Allbery KF8NH"
From: Mark Andrews
In-reply-to: Your message of "Wed, 05 Mar 2008 17:44:03 CDT." <87800D7B-3866-4FC0-B757-BF2AB808920E@ece.cmu.edu>
Date: Thu, 06 Mar 2008 11:00:21 +1100
Sender: marka@isc.org
Cc: Vadim Goncharov, Jeremy Chadwick, FreeBSD Stable
Subject: Re: INET6 -- and why I don't use it
List-Id: Production branch of FreeBSD source code

> On Mar 5, 2008, at 17:31 , Mark Andrews wrote:
>
> >
> >> On Wed, Mar 05, 2008 at 03:00:29PM +0000, Vadim Goncharov wrote:
> >>> * The last I read about IPv6 in mainstream news, there were major
> >> concerns cited over some of the security aspects of the protocol. I
> >> also remember reading somewhere that IPv6 was supposed to address
> >> issues
> >> like packet spoofing and DoS -- what became of this?
> >
> > Someone was feeding you a load of horse @$$!.
>
> When Marcus Ranum is one of those questioning its security, I'm
> inclined to believe him. (Google "mjr ipv6 security" --- his point
> in a nutshell is that we're going to be fixing old IPv4 holes in new
> guises for a while.)

Unless you implement BCP 38 you won't prevent spoofed packets
leaving your network. Nothing prevents someone injecting spoofed
packets. It's just a matter of how far they travel.

Unless you enable IPSEC for all your communication partners you
won't be able to detect spoofed packets arriving.

There is nothing anyone can really do to prevent a DoS attack.

These statements are as true for IPv4 as they are for IPv6.

IPv6 still has a MUST against IPSEC against this though people
are arguing that it should become a SHOULD. That MUST indicates
code support not enabling.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
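
Added example, not part of the original message: the BCP 38 egress check referred to above, applied to IPv4 and IPv6 sources with the same rule. The site prefixes and packet records are constructed from documentation address ranges, and the function names are illustrative.

```python
import ipaddress

# Assumption: prefixes assigned to this site (documentation ranges, constructed).
SITE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]


def egress_permitted(src, site_prefixes=SITE_PREFIXES):
    """Return True if a packet with source address `src` may leave the site.

    BCP 38 rule: forward outbound traffic only when its source address lies
    in a prefix assigned to the site. The test is the same for IPv4 and
    IPv6; only the address family of the prefix differs.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    return any(
        addr.version == net.version and addr in net for net in site_prefixes
    )


def filter_egress(packets, site_prefixes=SITE_PREFIXES):
    """Split (src, dst) records into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for src, dst in packets:
        bucket = forwarded if egress_permitted(src, site_prefixes) else dropped
        bucket.append((src, dst))
    return forwarded, dropped


# Constructed sample of outbound packets seen at the site's border router.
SAMPLE = [
    ("192.0.2.10", "198.51.100.7"),            # legitimate IPv4 host
    ("203.0.113.99", "198.51.100.7"),          # IPv4 source outside the site
    ("2001:db8:100::25", "2001:db8:ffff::1"),  # legitimate IPv6 host
    ("2001:db8:200::1", "2001:db8:ffff::1"),   # IPv6 source outside the site
    ("192.0.2.200", "198.51.100.7"),           # forged, but inside the site prefix
]

if __name__ == "__main__":
    ok, bad = filter_egress(SAMPLE)
    print("forwarded:", ok)
    print("dropped:  ", bad)
```

The last sample record passes the filter: an address forged from inside the site's own prefix is indistinguishable from a real one at the border, so the check bounds where a spoofed source can claim to come from rather than authenticating it.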