INET6 -- and why I don't use it

Mark Andrews Mark_Andrews at isc.org
Thu Mar 6 00:00:28 UTC 2008


> On Mar 5, 2008, at 17:31 , Mark Andrews wrote:
> 
> >
> >> On Wed, Mar 05, 2008 at 03:00:29PM +0000, Vadim Goncharov wrote:
> >>> * The last I read about IPv6 in mainstream news, there were major
> >> concerns cited over some of the security aspects of the protocol.  I
> >> also remember reading somewhere that IPv6 was supposed to address issues
> >> like packet spoofing and DoS -- what became of this?
> >
> > 	Someone was feeding you a load of horse @$$!.
> 
> When Marcus Ranum is one of those questioning its security, I'm  
> inclined to believe him.  (Google "mjr ipv6 security" --- his point  
> in a nutshell is that we're going to be fixing old IPv4 holes in new  
> guises for a while.)

	Unless you implement BCP 38 you won't prevent spoofed packets
	leaving your network.  Nothing prevents someone injecting
	spoofed packets.  It's just a matter of how far they travel.

	Unless you enable IPSEC for all your communication partners
	you won't be able to detect spoofed packets arriving.

	There is nothing anyone can really do to prevent a DoS attack.

	These statements are as true for IPv4 as they are for IPv6.

	IPv6 still has a MUST against IPSEC against this though people
	are arguing that it should become a SHOULD.  That MUST indicates
	code support not enabling.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
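
Added example, not part of the original message: a source-address check in the spirit of BCP 38, run over constructed packet records and applied identically to IPv4 and IPv6. The site prefixes (documentation ranges), the record format and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumed site prefixes, taken from the documentation ranges.
SITE_PREFIXES = [ipaddress.ip_network(p)
                 for p in ("192.0.2.0/24", "2001:db8:10::/48")]

# Constructed records from an upstream-facing interface: "direction src dst".
SAMPLE = """\
out 192.0.2.17 198.51.100.5
out 203.0.113.9 198.51.100.5
out 2001:db8:10:1::25 2001:db8:ffff::1
out 2001:db8:99::1 2001:db8:ffff::1
out ::ffff:192.0.2.17 2001:db8:ffff::1
in 198.51.100.5 192.0.2.17
out not-an-address 198.51.100.5
"""

def source_is_valid(src, prefixes=SITE_PREFIXES):
    """True only if src parses and lies inside a site prefix of the same family."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: never forward
    # An IPv4-mapped IPv6 source stays an IPv6 address here, so it cannot
    # borrow the legitimacy of the IPv4 prefix it embeds.
    return any(addr.version == net.version and addr in net for net in prefixes)

def egress_violations(log, prefixes=SITE_PREFIXES):
    """Return (line number, source) for outbound records that should be dropped."""
    bad = []
    for lineno, line in enumerate(log.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 3 or fields[0] != "out":
            continue  # only packets leaving the site are checked
        if not source_is_valid(fields[1], prefixes):
            bad.append((lineno, fields[1]))
    return bad

if __name__ == "__main__":
    for lineno, src in egress_violations(SAMPLE):
        print(f"line {lineno}: drop, source {src} is outside the site prefixes")
```

The same membership test covers both address families; only the prefix list differs.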

