[ale] IPv6 vs IPv4 (was: uptime)

Michael H. Warfield mhw at WittsEnd.com
Wed Mar 17 22:42:57 EDT 2010


On Wed, 2010-03-17 at 22:03 -0400, Jim Popovitch wrote: 
> Well, that brings up the usual IPv4 vs IPv6 interest :-). So a measure
> of security comes from IPv4 but not IPv6...yet another reason to delay
> IPv6 :-)

Fraid not.  You don't really have a choice.  It's far far more difficult
and expensive to prevent or obstruct IPv6 than it is to provide it.  I
haven't accessed IPv6 from an aircraft yet (but that would be trivial)
but I have done a half a dozen cruise ships at sea and from several
continents (Asia, Europe, South America, and all over the US, Canada,
Mexico, Central America, and the Caribbean).  Behind NAT devices and
behind firewalls.  We've found it deep in labs communicating with Teredo
servers out on the Internet (Windows Vista, Windows 7, and a surprising
number of Windows XP systems that nobody can explain).  I have yet to
find a place where I could not reach IPv6 if I really wanted it.  And
the bad guys know this.  Russia and the Ukraine are #1 and #2 on
Google's list of v6 deployment.  Think about that.  In fact, I would
honestly say, if you have access to DNS then someone has access to IPv6
from where you are (look up Iodine, DNScat, and OpenVPN and think about
it).  Time for burying your head in the sand was gone a long time ago.
The important point is that you don't know.  You won't know.  It doesn't
ring any big red bells and announce itself.  It just works and you are
none the wiser.

You say another reason to "delay" IPv6?  And exactly WHAT have you done
to delay it?  If the answer is nothing, you're not even a speed bump.
If you are not actively checking for it and blocking it, how are you
delaying it?  Even if you are actively trying to detect it, it's now
common on all modern Linux boxes and MacBooks and you can't disable it
on Vista or Windows 7 (and it's really difficult to disable it on Linux
by intent and design).  At least some of the IPv6 protocols should be
present on virtually every modern network at this time (globals may not
be actively routed but RD, and ND should certainly be present and maybe
even RA).  Have been for many many years and here you sit oblivious to
it all.  Delaying it is too late when it's been sitting on your network
for 5 years or more and you still have no clue.

> -Jim P.

Mike

> On 2010-03-17, Michael H. Warfield <mhw at wittsend.com> wrote:
> > On Wed, 2010-03-17 at 18:44 -0400, Geoffrey wrote:
> >> Michael H. Warfield wrote:
> >> > On Wed, 2010-03-17 at 16:46 -0400, Geoffrey wrote:
> >> >> Michael H. Warfield wrote:
> >> >>> On Wed, 2010-03-17 at 14:52 -0400, Geoffrey wrote:
> >> >>>> Sean Kilpatrick wrote:
> >> >>>>> And the last time you upgraded the kernel and libraries, and
> >> >>>>> installed needed security patches was . . . ?
> >> >>>> Too long.  Internal box, you can't get to it from there.  I promise.
> >> >>>> ;)
> >> >>> Make sure nobody brings up any IPv6 routing on you.  You could be in
> >> >>> for a REAL surprise.  You don't get any warning.  Even if you are deep
> >> >>> behind an IPv4 NAT.
> >> >
> >> >> This is a box here at home.  No IPv6 running on any of my boxes.
> >> >
> >> > Make sure you don't have any Macs or the Mac AirPort Express access
> >> > points either.  Oh, and if you've got any Wifi access points running
> >> > dd-wrt, you might check those versions as well.  You never can
> >> > tell.  :-)
> >> >
> >> > Google discovered an unexpectedly high number of IPv6 users from the
> >> > United States, placing the US in 5th place for IPv6 adoption.  Most of
> >> > that (but not all of that) was from MacBooks and Mac Airport Express
> >> > APs that have IPv6 and 6to4 enabled by default.  And yes, they do
> >> > advertise and yes they do route other devices.  As time goes on, this is
> >> > going to become more and more common.  Even Comcast is opening up a Beta
> >> > program for IPv6.  It's not if.  It's when.  You can expect more and
> >> > more consumer NAT devices and APs to be picking up the banner.  Doesn't
> >> > cost them a thing to support it.
> >
> >> But I would think that's a good thing.  Just be aware. :)
> >
> > Oh, it is.  It very much so is.  Just be aware that all of your
> > previously unreachable (on IPv4) systems will now have a globally
> > addressable address in the IPv6 global unicast address set.
> >
> > Mike
> > --
> > Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
> >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> >    NIC whois: MHW9          | An optimist believes we live in the best of all
> >  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> >
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
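Mike's point that you have to actively check for IPv6 that is already on the box applies here. This is an added example, not code from the thread: it parses `ip -6 addr show` output from a Linux host and labels each address (link-local, 6to4, Teredo, unique-local, global) so the interfaces that are reachable from the IPv6 Internet regardless of any IPv4 NAT stand out. The sample output and every address in it are constructed, and the parser assumes the iproute2 output format.

```python
import ipaddress
import re

# Constructed `ip -6 addr show` output (not from a real host): a LAN interface with
# a global and a link-local address, plus automatic 6to4 and Teredo tunnel interfaces.
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2::10/64 scope global dynamic
    inet6 fe80::5054:ff:fe12:3456/64 scope link
3: sit0: <NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN qlen 1000
    inet6 2002:c000:204::1/16 scope global
4: teredo: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN qlen 500
    inet6 2001:0:4136:e378:8000:63bf:3fff:fdd2/32 scope global
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
IFACE_RE = re.compile(r"^\d+: ([^:@\s]+)")
ADDR_RE = re.compile(r"^\s+inet6 ([0-9A-Fa-f:]+)/\d+ scope (\w+)")

def parse_ip6_addr(text):
    """Return (interface, IPv6Address, scope) for each inet6 line of `ip -6 addr` output."""
    ifname, found = None, []
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            ifname = m.group(1)
        elif (m := ADDR_RE.match(line)) and ifname:
            found.append((ifname, ipaddress.IPv6Address(m.group(1)), m.group(2)))
    return found

def classify(addr):
    """Label an address by what it implies for reachability. Tunnel prefixes are tested
    before the generic 2000::/3 check because 2002::/16 and 2001:0::/32 sit inside it."""
    if addr.is_loopback:
        return "loopback"
    if addr in LINK_LOCAL:
        return "link-local"  # ND/RA traffic; expected on every IPv6-capable host
    if addr.sixtofour is not None:
        return "6to4"        # 2002:<v4addr>::/48, automatic tunnel over public IPv4
    if addr.teredo is not None:
        return "teredo"      # 2001:0::/32, tunnel that traverses IPv4 NAT
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    return "global" if addr in GLOBAL_UNICAST else "other"

def exposed_interfaces(text):
    """Interfaces holding addresses reachable from the IPv6 Internet regardless of IPv4 NAT."""
    return sorted({ifname for ifname, addr, _ in parse_ip6_addr(text)
                   if classify(addr) in ("global", "6to4", "teredo")})
```

On a live host, feed the output of `ip -6 addr show` to `exposed_interfaces`; a non-empty result on a box believed to be "unreachable behind NAT" is exactly the surprise the thread warns about.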