[ale] IPv6 vs IPv4 (was: uptime)

Jim Popovitch jimpop at gmail.com
Thu Mar 18 07:13:21 EDT 2010


On Wed, Mar 17, 2010 at 22:42, Michael H. Warfield <mhw at wittsend.com> wrote:
> On Wed, 2010-03-17 at 22:03 -0400, Jim Popovitch wrote:
>> Well, that brings up the usual IPv4 vs IPv6 interest :-). So a measure
>> of security comes from IPv4 but not IPv6...yet another reason to delay
>> IPv6 :-)
>
> Fraid not.  You don't really have a choice.  It's far far more difficult
> and expensive to prevent or obstruct IPv6 than it is to provide it.  I
> haven't accessed IPv6 from an aircraft yet (but that would be trivial)
> but I have done a half a dozen cruise ships at sea and from several
> continents (Asia, Europe, South America, and all over the US, Canada,
> Mexico, Central America, and the Caribbean).  Behind NAT devices and
> behind firewalls.  We've found it deep in labs communicating with Teredo
> servers out on the Internet (Windows Vista, Windows 7, and a surprising
> number of Windows XP systems that nobody can explain).  I have yet to
> find a place where I could not reach IPv6 if I really wanted it.  And
> the bad guys know this.  Russia and the Ukraine are #1 and #2 on
> Google's list of v6 deployment.  Think about that.  In fact, I would
> honestly say, if you have access to DNS then someone has access to IPv6
> from where you are (look up Iodine, DNScat, and OpenVPN and think about
> it).  Time for burying your head in the sand was gone a long time ago.
> The important point is that you don't know.  You won't know.  It doesn't
> ring any big red bells and announce itself.  It just works and you are
> none the wiser.

I think you are missing my point ;-)

> You say another reason to "delay" IPv6?  And exactly WHAT have you done
> to delay it?  If the answer is nothing, you're not even a speed bump.
> If you are not actively checking for it and blocking it, how are you
> delaying it?  Even if you are actively trying to detect it, it's now
> common on all modern Linux boxes and MacBooks and you can't disable it
> on Vista or Windows 7 (and it's really difficult to disable it on Linux
> by intent and design).  At least some of the IPv6 protocols should be
> present on virtually every modern network at this time (globals may not
> be actively routed but RD, and ND should certainly be present and maybe
> even RA).  Have been for many many years and here you sit oblivious to
> it all.  Delaying it is too late when it's been sitting on your network
> for 5 years or more and you still have no clue.

:-)

-Jim P.
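
Added example, not part of either poster's message: one way to actively check a capture for the IPv6 activity discussed above (native ND/RA traffic and Teredo tunnelled over IPv4 UDP). The frame layout handling, the function names and the sample frames are constructed for illustration; Teredo's UDP port 3544 and the ICMPv6 type numbers come from RFC 4380 and RFC 4861.

```python
import struct

# ICMPv6 message types used by router/neighbor discovery (RFC 4861)
ND_TYPES = {133: "router-solicitation", 134: "router-advertisement",
            135: "neighbor-solicitation", 136: "neighbor-advertisement"}
TEREDO_PORT = 3544  # UDP port used by Teredo servers (RFC 4380)

def classify(frame: bytes) -> str:
    """Label one Ethernet II frame with the IPv6 activity it shows, or 'none'."""
    if len(frame) < 14:
        return "none"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == 0x86DD and len(payload) >= 40:       # native IPv6
        if payload[6] == 58 and len(payload) > 40:       # next header = ICMPv6
            return "native:" + ND_TYPES.get(payload[40], "icmpv6-other")
        return "native:other"
    if ethertype == 0x0800 and len(payload) >= 20:       # IPv4: look for Teredo
        ihl = (payload[0] & 0x0F) * 4
        frag_off = struct.unpack("!H", payload[6:8])[0] & 0x1FFF
        # UDP ports only exist in the first fragment, so skip later fragments
        if payload[9] == 17 and frag_off == 0 and ihl >= 20 and len(payload) >= ihl + 4:
            sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
            if TEREDO_PORT in (sport, dport):
                return "tunnel:teredo"
    return "none"

def summarize(frames) -> dict:
    """Count frames per IPv6 label, ignoring frames with no IPv6 signal."""
    counts = {}
    for frame in frames:
        label = classify(frame)
        if label != "none":
            counts[label] = counts.get(label, 0) + 1
    return counts

# --- constructed sample frames (documentation addresses, zeroed checksums) ---
def _eth(ethertype, payload):
    return b"\x02" * 12 + struct.pack("!H", ethertype) + payload

def _ipv6_icmp(icmp_type):
    header = struct.pack("!IHBB", 0x60000000, 8, 58, 255) + bytes(32)
    return header + bytes([icmp_type, 0]) + bytes(6)

def _ipv4_udp(sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)

SAMPLE = [_eth(0x86DD, _ipv6_icmp(134)), _eth(0x86DD, _ipv6_icmp(135)),
          _eth(0x0800, _ipv4_udp(51000, 3544)), _eth(0x0800, _ipv4_udp(51000, 53))]
```

This only sees Teredo on its standard port and does not inspect DNS or VPN payloads, so the tunnels-over-DNS case raised in the quoted message is outside what it detects.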


