Five Security Flaws in IPv6

Jun-ichiro itojun Hagino 2.0 itojun at itojun.org
Thu May 10 00:44:50 CEST 2007


	so, social impact would be on ipv6-ops list, and technical on ipv6wg,
	eh?

> What i expect Network Operators to do is use&learn, not judge 
> prematurely&ignore.
> Unfortunately, for now it's so much easier to just ignore IPv6 (the 
> no-killer-application-problem, no need to discuss that here), and if 
> "this IPv6 thing" is "proven to be insecure by big ISP Managers and 
> researchers"... just plays those people into their hands.

	tell people this:
	there are two stopgap measure: max # of hoplimit being 255,
	and routers' forwaring speed is limted (as packet would go into
	slow path).

	IIJ ops guys are preforming quantatitative analysis on the latter
	case.  do not have the result handy, but it is apparent that we
	cannot saturate US-JP link (too fat pipe these days) with 1
	vulnerable node (host or router) in the US and 1 in Japan.
	of course DDoS'ing vulnerable node in the US would increase the pain,
	and if you have multiple machines you can do more damage.  but
	all is limited by routers' forwarding speed.

> But the question remains - what can we do about that?
> I don't usually have any mentionable luck with advocating IPv6 on 
> customer projects or when consulting with ISPs (regardless of size).
> 
> Probably someone with good PR-capabilities should just spread some 
> (better) articles about IPv6 once in a while to counteract such FUD?

	IPv6 forum should take action on this.

> P.S.: Is this off-topic for ipv6-ops now? hm.

	:-)

	can I talk about stockmarket?  i guess companies w/ KAME-based product
	would go skyrocket :-):-)

itojun



More information about the ipv6-ops mailing list