[afripv6-discuss] What are the benefits of IPv6 over IPv4
Heinrich Strauss
heinrich at hstrauss.co.za
Sun Jun 3 21:05:10 SAST 2012
Hi, Kondwani.
On 2012/06/03 19:44, Kondwani C. Hara wrote:
>
> While direct communication seems a good idea, direct communication
> exposes devices to direct attack. Where NAT existed, it was easier to
> limit the attacks by opening up to the public only services that are
> accessible to the public.
>
> Linux or most Unix machines operating as servers are hardened against
> remote attacks. Workstations are hardened against local access.
> Putting these on IPv6 will leave many workstations very vulnerable.
>
> The attacks on smartphones, especially Android, seem to have been worse
> and difficult to manage due to the little attention on security they
> might have received, owing to the fact that it's still work in progress.
>
> Exposing these to the chainability of IPv6 is really a security disaster.
>
> That's a big bug IPv6 has.
>
Remember that NATv4 is only perceived security; there have been
advancements since its initial inception that tear holes through this
perceived security veil quite invisibly to users (e.g. UPnP), which is
an even bigger security risk, IMO. A big eye-opener was a Defcon18 talk
"How I Met Your Girlfriend" [1] by Samy Kamkar.
For your servers, nothing prevents a sweeping policy like:
    "For the servers' /64, drop anything that's not HTTP, HTTPS, SMTP to
    mailservers, etc."
on the border of your network (with a firewall or access-list) and then
routing that to servers or more firewalls.
If clients (who are supposed to get IPv6 allocations) are not known to
be responsible (read: easily bot-infected), notify them of your policy
(law-permitting) and filter outbound SMTP from their networks until they
request it be re-enabled and accept responsibility for the potential
network abuse.
NAT was not intended to be a firewall-replacement; that's just a
side-effect! ;)
Regards,
Heinrich
[1] http://www.youtube.com/watch?v=fEmO7wQKCMw
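The border policy Heinrich sketches, written out as an nftables ruleset. This is an added example, not code from the list post; the prefixes (a server /64, two mailserver addresses, a client /48 and one client /64 that has opted back in to outbound SMTP) are RFC 3849 documentation addresses chosen for illustration, and the rule that drops unsolicited inbound traffic to client networks is an assumption about the operator's policy, not something the post specifies.

```nft
# Added example: stateful IPv6 border filter implementing the policy from the
# post. Applied to a router forwarding between the uplink and the site's
# server and client prefixes. All addresses are constructed (RFC 3849).
table ip6 border {
    set mailservers {
        type ipv6_addr
        elements = { 2001:db8:1::25, 2001:db8:1::26 }
    }
    # Client networks that asked for outbound SMTP and accepted responsibility.
    set smtp_allowed_clients {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:200:10::/64 }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the site initiated come back regardless of port.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 is not optional in IPv6: dropping packet-too-big breaks path
        # MTU discovery, so permit the error and echo types explicitly.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, echo-reply } accept

        # Servers' /64: only the public services, SMTP only to the mailservers.
        ip6 daddr 2001:db8:1::/64 tcp dport { 80, 443 } accept
        ip6 daddr @mailservers tcp dport 25 accept

        # Client /48: block outbound SMTP unless the source is in the opt-in
        # set, then let the rest of their outbound traffic through. Unsolicited
        # inbound traffic to clients falls through to the drop policy (assumed).
        ip6 saddr 2001:db8:200::/48 ip6 saddr != @smtp_allowed_clients tcp dport 25 drop
        ip6 saddr 2001:db8:200::/48 accept

        # Count what reaches the chain policy so dropped traffic is visible.
        counter
    }
}
```

Load with `nft -f` and inspect the counter with `nft list chain ip6 border forward` to see what the default drop is absorbing before tightening further.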