[afripv6-discuss] [Lighter Note!] - Proof that IPv6 Enthusiasm is not Religion

Loganaden Velvindron loganaden at gmail.com
Sat Jun 28 16:12:14 SAST 2014


On Fri, Jun 27, 2014 at 11:07 PM, Mukom Akong T. <mukom.tamon at gmail.com> wrote:
>
>
>> On 27 Jun 2014, at 4:58 PM, Loganaden Velvindron <loganaden at gmail.com> wrote:
>>
>>
>> The ipv6 autoconfiguration exposes around 6000 lines of code, which is
>> a lot of code,
>> if you compare it to the size of the arp code (approximately 200 lines
>> of code).
>
> Autoconfig from which codebase? Is it unreasonable to expect autoconfig to have more lines than arp, which is actually more limited with respect to functionality?

By enabling autoconfig, you "expose" around 6000 lines of the IPv6
stack. OpenBSD suffered its 2nd major
remote vulnerability through the IPv6 stack:

http://www.coresecurity.com/content/open-bsd-advisorie

Implementers would like safer options, like manually bringing up a
network interface with an IPv6 address, instead of
what current specs suggest, as it exposes less of the kernel surface.



>
>
>> The sheer complexity
>> of IPv6 implementations raises quite a few questions about the
>> security of IPv6.
>
> The same can be said of any other complex mechanism.

And hence the lack of confidence of ops for deploying IPv6. They want
more security audits to be carried out, and
security issues such as RA flooding addressed, rather than new specs
that add more options on top of the existing specs.

The IPv6 community needs people who can address those issues to
increase confidence in IPv6 deployment on the operators side.


>
>>
>> IPv6 implementors and spec writers need to think about auditing the
>> IPv6 specs and codebases. Maybe it's time for KAME 2.0 :-)
>
> Excellence isn't an act. I'm sure one way or the other, we'll get the protocol we want.

If the people sitting on a large pile of cash aren't willing to fund
Open Source developers who audit the IPv6 code, then
we're going to suffer from "heartbleed-like" and RH0 issues hitting
large scale IPv6 deployment, and being labelled as a "cult".  I'm a
supporter of IPv6 as well, but we're just not getting enough funding
and eyeballs auditing the existing implementations.

Itojun started such an effort back in 2006-2007, but unfortunately he
passed away. We need a new group of IPv6 Samurais :-)


Excellent article by PHK at FreeBSD:

http://queue.acm.org/detail.cfm?id=2636165

This applies to IPv6 too :-)


>
>>>
>>> Well, Andrew, Owen and a couple of others in the room were quite nice in
>>> responding.
>>>
>>> All the time I sat there thinking.... and I came to a conclusion: I know for
>>> sure IPv6 is not a religion and this (that group of enthusiasts) was not an
>>> IPv6 cult. The reason I'm sure is that the gentleman was not being
>>> lynched!
>>>
>>> For if the group was indeed a cult, his statements would be considered
>>> blasphemous and the response in pure religious fashion would have involved
>>> some combination of pitchforks, fire, linking etc.  :D
>>>
>>> Although I admire the courage it takes a lot of courage (or something else)
>>> to walk into the midst of a religious cult in full session and openly speak
>>> against their deity.
>>>
>>> Keep calm and deploy IPv6 .... Sooner than later.
>>>
>>> ./shalom
>>>
>>> --
>>>
>>> Mukom Akong T.
>>>
>>> http://about.me/perfexcellence |  twitter: @perfexcellent
>>> ------------------------------------------------------------------------------------------------------------------------------------------
>>> “When you work, you are the FLUTE through whose lungs the whispering of the
>>> hours turns to MUSIC" - Kahlil Gibran
>>> -------------------------------------------------------------------------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> afripv6-discuss mailing list
>>> afripv6-discuss at afrinic.net
>>> https://lists.afrinic.net/mailman/listinfo.cgi/afripv6-discuss
>>
>>
>>
>> --
>> This message is strictly personal and the opinions expressed do not
>> represent those of my employers, either past or present.



-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.

