On 09/11/2016 11:39 PM, Per Jessen wrote:
> > IPv6's complexity is another issue.
>
> What complexity is that? I was going to put a smiley, but seriously, what complexity, Lew? The only added complexity I see is the length of an address. All we have added in terms of infrastructure - radvd and dhcpv6. Both are easy to configure.
I actually lifted the complexity issue from the referenced Black Hat link:

https://www.blackhat.com/docs/sp-14/materials/arsenal/sp-14-Schaefer-Worksho...

It says in summary at one point:

    Why IPv6 Security Is So Hard?
      - Trust Model & Provisioning
      - Crypto-Optimism
      - Complexity
      - The State Problem
      - Stack Heterogeneity
      - Attack / Defense Asymmetry
    IPv6's Trust Model: On the local link we're all brothers.

Certainly taking functions that are provided by external modules in v4 and building them into a monolithic v6 adds complexity. The UNIX philosophy takes many small, easily tested modules to build functionality. Everything in one package is the Micro$oft Way, and indeed, certain other contentious core Linux functionality that can't be named here.

Then, there's added complexity at the user level. I'm thinking mainly of the requirement to run dual-stacked networks because not all hardware is v6 compatible. I'm sure that things will eventually get better when absolutely everything handles v6, but until then simplicity lives in the v4 NATted world. Security is inversely proportional to complexity, and dual-stacked networks increase complexity.

To illustrate by personal example, my home system uses a cable modem connected to a Zyxel router/firewall. The Zyxel is a cut above standard home commodity routers and allows full ACLs between subnet segments. I've got an Asus wifi hub on one isolated segment, which has its own rather good firewall and guest network capability. I've got ACLs set up so that certain protocols (ssh, ipp) can bridge the segments as appropriate. It's all v4 and NAT, with default deny between the segments.

This dialog caused me to check to see if my ISP even offers v6. They do! And so does the Zyxel. All I have to do is click a check box to turn on v6. I was tempted to do that this past weekend, but then reality started to sink in when I thought about all my devices having direct connection to the Internet.
The ACLs between my segments might work, but they'd certainly have to be tested, and I didn't want to take the time to get started. I might also bork The Fetching Mrs. Wolfgang's TiVo connection, and that just wouldn't do.

I've been working in IT and networking for decades, and I still claim to be ignorant of many things. How would Joe Six-pack or Grandma Noodle-Soup handle setting up their home v4/v6 dual-stacked network?

Or, is v6 a clever ruse by state actors to increase the Internet's attack surface? :-)

Regards,
Lew

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
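An added illustration of the "ACLs would have to be tested" point above; this is not from Lew's or Per's posts, and the Zyxel's ACL language is not shown on this page, so the same segment policy is written here in Linux nftables as a stand-in. The interface names lan0 (wired segment) and wifi0 (Asus wifi segment) are assumed, and only the forward chain between segments is shown (the router's own input chain is omitted). The two tables are alternatives, not meant to be loaded together: the first is the v4-only rule set that works fine until the v6 check box is ticked, the second is the dual-stack version that keeps the default deny in place for both families.

```nft
# Added example, not from the thread. Interface names lan0/wifi0 are
# assumed; the Zyxel ACLs described above are approximated in nftables.

# 1. The v4-only rule set. The "ip" family hooks IPv4 only, so once IPv6
#    is enabled on the WAN, v6 packets between segments (and from the
#    Internet, if the router forwards them) never pass through this
#    table: the kernel's default for an unhooked family is accept.
table ip segfw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # only ssh and ipp may cross from the wired segment to wifi
        iifname "lan0" oifname "wifi0" tcp dport { 22, 631 } accept
    }
}

# 2. The dual-stack rule set. The "inet" family hooks IPv4 and IPv6
#    with one chain, so the same default deny and the same two
#    exceptions apply to v6 without a second copy of the rules.
table inet segfw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # v6 relies on these ICMPv6 types crossing the firewall; drop
        # them and path MTU discovery breaks, so connections hang
        # instead of failing cleanly. Blanket-dropping ICMPv6 is the
        # usual first surprise when v6 goes live behind a v4 policy.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        iifname "lan0" oifname "wifi0" tcp dport { 22, 631 } accept
    }
}
```

Load with nft -f and confirm with nft list ruleset that only the inet table is present. The test Lew describes is then straightforward: from a host on wifi0, a connection over v6 to a wired host on a port other than 22 or 631 should time out exactly as it does over v4, and a v6 ssh session should succeed. If the v6 attempt connects where the v4 one is dropped, the policy is still family-specific somewhere.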