> "There is no reason to believe that IPv6 will result in an increased use
> of IPsec."
> 
> Bull. The biggest barrier to IPsec use has been NAT! If an intermediate
> router has to rewrite the packet to change the apparent source and/or
> destination addresses, then the cryptographic signature will show it,
> and the packet will be correctly identified as having been tampered with!
> 

It's hardly difficult to get around that now, is it? You are wrong: the
biggest barrier is that it is not desirable to do this, as there are
many reasons for firewalls to inspect incoming packets. I don't agree
with things like central virus scanning, especially by damn ISPs using
crappy Huawei hardware, deep-inspection traffic shaping rather than
pure bandwidth usage tracking, or active IDS myself, but I do agree
with scrubbing packets.

> With IPsec, NAT is unnecessary. (You can still use it if you need
> it...but please try to avoid it!)
> 

Actually it is no problem at all and is far better than some of the
rubbish IPv6 encourages client apps to do. (See the links I sent in the
other mail.)

> Re "DNS support for IPv6"
> 
> "Increased size of DNS responses due to larger addresses might be
> exploited for DDos attacks"
> 
> That's not even significant. Have you looked at the size of DNS
> responses? The increased size of the address pales in comparison to the
> amount of other data already stuffed into the packet.

It's been ages since I looked at that link, and longer addresses would
certainly be needed anyway, but certainly with DNSSEC, again concocted by
costly, unthoughtful and unengaging groups who chose to ignore DJB
and enabled amplification attacks.

His latest on the "DNS security mess"

http://cr.yp.to/talks/2013.02.07/slides.pdf

> "An attacker can connect to an IPv4-only network, and forge IPv6 Router
> Advertisement messages. (*)"

> Again, this depends on them being on the same layer 2 network segment.

> The same class of attacks would be possible for any IPv4 successor that
> implemented either RAs or DHCP.

Neither of which I use.

As I said we would be here all day and that link wasn't as good as the
one I was actually looking for.

Local NAT done right is no problem and actually a good thing, and I have
no issues playing games, running servers or anything else behind NAT.
Global NAT works well enough but isn't a good thing and wouldn't exist
if they had simply added more addresses quickly. The hardware uptake
would have been no issue rather than a decade of pleas.

We haven't even touched on the code yet, and so all the vulnerable
(especially home) hardware, which yes often has vulnerable sps anyway, but
by no means just home hardware.

The ipvshit links give an insight into the code complexity. Note
OpenBSD's kernel, which is very secure (unlike Linux, whose primary goal is
function) and has had just a few remote holes in well over a decade, one
of which was in IPv6 and which I had avoided without downtime because I
won't, and what's more shouldn't, use IPv6 wherever possible and had
actually removed it from the kernel altogether.

If I am trolling rather than simply trying to make people aware, then
stating IPv6 is wonderful is trolling just as much or more.

Regards,
        Kc

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
_______________________________________________________________________
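The exchange above argues over whether NAT breaks IPsec. The following is an added illustration, not code from the thread or from any IPsec implementation: a constructed, simplified packet model in which HMAC-SHA256 stands in for the AH integrity check value. It shows why an AH-protected packet survives an ordinary router (which only decrements TTL, a field AH deliberately zeroes before hashing) but fails verification after a source NAT rewrites the address, and why ESP in tunnel mode, whose ICV does not cover the outer IP header, survives the same NAT. The packet layout, key and addresses are all constructed for the demo.

```python
"""Constructed demo: NAT versus IPsec AH and ESP-tunnel integrity checks.
Not real IPsec: HMAC-SHA256 stands in for the ICV and the packet format
is a minimal dataclass, but the coverage rules mirror the real protocols."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class Packet:
    src: str        # source IP address (v4 or v6 text form)
    dst: str        # destination IP address
    ttl: int        # hop limit, mutable in transit
    payload: bytes  # upper-layer data (or an encapsulated inner packet)
    icv: bytes = b""  # integrity check value, empty until signed


def _ah_covered_bytes(pkt: Packet) -> bytes:
    # AH authenticates the IP header as well as the payload. Mutable fields
    # such as TTL are zeroed before hashing; addresses are treated as
    # immutable, which is exactly what a NAT violates.
    return (ipaddress.ip_address(pkt.src).packed
            + ipaddress.ip_address(pkt.dst).packed
            + b"\x00"                      # TTL zeroed (mutable field)
            + pkt.payload)


def ah_sign(pkt: Packet, key: bytes) -> Packet:
    tag = hmac.new(key, _ah_covered_bytes(pkt), hashlib.sha256).digest()
    return replace(pkt, icv=tag)


def ah_verify(pkt: Packet, key: bytes) -> bool:
    expected = hmac.new(key, _ah_covered_bytes(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.icv)


def esp_tunnel_sign(inner: Packet, outer_src: str, outer_dst: str,
                    key: bytes) -> Packet:
    # ESP tunnel mode protects the whole inner packet and wraps it in a new
    # outer header. The outer header is not covered by the ICV, so a NAT may
    # rewrite it freely (this is what makes NAT traversal possible).
    inner_bytes = _ah_covered_bytes(inner)   # reuse the serializer for the inner packet
    tag = hmac.new(key, inner_bytes, hashlib.sha256).digest()
    return Packet(outer_src, outer_dst, 64, inner_bytes, tag)


def esp_tunnel_verify(pkt: Packet, key: bytes) -> bool:
    expected = hmac.new(key, pkt.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.icv)


def forward_through_router(pkt: Packet) -> Packet:
    # A plain router only decrements the hop limit.
    return replace(pkt, ttl=pkt.ttl - 1)


def forward_through_nat(pkt: Packet, public_src: str) -> Packet:
    # A source NAT additionally rewrites the source address.
    return replace(pkt, ttl=pkt.ttl - 1, src=public_src)


def demo() -> dict:
    key = b"constructed-demo-key"           # constructed shared key
    inner = Packet("10.0.0.5", "203.0.113.7", 64, b"hello")   # constructed
    ah_pkt = ah_sign(inner, key)
    esp_pkt = esp_tunnel_sign(inner, "10.0.0.5", "203.0.113.7", key)
    return {
        "ah_via_router": ah_verify(forward_through_router(ah_pkt), key),
        "ah_via_nat": ah_verify(forward_through_nat(ah_pkt, "198.51.100.1"), key),
        "esp_tunnel_via_nat": esp_tunnel_verify(
            forward_through_nat(esp_pkt, "198.51.100.1"), key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

The same model works unchanged for IPv6 addresses, since `ipaddress.ip_address(...).packed` yields 16 bytes for them; the point is that NAT breaks AH regardless of address family, while ESP tunnel mode (in practice with UDP encapsulation) tolerates it.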