Hail NANOG!
I am looking for IPv6 security resources to add to:
http://www.internetsociety.org/deploy360/ipv6/security/
These could be best current practice documents, case-studies,
lessons-learned/issues-found, research/evaluations, RFCs, or anything else
focused on IPv6 security really.
I'm not requesting that anyone do any new work, just that you point me to
solid public documents that already exist. Feel free to share on-list or
privately, both documents you may have authored and those you have found
helpful.
Thanks!
~Chris
Note: Not every document shared will get posted to the Deploy360 site.
Chris
Some that come to my mind:
draft-ietf-v6ops-balanced-ipv6-security and (not sure how up to date is
this one) RFC 6092 Recommended Simple Security Capabilities in Customer
Premises Equipment (CPE) for Providing Residential IPv6 Internet Service
RFC 5157 IPv6 Implications for Network Scanning and
draft-ietf-opsec-ipv6-host-scanning
RFC 6104, 6105, 7113 All about Router Advertisement Guard (RA-Guard)
draft-ietf-opsec-v6
RFC 6583 Operational Neighbor Discovery Problems
Regards
as
Hi,
Perhaps https://tools.ietf.org/html/rfc7217 might also fit in the list.
Chris,
Are you aware IPv6 has 3 or arguably 4 major generations of standards?
Each generation requires nuanced defense strategies, based on which clauses
("must" and "should") were implemented. Some of the derived security works,
do not reflect, and in some cases contradict current security
recommendations. The perceived newness of the technology, and ambiguities
of recommendations have resulted in 'pushback' by the security community to
implement IPv6. This has forced us to continue with the implement of IPv6
and 'trust' the vender recommendations, based on the limitations of that
venders products.
In the cracks, between the standards and implementation of these standards,
are where security vulnerabilities exist, compromises lay, and defenses
crumble.
Joe Klein
"Inveniam viam aut faciam"
Hi,
Chris,
Are you aware IPv6 has 3 or arguably 4 major generations of standards?
Each generation requires nuanced defense strategies, based on which clauses
("must" and "should") were implemented. Some of the derived security works,
do not reflect, and in some cases contradict current security
recommendations.
both very good points, Joe, which I fully second.
This is - to some degree - discussed in this talk:
https://www.ernw.de/download/TROOPERS_IPv6SecSummit_ERNW_IPv6_Structural_Deficits.pdf
which I suggest to add to the resource list in compilation.
[disclaimer: I'm the author]
best
Enno
The perceived newness of the technology, and ambiguities
Hi, Chris,
Hail NANOG!
I am looking for IPv6 security resources to add to:
http://www.internetsociety.org/deploy360/ipv6/security/
This is stuff that I've authored or that I've been involved in:
**** Tools ****
* (Open Source) IPv6 Security Toolkit:
<http://www.si6networks.com/tools/ipv6toolkit/index.html>
**** Articles ****
This site links all the articles that I've written so far:
<http://www.si6networks.com/publications/articles.html>.
They tend to cover stuff that I've covered in IETF RFCs, but in a more
synthetic and human-readable way.
Note while stuffed with some adds (Techtarget has to make money
somehow), the full content of the articles is online, without the
requirement of creating an account or anything.... just scroll down.
**** IETF RFCs & Internet Drafts ****
Most of what I've published at the IETF in the last few years is
IPv6-securty related. Please check:
<http://datatracker.ietf.org/doc/search/?name=&rfcs=on&activedrafts=on&olddrafts=on&sort=&by=author&author=Gont>
Of particular interest would be:
* draft-ietf-6man-ipv6-address-generation-privacy
* draft-ietf-opsec-ipv6-host-scanning
* RFC6980
* RFC7112
* RFC7113
* RFC7123
* RFC7217
* RFC7359
**** Presentations (slides & videos) ****
* Slides: <http://www.si6networks.com/presentations/index.html>
(More to be uploaded soon... please re-check in a week or so)
* Videos: <https://www.youtube.com/user/SI6Networks>
**** On-line communities ****
* IPv6 Hackers mailing-list:
<http://lists.si6networks.com/listinfo/ipv6hackers/>
* IPv6 Hackers web site: <http://www.ipv6hackers.org>
This site includes the slideware (and videos) of the first (and so far
only) IPv6 hackers meeting in Berlin 2013.
Thanks!
Best regards,