On 23 mar 2010, at 16.48, Rémi Denis-Courmont wrote:

>>
>> It was also argued that attacks of this kind simply don't exist in IPv6.
>
> Which is true.
>
>> That sounds like the argument that faults in the space shuttle o-ring
>> haven't caused explosions before, so it's safe.
>
> No. It's just an argument that operating systems have already been fixed
> *before* they implemented IPv6. Common attack vectors are in different
> (higher) parts of the software stack, against which stateful firewalls are
> totally helpless.

If we believe that the attacks that today exist in IPv4 won't exist in IPv6, I think we are highly underestimating the investments in the underground economy. I am convinced we will see the same level of attacks and exploits for IPv6 as for IPv4.

That said, I am not convinced that any security in the CPE will protect against that, just as NAT didn't protect in IPv4. However, I don't think that is the issue that we are trying to address with the simple security draft.

Best regards,

- kurtis -