
Re: simple security



On 3/24/10 4:14 AM, Lindqvist Kurt Erik wrote:
> On 23 mar 2010, at 16.48, Rémi Denis-Courmont wrote:
>
>>>> It was also argued that attacks of this kind simply don't exist in IPv6.
>>>> Which is true.
>>>
>>> That sounds like the argument that faults in the space shuttle O-ring
>>> haven't caused explosions before, so it's safe.
>>
>> No. It's just an argument that operating systems have already been fixed
>> *before* they implemented IPv6. Common attack vectors are in different
>> (higher) parts of the software stack, against which stateful firewalls are
>> totally helpless.
>
> If we believe that the attacks that today exist in IPv4 won't exist in IPv6, I think we are highly underestimating the investments in the underground economy. I am convinced we will see the same level of attacks and exploits for IPv6 as for IPv4. That said, I am not convinced that any security in the CPE will protect against that, just as NAT didn't protect in IPv4. However, I don't think that is the issue that we are trying to address with the simple security draft.
Application level attacks will surely be the same.

L3/L4 attacks will match the vulnerabilities of the OSes under attack. '90s and early-2000s era IPv4-only stacks are different from today's IPv6 (and IPv4) stacks. There will definitely be overlap in both vulnerabilities and attack methods, but I still think it will be a subset of what we saw in yesteryear.

I do think that CPE security could protect against future attacks, just not the CPE security defined in draft-ietf-v6ops-simple-security...

- Mark

> Best regards,
>
> - kurtis -