Re: simple security
On 3/24/10 7:26 PM, Lindqvist Kurt Erik wrote:
On 24 mar 2010, at 13.22, Mark Townsley wrote:
If we believe that the attacks that today exist in IPv4 won't exist in IPv6 I think we are highly underestimating the investments in the underground economy. I am convinced we will see the same level of attacks and exploits for IPv6 as for IPv4. That said, I am not convinced that any security in the CPE will protect against that, just as NAT didn't protect in IPv4. However, I don't think that is the issue that we are trying to address with the simple security draft.
Application level attacks will surely be the same.
L3/L4 attacks will match the vulnerabilities of the OSes under attack. 90s and early-2000 era IPv4-only stacks are different than today's IPv6 (and IPv4) stacks. There will definitely be overlap in both vulnerabilities and attack methods, but I still think it will be a subset of what we saw in yesteryear.
I would agree with this, but I also think that the current simple security draft does address that overlap.
It mimics IPv4, so addresses quite a bit more than just the overlap.
I do think that CPE security could protect against future attacks, just not the CPE security defined in draft-ietf-v6ops-simple-security...
Could you elaborate in more detail what you think should change?
draft-vyncke-advanced-ipv6-security-01 is a start.
Also, simply letting people know that running without an IPv6 firewall, today, is not as dangerous as running without an IPv4 firewall, today.
- Mark
Best regards,
- kurtis -