Too Many Details Can Hurt You (or Why You Need the Fundamentals First)
The IPv6 Security Summit at the Troopers conference always has a few awesome IPv6 presentations (many people claim Troopers is the conference to attend if you’re serious about IPv6), and this year was no exception. A day after the MLD bashing, Enno Rey delivered a great in-depth presentation on DHCPv6 features and shortcomings.
It seems the DHCPv6 intricacies presented in that talk were too much for some of the attendees – that afternoon I accidentally stumbled upon a visibly distressed gentleman who started our chat with “How could anyone expect us to deploy IPv6 in a production environment?”
Me: Why would you say that?
Him: Did you know that Android still doesn’t support DHCPv6?
Me: That’s old news. There have been religious debates on this topic on the v6ops mailing list and we never got anywhere. I don’t expect it to change in the near future.
Him: But that’s unacceptable. How could a service provider deploy IPv6 in their network?
Me: There are plenty of service providers doing IPv6 right now. Some of them are even running IPv6-only networks with Android phones (example: T-Mobile).
Him: But service providers need stable customer IP addresses to reduce logging.
Me: In the 3G/LTE world every device gets its own /64 prefix. It’s easy to track users based on prefixes. (In DSL and cable environments every home CPE gets a delegated prefix, which is also easy to track.)
Him: You don’t get it. Service providers need deterministic NAT to reduce logging, and it’s impossible to do that if the device IP address changes.
Me: There’s no need for NAT in IPv6 (at least not in the environments we’ve been discussing; we might need NAT66 in other scenarios).
Him: You’re not listening. Deterministic NAT is a prerequisite.
At that point I decided I better leave and get a cup of chamomile tea.
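The point made in the exchange above, that a per-device /64 in mobile networks or a per-CPE delegated prefix in DSL/cable lets an operator attribute traffic to a subscriber from a single prefix-assignment record instead of per-session NAT state, as an added example that is not part of the original post. It assumes a constructed prefix-to-subscriber table and constructed flow-log lines; the subscriber names and 2001:db8::/32 documentation addresses are hypothetical.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed subscriber table (hypothetical values): the prefix the operator
# assigned, mapped to a subscriber identifier. A mobile device gets a /64;
# a home CPE on DSL/cable gets a delegated /56. This table is the only
# per-subscriber record the operator has to keep for attribution.
SUBSCRIBER_PREFIXES: Dict[ipaddress.IPv6Network, str] = {
    ipaddress.ip_network("2001:db8:1:a::/64"): "mobile-0001",
    ipaddress.ip_network("2001:db8:1:b::/64"): "mobile-0002",
    ipaddress.ip_network("2001:db8:ff00::/56"): "dsl-0042",
}

# Constructed flow-log lines: timestamp, source, destination, destination port.
# The first two lines come from the same device using two different
# privacy (RFC 4941) interface identifiers inside its /64.
SAMPLE_FLOW_LOG = """\
2024-01-01T10:00:00Z 2001:db8:1:a:1c4f:9e2a:77b1:3d02 2001:db8:cafe::80 443
2024-01-01T10:05:00Z 2001:db8:1:a:9ab3:f11:6e4d:c0de 2001:db8:cafe::80 443
2024-01-01T10:06:00Z 2001:db8:ff00:17:211:22ff:fe33:4455 2001:db8:beef::25 25
2024-01-01T10:07:00Z 2001:db8:9999::1 2001:db8:cafe::80 443
"""


def subscriber_for(addr: str) -> Optional[str]:
    """Longest-prefix match of a source address against the subscriber table.

    Returns the subscriber id, or None if the address is not inside any
    assigned prefix (for example spoofed, or from an unmanaged range).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    best: Optional[Tuple[int, str]] = None
    for net, subscriber in SUBSCRIBER_PREFIXES.items():
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, subscriber)
    return best[1] if best else None


def attribute_flows(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group flow records by subscriber.

    Each value is a list of (timestamp, source address). Flows whose source
    falls outside every assigned prefix land under the key "unattributed"
    so they can be alerted on rather than silently dropped.
    """
    groups: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, src, _dst, _port = line.split()
        groups[subscriber_for(src) or "unattributed"].append((timestamp, src))
    return dict(groups)


def logging_footprint(log_text: str) -> Tuple[int, int]:
    """Compare what must be stored to answer "who used this address?".

    Returns (prefix assignments needed, per-session records needed): with
    per-subscriber prefixes one assignment record per subscriber suffices,
    whereas NAT-based attribution needs one record per translated session.
    """
    flows = attribute_flows(log_text)
    sessions = sum(len(v) for v in flows.values())
    subscribers = len([k for k in flows if k != "unattributed"])
    return subscribers, sessions


if __name__ == "__main__":
    for subscriber, flows in attribute_flows(SAMPLE_FLOW_LOG).items():
        print(subscriber, [src for _, src in flows])
    print("prefix records vs session records:", logging_footprint(SAMPLE_FLOW_LOG))
```

The interface identifier changes between the first two flows, yet both resolve to the same /64 and therefore the same subscriber; the lookup never needs a NAT binding table. The "unattributed" bucket is the operational check worth keeping: an address that matches no assigned prefix should raise a ticket, not disappear from the report.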
For more dialogs like the one above, watch this excellent video by Andrew Yourtschenko.
Takeaway
It’s disheartening to see that many network and security engineers still don’t get the basics of IPv6 at a time when it’s becoming a Mission Impossible to get a reasonable-sized block of public IPv4 addresses.
To make matters even more depressing, it’s not hard to get that knowledge; you just have to (A) admit you need it, (B) forget every preconception you have about IPv4, (C) accept that IPv6 is just different and (D) do something about your lack of knowledge.
To help you get started, I put together a list of IPv6-related resources (including plenty of free presentations and deployment guidelines).