IPv6 Transition/Co-existence Security Overview draft-ietf-v6ops-security-overview-03

Slides: 7
Provided by: elwynd
Learn more at: https://www.ietf.org

1
IPv6 Transition/Co-existence Security Overview
draft-ietf-v6ops-security-overview-03
  • Elwyn Davies
  • Suresh Krishnan
  • Pekka Savola
  • IETF-64, Paris, 7 November 2005

2
Status
  • Finished 2nd WG Last Call 20 August 2005 on
    version -02
  • Significant comments received from Tim Chown
  • Version 03 addresses these comments
  • Discussion with Fernando Gont re.
    draft-gont-tcpm-icmp-attacks-05 suggests need to
    reference this doc

3
Major Changes from -02 to -03
  • s2.1.11.1 (Securing Router Adverts) promoted to
    s2.1.12
  • New s2.1.12: Added note on possible DoS
    attacks due to malicious deprecation of prefixes
    with and without IPv6 Router Selection option.
  • Added new s2.1.13: Documenting security issues
    with Host-Router Load Sharing
  • s3.3: Added extra paragraph and figure 1 at end
    suggesting routing of traffic through IPv6 and
    IPv4 firewalls with tunnel endpoint between them

4
Changes from -02 to -03 - contd
  • s4.1: Completely rewritten (was very weak and
    not really security oriented). Now called
    "Avoiding the Trap of Insecure IPv6 Service
    Piloting"
  • s4.3: Added additional example of DHCP servers
    for guessable addresses
  • s4.4: Added comment emphasising that
    multiaddressing is the norm, not the exception
  • s4.4: Added note that privacy addresses can only
    be disabled by using full stateful DHCPv6

5
Changes from -02 to -03 - contd
  • Appendix A: Added comment that RFC 3041 addresses
    can only be used behind 6to4 router if host is
    not to be reachable from elsewhere.
  • Appendix B: Added reference to Network
    Architecture Protection draft
  • Appendix B.3: Added note that many users would
    like a static /48 so they can host services.

6
Next steps
  • Add note of Gont draft
  • New version and 3rd WG Last Call
  • Hopefully Document ready for IETF Last Call
  • Authors
  • Elwyn Davies elwynd_at_dial.pipex.com
  • Suresh Krishnan suresh.krishnan_at_ericsson.com
  • Pekka Savola - pekkas_at_netcore.fi