Well, NZNOG 2013 has come and gone – and Into6 was there! We delivered two IPv6 security tutorials and a half-hour talk on same. Attendance seemed good, and the level of interest was very high.
The conference was a lot of fun – a lot of focused people. It’s rare at a conference that every session seems to have every delegate present, but the room seemed packed for just about every presentation. I learned a lot, especially about an interesting new direction in routing known as SDN – software defined networking. Also got to see some interesting, IPv6-capable and very cost-effective equipment from Mikrotik at the GoWirelessNZ stand.
Over the three days I was there, what I mostly saw was the inside of the conference venue, but on the Thursday evening we all went off to Zealandia, a huge nature reserve just outside Wellington. The thing is fenced off completely, with a tall, small-mesh fence that is impervious to the many non-native and very destructive pests that New Zealand has, such as possums, cats and mice. The idea is that native species can breed in safety inside this reserve, and the plan seems to be meeting with some real success. Several bird species, for example, are being seen again, far from the reserve. There was an introductory presentation which I found fascinating – did you know that New Zealand has no native mammals at all? All ecosystem niches that would on other continents be filled by mammals are filled by birds in New Zealand. Or they were until humans brought so many non-native pests along to decimate the wildlife :-(
It was interesting to see how far people had got with IPv6. I spoke to someone who multihomed with Kordia as one of their upstreams; they were unable to get IPv6 from Kordia. I also spoke to a couple of Kordia techs who were working on rolling out IPv6 so I guess happiness is in the offing :-) For others in the same boat, a tunnel might be the answer. Put in a 6in4 tunnel to a suitable endpoint, making sure the traffic reaches the other end of the tunnel via Kordia, and multihome across the tunnel. When Kordia catches up and offers native IPv6, just scrap the tunnel. For the amount of IPv6 traffic currently being moved by most enterprises, the tunnel is unlikely to present any performance issues, and because the tunnel is just a link, getting rid of it is as simple as making a routing change.
Our IPv6 security tutorial looked at some of the main ways IPv6 differs from IPv4, and then at how those differences have possible security implications. Things like the change from broadcast to multicast, the new protocols that arise from that and the issues they have. We looked at rogue RA, the weaknesses in current mitigation, RFC changes that will make mitigation easier and so on. We also looked at ND cache exhaustion and talked about the fact that at present there is no real defence against that – at least not for a network that has to be generally accessible. And of course we also looked at issues like newness, lack of operational experience, whether or not exposing MAC addresses is a security issue or a privacy issue and so on. If you’re interested in a similar tutorial, or a longer one with more depth and plenty of practical exercises, get in touch.
The talk the next day, being only 25 minutes long, was by necessity a very fast, high-level flight over some of the issues, but was well received. One point that seemed to resonate with people was the fact that a lot of the apparent security flaws in IPv6 may turn out to be irrelevant – until we get more operational experience, we don’t really know which flaws will be important and which we can ignore. At present, any security talk tends to make all of the various issues seem equally important, but they almost certainly are not going to be that way in practice.