Kamis, 30 September 2010

Kundra IPv6 Memo

I've written a few posts on IPv6 here. I read the short Transition to IPv6 Memo (.pdf) written by Federal CTO Vivek Kundra. I'd like to comment on two of the assumptions he makes in that memo:

The Federal government must transition to IPv6 in order to...

1. Reduce complexity and increase transparency of Internet services by eliminating the architectural need to rely on Network Address Translation (NAT) technologies;

2. Enable ubiquitous security services for end-to-end network communications that will serve as the foundation for securing future Federal IT systems;


I find the first point laughable. Anyone who has even obliquely worked with IPv6 knows that adopting the protocol will massively increase complexity, whether IPv6 is used natively or especially if it's used in a conjunction with IPv4. Take a few minutes to look at all the extra addresses an IPv6-enabled system provides to see what I mean. Complexity and unfamiliarity with configuring IPv6 will introduce exposures that intruders will exploit. IPv6 stacks are likely to possess vulnerabilities that intruders will also attack. Finally, did you know that many networks will keep NAT even with IPv6? The "abolish NAT" argument is just false.

The second point represents what I think is a a fundamental misunderstanding concerning IPv6. I've written about this before too, but the point is simple: IPv6 is not inherently more secure than IPv4. You can introduce the same level of "security" in IPv4 as you can with IPv6. In fact, IPv6 is in many ways less secure than IPv4; check out all the auto-configuration protocols included with IPv6. Anyone who thinks making "IPSec mandatory in IPv6" means IPSec must be enabled isn't paying attention. "IPSec mandatory in IPv6" means IPv6 must offer IPSec, not that it be enabled [RMB: fixed error, thank you!]. Since you can run IPv4 with IPSec now, there's no advantage to IPv6 in this regard.

I'd also like to comment on the two major directives in the memo:

In order to facilitate timely and effective IPv6 adoption, agencies shall:

1. Upgrade public/external facing servers and services (e.g. web, email, DNS, ISP services, etc) to operationally use native IPv6 by the end of FY 2012;

2. Upgrade internal client applications that communicate with public Internet servers and supporting enterprise networks to operationally use native IPv6 by the end of FY 2014;


There's also a footnote for the first point:

To ensure interoperability, it is expected that agencies will also continue running IPv4 into the foreseeable future.

I think the first point means Federal servers will offer IPv4 and IPv6 services. I think they mean dual-stack will be allowed. I think the "native" comment means that Federal servers are not allowed to run only IPv4 but be accessible via an IPv6 gateway.

The second point is probably similar, meaning clients will have IPv6 addresses and speak directly to other IPv6 hosts without requiring gateways. That is going to be a security nightmare since the goal of IPv6 is to restore "end to end connectivity," which is inherently at odds with security.

What's your take on this IPv6 issue?

0 komentar:

Posting Komentar