May 2009 Archives

Today, Microsoft released Service Pack 2 for Vista and Windows 2008. There's a noteworthy IPv6 bugfix in SP2 regarding DHCPv6. Vista probably has the best DHCPv6 support of any OS I've used (in that its DHCPv6 client actually works and doesn't require extensive, manual configuration).

It does have one bug: It mangles DNS search domain lists (e.g., ",,"). Windows 2008 SP 1's DHCPv6 server malforms the list, and Vista SP1 expects the list to be malformed. Things work fine if you have Microsoft DHCPv6 software everywhere, but in mixed environments, the DNS search domains will get broken.

This is fixed in SP2 for Windows 2008 and Vista. Happy patching.

IPv6 management

| | Comments (2) | TrackBacks (1)

Today, VMware released vSphere 4.0. vSphere 4.0 has several new IPv6 features:

  • IPv6 TSO and checksum offloading
  • Service Console is reachable over IPv6
  • vmkernel has IPv6 support
I'm particularly happy that the Service Console supports IPv6. A long-standing issue has been: Can I manage my infrastructure components over IPv6? For too many devices, the answer is no.

In ET, we've made IPv6 support an issue. Fortunately, we can manage our IP-based serial consoles and our IP-based KVM over IPv6. Even our networked printer can be managed over IPv6 (following an upgrade to a newer JetDirect card). If you're careful about what you buy, you can get a fair bit of your management network IPv6-ified.

Now if IBM would just add IPv6 support to the BladeCenter Management Module....

A few months ago, I made a post about IPv6 security. I've caught some flak for saying that IPv6 isn't a security issue. I still stand by this position.

This is not to say that you should ignore security considersations when deploying IPv6. All I claim is that deploying IPv6 in and of itself does not make an organization any more or less secure. This point was made by Dr. Joe St. Sauver, of the University of Oregon, in an excellent talk on IPv6 security at the Winter 2009 Internet2 Joint Techs meeting (video is also available). Joe's talk is the most level-headed analysis of IPv6 security I've seen. I highly recommend watching it.

Earlier this month, Derrick Webber posted an article entitled, "The coming IPv6 security disaster". For the most part, I agree with his conclusion: If organizations wait to deploy IPv6 until IPv4 is depleted, they will most likely rush to deploy IPv6, and the ensuing sloppiness will have security implications. But this doesn't seem to me to be an IPv6-specific issue; the same could be said for practically any technology (in his defense, Weber admits this).

Having said that, there are aspects of IPv6 which need to be addressed. These include securing Router Advertisements, handling fragment reassembly and analysis, and the lack of NDP and DHCPv6 inspection in edge switches.

Another common concern are the "transition" mechanisms, such as dual-stack and tunneling. Securing dual-stack networks isn't that difficult: For the most part, you mirror your security policies from IPv4 to IPv6 (accomodating protocol-specific differences, such as ICMPv6 filtering). As for tunneling, I don't have much good to say about it. I certainly recommend avoiding 6to4 and Teredo whenever possible. Both systems tend to be very slow. Many firewalls can't filter them (but most firewalls can't filter many other tunneled protocols either). I understand that it's easy for me to dismiss tunneling, since I work at an institution with native IPv6 access. If you're going to tunnel, at least use a static one from a reputable tunnel broker.

Of course, with any code, there are bound to be implementation bugs. Most recently, Stephan Lagerholm alterted the IPv6 community to a particularly nasty ICMPv6 bug that was patched in Mac OS X 10.5.7 (so go patch if you haven't already). Of course, the 10.5.7 update fixed several other remotely exploitable bugs that have nothing to do with IPv6, some of which are pretty serious. To repeat a line from my earlier blog post: Implementation bugs in any piece of software are inevitable. When we find them, we patch the affected systems. This is true of IPv4, IPv6, Apache, sendmail, IOS, OpenSSL the VMware hypervisor, etc. Keep your wits about you, and sign up for the appropriate mailing lists.

At Penn State, as part of ITS' IPv6 planning process, I've been working with our security office to develop list of security requirements for IPv6-only networks. In other words, if a unit wants to deploy an IPv6-only network, what does ITS have to do first, to enable them to be incompliance with various University policies (such as AD-20 and iPAS Phase II). It's more of a hypothetical exercise today, as we could use private IPv4 addresses to contact internal resources (such as update servers, syslog servers, etc), but it was still a very useful exercice. The good news is that we're well on the way to IPv6-enabling several of these services (watch this space, big announcement should be coming soon).

By the way, I can't say enough positive things about the book, IPv6 Security by Scott Hogg and Eric Vyncke. It's an excellent book that covers the common attacks on IPv6 networks, and presents a realistic, vendor neutral view of the current state of IPv6 security. For readers at Penn State, the book is available online via the University Library's Safari subscription. I also encourage PSU readers to consult the IPv6 Security page in the University Wiki.

Deploying IPv6 won't make you any more or less secure. But like any "new" technology, it takes time to deploy it right. So start now!

It's been a few months since my last stats update, and there's been some progress:

New IPv6-reachable DNS:

  • Northern Lights GigaPOP
  • University of Minnessota
  • University of Washington

At Penn State, we IPv6-enabled one more of our root servers, bringing our total to 50%.

For the top-level domains, we picked up a few more IPv6-reachable domains: Madagascar, Macau, and Somalia. But we lost Niue.

Internet2 Email:

There's been good progress IPv6-enabling DNS in Internet2, but much less progress with email servers. Recently, there's been some progress: University of Maine and Virginia Tech have IPv6-enabled their incoming mail servers. However, the University of South Florida took down their IPv6 mail server in late March. Only five members of Internet2 have IPv6-reachable email servers:

  • 3ROX
  • KanREN
  • UCLA
  • U. Maine
  • Virginia Tech

This doesn't compare favorably to the 45 I2 members with IPv6-reachable DNS.