While there is a – rapidly – growing pressure to deploy IPv6 at least on the public facing systems of many organizations, network-/sysadmins face a huge number of IPv6 security issues which are only partially solved so far. This includes security problems related to extension headers and/or fragmentation, the continued failure of security products to offer their full range of capabilities for IPv6 traffic or architectural flaws (like unauthenticated router advertisements while at the same time the operationally most feasible control [RA Guard] being easily bypassable for attackers). In this talk I’ll discuss what the historical and design level reasons for this state are and what this means for the mid-term future, with regard to IPv6 security. Gaining insight into these contexts might help IPv6 network engineers to direct their resources and energy into the right direction and to take well-informed decisions when it comes to design choices or product selection.
Enno Rey @Enno_Insinuator is an old school network security guy who has been involved with IPv6 since 1999. In the last years he has contributed to many IPv6 projects in very large environments, both on a planning and on a technical implementation level.