Caught in the cross fire

“Security experts are urging Microsoft and Juniper to patch a year-old IPv6 vulnerability so dangerous it can freeze any Windows machine on a LAN in a matter of minutes.” So starts this Computerworld article.
There are obviously some politics somewhere in this story, but nonetheless a year is a long time for any DoS vulnerability to be ignored. Juniper blame an RFC and Microsoft don’t seem to care. Cisco equipment was vulnerable, but they patched last year. The thing is, IPv6 is enabled by default on standard machine builds, so your equipment is exposed whether or not you are using IPv6: the impact of the vulnerability is to exhaust the resources of the whole box, not just its IPv6 stack.
This marks the beginning of an emerging ‘no man’s land’ of conflict between IPv4 and IPv6. OS vendors like Apple and Microsoft have been shipping IPv6-activated builds for a long time. Goodness only knows how many millions of IPv6 stacks are already inside our networks offering another attack vector for viruses and hackers, even though they aren’t in use. On the other side of the fence, ISPs and other vendors of routers and firewalls are slow to adopt or protect IPv6. When I contacted my ISP about the possibility of IPv6 address space they were positively defensive, to the extent that they suggested (in writing) there were no benefits to IPv6. Either they are badly educated or simply mischievous, but neither option inspires confidence.
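The first step in dealing with those dormant IPv6 stacks is knowing which of your machines have one live on the wire. The script below is an added example (not from the original post): it parses the text of Windows `ipconfig /all` and reports every adapter that carries an IPv6 address. A link-local `fe80::` address on its own is enough to prove the stack is bound and listening on that segment, and a Teredo address (the `2001:0::/32` prefix) means the host is also reachable from the IPv6 internet through an IPv4 UDP tunnel. The `ipconfig` text it runs over is constructed to match the real layout and is not captured output; the adapter names and addresses in it are made up.

```python
"""Inventory which adapters in an `ipconfig /all` dump have the IPv6 stack active.

Added example, not code from the original post. SAMPLE_IPCONFIG is constructed
in the layout of Windows `ipconfig /all` output; it is not a real capture.
"""
import ipaddress
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION01

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AB-CD-EF
   Link-local IPv6 Address . . . . . : fe80::5c3a:1b2f:9d4e:77a1%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Ethernet adapter Management:

   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-0C-29-12-34-56
   IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:1c2f:3a5b:3f57:fe6a(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1c2f:3a5b:3f57:fe6a%13(Preferred)
   Default Gateway . . . . . . . . . : ::
"""

# "Ethernet adapter X:" / "Tunnel adapter X:" headers; value lines are indented.
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")


def classify(addr: ipaddress.IPv6Address) -> str:
    """Label why this address matters to an attacker on the LAN or the internet."""
    if addr.is_link_local:
        # Windows assigns fe80::/10 automatically whenever IPv6 is bound, so a
        # link-local address alone proves the stack is live on that segment.
        return "link-local (stack active on segment)"
    if addr.teredo is not None:
        return "Teredo tunnel (reachable from the IPv6 internet over IPv4 UDP)"
    if addr.is_global:
        return "global (routable)"
    return "other"


def ipv6_enabled_adapters(ipconfig_text: str) -> dict:
    """Map adapter name -> [(address, classification)] for every IPv6 address seen."""
    found = {}
    current = None
    for line in ipconfig_text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None or "IPv6 Address" not in line or ": " not in line:
            continue
        value = line.split(": ", 1)[1].strip()
        # Strip the zone id (%11) and the "(Preferred)" state suffix.
        raw = value.split("%", 1)[0].split("(", 1)[0]
        try:
            addr = ipaddress.IPv6Address(raw)
        except ValueError:
            continue
        found.setdefault(current, []).append((str(addr), classify(addr)))
    return found


if __name__ == "__main__":
    for adapter, addrs in ipv6_enabled_adapters(SAMPLE_IPCONFIG).items():
        print(adapter)
        for addr, kind in addrs:
            print(f"    {addr}  {kind}")
```

On a fleet, feed it the output collected from each host; any adapter listed is one where IPv6 traffic from the local segment will be processed whether or not anybody configured IPv6, which is exactly the exposure the paragraph above describes. Adapters that never appear (the "Management" adapter in the sample) have IPv6 unbound.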
So some parts of the internet are moving forward while other parts show little interest in moving at all, or appear to be digging in on IPv4 for the long haul. I seem to be coming across more instances of double NAT and the use of private IP address space on public routes. If I were cynical I would think ISPs are only interested in selling their private cloud space to solve the design problems of their public address space. Or maybe they are only interested in the status quo, because fixing things means effort and effort means money. I know of at least one situation where the customer has been forced to route through their DR connection to make core protocols work, because the ISP won’t change their practice of using private IP addresses in public routes.
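Private addresses on a public path are easy to spot once you look for them. The following is an added example, not code from the original post: it parses Linux `traceroute` output and flags every hop beyond your own edge router that sits in RFC 1918 space or in the carrier-grade NAT range 100.64.0.0/10 (RFC 6598). A first hop on 192.168.x.x is your own gateway and expected; a second or third hop in private or CGNAT space means the ISP is carrying non-public addresses on the path, and very likely that you are behind double NAT. The traceroute text is constructed from the documentation address ranges to illustrate the pattern and is not a real capture.

```python
"""Flag private (RFC 1918) and carrier-grade NAT (RFC 6598) hops on a public path.

Added example, not code from the original post. SAMPLE_TRACEROUTE is constructed
in the layout of Linux `traceroute` output using documentation and private
address ranges; it is not a real capture.
"""
import ipaddress
import re

SAMPLE_TRACEROUTE = """\
traceroute to mail.example.net (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.380 ms  0.355 ms
 2  100.64.12.1 (100.64.12.1)  9.812 ms  9.790 ms  9.760 ms
 3  10.255.0.17 (10.255.0.17)  10.201 ms  10.180 ms  10.150 ms
 4  198.51.100.33 (198.51.100.33)  14.510 ms  14.480 ms  14.450 ms
 5  * * *
 6  203.0.113.10 (203.0.113.10)  22.103 ms  22.080 ms  22.050 ms
"""

# Ranges that should never appear as router addresses on a public path
# beyond the customer's own edge.
NON_PUBLIC = [
    (ipaddress.ip_network("10.0.0.0/8"), "RFC1918 10.0.0.0/8"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC1918 172.16.0.0/12"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC1918 192.168.0.0/16"),
    (ipaddress.ip_network("100.64.0.0/10"), "CGNAT 100.64.0.0/10 (RFC 6598)"),
]

# " 2  100.64.12.1 (100.64.12.1)  9.812 ms ..." -> hop number and address in parens.
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_hops(text):
    """Yield (hop_number, IPv4Address) for every hop that answered."""
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:  # silent hops ("* * *") do not match and are skipped
            yield int(m.group(1)), ipaddress.IPv4Address(m.group(2))


def label_non_public(addr):
    """Return the matching non-public range label, or None for a public address."""
    for net, label in NON_PUBLIC:
        if addr in net:
            return label
    return None


def private_hops_on_path(text, own_edge_hops=1):
    """Return [(hop, address, label)] for non-public hops past your own edge.

    own_edge_hops: how many leading hops are your own routers. A home or office
    gateway on 192.168.x.x at hop 1 is expected, so it is not reported by default.
    """
    return [
        (hop, str(addr), label_non_public(addr))
        for hop, addr in parse_hops(text)
        if hop > own_edge_hops and label_non_public(addr) is not None
    ]


if __name__ == "__main__":
    for hop, addr, label in private_hops_on_path(SAMPLE_TRACEROUTE):
        print(f"hop {hop}: {addr} is in {label}")
```

Hops flagged this way are also the ones whose ICMP errors (TTL exceeded, fragmentation needed) get dropped by anti-spoofing filters that reject packets sourced from private space, which is one well-known way path MTU discovery, and traceroute itself, break across such a link. Raise `own_edge_hops` if more than one of the leading hops is your own equipment.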
As an aside, it’s an interesting legal question. If you’re in a contract with your ISP and you can browse the internet but can’t get one in four emails into your primary MX, is your ISP in breach of contract? In this instance the ISP took a close look but was convinced it’s not a problem they are obligated to fix.
We’re likely to see more of these “holes” emerging, both on the security side and on the basic routing side, as the gap grows. We can expect to see both the ignorance problem and the mischief problem. No man’s land will likely grow in size, and it won’t be any fun standing in the crossfire between ISPs who won’t acknowledge or fix their growing IPv4 problems, OS vendors who are shipping IPv6-enabled everything, and router/firewall vendors who don’t implement full dual-stack IPv6 support properly.
