public inbox for gentoo-user@lists.gentoo.org
From: Kevin Chadwick <ma1l1ists@yahoo.co.uk>
To: gentoo-user@lists.gentoo.org
Subject: Re: [Bulk] Re: [gentoo-user] /etc/hosts include file?
Date: Sat, 9 Mar 2013 12:53:04 +0000
Message-ID: <205134.5515.bm@smtp151.mail.ir2.yahoo.com>
In-Reply-To: <513AAA9D.60806@gmail.com>

> "There is no reason to believe that IPv6 will result in an increased use
> of IPsec."
> 
> Bull. The biggest barrier to IPsec use has been NAT! If an intermediate
> router has to rewrite the packet to change the apparent source and/or
> destination addresses, then the cryptographic signature will show it,
> and the packet will be correctly identified as having been tampered with!
> 

It's hardly difficult to get around that now, is it? You are wrong; the
biggest barrier is that it is not desirable to do this, as there are
many reasons for firewalls to inspect incoming packets. I don't agree
with things like central virus scanning, especially by damn ISPs using
crappy Huawei hardware, deep-inspection traffic shaping rather than
pure bandwidth usage tracking, or active IDS myself, but I do agree
with scrubbing packets.

> With IPsec, NAT is unnecessary. (You can still use it if you need
> it...but please try to avoid it!)
> 

Actually it is no problem at all and is far better than some of the
rubbish IPv6 encourages client apps to do. (See the links I sent in the
other mail.)

> Re "DNS support for IPv6"
> 
> "Increased size of DNS responses due to larger addresses might be
> exploited for DDoS attacks"
> 
> That's not even significant. Have you looked at the size of DNS
> responses? The increased size of the address pales in comparison to the
> amount of other data already stuffed into the packet.

It's been ages since I looked at that link, and longer addresses would
certainly be needed anyway, but certainly with DNSSEC, again concocted by
costly, unthoughtful and unengaging groups who chose to ignore DJB
and enable amplification attacks.

His latest on the "DNS security mess"

http://cr.yp.to/talks/2013.02.07/slides.pdf

> "An attacker can connect to an IPv4-only network, and forge IPv6 Router
> Advertisement messages. (*)"

> Again, this depends on them being on the same layer 2 network segment.

> The same class of attacks would be possible for any IPv4 successor that
> implemented either RAs or DHCP.

Neither of which I use.

As I said, we would be here all day, and that link wasn't as good as the
one I was actually looking for.

Local NAT done right is no problem and actually a good thing, and I have
no issues playing games, running servers or anything else behind NAT.
Global NAT works well enough but isn't a good thing and wouldn't exist
if they had simply added more addresses quickly. The hardware uptake
would have been no issue rather than a decade of pleads.

We haven't even touched on the code yet, and so all the vulnerable,
especially home, hardware, which yes often has vulnerable sps anyway, but
by no way just home hardware.

The ipvshit links give an insight into the code complexity. Note
OpenBSD's kernel, which is very secure (unlike Linux, whose primary goal is
function) and has had just a few remote holes in well over a decade, one
of which was in IPv6 and which I had avoided without downtime because I
won't, and what's more shouldn't, use IPv6 wherever possible and had
actually removed it from the kernel altogether.

If I am Trolling rather than simply trying to make people aware, then
stating IPv6 is wonderful is Trolling just as much or more.

Regards,
	Kc

-- 
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
_______________________________________________________________________
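The IPsec-versus-NAT disagreement above turns on what the integrity check actually covers. The following is an added toy model written for this archive page; it is not code from either poster, from OpenBSD, or from any IPsec implementation, and it does not reproduce the AH/ESP wire format. It keeps two properties a practitioner should know: under AH (RFC 4302) the ICV covers the IP header's immutable fields (addresses, payload) with mutable fields such as TTL zeroed, so a normal routing hop passes but a source-address rewrite fails; under ESP (RFC 4303) the outer IP header is outside the ICV entirely, which is why ESP with UDP encapsulation (NAT-T, RFC 3948) is the usual way around the problem. The addresses, key and payload are constructed placeholders.

```python
"""Constructed model of why NAT breaks AH but not ESP integrity checks.

Added illustration, not any project's IPsec code. Only the ICV *scope* is
modelled; real AH/ESP headers, sequence numbers and encryption are omitted.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str          # outer IP source address
    dst: str          # outer IP destination address
    ttl: int          # mutable in transit: every hop decrements it
    payload: bytes    # everything after the IP header
    icv: bytes = b""  # integrity check value carried by AH/ESP


def _mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 truncated to 96 bits, as the IPsec HMAC transforms do.
    return hmac.new(key, data, hashlib.sha256).digest()[:12]


def _ah_scope(pkt: Packet) -> bytes:
    # AH: addresses and payload are covered. TTL is a mutable field, so it
    # is treated as zero when computing the ICV and router hops do not
    # invalidate it; an address rewrite does.
    return (ipaddress.ip_address(pkt.src).packed
            + ipaddress.ip_address(pkt.dst).packed
            + b"\x00"
            + pkt.payload)


def _esp_scope(pkt: Packet) -> bytes:
    # ESP: only the ESP header/payload/trailer is covered; the outer IP
    # header, addresses included, is outside the ICV entirely.
    return pkt.payload


def ah_sign(pkt: Packet, key: bytes) -> Packet:
    return replace(pkt, icv=_mac(key, _ah_scope(pkt)))


def ah_verify(pkt: Packet, key: bytes) -> bool:
    return hmac.compare_digest(_mac(key, _ah_scope(pkt)), pkt.icv)


def esp_sign(pkt: Packet, key: bytes) -> Packet:
    return replace(pkt, icv=_mac(key, _esp_scope(pkt)))


def esp_verify(pkt: Packet, key: bytes) -> bool:
    return hmac.compare_digest(_mac(key, _esp_scope(pkt)), pkt.icv)


def router_hop(pkt: Packet) -> Packet:
    """A plain router: forwards the packet and decrements TTL only."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_hop(pkt: Packet, public_src: str) -> Packet:
    """A source NAT: decrements TTL and rewrites the source address."""
    return replace(pkt, src=public_src, ttl=pkt.ttl - 1)


def run_demo() -> dict:
    """Receiver-side verification result for each path (constructed values)."""
    key = b"constructed-demo-key"
    original = Packet("192.0.2.10", "198.51.100.5", 64, b"constructed payload")
    ah = ah_sign(original, key)
    esp = esp_sign(original, key)
    return {
        "ah_via_router": ah_verify(router_hop(ah), key),                # True
        "ah_via_nat": ah_verify(nat_hop(ah, "203.0.113.7"), key),       # False
        "esp_via_nat": esp_verify(nat_hop(esp, "203.0.113.7"), key),    # True
    }


if __name__ == "__main__":
    for path, ok in run_demo().items():
        print(f"{path}: {'verifies' if ok else 'REJECTED as modified in transit'}")
```

The AH packet that crossed a NAT is rejected exactly as the quoted text says, while the ESP packet survives because its ICV never covered the address. What the model leaves out is the other half of NAT-T: a real NAT box needs UDP ports to multiplex flows and ESP has none, so the UDP/4500 encapsulation is what makes the ESP path usable in practice, not just the ICV scope.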

