* Posts by Oliprof

3 publicly visible posts • joined 5 Apr 2011

IPv6 networking: Bad news for small biz


NPT66 is NOT a solution

So, more FUD about IPv6 with an article that totally fails to grasp key IPv6 concepts.

1) NPT66 is still hardly more than an RFC, there are *no* trivially accessible implementations of this (as in, for the low-end folks), and sure as shizz not in home routers or even the latest build of OpenWRT - the only way you're going to get it is by merging a bunch of currently unstable Netfilter patches into the Linux kernel source and building yourself.

2) It's largely unnecessary anyway - ISPs can delegate prefixes of /64 or larger to clients (either through RAs and/or DHCPv6-PD) which could then be announced on the LAN side for assignment to clients (something that could be achieved with ISC'd DHCP client and/or a bash script to invoke radvd and optionally dhcpd)

3) Don't confuse multihoming with poor-man's load balancing involving round-robin SNAT on multiple separate IPv4 addresses - exactly the same tosh can be done with IPv6 but the responsibility moves to the endpoint (i.e. you give a machine an IP in every one of your subnets and configure it to use them in some per-connection rotated fashion) - of course, I have no doubt the plebiscites will be utilising round-robin IPv6 SNAT once it gets mainlined into the kernel.

4) Suggesting the use of BGP to be a bad idea because of an issue in China is mentally retarded when you take a moment to that your provider, or their provider MUST BE USING BGP since, y'know, it's the backbone protocol of the *entire* Internet and therefore, any upstream prefix hijacking is basically *unavoidable* - on the contrary, at least if you do BGP yourself, you have the option of using stuff like pgBGP to at least have a chance of handling prefix hijacks.

5) You can actually get a free IPv6 BGP tunnel from companies like HE providing you have your own ASn and subnet assignment from an RIR which is generally affordable if you get it via a sponsoring LIR, but also only something either an enthusiast or small business would do.

AES crypto broken by 'groundbreaking' attack



AES isn't broken; This research does prove that the algorithm isn't an "ideal" cipher because these attacks do nonetheless reduce the complexity to less than brute force of the entire key space.

However, these attacks have not reduced the computational complexity to any level where they are feasible; the complexity of AES-128 still remains slightly larger than the entire IPv6 Global Unicast Internet, have a pop at enumerating that if you like and see how long it takes you.

AES is not broken, it is not compromised, it is merely weakened, and very slightly at that.

Attack hijacks sensitive data using newer Windows features


Yet more Non-news FUD

Just a protip: turning off IPv6 on your machines is both pointless and silly unless there's a possibility of someone plugging their own router into your stuff, in which case, why not just go with the good old tried and tested IPv4 attacks... hell, a rogue radvd + DHCPv6 server will work just as well as a rogue DHCPv4.

Correct mitigation? don't let people install crap inside your network.