In April 2007, when two security researchers demonstrated a flaw in the next-generation IPv6 routing scheme that would allow attackers to significantly amplify any denial-of-service attack by a factor of at least 80, networking expert Jun-ichiro "Itojun" Hagino worked to get Internet engineers to take the threat seriously.
Hagino was a core researcher at KAME Project, which wrote and now manages a freely distributable set of code for Internet Protocol Version 6 (IPv6) and IPSec technology used by the Unix-like operating systems FreeBSD, NetBSD and OpenBSD as well as by many companies in their next-generation networking products. During September and the beginning of October, SecurityFocus contributor Federico Biancuzzi interviewed Hagino by e-mail about IPv6 and his most recent project, the OpenBSD IPv6 Security Audit.
Sadly, Hagino's life was cut short; he died on October 29, 2007. He was only 37.
During his life, Hagino served as Internet Architecture Board member and served on the board of the Widely Integrated Distributed Environments (WIDE) project since March 2004. He had been hacking computers since his junior high school days and defined himself a "free software activist."
If you are using IPv6, you are probably running some of his code.
SecurityFocus: Could you introduce yourself?
Jun-ichiro "Itojun" Hagino: My name is Jun-ichiro Itojun Hagino. Just call me "Itojun". I'm a seasoned BSD developer, I guess I'm the only person who have commit rights to four out of six BSD projects -- OpenBSD, NetBSD, FreeBSD and Darwin. The rest are PC-BSD and DragonflyBSD. I have been implementing various free software since 20 years ago, for MS-DOS as well as UNIX. One of my major achievements is nvi-m17n, which is multilingual nvi -- it can operate on multilingual text just like recent GNU emacs.
(For) 10+ years I have been devoting my professional -- and some of my personal -- life to IPv6 as well as IPSec. I served as an Internet Architecture Board (IAB) member, the technical steering committee of the Internet Engineering Task Force (IETF) in (the) 2003 (to) 2005 timeframe.
I'm a technology fundamentalist. I have never configured (a) NAT box (a router implementing network address translation, or NAT) myself, since doing so I would damage my belief to IPv6. I have never operated Microsoft stuffs -- other than using a browser in (a) net cafe -- since they ... introduced long file names. I do use MacOS X as I can say that it is a BSD variant, and it has our IPv6 code in it. :-)
But anyways, I'm just another super geek from Tokyo, who loves manga, anime and sci-fi.
How did the OpenBSD IPv6 Security Audit project start?
The project is to audit IPv6 implementations and also standards, to proactively combat against security problems we might have in IPv6 implementations as well as specifications.
At the beginning, it actually was a proposal for government funding. However, the funding body turned the proposal down because I was too popular already and the funding was for newcomers. But I felt the urge to do it, so I've decided to start and finish it on my own. So it was not funded by anyone.
It took me around (a) month or so to go through the Internet draft which talks about various security issues in IPv6 specifications and implementations. Basically I cheated, because some part of the draft was based on my writing.
What link does the project have with the KAME tree?
KAME is the project which is responsible for IPv6 code in every single BSD-ish project, including Apple Mac OS X and Juniper JunOS. KAME code was integrated into OpenBSD and other BSDs (during the) 1999 to 2000 timeframe.
The audit was based on OpenBSD integration. There are differences between IPv6 integration among BSDs, because their technical needs, project focuses, and other random things. For example, OpenBSD does not integrate 6to4 (RFC3056) automatic tunneling mechanism, which is stf(4) in other BSDs. This is because OpenBSD cares about security, and I knew that there are serious problem in 6to4 specification just like those presented in RFC3964. Anyways, the audit based on OpenBSD IPv6 code will be beneficial to the KAME project too.
I have started a new effort, which is basically to continue KAME project effort -- KAME funding was cut in spring 2006 so I'm filling the void. So the auditing effort was under ipv6samurais.com umbrella. (Editor's note: The IPv6 Samurais site continues to be maintained by its two other members, Mark Uemura and Marc Blanchet.)