[ipv6hackers] my IPv6 insecurity slides

Douglas Otis dotis at mail-abuse.org
Wed Nov 23 20:36:25 CET 2011


On 11/23/11 9:04 AM, Marc Heuse wrote:
> Hi guys,
>
> I did a lot of presentations on my IPv6 security research since 2005.
> I condensed most if it into a 2h presentation I performed at the IPv6
> congress in Frankfurt, Germany in May.
>
> I updated the information, and if you are interested in the slides, here
> is the direct link:
> http://www.mh-sec.de/downloads/mh-ipv6_vulnerabilities.pdf
>
> On a side note, I plan the next thc-ipv6 (will be 2.0) release
> containing all and every tool (no more private version) to be between
> March and May 2012.
Marc,

Without a doubt, IPv6 is challenging.  Nevertheless IPv6 is a reality.  
However, tunneling or translating this traffic will make the problem 
worse.  Also, recursive DNS servers and domain search lists are 
supported in RAs.

Disabling IPv6 because local networks can't be trusted would be an over 
reaction.  Local networks could never be trusted.  Reliance must be 
placed on cryptographic validation of end points, whether over IPv4 or 
IPv6.  IPv6 better ensures actual host validation remains practical, and 
not involve other (IPv4 or IPv6) insecure routing techniques.

Spoofing threats occur in IPv4 via ARP spoofing, etc.  Your tools are 
great, but rather than making apocalyptic assertions, recommending 
improved tracking techniques seems like a better strategy.  Of course, 
this effort should be done in conjunction with greater dependence upon 
cryptographic host confirmations.  RFC6281 offers an important example.

Indeed, trusting local networks has been problematic with either IPv4 or 
IPv6.  Clearly, local networks offering Internet access or those exposed 
to mobile devices should not be trusted.  Security must depend upon 
cryptography, not encryption.  Privacy depends upon encryption.  Of 
course current filtering methods will be unable to scale, and this needs 
to be resolved.

By the way, where has white-listing of the entire IPv4 been practical?  
IMHO, the real issue is that block lists will soon be unable to scale 
and requires different strategies.  Perhaps Kerberos as a service that 
signals domains confirmed using DANE where their APL RRsets are applied 
to access firewalls might represent a new type of security industry 
waiting to happen. :^)

I know of an update to RFC3041.  This update offers user controls for 
temporary addresses.  Will this satisfy the privacy concerns raised?  
IMHO, privacy on the Internet requires greater efforts.  Dynamically 
assigned addresses offered by providers rarely changing seem like a 
benefit, where privacy requires efforts analogous that found with Tor 
(the onion router).

-Doug



More information about the Ipv6hackers mailing list