[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Marc Heuse mh at mh-sec.de
Sun Sep 25 11:55:07 CEST 2011


Am 25.09.2011 11:39, schrieb Owen DeLong:
> On Sep 24, 2011, at 2:23 PM, Fernando Gont wrote:
>> On 09/22/2011 03:01 PM, Gert Doering wrote:
>>> Hi, On Wed, Sep 21, 2011 at 09:37:11PM -0300, Arturo Servin wrote:
>>>> Jean, Regarding SEND AFAIK, you need a certificate in each device
>>>> requesting network information to validate the source. For that
>>>> requirement only, SEND is not easy to deploy.
>>>
>>> You need the PKI infrastructure to validate RAs.
>>
>> If you don't validate RA's, then an attacker would simply spoof RA's,
>> and would have all packets forwarded to him, thus defeating any
>> protection that could have been provided with the CGAs.
>>
> 
> Unless you use RA Guard instead.

and in the current state of RA implementations and IPv6 implementation
into the OSes, RA guard can easily be bypassed.

Greets,
Marc

--
Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 37309726
www.mh-sec.de

Marc Heuse - IT-Security Consulting
Winsstr. 68
10405 Berlin

Ust.-Ident.-Nr.: DE244222388
PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A



More information about the Ipv6hackers mailing list