[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Eric Vyncke (evyncke) evyncke at cisco.com
Mon Sep 26 14:48:38 CEST 2011


Sara,

As you kindly asked about Cisco SeND implementation, here are some details:
- available in IOS for probably 2 years now (this is for the 'regular' routers, not for the big ones)
- it obviously includes CGA
- RA can be protected as well but, of course, the router must have a certificate (an IOS router can be part of a PKI, from sending an enrollment request, checking CRL and even acting as a poor man's CA) and the receiving nodes must have configured the trust anchor

I would be really interested to know more about your implementation because SeND in a router is a nice piece of engineering work but as long as no nodes are able to process SeND-protected RA, it is also useless :-(

Hope this helps

-éric


> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of Sara
> Sent: Friday, 23 September 2011 09:22
> To: IPv6 Hackers Mailing List
> Subject: Re: [ipv6hackers] IPv6 security presentation at Hack.lu 2011
> 
> Hi All,
> We already implemented SEND for Windows; however, we're working on
> performance. I'm really interested to know more about CISCO implementation
> and other details if available because we would like to know what CISCO did
> about router certification and so on.
> 
> Regards,
> Sara
> 
> 
> 
> ________________________________
> From: fred <fred at fredbovy.com>
> To: IPv6 Hackers Mailing List <ipv6hackers at lists.si6networks.com>; Karl Auer
> <kauer at biplane.com.au>
> Sent: Thursday, September 22, 2011 6:15 PM
> Subject: Re: [ipv6hackers] IPv6 security presentation at Hack.lu 2011
> 
> Hi,
> 
> A bit more about SEND.
> I was the CISCO IPv6 engineer who did the dev-test for SEND. I wrote the
> test plan and all the TCL scripts to test it all and I also developed the
> template to decode the protocol with the Cisco Internal tool...
> 
> I would have loved to see Microsoft keep its word and implement it in Vista
> as I heard they would, but once we (CISCO) developed it, then Microsoft did
> not :-(
> 
> I wrote this post about SEND:
> http://www.fastlaneus.com/blog/2011/08/30/secure-the-ipv6-network-access-with-secure-neighbor-discovery-send-rfc3971-and-cga-rfc3972/
> 
> I believe that there would be no protocol safer than IPv6 if SEND was
> implemented by Microsoft and Apple... It's a shame they did not!
> 
> Having PKI is not a big deal. We get a certificate in France in 10 minutes
> from the French Tax when we do our tax return online! And you only need to
> do it sometimes. You don't need a new certificate every day!
> 
> You also need strong time synchronization to make it work but this is not a
> big issue either.
> 
> The only big problem is that neither Microsoft nor Apple implemented it.
> 
> Fred
> 
> 
> 
> 
> On 22/09/2011 17:56, "Jim Small" <jim.small at cdw.com> wrote:
> 
> > Karl,
> >
> > To address your questions:
> > 1) SeND (Secure Neighbor Discovery Protocol) Info including sources:
> > http://en.wikipedia.org/wiki/Secure_Neighbor_Discovery_Protocol
> > And a good overview (saw lots of comments on the list):
> > http://ipv6.com/articles/research/Secure-Neighbor-Discovery.htm
> >
> > Ideally I could point you to a Live CD but I couldn't find one.  I'll ask
> > around and post back if I can find one.  I know several people well who have
> > set up SeND with Linux/IOS so I know it's possible.
> >
> >
> > 2) Official proclamation from Microsoft that SeND is not implemented in
> > Windows:
> > http://technet.microsoft.com/en-us/library/bb726956.aspx
> > Updated this August, from the Authorization for Automatically Assigned
> > Addresses and Configurations section, "Microsoft does not support SEND in any
> > version of Windows."
> >
> > 3) Definitive information on SeND support from Apple for OS X - unfortunately
> > I couldn't find it.  I'll post back if I can.
> >
> > 4) Bonus - How to set up SeND in IOS:
> > http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html#wp1112987
> >
> > --Jim
> >
> > _______________________________________________
> > Ipv6hackers mailing list
> > Ipv6hackers at lists.si6networks.com
> > http://lists.si6networks.com/listinfo/ipv6hackers
> 
> --
> 
> Fred Bovy
> fred at fredbovy.com
> Skype: fredericbovy
> Mobile: +33676198206
> Siret: 5221049000017
> Twitter: http://twitter.com/#!/FredBovy
> Blog: http://fredbovyipv6.blogspot.com/
> ccie #3013
> 
> 
> 
> 


