[ipv6hackers] IPv6 security presentation at Hack.lu 2011

fred fred at fredbovy.com
Tue Sep 27 11:52:23 CEST 2011


Thanks Jim,


I think I heard that DHCPv6 could not provision a default gateway but it
sounds so crazy that I immediately forgot this! Thanks...

I don't see any application where NDP would need extension headers...

Strictly NDP, not protocols running on ICMPv6 like MLD where you may need
the hop-by-hop extension with router alert bit. But NDP... I don't see...

Is there any NDP PDU which requires some Extension Header to work ?

If not, maybe we should start filtering out such packets; this should not be
a difficult rule to set in an ACL, and maybe just not allow it in the
future... if there is no other application than hacking...

Or if there is an exception of an Extension header which may be useful, just
permit this one.

And I am 2000% with you that SEND MUST be implemented by Windows and Mac OS
X. It would make IPv6 the safest protocol in the world...

Fred




On 27/09/2011 05:04, "Jim Small" <jim.small at cdw.com> wrote:

> Fred,
> 
> So why could NDP be worse than ARP?
> [JRS>] Better and worse.  Better in the sense that it has more features and
> flexibility.  Worse in the sense that since it uses IPv6 it can use (abuse)
> extension headers to bypass current security mechanisms like ACLs and RA
> Guard.
> 
> Because it can advertise a default router with a RA? If the answer is yes
> maybe there is a way (which I would
> not recommend anyway) to stop the router from sending RA and configure the
> end node from DHCPv6 or manually. Just like IPv4 would do.
> [JRS>] Currently DHCPv6 is not capable of provisioning a default gateway, it
> relies on SLAAC for this.  So currently disabling SLAAC would prevent DHCPv6
> from working.
> 
> Or is there anything else where NDP spoofing is worse than ARP spoofing? I
> would really think the opposite...
> [JRS>] I think it will end up being superior, but first the issues with
> extension header abuse and getting mainstream vendors like Microsoft and Apple
> to implement SeND must be addressed.
> 
> --Jim
> 
> 
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers

-- 

Fred Bovy
fred at fredbovy.com
Skype: fredericbovy
Mobile: +33676198206
Siret: 5221049000017
Twitter: http://twitter.com/#!/FredBovy
Blog: http://fredbovyipv6.blogspot.com/
ccie #3013
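The filtering rule discussed in this thread (NDP messages should never need an extension header, so an NDP message that arrives behind one is suspect, while MLD legitimately carries a Hop-by-Hop header with the Router Alert option) can be checked with a small parser. The code below is an added example, not something from the thread or from any vendor's ACL implementation: it walks the IPv6 extension-header chain of a raw packet, identifies ICMPv6 NDP types 133-137, and marks an NDP message as "drop" only when at least one extension header precedes it. The packets it classifies are constructed inline (link-local source, all-nodes destination, zeroed ICMPv6 checksums), not captured traffic.

```python
"""Flag NDP messages that arrive wrapped in IPv6 extension headers.

Policy (from the mailing-list discussion): NDP (ICMPv6 types 133-137) with
any extension header in front of it is dropped; other ICMPv6 such as MLD,
which needs Hop-by-Hop + Router Alert, is left alone.  All sample packets
below are constructed for the example; checksums are not computed or checked.
"""
import struct

# IPv6 next-header values (IANA protocol numbers).
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, AH, ICMPV6, DEST_OPTS = 0, 6, 43, 44, 51, 58, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
NDP_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}


def walk_headers(pkt):
    """Return (ext_chain, upper_proto, offset) for a raw IPv6 packet.

    upper_proto is None for a non-first fragment: the upper-layer header is
    not present in that fragment, so it cannot be classified without reassembly.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nh)
        next_nh = pkt[off]                      # every extension header starts with Next Header
        if nh == FRAGMENT:                      # fixed 8 bytes; offset is the top 13 bits of bytes 2-3
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            off += 8
            if frag_off != 0:
                return chain, None, off
        elif nh == AH:                          # AH length field counts 4-byte words minus 2
            off += (pkt[off + 1] + 2) * 4
        else:                                   # HBH/Routing/DestOpts: 8-byte units not counting the first 8
            off += (pkt[off + 1] + 1) * 8
        nh = next_nh
    return chain, nh, off


def classify(pkt):
    """Return {'ndp': message name or None, 'ext': [header numbers], 'drop': bool}."""
    chain, proto, off = walk_headers(pkt)
    ndp = None
    if proto == ICMPV6 and off + 8 <= len(pkt) and pkt[off] in NDP_TYPES:
        ndp = NDP_TYPES[pkt[off]]
    return {"ndp": ndp, "ext": chain, "drop": ndp is not None and bool(chain)}


# --- constructed sample packets -------------------------------------------
SRC = bytes.fromhex("fe800000000000000000000000000001")   # constructed link-local source
DST = bytes.fromhex("ff020000000000000000000000000001")   # all-nodes multicast


def ipv6(next_header, payload):
    """Fixed IPv6 header (version 6, hop limit 255) followed by payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 255, SRC, DST) + payload


def icmpv6(msg_type):
    """Minimal 8-byte ICMPv6 header: type, code 0, checksum 0 (unverified), 4 reserved bytes."""
    return struct.pack("!BBHI", msg_type, 0, 0, 0)


RA_PLAIN = ipv6(ICMPV6, icmpv6(134))
# Destination Options header (next=58, length 0 => 8 bytes, one PadN option) in front of an RA.
DST_OPTS_HDR = struct.pack("!BBBB4s", ICMPV6, 0, 1, 4, b"\0" * 4)
RA_DSTOPT = ipv6(DEST_OPTS, DST_OPTS_HDR + icmpv6(134))
# Hop-by-Hop header with Router Alert (option type 5, len 2, value 0) then PadN, ahead of an MLDv2 report (143).
HBH_ROUTER_ALERT = struct.pack("!BBBBHBB", ICMPV6, 0, 5, 2, 0, 1, 0)
MLD_HBH = ipv6(HOP_BY_HOP, HBH_ROUTER_ALERT + icmpv6(143))
# First fragment (offset 0, M=1) carrying an NS: the NDP header is visible and the chain is non-empty.
FRAG_HDR = struct.pack("!BBHI", ICMPV6, 0, 0x0001, 0x1234ABCD)
NS_FRAG = ipv6(FRAGMENT, FRAG_HDR + icmpv6(135))
TCP_PLAIN = ipv6(TCP, b"\0" * 20)

if __name__ == "__main__":
    for name, pkt in [("RA_PLAIN", RA_PLAIN), ("RA_DSTOPT", RA_DSTOPT),
                      ("MLD_HBH", MLD_HBH), ("NS_FRAG", NS_FRAG), ("TCP_PLAIN", TCP_PLAIN)]:
        print(f"{name:10s} {classify(pkt)}")
```

The rule deliberately keys on the ICMPv6 type, not on the presence of extension headers alone, so the MLD report with its Hop-by-Hop Router Alert passes while the RA behind a Destination Options header and the NS behind a Fragment header are flagged. A non-first fragment returns `ndp: None` because the ICMPv6 header is not in it; a device that wants to enforce this rule on fragmented traffic has to reassemble first.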