[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Tomas Podermanski tpoder at cis.vutbr.cz
Tue Sep 27 17:10:23 CEST 2011


Hi,

    Marc, thanks for the explanation. I'd like to expand a little bit on the
difference between the IPv4 and IPv6 worlds. In IPv4 we know some techniques
to eliminate attacks such as rogue DHCP servers, ARP spoofing or address
spoofing. Many vendors implement DHCP snooping and some other
functionality (dynamic ARP protection/inspection, dynamic lock down/IP
source guard). All of them are based on a simple idea: a database built
from the data from the DHCP(v4) server (obtained while requesting an IP address
from the DHCP server). It is possible to buy cheap access switches
supporting these features and you can easily have this level of security
on all access ports (if you want and need it, of course).

In IPv6 everything is different. Addresses are not managed by a central
authority (aka DHCP server) but every node creates its own address (at least
a link-local address). That means it is not possible to create a similar
database to protect access ports. Some vendors try to create such a
database from a combination of DHCPv6 + DAD packets (SAVI), but this still
does not provide the same level as IPv4 does.

Another problem is that only a few devices support IPv6
protection mechanisms (RA guard, ND protection, DHCPv6
snooping, SAVI*) today. All such devices are usually two or three times
more expensive compared to devices having protection for IPv4. What's
worse, even if you have the money to buy more expensive devices, there are
still ways to bypass the protection (fragmented packets and extension
headers).

Building a new network that will work for the next 5 years, we are faced with a
big dilemma. There are 3 possible scenarios:
1. Spend money on more expensive devices with IPv6 protection mechanisms
(that can be bypassed).
2. Save money and buy devices providing IPv4-only protection and block
all IPv6 traffic. It is not a good way to develop IPv6 by blocking it.
3. Save money and buy devices providing IPv4-only protection and monitor
ND packets (NDPmon etc.). This is how we do it now, but it only
mitigates the potential problems. It does not solve them and the network is still
easily vulnerable.
 
It seems to me that the right ready-to-use solution does not exist yet.

Tomas


On 9/27/11 10:06 AM, Marc Heuse wrote:
> On 27.09.2011 03:28, Owen DeLong wrote:
>> I will point out that NDP spoofing is no worse than ARP spoofing in IPv4,
>> so, I'm not sure how you can say that it is not an equivalent level of first
>> hop security.
> Comparing ARP with NA/NS - you are right.
> But the RAs are making the difference.
>
> In IPv4 the router is configured by hand or comes from DHCP.
> In IPv6 they can be configured by hand, but otherwise *must* come by RA,
> as there is still no DHCP option for routes/routers.
> You could argue that you can do DHCP spoofing too, yes, but only when a
> device is asking for a new address or if you achieve the slightly
> more difficult part of sabotaging the renewing of a lease.
> But with RA, an attacker can do that at all times to all systems.
> And if autoconfiguration is active, you can configure DNS servers and
> new routes at any time for anybody too.
>
> And that changes the threat level. As NDP consists of NS/NA and RS/RA,
> the security is not equivalent. It would only be if you configure routes
> manually on both IPv4 and IPv6.
>
> Greets,
> Marc
>
> --
> Marc Heuse
> Mobil: +49 177 9611560
> Fax: +49 30 37309726
> www.mh-sec.de
>
> Marc Heuse - IT-Security Consulting
> Winsstr. 68
> 10405 Berlin
>
> Ust.-Ident.-Nr.: DE244222388
> PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
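
An added example, not part of the original thread: a minimal sketch of the ND monitoring approach from scenario 3, checking each Router Advertisement's router, prefixes and DNS servers (the items Marc notes an RA can set at any time) against an allowlist. The function names, the allowlist values and the sample packets are assumptions constructed for illustration; capturing the packets and obtaining the IPv6 source address is left to the caller, and like any monitor this only reports, it does not block.

```python
import ipaddress
import struct

# Assumed allowlist for the monitored link (constructed, documentation ranges).
KNOWN_ROUTERS = {("fe80::1", "00:00:5e:00:53:01")}
KNOWN_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}
KNOWN_RDNSS = {ipaddress.IPv6Address("2001:db8:1::53")}

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861) and the options of interest."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"lladdr": None, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8  # length field is in 8-byte units
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off + 2:off + olen]
        if otype == 1:  # source link-layer address
            ra["lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == 3 and olen == 32:  # prefix information
            ra["prefixes"].append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        elif otype == 25:  # recursive DNS server (RFC 8106)
            ra["rdnss"] += [ipaddress.IPv6Address(body[i:i + 16])
                            for i in range(6, len(body) - 15, 16)]
        off += olen
    return ra

def audit_ra(src: str, icmp6: bytes) -> list:
    """Return findings for one RA received from IPv6 source address src."""
    ra, findings = parse_ra(icmp6), []
    if (str(ipaddress.IPv6Address(src)), ra["lladdr"]) not in KNOWN_ROUTERS:
        findings.append(f"unknown router {src} / {ra['lladdr']}")
    findings += [f"unexpected prefix {p}" for p in ra["prefixes"] if p not in KNOWN_PREFIXES]
    findings += [f"unexpected RDNSS {d}" for d in ra["rdnss"] if d not in KNOWN_RDNSS]
    return findings

def sample_ra(mac: str, prefix: str, dns: str) -> bytes:
    """Build a constructed RA (checksum left at zero) as demonstration input."""
    net = ipaddress.IPv6Network(prefix)
    return (struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
            + bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
            + struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
            + net.network_address.packed
            + struct.pack("!BBHI", 25, 3, 0, 600) + ipaddress.IPv6Address(dns).packed)

GOOD_RA = sample_ra("00:00:5e:00:53:01", "2001:db8:1::/64", "2001:db8:1::53")
ROGUE_RA = sample_ra("00:00:5e:00:53:66", "2001:db8:bad::/64", "2001:db8:bad::53")
```
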



