[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Owen DeLong owend at he.net
Tue Sep 27 17:27:28 CEST 2011


The key difference is that in IPv4, most of those mechanisms break things
visibly where a rogue RA can still forward the packets to the legitimate gateway
after capturing them.

Owen

On Sep 27, 2011, at 3:51 AM, fred wrote:

> You are right that the big issue with ND is that RA can be used to announce a
> rogue router and without SEND or at least RA Guard, we have no way to
> control this efficiently.
> 
> On the other hand, with IPv4 we had the ICMP REDIRECT since day 1 which has
> the potential to do basically the same damage and reprogram the default
> gateway of any host to an arbitrary address. And we have been living with
> this threat for 30 years pretty well!
> 
> RAs go a bit further as they can advertise much more than a default gateway.
> 
> But in IPv4 you can also have rogue DNS servers and rogue DHCP servers which
> can break even more things than a rogue RA which can be identified very
> quickly with a good IDS and blasted to stop its attack!
> 
> Fred
> 
> 
> 
> 
> On 27/09/2011 05:04, "Jim Small" <jim.small at cdw.com> wrote:
> 
>> Fred,
>> 
>> So why could NDP be worse than ARP?
>> [JRS>] Better and worse.  Better in the sense that it has more features and
>> flexibility.  Worse in the sense that since it uses IPv6 it can use (abuse)
>> extension headers to bypass current security mechanisms like ACLs and RA
>> Guard.
>> 
>> Because it can advertise a default router with an RA? If the answer is yes
>> maybe there is a way (which I would not recommend anyway) to stop the
>> router from sending RA and configure the end node from DHCPv6 or manually.
>> Just like IPv4 would do.
>> [JRS>] Currently DHCPv6 is not capable of provisioning a default gateway, it
>> relies on SLAAC for this.  So currently disabling SLAAC would prevent DHCPv6
>> from working.
>> 
>> Or is there anything else where NDP spoofing is worse than ARP spoofing? I
>> would really think the opposite...
>> [JRS>] I think it will end up being superior, but first the issues with
>> extension header abuse and getting mainstream vendors like Microsoft and Apple
>> to implement SeND must be addressed.
>> 
>> --Jim
>> 
>> 
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers
> 
> -- 
> 
> Fred Bovy
> fred at fredbovy.com
> Skype: fredericbovy
> Mobile: +33676198206
> Siret: 5221049000017
> Twitter: http://twitter.com/#!/FredBovy
> Blog: http://fredbovyipv6.blogspot.com/
> ccie #3013
> 
> 
> 
> 
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
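
Fred's point that a rogue RA can be spotted by an IDS and Jim's point that extension headers can hide an RA from ACLs and RA Guard meet in one check, sketched here as an added example (not code from any poster or product in this thread): walk the full IPv6 header chain before deciding whether a packet is an RA, then compare its source with a router allow-list. The names `classify`, `build`, `ROUTERS` and all packet bytes are constructed for illustration.

```python
import ipaddress
import struct

# Headers sharing the (next header, length in 8-octet units) layout.
EXT_HDRS = {0, 43, 60}          # hop-by-hop, routing, destination options
FRAGMENT, ICMPV6, RA_TYPE = 44, 58, 134

def classify(packet: bytes, allowed_routers: set) -> str:
    """Return 'ok', 'rogue-ra', 'ra-behind-ext-headers', 'undetermined' or 'not-ra'."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "not-ra"
    src = ipaddress.IPv6Address(packet[8:24])
    nh, off, ext_seen = packet[6], 40, False
    # Walk the whole chain instead of trusting the first Next Header value.
    while nh in EXT_HDRS or nh == FRAGMENT:
        if off + 8 > len(packet):
            return "undetermined"
        if nh == FRAGMENT:
            if struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3:
                return "undetermined"   # non-first fragment: no upper layer here
            hdr_len = 8
        else:
            hdr_len = (packet[off + 1] + 1) * 8
        nh, off, ext_seen = packet[off], off + hdr_len, True
    if nh != ICMPV6:
        return "not-ra"
    if off >= len(packet):
        return "undetermined"           # truncated before the ICMPv6 type byte
    if packet[off] != RA_TYPE:
        return "not-ra"
    if ext_seen:                        # example policy: an RA needs no extension headers
        return "ra-behind-ext-headers"
    return "ok" if src in allowed_routers else "rogue-ra"

def build(src: str, chain: list, payload: bytes) -> bytes:
    """Constructed sample packet: IPv6 header, zero-filled 8-byte extension headers, payload."""
    nhs = chain + [ICMPV6]
    body = b"".join(bytes([n] + [0] * 7) for n in nhs[1:]) + payload
    hdr = struct.pack("!IHBB", 6 << 28, len(body), nhs[0], 255)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address("ff02::1").packed + body)

# Constructed data: one legitimate router and a minimal 16-byte RA (checksum not computed).
ROUTERS = {ipaddress.IPv6Address("fe80::1")}
RA = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)

if __name__ == "__main__":
    for src, chain in [("fe80::1", []), ("fe80::bad", []), ("fe80::bad", [44, 60])]:
        print(src, chain, classify(build(src, chain, RA), ROUTERS))
```

A filter that inspects only the first Next Header value would see 44 or 60 in the last sample and never reach the ICMPv6 type byte, which is why the chain walk comes before the allow-list comparison.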



