[ipv6hackers] IPv6 security presentation at Hack.lu 2011
Marc Blanchet
marc.blanchet at viagenie.ca
Tue Sep 27 17:37:20 CEST 2011
On 2011-09-27 at 11:27, Owen DeLong wrote:
> The key difference is that in IPv4, most of those mechanisms break things
> visibly where a rogue RA can still forward the packets to the legitimate gateway
> after capturing them.
Well, if I'm a rogue DHCPv4 server and advertise myself as v4 default router, then I can still "forward packets to the legitimate gateway after capturing them".
No?
Marc.
>
> Owen
>
> On Sep 27, 2011, at 3:51 AM, fred wrote:
>
>> You are right that the big issue with ND is that RA can be used to announce a
>> Rogue router and without SEND or at least RA Guard, we have no way to
>> control this efficiently.
>>
>> On the other hand, with IPv4 we had the ICMP REDIRECT since day 1 which has
>> the potential to do basically the same damage and reprogram the default
>> gateway of any host to an arbitrary address. And we have been living with
>> this threat for 30 years pretty good!
>>
>> RAs go a bit further as they can advertise much more than a default gateway.
>>
>> But in IPv4 you can also have rogue DNS servers and rogue DHCP servers which
>> can break even more things than a rogue RA which can be identified very
>> quickly with a good IDS and blasted to stop its attack!
>>
>> Fred
>>
>>
>>
>>
>> On 27/09/2011 05:04, "Jim Small" <jim.small at cdw.com> wrote:
>>
>>> Fred,
>>>
>>> So why could NDP be worse than ARP?
>>> [JRS>] Better and worse. Better in the sense that it has more features and
>>> flexibility. Worse in the sense that since it uses IPv6 it can use (abuse)
>>> extension headers to bypass current security mechanisms like ACLs and RA
>>> Guard.
>>>
>>> Because it can advertise a default router with an RA? If the answer is yes
>>> maybe there is a way (which I would not recommend anyway) to stop the
>>> router from sending RA and configure the end node from DHCPv6 or manually.
>>> Just like IPv4 would do.
>>> [JRS>] Currently DHCPv6 is not capable of provisioning a default gateway, it
>>> relies on SLAAC for this. So currently disabling SLAAC would prevent DHCPv6
>>> from working.
>>>
>>> Or is there anything else where NDP spoofing is worse than ARP spoofing? I
>>> would really think the opposite...
>>> [JRS>] I think it will end up being superior, but first the issues with
>>> extension header abuse and getting mainstream vendors like Microsoft and Apple
>>> to implement SeND must be addressed.
>>>
>>> --Jim
>>>
>>>
>>> _______________________________________________
>>> Ipv6hackers mailing list
>>> Ipv6hackers at lists.si6networks.com
>>> http://lists.si6networks.com/listinfo/ipv6hackers
>>
>> --
>>
>> Fred Bovy
>> fred at fredbovy.com
>> Skype: fredericbovy
>> Mobile: +33676198206
>> Siret: 5221049000017
>> Twitter: http://twitter.com/#!/FredBovy
>> Blog: http://fredbovyipv6.blogspot.com/
>> ccie #3013
>>
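The thread raises two detection problems: spotting a Router Advertisement from a router that should not be announcing, and RAs placed behind IPv6 extension headers so that simple filters miss them. The following is an added example, not part of the original messages, of a check that walks the extension header chain before deciding whether a packet is an RA; the allow-list address, the sample packets and the function names are constructed for illustration.

```python
import ipaddress
import struct

ICMPV6, RA_TYPE, FRAGMENT = 58, 134, 44
# Extension headers sharing the (next header, length in 8-octet units) layout
EXT_HDRS = {0: "hop-by-hop", 43: "routing", 60: "destination options"}

def inspect_ra(packet, allowed_routers):
    """Return findings for one raw IPv6 packet; empty if clean or not an RA."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return []
    src = ipaddress.IPv6Address(packet[8:24])
    nxt, off, chain = packet[6], 40, []
    # A filter that only looks at the first next-header field stops here;
    # walking the chain is what finds an RA hidden behind extension headers.
    while nxt in EXT_HDRS or nxt == FRAGMENT:
        if off + 8 > len(packet):
            return ["truncated extension header chain from %s" % src]
        if nxt == FRAGMENT:
            chain.append("fragment")
            frag_off = struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return ["non-first fragment from %s: upper layer not visible" % src]
            nxt, off = packet[off], off + 8
        else:
            chain.append(EXT_HDRS[nxt])
            nxt, off = packet[off], off + 8 * (packet[off + 1] + 1)
    if nxt != ICMPV6 or off >= len(packet) or packet[off] != RA_TYPE:
        return []
    findings = []
    if src not in allowed_routers:
        findings.append("RA from unlisted router %s" % src)
    if chain:
        findings.append("RA behind extension headers: " + ", ".join(chain))
    return findings

def build(src, chain_bytes=b"", first_nh=ICMPV6):
    """Constructed sample: IPv6 header + optional ext headers + minimal RA."""
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)  # checksum left 0
    payload = chain_bytes + ra
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 255)
    dst = ipaddress.IPv6Address("ff02::1").packed  # all-nodes multicast
    return hdr + ipaddress.IPv6Address(src).packed + dst + payload

ALLOWED = {ipaddress.IPv6Address("fe80::1")}        # assumed legitimate router
DEST_OPTS = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])    # 8-byte header holding one PadN
SAMPLES = [build("fe80::1"), build("fe80::bad"), build("fe80::bad", DEST_OPTS, 60)]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(inspect_ra(pkt, ALLOWED))
```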