[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Owen DeLong owend at he.net
Tue Sep 27 19:41:03 CEST 2011


On Sep 27, 2011, at 8:37 AM, Marc Blanchet wrote:

> 
> On 2011-09-27 at 11:27, Owen DeLong wrote:
> 
>> The key difference is that in IPv4, most of those mechanisms break things
>> visibly where a rogue RA can still forward the packets to the legitimate gateway
>> after capturing them.
> 
> Well, if I'm a rogue DHCPv4 server and advertise myself as v4 default router, then I can still "forward packets to the legitimate gateway after capturing them".
> 
> No?
> 
Yes, but, your DHCP advertisements will likely conflict with the legitimate DHCP server's
leases, OR, you will have to NAT the packets as well which provides other forms of
breakage unless you also implement a suite of ALGs which provide yet another different
form of breakage.

Additionally, if anyone is paying any attention, the different address issue becomes
somewhat obvious.

Contrast this with rogue RA where the only bogus information is the default route
and you can easily and completely transparently forward the packets to the legitimate
router...

Owen

> Marc.
> 
>> 
>> Owen
>> 
>> On Sep 27, 2011, at 3:51 AM, fred wrote:
>> 
>>> You are right that the big issue with ND is that RA can be used to announce a
>>> rogue router and without SEND or at least RA Guard, we have no way to
>>> control this efficiently.
>>> 
>>> On the other hand, with IPv4 we had the ICMP REDIRECT since day 1 which has
>>> the potential to do basically the same damage and reprogram the default
>>> gateway of any host to an arbitrary address. And we have been living with
>>> this threat for 30 years pretty well!
>>> 
>>> RAs go a bit further as they can advertise much more than a default gateway.
>>> 
>>> But in IPv4 you can also have rogue DNS servers and rogue DHCP servers which
>>> can break even more things than a rogue RA which can be identified very
>>> quickly with a good IDS and blasted to stop its attack!
>>> 
>>> Fred
>>> 
>>> 
>>> 
>>> 
>>> On 27/09/2011 05:04, "Jim Small" <jim.small at cdw.com> wrote:
>>> 
>>>> Fred,
>>>> 
>>>> So why could NDP be worse than ARP?
>>>> [JRS>] Better and worse.  Better in the sense that it has more features and
>>>> flexibility.  Worse in the sense that since it uses IPv6 it can use (abuse)
>>>> extension headers to bypass current security mechanisms like ACLs and RA
>>>> Guard.
>>>> 
>>>> Because it can advertise a default router with an RA? If the answer is yes,
>>>> maybe there is a way (which I would not recommend anyway) to stop the router
>>>> from sending RA and configure the end node from DHCPv6 or manually. Just like
>>>> IPv4 would do.
>>>> [JRS>] Currently DHCPv6 is not capable of provisioning a default gateway, it
>>>> relies on SLAAC for this.  So currently disabling SLAAC would prevent DHCPv6
>>>> from working.
>>>> 
>>>> Or is there anything else where NDP spoofing is worse than ARP spoofing? I
>>>> would really think the opposite...
>>>> [JRS>] I think it will end up being superior, but first the issues with
>>>> extension header abuse and getting mainstream vendors like Microsoft and Apple
>>>> to implement SeND must be addressed.
>>>> 
>>>> --Jim
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Ipv6hackers mailing list
>>>> Ipv6hackers at lists.si6networks.com
>>>> http://lists.si6networks.com/listinfo/ipv6hackers
>>> 
>>> -- 
>>> 
>>> Fred Bovy
>>> fred at fredbovy.com
>>> Skype: fredericbovy
>>> Mobile: +33676198206
>>> Siret: 5221049000017
>>> Twitter: http://twitter.com/#!/FredBovy
>>> Blog: http://fredbovyipv6.blogspot.com/
>>> ccie #3013
>>> 
>> 
> 
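
Added example, not part of the original thread or any poster's code: a monitoring check for the case discussed above, where a rogue RA repeats the legitimate prefix and only the advertising router differs, so the check keys on the router's identity rather than the prefix. The allowlist values, the function names and the sample RA are constructed for illustration, and the input is assumed to be the ICMPv6 payload already extracted by a capture tool (extension header chains are not handled).

```python
import ipaddress
import struct

# Constructed allowlist (assumed values): router link-local address -> MAC.
LEGIT_ROUTERS = {"fe80::1": "00:00:5e:00:53:01"}
LEGIT_PREFIXES = {ipaddress.ip_network("2001:db8:1::/64")}

def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134) and its options."""
    if len(payload) < 16 or payload[0] != 134:
        raise ValueError("not a Router Advertisement")
    lifetime = struct.unpack("!H", payload[6:8])[0]  # router lifetime, seconds
    ra = {"lifetime": lifetime, "sll": None, "prefixes": []}
    pos = 16
    while pos + 2 <= len(payload):
        opt_type, opt_len = payload[pos], payload[pos + 1] * 8  # length in 8-byte units
        if opt_len == 0 or pos + opt_len > len(payload):
            raise ValueError("malformed option")
        body = payload[pos:pos + opt_len]
        if opt_type == 1 and opt_len >= 8:      # Source Link-Layer Address
            ra["sll"] = ":".join(f"{b:02x}" for b in body[2:8])
        elif opt_type == 3 and opt_len == 32:   # Prefix Information
            ra["prefixes"].append(ipaddress.IPv6Network((body[16:32], body[2]), strict=False))
        pos += opt_len
    return ra

def check_ra(src_ip: str, src_mac: str, payload: bytes) -> list:
    """Return alert strings; an empty list means the RA matches the allowlist."""
    ra = parse_ra(payload)
    alerts = []
    src = str(ipaddress.IPv6Address(src_ip))
    if LEGIT_ROUTERS.get(src) != src_mac.lower():
        alerts.append(f"unauthorised router {src} ({src_mac}), lifetime {ra['lifetime']}s")
    if ra["sll"] and ra["sll"] != src_mac.lower():
        alerts.append("source link-layer option differs from frame MAC")
    for net in ra["prefixes"]:
        if net not in LEGIT_PREFIXES:
            alerts.append(f"unexpected prefix {net}")
    return alerts

def build_ra(mac: str, prefix: str, lifetime: int = 1800) -> bytes:
    """Build a constructed sample RA payload (checksum left at zero) for testing."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    sll = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + sll + pio + net.network_address.packed
```

An RA that carries the correct prefix from an unlisted source produces exactly one alert, on the router identity, which is the only field that differs from legitimate traffic.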



