[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Jim Small jim.small at cdw.com
Tue Sep 27 20:34:09 CEST 2011


> The key difference is that in IPv4, most of those mechanisms break things
> visibly where a rogue RA can still forward the packets to the legitimate gateway
> after capturing them.

Well, if I'm a rogue DHCPv4 server and advertise myself as v4 default router, then I can still "forward packets to the legitimate gateway after capturing them".

[JRS> ] All of this can be done with IPv4.  ARP poisoning is probably the easiest way to accomplish this and is rarely protected against.  I believe the point is that in IPv4 for ARP spoofing/poisoning, DHCP spoofing, and spoofing in general we have excellent and reliable defenses such as ARP inspection/DAI, DHCP Snooping, and IP Source Guard.  I believe Fernando has shown that the current defenses we have in IPv6 - Port ACLs and RA Guard - can be bypassed by crafting and abusing specific extension headers.  So, we need to push forward proposals to improve features like RA Guard, get DHCPv6 Snooping and IPv6 Source Guard, and consider limiting extension headers in NDP if they are not needed.  This allows us to achieve "feature" or "security" parity with IPv4 in regards to this very specific set of features.

--Jim
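
The policy suggested above (limit extension headers in NDP) as an added example that is not part of the original message: a filter has to walk the whole IPv6 header chain before deciding whether a packet is NDP, rather than looking only at the first Next Header value. The verdict names, the handling of only four extension header types, and the sample packets are assumptions made for this sketch.

```python
import struct

EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "destination-options"}
NDP = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}  # ICMPv6 types

def classify(pkt: bytes):
    """Walk the IPv6 header chain; return (verdict, detail) for a filtering policy."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "undetermined", "not a complete IPv6 header"
    nxt, off, seen = pkt[6], 40, []
    while nxt in EXT:
        if off + 8 > len(pkt):
            return "undetermined", "extension header chain truncated"
        seen.append(EXT[nxt])
        if nxt == 44:  # fragment header is always 8 bytes
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return "undetermined", "non-first fragment hides the upper layer"
            size = 8
        else:          # Hdr Ext Len counts 8-byte units beyond the first
            size = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    if nxt != 58:
        return "pass", "upper layer is not ICMPv6"
    if off >= len(pkt):
        return "undetermined", "ICMPv6 header not in this packet"
    msg = NDP.get(pkt[off])
    if msg is None:
        return "pass", "ICMPv6 but not NDP"
    if seen:  # the case a first-Next-Header-only filter never sees as NDP
        return "ndp-ext", f"{msg} behind {', '.join(seen)}"
    return "ndp-clean", f"{msg} with no extension headers"

# --- constructed sample packets (checksums left zero, not validated here) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80" + "00" * 13 + "01")   # fe80::1
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")   # ff02::1
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return hdr + src + dst + payload

RA = bytes([134, 0]) + bytes(14)               # Router Advertisement, no options
DSTOPT = bytes([58, 0, 1, 4, 0, 0, 0, 0])      # destination options: one PadN
SAMPLES = {
    "plain RA": ipv6(58, RA),
    "RA behind destination options": ipv6(60, DSTOPT + RA),
    "echo request": ipv6(58, bytes([128, 0]) + bytes(6)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:32} -> {classify(pkt)}")
```

Under the policy discussed in the message, a host-facing port would drop "ndp-ext" and hand "ndp-clean" to the usual RA Guard decision; what to do with "undetermined" is a separate policy choice.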
