[ipv6hackers] SLAAC and DHCPv6 support (was Re: IPv6 security presentation at Hack.lu 2011)

fred fred at fredbovy.com
Wed Sep 28 15:10:16 CEST 2011


Just a last thing I would like to add about the spoofed RA!

These RA must be sent locally. RA must have a hop limit of 255 or it is
invalid! 
For sure it may be easier to spoof a DNS answer but this is not a reason why
we don't use DNS with or without DNSSEC...

There is a long list of simple attacks (DoS, MITM,...) which can be done
from a local access, IPv4 or IPv6... A very long list! That's why we need
IDS to prevent all these attacks and neutralize the attacker...

Did we consider that it was a showstopper for IPv4 ?

Fred

Le 28/09/2011 12:29, « Fred Bovy » <fred at fredbovy.com> a écrit :

> Hi Fernando,
> 
> 
> 
> 
>>> As protocols like DANE get advanced, the need for
>>> PKI related services start to disappear, which removes another
>>> impediment against the use of SeND.  Even DANE itself might act as a
>>> replacement whenever encryption based upon the certificate at the host
>>> is used.
>> 
>> ... and NATs will disappear with IPv6, and there will be increased use
>> of IPsec as a result of IPv6 end-to-end'ness, etc.
> 
> SNIP
> 
>> 
>> For instance, SeND doesn't help much while the DNS is still mostly
>> insecure. Rather than bothering with ND spoofing or RA sppofing, an
>> attacker could simply spoof DNS responses. -- i.e., the usual "the
>> strength of a chain is that of its weakest link".
> 
> This is exactly what I said about IPv4...
> 
> You can send an ICMP REDIRECT and change the routing of IPv4 end hosts to
> any address ! You don't have to have IPv6 and RA do do that ! It seems that
> everybody wake up on something which has already be there!
> 
> I also said that since day one we can also spoof DNS or DHCP response!
> No need for RA to break a Network...
> 
> DNSSEC could help but I think it is not compatible with NAT.
> And because it is a joke that NAT will disappear one day because people will
> never realize that NAT brings much more troubles that it solves problems, we
> are having a problem...
> 
> So, may be the best is solution may be to just do nothing... Just add some
> more NAT as many people think it is the solution and consider that IPv6 was
> just a bad idea, an illusion for naive people who thought that an address
> for each device which need connectivity on the Internet would be the
> solution. An illusion to think about all these applications which requires
> direct connections rather than intermediate servers to bypass NAT...
> 
> 
> 
> 

-- 

Fred Bovy
fred at fredbovy.com
Skype: fredericbovy
Mobile: +33676198206
Siret: 5221049000017
Twitter: http://twitter.com/#!/FredBovy
Blog: http://fredbovyipv6.blogspot.com/
ccie #3013
 






More information about the Ipv6hackers mailing list