[ipv6hackers] SLAAC and DHCPv6 support (was Re: IPv6 security presentation at Hack.lu 2011)
fred at fredbovy.com
Wed Sep 28 15:10:16 CEST 2011
Just a last thing I would like to add about the spoofed RA!
These RA must be sent locally. RA must have a hop limit of 255 or it is
For sure it may be easier to spoof a DNS answer but this is not a reason why
we don't use DNS with or without DNSSEC...
There is a long list of simple attacks (DoS, MITM,...) which can be done
from a local access, IPv4 or IPv6... A very long list! That's why we need
IDS to prevent all these attacks and neutralize the attacker...
Did we consider that it was a showstopper for IPv4 ?
Le 28/09/2011 12:29, « Fred Bovy » <fred at fredbovy.com> a écrit :
> Hi Fernando,
>>> As protocols like DANE get advanced, the need for
>>> PKI related services start to disappear, which removes another
>>> impediment against the use of SeND. Even DANE itself might act as a
>>> replacement whenever encryption based upon the certificate at the host
>>> is used.
>> ... and NATs will disappear with IPv6, and there will be increased use
>> of IPsec as a result of IPv6 end-to-end'ness, etc.
>> For instance, SeND doesn't help much while the DNS is still mostly
>> insecure. Rather than bothering with ND spoofing or RA sppofing, an
>> attacker could simply spoof DNS responses. -- i.e., the usual "the
>> strength of a chain is that of its weakest link".
> This is exactly what I said about IPv4...
> You can send an ICMP REDIRECT and change the routing of IPv4 end hosts to
> any address ! You don't have to have IPv6 and RA do do that ! It seems that
> everybody wake up on something which has already be there!
> I also said that since day one we can also spoof DNS or DHCP response!
> No need for RA to break a Network...
> DNSSEC could help but I think it is not compatible with NAT.
> And because it is a joke that NAT will disappear one day because people will
> never realize that NAT brings much more troubles that it solves problems, we
> are having a problem...
> So, may be the best is solution may be to just do nothing... Just add some
> more NAT as many people think it is the solution and consider that IPv6 was
> just a bad idea, an illusion for naive people who thought that an address
> for each device which need connectivity on the Internet would be the
> solution. An illusion to think about all these applications which requires
> direct connections rather than intermediate servers to bypass NAT...
fred at fredbovy.com
More information about the Ipv6hackers