[ipv6hackers] IPv6 security presentation at Hack.lu 2011

fred fred at fredbovy.com
Thu Sep 29 22:50:08 CEST 2011

Hi Owen,

I read and read again and I am not sure I understand your point.

If you send a rogue ICMP Redirect to intercept the traffic,
the source will use your IP address as the next hop instead of the
legitimate gateway, OK?
Then you capture the packet and get the payload, and then what prevents you
from forwarding the packet to the legitimate gateway?

What is the difference with a rogue RA again?

I must be stupid but I don't get your point here and it seems that I am
the only one on this list ;-)

On 27/09/2011 17:27, "Owen DeLong" <owend at he.net> wrote:

>The key difference is that in IPv4, most of those mechanisms break things
>visibly where a rogue RA can still forward the packets to the legitimate
>after capturing them.
>On Sep 27, 2011, at 3:51 AM, fred wrote:
>> You are right that the big issue with ND is that RA can be used announce a
>> Rogue router and without SEND or at least RA Guard, we have no way to
>> control this efficiently.
>> On the other hand, with IPv4 we had the ICMP REDIRECT since day 1 which
>> the potential to do basically the same damage and reprogram the default
>> gateway of any host to an arbitrary address. And we have been living
>> this threat for 30 years pretty good!
>> RA go a bit further as they can advertize much more than a default
>> But in IPv4 you can also have rogue DNS servers and rogue DHCP servers
>> can break even more things than a rogue RA which can be identified very
>> quickly with a good IDS and blasted to stop its attack!
>> Fred
>> On 27/09/2011 05:04, "Jim Small" <jim.small at cdw.com> wrote:
>>> Fred,
>>> So why NDP could be worse than ARP ?
>>> [JRS>] Better and worse.  Better in the sense that it has more features and
>>> flexibility.  Worse in the sense that since it uses IPv6 it can use
>>> extension headers to bypass current security mechanisms like ACLs and
>>> Guard.
>>> Because it can advertise a default router with a RA? If the answer is
>>> maybe there is a way (which I would
>>> not recommend anyway) to stop the router from sending RA and configure
>>> end node from DHCPv6 or manually. Just like IPv4 would do.
>>> [JRS>] Currently DHCPv6 is not capable of provisioning a default gateway, it
>>> relies on SLAAC for this.  So currently disabling SLAAC would prevent
>>> from working.
>>> Or is there anything else where NDP spoofing is worse than ARP spoofing? I
>>> would really think the opposite...
>>> [JRS>] I think it will end up being superior, but first the issues with
>>> extension header abuse and getting mainstream vendors like Microsoft and Apple
>>> to implement SeND must be addressed.
>>> --Jim
>>> _______________________________________________
>>> Ipv6hackers mailing list
>>> Ipv6hackers at lists.si6networks.com
>>> http://lists.si6networks.com/listinfo/ipv6hackers
>> -- 
>> Fred Bovy
>> fred at fredbovy.com
>> Skype: fredericbovy
>> Mobile: +33676198206
>> Siret: 5221049000017
>> Twitter: http://twitter.com/#!/FredBovy
>> Blog: http://fredbovyipv6.blogspot.com/
>> ccie #3013

More information about the Ipv6hackers mailing list
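
The thread's two defensive points, that a rogue RA can be spotted quickly by an IDS and that extension headers can hide NDP from ACLs and RA Guard, can be illustrated with a small classifier. This is an added example, not part of the original messages; the router allowlist, the sample packets and the "ra-evasive" policy are assumptions made for illustration.

```python
import ipaddress
import struct

EXT_HEADERS = {0, 43, 60}            # hop-by-hop, routing, destination options
FRAGMENT, ICMPV6, RA_TYPE = 44, 58, 134

def classify(packet: bytes, allowed_routers: set) -> str:
    """Classify one raw IPv6 packet (no link-layer header)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "malformed"
    next_header = packet[6]
    src = ipaddress.IPv6Address(packet[8:24])
    offset, ext_seen = 40, False
    # Walk the whole header chain; a filter that only reads the first
    # Next Header field never sees an RA placed behind extension headers.
    while next_header in EXT_HEADERS or next_header == FRAGMENT:
        if offset + 8 > len(packet):
            return "malformed"
        ext_seen = True
        if next_header == FRAGMENT:
            if struct.unpack_from("!H", packet, offset + 2)[0] & 0xFFF8:
                return "opaque-fragment"   # non-first fragment, no upper layer
            length = 8
        else:
            length = (packet[offset + 1] + 1) * 8
        next_header, offset = packet[offset], offset + length
    if next_header != ICMPV6 or offset >= len(packet) or packet[offset] != RA_TYPE:
        return "not-ra"
    if ext_seen:
        return "ra-evasive"   # example policy (assumption): RAs carry no extension headers
    return "ra-ok" if src in allowed_routers else "ra-rogue"

def ipv6(src: str, first_nh: int, body: bytes) -> bytes:
    """Build a constructed sample packet sent to ff02::1 with hop limit 255."""
    header = struct.pack("!IHBB", 6 << 28, len(body), first_nh, 255)
    dst = ipaddress.IPv6Address("ff02::1").packed
    return header + ipaddress.IPv6Address(src).packed + dst + body

# Constructed samples: a 16-byte RA and an 8-byte destination-options header.
RA = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
DEST_OPTS = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])   # next=ICMPv6, len=0, PadN
ALLOWED = {ipaddress.IPv6Address("fe80::1")}          # hypothetical legitimate router

if __name__ == "__main__":
    for label, pkt in [("legit", ipv6("fe80::1", ICMPV6, RA)),
                       ("rogue", ipv6("fe80::bad", ICMPV6, RA)),
                       ("hidden", ipv6("fe80::1", 60, DEST_OPTS + RA))]:
        print(label, classify(pkt, ALLOWED))
```

A source-address allowlist only catches RAs from unexpected addresses, since the source can be spoofed; a deployment would also key on the link-layer address or switch port.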