[ipv6hackers] IPv6 security presentation at Hack.lu 2011
fred
fred at fredbovy.com
Thu Sep 29 22:50:08 CEST 2011
Hi Owen,
I read and read again and I am not sure I understand your point.
If you send a rogue ICMP Redirect to intercept the traffic, the source will
use your IP address as the next hop instead of the legitimate gateway, OK?
Then you capture the packet and get the payload, and then what prevents you
from forwarding the packet to the legitimate gateway?
What is the difference with a rogue RA again?
I must be stupid but I don't get your point here and it seems that I am
the only one on this list ;-)
TIA
Fred
On 27/09/2011 17:27, "Owen DeLong" <owend at he.net> wrote:
>The key difference is that in IPv4, most of those mechanisms break things
>visibly where a rogue RA can still forward the packets to the legitimate
>gateway after capturing them.
>
>Owen
>
>On Sep 27, 2011, at 3:51 AM, fred wrote:
>
>> You are right that the big issue with ND is that RA can be used to
>> announce a Rogue router and without SEND or at least RA Guard, we have
>> no way to control this efficiently.
>>
>> On the other hand, with IPv4 we had the ICMP REDIRECT since day 1 which
>> has the potential to do basically the same damage and reprogram the
>> default gateway of any host to an arbitrary address. And we have been
>> living with this threat for 30 years pretty good!
>>
>> RA go a bit further as they can advertise much more than a default
>> gateway.
>>
>> But in IPv4 you can also have rogue DNS servers and rogue DHCP servers
>> which can break even more things than a rogue RA which can be identified
>> very quickly with a good IDS and blasted to stop its attack!
>>
>> Fred
>>
>> On 27/09/2011 05:04, "Jim Small" <jim.small at cdw.com> wrote:
>>
>>> Fred,
>>>
>>> So why could NDP be worse than ARP?
>>> [JRS>] Better and worse. Better in the sense that it has more
>>> features and flexibility. Worse in the sense that since it uses IPv6 it
>>> can use (abuse) extension headers to bypass current security mechanisms
>>> like ACLs and RA Guard.
>>>
>>> Because it can advertise a default router with an RA? If the answer is
>>> yes maybe there is a way (which I would not recommend anyway) to stop
>>> the router from sending RA and configure the end node from DHCPv6 or
>>> manually. Just like IPv4 would do.
>>> [JRS>] Currently DHCPv6 is not capable of provisioning a default
>>> gateway, it relies on SLAAC for this. So currently disabling SLAAC
>>> would prevent DHCPv6 from working.
>>>
>>> Or is there anything else where NDP spoofing is worse than ARP
>>> spoofing? I would really think the opposite...
>>> [JRS>] I think it will end up being superior, but first the issues with
>>> extension header abuse and getting mainstream vendors like Microsoft
>>> and Apple to implement SeND must be addressed.
>>>
>>> --Jim
>>>
>>>
>>> _______________________________________________
>>> Ipv6hackers mailing list
>>> Ipv6hackers at lists.si6networks.com
>>> http://lists.si6networks.com/listinfo/ipv6hackers
>>
>> --
>>
>> Fred Bovy
>> fred at fredbovy.com
>> Skype: fredericbovy
>> Mobile: +33676198206
>> Siret: 5221049000017
>> Twitter: http://twitter.com/#!/FredBovy
>> Blog: http://fredbovyipv6.blogspot.com/
>> ccie #3013
>>
>
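As an added illustration that is not part of the original thread, the sketch below shows the kind of check an IDS could apply to the rogue RA case discussed above, including RAs hidden behind extension headers as Jim describes. The function names, the allow-list of router addresses and the sample packets are all constructed for this example.

```python
import ipaddress
import struct

# Extension headers that share the (next header, length in 8-octet units) layout
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}
FRAGMENT, ICMPV6, RA_TYPE = 44, 58, 134

def inspect_ra(packet, allowed_routers):
    """Return None if packet is not a visible RA, else a list of findings ([] = clean)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header, hop_limit = packet[6], packet[7]
    src = ipaddress.IPv6Address(packet[8:24])
    offset, chain = 40, []
    # Walk the whole header chain instead of trusting the first Next Header value
    while next_header in EXT_HEADERS or next_header == FRAGMENT:
        if offset + 8 > len(packet):
            return None
        if next_header == FRAGMENT:
            if struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3:
                return None  # non-first fragment: ICMPv6 header is not in this packet
            chain.append("fragment")
            hdr_len = 8
        else:
            chain.append(EXT_HEADERS[next_header])
            hdr_len = (packet[offset + 1] + 1) * 8
        next_header, offset = packet[offset], offset + hdr_len
    if next_header != ICMPV6 or offset >= len(packet) or packet[offset] != RA_TYPE:
        return None
    findings = []
    if chain:
        findings.append("extension headers before RA: " + ",".join(chain))
    if hop_limit != 255:  # RFC 4861: receivers must discard RAs whose hop limit is not 255
        findings.append("hop limit is not 255")
    if not src.is_link_local:  # RFC 4861: RA source must be a link-local address
        findings.append("source is not link-local")
    if str(src) not in allowed_routers:
        findings.append(f"unknown router {src}")
    return findings

def build_packet(src, ext=b"", first_nh=ICMPV6, hop_limit=255):
    """Constructed sample: IPv6 header + optional extension header + minimal 16-byte RA."""
    ra = bytes([RA_TYPE, 0, 0, 0, 64, 0, 0x07, 0x08]) + bytes(8)  # checksum left at zero
    payload = ext + ra
    head = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, hop_limit)
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return head + addrs + payload

DESTOPT = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # constructed destination-options header (PadN)
```

Non-first fragments return None here because the ICMPv6 header is not visible without reassembly, so a sensor relying on this check alone would need to reassemble or drop fragmented ND traffic.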