[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Owen DeLong owend at he.net
Thu Sep 29 23:29:25 CEST 2011


On Sep 29, 2011, at 2:25 PM, Enno Rey wrote:

> Hi,
> 
> On Thu, Sep 29, 2011 at 01:57:46PM -0700, Owen DeLong wrote:
>> The difference is that in IPv4, most (security conscious) people turn off
>> the ability to pay attention to redirects.
>> 
>> In IPv6, you cannot (unless you want to deal with static routes or a routing
>> protocol on EVERY host) ignore RA.
> 
> how would running a RP prevent dealing with RAs?

You can turn on, for example, OSPF for the host to learn its gateway, and then it
can ignore RAs.

If you ignore RAs without an RP, then, you have no routing other than static.

> not going through the RFCs right now I'm pretty sure that an end node initially _has_ to go through an NDP (RA, potentially RS before) based communication act before anything else (even if it ran an RP).
> 

Nope… The node can use a statically assigned address.


> thanks,
> 
> Enno
> 
> and, btw, how do you turn off processing ICMP redirects on, say, a common recent Windows OS?
> [not that I regard ICMP redirects as a relevant problem at all, just asking for real interest]
> 

I believe it's a registry tweak and might be controllable by security policy. I'm not
sure. I'm not a Windows expert. Just because I know what is commonly done does
not mean that I necessarily know how to do it on all (especially the most insecure)
platforms.

Owen

> 
> 
> 
> 
>> 
>> Owen
>> 
>> On Sep 29, 2011, at 1:50 PM, fred wrote:
>> 
>>> Hi Owen,
>>> 
>>> I read and read again and I am not sure I understand your point.
>>> 
>>> If you send a rogue ICMP Redirect to intercept the traffic.
>>> So the source will use your IP address as the next hop instead of the
>>> legitimate gateway, OK ?
>>> Then you capture the packet and get the payload and then what prevents you
>>> from forwarding the packet to the legitimate gateway ?
>>> 
>>> What is the difference with a rogue RA again ?
>>> 
>>> I must be stupid but I don't get your point here and it seems that I am
>>> the only one on this list ;-)
>>> 
>>> TIA
>>> Fred
>>> 
>>> 
>>> 
>>> On 27/09/2011 17:27, Owen DeLong <owend at he.net> wrote:
>>> 
>>>> The key difference is that in IPv4, most of those mechanisms break things
>>>> visibly where a rogue RA can still forward the packets to the legitimate
>>>> gateway after capturing them.
>>>> 
>>>> Owen
>>>> 
>>>> On Sep 27, 2011, at 3:51 AM, fred wrote:
>>>> 
>>>>> You are right that the big issue with ND is that RA can be used to announce a
>>>>> Rogue router and without SEND or at least RA Guard, we have no way to
>>>>> control this efficiently.
>>>>> 
>>>>> On the other hand, with IPv4 we had the ICMP REDIRECT since day 1 which has
>>>>> the potential to do basically the same damage and reprogram the default
>>>>> gateway of any host to an arbitrary address. And we have been living with
>>>>> this threat for 30 years pretty good!
>>>>> 
>>>>> RA go a bit further as they can advertise much more than a default gateway.
>>>>> 
>>>>> But in IPv4 you can also have rogue DNS servers and rogue DHCP servers which
>>>>> can break even more things than a rogue RA which can be identified very
>>>>> quickly with a good IDS and blasted to stop its attack!
>>>>> 
>>>>> Fred
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On 27/09/2011 05:04, Jim Small <jim.small at cdw.com> wrote:
>>>>> 
>>>>>> Fred,
>>>>>> 
>>>>>> So why NDP could be worse than ARP ?
>>>>>> [JRS>] Better and worse.  Better in the sense that it has more features and
>>>>>> flexibility.  Worse in the sense that since it uses IPv6 it can use (abuse)
>>>>>> extension headers to bypass current security mechanisms like ACLs and RA
>>>>>> Guard.
>>>>>> 
>>>>>> Because it can advertise a default router with a RA? If the answer is yes
>>>>>> maybe there is a way (which I would not recommend anyway) to stop the
>>>>>> router from sending RA and configure the end node from DHCPv6 or manually.
>>>>>> Just like IPv4 would do.
>>>>>> [JRS>] Currently DHCPv6 is not capable of provisioning a default gateway, it
>>>>>> relies on SLAAC for this.  So currently disabling SLAAC would prevent DHCPv6
>>>>>> from working.
>>>>>> 
>>>>>> Or is there anything else where NDP spoofing is worse than ARP spoofing ? I
>>>>>> would really think the opposite...
>>>>>> [JRS>] I think it will end up being superior, but first the issues with
>>>>>> extension header abuse and getting mainstream vendors like Microsoft and Apple
>>>>>> to implement SeND must be addressed.
>>>>>> 
>>>>>> --Jim
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Ipv6hackers mailing list
>>>>>> Ipv6hackers at lists.si6networks.com
>>>>>> http://lists.si6networks.com/listinfo/ipv6hackers
>>>>> 
>>>>> -- 
>>>>> 
>>>>> Fred Bovy
>>>>> fred at fredbovy.com
>>>>> Skype: fredericbovy
>>>>> Mobile: +33676198206
>>>>> Siret: 5221049000017
>>>>> Twitter: http://twitter.com/#!/FredBovy
>>>>> Blog: http://fredbovyipv6.blogspot.com/
>>>>> ccie #3013
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>> 
>>> 
>> 
> 
> -- 
> Enno Rey
> 
> ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
> Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
> PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1
> 
> Handelsregister Mannheim: HRB 337135
> Geschaeftsfuehrer: Enno Rey
> 
> =======================================================
> Blog: www.insinuator.net || Conference: www.troopers.de
> =======================================================




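The thread's two observations, that a rogue RA keeps forwarding traffic so nothing visibly breaks and that an IDS can still identify it quickly, both come down to comparing every received RA with what the site expects. As an added example (not part of the thread and not any poster's code), this Python parser reads an ICMPv6 Router Advertisement per RFC 4861 and reports deviations from an allowlist; `ALLOWED_ROUTERS`, `ALLOWED_PREFIXES`, the addresses and the `build_ra` sample generator are constructed assumptions.

```python
import ipaddress
import struct

# Assumed site policy (constructed values): one legitimate router and prefix.
ALLOWED_ROUTERS = {"fe80::1": "00:00:5e:00:53:01"}   # link-local source -> MAC
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, section 4.2)."""
    if len(icmp) < 16 or icmp[0] != 134 or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"lifetime": struct.unpack_from("!H", icmp, 6)[0], "mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8     # length is in 8-octet units
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed option")
        body = icmp[off + 2:off + olen]
        if otype == 1 and olen == 8:                   # source link-layer address
            ra["mac"] = ":".join(f"{b:02x}" for b in body)
        elif otype == 3 and olen == 32:                # prefix information
            ra["prefixes"].append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        off += olen
    return ra

def check_ra(src: str, hop_limit: int, icmp: bytes) -> list:
    """Return the reasons an RA deviates from policy; an empty list means expected."""
    ra, addr, alerts = parse_ra(icmp), ipaddress.IPv6Address(src), []
    if hop_limit != 255 or not addr.is_link_local:
        alerts.append("fails RFC 4861 receive checks (hop limit 255, link-local source)")
    expected_mac = ALLOWED_ROUTERS.get(str(addr))
    if expected_mac is None:
        alerts.append(f"unknown router {addr}, default-router lifetime {ra['lifetime']}s")
    elif ra["mac"] != expected_mac:
        alerts.append(f"router {addr} announced from unexpected MAC {ra['mac']}")
    alerts += [f"unexpected prefix {p}" for p in ra["prefixes"] if p not in ALLOWED_PREFIXES]
    return alerts

def build_ra(mac: str, prefix: str, lifetime: int = 1800) -> bytes:
    """Constructed sample RA for the demo (checksum left at zero)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return hdr + slla + pio + net.network_address.packed

if __name__ == "__main__":
    print(check_ra("fe80::1", 255, build_ra("00:00:5e:00:53:01", "2001:db8:1::/64")))
    print(check_ra("fe80::bad", 255, build_ra("00:00:5e:00:53:99", "2001:db8:bad::/64")))
```

The MAC comparison only catches a spoofed router address when the sender includes its own link-layer option; it complements, and does not replace, switch-level RA Guard.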