[ipv6hackers] IPv6 security presentation at Hack.lu 2011

Enno Rey erey at ernw.de
Thu Sep 29 23:42:57 CEST 2011


Hi,

On Thu, Sep 29, 2011 at 02:29:25PM -0700, Owen DeLong wrote:
> 
> On Sep 29, 2011, at 2:25 PM, Enno Rey wrote:
> 
> > Hi,
> > 
> > On Thu, Sep 29, 2011 at 01:57:46PM -0700, Owen DeLong wrote:
> >> The difference is that in IPv4, most (security conscious) people turn off
> >> the ability to pay attention to redirects.
> >> 
> >> In IPv6, you cannot (unless you want to deal with static routes or a routing
> >> protocol on EVERY host) ignore RA.
> > 
> > how would running a RP prevent dealing with RAs?
> 
> You can turn on, for example, OSPF for host to learn its gateway and then, it
> can ignore RAs.

are you sure?
Just went through RFC 4862 and I don't think a host can do anything else than (SLAAC with RAs|DHCPv6, not distributing a default gateway anyway|manual).

thanks

Enno






> 
> If you ignore RAs without an RP, then, you have no routing other than static.
> 
> > not going through the RFCs right now I'm pretty sure that an end node initially _has_ to go through an NDP (RA, potentially RS before) based communication act before anything else (even if it ran an RP).
> > 
> 
> Nope? The node can use a statically assigned address.
> 
> 
> > thanks,
> > 
> > Enno
> > 
> > and, btw, how do you turn off processing ICMP redirects on, say, a common recent Windows OS?
> > [not that I regard ICMP redirects as a relevant problem at all, just asking for real interest]
> > 
> 
> I believe it's a registry tweak and might be controllable by security policy. I'm not
> sure. I'm not a windows expert. Just because I know what is commonly done does
> not mean that I necessarily know how to do it on all (especially the most insecure)
> platforms.
> 
> Owen
> 
> > 
> > 
> > 
> > 
> >> 
> >> Owen
> >> 
> >> On Sep 29, 2011, at 1:50 PM, fred wrote:
> >> 
> >>> Hi Owen,
> >>> 
> >>> I read and read again and I am not sure I understand your point.
> >>> 
> >>> If you send a rogue ICMP Redirect to intercept the traffic.
> >>> So the source will use your IP address as the next hop instead of the
> >>> legitimate gateway, OK ?
> >>> Then you capture the packet and get the payload and then what prevents you
> >>> from forwarding the packet to the legitimate gateway ?
> >>> 
> >>> What is the difference with a rogue RA again ?
> >>> 
> >>> I must be stupid but I don't get your point here and it seems that I am
> >>> the only one on this list ;-)
> >>> 
> >>> TIA
> >>> Fred
> >>> 
> >>> 
> >>> 
> >>> On 27/09/2011 17:27, "Owen DeLong" <owend at he.net> wrote:
> >>> 
> >>>> The key difference is that in IPv4, most of those mechanisms break things
> >>>> visibly where a rogue RA can still forward the packets to the legitimate
> >>>> gateway
> >>>> after capturing them.
> >>>> 
> >>>> Owen
> >>>> 
> >>>> On Sep 27, 2011, at 3:51 AM, fred wrote:
> >>>> 
> >>>>> You are right that the big issue with ND is that RA can be used to
> >>>>> announce a
> >>>>> Rogue router and without SEND or at least RA Guard, we have no way to
> >>>>> control this efficiently.
> >>>>> 
> >>>>> On the other hand, with IPv4 we had the ICMP REDIRECT since day 1 which
> >>>>> has
> >>>>> the potential to do basically the same damage and reprogram the default
> >>>>> gateway of any host to an arbitrary address. And we have been living
> >>>>> with
> >>>>> this threat for 30 years pretty good!
> >>>>> 
> >>>>> RA go a bit further as they can advertise much more than a default
> >>>>> gateway.
> >>>>> 
> >>>>> But in IPv4 you can also have rogue DNS servers and rogue DHCP servers
> >>>>> which
> >>>>> can break even more things than a rogue RA which can be identified very
> >>>>> quickly with a good IDS and blasted to stop its attack!
> >>>>> 
> >>>>> Fred
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> On 27/09/2011 05:04, "Jim Small" <jim.small at cdw.com> wrote:
> >>>>> 
> >>>>>> Fred,
> >>>>>> 
> >>>>>> So why NDP could be worse than ARP ?
> >>>>>> [JRS>] Better and worse.  Better in the sense that it has more
> >>>>>> features and
> >>>>>> flexibility.  Worse in the sense that since it uses IPv6 it can use
> >>>>>> (abuse)
> >>>>>> extension headers to bypass current security mechanisms like ACLs and
> >>>>>> RA
> >>>>>> Guard.
> >>>>>> 
> >>>>>> Because it can advertise a default router with a RA? If the answer is
> >>>>>> yes
> >>>>>> maybe there is a way (which I would
> >>>>>> not recommend anyway) to stop the router from sending RA and configure
> >>>>>> the
> >>>>>> end node from DHCPv6 or manually. Just like IPv4 would do.
> >>>>>> [JRS>] Currently DHCPv6 is not capable of provisioning a default
> >>>>>> gateway, it
> >>>>>> relies on SLAAC for this.  So currently disabling SLAAC would prevent
> >>>>>> DHCPv6
> >>>>>> from working.
> >>>>>> 
> >>>>>> Or is there anything else where NDP spoofing is worse than ARP
> >>>>>> spoofing ? I
> >>>>>> would really think the opposite...
> >>>>>> [JRS>] I think it will end up being superior, but first the issues with
> >>>>>> extension header abuse and getting mainstream vendors like Microsoft
> >>>>>> and Apple
> >>>>>> to implement SeND must be addressed.
> >>>>>> 
> >>>>>> --Jim
> >>>>>> 
> >>>>>> 
> >>>>>> _______________________________________________
> >>>>>> Ipv6hackers mailing list
> >>>>>> Ipv6hackers at lists.si6networks.com
> >>>>>> http://lists.si6networks.com/listinfo/ipv6hackers
> >>>>> 
> >>>>> -- 
> >>>>> 
> >>>>> Fred Bovy
> >>>>> fred at fredbovy.com
> >>>>> Skype: fredericbovy
> >>>>> Mobile: +33676198206
> >>>>> Siret: 5221049000017
> >>>>> Twitter: http://twitter.com/#!/FredBovy
> >>>>> Blog: http://fredbovyipv6.blogspot.com/
> >>>>> ccie #3013
> >>>>> 
> >>>>> 
> >>>>> 
> >>>>> 
> > 
> > -- 
> > Enno Rey
> > 
> > ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
> > Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
> > PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1
> > 
> > Handelsregister Mannheim: HRB 337135
> > Geschaeftsfuehrer: Enno Rey
> > 
> > =======================================================
> > Blog: www.insinuator.net || Conference: www.troopers.de
> > =======================================================

-- 
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 174 3082474
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

=======================================================
Blog: www.insinuator.net || Conference: www.troopers.de
=======================================================
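
Added example, not part of the original thread: the quoted points that a rogue RA can be identified by an IDS and that extension headers can be used to get an RA past ACLs and RA Guard, expressed as a passive check over raw IPv6 packets. The function names, the allow-list of router addresses and the sample packets are assumptions constructed for illustration; ICMPv6 checksums are not verified.

```python
import ipaddress
import struct

ICMPV6, FRAGMENT, RA_TYPE = 58, 44, 134
EXT_HEADERS = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options


def inspect_ra(packet, allowed_routers):
    """Return findings for one raw IPv6 packet; [] means nothing to report."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return []
    next_hdr, hop_limit = packet[6], packet[7]
    src = ipaddress.IPv6Address(packet[8:24])
    offset, skipped, fragmented = 40, 0, False
    # Walk the whole header chain; a filter that only reads the first
    # Next Header field never sees an RA placed behind extension headers.
    while next_hdr in EXT_HEADERS or next_hdr == FRAGMENT:
        if offset + 8 > len(packet):
            return ["truncated extension header chain"]
        if next_hdr == FRAGMENT:
            frag_off = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if frag_off:
                return []  # non-first fragment: no upper-layer header here
            fragmented, length = True, 8
        else:
            length = (packet[offset + 1] + 1) * 8
        next_hdr = packet[offset]
        offset += length
        skipped += 1
    if next_hdr != ICMPV6 or offset >= len(packet) or packet[offset] != RA_TYPE:
        return []
    checks = [
        (str(src) not in allowed_routers, f"RA from unknown router {src}"),
        (not src.is_link_local, "RA source is not link-local"),
        (hop_limit != 255, "RA hop limit is not 255"),
        (skipped > 0, f"RA behind {skipped} extension header(s)"),
        (fragmented, "RA carried in a fragment"),
    ]
    return [msg for hit, msg in checks if hit]


def build(src, next_hdr, body, hop_limit=255):
    # Constructed sample packet (test data only), addressed to ff02::1.
    head = struct.pack("!IHBB", 6 << 28, len(body), next_hdr, hop_limit)
    dst = ipaddress.IPv6Address("ff02::1").packed
    return head + ipaddress.IPv6Address(src).packed + dst + body


RA = bytes([134, 0, 0, 0, 64, 0, 7, 8]) + bytes(8)  # constructed RA, no options
DSTOPT = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])       # 8-byte Destination Options (PadN)
ALLOWED = {"fe80::1"}                                # assumed legitimate router
```
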


