[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
Owen DeLong
owend at he.net
Fri Aug 24 06:10:33 CEST 2012
On Aug 23, 2012, at 20:59 , Jim Small <jim.small at cdw.com> wrote:
>>>> The fake router RA vulnerabilities are well known and relatively well
>>>> understood. Vendors are working on it and most have reasonable
>>>> initial solutions with progress being made towards more complete
>>>> solutions.
>>>
>>> This is not the message that I got the last time I talk with some
>>> well-known desktop os vendor.
>>>
>> If you managed to find an OS vendor that is asleep at the switch, good for
>> you,
>> you got an opportunity to educate someone. Nonetheless, the data has
>> been
>> well published and I know most of the switch/router vendors either have
>> running
>> code to (mostly) solve the problem or are working on it as we speak.
>>
>>>
>>>> However, I do not see this as being any worse in most
>>>> cases than a rogue DHCP server which is a vulnerability in IPv4 that
>>>> has not been fixed even to this day.
>>>
>>> My understanding is that you cannot crash a host with forged DHCP
>>> responses, but that you *can* do taht with forged RAs.
>>>
>>
>> I'm not sure I buy either one of those assertions.
>
> Hi Owen - actually you can. See here:
> http://www.networkworld.com/community/blog/known-ipv6-hole-freezes-windows-network-in-minutes
>
> As far as I know, there is no equivalent vulnerability in IPv4. I wholeheartedly agree with Marc that this is unacceptable. Microsoft's position is untenable. I really hope this is fixed in 8/2012. Until Marc brought it up I just assumed this had been fixed. I'm a little stunned that it's gone on this long.
If there isn't, it's because it got fixed a while back. (Ping O' Death anyone?... and that wasn't the only one).
However, I thought we were talking about reputable desktop OS. I hadn't realize that we were measuring an entire protocol by the capabilities of the least proficient development house on the planet. I make no excuses for Juniper on this one, either. However, to the best of my knowledge, they're the only two that still have this problem. If that's the case, I'd consider that a corner case and not an open issue.
Owen
More information about the Ipv6hackers
mailing list