[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Marc Heuse mh at mh-sec.de
Fri Aug 24 09:39:32 CEST 2012


>>>>> However, I do not see this as being any worse in most
>>>>> cases than a rogue DHCP server which is a vulnerability in IPv4 that
>>>>> has not been fixed even to this day.
>>>>
>>>> My understanding is that you cannot crash a host with forged DHCP
>>>> responses, but that you *can* do that with forged RAs.
>>>
>>> I'm not sure I buy either one of those assertions.
>>
>> Hi Owen - actually you can.  See here:
>> http://www.networkworld.com/community/blog/known-ipv6-hole-freezes-windows-network-in-minutes
>>
>> As far as I know, there is no equivalent vulnerability in IPv4.  I wholeheartedly agree with Marc that this is unacceptable.  Microsoft's position is untenable.  I really hope this is fixed in 8/2012.  Until Marc brought it up I just assumed this had been fixed.  I'm a little stunned that it's gone on this long.
> 
> If there isn't, it's because it got fixed a while back. (Ping O' Death anyone?... and that wasn't the only one).
> 
> However, I thought we were talking about reputable desktop OS. I hadn't realized that we were measuring an entire protocol by the capabilities of the least proficient development house on the planet. I make no excuses for Juniper on this one, either. However, to the best of my knowledge, they're the only two that still have this problem. If that's the case, I'd consider that a corner case and not an open issue.

well, if Windows is not a reputable desktop os ... then I think this
discussion makes no sense right? come on, the Internet depends on
Microsoft and Cisco products, whether we like it or not. And only one of them
is doing a good job here.

but your argument is still moot because in my list of IPv6 security
issues I found and where most of them still have to be fixed include:
Solaris, FreeBSD, OS X, FreeBSD and QNX. But let me guess, these are not
reputable desktop os either.

and it's stuff that is really not that hard to find or come up with as an
attack.

IPv6's maturity is not where it should be. Features available are not
where they should be. But that's understandable, because such things take
time and labor. and especially the labor part is the main reason it will
still take one to two years until the implementation is done, and then
it takes another year to see if the implementation was good and bugs are
fixed. Even then it will not be on par with IPv4, but at least then it
will be in an acceptable state.

yes, we do not have that time. but that is the reason why I recommend to
wait with IPv6 as long as you can, and only do the minimum
necessary.


And for the record: Windows 7 with all current updates applied is still
vulnerable to RA flooding, just tried last week.


Greets,
Marc

--
Marc Heuse
www.mh-sec.de

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A


