[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Owen DeLong owend at he.net
Fri Aug 24 19:17:13 CEST 2012

On Aug 24, 2012, at 00:39 , Marc Heuse <mh at mh-sec.de> wrote:

>>>>>> However, I do not see this as being any worse in most
>>>>>> cases than a rogue DHCP server which is a vulnerability in IPv4 that
>>>>>> has not been fixed even to this day.
>>>>> My understanding is that you cannot crash a host with forged DHCP
>>>>> responses, but that you *can* do that with forged RAs.
>>>> I'm not sure I buy either one of those assertions.
>>> Hi Owen - actually you can.  See here:
>>> http://www.networkworld.com/community/blog/known-ipv6-hole-freezes-windows-network-in-minutes
>>> As far as I know, there is no equivalent vulnerability in IPv4.  I wholeheartedly agree with Marc that this is unacceptable.  Microsoft's position is untenable.  I really hope this is fixed in 8/2012.  Until Marc brought it up I just assumed this had been fixed.  I'm a little stunned that it's gone on this long.
>> If there isn't, it's because it got fixed a while back. (Ping O' Death anyone?... and that wasn't the only one).
>> However, I thought we were talking about reputable desktop OS. I hadn't realized that we were measuring an entire protocol by the capabilities of the least proficient development house on the planet. I make no excuses for Juniper on this one, either. However, to the best of my knowledge, they're the only two that still have this problem. If that's the case, I'd consider that a corner case and not an open issue.
> well, if Windows is not a reputable desktop os ... then I think this
> discussion makes no sense right? come on, the Internet depends on
> Microsoft and Cisco products, whether we like it or not. And only one of them
> is doing a good job here.
> but your argument is still moot because in my list of IPv6 security
> issues I found and where most of them still have to be fixed include:
> Solaris, FreeBSD, OS X, Freebsd and QNX. But let me guess, these are not
> reputable desktop os either.
> and it's stuff that is really not that hard to find or come up with as an
> attack.
> IPv6's maturity is not where it should be. Features available are not
> where they should be. But that's understandable, because such things take
> time and labor. and especially the labor part is the main reason it will
> still take one to two years until the implementation is done, and then
> it takes another year to see if the implementation was good and bugs are
> fixed. Even then it will not be on par with IPv4, but at least then it
> will be in an acceptable state.

This is where we disagree. Yes, IPv6 has its issues, but by and large, those
issues aren't significantly worse than the current state of IPv4.

Yes, there are some IPv4 workarounds that haven't made it into the IPv6
world (or at least not universally) yet, but that's coming along at a fairly
reasonable pace. The wider IPv6 gets deployed, the faster those things
will get corrected.

> yes, we do not have that time. but that is the reason why I recommend to
> wait with IPv6 as much as long as you can, and only do the minimum
> necessary.

And that is the reason your approach only exacerbates the problem.

> And for the record: Windows 7 with all current updates applied is still
> vulnerable to RA flooding, just tried last week.

Shall we talk about all of the IPv4 vulnerabilities that are still present
in Windows 7 too?

