[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
Mike Jones
mike at mikejones.in
Sat Aug 25 05:31:24 CEST 2012
On 25 August 2012 02:24, Karl Auer <kauer at biplane.com.au> wrote:
> On Sat, 2012-08-25 at 01:49 +0100, Mike Jones wrote:
>> It's also an attack that the best defence against is to deploy v6
>> across your entire network.
>
> I don't see how you arrived at that conclusion. RA flooding has nothing
> to do with IPv4.
>
How much IPv4-only equipment provides filtering for IPv6 RA packets?
Worst case scenario (no RA filtering switches) you are vulnerable no
matter what you do, and deploying IPv6 will either have no impact on
this or it might possibly make it less of an issue (a lower priority
router etc, but this specific bug you're pretty much screwed either
way).

Another likely scenario is a network with "must fully support IPv6" as
part of its purchasing requirements. This network is more likely to be
able to protect themselves from these issues with RA guarding (I am
counting both this bug and the other issue of being able to MITM
everything, which is mostly related), so if someone really is
concerned about the security impacts of IPv6 on their network then
they would be encouraging v6 capabilities in any new equipment
purchases already, because a v4-only network is vulnerable to pretty
much every attack against v6 networks that is possible, a network that
requires IPv6 support from its vendors is probably going to be able to
protect against at least some of the vulnerabilities if not all of
them (depending on models etc).

I am simplifying things a little (you can get switches that have no
idea about IPv6 to drop RAs, but that typically only works if there
are no extension headers for example), however a network that thinks
these vulnerabilities don't apply to them if they ignore IPv6 is
probably extremely misguided at the very least, and more than likely
is also wide open to attack. I have seen this bug cited as an excuse
for not deploying IPv6 on several occasions, when in fact this
vulnerability already exists on the very networks they are talking
about and the only way to fix this is with some kind of v6 awareness
in the network. (Or for Microsoft to fix it and get the update applied
to all clients, which even if they changed their minds and tried to do
would probably not be completely effective, and wouldn't help with the
other RA issues.)

I'm sure there is probably a network somewhere that filters all
Ethernet packets that don't have the IPv4 packet type and filters all
the automatic IPv6 in IPv4 tunnels etc, they may or may not be
vulnerable to these types of issues, but they're also not typical :)
- Mike
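
The point in the message above about RA filtering that only works without extension headers, shown as an added example that is not part of the original post: a filter that inspects only the fixed header's Next Header field misses an RA placed behind a Destination Options header, while a filter that walks the header chain classifies it correctly. The function names and sample packets are constructed for illustration, and AH is not walked in this sketch.

```python
import struct

ICMPV6, RA_TYPE, FRAGMENT = 58, 134, 44
VAR_LEN_EXT = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options

def ipv6(next_header, payload):
    """Constructed test frame: IPv6 header (fe80::1 -> ff02::1) plus payload."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

def naive_is_ra(pkt):
    """Match only when ICMPv6 directly follows the fixed IPv6 header."""
    return pkt[6] == ICMPV6 and len(pkt) > 40 and pkt[40] == RA_TYPE

def classify(pkt):
    """Walk the extension header chain: 'ra', 'other' or 'undetermined'."""
    nh, off = pkt[6], 40
    while True:
        if off + 2 > len(pkt):
            return "undetermined"  # chain runs past the captured bytes
        if nh == ICMPV6:
            return "ra" if pkt[off] == RA_TYPE else "other"
        if nh in VAR_LEN_EXT:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            if off + 8 > len(pkt) or struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "undetermined"  # upper-layer header is not in this fragment
            nh, off = pkt[off], off + 8
        else:
            return "other"  # not ICMPv6; AH (51) is not walked in this sketch

# Constructed sample payloads (checksums left as zero, never sent on a wire).
RA_BODY = bytes([RA_TYPE, 0, 0, 0]) + bytes(12)
DEST_OPTS = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # 8-byte header, PadN padding
SAMPLES = {
    "plain_ra": ipv6(ICMPV6, RA_BODY),
    "ra_after_dest_opts": ipv6(60, DEST_OPTS + RA_BODY),
    "echo_request": ipv6(ICMPV6, bytes([128, 0, 0, 0]) + bytes(4)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20} naive={naive_is_ra(pkt)!s:5} chain={classify(pkt)}")
```

A filter built this way should treat "undetermined" as its own policy decision rather than silently forwarding it.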