[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"

Owen DeLong owend at he.net
Sat Aug 25 19:05:25 CEST 2012


On Aug 25, 2012, at 04:47 , Marc Heuse <mh at mh-sec.de> wrote:

>>>> It's also an attack that the best defence against is to deploy v6
>>>> across your entire network.
>>> 
>>> I don't see how you arrived at that conclusion. RA flooding has nothing
>>> to do with IPv4.
>> 
>> My understanding is that windows hosts are vulnerable to the attack
>> whether or not IPv6 is turned on on the host.
> 
> well this is not the case. IPv6 has to be enabled, which is the default.
> 

Or perhaps I just mixed up this particular windows vulnerability with one
of the other 50,000 ways to crash a windows box using datagrams.

> this is similar to the "there is no dhcp protection for ipv4" you said
> before.
> 

I didn't say there was none, I said that there was nothing better than the
current state of RA Guard.

I did make the mistake of thinking of snooping being snooping instead of
something called snooping that actively blocks packets.

> maybe your opinion why ipv6 deployment should be done now and the risk
> is neglectable comes from that you are a good network guy, but you
> knowledge of the security issues and impacts are not as deep?

Or maybe it's because I work in the real world where we consider not only the
possibility of an exploit, but also measure the likelihood that it will occur, the
benefit to the attacker, the impact if it does occur, and other factors when
considering a risk.

Then, we measure those risks of deployment against the other risks of failing
to deploy and make an informed decision.

Today, the risks of failing to deploy IPv6 far outweigh the risks of deployment.

All of the attacks mentioned so far have some or all of the following properties:

1.	Relatively low value to the attacker.
2.	Require link local access.
3.	Have IPv4 equivalents that still work in 90+% of environments
	(care to guess what % of environments actually use dhcp snooping?)
4.	Are relatively easy to detect.
5.	Are relatively easy to mitigate.
6.	Improbable (Largely due to 1 above)

OTOH, the longer you wait to deploy IPv6 at this point, the more of the internet
you will be unable to reach. APNIC has been effectively out of addresses for
more than a year. RIPE will run out very soon. Likely the other RIRs will not be
far behind. Deploying IPv6 in a reasoned and controlled manner takes time and
planning. If you haven't already started that process, especially in an enterprise
of any meaningful size, you likely will not be able to complete it in a controlled
or reasoned manner and will leave yourself in the position of scrambling to
complete the deployment due to user demand.

Scrambling probably creates MUCH larger security risks than any of the IPv6
attacks described to date.

Owen




More information about the Ipv6hackers mailing list