[ipv6hackers] "Stick to limited IPv6 deployments, businesses warned"
jim.small at cdw.com
Sat Aug 25 19:36:07 CEST 2012
> > My understanding is that Windows hosts are vulnerable to the attack
> > whether or not IPv6 is turned on on the host.
> well this is not the case. IPv6 has to be enabled, which is the default.
> this is similar to the "there is no dhcp protection for ipv4" you said
> maybe your opinion why ipv6 deployment should be done now and the risk
> is negligible comes from that you are a good network guy, but your
> knowledge of the security issues and impacts are not as deep?
Marc, I agree this is a significant risk. I also agree Microsoft needs to fix it. To the best of my knowledge there is a vendor who either has or will have a solution shortly in equipment you can buy which can mitigate this attack. It can block rogue RAs and block fragment attacks as described by Fernando. So this is at least a possible solution although I think we all agree that the ideal solution is for Microsoft to fix the problem.
What do you think about blocking RAs on "user" access ports? Do you see that as a partial solution? I know you can do the fragment attack, but how likely do you think it is that someone will do that? I apologize, but I haven't played with the IPv6 THC toolkit. Does this do the fragmentation by default to defeat a simple ACL, or do you have to enable this?