[ipv6hackers] Windows 7/2008 R2 Improved Resilliency to IPv6 Floods

[Jim Small]

Owen,

FWIW, I don't think anyone here is against deploying IPv6.  We need to deploy.

At the same time though, we need to have a candid discussion about the problems with IPv6 and how to fix them.  I also think that it's human nature to resist change without some pain.  So it's important that Marc is constantly applying pressure to make sure the problems are getting fixed.  And while Marc is showing what's broken, Fernando has well thought out ideas on how to update the standards.

I would in fact argue that Fernando is working to facilitate the secure and simple deployment of IPv6.  Why does someone need to attend hours of security training talking about obscure fragmentation vulnerabilities?  The standards should be fixed so that the protocol is as plug and play as possible.  So in my view, Fernando and Marc are helping to ease the operational burden of IPv6.  By pushing for the right fixes it will improve the return on investment for our global network.

I am also very grateful for their work.  As I help deploy IPv6 I like knowing any shortcomings before I start.  I never want to learn that someone's network was compromised because I didn't understand the security architecture of the protocols I used.

--Jim


> -----Original Message-----
> From: Owen DeLong [mailto:owend at he.net]
> Sent: Saturday, April 13, 2013 4:52 PM
> To: IPv6 Hackers Mailing List
> Cc: Jim Small
> Subject: Re: [ipv6hackers] Windows 7/2008 R2 Improved Resilliency to IPv6
> Floods
> 
> 
> On Apr 13, 2013, at 01:31 , Marc Heuse <mh at mh-sec.de> wrote:
> 
> > Hi Jim!
> >
> > On 12.04.2013 08:45, Jim Small wrote:
> >> Your tools are better than you think!  With some advice from Sam Bowne I
> can consistently crash Windows 8 using fake_router6 and flood_router26 -
> takes less than a minute.  However, I can't crash Windows 7 with KB2750841.
> So it would seem there is some missing functionality on Windows 8/2012 as
> compared to 7/2008 R2 with KB2750841.
> >>
> >> RA Guard on some switches does seem to protect against this - even with
> using fragmentation and/or HBH tricks.  However, with Fernando's ra6 tool I
> can create wicked packets that still crash Windows 8 with RA Guard.
> However, with a switch that can block fragments and/or undetermined
> transport packets (ULP not in first fragment) I can defend against these
> attacks.  It is some work though and there could be unintended side effects.
> Hopefully the drafts Fernando is pushing will eventually make it through the
> IETF and close the loopholes.
> >
> > I think everybody - including me - is interested what you are doing
> > exactly :-)
> >
> > how do you crash windows 8 with fake_router6 and flood_router26?
> >
> > And how do you use Fernando's ra6 tool to bypass RA guard on some
> > switches and crash windows 8 with it?
> >
> > Thanks!
> >
> > btw. at my IPv6 hacking training a few days at hack in the box
> > amsterdam, we were able crash the whole conference network (not just
> the
> > part we were in) four times - with different issues each time.
> > I do not know what it were each time, once it triggered a kernel bug in
> > linux in point to point links, another time it was crashing Arbor'  over
> > its intrusion detection engine as the neighbor table grew and grew.
> > everything is oh so IPv6 ready ...
> >
> > Greets,
> > Marc
> >
> 
> If you're saying that's impossible to do with IPv4, then you're not trying hard
> enough, IMHO.
> 
> Sure, there are some bugs in IPv6 implementations and some vulnerabilities.
> However, let's
> look at this realistically. We've been beating up IPv4 for 30 years and we're
> still finding bugs
> and vulnerabilities there.
> 
> It's not like you crashed the entire conference network by accident with
> casual packets or
> script-kiddie tools. You gathered some of the most capable hackers, focused
> on attacking
> IPv6, and went at it in a brutal exercise of trying to expose and probe any
> vulnerability that
> might exist. This is a valuable exercise, but thinking it is representative of the
> real world
> in which most of us operate is, well, absurd.
> 
> Yes, the vulnerabilities need to get fixed, and I'm pretty sure they will.
> However, claiming this
> is a reason not to deploy IPv6 is ill-advised at best.
> 
> Let's look at what happens while we keep delaying IPv6 deployment.
> 
> 1.	The IPv4 network is having more and more CGN boxes and other
> hacks thrown onto
> 	it. Many of these have had even less testing than the IPv6 work you
> guys are doing.
> 
> 2.	It becomes harder and harder to sustain IPv4 and the internet
> becomes more fragile.
> 
> 3.	The cost of sustaining IPv4 continues to rise.
> 
> 4.	We're continuing to have to spend extra money/time/resources
> maintaining 2 stacks even longer.
> 
> Bottom line, IPv6 is at least as ready for prime time as IPv4 was when it was
> first deployed.
> While it has some known vulnerabilities, so does IPv4 if you look at the real
> world and how often
> most systems actually get patched.
> 
> The question is, which set of consequences is worse? The consequences of
> deploying IPv6 as
> it currently stands and patching it going forward, or, the consequence of
> delaying IPv6 and
> continuing to try and hold the IPv4 internet together with spit and bailing
> wire?
> 
> IMHO, the damage from the latter is going to be much more pervasive, much
> more expensive,
> and much harder to recover than the former.
> 
> Owen
>