[ipv6hackers] Windows 7/2008 R2 Improved Resilliency to IPv6 Floods

Fernando Gont fgont at si6networks.com
Sun Apr 14 08:51:09 CEST 2013


On 04/13/2013 05:52 PM, Owen DeLong wrote:
>> btw. at my IPv6 hacking training a few days at hack in the box
>> amsterdam, we were able crash the whole conference network (not just the
>> part we were in) four times - with different issues each time.
>> I do not know what it were each time, once it triggered a kernel bug in
>> linux in point to point links, another time it was crashing Arbor'  over
>> its intrusion detection engine as the neighbor table grew and grew.
>> everything is oh so IPv6 ready ...
> If you're saying that's impossible to do with IPv4, then you're not trying hard enough, IMHO.

This list is not about whether to deploy IPv6 or not. That's, as far as
this list is concerned, mostly off-topic.

Marc didn't compare v6 with v4 (who cares, for the most part?). And even
if he (or anyone) were to, that shouldn't lead to "to deploy or not to
deploy v6 kind of thread".

Not only off-topic -- that's even boring. Since this list is about
hacking, I expect subscribers to be clueful. Which means they should be
able to analize Marc's and others' experiments, tests, and reports, and
make up their own mind whether they want to deploy v6 or not.

> Sure, there are some bugs in IPv6 implementations and some vulnerabilities. However, let's
> look at this realistically. We've been beating up IPv4 for 30 years and we're still finding bugs
> and vulnerabilities there.
> It's not like you crashed the entire conference network by accident with casual packets or
> script-kiddie tools. You gathered some of the most capable hackers, focused on attacking
> IPv6, and went at it in a brutal exercise of trying to expose and probe any vulnerability that
> might exist. 

That sounds like a paragraph for a hacking or science fiction novel.

Marc's tools are pretty straightforward to use --  IIRC
you only need the target IPv6 address to perform the aforementioned attack.

Since the "math" had already been done my Marc when he built the tools,
any decent professional could have reproduced the aforementioned attack
using Marc's toolkit. -- i.e. please don't infer "since Marc was there
and he knows his stuff, I shouldn't worry about this".

> This is a valuable exercise, but thinking it is representative of the real world
> in which most of us operate is, well, absurd.
> Yes, the vulnerabilities need to get fixed, and I'm pretty sure they will. However, claiming this
> is a reason not to deploy IPv6 is ill-advised at best.
> Let's look at what happens while we keep delaying IPv6 deployment.
> 1.	The IPv4 network is having more and more CGN boxes and other hacks thrown onto
> 	it. Many of these have had even less testing than the IPv6 work you guys are doing.

Most-likely.... but this is ipv6hackers@, and not cgn-hackers... so
that's probably the reason for which folks on this list are hacking v6,
rather than v4 and/or cgn.

> Bottom line, IPv6 is at least as ready for prime time as IPv4 was when it was first deployed.

This is absurd. The world's economy did not depend as much on the 'net
as the current world depends on it.

> The question is, which set of consequences is worse? The consequences of deploying IPv6 as
> it currently stands and patching it going forward, or, the consequence of delaying IPv6 and
> continuing to try and hold the IPv4 internet together with spit and bailing wire?

That question is off-topic as far as this list is concerned. Any
discussion of such topic, other than wayyyy boring already, has nothing
to do with ipv6 hacking.

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Ipv6hackers mailing list