[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues
Jim Small
jim.small at cdw.com
Fri Mar 8 04:12:00 CET 2013
I'm working on a presentation for practical IPv6 security countermeasures. I've reviewed the latest presos from Fernando, Marc, Antonios, and Éric Vyncke to compile a list of security vulnerabilities. Here's a somewhat subjective list of what I feel are "scary" attacks for those new to IPv6:
1) Remotely triggered neighbor cache exhaustion attacks (from subnet scanning)
2) RA floods (autoconfig prefixes, routes, etc...) which crash all L2 adjacent hosts with IPv6 enabled stacks
3) RA spoofing
4) DHCPv6 spoofing
5) NDP (NS/NA) spoofing
6) NS floods - DoS
7) Fragmentation attacks
8) ICMPv6 redirect spoofing
9) MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for this one...
a. For general countermeasures it is possible to do MLD ACLs and of course you could implement 802.1X and/or 802.1AE. I know Fernando/Marc aren't fans of MLDv2 - what do you think are the most risky aspects?
10) "Discoverability" or the idea that you should use randomized addressing so as not to be discoverable from a "semi-intelligent" brute force scan (assuming you're not in DNS or some other registry)
11) Extension header attacks - this one is especially tough, probably lots more to find... I especially like Marc's warp packets with the router alert "high speed tag" which also double as ACL bypass agents.
12) Tunnel attacks - I think the only interesting ones would be those against 6in4, ISATAP, and 6rd as IMHO those are the only ones that are in use. I have read about tunnel attacks but haven't played with this very much. Do you think this is a serious threat worth covering? Any suggestions on tools?
For the first 10 except fragmentation there are plenty of effective countermeasures that I could discuss. There are some defenses against fragmentation and extension header attacks but these are less mature. In addition, it would be difficult to protect against these at L2. As much as I'd like to believe 12 isn't necessary it still very much is. We have a long way to go both within corporate networks and on backbone networks to progress to end-to-end native v6 access.
So what do you think? Are these the most concerning security issues for those looking to deploy IPv6? Any thoughts greatly appreciated either on or off list.
Thanks,
--Jim
More information about the Ipv6hackers
mailing list