[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues
Cameron Byrne
cb.list6 at gmail.com
Fri Mar 8 04:35:22 CET 2013
On Mar 7, 2013 7:22 PM, "Jim Small" <jim.small at cdw.com> wrote:
>
> I'm working on a presentation for practical IPv6 security
countermeasures. I've reviewed the latest presos from Fernando, Marc,
Antonios, and Éric Vyncke to compile a list of security vulnerabilities.
Here's a somewhat subjective list of what I feel are "scary" attacks for
those new to IPv6:
>
> 1) Remotely triggered neighbor cache exhaustion attacks (from subnet
scanning)
>
> 2) RA floods (autoconfig prefixes, routes, etc...) which crash all
L2 adjacent hosts with IPv6 enabled stacks
>
> 3) RA spoofing
>
> 4) DHCPv6 spoofing
>
> 5) NDP (NS/NA) spoofing
>
> 6) NS floods - DoS
>
> 7) Fragmentation attacks
>
> 8) ICMPv6 redirect spoofing
>
> 9) MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for
this one...
>
> a. For general countermeasures it is possible to do MLD ACLs and of
course you could implement 802.1X and/or 802.1AE. I know Fernando/Marc
aren't fans of MLDv2 - what do you think are the most risky aspects?
>
> 10) "Discoverability" or the idea that you should use randomized
addressing so as not to be discoverable from a "semi-intelligent" brute
force scan (assuming you're not in DNS or some other registry)
>
> 11) Extension header attacks - this one is especially tough, probably
lots more to find... I especially like Marc's warp packets with the router
alert "high speed tag" which also double as ACL bypass agents.
>
> 12) Tunnel attacks - I think the only interesting ones would be those
against 6in4, ISATAP, and 6rd as IMHO those are the only ones that are in
use. I have read about tunnel attacks but haven't played with this very
much. Do you think this is a serious threat worth covering? Any
suggestions on tools?
>
> For the first 10 except fragmentation there are plenty of effective
countermeasures that I could discuss. There are some defenses against
fragmentation and extension header attacks but these are less mature. In
addition, it would be difficult to protect against these at L2. As much as
I'd like to believe 12 isn't necessary it still very much is. We have a
long way to go both within corporate networks and on backbone networks to
progress to end-to-end native v6 access.
>
> So what do you think? Are these the most concerning security issues for
those looking to deploy IPv6? Any thoughts greatly appreciated either on
or off list.
>
> Thanks,
> --Jim
>
>
Just a question. Are any these unique or do they all have an approximate
equivalent in Ipv4?
CB
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
More information about the Ipv6hackers
mailing list