[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues
Cameron Byrne
cb.list6 at gmail.com
Fri Mar 8 05:31:50 CET 2013
Let me give it a shot; obviously I am rounding out some edges.
I believe most of these have IPv4 equivalents.
On Thu, Mar 7, 2013 at 7:12 PM, Jim Small <jim.small at cdw.com> wrote:
>
> I'm working on a presentation for practical IPv6 security countermeasures.
> I've reviewed the latest presos from Fernando, Marc, Antonios, and Éric
> Vyncke to compile a list of security vulnerabilities. Here's a somewhat
> subjective list of what I feel are "scary" attacks for those new to IPv6:
>
> 1) Remotely triggered neighbor cache exhaustion attacks (from subnet
> scanning)
>
http://en.wikipedia.org/wiki/Unicast_flood
> 2) RA floods (autoconfig prefixes, routes, etc...) which crash all L2
> adjacent hosts with IPv6 enabled stacks
>
http://en.wikipedia.org/wiki/MAC_flooding
> 3) RA spoofing
>
http://en.wikipedia.org/wiki/ARP_spoofing
> 4) DHCPv6 spoofing
>
http://trac.secdev.org/scapy/wiki/DhcpTakeover
> 5) NDP (NS/NA) spoofing
>
http://en.wikipedia.org/wiki/ARP_spoofing
> 6) NS floods - DoS
>
http://en.wikipedia.org/wiki/MAC_flooding
> 7) Fragmentation attacks
>
http://en.wikipedia.org/wiki/Denial-of-service_attack#Teardrop_attacks
> 8) ICMPv6 redirect spoofing
>
https://supportforums.cisco.com/thread/2176802
> 9) MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for
> this one...
>
> a. For general countermeasures it is possible to do MLD ACLs and of
> course you could implement 802.1X and/or 802.1AE. I know Fernando/Marc
> aren't fans of MLDv2 - what do you think are the most risky aspects?
>
> 10) "Discoverability" or the idea that you should use randomized
> addressing so as not to be discoverable from a "semi-intelligent" brute
> force scan (assuming you're not in DNS or some other registry)
>
No link needed; you just need a for loop that counts from 0 to 255.
> 11) Extension header attacks - this one is especially tough, probably
> lots more to find... I especially like Marc's warp packets with the router
> alert "high speed tag" which also double as ACL bypass agents.
>
http://arstechnica.com/gadgets/2007/05/old-ipv4-flaws-resurface-with-ipv6/
IPv4 has lots of crufty stuff in it too.
> 12) Tunnel attacks - I think the only interesting ones would be those
> against 6in4, ISATAP, and 6rd as IMHO those are the only ones that are in
> use. I have read about tunnel attacks but haven't played with this very
> much. Do you think this is a serious threat worth covering? Any
> suggestions on tools?
>
PPTP?
And then there are always cool things like this:
http://www.cisco.com/en/US/products/csa/cisco-sa-20070124-crafted-ip-option.html
Perhaps IPv4 is not as baked as we think it is?
CB
> For the first 10 except fragmentation there are plenty of effective
> countermeasures that I could discuss. There are some defenses against
> fragmentation and extension header attacks but these are less mature. In
> addition, it would be difficult to protect against these at L2. As much as
> I'd like to believe 12 isn't necessary it still very much is. We have a
> long way to go both within corporate networks and on backbone networks to
> progress to end-to-end native v6 access.
>
> So what do you think? Are these the most concerning security issues for
> those looking to deploy IPv6? Any thoughts greatly appreciated either on or
> off list.
>
> Thanks,
> --Jim
>
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
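
A defender-side check for item 10 ("discoverability"), added here as an example and not part of either poster's message: it audits an address inventory for interface identifiers that a trivial counting loop or a MAC-derived guess would find. The function names and the sample inventory are hypothetical; the sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# Constructed sample inventory (documentation prefix), not taken from the thread.
SAMPLE_INVENTORY = [
    "2001:db8:0:1::1",                   # router-style ::1
    "2001:db8:0:1::c8",                  # manually numbered host
    "2001:db8:0:1::443",                 # service port used as the host part
    "2001:db8:0:1:021a:2bff:fe3c:4d5e",  # SLAAC with a MAC-derived identifier
    "2001:db8:0:1:5c9e:7d1a:83f2:0b46",  # randomized identifier
]

IID_MASK = (1 << 64) - 1


def classify_iid(addr):
    """Classify the interface identifier (low 64 bits) of an IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    if iid <= 0xFF:
        return "low-byte"   # inside the 0..255 range mentioned in the reply
    if iid <= 0xFFFF:
        return "low-word"   # still a tiny search space
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui-64"     # ff:fe in the middle means the MAC is embedded
    return "no-obvious-pattern"


def audit(addresses):
    """Return {address: pattern} for every address with a predictable identifier."""
    findings = {}
    for addr in addresses:
        kind = classify_iid(addr)
        if kind != "no-obvious-pattern":
            findings[addr] = kind
    return findings


if __name__ == "__main__":
    for addr, kind in audit(SAMPLE_INVENTORY).items():
        print(f"{addr}: {kind}")
```

Addresses reported here are candidates for renumbering to randomized identifiers; the check covers only these three patterns and says nothing about hosts published in DNS.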