[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Jim Small jim.small at cdw.com
Fri Mar 8 05:24:08 CET 2013


One thing I wanted to add - I realize there have been a lot of talks on security countermeasures.  For example - use RA Guard.  But as you would all agree - this is not effective with the fragmentation bypass attack.  What I aim to do with this talk is to provide working configurations that actually protect against the example tools that Fernando and Marc provide.  I believe it is possible to create a config which protects against these attacks while not impairing general IPv6 operations.  That's the point of the talk - to provide working, tested configs that protect against these attacks.  That's why I was curious if the consensus is that these are perceived as the more disconcerting IPv6-specific attack vectors.

--Jim

> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> bounces at lists.si6networks.com] On Behalf Of Jim Small
> Sent: Thursday, March 07, 2013 10:49 PM
> To: IPv6 Hackers Mailing List
> Subject: Re: [ipv6hackers] Looking for feedback on subjective top list of IPv6
> security issues
> 
> Hi Cameron,
> 
> > > 1)      Remotely triggered neighbor cache exhaustion attacks (from subnet
> > scanning)
> 
> Unique to IPv6 because of large subnet size and encapsulation of L2 address
> resolution within IPv6 (ICMP)
> 
> 
> > > 2)      RA floods (autoconfig prefixes, routes, etc...) which crash all
> > L2 adjacent hosts with IPv6 enabled stacks
> 
> Unique?  Well, I agree with Fernando/Marc - a result of immature IPv6
> stacks...
> 
> 
> > > 3)      RA spoofing
> 
> Unique (sort of) - IPv4 does have ICMP router discovery, but I don't believe
> this was ever widely implemented
> 
> 
> > > 4)      DHCPv6 spoofing
> > > 5)      NDP (NS/NA) spoofing
> 
> Analogous to DHCP/ARP spoofing in IPv4
> 
> 
> > > 6)      NS floods - DoS
> 
> Again, IMHO because of immature IPv6 stacks.
> 
> 
> > > 7)      Fragmentation attacks
> 
> Not unique, see Antonios' preso but worse in IPv6 because of complexity of
> extension headers and stack immaturity.
> 
> 
> > > 8)      ICMPv6 redirect spoofing
> 
> Analogous to IPv4
> 
> 
> > > 9)      MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for
> > this one...
> 
> Somewhat analogous to IPv4 but interested to hear from Fernando/Marc as
> my impression is they think it's worse.  Code immaturity again or additional
> IETF work needed?  Not sure...
> 
> 
> > > 10)   "Discoverability" or the idea that you should use randomized
> > addressing so as not to be discoverable from a "semi-intelligent" brute
> > force scan (assuming you're not in DNS or some other registry)
> 
> New to IPv6 because of subnet size.
> 
> 
> > > 11)   Extension header attacks - this one is especially tough, probably
> > lots more to find...  I especially like Marc's warp packets with the router
> > alert "high speed tag" which also double as ACL bypass agents.
> 
> New to IPv6.
> 
> 
> > > 12)   Tunnel attacks - I think the only interesting ones would be those
> > against 6in4, ISATAP, and 6rd as IMHO those are the only ones that are in
> > use.  I have read about tunnel attacks but haven't played with this very
> > much.  Do you think this is a serious threat worth covering?  Any
> > suggestions on tools?
> 
> New to IPv6/transition issue.
> 
> 
> > Just a question. Are any of these unique or do they all have an approximate
> > equivalent in IPv4?
> 
> I feel like a padawan explaining something to a master.  Did I answer your
> question or are you poking fun at me and I missed the bus?  :-)
> 
> --Jim
> 
> 