[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Cameron Byrne cb.list6 at gmail.com
Fri Mar 8 05:47:13 CET 2013


On Thu, Mar 7, 2013 at 8:24 PM, Jim Small <jim.small at cdw.com> wrote:
> One thing I wanted to add - I realize there have been a lot of talks on security countermeasures.  For example - use RA Guard.  But as you would all agree - this is not effective with the fragmentation bypass attack.  What I aim to do with this talk is to provide working configurations that actually protect against the example tools that Fernando and Marc provide.  I believe it is possible to create a config which protects against these attacks while not impairing general IPv6 operations.  That's the point of the talk - to provide working, tested configs that protect against these attacks.  That's why I was curious if the consensus is that these are perceived as the more disconcerting IPv6-specific attack vectors.
>

This is the one that scares me the most
http://www.ietf.org/id/draft-ietf-opsec-vpn-leakages-00.txt

CB

> --Jim
>
>> -----Original Message-----
>> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
>> bounces at lists.si6networks.com] On Behalf Of Jim Small
>> Sent: Thursday, March 07, 2013 10:49 PM
>> To: IPv6 Hackers Mailing List
>> Subject: Re: [ipv6hackers] Looking for feedback on subjective top list of IPv6
>> security issues
>>
>> Hi Cameron,
>>
>> > > 1)      Remotely triggered neighbor cache exhaustion attacks (from subnet
>> > scanning)
>>
>> Unique to IPv6 because of large subnet size and encapsulation of L2 address
>> resolution within IPv6 (ICMP)
>>
>>
>> > > 2)      RA floods (autoconfig prefixes, routes, etc...) which crash all
>> > L2 adjacent hosts with IPv6 enabled stacks
>>
>> Unique?  Well, I agree with Fernando/Marc - a result of immature IPv6
>> stacks...
>>
>>
>> > > 3)      RA spoofing
>>
>> Unique (sort of) - IPv4 does have ICMP router discovery, but I don't believe
>> this was ever widely implemented
>>
>>
>> > > 4)      DHCPv6 spoofing
>> > > 5)      NDP (NS/NA) spoofing
>>
>> Analogous to DHCP/ARP spoofing in IPv4
>>
>>
>> > > 6)      NS floods - DoS
>>
>> Again, IMHO because of immature IPv6 stacks.
>>
>>
>> > > 7)      Fragmentation attacks
>>
>> Not unique, see Antonios' preso but worse in IPv6 because of complexity of
>> extension headers and stack immaturity.
>>
>>
>> > > 8)      ICMPv6 redirect spoofing
>>
>> Analogous to IPv4
>>
>>
>> > > 9)      MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for
>> > this one...
>>
>> Somewhat analogous to IPv4 but interested to hear from Fernando/Marc as
>> my impression is they think it's worse.  Code immaturity again or additional
>> IETF work needed?  Not sure...
>>
>>
>> > > 10)   "Discoverability" or the idea that you should use randomized
>> > addressing so as not to be discoverable from a "semi-intelligent" brute
>> > force scan (assuming you're not in DNS or some other registry)
>>
>> New to IPv6 because of subnet size.
>>
>>
>> > > 11)   Extension header attacks - this one is especially tough, probably
>> > lots more to find...  I especially like Marc's warp packets with the router
>> > alert "high speed tag" which also double as ACL bypass agents.
>>
>> New to IPv6.
>>
>>
>> > > 12)   Tunnel attacks - I think the only interesting ones would be those
>> > against 6in4, ISATAP, and 6rd as IMHO those are the only ones that are in
>> > use.  I have read about tunnel attacks but haven't played with this very
>> > much.  Do you think this is a serious threat worth covering?  Any
>> > suggestions on tools?
>>
>> New to IPv6/transition issue.
>>
>>
>> > Just a question. Are any of these unique or do they all have an approximate
>> > equivalent in IPv4?
>>
>> I feel like a padawan explaining something to a master.  Did I answer your
>> question or are you poking fun at me and I missed the bus?  :-)
>>
>> --Jim
>>
>>
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers