[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Merike Kaeo merike at doubleshotsecurity.com
Fri Mar 8 06:05:46 CET 2013


Sorry for top post but couldn't decide where to best make this comment.

What I always looked at from security perspective in difference between v4 and v6 are:
- multiple addresses per interface so which one gets used as SRC of packet so that you can have effective access control at network layer (if you are trying to provide access control in various parts of network for this)
- extension header parsing which is hard in hardware at line rates if you are late to the game and haven't paid attention

Then there is the fact that no matter how proactive you are with rate limiting and filtering and effective cache management, how are you observing anomalies and detecting malicious traffic utilizing native or tunneled v6?  This refers to effective auditing/logging, which is hard enough in a v4 environment, but how do you deal with this in v6?

There's also the email SPAM black list issue which needs to be rethought (and there is ongoing work on this for the v6 environment... just follow MAAWG work). For now it is expected that email servers will continue to use v4 for a long time still, which hopefully will buy some time until the solution is solidified for how to handle v6 email SPAM.

There have been some botnets using v6... can we detect them? Rhetorical question here.  Need to be much more vocal on that so vendors start creating tools that will be useful here.

Being proactive with security countermeasures is one thing but being able to detect malicious behavior in v6 environment goes hand-in-hand.  Logging/auditing exception behavior effectively is critical.

- merike

On Mar 7, 2013, at 8:47 PM, Cameron Byrne wrote:

> On Thu, Mar 7, 2013 at 8:24 PM, Jim Small <jim.small at cdw.com> wrote:
>> One thing I wanted to add - I realize there have been a lot of talks on security countermeasures.  For example - use RA Guard.  But as you would all agree - this is not effective with the fragmentation bypass attack.  What I aim to do with this talk is to provide working configurations that actually protect against the example tools that Fernando and Marc provide.  I believe it is possible to create a config which protects against these attacks while not impairing general IPv6 operations.  That's the point of the talk - to provide working, tested configs that protect against these attacks.  That's why I was curious if the consensus is that these are perceived as the more disconcerting IPv6-specific attack vectors.
>> 
> 
> This is the one that scares me the most
> http://www.ietf.org/id/draft-ietf-opsec-vpn-leakages-00.txt
> 
> CB
> 
>> --Jim
>> 
>>> -----Original Message-----
>>> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
>>> bounces at lists.si6networks.com] On Behalf Of Jim Small
>>> Sent: Thursday, March 07, 2013 10:49 PM
>>> To: IPv6 Hackers Mailing List
>>> Subject: Re: [ipv6hackers] Looking for feedback on subjective top list of IPv6
>>> security issues
>>> 
>>> Hi Cameron,
>>> 
>>>>> 1)      Remotely triggered neighbor cache exhaustion attacks (from subnet
>>>> scanning)
>>> 
>>> Unique to IPv6 because of large subnet size and encapsulation of L2 address
>>> resolution within IPv6 (ICMP)
>>> 
>>> 
>>>>> 2)      RA floods (autoconfig prefixes, routes, etc...) which crash all
>>>> L2 adjacent hosts with IPv6 enabled stacks
>>> 
>>> Unique?  Well, I agree with Fernando/Marc - a result of immature IPv6
>>> stacks...
>>> 
>>> 
>>>>> 3)      RA spoofing
>>> 
>>> Unique (sort of) - IPv4 does have ICMP router discovery, but I don't believe
>>> this was ever widely implemented
>>> 
>>> 
>>>>> 4)      DHCPv6 spoofing
>>>>> 5)      NDP (NS/NA) spoofing
>>> 
>>> Analogous to DHCP/ARP spoofing in IPv4
>>> 
>>> 
>>>>> 6)      NS floods - DoS
>>> 
>>> Again, IMHO because of immature IPv6 stacks.
>>> 
>>> 
>>>>> 7)      Fragmentation attacks
>>> 
>>> Not unique, see Antonios' preso but worse in IPv6 because of complexity of
>>> extension headers and stack immaturity.
>>> 
>>> 
>>>>> 8)      ICMPv6 redirect spoofing
>>> 
>>> Analogous to IPv4
>>> 
>>> 
>>>>> 9)      MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for
>>>> this one...
>>> 
>>> Somewhat analogous to IPv4 but interested to hear from Fernando/Marc as
>>> my impression is they think it's worse.  Code immaturity again or additional
>>> IETF work needed?  Not sure...
>>> 
>>> 
>>>>> 10)   "Discoverability" or the idea that you should use randomized
>>>> addressing so as not to be discoverable from a "semi-intelligent" brute
>>>> force scan (assuming you're not in DNS or some other registry)
>>> 
>>> New to IPv6 because of subnet size.
>>> 
>>> 
>>>>> 11)   Extension header attacks - this one is especially tough, probably
>>>> lots more to find...  I especially like Marc's warp packets with the router
>>>> alert "high speed tag" which also double as ACL bypass agents.
>>> 
>>> New to IPv6.
>>> 
>>> 
>>>>> 12)   Tunnel attacks - I think the only interesting ones would be those
>>>> against 6in4, ISATAP, and 6rd as IMHO those are the only ones that are in
>>>> use.  I have read about tunnel attacks but haven't played with this very
>>>> much.  Do you think this is a serious threat worth covering?  Any
>>>> suggestions on tools?
>>> 
>>> New to IPv6/transition issue.
>>> 
>>> 
>>>> Just a question. Are any of these unique or do they all have an approximate
>>>> equivalent in IPv4?
>>> 
>>> I feel like a padawan explaining something to a master.  Did I answer your
>>> question or are you poking fun at me and I missed the bus?  :-)
>>> 
>>> --Jim
>>> 
>>> 
>>> _______________________________________________
>>> Ipv6hackers mailing list
>>> Ipv6hackers at lists.si6networks.com
>>> http://lists.si6networks.com/listinfo/ipv6hackers
>>> 
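Merike's point about extension header parsing, and Jim's remark further up the thread that extension headers can double as ACL bypass agents, come down to one mechanism: the Next Header byte of the base IPv6 header names the first extension header, not the transport protocol, so a filter that reads only that fixed-offset byte misclassifies any packet that carries an extension header. The block below is an added example, not code posted by anyone in this thread; it walks the header chain as laid out in RFC 2460, treats non-first fragments and over-long chains as unclassifiable rather than silently permitting them, and runs over packets constructed inline (the addresses use the 2001:db8::/32 documentation prefix).

```python
"""Walk the IPv6 extension header chain before applying a layer-4 ACL.
Added example; packets below are constructed, not captures."""
import struct

# Next Header values assigned by IANA
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 60, 59
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
IPV6_HDR_LEN = 40


def naive_protocol(pkt: bytes) -> int:
    """What a fixed-offset filter sees: byte 6 of the base header."""
    return pkt[6]


def walk_chain(pkt: bytes, max_ext: int = 8) -> dict:
    """Follow Next Header pointers until an upper-layer header is reached.

    Returns the protocol number and byte offset of that header, or a verdict
    explaining why this packet cannot be classified on its own.
    """
    payload_len = struct.unpack_from("!H", pkt, 4)[0]
    end = min(len(pkt), IPV6_HDR_LEN + payload_len)
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    while nh in EXT_HEADERS:
        if len(chain) >= max_ext:
            return {"proto": None, "offset": off, "chain": chain, "verdict": "too-many-ext-headers"}
        if off + 8 > end:  # every extension header is at least 8 octets
            return {"proto": None, "offset": off, "chain": chain, "verdict": "truncated"}
        chain.append(nh)
        if nh == FRAGMENT:
            # Fragment header is a fixed 8 octets; the offset is the top 13 bits of octets 2-3
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            nh, off = pkt[off], off + 8
            if frag_off != 0:
                # Non-first fragment: the layer-4 header lives in another packet,
                # so a per-packet filter cannot match it by port.
                return {"proto": None, "offset": off, "chain": chain, "verdict": "non-first-fragment"}
        else:
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            hlen = (pkt[off + 1] + 1) * 8
            nh, off = pkt[off], off + hlen
    if nh == NO_NEXT_HEADER:
        return {"proto": None, "offset": off, "chain": chain, "verdict": "no-next-header"}
    if off + 4 > end:
        return {"proto": nh, "offset": off, "chain": chain, "verdict": "l4-header-truncated"}
    return {"proto": nh, "offset": off, "chain": chain, "verdict": "ok"}


def dst_port(pkt: bytes):
    """Destination port of TCP/UDP after walking the chain; None if unreachable."""
    r = walk_chain(pkt)
    if r["verdict"] == "ok" and r["proto"] in (TCP, UDP):
        return struct.unpack_from("!H", pkt, r["offset"] + 2)[0]
    return None


def acl_permit_tcp_port(pkt: bytes, port: int) -> bool:
    """Example policy: permit only TCP to `port`; anything unclassifiable is denied."""
    r = walk_chain(pkt)
    return r["verdict"] == "ok" and r["proto"] == TCP and dst_port(pkt) == port


# --- constructed sample packets -------------------------------------------------
SRC = bytes.fromhex("20010db8000000010000000000000001")  # 2001:db8:0:1::1
DST = bytes.fromhex("20010db8000000020000000000000002")  # 2001:db8:0:2::2


def tcp_header(sport: int, dport: int) -> bytes:
    # 20-octet TCP header with SYN set and a zero checksum (enough for header parsing)
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 0, 0, 0)


def dest_opts_header(next_header: int) -> bytes:
    # 8-octet Destination Options header: next, hdr-ext-len 0, one PadN(4) option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header: int, frag_offset: int, ident: int) -> bytes:
    # 8-octet Fragment header: next, reserved, offset<<3 | M flag, identification
    return struct.pack("!BBHI", next_header, 0, (frag_offset << 3) | 1, ident)


def ipv6_packet(first_next_header: int, payload: bytes) -> bytes:
    base = struct.pack("!IHBB", 0x60000000, len(payload), first_next_header, 64)
    return base + SRC + DST + payload


PLAIN_SSH = ipv6_packet(TCP, tcp_header(40000, 22))
SSH_BEHIND_DSTOPTS = ipv6_packet(DEST_OPTS, dest_opts_header(TCP) + tcp_header(40000, 22))
NON_FIRST_FRAGMENT = ipv6_packet(FRAGMENT, fragment_header(TCP, 1, 0x1234) + b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_SSH), ("dst-opts", SSH_BEHIND_DSTOPTS), ("frag", NON_FIRST_FRAGMENT)):
        print(name, "naive:", naive_protocol(pkt), "walked:", walk_chain(pkt))
```

The contrast to look at is `naive_protocol` versus `walk_chain` on `SSH_BEHIND_DSTOPTS`: the fixed-offset view reports 60 (Destination Options), so a rule written as "TCP to port 22" never fires, while the walked view finds TCP at offset 48 with destination port 22. The policy function denies everything it cannot classify, which is the conservative default the thread is circling around with the RA Guard fragmentation discussion: a per-packet filter should not pass traffic simply because the layer-4 header is absent from the packet it is looking at.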