[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Fernando Gont fgont at si6networks.com
Fri Mar 8 09:52:20 CET 2013


On 03/08/2013 01:31 AM, Cameron Byrne wrote:
>> 2)      RA floods (autoconfig prefixes, routes, etc...) which crash all L2
>> adjacent hosts with IPv6 enabled stacks
> 
> http://en.wikipedia.org/wiki/MAC_flooding

These are very different. The latter is usually meant to cause a switch
to behave as a hub (for sniffing purposes), while the former is a
deliberate DoS against a host.


>> 6)      NS floods - DoS
>>
> 
> http://en.wikipedia.org/wiki/MAC_flooding

Same as above.



>> 9)      MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for
>> this one...
>>
>> a.       For general countermeasures it is possible to do MLD ACLs and of
>> course you could implement 802.1X and/or 802.1AE.  I know Fernando/Marc
>> aren't fans of MLDv2 - what do you think are the most risky aspects?

MLDv2 is extremely complex. -- too bad most nodes deploy this just for
the use of multicast with Neighbor Discovery. -- for the ND use, MLD is
more than fine.


>> 10)   "Discoverability" or the idea that you should use randomized
>> addressing so as not to be discoverable from a "semi-intelligent" brute
>> force scan (assuming you're not in DNS or some other registry)
> 
> no link needed, you just need a for loop that counts from 0 to 255

Well, yeah, but the problem space is completely different.



>> 11)   Extension header attacks - this one is especially tough, probably
>> lots more to find...  I especially like Marc's warp packets with the router
>> alert "high speed tag" which also double as ACL bypass agents.
> 
> http://arstechnica.com/gadgets/2007/05/old-ipv4-flaws-resurface-with-ipv6/
> 
> ipv4 has lots of crufty stuff in it too

Yep. But not as crufty as this: draft-ietf-6man-oversized-header-chain



> And, then there always cool things like this
> http://www.cisco.com/en/US/products/csa/cisco-sa-20070124-crafted-ip-option.html
> 
> Perhaps IPv4 is not as baked as we think it is?

Maybe. But with v6 we still have to go for about 10 years to get where
IPv4 implementations are. -- not that I like it, though.

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
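The oversized-header-chain problem Fernando points at (draft-ietf-6man-oversized-header-chain, later published as RFC 7112) is that an IPv6 first fragment may end before the upper-layer header is reached, so a stateless filter cannot see the transport header it is supposed to match. The following is an added example, not code from the list or its authors: a small walker over the IPv6 extension-header chain that reports whether the chain completes inside the bytes on hand and applies the RFC 7112 drop rule to first fragments that do not carry the whole chain. The sample packets, the documentation-prefix addresses, the 1280-byte cap on chain length and the TCP placeholder bytes are all constructed for this example.

```python
import struct

# IANA protocol numbers for the extension headers this walker understands
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP = 6
EXT_NAMES = {HOP_BY_HOP: "HopByHop", ROUTING: "Routing",
             FRAGMENT: "Fragment", DEST_OPTS: "DestOpts"}
IPV6_HDR_LEN = 40
# Assumption for this example: a chain longer than the IPv6 minimum MTU
# (1280 bytes) cannot fit in a first fragment on every link, so cap it there.
MAX_CHAIN_BYTES = 1280


def walk_header_chain(pkt: bytes) -> dict:
    """Walk the extension-header chain of one raw IPv6 packet and report
    whether the upper-layer header is reachable inside these bytes."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if IPV6_HDR_LEN + payload_len != len(pkt):
        raise ValueError("payload length field does not match packet size")
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    first_fragment = True   # True for unfragmented packets and first fragments
    complete = True
    while nh in EXT_NAMES:
        if off + 8 > len(pkt):          # every extension header is >= 8 bytes
            complete = False
            break
        chain.append(EXT_NAMES[nh])
        next_nh = pkt[off]
        if nh == FRAGMENT:
            hlen = 8
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                # non-first fragment: what follows is payload, not headers
                first_fragment = False
                off, nh = off + hlen, next_nh
                break
        else:
            hlen = (pkt[off + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units
        if off + hlen > len(pkt):       # header claims more bytes than present
            complete = False
            off, nh = off + hlen, next_nh
            break
        off, nh = off + hlen, next_nh
    return {
        "chain": chain,
        "chain_bytes": off,
        "upper_layer": nh if complete and first_fragment else None,
        "first_fragment": first_fragment,
        "complete": complete,
        # RFC 7112 rule: a first fragment (or unfragmented packet) whose chain
        # does not finish within the packet must be dropped; our cap is extra.
        "oversized": first_fragment and (not complete or off > MAX_CHAIN_BYTES),
    }


# --- constructed sample packets -------------------------------------------

def ipv6(first_nh: int, body: bytes) -> bytes:
    """Fixed IPv6 header (documentation addresses 2001:db8::1 -> ::2) + body."""
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")
    return struct.pack("!IHBB", 6 << 28, len(body), first_nh, 64) + src + dst + body


def options_header(next_nh: int, ext_len: int) -> bytes:
    """Hop-by-Hop / Destination Options header of (ext_len + 1) * 8 bytes,
    filled with a single PadN option."""
    pad = (ext_len + 1) * 8 - 2
    return bytes([next_nh, ext_len, 1, pad - 2]) + b"\x00" * (pad - 2)


def fragment_header(next_nh: int, frag_off: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_nh, 0, (frag_off << 3) | int(more), ident)


TCP_STUB = b"\x00" * 20   # constructed placeholder standing in for a TCP header

PLAIN = ipv6(TCP, TCP_STUB)
TWO_EXT = ipv6(HOP_BY_HOP, options_header(DEST_OPTS, 0) + options_header(TCP, 0) + TCP_STUB)
# First fragment carrying only 8 of the 248 bytes its DestOpts header claims:
# the TCP header cannot be found here, so the RFC 7112 rule says drop it.
TRUNCATED_CHAIN = ipv6(FRAGMENT, fragment_header(DEST_OPTS, 0, True, 0x1234)
                       + options_header(TCP, 30)[:8])
# A later fragment of some packet: nothing to walk past the Fragment header.
LATER_FRAG = ipv6(FRAGMENT, fragment_header(TCP, 100, False, 0x1234) + b"\x00" * 32)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("two_ext", TWO_EXT),
                      ("truncated", TRUNCATED_CHAIN), ("later_frag", LATER_FRAG)]:
        print(name, walk_header_chain(pkt))
```

The walker never reads past the bytes it has, which is the whole point: a filter that must see the transport header can only decide on what is present in the first fragment, and the `oversized` flag is the decision a router or firewall following RFC 7112 would take for such a packet.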
