[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Jim Small jim.small at cdw.com
Fri Mar 8 14:31:27 CET 2013


Cameron,

I see where you're going.  I agree with the overall sentiment.  I'm not saying most of these are new - all I'm trying to show attendees is that just like with IPv4, there are real deployable defenses available today that they can use to defend their networks.  I talk to a lot of people who still mistakenly believe that there are all these "IPv6 attacks" and no defenses.  I'm not saying there isn't room for improvement, only that there are many options currently available.  My goal is to give attendees working configs that will mitigate many of these attacks.

--Jim

> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> bounces at lists.si6networks.com] On Behalf Of Cameron Byrne
> Sent: Thursday, March 07, 2013 11:32 PM
> To: IPv6 Hackers Mailing List
> Subject: Re: [ipv6hackers] Looking for feedback on subjective top list of IPv6
> security issues
> 
> Let me give it a shot, obviously i am rounding out some edges
> 
> I believe most of these have ipv4 equivalents
> 
> On Thu, Mar 7, 2013 at 7:12 PM, Jim Small <jim.small at cdw.com> wrote:
> >
> > I'm working on a presentation for practical IPv6 security countermeasures.
> > I've reviewed the latest presos from Fernando, Marc, Antonios, and Éric
> > Vyncke to compile a list of security vulnerabilities.  Here's a somewhat
> > subjective list of what I feel are "scary" attacks for those new to IPv6:
> >
> > 1)      Remotely triggered neighbor cache exhaustion attacks (from subnet
> > scanning)
> >
> 
> http://en.wikipedia.org/wiki/Unicast_flood
> 
> > 2)      RA floods (autoconfig prefixes, routes, etc...) which crash all L2
> > adjacent hosts with IPv6 enabled stacks
> >
> 
> http://en.wikipedia.org/wiki/MAC_flooding
> 
> > 3)      RA spoofing
> >
> 
> http://en.wikipedia.org/wiki/ARP_spoofing
> 
> > 4)      DHCPv6 spoofing
> >
> 
> http://trac.secdev.org/scapy/wiki/DhcpTakeover
> 
> > 5)      NDP (NS/NA) spoofing
> >
> 
> http://en.wikipedia.org/wiki/ARP_spoofing
> 
> > 6)      NS floods - DoS
> >
> 
> http://en.wikipedia.org/wiki/MAC_flooding
> 
> > 7)      Fragmentation attacks
> >
> 
> http://en.wikipedia.org/wiki/Denial-of-service_attack#Teardrop_attacks
> 
> > 8)      ICMPv6 redirect spoofing
> >
> 
> https://supportforums.cisco.com/thread/2176802
> 
> > 9)      MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for
> > this one...
> >
> > a.       For general countermeasures it is possible to do MLD ACLs and of
> > course you could implement 802.1X and/or 802.1AE.  I know
> Fernando/Marc
> > aren't fans of MLDv2 - what do you think are the most risky aspects?
> >
> > 10)   "Discoverability" or the idea that you should use randomized
> > addressing so as not to be discoverable from a "semi-intelligent" brute
> > force scan (assuming you're not in DNS or some other registry)
> >
> 
> no link needed, you just need a for loop that counts from 0 to 255
> 
> > 11)   Extension header attacks - this one is especially tough, probably
> > lots more to find...  I especially like Marc's warp packets with the router
> > alert "high speed tag" which also double as ACL bypass agents.
> >
> 
> http://arstechnica.com/gadgets/2007/05/old-ipv4-flaws-resurface-with-
> ipv6/
> 
> ipv4 has lots of crufty stuff in it too
> 
> > 12)   Tunnel attacks - I think the only interesting ones would be those
> > against 6in4, ISATAP, and 6rd as IMHO those are the only ones that are in
> > use.  I have read about tunnel attacks but haven't played with this very
> > much.  Do you think this is a serious threat worth covering?  Any
> > suggestions on tools?
> >
> 
> PPTP ?
> 
> And, then there always cool things like this
> http://www.cisco.com/en/US/products/csa/cisco-sa-20070124-crafted-ip-
> option.html
> 
> Perhaps IPv4 is not as baked as we think it is?
> 
> CB
> 
> 
> 
> > For the first 10 except fragmentation there are plenty of effective
> > countermeasures that I could discuss.  There are some defenses against
> > fragmentation and extension header attacks but these are less mature.  In
> > addition, it would be difficult to protect against these at L2.  As much as
> > I'd like to believe 12 isn't necessary it still very much is.  We have a
> > long way to go both within corporate networks and on backbone networks
> to
> > progress to end-to-end native v6 access.
> >
> > So what do you think?  Are these the most concerning security issues for
> > those looking to deploy IPv6?  Any thoughts greatly appreciated either on
> or
> > off list.
> >
> > Thanks,
> >   --Jim
> >
> >
> > _______________________________________________
> > Ipv6hackers mailing list
> > Ipv6hackers at lists.si6networks.com
> > http://lists.si6networks.com/listinfo/ipv6hackers
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers



More information about the Ipv6hackers mailing list