[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Jim Small jim.small at cdw.com
Fri Mar 8 14:37:54 CET 2013


> This is the one that scares me the most
> http://www.ietf.org/id/draft-ietf-opsec-vpn-leakages-00.txt

This is a concerning issue.  Like you said, older VPN clients are simply oblivious to IPv6.  IPv6 is being steadily rolled out to consumers with hardware that has IPv6 on by default.  We have many organizations with their head in the sand about IPv6 thus allowing a client bridgehead into corporate networks.  I will consider adding this.

Thanks--Jim

> >> -----Original Message-----
> >> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> >> bounces at lists.si6networks.com] On Behalf Of Jim Small
> >> Sent: Thursday, March 07, 2013 10:49 PM
> >> To: IPv6 Hackers Mailing List
> >> Subject: Re: [ipv6hackers] Looking for feedback on subjective top list of
> IPv6
> >> security issues
> >>
> >> Hi Cameron,
> >>
> >> > > 1)      Remotely triggered neighbor cache exhaustion attacks (from
> subnet
> >> > scanning)
> >>
> >> Unique to IPv6 because of large subnet side and encapsulation of L2
> address
> >> resolution within IPv6 (ICMP)
> >>
> >>
> >> > > 2)      RA floods (autoconfig prefixes, routes, etc...) which crash all
> >> > L2 adjacent hosts with IPv6 enabled stacks
> >>
> >> Unique?  Well, I agree with Fernando/Marc - a result of immature IPv6
> >> stacks...
> >>
> >>
> >> > > 3)      RA spoofing
> >>
> >> Unique (sort of) - IPv4 does have ICMP router discovery, but I don't
> believe
> >> this was ever widely implemented
> >>
> >>
> >> > > 4)      DHCPv6 spoofing
> >> > > 5)      NDP (NS/NA) spoofing
> >>
> >> Analogous to DHCP/ARP spoofing in IPv4
> >>
> >>
> >> > > 6)      NS floods - DoS
> >>
> >> Again, IMHO because of immature IPv6 stacks.
> >>
> >>
> >> > > 7)      Fragmentation attacks
> >>
> >> Not unique, see Antonios' preso but worse in IPv6 because of complexity
> of
> >> extension headers and stack immaturity.
> >>
> >>
> >> > > 8)      ICMPv6 redirect spoofing
> >>
> >> Analogous to IPv4
> >>
> >>
> >> > > 9)      MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for
> >> > this one...
> >>
> >> Somewhat analogous to IPv4 but interested to hear from Fernando/Marc
> as
> >> my impression is they think it's worse.  Code immaturity again or
> additional
> >> IETF work needed?  Not sure...
> >>
> >>
> >> > > 10)   "Discoverability" or the idea that you should use randomized
> >> > addressing so as not to be discoverable from a "semi-intelligent" brute
> >> > force scan (assuming you're not in DNS or some other registry)
> >>
> >> New to IPv6 because of subnet size.
> >>
> >>
> >> > > 11)   Extension header attacks - this one is especially tough, probably
> >> > lots more to find...  I especially like Marc's warp packets with the router
> >> > alert "high speed tag" which also double as ACL bypass agents.
> >>
> >> New to IPv6.
> >>
> >>
> >> > > 12)   Tunnel attacks - I think the only interesting ones would be those
> >> > against 6in4, ISATAP, and 6rd as IMHO those are the only ones that are
> in
> >> > use.  I have read about tunnel attacks but haven't played with this very
> >> > much.  Do you think this is a serious threat worth covering?  Any
> >> > suggestions on tools?
> >>
> >> New to IPv6/transition issue.
> >>
> >>
> >> > Just a question. Are any these unique or do they all have an
> approximate
> >> > equivalent in Ipv4?
> >>
> >> I feel like a padawan explaining something to a master.  Did I answer your
> >> question or are you poking fun at me and I missed the bus?  :-)
> >>
> >> --Jim
> >>
> >>
> >> _______________________________________________
> >> Ipv6hackers mailing list
> >> Ipv6hackers at lists.si6networks.com
> >> http://lists.si6networks.com/listinfo/ipv6hackers
> >>
> >>
> >>
> >> *** PLEASE NOTE: This email transmission was sent using a CDW address
> but
> >> originated from an e-mail system that is neither controlled nor managed
> by
> >> CDW and its affiliates. ***
> >
> > _______________________________________________
> > Ipv6hackers mailing list
> > Ipv6hackers at lists.si6networks.com
> > http://lists.si6networks.com/listinfo/ipv6hackers
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers



More information about the Ipv6hackers mailing list