[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues
jim.small at cdw.com
Fri Mar 8 14:48:48 CET 2013
> >> 9) MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for
> >> this one...
> >> a. For general countermeasures it is possible to do MLD ACLs and of
> >> course you could implement 802.1X and/or 802.1AE. I know
> >> aren't fans of MLDv2 - what do you think are the most risky aspects?
> MLDv2 is extremely complex. -- too bad most nodes deploy this just for
> the use of multicast with Neighbor Discovery. -- for the ND use, MLD is
> more than fine.
Fernando, I trust your judgment but is there anything else you can share on this? Is the complexity based on looking at system code? My understanding is MLDv1 ~= IGMPv2 and MLDv2 ~= IGMPv3. The big difference between IGMPv2 and v3 is that v3 adds SSM capabilities. Does this feature greatly complicate things? Couldn't you argue that SSM gives the client more control over which multicast streams are accepted? Do you have any working attacks that would be worth exploring and developing defenses for? Anything you could share would be great.
> >> 11) Extension header attacks - this one is especially tough, probably
> >> lots more to find... I especially like Marc's warp packets with the router
> >> alert "high speed tag" which also double as ACL bypass agents.
> > http://arstechnica.com/gadgets/2007/05/old-ipv4-flaws-resurface-with-
> > ipv4 has lots of crufty stuff in it too
> Yep. But not as crufty as this: draft-ietf-6man-oversized-header-chain
I agree - I know from doing beta/product testing that there are *many* issues here that have yet to be resolved. I am sure there are many vulnerabilities, evasions, and issues yet to be discovered. Filtering and control of extension headers is in its infancy. Just take a look at your favorite firewall/IDS/IPS and see how good it is at dealing with extension headers. I can virtually guarantee you that you'll be disappointed.
> > And, then there always cool things like this
> > http://www.cisco.com/en/US/products/csa/cisco-sa-20070124-crafted-ip-
> > Perhaps IPv4 is not as baked as we think it is?
Did you look at Fernando and Marc's presos where they discuss CVEs for IPv4 versus IPv6? I'm not saying IPv6 isn't ready - it needs to be deployed. But there is something to what Fernando and Marc are saying. We need to work together to do product testing, get bugs filed, and improve the robustness of IPv6. I suppose you could argue that's always the case but I think there's some urgency with the current state of things.
More information about the Ipv6hackers