[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Cameron Byrne cb.list6 at gmail.com
Fri Mar 8 17:20:50 CET 2013


On Mar 8, 2013 12:52 AM, "Fernando Gont" <fgont at si6networks.com> wrote:
>
> On 03/08/2013 01:31 AM, Cameron Byrne wrote:
> >> 2)      RA floods (autoconfig prefixes, routes, etc...) which crash all L2
> >> adjacent hosts with IPv6 enabled stacks
> >
> > http://en.wikipedia.org/wiki/MAC_flooding
>
> These are very different. The latter is usually meant to cause a switch
> to behave as a hub (for sniffing purposes), while the former is a
> deliberate DoS against a host.
>
>
> >> 6)      NS floods - DoS
> >>
> >
> > http://en.wikipedia.org/wiki/MAC_flooding
>
> Same as above.
>
>
>
> >> 9)      MLD/MLDv2 attacks - I'm not very clear on dangerous attacks for
> >> this one...
> >>
> >> a.       For general countermeasures it is possible to do MLD ACLs and of
> >> course you could implement 802.1X and/or 802.1AE.  I know Fernando/Marc
> >> aren't fans of MLDv2 - what do you think are the most risky aspects?
>
> MLDv2 is extremely complex. -- too bad most nodes deploy this just for
> the use of multicast with Neighbor Discovery. -- for the ND use, MLD is
> more than fine.
>
>
> >> 10)   "Discoverability" or the idea that you should use randomized
> >> addressing so as not to be discoverable from a "semi-intelligent" brute
> >> force scan (assuming you're not in DNS or some other registry)
> >
> > no link needed, you just need a for loop that counts from 0 to 255
>
> Well, yeah,  but the problem space is completely different.
>
>
>
> >> 11)   Extension header attacks - this one is especially tough, probably
> >> lots more to find...  I especially like Marc's warp packets with the router
> >> alert "high speed tag" which also double as ACL bypass agents.
> >
> >
> > http://arstechnica.com/gadgets/2007/05/old-ipv4-flaws-resurface-with-ipv6/
> >
> > ipv4 has lots of crufty stuff in it too
>
> Yep. But not as crufty as this: draft-ietf-6man-oversized-header-chain
>
>
>
> > And, then there are always cool things like this
> >
> > http://www.cisco.com/en/US/products/csa/cisco-sa-20070124-crafted-ip-option.html
> >
> > Perhaps IPv4 is not as baked as we think it is?
>
> Maybe. But with v6 we still have to go for about 10 years to get where
> IPv4 implementations are. -- not that I like it, though.
>

So, my point is not really in the specifics.  In the last 2 years I know
for sure Microsoft, Cisco, and Juniper all had critical bugs where a
special IPv4 packet would cause a catastrophic failure, right?

I don't think the lessons of IPv4 are really lessons. People reinvent the
wheel and fail in both new and the same ways all the time.

I just don't think it means anything to say that IPv4 is baked and IPv6 is
not. They are both capable of catastrophic failure now and in the future.
Such is the case of software. And hardware. And wetware.

If you want to make the claim that one is more baked, do it based on
statistics. That way we all agree you are telling a lie :)

CB

> Cheers,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>


