[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues
Jim Small
jim.small at cdw.com
Sun Mar 10 02:10:26 CET 2013
> On 09.03.2013 19:50, Jim Small wrote:
> >>> 9) MLD/MLDv2 attacks - I'm not very clear on dangerous attacks
> >>> for this one...
> >>
> >> I can shed some light here.
> >> many router implementations suck here. flood them with random
> >> report/done
> >> messages, or MLD router advertisements/solicitations and you get 100%
> >> cpu, 100% ram and/or crash.
> >> even with firewalls (netscreen for example. uh, just remembering I never
> >> told them that. because their security team was not interested in fixing
> >> ipv6 bugs so I stopped telling them)
> >
> > I would definitely like to know more here.
> > MLDv2 is the default though so to even consider convincing people to
> > "downgrade" to MLDv1 I feel like I'd have to have a lot more evidence.
> > I'll keep looking at this. I did go through the RFCs and I see what
> > Fernando means about MLDv2 being much more involved.
>
> well, I think Fernando is saying "do MLDv1 instead of MLDv2" simply
> because MLDv1 is a very simple message, whereas MLDv2 is way more
> complex, which increases DoS attack vectors, a generally higher likelihood
> of bad parser implementations, etc.
>
> In my opinion multicast is a very cool thing and can be very useful.
> sadly, to harden it against attacks, from design to configuration to
> implementation is very, very hard.
You're right.
> Therefore I personally would recommend to avoid any ff05:: multicast
> stuff unless you have all areas secured down and under control.
> basically: if you trust everyone within the multicast domain.
>
> doesn't sound like that in what you describe as the planned usages ;-)
>
> Well, getting back to your question - with all the things in multicast
> that can be problematic or hard to secure, recommending MLDv1 vs MLDv2
> does not gain much. So I'd say, go with MLDv2.
I continue to look at this but I agree multicast decisions should be made carefully.
> >>> 11) Extension header attacks - this one is especially tough,
> >>> probably lots more to find... I especially like Marc's warp packets
> >>> with the router alert "high speed tag" which also double as ACL
> >>> bypass agents.
> >>
> >> yeah, that was so much fun ... :-)
> >> actually I did not find a lot of issues here. as there are not that many
> >> options yet, this is rather limited.
> >> but fragmentation headers plus extension headers - that's where it gets
> >> scary (one of many examples, see my report on the Kaspersky remote
> >> freeze).
> >
> > There are two issues I see here. Fragmentation and the fact that many
> > systems can't filter/parse/inspect extension headers. Many security
> > systems are only designed to deal with a single L2 header and a single
> > L3 header. If you stick a bunch of extension headers in the middle
> > they just ignore them. I find this disconcerting and have been
> > pushing for better options.
>
> I haven't come across such things for quite some time now.
> Agreed it was a problem, I remember the old ndpmon implementation.
> Do you have information on affected products/tools that are "current"?
> I can't believe I am arguing "pro" here ;-)
I know of many "enterprise-grade" commercial firewalls that are IMHO unsatisfactory with their current IPv6 extension header capabilities. I would like to see a firewall be able to arbitrarily block any extension header by number regardless of where it is in the chain or regardless of fragmentation. I would also like the ability to parse/inspect any extension header with the same criteria - regardless of where it is in the chain and regardless of fragmentation. There are definitely some capabilities here, but not as much as I would like. I really like pf and netfilter/iptables but I haven't really done an IPv6 deep dive with these. Do they have these capabilities already? Does snort or suricata?
> >> Either go IPv4 only (means: disabling IPv6 everywhere)
> >
> > I don't see how to do v4 only. Organizations need parts of their
> > networks running v6 to develop operational experience. Developers need
> > v6 to develop and test mobile/web applications for v6. I can see limiting
> > v6 within a network but I don't see how to do v4 only. If an organization
> > stays v4 only until say 25% of the Internet is running v6 then they will
> > have no security/operational v6 experience.
>
> I do not agree with this. products are still immature. deploying when it's
> still bleeding edge gives you experience, yes. but also a lot of
> trouble, also security ones.
> When you join late, yeah, you are missing experience. but good, mature
> products, training for your staff, and external consultants who know
> what's important make it an even easier and more painless experience.
>
> but of course - somebody must start, otherwise nobody will ever deploy.
That's the point of the conferences - present there, present at user groups, share best practices and promote a smart, steady ramp up.
> >> or IPv6 only
> >
> > I also don't see how to make this work. Most companies have legacy
> > v4 systems like embedded/controls/SCADA-type systems that may never
> > do v6. Take a look at almost all training and network related
> > material. Everything is "IPv4-only."
> > I think trying to switch to v6 only is too much. In a network
> > centric crowd you have a general awareness of IPv6. However,
> > ask systems people, developers, or the virtualization crowd about IPv6.
> [...]
> > However, I can't see this working for a typical enterprise/organization.
> > Do you think I'm way off here and missing the bus?
> > Marc, I know you do a lot of consulting - have you seen these
> > approaches work for your clients?
>
> I'd say you are right on the spot. however there are a lot of small fresh
> companies who could go directly IPv6 only without major issues.
> Dual stack is a bag of snakes. I'd recommend to avoid it as much as
> possible, and rather build a translation segment and gradually move
> equipment from the ipv4 network to an ipv6 network.
> But in some scenarios that's unfeasible. In these I'd recommend to either
> stay IPv4, or do dual stack and curse your job :-)
>
> (but I am not an IPv6 consultant. I do security research and analysis
> for clients, also in the field of IPv6. In the IPv6 projects I have been in so
> far, I take care of good policies, equipment testing, pentesting, etc.
> And I ask "is IPv6 really necessary for you?". But I will never organize
> a migration myself. not my field of expertise. I only can say from the
> issues I have seen, that dual stack is good for people who need job
> security)
Running a multi-protocol network is a pain. But we did it for DECnet, IPX, AppleTalk, and others. We'll manage. I agree the goal needs to be to get to IPv6 only but I don't think most people are ready for that yet. At least not from what I've seen. Give it time.
> And maybe to add to this: I have no clear vision of how the start of the move
> to IPv6 in the next 2-4 years can actually happen.
One person, one organization at a time. That's why we're all here, to help everyone make the move.
> Nearly every company will need external know-how. OK, more and more
> consultants get IPv6 knowledge, but as such projects tend to take 6-24
> months (depending on network size, complexity and application
> readiness), there cannot be enough consultants on the market for this
> by that time. And of course it's a high cost factor for companies too
> (not to mention the training for the people who need that. license cost
> for software upgrade. new hardware. overtime required for the migration.
> etc.).
I am trying very hard to promote a steady ramp up. Critical mass will most likely happen in the US in late 2014/early 2015. That's when the killer apps will start. My hope is that we have rough consensus on best practices and reasonable security by then. One can only hope...
--Jim
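The filtering capability Jim asks for above (block or inspect an extension header by its number wherever it sits in the chain, and behave sensibly when a Fragment header cuts the chain off) comes down to a header-chain walk. The Python below is an added example written for this page, not code from the thread or from any of the firewalls or IDSs it mentions. It builds four constructed IPv6 packets (2001:db8:: documentation addresses, zeroed upper-layer stubs), walks the extension-header chain of each, and applies a hypothetical policy: drop if a blocked header number appears anywhere in the chain, drop if a Hop-by-Hop header is not first, and drop if the chain cannot be followed to the upper layer (non-first fragment, ESP, truncation). The function and sample names (`walk_chain`, `should_drop`, `build_samples`) are this example's own. A filter that only looks at the first Next Header byte would pass the first sample, whose Destination Options header sits behind a Fragment header.

```python
"""Walk an IPv6 extension-header chain and apply a per-header-number policy.

Constructed example for the ipv6hackers discussion; not code from the thread.
Header layouts follow RFC 2460/8200: HBH, Routing and Destination Options carry
their length in 8-octet units minus 1, AH in 4-octet units minus 2, Fragment is
always 8 octets, ESP hides everything after it.
"""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
# Headers we know how to step over; ESP is opaque and handled separately.
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}

SRC = ipaddress.IPv6Address("2001:db8::1").packed  # constructed addresses
DST = ipaddress.IPv6Address("2001:db8::2").packed


def walk_chain(packet: bytes):
    """Return (chain, upper_layer, complete).

    chain       : extension header numbers in the order they appear
    upper_layer : protocol number after the chain, or None if not visible
    complete    : False when the chain cannot be followed to the upper layer
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain = packet[6], 40, []
    while True:
        if next_header == ESP:
            chain.append(ESP)
            return chain, None, False  # ESP: nothing after it is inspectable
        if next_header not in EXTENSION_HEADERS:
            return chain, next_header, True
        if offset + 8 > len(packet):
            return chain, None, False  # truncated: header not fully present
        chain.append(next_header)
        nh, ext_len = packet[offset], packet[offset + 1]
        if next_header == FRAGMENT:
            hdr_len = 8
            frag_off = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_off != 0:
                # Non-first fragment: the rest of the chain and the upper-layer
                # header are in the first fragment, which this packet lacks.
                return chain, None, False
        elif next_header == AH:
            hdr_len = (ext_len + 2) * 4
        else:
            hdr_len = (ext_len + 1) * 8
        next_header, offset = nh, offset + hdr_len


def should_drop(packet: bytes, blocked_headers, drop_unparsable=True):
    """Hypothetical policy: (drop?, reason). blocked_headers is a set of numbers."""
    chain, upper, complete = walk_chain(packet)
    hit = set(chain) & set(blocked_headers)
    if hit:
        return True, f"blocked header {sorted(hit)} in chain {chain}"
    if HOP_BY_HOP in chain[1:]:
        return True, f"Hop-by-Hop not first in chain {chain}"
    if not complete and drop_unparsable:
        return True, f"chain {chain} not fully visible (fragment/ESP/truncated)"
    return False, f"chain={chain} upper_layer={upper}"


# --- constructed packets -----------------------------------------------------
def ipv6_header(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload


def hop_by_hop_router_alert(next_header: int) -> bytes:
    # 8 octets: Router Alert option (type 5, len 2, value 0 = MLD) + PadN(0)
    return bytes([next_header, 0, 5, 2, 0, 0, 1, 0])


def dest_opts_padn(next_header: int) -> bytes:
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])  # 8 octets, PadN(4)


def fragment_header(next_header: int, offset: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def routing_header_type0(next_header: int, addr: bytes) -> bytes:
    # hdr_ext_len 2 -> 24 octets: 8 fixed + one 16-octet address, segments left 1
    return bytes([next_header, 2, 0, 1, 0, 0, 0, 0]) + addr


def auth_header(next_header: int) -> bytes:
    # payload len 4 -> (4+2)*4 = 24 octets: 12 fixed (SPI, seq) + 12 octets of ICV
    return bytes([next_header, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + bytes(12)


def build_samples() -> dict:
    first = (hop_by_hop_router_alert(FRAGMENT)
             + fragment_header(DEST_OPTS, 0, True, 0x1234)
             + dest_opts_padn(6) + bytes(20))               # TCP header stub
    later = fragment_header(DEST_OPTS, 1, False, 0x1234) + bytes(8)
    return {
        "first_fragment": ipv6_header(HOP_BY_HOP, first),  # HBH, Frag, DestOpts, TCP
        "later_fragment": ipv6_header(FRAGMENT, later),    # chain hidden in fragment 0
        "routing": ipv6_header(ROUTING, routing_header_type0(17, DST) + bytes(8)),
        "ah": ipv6_header(AH, auth_header(58) + bytes(8)),  # AH then ICMPv6
    }


if __name__ == "__main__":
    for name, pkt in build_samples().items():
        print(name, should_drop(pkt, {ROUTING, DEST_OPTS}))
```

With `{ROUTING, DEST_OPTS}` blocked, the first three samples are dropped (Destination Options found behind the Fragment header, a non-first fragment whose chain is not visible, and a Routing header) and only the AH sample passes. A real filter would additionally have to reassemble or track fragments to apply the same policy to non-first fragments instead of dropping them outright.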