[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues
Marc Heuse
mh at mh-sec.de
Sun Mar 10 04:18:02 CET 2013
Hi Jim,
On 10.03.2013 02:10, Jim Small wrote:
>>>>> 11) Extension header attacks - this one is especially tough,
>>>>> probably lots more to find... I especially like Marc's warp packets
>>>>> with the router alert "high speed tag" which also double as ACL
>>>>> bypass agents.
>>
>> I haven't come across such things for quite some time now.
>> Agreed it was a problem, I remember the old ndpmon implementation.
>> Do you have information on affected products/tools that are "current"?
>> I can't believe I am arguing "pro" here ;-)
>
> I know of many "enterprise-grade" commercial firewalls that are IMHO
> unsatisfactory with their current IPv6 extension header capabilities.
> I would like to see a firewall be able to arbitrarily block any
> extension header by number regardless of where it is in the chain
> or regardless of fragmentation. I would also like the ability to
> parse/inspect any extension header with the same criteria -
> regardless of where it is in the chain and regardless of fragmentation.
> There are definitely some capabilities here, but not as much as I
> would like.
I am just now reviewing four different firewalls for their IPv6
capabilities for a German magazine.
Useful filtering on extension headers: only Cisco ASA can do this, with
their newest firmware.
Filtering on options: nobody can do this at the moment. And this is
important (but also, for an admin, not very feasible to know and make
good decisions about). I was told ASA should be able to do that at
the end of the year. But let's see.
Greets,
Marc
--
Marc Heuse
www.mh-sec.de
PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A
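What Jim asks of a firewall above (block any extension header by number wherever it sits in the chain, and look inside Hop-by-Hop / Destination Options for a given option type such as Router Alert) comes down to walking the header chain to the upper layer. The following is an added example written for this page, not code from the thread or from any of the firewalls under review: a minimal chain walker and block-list check in Python over constructed packets. The packet bytes, addresses and fragment identification are made up here, the ICMPv6 checksum is left at zero because nothing validates it, and the policy function is hypothetical. It also shows the fragmentation caveat: a non-first fragment carries no header chain, so a per-packet filter cannot decide it without reassembly.

```python
import struct

# IANA protocol numbers for the IPv6 extension headers and the upper layer used here
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, 135, 139, 140}
ICMPV6 = 58
ROUTER_ALERT = 5  # option type of the Router Alert option (RFC 2711)


def walk_chain(pkt):
    """Walk the extension header chain of a raw IPv6 packet.

    Returns (chain, upper, note): chain is a list of (header_number, offset) for
    every extension header seen, upper is the upper-layer protocol number or None
    when the walk could not reach it, and note says why it stopped early.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return [], None, 'not an IPv6 packet'
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            return chain, None, 'truncated header chain'
        chain.append((nh, off))
        if nh == ESP:                       # everything behind ESP is encrypted
            return chain, None, 'ESP: rest of chain not visible'
        next_nh = pkt[off]
        if nh == FRAGMENT:                  # fixed 8 bytes; offset in units of 8
            frag_off = struct.unpack('!H', pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return chain, None, 'non-first fragment: rest of chain not visible'
            hlen = 8
        elif nh == AH:                      # length field in 32-bit words minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                               # length field in 8-byte units, excluding first 8
            hlen = (pkt[off + 1] + 1) * 8
        nh, off = next_nh, off + hlen
    return chain, nh, ''


def parse_options(pkt, off):
    """Return [(type, value)] for the TLV options of a HBH/DstOpts header at off."""
    hlen = (pkt[off + 1] + 1) * 8
    body, i, opts = pkt[off + 2:off + hlen], 0, []
    while i < len(body):
        if body[i] == 0:                    # Pad1 is a single zero byte, no length
            i += 1
            continue
        if i + 1 >= len(body):              # type byte without a length byte
            break
        t, l = body[i], body[i + 1]
        opts.append((t, bytes(body[i + 2:i + 2 + l])))
        i += 2 + l
    return opts


def find_option(pkt, opt_type):
    """Every (header_number, type, value) match for opt_type anywhere in the chain."""
    chain, _, _ = walk_chain(pkt)
    return [(h, t, v) for h, off in chain if h in (HOPOPT, DSTOPTS)
            for t, v in parse_options(pkt, off) if t == opt_type]


def check_policy(pkt, blocked_headers=(), blocked_options=()):
    """Hypothetical block-list check: 'drop', 'pass' or 'inconclusive'.

    'inconclusive' means the chain could not be walked to the upper layer (a
    non-first fragment, ESP, truncation); a filter must then reassemble or
    apply a default policy rather than silently passing the packet.
    """
    chain, upper, _ = walk_chain(pkt)
    for h, off in chain:
        if h in blocked_headers:
            return 'drop'
        if h in (HOPOPT, DSTOPTS) and any(
                t in blocked_options for t, _ in parse_options(pkt, off)):
            return 'drop'
    return 'pass' if upper is not None else 'inconclusive'


# --- constructed sample packets (made up for this example) ---------------------
SRC = bytes.fromhex('20010db8000000000000000000000001')   # 2001:db8::1
DST = bytes.fromhex('ff020000000000000000000000000001')   # ff02::1


def ipv6(next_header, payload):
    return struct.pack('!IHBB', 0x60000000, len(payload), next_header, 64) + SRC + DST + payload


def opts_header(next_header, options):
    body = b''.join(bytes([t, len(v)]) + v for t, v in options)
    pad = (-(2 + len(body))) % 8            # pad to a multiple of 8 with Pad1/PadN
    body += b'\x00' if pad == 1 else (bytes([1, pad - 2]) + b'\x00' * (pad - 2) if pad else b'')
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body


def fragment_header(next_header, offset, more, ident):
    return bytes([next_header, 0]) + struct.pack('!HI', (offset << 3) | more, ident)


ICMP = bytes([131, 0, 0, 0]) + b'\x00' * 4 + DST          # MLDv1 report, checksum unset

# A: Hop-by-Hop with Router Alert, then an empty Destination Options header
PKT_A = ipv6(HOPOPT, opts_header(DSTOPTS, [(ROUTER_ALERT, b'\x00\x00')])
             + opts_header(ICMPV6, []) + ICMP)
# B: Router Alert hidden in a Destination Options header *after* the Fragment header
PKT_B = ipv6(DSTOPTS, opts_header(FRAGMENT, [])
             + fragment_header(DSTOPTS, 0, 1, 0x1234)
             + opts_header(ICMPV6, [(ROUTER_ALERT, b'\x00\x00')]) + ICMP)
# C: a non-first fragment; whatever headers the first fragment carried are not here
PKT_C = ipv6(FRAGMENT, fragment_header(ICMPV6, 100, 0, 0x1234) + b'\x00' * 16)
```

Running `check_policy(PKT_B, blocked_options={ROUTER_ALERT})` drops the packet even though the option sits behind the Fragment header, while `PKT_C` comes back `inconclusive`: a device that answers `pass` for it is exactly the bypass Jim is worried about.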