[ipv6hackers] Looking for feedback on subjective top list of IPv6 security issues

Merike Kaeo merike at doubleshotsecurity.com
Sun Mar 10 05:45:34 CET 2013


On Mar 9, 2013, at 7:18 PM, Marc Heuse wrote:

> Hi Jim,
> 
> On 10.03.2013 02:10, Jim Small wrote:
>>>>>> 11)   Extension header attacks - this one is especially tough,
>>>>>> probably lots more to find...  I especially like Marc's warp packets
>>>>>> with the router alert "high speed tag" which also double as ACL
>>>>>> bypass agents.
>>> 
>>> I haven't come across such things for quite some time now.
>>> Agreed it was a problem, I remember the old ndpmon implementation.
>>> Do you have information on affected products/tools that are "current"?
>>> I can't believe I am arguing "pro" here ;-)
>> 
>> I know of many "enterprise-grade" commercial firewalls that are IMHO
>> unsatisfactory with their current IPv6 extension header capabilities.
>> I would like to see a firewall be able to arbitrarily block any
>> extension header by number regardless of where it is in the chain
>> or regardless of fragmentation.  I would also like the ability to
>> parse/inspect any extension header with the same criteria -
>> regardless of where it is in the chain and regardless of fragmentation.
>> There are definitely some capabilities here, but not as much as I
>> would like.
> 
> I am just now reviewing four different firewalls for their IPv6
> capabilities for a German magazine.
> Useful filtering on extension headers - only Cisco ASA can do this with
> their newest firmware.
> Filtering on options: nobody can do this at the moment, and this is
> important (but also for an admin not very feasible to know and make
> good decisions about). I was told ASA should be able to do that at
> the end of the year. But let's see.

Dave Piscatello had done a fairly comprehensive v6 firewall survey about 2-3 years ago
and was just appalled at the state of things.  I'd love to compare what you are doing to what
was found a few years back (I'm fluent in German btw, so a pointer to the article once available would be great).

I have heard that some folks are asking vendors to create the capability to drop packets if they have more
than 'X' extension headers - not sure when that functionality will ship, but this is a good practical feature.

I had a good conversation with Fernando today since we're both in Orlando for IETF.  I am super
happy more people are helping educate and creating tools to help folks create more resilient v6 deployments
(I am avoiding 'more secure' on purpose).

- merike
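
The thread above asks for three things most firewalls of the time could not do: block a given extension header by number wherever it sits in the chain, inspect the options inside Hop-by-Hop and Destination Options headers (Marc's "filtering on options"), and drop packets carrying more than 'X' extension headers. The following is an added example, not code from any poster or product, showing what such a check looks like when implemented as a chain walker over raw IPv6 packet bytes. The policy knobs (`blocked_headers`, `blocked_options`, `max_ext_headers`, `drop_uninspectable`) are hypothetical names chosen here, and the sample packets are constructed inline from the 2001:db8::/32 documentation prefix. It also handles the fragmentation caveat raised in the thread: for a non-initial fragment the upper-layer header is simply not present, so the chain cannot be fully inspected and the policy has to decide what to do with that.

```python
"""Walk an IPv6 extension-header chain and apply simple firewall-style policy.
Added example for illustration; header layouts follow RFC 8200 / RFC 4302."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# IANA protocol numbers of the extension headers we know how to step over.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY}
OPT_PAD1, OPT_PADN, OPT_ROUTER_ALERT = 0, 1, 5  # option types inside HBH / DestOpts


@dataclass
class ChainInfo:
    headers: List[int] = field(default_factory=list)   # extension header numbers, in order
    options: List[int] = field(default_factory=list)   # option types seen in HBH / DestOpts
    upper_layer: Optional[int] = None                  # final next-header value, if visible
    fragmented: bool = False
    inspectable: bool = True                           # False for non-initial fragments, ESP, or errors
    error: Optional[str] = None


def parse_options(data: bytes) -> List[int]:
    """Return the option types in a HBH/DestOpts option block (TLV encoded, Pad1 is one byte)."""
    types, i = [], 0
    while i < len(data):
        t = data[i]
        if t == OPT_PAD1:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option")
        ln = data[i + 1]
        if i + 2 + ln > len(data):
            raise ValueError("option length exceeds header")
        types.append(t)
        i += 2 + ln
    return types


def walk_chain(pkt: bytes) -> ChainInfo:
    """Step through every extension header after the fixed 40-byte IPv6 header."""
    info = ChainInfo()
    try:
        if len(pkt) < 40 or pkt[0] >> 4 != 6:
            raise ValueError("not an IPv6 packet")
        payload_len = struct.unpack_from("!H", pkt, 4)[0]
        if 40 + payload_len > len(pkt):
            raise ValueError("payload length exceeds captured bytes")
        nh, off = pkt[6], 40
        while nh in EXT_HEADERS:
            if nh == ESP:                      # encrypted from here on; nothing more to parse
                info.headers.append(nh)
                info.inspectable = False
                return info
            if off + 8 > len(pkt):
                raise ValueError("truncated extension header")
            info.headers.append(nh)
            if nh == FRAGMENT:
                hdr_len = 8
                info.fragmented = True
                frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
                if frag_off != 0:              # non-initial fragment: upper-layer header is elsewhere
                    info.inspectable = False
                    return info
            elif nh == AH:                     # AH length is in 32-bit words minus 2
                hdr_len = (pkt[off + 1] + 2) * 4
            else:                              # all others: 8-byte units not counting the first
                hdr_len = (pkt[off + 1] + 1) * 8
            if off + hdr_len > len(pkt):
                raise ValueError("truncated extension header")
            if nh in (HOP_BY_HOP, DEST_OPTS):
                info.options.extend(parse_options(pkt[off + 2:off + hdr_len]))
            nh, off = pkt[off], off + hdr_len
        info.upper_layer = nh
    except ValueError as exc:
        info.error, info.inspectable = str(exc), False
    return info


def verdict(pkt: bytes, blocked_headers=(), blocked_options=(), max_ext_headers=4,
            drop_uninspectable=True) -> Tuple[str, Optional[str]]:
    """Apply the policy the thread asks for; header position in the chain does not matter."""
    info = walk_chain(pkt)
    if info.error:
        return "drop", f"malformed: {info.error}"
    for pos, h in enumerate(info.headers):
        if h in blocked_headers:
            return "drop", f"blocked extension header {h} at position {pos}"
    if len(info.headers) > max_ext_headers:
        return "drop", f"{len(info.headers)} extension headers exceeds limit {max_ext_headers}"
    for o in info.options:
        if o in blocked_options:
            return "drop", f"blocked option type {o}"
    if not info.inspectable and drop_uninspectable:
        return "drop", "upper-layer header not visible (non-initial fragment or ESP)"
    return "accept", None


# --- constructed sample packets (documentation addresses, dummy payloads) ---
def ipv6(nh: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + src + dst + payload

def hbh_router_alert(nh):    # RouterAlert(type 5, len 2, value 0) + PadN(len 0) = 8 bytes
    return bytes([nh, 0, OPT_ROUTER_ALERT, 2, 0, 0, OPT_PADN, 0])

def dest_opts_padding(nh):   # PadN(len 4) = 8 bytes
    return bytes([nh, 0, OPT_PADN, 4, 0, 0, 0, 0])

def fragment(nh, offset, more, ident=0x1234):
    return bytes([nh, 0]) + struct.pack("!HI", (offset << 3) | more, ident)

def routing_type0(nh):       # hdr ext len 0, routing type 0, segments left 0
    return bytes([nh, 0, 0, 0, 0, 0, 0, 0])

PKT_ROUTER_ALERT = ipv6(HOP_BY_HOP, hbh_router_alert(FRAGMENT) + fragment(DEST_OPTS, 0, 1)
                        + dest_opts_padding(58) + b"\x80\x00\x00\x00")
PKT_BURIED_RH0 = ipv6(DEST_OPTS, dest_opts_padding(DEST_OPTS) + dest_opts_padding(ROUTING)
                      + routing_type0(6) + b"\x00" * 20)
PKT_NONINITIAL = ipv6(FRAGMENT, fragment(6, 100, 0) + b"\x00" * 16)
PKT_TOO_MANY = ipv6(DEST_OPTS, dest_opts_padding(DEST_OPTS) * 4 + dest_opts_padding(17) + b"\x00" * 8)
PKT_TRUNCATED = PKT_ROUTER_ALERT[:44]

if __name__ == "__main__":
    for name, pkt in [("router-alert", PKT_ROUTER_ALERT), ("buried-rh0", PKT_BURIED_RH0),
                      ("non-initial-frag", PKT_NONINITIAL), ("too-many", PKT_TOO_MANY),
                      ("truncated", PKT_TRUNCATED)]:
        print(name, walk_chain(pkt).headers, verdict(pkt, blocked_headers={ROUTING},
                                                     blocked_options={OPT_ROUTER_ALERT}))
```

Two points the walker makes concrete: the Routing header in `PKT_BURIED_RH0` is caught at position 2 just as it would be at position 0, which is the "regardless of where it is in the chain" requirement; and `PKT_NONINITIAL` shows why "regardless of fragmentation" is harder than it sounds, since a non-initial fragment carries no headers to inspect at all, so a box without reassembly can only choose between dropping it and trusting the first fragment's verdict.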

