[ipv6hackers] Slides from IPv6 Sec Summit

Jim Small jim.small at cdw.com
Fri Mar 15 03:22:08 CET 2013


Awesome talk!  I especially like how you walked through your approach and provided scapy samples - very cool.

> the talk wasn't just about TCP port scanning without being detected by
> Snort, as it is TOPERA, and generally speaking not just about evading IDS.
> It also discusses several other security issues, from OS fingerprinting and
> covert channels to firewall evasions (under specific circumstances). People
> that participated at the live workshops afterwards know what I mean. But,
> the goal of this presentation, if you check the last slide, was not just to
> show a dozen tricks (either new or not) or to provide a few scripts, but
> to raise some questions and start a discussion regarding:
> a. whether the approach defined in several RFCs is adequate, from a
> security perspective, or not.

Doesn't seem like it...

> b. whether the various vendors' implementations (from OS to security/network
> devices) meet the various standards.

There are definitely some options here, at least on the wired side.  However, Enno had a great point in his preso about being realistic with operational complexity.  That remains a challenge.

> c. how can we fix them to make the IPv6 world safer (the goal of Troopers)

Interested in what everyone thinks.  IMHO, short term best options are working with major vendors at the access layer and for security solutions.  At the access layer (Ethernet switches, Wireless controllers, Access points) and for firewalls push for strong controls for extension headers and fragmentation.  For IDS/IPS push for good detection.  Could an IPS do prevention without being susceptible to DoS?

So the question is, what are the best practices to push for?  Are the RFCs reasonable, and should the SHOULDs be changed to MUSTs (in access layer/firewalls)?  I guess the other thing I'm wondering is if ASICs/FPGAs can either cope with or be enhanced to cope with this at high speed.

Other thing is perhaps coming up with a standard "fuzzing" framework for access layer/security tools to accelerate "stack maturity."

What do you think?
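As an added illustration of the "strong controls for extension headers and fragmentation" point above (example code written for this thread, not from the talk or the scapy samples it mentions): a small Python checker that walks the extension header chain of a raw IPv6 packet and reports the conditions an access-layer filter or IDS policy would act on. MAX_CHAIN, the ipv6() helper and the sample packets are constructed assumptions.

```python
import struct

EXT_HDRS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Dest-Opts"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No-Next-Header"}
ESP = 50         # opaque from here on; the chain cannot be walked further
MAX_CHAIN = 3    # policy knob (assumption): headers tolerated before the upper layer


def walk_chain(pkt: bytes):
    """Walk the extension header chain of one raw IPv6 packet.
    Returns (chain, findings): header names in order, plus the policy hits
    a filter or IDS rule could act on."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return [], ["not an IPv6 packet"]
    chain, findings = [], []
    nh, off, first_frag_more = pkt[6], 40, False
    while nh in EXT_HDRS:
        name = EXT_HDRS[nh]
        if name == "Hop-by-Hop" and chain:
            findings.append("Hop-by-Hop header not first in chain")
        if off + 8 > len(pkt):
            findings.append(f"truncated {name} header")
            return chain, findings
        chain.append(name)
        if name == "Fragment":
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            nh, off = pkt[off], off + 8
            if frag >> 3:            # non-first fragment: payload follows, not headers
                return chain, findings
            first_frag_more = bool(frag & 1)
            continue
        # AH counts its length in 4-octet units, the other headers in 8-octet units
        hlen = (pkt[off + 1] + 2) * 4 if name == "AH" else (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hlen
    if len(chain) > MAX_CHAIN:
        findings.append(f"chain of {len(chain)} headers exceeds policy of {MAX_CHAIN}")
    if first_frag_more and (nh not in UPPER or off >= len(pkt)):
        findings.append("first fragment lacks upper-layer header (RFC 7112)")
    elif nh not in UPPER and nh != ESP:
        findings.append(f"unexpected next header {nh} after chain")
    return chain, findings


def ipv6(payload: bytes, nh: int) -> bytes:
    """Constructed minimal IPv6 fixed header (loopback addresses) for test input."""
    addr = bytes(15) + b"\x01"
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + addr + addr + payload


# Constructed samples: Hop-by-Hop (PadN) then a zeroed 20-byte TCP header, and a
# first fragment whose chain ends in a Fragment header with no TCP header behind it.
BENIGN = ipv6(b"\x06\x00\x01\x04\x00\x00\x00\x00" + bytes(20), 0)
TINY_FIRST_FRAG = ipv6(b"\x2c\x00\x01\x04\x00\x00\x00\x00" + b"\x06\x00\x00\x01\x12\x34\x56\x78", 60)
```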
