1 |
On 03/08/2013 07:45 PM, Kevin Chadwick wrote: |
2 |
>>> What would have been best, could have been done years ago and |
3 |
>>> not cost lots of money and even more in security breaches and |
4 |
>>> what I meant by ipv5 and would still be better to switch to even |
5 |
>>> today with everyone being happy to switch to it is simply ipv4 |
6 |
>>> with more bits for address space. |
7 |
>> |
8 |
>> This should be FAQ entry zero for the IPV6 FAQ... *NO* you can |
9 |
>> *NOT* add more bits to IPV4, and still have it backwards |
10 |
>> compatable. It won't work... period... end of story. Every piece |
11 |
>> of hardware and software that deals with IPV4 has the concept of 32 |
12 |
>> bits *HARD-CODED* into it. Switching over to IPV4-extended would be |
13 |
>> just as painfull as switching over to IPV6. |
14 |
> |
15 |
> No it would not, the headers would be different. All the hardware |
16 |
> would have already updated because there would be no bad sides and |
17 |
> it would have been released something like 15 years ago. But lets |
18 |
> not discuss them as we would be here for an eternity and there are |
19 |
> already whole websites dedicated to just that. |
20 |
|
21 |
I don't know, you just dropped the 2-3 most trollish anti-IPv6 posts |
22 |
I've ever seen. |
23 |
|
24 |
|
25 |
> |
26 |
> I re-iterate it would be worth hardware not being backwards |
27 |
> compatible again to go to ipv4 with large address space today. |
28 |
|
29 |
"IPv4 with large address space" would have taken just as long to deploy; |
30 |
it's the hardware support that's held us back the most. |
31 |
|
32 |
> |
33 |
> http://www.hackingipv6networks.com/past-trainings/hip2011-hacking-ipv6-networks.pdf |
34 |
> |
35 |
> That's just on security. There's a whole bad side to it's |
36 |
> functionality too. |
37 |
> |
38 |
|
39 |
Let's discuss security. I'll walk through the slide deck. |
40 |
|
41 |
"We have much less experience with IPv6 than with IPv4" |
42 |
|
43 |
That's a meaningless statement... |
44 |
|
45 |
"IPv6 implementations are much less mature than their IPv4 counterparts." |
46 |
|
47 |
Only in hardware Software has been much better. Windows has had full |
48 |
IPv6 support since Vista. Linux has |
49 |
had full IPv6 support for a few years, including IPSec. The software |
50 |
implementations are written...the stuff that's still arriving is |
51 |
feature-add. |
52 |
|
53 |
Offload engines and managed switches haven't switched over because |
54 |
clients were more interested in putting off a transition (the same |
55 |
transition you'd have to go through for IPv4 with extended address |
56 |
space) than paying for the upgrades. This would have happened with any |
57 |
IPv4 replacement. |
58 |
|
59 |
"Security products (firewalls, NIDS, etc.) have less support for IPv6 |
60 |
than for |
61 |
IPv4" |
62 |
|
63 |
Dedicated commercial products, yes. General-purpose products? Like I |
64 |
said, Windows Vista made IPv6 a first-class protocol, including firewall |
65 |
support. Linux's implementation is a bit quirky. I don't care for the |
66 |
separation between iptables and ip6tables; I think people tend to write |
67 |
an iptables script and forget to set up a firewall of any kind for IPv6. |
68 |
Most of the builder tools (i.e. fwbuilder), require seperate setup |
69 |
between the two, too. |
70 |
|
71 |
That's why I use sanewall (formerly firehol); defined rules apply to |
72 |
both IPv4 and IPv6. |
73 |
|
74 |
"The complexity of the resulting network will greatly increase during |
75 |
the transition/co-existence period:" |
76 |
|
77 |
Yes, and that would apply to any transition period. |
78 |
|
79 |
"Lack of trained human resources" |
80 |
|
81 |
That's why people like me go out and do training sessions. (I'll be at |
82 |
Penguicon again this year, if anyone else was thinking about going...) |
83 |
That's why Hurricane Electric offers free online certification programs. |
84 |
|
85 |
Regarding flow labels: |
86 |
|
87 |
"Currently unused by many stacks – others use it improperly" |
88 |
|
89 |
Honestly, I don't know about this. It's not something most people will |
90 |
need to work with. |
91 |
|
92 |
"Might be leveraged to perform “dumb” (stealth) address scans" |
93 |
|
94 |
I don't understand the relevance; you get the same information by |
95 |
observing the packet flow without the flow label. |
96 |
|
97 |
"Might be leveraged to perform Denial of Service attacks" |
98 |
|
99 |
So might absolutely anything. |
100 |
|
101 |
Regarding hop limit: |
102 |
|
103 |
"Could be leveraged for Detecting the Operating System of a remote node" |
104 |
|
105 |
So can IPv4's TTL, which it's analogous to. |
106 |
|
107 |
"Could be leveraged for Fingerprinting a remote physical device" |
108 |
|
109 |
So can IPv4's TTL, which it's analogous to. |
110 |
|
111 |
"Could be leveraged for Locating a node in the network topology" |
112 |
|
113 |
tcptraceroute does this with IPv4 TTLs. And traceroute has been doing |
114 |
this with IPV4's ICMP echo for decades. |
115 |
|
116 |
"Could be leveraged for Evading Network Intrusion Detection Systems (NIDS)" |
117 |
|
118 |
Just like IPv4 TTL. |
119 |
|
120 |
"Could be leveraged for Reducing the attack exposure of some |
121 |
hosts/applications" |
122 |
|
123 |
Not sure what's being said here, but we're talking about a feature |
124 |
directly analogous to IPv4 TTL. |
125 |
|
126 |
(skipping the remainder of the section, as there's nothing in there |
127 |
that's bad that's unique to IPv6) |
128 |
|
129 |
(skipping the next several sections, as they're just general technical |
130 |
training material, and don't discuss security implications) |
131 |
|
132 |
Re Fragmentation security implications that are different from IPv4: |
133 |
|
134 |
"The Identification field is much larger: chances of “IP ID collisions” |
135 |
are reduced" |
136 |
|
137 |
Good thing. |
138 |
|
139 |
"Note: Overlapping fragments have been recently forbidden (RFC 5722) – |
140 |
but they are still allowed by many Oses" |
141 |
|
142 |
This will improve. |
143 |
|
144 |
"IPv6 Idle scan" |
145 |
|
146 |
Noted as being applicable to IPv4. |
147 |
|
148 |
(skipping some general technical material aimed at sysadmin use for |
149 |
securing their systems) |
150 |
|
151 |
(skipping description of IPv6 headers; basic technical information) |
152 |
|
153 |
(skipping suggested countermeasures for theorized attacks) |
154 |
|
155 |
"IPv6 can be easily leveraged for evading firewalls." |
156 |
|
157 |
Not if the firewall is set up properly to begin with. Part of that is |
158 |
described in the preceding 'countermeasures' section. Most of the |
159 |
remainder is leveraging the same source, dest, port and state data |
160 |
that's known in IPv4. Finally, use IPSec if possible. (Right now, IPSec |
161 |
is largely useful as a VPN technique natively supported by by layer 3) |
162 |
|
163 |
"Most likely, firewalls will block packets with extension headersEs muy |
164 |
probable que se haga común el filtrado (en firewalls) de paquetes que |
165 |
contengan en encabezados de extensión" |
166 |
|
167 |
Not really; firewalls will continue to be based on known factors, and |
168 |
most of the interesting known factors are in the first header, not the |
169 |
extension headers. |
170 |
|
171 |
"The result will be: less flexibility, possibly preventing any use of |
172 |
IPv6 exntesion headers" |
173 |
|
174 |
Extension headers will be used where appropriate. |
175 |
|
176 |
(skip more benign material) |
177 |
|
178 |
"Some ICMPv6 messages are assumed to indicate “hard errors”. Some stacks |
179 |
used to abort TCP connections when hard errors were |
180 |
received. BSD-derived and Linux implementations don’t--Good!" |
181 |
|
182 |
I believe Windows's stack is based on BSD. I don't know of any stacks |
183 |
which do. (None are listed, either) |
184 |
|
185 |
(skip portion which notes straightforward solutions) |
186 |
|
187 |
(skip benign material) |
188 |
|
189 |
Re ICMPv6 Echo Request/Echo response |
190 |
|
191 |
"Also usually exploited for network reconnaissance" |
192 |
|
193 |
A.K.A. 'traceroute', a known entity in IPv4. |
194 |
|
195 |
(skip benign material) |
196 |
|
197 |
Re Node Information Query/Response |
198 |
|
199 |
"My take: unless you really need your nodes to support Node Information |
200 |
messages, disable it (i.e., “sysctl –w net.inet6.icmp6.nodeinfo=0)." |
201 |
|
202 |
Or even firewall it off at your network edge, like you would any |
203 |
unblessed, unsolicited inbound traffic. |
204 |
|
205 |
(skip benign material) |
206 |
|
207 |
Re Address Resolution Games |
208 |
|
209 |
"Neighbor Cache Poisoning attacks – the v6 version of V4’s ARP cache |
210 |
poisoning" |
211 |
|
212 |
Says it for me...same as IPv4's ARP poisoning. (Incidentally, this is |
213 |
the attack bandied about the most by people arguing that IPv6 is insecure) |
214 |
|
215 |
"Advertising “special” link-layer addresses, e.g.," |
216 |
|
217 |
That's probably a bug in the implementation. It will be fixed. |
218 |
|
219 |
"Some implementations (FreeBSD, NetBSD) don’t enforce limits on the |
220 |
number of entries that can be created in the Neighbor Cache" |
221 |
|
222 |
Certainly that will change soon. |
223 |
|
224 |
(Skipping MitM and DoS discussion, as it's analogous to IPv4's ARP |
225 |
poisoning) |
226 |
|
227 |
"Not much support in layer-2 security boxes to mitigate these attacks" |
228 |
|
229 |
This is improving. It hadn't shown up yet because commercial purchasers |
230 |
had been dragging their feet in demanding their vendors support IPv6 in |
231 |
the first place. |
232 |
|
233 |
(skip more benign material) |
234 |
|
235 |
"Disable an Existing Router" |
236 |
|
237 |
Depends on the attacker being on the local network, and is what RAGuard |
238 |
is for. |
239 |
|
240 |
"Exploit DAD for Denial of Service" |
241 |
|
242 |
This is the first interesting attack I've seen mentioned in the slide |
243 |
deck (and I'm on slide 109 out of 167, getting to it). |
244 |
|
245 |
I don't think there's a way to mitigate against it, except to prevent |
246 |
the attacker from getting on layer 2 network in the first place. |
247 |
(Entirely doable with things like 802.1x.) |
248 |
|
249 |
"Advertise Malicious Network Parameters" |
250 |
|
251 |
Again, what RAGuard is for. |
252 |
|
253 |
Re Autoconf Addresses & Privacy |
254 |
|
255 |
"There were concerns that autoconf addresses hurt privacy, as they could |
256 |
be used to correlate network activity" |
257 |
|
258 |
Not all that interesting, actually. That kind of correlating activity is |
259 |
happening more effectively with DPI and HTTP request headers, and *that* |
260 |
sees through NAT, privacy addresses and proxy servers. |
261 |
|
262 |
When people express concerns about autoconf addresses to me, I tell them |
263 |
that if they're that worried about it, they need to already be using |
264 |
source-obfuscating techniques like the Tor network. |
265 |
|
266 |
(skip benign material) |
267 |
|
268 |
"The use of a single “Destination Options” header is enough to evade |
269 |
most implementations of RA-Guard." |
270 |
|
271 |
Sadly, that's on the hardware vendors again. Hopefully, the |
272 |
commercial-grade vendors will get their crap patched. There's no reason |
273 |
(that I know of) for an RA-Guard implementation to need to inspect the |
274 |
destination options header. |
275 |
|
276 |
"This technique can also be exploited to circumvent Neighbor Discover |
277 |
monitoring tools such as NDPMon" |
278 |
|
279 |
I don't know so much about this attack, honestly. |
280 |
|
281 |
Re DHCPv6 |
282 |
|
283 |
"It can be exploited in a similar way to Router Advertisement messages." |
284 |
|
285 |
And protected in the same way. |
286 |
|
287 |
Re MLD |
288 |
|
289 |
"Potential issues: If a MLD-snooping switch is employed, MLD could be |
290 |
exploited for Denial of Service attacks." |
291 |
|
292 |
Largely the same class of attacks as if the attacker is on the local |
293 |
segment. Enable MLD snooping if and only if you're willing to expand |
294 |
your attack surface in that way. That's not a difficult question; it's |
295 |
similar to asking whether you want to use a wireless bridge to a wired |
296 |
network, or if you want to use a router instead. |
297 |
|
298 |
Re IPSec |
299 |
|
300 |
"IPsec support is currentlymantatory for IPv6 implementations – the IETF |
301 |
is changing this requirement to “optional” thus acknowledging reality." |
302 |
|
303 |
I have yet to encounter a widely-used IPv6 stack that does not support |
304 |
IPSec. *BSD, Linux and Windows all support it. The idea of it being |
305 |
"optional" is irrelevant to the question of whether it's available for |
306 |
use by servers and desktop machines. |
307 |
|
308 |
"Also, many IPv4 implementations support IPsec, while many IPv6 |
309 |
implementations do not." |
310 |
|
311 |
As I said, I have yet to encounter a widely-used IPv6 stack that doesn't |
312 |
support IPSec. Actually, I haven't encountered *any* IPv6 stack that |
313 |
doesn't support IPSec. I imagine the ones that don't are in things like |
314 |
voip phones. |
315 |
|
316 |
"Most of the key problems (e.g., PKI) for IPsec deployment in IPv4 apply |
317 |
to IPv6, as well." |
318 |
|
319 |
This is true, if you want to use PKI for IPSec deployment. If you're |
320 |
setting up static relationships between campus endpoints, it's not so |
321 |
big a deal. |
322 |
|
323 |
"There is no reason to believe that IPv6 will result in an increased use |
324 |
of IPsec." |
325 |
|
326 |
Bull. The biggest barrier to IPsec use has been NAT! If an intermediate |
327 |
router has to rewrite the packet to change the apparent source and/or |
328 |
destination addresses, then the cryptographic signature will show it, |
329 |
and the packet will be correctly identified as having been tampered with! |
330 |
|
331 |
With IPsec, NAT is unnecessary. (You can still use it if you need |
332 |
it...but please try to avoid it!) |
333 |
|
334 |
Re "DNS support for IPv6" |
335 |
|
336 |
"Increased size of DNS responses due to larger addresses might be |
337 |
exploited for DDos attacks" |
338 |
|
339 |
That's not even significant. Have you looked at the size of DNS |
340 |
responses? The increased size of the address pales in comparison to the |
341 |
amount of other data already stuffed into the packet. |
342 |
|
343 |
Re "IPv6 Transition Co-Existence Technologies" |
344 |
|
345 |
"Original transition plan: deploy IPv6 before we ran out of IPv4 |
346 |
addresses, and eventually turn off IPv4 when no longer needed – it |
347 |
didn’t happen" |
348 |
|
349 |
That's correct; the IPv6 deployment didn't happen when it should have. |
350 |
Instead, a ton of coping mechanisms for a shrinking address pool came |
351 |
around. NAT is the big one. If IPv6 had been deployed early on, people |
352 |
wouldn't think of "one IP address per customer" as the norm...and they |
353 |
shouldn't have to. |
354 |
|
355 |
"An attacker can connect to an IPv4-only network, and forge IPv6 Router |
356 |
Advertisement messages. (*)" |
357 |
|
358 |
Again, this depends on them being on the same layer 2 network segment. |
359 |
|
360 |
The same class of attacks would be possible for any IPv4 successor that |
361 |
implemented either RAs or DHCP. |
362 |
|
363 |
(Yes, you will want to deploy the countermeasures described) |
364 |
|
365 |
(skipping more benign material) |
366 |
|
367 |
Re ISATAP |
368 |
|
369 |
"An attacker could forge name resolution responses to--" |
370 |
|
371 |
Secure your DNS. |
372 |
|
373 |
"This could be used in conjunction with other attacks (e.g. forging DNS |
374 |
responses such that--" |
375 |
|
376 |
Secure your DNS. |
377 |
|
378 |
Re Problems with 6to4 |
379 |
|
380 |
Actually, I'm going to skip most of this and simply acknowledge it: Yes. |
381 |
6to4 sucks. It's terrible and horrible. *Everyone* of low-to-moderate |
382 |
knowledge in IPv6 knows it. Use 6rd instead if you need that kind of |
383 |
tunnel; at least you'll know who to yell at if it breaks. |
384 |
|
385 |
Re Security Implications of Teredo: |
386 |
|
387 |
Yes, Teredo sucks, too. Disable it. |
388 |
|
389 |
Re 'Translation' |
390 |
|
391 |
(pardon the US-centric view, here) All major ISPs have deployed (or are |
392 |
in the process of deploying) native IPv6. Mobile carriers have deployed |
393 |
IPv6. Tunnels will be largely unnecessary. NAT will remain, but it will |
394 |
be more prevalent in IPv4 than in IPv6. |
395 |
|
396 |
Re 'Exploiting Transition Technologies' |
397 |
|
398 |
"Some systems (notably Windows) have support of trnasition technologies |
399 |
enabled by default." |
400 |
|
401 |
Yes. Disable Teredo. I'm not aware any other distro that enables a |
402 |
tunneling protocol by default. |
403 |
|
404 |
(skip benign material.) |
405 |
|
406 |
Re Application-layer protocols |
407 |
|
408 |
"A number of applications may leak IPv6 addresses: E-mail headers, P2P |
409 |
applications" |
410 |
|
411 |
As far as email headers, that's just as in IPv4. You can examine some |
412 |
folks' IPv4 RFC1918 topology by their email headers today, so don't tell |
413 |
me IPv6 brings much new to the table. |
414 |
|
415 |
As for P2P applications, this is actually a good thing; P2P applications |
416 |
can use what they learn for more efficient peer association. |
417 |
|
418 |
(skip the rest, as it's benign) |