| 1 |
On 03/08/2013 07:45 PM, Kevin Chadwick wrote: |
| 2 |
>>> What would have been best, could have been done years ago and |
| 3 |
>>> not cost lots of money and even more in security breaches and |
| 4 |
>>> what I meant by ipv5 and would still be better to switch to even |
| 5 |
>>> today with everyone being happy to switch to it is simply ipv4 |
| 6 |
>>> with more bits for address space. |
| 7 |
>> |
| 8 |
>> This should be FAQ entry zero for the IPV6 FAQ... *NO* you can |
| 9 |
>> *NOT* add more bits to IPV4, and still have it backwards |
| 10 |
>> compatable. It won't work... period... end of story. Every piece |
| 11 |
>> of hardware and software that deals with IPV4 has the concept of 32 |
| 12 |
>> bits *HARD-CODED* into it. Switching over to IPV4-extended would be |
| 13 |
>> just as painfull as switching over to IPV6. |
| 14 |
> |
| 15 |
> No it would not, the headers would be different. All the hardware |
| 16 |
> would have already updated because there would be no bad sides and |
| 17 |
> it would have been released something like 15 years ago. But lets |
| 18 |
> not discuss them as we would be here for an eternity and there are |
| 19 |
> already whole websites dedicated to just that. |
| 20 |
|
| 21 |
I don't know, you just dropped the 2-3 most trollish anti-IPv6 posts |
| 22 |
I've ever seen. |
| 23 |
|
| 24 |
|
| 25 |
> |
| 26 |
> I re-iterate it would be worth hardware not being backwards |
| 27 |
> compatible again to go to ipv4 with large address space today. |
| 28 |
|
| 29 |
"IPv4 with large address space" would have taken just as long to deploy; |
| 30 |
it's the hardware support that's held us back the most. |
| 31 |
|
| 32 |
> |
| 33 |
> http://www.hackingipv6networks.com/past-trainings/hip2011-hacking-ipv6-networks.pdf |
| 34 |
> |
| 35 |
> That's just on security. There's a whole bad side to it's |
| 36 |
> functionality too. |
| 37 |
> |
| 38 |
|
| 39 |
Let's discuss security. I'll walk through the slide deck. |
| 40 |
|
| 41 |
"We have much less experience with IPv6 than with IPv4" |
| 42 |
|
| 43 |
That's a meaningless statement... |
| 44 |
|
| 45 |
"IPv6 implementations are much less mature than their IPv4 counterparts." |
| 46 |
|
| 47 |
Only in hardware Software has been much better. Windows has had full |
| 48 |
IPv6 support since Vista. Linux has |
| 49 |
had full IPv6 support for a few years, including IPSec. The software |
| 50 |
implementations are written...the stuff that's still arriving is |
| 51 |
feature-add. |
| 52 |
|
| 53 |
Offload engines and managed switches haven't switched over because |
| 54 |
clients were more interested in putting off a transition (the same |
| 55 |
transition you'd have to go through for IPv4 with extended address |
| 56 |
space) than paying for the upgrades. This would have happened with any |
| 57 |
IPv4 replacement. |
| 58 |
|
| 59 |
"Security products (firewalls, NIDS, etc.) have less support for IPv6 |
| 60 |
than for |
| 61 |
IPv4" |
| 62 |
|
| 63 |
Dedicated commercial products, yes. General-purpose products? Like I |
| 64 |
said, Windows Vista made IPv6 a first-class protocol, including firewall |
| 65 |
support. Linux's implementation is a bit quirky. I don't care for the |
| 66 |
separation between iptables and ip6tables; I think people tend to write |
| 67 |
an iptables script and forget to set up a firewall of any kind for IPv6. |
| 68 |
Most of the builder tools (i.e. fwbuilder), require seperate setup |
| 69 |
between the two, too. |
| 70 |
|
| 71 |
That's why I use sanewall (formerly firehol); defined rules apply to |
| 72 |
both IPv4 and IPv6. |
| 73 |
|
| 74 |
"The complexity of the resulting network will greatly increase during |
| 75 |
the transition/co-existence period:" |
| 76 |
|
| 77 |
Yes, and that would apply to any transition period. |
| 78 |
|
| 79 |
"Lack of trained human resources" |
| 80 |
|
| 81 |
That's why people like me go out and do training sessions. (I'll be at |
| 82 |
Penguicon again this year, if anyone else was thinking about going...) |
| 83 |
That's why Hurricane Electric offers free online certification programs. |
| 84 |
|
| 85 |
Regarding flow labels: |
| 86 |
|
| 87 |
"Currently unused by many stacks – others use it improperly" |
| 88 |
|
| 89 |
Honestly, I don't know about this. It's not something most people will |
| 90 |
need to work with. |
| 91 |
|
| 92 |
"Might be leveraged to perform “dumb” (stealth) address scans" |
| 93 |
|
| 94 |
I don't understand the relevance; you get the same information by |
| 95 |
observing the packet flow without the flow label. |
| 96 |
|
| 97 |
"Might be leveraged to perform Denial of Service attacks" |
| 98 |
|
| 99 |
So might absolutely anything. |
| 100 |
|
| 101 |
Regarding hop limit: |
| 102 |
|
| 103 |
"Could be leveraged for Detecting the Operating System of a remote node" |
| 104 |
|
| 105 |
So can IPv4's TTL, which it's analogous to. |
| 106 |
|
| 107 |
"Could be leveraged for Fingerprinting a remote physical device" |
| 108 |
|
| 109 |
So can IPv4's TTL, which it's analogous to. |
| 110 |
|
| 111 |
"Could be leveraged for Locating a node in the network topology" |
| 112 |
|
| 113 |
tcptraceroute does this with IPv4 TTLs. And traceroute has been doing |
| 114 |
this with IPV4's ICMP echo for decades. |
| 115 |
|
| 116 |
"Could be leveraged for Evading Network Intrusion Detection Systems (NIDS)" |
| 117 |
|
| 118 |
Just like IPv4 TTL. |
| 119 |
|
| 120 |
"Could be leveraged for Reducing the attack exposure of some |
| 121 |
hosts/applications" |
| 122 |
|
| 123 |
Not sure what's being said here, but we're talking about a feature |
| 124 |
directly analogous to IPv4 TTL. |
| 125 |
|
| 126 |
(skipping the remainder of the section, as there's nothing in there |
| 127 |
that's bad that's unique to IPv6) |
| 128 |
|
| 129 |
(skipping the next several sections, as they're just general technical |
| 130 |
training material, and don't discuss security implications) |
| 131 |
|
| 132 |
Re Fragmentation security implications that are different from IPv4: |
| 133 |
|
| 134 |
"The Identification field is much larger: chances of “IP ID collisions” |
| 135 |
are reduced" |
| 136 |
|
| 137 |
Good thing. |
| 138 |
|
| 139 |
"Note: Overlapping fragments have been recently forbidden (RFC 5722) – |
| 140 |
but they are still allowed by many Oses" |
| 141 |
|
| 142 |
This will improve. |
| 143 |
|
| 144 |
"IPv6 Idle scan" |
| 145 |
|
| 146 |
Noted as being applicable to IPv4. |
| 147 |
|
| 148 |
(skipping some general technical material aimed at sysadmin use for |
| 149 |
securing their systems) |
| 150 |
|
| 151 |
(skipping description of IPv6 headers; basic technical information) |
| 152 |
|
| 153 |
(skipping suggested countermeasures for theorized attacks) |
| 154 |
|
| 155 |
"IPv6 can be easily leveraged for evading firewalls." |
| 156 |
|
| 157 |
Not if the firewall is set up properly to begin with. Part of that is |
| 158 |
described in the preceding 'countermeasures' section. Most of the |
| 159 |
remainder is leveraging the same source, dest, port and state data |
| 160 |
that's known in IPv4. Finally, use IPSec if possible. (Right now, IPSec |
| 161 |
is largely useful as a VPN technique natively supported by by layer 3) |
| 162 |
|
| 163 |
"Most likely, firewalls will block packets with extension headersEs muy |
| 164 |
probable que se haga común el filtrado (en firewalls) de paquetes que |
| 165 |
contengan en encabezados de extensión" |
| 166 |
|
| 167 |
Not really; firewalls will continue to be based on known factors, and |
| 168 |
most of the interesting known factors are in the first header, not the |
| 169 |
extension headers. |
| 170 |
|
| 171 |
"The result will be: less flexibility, possibly preventing any use of |
| 172 |
IPv6 exntesion headers" |
| 173 |
|
| 174 |
Extension headers will be used where appropriate. |
| 175 |
|
| 176 |
(skip more benign material) |
| 177 |
|
| 178 |
"Some ICMPv6 messages are assumed to indicate “hard errors”. Some stacks |
| 179 |
used to abort TCP connections when hard errors were |
| 180 |
received. BSD-derived and Linux implementations don’t--Good!" |
| 181 |
|
| 182 |
I believe Windows's stack is based on BSD. I don't know of any stacks |
| 183 |
which do. (None are listed, either) |
| 184 |
|
| 185 |
(skip portion which notes straightforward solutions) |
| 186 |
|
| 187 |
(skip benign material) |
| 188 |
|
| 189 |
Re ICMPv6 Echo Request/Echo response |
| 190 |
|
| 191 |
"Also usually exploited for network reconnaissance" |
| 192 |
|
| 193 |
A.K.A. 'traceroute', a known entity in IPv4. |
| 194 |
|
| 195 |
(skip benign material) |
| 196 |
|
| 197 |
Re Node Information Query/Response |
| 198 |
|
| 199 |
"My take: unless you really need your nodes to support Node Information |
| 200 |
messages, disable it (i.e., “sysctl –w net.inet6.icmp6.nodeinfo=0)." |
| 201 |
|
| 202 |
Or even firewall it off at your network edge, like you would any |
| 203 |
unblessed, unsolicited inbound traffic. |
| 204 |
|
| 205 |
(skip benign material) |
| 206 |
|
| 207 |
Re Address Resolution Games |
| 208 |
|
| 209 |
"Neighbor Cache Poisoning attacks – the v6 version of V4’s ARP cache |
| 210 |
poisoning" |
| 211 |
|
| 212 |
Says it for me...same as IPv4's ARP poisoning. (Incidentally, this is |
| 213 |
the attack bandied about the most by people arguing that IPv6 is insecure) |
| 214 |
|
| 215 |
"Advertising “special” link-layer addresses, e.g.," |
| 216 |
|
| 217 |
That's probably a bug in the implementation. It will be fixed. |
| 218 |
|
| 219 |
"Some implementations (FreeBSD, NetBSD) don’t enforce limits on the |
| 220 |
number of entries that can be created in the Neighbor Cache" |
| 221 |
|
| 222 |
Certainly that will change soon. |
| 223 |
|
| 224 |
(Skipping MitM and DoS discussion, as it's analogous to IPv4's ARP |
| 225 |
poisoning) |
| 226 |
|
| 227 |
"Not much support in layer-2 security boxes to mitigate these attacks" |
| 228 |
|
| 229 |
This is improving. It hadn't shown up yet because commercial purchasers |
| 230 |
had been dragging their feet in demanding their vendors support IPv6 in |
| 231 |
the first place. |
| 232 |
|
| 233 |
(skip more benign material) |
| 234 |
|
| 235 |
"Disable an Existing Router" |
| 236 |
|
| 237 |
Depends on the attacker being on the local network, and is what RAGuard |
| 238 |
is for. |
| 239 |
|
| 240 |
"Exploit DAD for Denial of Service" |
| 241 |
|
| 242 |
This is the first interesting attack I've seen mentioned in the slide |
| 243 |
deck (and I'm on slide 109 out of 167, getting to it). |
| 244 |
|
| 245 |
I don't think there's a way to mitigate against it, except to prevent |
| 246 |
the attacker from getting on layer 2 network in the first place. |
| 247 |
(Entirely doable with things like 802.1x.) |
| 248 |
|
| 249 |
"Advertise Malicious Network Parameters" |
| 250 |
|
| 251 |
Again, what RAGuard is for. |
| 252 |
|
| 253 |
Re Autoconf Addresses & Privacy |
| 254 |
|
| 255 |
"There were concerns that autoconf addresses hurt privacy, as they could |
| 256 |
be used to correlate network activity" |
| 257 |
|
| 258 |
Not all that interesting, actually. That kind of correlating activity is |
| 259 |
happening more effectively with DPI and HTTP request headers, and *that* |
| 260 |
sees through NAT, privacy addresses and proxy servers. |
| 261 |
|
| 262 |
When people express concerns about autoconf addresses to me, I tell them |
| 263 |
that if they're that worried about it, they need to already be using |
| 264 |
source-obfuscating techniques like the Tor network. |
| 265 |
|
| 266 |
(skip benign material) |
| 267 |
|
| 268 |
"The use of a single “Destination Options” header is enough to evade |
| 269 |
most implementations of RA-Guard." |
| 270 |
|
| 271 |
Sadly, that's on the hardware vendors again. Hopefully, the |
| 272 |
commercial-grade vendors will get their crap patched. There's no reason |
| 273 |
(that I know of) for an RA-Guard implementation to need to inspect the |
| 274 |
destination options header. |
| 275 |
|
| 276 |
"This technique can also be exploited to circumvent Neighbor Discover |
| 277 |
monitoring tools such as NDPMon" |
| 278 |
|
| 279 |
I don't know so much about this attack, honestly. |
| 280 |
|
| 281 |
Re DHCPv6 |
| 282 |
|
| 283 |
"It can be exploited in a similar way to Router Advertisement messages." |
| 284 |
|
| 285 |
And protected in the same way. |
| 286 |
|
| 287 |
Re MLD |
| 288 |
|
| 289 |
"Potential issues: If a MLD-snooping switch is employed, MLD could be |
| 290 |
exploited for Denial of Service attacks." |
| 291 |
|
| 292 |
Largely the same class of attacks as if the attacker is on the local |
| 293 |
segment. Enable MLD snooping if and only if you're willing to expand |
| 294 |
your attack surface in that way. That's not a difficult question; it's |
| 295 |
similar to asking whether you want to use a wireless bridge to a wired |
| 296 |
network, or if you want to use a router instead. |
| 297 |
|
| 298 |
Re IPSec |
| 299 |
|
| 300 |
"IPsec support is currentlymantatory for IPv6 implementations – the IETF |
| 301 |
is changing this requirement to “optional” thus acknowledging reality." |
| 302 |
|
| 303 |
I have yet to encounter a widely-used IPv6 stack that does not support |
| 304 |
IPSec. *BSD, Linux and Windows all support it. The idea of it being |
| 305 |
"optional" is irrelevant to the question of whether it's available for |
| 306 |
use by servers and desktop machines. |
| 307 |
|
| 308 |
"Also, many IPv4 implementations support IPsec, while many IPv6 |
| 309 |
implementations do not." |
| 310 |
|
| 311 |
As I said, I have yet to encounter a widely-used IPv6 stack that doesn't |
| 312 |
support IPSec. Actually, I haven't encountered *any* IPv6 stack that |
| 313 |
doesn't support IPSec. I imagine the ones that don't are in things like |
| 314 |
voip phones. |
| 315 |
|
| 316 |
"Most of the key problems (e.g., PKI) for IPsec deployment in IPv4 apply |
| 317 |
to IPv6, as well." |
| 318 |
|
| 319 |
This is true, if you want to use PKI for IPSec deployment. If you're |
| 320 |
setting up static relationships between campus endpoints, it's not so |
| 321 |
big a deal. |
| 322 |
|
| 323 |
"There is no reason to believe that IPv6 will result in an increased use |
| 324 |
of IPsec." |
| 325 |
|
| 326 |
Bull. The biggest barrier to IPsec use has been NAT! If an intermediate |
| 327 |
router has to rewrite the packet to change the apparent source and/or |
| 328 |
destination addresses, then the cryptographic signature will show it, |
| 329 |
and the packet will be correctly identified as having been tampered with! |
| 330 |
|
| 331 |
With IPsec, NAT is unnecessary. (You can still use it if you need |
| 332 |
it...but please try to avoid it!) |
| 333 |
|
| 334 |
Re "DNS support for IPv6" |
| 335 |
|
| 336 |
"Increased size of DNS responses due to larger addresses might be |
| 337 |
exploited for DDos attacks" |
| 338 |
|
| 339 |
That's not even significant. Have you looked at the size of DNS |
| 340 |
responses? The increased size of the address pales in comparison to the |
| 341 |
amount of other data already stuffed into the packet. |
| 342 |
|
| 343 |
Re "IPv6 Transition Co-Existence Technologies" |
| 344 |
|
| 345 |
"Original transition plan: deploy IPv6 before we ran out of IPv4 |
| 346 |
addresses, and eventually turn off IPv4 when no longer needed – it |
| 347 |
didn’t happen" |
| 348 |
|
| 349 |
That's correct; the IPv6 deployment didn't happen when it should have. |
| 350 |
Instead, a ton of coping mechanisms for a shrinking address pool came |
| 351 |
around. NAT is the big one. If IPv6 had been deployed early on, people |
| 352 |
wouldn't think of "one IP address per customer" as the norm...and they |
| 353 |
shouldn't have to. |
| 354 |
|
| 355 |
"An attacker can connect to an IPv4-only network, and forge IPv6 Router |
| 356 |
Advertisement messages. (*)" |
| 357 |
|
| 358 |
Again, this depends on them being on the same layer 2 network segment. |
| 359 |
|
| 360 |
The same class of attacks would be possible for any IPv4 successor that |
| 361 |
implemented either RAs or DHCP. |
| 362 |
|
| 363 |
(Yes, you will want to deploy the countermeasures described) |
| 364 |
|
| 365 |
(skipping more benign material) |
| 366 |
|
| 367 |
Re ISATAP |
| 368 |
|
| 369 |
"An attacker could forge name resolution responses to--" |
| 370 |
|
| 371 |
Secure your DNS. |
| 372 |
|
| 373 |
"This could be used in conjunction with other attacks (e.g. forging DNS |
| 374 |
responses such that--" |
| 375 |
|
| 376 |
Secure your DNS. |
| 377 |
|
| 378 |
Re Problems with 6to4 |
| 379 |
|
| 380 |
Actually, I'm going to skip most of this and simply acknowledge it: Yes. |
| 381 |
6to4 sucks. It's terrible and horrible. *Everyone* of low-to-moderate |
| 382 |
knowledge in IPv6 knows it. Use 6rd instead if you need that kind of |
| 383 |
tunnel; at least you'll know who to yell at if it breaks. |
| 384 |
|
| 385 |
Re Security Implications of Teredo: |
| 386 |
|
| 387 |
Yes, Teredo sucks, too. Disable it. |
| 388 |
|
| 389 |
Re 'Translation' |
| 390 |
|
| 391 |
(pardon the US-centric view, here) All major ISPs have deployed (or are |
| 392 |
in the process of deploying) native IPv6. Mobile carriers have deployed |
| 393 |
IPv6. Tunnels will be largely unnecessary. NAT will remain, but it will |
| 394 |
be more prevalent in IPv4 than in IPv6. |
| 395 |
|
| 396 |
Re 'Exploiting Transition Technologies' |
| 397 |
|
| 398 |
"Some systems (notably Windows) have support of trnasition technologies |
| 399 |
enabled by default." |
| 400 |
|
| 401 |
Yes. Disable Teredo. I'm not aware any other distro that enables a |
| 402 |
tunneling protocol by default. |
| 403 |
|
| 404 |
(skip benign material.) |
| 405 |
|
| 406 |
Re Application-layer protocols |
| 407 |
|
| 408 |
"A number of applications may leak IPv6 addresses: E-mail headers, P2P |
| 409 |
applications" |
| 410 |
|
| 411 |
As far as email headers, that's just as in IPv4. You can examine some |
| 412 |
folks' IPv4 RFC1918 topology by their email headers today, so don't tell |
| 413 |
me IPv6 brings much new to the table. |
| 414 |
|
| 415 |
As for P2P applications, this is actually a good thing; P2P applications |
| 416 |
can use what they learn for more efficient peer association. |
| 417 |
|
| 418 |
(skip the rest, as it's benign) |
Archives