Full Disclosure mailing list archives
Re: Hacking IPv6 Networks (slides)
From: Fernando Gont <fgont () si6networks com>
Date: Tue, 09 Aug 2011 18:03:19 -0300
Hi, Roland,

Thanks so much for your e-mail! Please find my comments inline...

On 08/09/2011 03:32 PM, Dobbins, Roland wrote:
> 1. By prepending lots of extension headers to packets, it may be possible to exhaust router ASIC/TCAM capacity, causing the traffic in question to be punted to the RP and thus leading to a DoS condition.
Agreed. -- Which makes one wonder a bit about the "streamlined header blah blah" that one usually hears :-) (ok, it's "streamlined" in a world in which attackers do not exist :-) )
> 2. The consonance of the English letters 'B', 'C', 'D', & 'E' is likely to result in untold billions of dollars of opex related to misconfigurations, outages, improper access policies contributing to security breaches, etc. Whenever possible, IPv6 address-/netblock-related information should be transmitted in written form, not verbally.
Hadn't thought about this one. Good grief :-)
> 3. BGP and IGP mining can also be useful for hinted scanning.
Yes, this would be another one to add to the list of "IPv6 addresses leaked by application protocols".
> 4. The numerous instantiations of additional state being added to networks in the form of 6-to-4 gateways, CGNs, et al. as a result of IPv4 address exhaustion and IPv6 transition greatly increase the DoS risk, as well.
Agreed. At least in the short and near term, NAT usage will only increase despite the claims of "return to the e2e internet" (I have commented a bit about this one in http://searchenterprisewan.techtarget.com/tip/Why-IPv6-wont-rid-the-Internet-of-Network-Address-Translation). -- And it's not just the additional state... it's the increased complexity of the resulting "system" (the Internet). Even for troubleshooting it will become more and more painful.
> There's already far too much of this in the mobile/wireless world, resulting in numerous DoS conditions on those networks caused by portscans/hostscans/outbound & crossbound DDoS attacks initiated by botted hosts; now it's going to become even more common in the wireline world, as well.
It has been relieving to read your post, I must admit :-) -- particularly when at least half of the stuff that usually gets published about IPv6 security has to do with how the mandatory-ness of IPsec is going to save us all. :-)

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont () si6networks com
web: http://www.si6networks.com
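
Added example, not part of the original message or thread: a Python function that walks the extension header chain discussed in point 1 and flags packets whose chain exceeds a local policy limit, the kind of check a monitoring tap or filter can apply before such traffic reaches a router's slow path. The names ext_header_chain and sample_packet, the max_headers threshold and the sample packets are assumptions made for illustration; only hop-by-hop, routing, destination options and fragment headers are handled.

```python
import struct

# Extension headers that use the generic (Next Header, Hdr Ext Len) layout.
GENERIC = {0: "hop-by-hop", 43: "routing", 60: "dest-opts"}
FRAGMENT = 44  # fixed 8-byte header, no length field

def ext_header_chain(packet: bytes, max_headers: int = 3):
    """Walk the extension header chain of a raw IPv6 packet.

    Returns (chain, upper_layer_protocol, chain_bytes, over_limit).
    max_headers is a hypothetical local policy value, not a standard.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = packet[6], 40, []
    while next_hdr in GENERIC or next_hdr == FRAGMENT:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header chain")
        if next_hdr == FRAGMENT:
            name, length = "fragment", 8
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
        else:
            name, length = GENERIC[next_hdr], (packet[offset + 1] + 1) * 8
            frag_offset = 0
        if offset + length > len(packet):
            raise ValueError("truncated extension header chain")
        chain.append(name)
        next_hdr, offset = packet[offset], offset + length
        if frag_offset:  # non-first fragment: what follows is not a header
            break
    return chain, next_hdr, offset - 40, len(chain) > max_headers

def sample_packet(n_dest_opts: int) -> bytes:
    """Constructed input: n destination-options headers, then a UDP header."""
    exts = b""
    for i in range(n_dest_opts):
        nxt = 60 if i < n_dest_opts - 1 else 17
        exts += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])  # 8 bytes, PadN padding
    payload = exts + struct.pack("!HHHH", 1024, 53, 8, 0)
    first = 60 if n_dest_opts else 17
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first, 64)
    return fixed + bytes(32) + payload  # all-zero addresses (constructed)

if __name__ == "__main__":
    for n in (0, 2, 5):
        print(n, ext_header_chain(sample_packet(n)))
```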