Honeypots mailing list archives
Re: IPv6
From: Valdis.Kletnieks () vt edu
Date: Fri, 20 Dec 2002 08:45:10 -0500
On Wed, 18 Dec 2002 18:03:18 EST, Jose Nazario <jose () monkey org> said:
> IPv6 has optional headers, which means the IDS (or really any security device) will have to do a lot of stateful analysis of the IPv6 traffic it sees. so far, the only IPv6 security discussions i have seen are all about IPsec. anyone have anything GOOD on securing IPv6 networks?
There's probably not a lot out there. This is probably because most people think that for the most part, securing an IPv6 network is really almost the same thing as securing an IPv4 network. There's only a few real classes of attacks:

1) Attacks that exploit some brokenness of the protocol itself (for instance, Smurf using what was a bad choice of default for pings to a broadcast address).

2) Attacks that exploit a bug in a broken stack (for instance, the original 'ping-of-death').

3) Attacks that happen to use a given protocol stack to deliver malicious data to an application listening on a port. For instance, I suspect that last week's round of SSH bugs will work equally well over IPv6 if the SSH supports IPv6 connections.

(3) is protocol-agnostic, (2) can't really be secured against before the fact, as the proper fix is to patch the systems when a problem is found, and (1) we don't have any data on yet. ;)

And let's face it - there's only a limited amount you can do to *secure* the network before it becomes time to bite the bullet and start using IPSec. ;)

As far as *monitoring* the net - all you have to do is make sure your IDS knows about all protocols that you're using/routing. There's nothing mystical about IPv6-over-IPv4 tunnelling that's a totally new idea - we've seen plenty of tunnelling in the IPv4 world already - telnet-over-DNS-queries, transferring data inside ICMP packets, etc etc etc.

Move along folks, nothing to see... Move along.. nothing to see... :)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
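As an added example (not part of the original message): what the monitoring side of this exchange involves, unwrapping IPv6-over-IPv4 (IP protocol 41) and walking the IPv6 extension header chain to reach the upper-layer protocol. The function names and the sample packets are constructed for illustration.

```python
import struct

# Headers sized as (Hdr Ext Len + 1) * 8 octets (RFC 8200).
GENERIC_EXT = {0: "hop-by-hop", 43: "routing", 60: "dest-opts"}
FRAGMENT, AH, IPV6_IN_IPV4 = 44, 51, 41

def walk_ipv6(pkt):
    """Return (extension_chain, upper_layer_protocol) for a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in GENERIC_EXT or nxt in (FRAGMENT, AH):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:
            name, size = "fragment", 8                  # fixed size
        elif nxt == AH:
            name, size = "ah", (pkt[off + 1] + 2) * 4   # length in 32-bit words
        else:
            name, size = GENERIC_EXT[nxt], (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):
            raise ValueError("extension header runs past end of packet")
        chain.append(name)
        nxt, off = pkt[off], off + size
    return chain, nxt   # nxt may be ESP (50) or No Next Header (59)

def inspect(pkt):
    """Classify a raw IP packet, unwrapping IPv6-in-IPv4 (protocol 41) first."""
    tunnelled = False
    if pkt and pkt[0] >> 4 == 4:
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            raise ValueError("bad IPv4 header")
        if pkt[9] != IPV6_IN_IPV4:
            return {"tunnelled": False, "chain": [], "upper": pkt[9]}
        pkt, tunnelled = pkt[ihl:], True
    chain, upper = walk_ipv6(pkt)
    return {"tunnelled": tunnelled, "chain": chain, "upper": upper}

# Constructed sample: IPv6 -> hop-by-hop -> dest-opts -> TCP, all-zero addresses.
_ext = bytes([60, 0]) + bytes(6) + bytes([6, 0]) + bytes(6) + bytes(20)
SAMPLE_V6 = struct.pack("!IHBB", 0x60000000, len(_ext), 0, 64) + bytes(32) + _ext
# The same packet carried inside a constructed IPv4 header with protocol 41.
SAMPLE_TUNNEL = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(SAMPLE_V6),
                            0, 0, 64, 41, 0, bytes(4), bytes(4)) + SAMPLE_V6

if __name__ == "__main__":
    print(inspect(SAMPLE_V6))
    print(inspect(SAMPLE_TUNNEL))
```

The walk stops at ESP because everything after it is encrypted, and for a non-first fragment the returned protocol number is known but the upper-layer header itself is not in that packet.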