Honeypots mailing list archives

Re: IPv6


From: Valdis.Kletnieks () vt edu
Date: Fri, 20 Dec 2002 08:45:10 -0500

On Wed, 18 Dec 2002 18:03:18 EST, Jose Nazario <jose () monkey org>  said:
> IPv6 has optional headers, which means the IDS (or really any security
> device) will have to do a lot of stateful analysis of the IPv6 traffic it
> sees. so far, the only IPv6 security discussions i have seen are all about
> IPsec. anyone have anything GOOD on securing IPv6 networks?

There's probably not a lot out there.  This is probably because most people
think that for the most part, securing an IPv6 network is really almost
the same thing as securing an IPv4 network.  There's only a few real classes
of attacks:

1) Attacks that exploit some brokenness of the protocol itself (for instance,
Smurf using what was a bad choice of default for pings to a broadcast address).

2) Attacks that exploit a bug in a broken stack (for instance, the original
'ping-of-death').

3) Attacks that happen to use a given protocol stack to deliver malicious
data to an application listening on a port.  For instance, I suspect that
last week's round of SSH bugs will work equally well over IPv6 if the SSH
supports IPv6 connections.

(3) is protocol-agnostic, (2) can't really be secured against before the
fact, as the proper fix is to patch the systems when a problem is found,
and (1) we don't have any data on yet. ;)

And let's face it - there's only a limited amount you can do to *secure*
the network before it becomes time to bite the bullet and start using IPSec. ;)

As far as *monitoring* the net - all you have to do is make sure your IDS
knows about all protocols that you're using/routing.  There's nothing mystical
about IPv6-over-IPv4 tunnelling that's a totally new idea - we've seen plenty
of tunnelling in the IPv4 world already - telnet-over-DNS-queries, transferring
data inside ICMP packets, etc etc etc.

Move along folks, nothing to see... Move along.. nothing to see... :)
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
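As an added illustration of the two points raised in the thread (the optional header chain an IDS has to walk, and IPv6-over-IPv4 tunnelling being just another encapsulation the IDS must know about), here is example code written for this archive page, not code from either poster. It walks the IPv6 extension-header chain to the real upper-layer protocol and recognises 6in4 (IPv4 protocol 41) wrapping; the packet bytes are constructed inline.

```python
import struct

# IPv6 extension headers that sit between the fixed header and the transport layer
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dst-options"}
IPV6_IN_IPV4 = 41  # IPv4 protocol number used for 6in4 tunnelling

def walk_ipv6(pkt, offset=0):
    """Follow the extension-header chain; return (names, upper-layer proto, payload offset)."""
    nxt = pkt[offset + 6]          # Next Header field of the fixed 40-byte IPv6 header
    offset += 40
    chain = []
    while nxt in EXT_HEADERS:
        if offset + 2 > len(pkt):  # a truncated chain must not be silently treated as clean
            raise ValueError("truncated IPv6 extension header chain")
        chain.append(EXT_HEADERS[nxt])
        # Fragment header is a fixed 8 bytes; the others carry length in 8-octet units (excluding the first 8)
        hlen = 8 if nxt == 44 else (pkt[offset + 1] + 1) * 8
        nxt = pkt[offset]
        offset += hlen
    return chain, nxt, offset

def classify(pkt):
    """Return where the transport payload starts and what wraps it, for IPv4, IPv6 and 6in4."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        proto = pkt[9]
        if proto == IPV6_IN_IPV4:                      # IPv6 carried inside IPv4: keep going
            chain, upper, off = walk_ipv6(pkt, ihl)
            return {"tunnel": "6in4", "ext": chain, "upper": upper, "payload_off": off}
        return {"tunnel": None, "ext": [], "upper": proto, "payload_off": ihl}
    if version == 6:
        chain, upper, off = walk_ipv6(pkt, 0)
        return {"tunnel": None, "ext": chain, "upper": upper, "payload_off": off}
    raise ValueError("not an IP packet")

def build_sample():
    """Constructed packet: IPv4(proto 41) / IPv6 / Hop-by-Hop / Fragment / TCP to port 22."""
    tcp = b"\x04\xd2\x00\x16" + bytes(16)               # minimal 20-byte TCP header, dport 22
    frag = struct.pack("!BBHI", 6, 0, 0, 1)             # next=TCP(6), fixed 8 bytes
    hbh = bytes([44, 0, 1, 2, 0, 0, 0, 0])              # next=Fragment(44), len 0 -> 8 bytes, PadN
    ip6 = struct.pack("!IHBB", 0x60000000, len(hbh) + len(frag) + len(tcp), 0, 64) + bytes(32)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip6) + len(hbh) + len(frag) + len(tcp),
                      0, 0, 64, IPV6_IN_IPV4, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    return ip4 + ip6 + hbh + frag + tcp

if __name__ == "__main__":
    print(classify(build_sample()))
```

An IDS that only checked the outer IPv4 protocol field would file this packet under "protocol 41" and never see the TCP/22 segment behind two extension headers.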
