Honeypots mailing list archives
Re: IPv6
From: Valdis.Kletnieks () vt edu
Date: Fri, 20 Dec 2002 12:13:10 -0500
On Fri, 20 Dec 2002 08:12:31 -0200, mb_lima said:
> The situation is much more complex. In IPv6 protocol, IPSEC is mandatory. So, the attacker can use DES or other to cipher all traffic tunneled.
A quick clarification: Support for IPSec is mandatory. You can't call it IPv6 without a certain minimum level of IPSec support. It is *NOT* mandatory that an IPv6 connection use IPSec. On the other hand, especially with Microsoft shipping IPSec, there's more IPSec boxes on IPv4 than there are on IPv6. So it's hardly "a new problem".
> I think that several "new" security problems will happen in the IPv4-IPv6 transition. Using the transition mechanisms (6to4, for example), networks can introduce a backdoor via IPv6 networks.
They will be "new" only to people who haven't been paying attention. "introducing a backdoor" is news only if you've never seen some of the creative tunnelling *already* being done on IPv4 (piggybacking on DNS queries or ICMP come to mind).
> of your question/comment yes they have to come in over IPv4,
This sort of thinking is more likely to trip you up than any IPv6 specific issues. They could quite easily come *IN* over IPv6 if your site has such connectivity (and more and more sites *are* connected). It's even possible that your network people started deploying/testing IPv6 without telling you security people. Do you know *for a fact* that your site does *NOT* have a 6to4 tunnel to the 6bone already running?

But this isn't anything new either - how many sites have gotten whacked because "the firewall will stop everything" only to find out there's an unauthorized modem with auto-answer set? ;)

(At least locally, they *could* come in over IPv6 if they are connecting to a machine that is doing IPv6:

% traceroute6 www.linux-ipv6.org
traceroute to nezu.linux-ipv6.org (2001:200:0:1c01:2b0:d0ff:fe23:d5e5) from 3ffe:2900:5005:1342:206:5bff:feea:8e4e, 30 hops max, 16 byte packets
 1  isb-7507-3.fa1-0-0.103.cns.ip6.vt.edu (3ffe:2900:5005:1342:280:1cff:fe15:5820)  1.583 ms  0.556 ms  0.466 ms
 2  3ffe:2900:5:5::1 (3ffe:2900:5:5::1)  8.077 ms  8.394 ms  8.164 ms
 3  3ffe:2900:b:e::2 (3ffe:2900:b:e::2)  71.652 ms  72.054 ms  72.169 ms
 4  plt6-gate0.IIJ.Net (2001:240:100:2000::1)  72.323 ms  72.453 ms  72.347 ms
 5  otm6-bb0.IIJ.Net (2001:240:100:fffe::ff)  231.823 ms
    otm6-bb1.IIJ.Net (2001:240:100:ffff::ff)  186.082 ms
    otm6-bb0.IIJ.Net (2001:240:100:fffe::ff)  231.111 ms
 6  otm6-gate0.IIJ.Net (2001:240:100::204)  186.891 ms  154.93 ms  187.927 ms
 7  hitachi1.otemachi.wide.ad.jp (2001:200:0:1800::9c4:2)  234.284 ms  212.636 ms  234.414 ms
 8  2001:200:0:1c04:260:3eff:fe4e:3048 (2001:200:0:1c04:260:3eff:fe4e:3048)  212.465 ms  269.115 ms  212.775 ms
 9  2001:200:0:1c01:2b0:d0ff:fe23:d5e5 (2001:200:0:1c01:2b0:d0ff:fe23:d5e5)  235.061 ms  213.192 ms  234.835 ms

My laptop is in Virginia, the other end of that is in Japan. I'll let you figure out for yourselves which hops are natively routed and which are 6to4 tunnels ;)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
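Added example, not part of the original message: one way to answer the "do you know for a fact" question from a packet capture. It flags IPv4 packets carrying encapsulated IPv6 (IP protocol 41, used by 6to4 and by configured tunnels) and, for 6to4 sources in 2002::/16, compares the embedded IPv4 address with the outer source. The function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_41 = 41  # IPv4 protocol number for encapsulated IPv6 (6to4, configured tunnels)
SIXTO4 = ipaddress.ip_network("2002::/16")

def embedded_v4(addr):
    """Return the IPv4 address embedded in a 6to4 address (bits 16..47), else None."""
    if addr in SIXTO4:
        return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
    return None

def inspect_packet(pkt):
    """Parse one raw IPv4 packet; return a summary dict if it tunnels IPv6, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # IPv4 header length, options included
    if ihl < 20 or pkt[9] != PROTO_41:
        return None
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None                      # truncated, or payload is not IPv6
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    outer_dst = ipaddress.IPv4Address(pkt[16:20])
    in_src = ipaddress.IPv6Address(inner[8:24])
    in_dst = ipaddress.IPv6Address(inner[24:40])
    v4 = embedded_v4(in_src)
    return {
        "outer": (str(outer_src), str(outer_dst)),
        "inner": (str(in_src), str(in_dst)),
        "next_header": inner[6],
        "is_6to4": v4 is not None,
        # For a 6to4 source the embedded IPv4 should equal the outer source;
        # a mismatch suggests a spoofed inner address.
        "embedded_v4_matches_outer": None if v4 is None else v4 == outer_src,
    }

def build_sample(outer_src, outer_dst, in_src, in_dst):
    """Constructed packet: 20-byte IPv4 header (checksum left 0) + bare IPv6 header."""
    v6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
          + ipaddress.IPv6Address(in_src).packed + ipaddress.IPv6Address(in_dst).packed)
    v4 = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, PROTO_41, 0)
          + ipaddress.IPv4Address(outer_src).packed + ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6

if __name__ == "__main__":
    print(inspect_packet(build_sample("192.0.2.1", "198.51.100.1",
                                      "2002:c000:201::1", "2001:db8::1")))
```

Feeding it the IPv4 packets seen at the site border gives a list of every tunnel endpoint pair in use, authorised or not.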