Honeypots mailing list archives

Re: IPv6


From: Valdis.Kletnieks () vt edu
Date: Fri, 20 Dec 2002 12:13:10 -0500

On Fri, 20 Dec 2002 08:12:31 -0200, mb_lima said:

> The situation is much more complex. In IPv6 protocol, IPSEC
> is mandatory. So, the attacker can use DES or other to cipher
> all traffic tunneled.

A quick clarification: Support for IPSec is mandatory.  You can't call it IPv6
without a certain minimum level of IPSec support.  It is *NOT* mandatory that
an IPv6 connection use IPSec.  On the other hand, especially with Microsoft
shipping IPSec, there's more IPSec boxes on IPv4 than there are on IPv6.

So it's hardly "a new problem".

> I think that several "new" security
> problems will happen in the IPv4-IPv6 transition. Using the
> transition mechanisms (6to4, for example) networks can
> introduce a backdoor via IPv6 networks.

They will be "new" only to people who haven't been paying attention.

"introducing a backdoor" is news only if you've never seen some of the
creative tunnelling *already* being done on IPv4 (piggybacking on DNS
queries or ICMP come to mind).

> of your question/comment yes they have to come in over IPv4,

This sort of thinking is more likely to trip you up than any IPv6 specific
issues.

They could quite easily come *IN* over IPv6 if your site has such
connectivity (and more and more sites *are* connected).  It's even
possible that your network people started deploying/testing IPv6 without
telling you security people.

Do you know *for a fact* that your site does *NOT* have a 6to4 tunnel
to the 6bone already running?

But this isn't anything new either - how many sites have gotten whacked
because "the firewall will stop everything" only to find out there's an
unauthorized modem with auto-answer set? ;)

(At least locally, they *could* come in over IPv6 if they are connecting to
a machine that is doing IPv6:

% traceroute6 www.linux-ipv6.org
traceroute to nezu.linux-ipv6.org (2001:200:0:1c01:2b0:d0ff:fe23:d5e5) from 3ffe:2900:5005:1342:206:5bff:feea:8e4e, 30 hops max, 16 byte packets
 1  isb-7507-3.fa1-0-0.103.cns.ip6.vt.edu (3ffe:2900:5005:1342:280:1cff:fe15:5820)  1.583 ms  0.556 ms  0.466 ms
 2  3ffe:2900:5:5::1 (3ffe:2900:5:5::1)  8.077 ms  8.394 ms  8.164 ms
 3  3ffe:2900:b:e::2 (3ffe:2900:b:e::2)  71.652 ms  72.054 ms  72.169 ms
 4  plt6-gate0.IIJ.Net (2001:240:100:2000::1)  72.323 ms  72.453 ms  72.347 ms
 5  otm6-bb0.IIJ.Net (2001:240:100:fffe::ff)  231.823 ms otm6-bb1.IIJ.Net (2001:240:100:ffff::ff)  186.082 ms otm6-bb0.IIJ.Net (2001:240:100:fffe::ff)  231.111 ms
 6  otm6-gate0.IIJ.Net (2001:240:100::204)  186.891 ms  154.93 ms  187.927 ms
 7  hitachi1.otemachi.wide.ad.jp (2001:200:0:1800::9c4:2)  234.284 ms  212.636 ms  234.414 ms
 8  2001:200:0:1c04:260:3eff:fe4e:3048 (2001:200:0:1c04:260:3eff:fe4e:3048)  212.465 ms  269.115 ms  212.775 ms
 9  2001:200:0:1c01:2b0:d0ff:fe23:d5e5 (2001:200:0:1c01:2b0:d0ff:fe23:d5e5)  235.061 ms  213.192 ms  234.835 ms

My laptop is in Virginia, the other end of that is in Japan. I'll let you figure
out for yourselves which hops are natively routed and which are 6to4 tunnels ;)
-- 
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
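An added example (not part of the archived message, and not Virginia Tech's or the list's code) for the question Valdis raises above: how do you know, as a fact, that there is no 6to4 or other IPv6-in-IPv4 tunnel running through your site? 6to4 (RFC 3056) and configured tunnels both ride on IPv4 protocol number 41, so a capture of your IPv4 border traffic can be audited for it. The script below parses raw IPv4 packets, flags protocol-41 encapsulation, decodes the IPv4 address embedded in a 2002::/16 6to4 source, and checks it against the outer IPv4 source (the consistency check recommended in RFC 3964; a mismatch is spoofed or misrouted 6to4). The packets in `SAMPLE_CAPTURE` are constructed test data using documentation address ranges; in real use, feed it packets read from a pcap.

```python
"""Audit captured IPv4 packets for IPv6-in-IPv4 (protocol 41 / 6to4) tunnels.

Added example; SAMPLE_CAPTURE is constructed inline, not a real capture.
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41                                 # IPv6 carried directly in IPv4
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")    # RFC 3056: 2002:V4ADDR::/48


def parse_ipv4(raw):
    """Return (proto, src, dst, payload) for one IPv4 packet, or None if not IPv4."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4                     # header length in bytes
    proto = raw[9]
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    return proto, src, dst, raw[ihl:]


def parse_ipv6(raw):
    """Return (src, dst, next_header) for an IPv6 header, or None if malformed."""
    if len(raw) < 40 or raw[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(raw[8:24]), ipaddress.IPv6Address(raw[24:40]), raw[6]


def embedded_v4(addr):
    """For a 6to4 address 2002:WWXX:YYZZ::/48 return IPv4 WW.XX.YY.ZZ, else None."""
    if addr in SIXTOFOUR:
        return ipaddress.IPv4Address(addr.packed[2:6])
    return None


def classify(raw):
    """Classify one IPv4 packet: None for non-tunnel traffic, else a finding dict."""
    parsed = parse_ipv4(raw)
    if parsed is None:
        return None
    proto, v4src, v4dst, payload = parsed
    if proto != IPPROTO_IPV6:
        return None
    inner = parse_ipv6(payload)
    if inner is None:
        return {"kind": "proto41-malformed", "outer": (str(v4src), str(v4dst))}
    v6src, v6dst, _ = inner
    emb = embedded_v4(v6src)
    if emb is None:
        kind = "proto41-tunnel"          # configured or other IPv6-in-IPv4 tunnel
    elif emb == v4src:
        kind = "6to4"                    # embedded IPv4 matches outer source (RFC 3964)
    else:
        kind = "6to4-src-mismatch"       # embedded IPv4 != outer source: spoofed/misrouted
    return {"kind": kind, "outer": (str(v4src), str(v4dst)), "inner": (str(v6src), str(v6dst))}


def build_ipv4(proto, src, dst, payload):
    """Constructed sample: minimal 20-byte IPv4 header (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_header=59, payload=b""):
    """Constructed sample: 40-byte IPv6 header (next header 59 = none)."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


# Constructed capture (documentation ranges): one benign, three protocol-41 packets.
SAMPLE_CAPTURE = [
    build_ipv4(6, "192.0.2.10", "198.51.100.5", b"\x00" * 20),          # plain TCP
    build_ipv4(41, "192.0.2.10", "192.88.99.1",                          # 6to4 to the
               build_ipv6("2002:c000:20a::1", "2001:db8::1")),           # RFC 3068 relay
    build_ipv4(41, "198.51.100.7", "192.88.99.1",                        # 6to4 prefix says
               build_ipv6("2002:c000:20a::1", "2001:db8::1")),           # 192.0.2.10: mismatch
    build_ipv4(41, "203.0.113.2", "203.0.113.9",                         # configured tunnel
               build_ipv6("3ffe:2900:5:5::2", "3ffe:2900:5:5::1")),
]


def audit(capture):
    """Return all tunnel findings for a list of raw IPv4 packets."""
    return [f for f in (classify(pkt) for pkt in capture) if f is not None]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE):
        print(finding)
```

Anything reported as "proto41-tunnel" or "6to4" that the network group cannot account for is exactly the unannounced IPv6 connectivity the message warns about; "6to4-src-mismatch" should never appear from your own hosts and is worth a closer look on its own.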
