nanog mailing list archives

From: "J. Oquendo" <sil () politrix org>
Date: Fri, 31 Dec 2004 20:12:48 -0500 (EST)

Re: IPv6, IPSEC and deep packet inspection

On Fri, 31 Dec 2004 bmanning () vacation karoshi com wrote:

> as one who has been "bit" by this already - i can say amen to
> what Rob preacheth...  the hardest part is getting folks up to
> speed on IPv6 as a threat vector.  Swat teams that can neutralize
> an IPv4 based flareup in minutes/hours can take days/weeks to
> contain a v6 channel...

Supposedly the vulns associated with IPv6 are: reconnaissance, unauth'd
access, layers 3-4 spoofing, ARP and DHCP attacks, smurfs, routing
attacks, viruses and worms, translations, transitions, and tunneling
mechanisms, according to Sean Convery's IPv6 Security Threats
(http://www.seanconvery.com/SEC-2003.pdf).

I recall something with OpenBSD and IPv6 not too long ago where MTU was a
factor, so I pondered: if someone created a packet generator which spoofed
source to destination using random checksums, etc., but set an MTU too
high, would the recipient drop the connection altogether? For example:

// BEGIN EXAMPLE //

USER -- HOP1 -- HOP2 -- HOP3 -- PAYSITE

USER has an established connection (IPv6 of course) with PAYSITE

ATKR sends enough spoofed packets as USER to PAYSITE with an incremented
checksum he managed to get hold of via a network analyzer, and sets a high
MTU, which some router en route to PAYSITE replies to USER with a Type 2

USER gets Type 2's from either HOP1, HOP2, or HOP3

USER never gets through to PAYSITE because of ATKR's cruddy packets

// END EXAMPLE //

Wouldn't PAYSITE disconnect the session with USER? I'm thinking indeed it
would break any session for starters. ATKR could be on the same network,
possibly a virus or worm set to capture some preliminary packet
information and shoot it right back upstream, keeping any kind of
handshaking/transactions from occurring. I could/would do a proof of
concept but it would be worthless; hopefully those doing the protocols
thought of this anyway.

NOW...

On Sat, 1 Jan 2005, Christopher L. Morrow wrote:

> Some of this 'not follow it now' is partly due to equipment problems.
> These problems should be disappearing from many larger networks as new
> gear is cycled in over the next couple of years. The option will then be
> available to the engineers that operate the networks, they will likely
> still prefer the 'closest to the end system router' make the filtering
> decision though.

I think I've mentioned this before... Why isn't it standard by default? To
which most replied about the ever-changing BOGON addresses. It would be
nice to see a "Trusted" repository that all equipment could pass
information to and from.

> your company likely has this capability, or could have it today... They
> also likely don't want you wasting company time buying things on ebay or
> amazon... your company, in the US, likely has this in their HR/Employee
> handbook in the form of some 'corporate assets are for corporate use only'
> statement.

Indeed no one wants their resources wasted, but what about those in the
financial industries where monetary information is being sent? Surely no
one wants that information being passed. On that note of network "waste",
for those who do have those types of policies, that's what content
management is for in my opinion. If it hasn't been fully implemented, then
why call the kettle black?

Once again... Happy New Year everyone... Going going gone...

Jesus Oquendo

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99

CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey
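A defender-side check for the Type 2 scenario in the post above, added here as an example and not part of the post or the thread. It models what a host should do before honouring an ICMPv6 Packet Too Big: confirm the message quotes a segment of one of its own live connections with a sequence number still in flight, and ignore MTUs below the 1280-byte IPv6 minimum (the checks follow RFC 4443's invoking-packet rule, RFC 8201's minimum MTU, and the TCP sequence check RFC 5927 recommends). The names TcpFlow, validate_ptb and build_ptb, the 2001:db8:: addresses and the flow state are all constructed for this example.

```python
import struct
from dataclasses import dataclass

IPV6_MIN_MTU = 1280  # RFC 8201: every IPv6 link must carry at least this

@dataclass
class TcpFlow:
    src: bytes; dst: bytes; sport: int; dport: int  # our side is src
    snd_una: int; snd_nxt: int  # oldest unacked seq, next seq to send

def validate_ptb(msg: bytes, flows: list) -> tuple:
    """Decide whether an ICMPv6 Type 2 (Packet Too Big) may update our path MTU."""
    if len(msg) < 8 + 40 + 20:
        return False, "truncated: invoking IPv6+TCP header missing"
    icmp_type, code, _csum, mtu = struct.unpack("!BBHI", msg[:8])
    if icmp_type != 2 or code != 0:
        return False, "not a Packet Too Big message"
    if mtu < IPV6_MIN_MTU:
        return False, "MTU below IPv6 minimum, ignore"
    inner = msg[8:]                    # start of the packet *we* supposedly sent
    if inner[6] != 6:                  # Next Header must be TCP for this check
        return False, "invoking packet is not TCP"
    src, dst = inner[8:24], inner[24:40]
    sport, dport, seq = struct.unpack("!HHI", inner[40:48])
    for f in flows:
        if (f.src, f.dst, f.sport, f.dport) == (src, dst, sport, dport):
            # Only a segment really in flight can be "too big"; a sniffer that
            # saw ports but not live seqs fails here. (No 32-bit wrap handling.)
            if not f.snd_una <= seq < f.snd_nxt:
                return False, "sequence outside send window: likely forged"
            return True, f"apply path MTU {mtu}"
    return False, "no matching connection"

def build_ptb(mtu, src, dst, sport, dport, seq) -> bytes:
    """Constructed sample PTB (checksum left zero; test data only)."""
    ip6 = struct.pack("!IHBB", 0x60000000, 20, 6, 64) + src + dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 8192, 0, 0)
    return struct.pack("!BBHI", 2, 0, 0, mtu) + ip6 + tcp

# Constructed state: USER (2001:db8::1) has a session open to PAYSITE (2001:db8::2).
USER = b"\x20\x01\x0d\xb8" + bytes(11) + b"\x01"
PAYSITE = b"\x20\x01\x0d\xb8" + bytes(11) + b"\x02"
FLOWS = [TcpFlow(USER, PAYSITE, 50000, 443, snd_una=1000, snd_nxt=5000)]
GENUINE_PTB = build_ptb(1400, USER, PAYSITE, 50000, 443, 2000)   # from a real hop
FORGED_PTB = build_ptb(1400, USER, PAYSITE, 50000, 443, 99999)   # ATKR guessed seq

if __name__ == "__main__":
    for name, m in (("genuine", GENUINE_PTB), ("forged", FORGED_PTB)):
        print(name, validate_ptb(m, FLOWS))
```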
