IPv6 and security: news from the front – December
Published articles
Jérôme Durand, Routing & Switching Consultant, published an article on the blog Cisco Networks : I tested it for you: IPv6 First Hop Security. After a description of the lab In this article, the author presents Cisco's First Hop Security features, providing configuration examples and scenarios for testing these configurations. The article clearly explains the First Hop Security technologies: IPv6 RA Guard, IPv6 DHCP Guard, IPv6 Binding Identity Guard, and IPv6 Source Guard.
WatchGuard has made its 2013 security forecasts. IPv6 is included: WatchGuard predicts an increase in IPv6-related attacks and that the lack of consideration for IPv6 will open doors for attackers.
Fernando Gont published two documents dealing with NDP security:
- Security Assessment of Neighbor Discovery (ND) for IPv6
- Security/Robustness Assessment of IPv6 Neighbor Discovery Implementations
The first is a draft from the IETF, this document provides a very comprehensive (62 pages) overview of attack possibilities exploiting NDP functionalities. This document focuses solely on the theoretical aspects, while the second presents practical examples for implementing the attacks. These examples are based on the IPv6 Toolkit suite.
Michael Messner, Senior IT Security Consultant at Integralis Deutschland GmbH, wrote an article detailing a penetration testing scenario in an IPv6 environment: IPv6 Pen Testing. It uses only the Metasploit tool and follows this scenario: host scanning (ipv6_multicast_ping and ipv6_neighbor modules), port scanning (tcp module), vulnerability scanning (telnet_encrypt_overflow module), and vulnerability exploitation (telnet_encrypt_keyid module). While not all phases of the scenario are specific to IPv6, the article is interesting and demonstrates that Metasploit is functional in an IPv6 environment.
Conferences
During the conference gogoNET LIVE! 3, Joe Klein, Principal Cyber Security Architect at QinetiQ, gave a presentation: IPv4 vs. IPv6 The Shifting Security Paradigm. He begins by presenting some general information on cybersecurity and defense models, then compares the trust models between IPv4 (trust in networks) and IPv6 (trust in nodes). He then addresses the topic of node discovery in IPv6 and concludes by listing 15 possibilities offered by IPv6 to secure a network.
Tools
A tool, still at the Proof of Concept stage, has been published by Daniel Garcia and Rafael Sanchez: topera. It allows for port scans that are not detected by the Snort NIDS.
The new Linux kernel, version 3.7 now supports NAT with IPv6. Although the use of NAT is generally discouraged, it can be a useful mechanism during penetration testing. For example, some attacks only allow the interception of network traffic in one direction (Rogue RA and ICMPv6 Redirect). Adding a NAT mechanism would allow the interception of traffic in the other direction as well.
Version 2.1 of the tool suite THC-IPv6 has been released. Four new tools are available: dnssecwalk, firewall6, fake_pim6, and ndpexhaust26. Various improvements have also been made to existing tools.
Vulnerabilities
ISC BIND is vulnerable to a denial-of-service attack (crash of daemon) which occurs during the implementation of the DNS64 mechanism: AA-00828, CVE-2012-5688 (CVSS Base = 7.8). Updates fixing the vulnerability are available.
A vulnerability in the Linux kernel has been discovered: CVE-2012-4444. The way in which the overlapping fragments This vulnerability in IPv6 can be exploited to bypass filtering rules. An update fixing the vulnerability is available.
