New release : CTI Report - Pharmaceutical and drug manufacturing 

                 Download now

IPv6 and security: news from the front

December 15, 2011

IPv6 and security: news from the front

For several years, Intrinsec has been interested in IPv6 and the impact of this protocol on information systems security. In response to current demands and to anticipate future ones, we are intensifying our work in this area.

That's why we'll regularly publish articles covering current events related to IPv6 and its impact on security. Here's the first in this series.

Items published

Fernando Gont published an article discussing the impact of IPv6 on firewalls: IPv6 firewall security: Fixing issues introduced by the new protocol. The main idea is that analyzing an IPv6 packet is more complex and resource-intensive than an IPv4 packet. This is primarily due to the need to analyze all Extension Headers before information about the Layer 4 transport protocol can be obtained. The IPv4/IPv6 transition technologies also introduce their own set of complications. Consequently, there are potentially more opportunities for denial-of-service attacks and firewall evasion.

Marc Heuse updated the slideshow which he had presented at IPv6-Kongress last May: IPv6: Vulnerabilities, Failures – and a Future?. He gives a quick introduction to IPv6, then a review of attacks specific to IPv6, and finally a look back at the attitude of vendors towards vulnerabilities related to IPv6.

An article entitled Hackers target IPv6, A report providing an update on the current state of IPv6 deployment and its impact on security has also been published.

Vulnerabilities discovered

Vulnerability CVE-2011-2059 This vulnerability allows the detection of a Cisco router. It stems from the addition of a surprising feature:

«Back in 2003, a Cisco Technical Assistance Center (TAC) engineer made a very simple request: […] it would be nice to have a way to generate (within Cisco IOS itself) an IPv6 packet that, when received by a Cisco IOS device, would be punted to the CPU and out of the CEF path. This was indeed considered useful, and was hence implemented […] within Cisco IOS. » (source)

Tools

thc-ipv6 is a suite of tools for carrying out attacks on the IPv6 protocol. Marc Heuse announced that the next version will be released between March and May 2012. There will be only one version, not two, one public and one private, as is currently the case.

Picture

To end this article on a humorous note (source) :

IPv6 keyboard

Contact