IPv6 and security: news from the front – April
Published articles
Eric Vyncke published an article in which he presents methods for blocking IPv6 tunnels: « Can we block all IPv6 tunnels in our enterprise network? ». He begins by reminding everyone that tunnels can be used to bypass filtering mechanisms and that there are rumors that botnets would use such tunnels. His proposals for blocking IPv6 tunnels, based primarily on Cisco technologies, are the following:
- For 6to4 and ISATAP tunnels, it is sufficient to block protocol 41 with an ACL (Access Control List).
- For Teredo tunnels, which are based on UDP, Flexible Pattern Matching (FPM) technology can be used, as it allows for the creation of sufficiently precise filtering rules (analysis of the content of the UDP datagram).
- Finally, it is also possible to disable these tunnels on workstations by modifying the Windows configuration (http://support.microsoft.com/kb/929852).
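As an added illustration of the checks behind those three measures (not code from Eric Vyncke's article): a small Python classifier that labels a raw IPv4 packet as a protocol-41 tunnel (6to4, ISATAP or plain 6in4, told apart by the inner IPv6 source address) or as Teredo (UDP port 3544 carrying an IPv6 header after the optional Teredo indications, which is the datagram-content check an FPM rule has to express). The packet builders are constructed helpers that produce sample input.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

TEREDO_PORT = 3544                      # UDP port of Teredo servers/relays (RFC 4380)
SIX_TO_FOUR = IPv6Network("2002::/16")  # 6to4 addresses embed the public IPv4 address
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # ISATAP interface-id prefix (u bit clear/set)

def ipv6_header(src: str, dst: str, payload_len: int = 0) -> bytes:
    """Constructed 40-byte IPv6 header: version 6, next header 59 (none), hop limit 64."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, 59, 64)
            + IPv6Address(src).packed + IPv6Address(dst).packed)

def ipv4_packet(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header (no options, checksum left at zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")      # 192.0.2.1 -> 192.0.2.2
    return hdr + payload

def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed UDP header (checksum left at zero) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _strip_teredo_indications(p: bytes) -> bytes:
    """Skip the optional Teredo authentication (0x0001) and origin (0x0000) indications."""
    if p[:2] == b"\x00\x01" and len(p) >= 4:   # 4 + ID-len + AU-len + 8-byte nonce + 1 confirmation
        p = p[13 + p[2] + p[3]:]
    if p[:2] == b"\x00\x00":                   # origin indication is a fixed 8 bytes
        p = p[8:]
    return p

def classify_ipv4_packet(pkt: bytes) -> str:
    """Label the tunnel type carried by a raw IPv4 packet, or 'none'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == 41:                            # 6to4, ISATAP and manual 6in4 all use protocol 41
        inner = pkt[ihl:]
        if len(inner) < 40 or inner[0] >> 4 != 6:
            return "proto41-malformed"
        src = IPv6Address(inner[8:24])         # inner IPv6 source sits at offset 8 of the header
        if src in SIX_TO_FOUR:
            return "6to4"
        if src.packed[8:12] in ISATAP_IIDS:
            return "isatap"
        return "6in4"
    if proto == 17 and len(pkt) >= ihl + 8:    # Teredo is only recognisable by looking past UDP
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            inner = _strip_teredo_indications(pkt[ihl + 8:])
            if len(inner) >= 40 and inner[0] >> 4 == 6:
                return "teredo"
    return "none"
```

Feeding captured IPv4 frames (IP header onwards) through classify_ipv4_packet gives a quick count of how much tunnelled IPv6 is already crossing a segment before the ACL and FPM rules are written.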
An article entitled « Example::IPv6:firewall:ruleset » was published by Ferry. It is an example of a Cisco firewall configuration for IPv6 traffic and can be used as a starting point when setting up such a firewall. Keith O'Brien wrote a script for testing an IPv6 stack to find out whether it is vulnerable to certain attacks (the script performs six tests, one per attack).
Conferences
Fernando Gont gave a lecture at Hackito Ergo Sum, « Recent Advances in IPv6 Security », in which he presents his latest research in the field of IPv6 security, in six parts:
- « IPv6 Addressing »: the current mechanisms for generating an IPv6 address are not optimal: they either facilitate network scans or make system administration more difficult. Fernando Gont therefore proposes a new method for generating an address. This address would change each time a host changes networks.
- « IPv6 Fragmentation & Reassembly »: the presenter ran tests to determine whether operating systems use predictable fragment IDs and whether they handle atomic fragments correctly. The result is that most operating systems reject overlapping fragments, but some do not handle atomic fragments correctly. The draft draft-ietf-6man-ipv6-atomic-fragments specifies how an IPv6 stack should handle such atomic fragments.
- « IPv6 First Hop Security »: in the draft draft-gont-6man-nd-extension-headers, Fernando Gont proposes forbidding fragmentation of Neighbor Discovery messages, which would make effective monitoring mechanisms possible for this type of message. He also took part in drafting draft-gont-6man-ra-guard-implementation, which gives advice on how to filter Router Advertisement messages effectively.
- « IPv6 Firewalling »: the draft draft-gont-6man-oversized-header-chain offers solutions that facilitate the filtering of IPv6 packets.
- « Mitigation to some Denial of Service attacks »: the draft draft-gont-6man-ipv6-smurf-amplifier proposes a method to limit the risks of Smurf-type attacks.
