IPv6 and security: news from the front – April
Published articles
Fernando Gont published an article on the SearchSecurity website: Address IPv6 security before your time runs out. The article discusses the security implications of IPv6, without introducing any new elements. It is organized into five parts:
- IPv6 Security Implications
- IPv6 Security Considerations
- IPv4 vs. IPv6: A Brief Comparison
- IPv6 Security Myths
- Where To Go From Here
Enno Rey published an article entitled Some more Notes on RA Guard Evasion and “undetermined-transport”. He proposes a solution to replace RA Guard on a Cisco switch: a PACL containing "undetermined-transport", which allows for a configuration that is more resistant to evasion methods.
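The point of the "undetermined-transport" keyword is that a stateless ACL can only act on the upper-layer protocol when it can actually reach it by walking the IPv6 extension-header chain. The following Python sketch, added here as an illustration (it is not code from Enno Rey's article or from Cisco), walks the header chain of constructed sample packets and reports whether the transport header is determinable, i.e. whether the packet would fall under an undetermined-transport match; addresses, the RA contents and the fragment identification are constructed values, and no checksums are computed.

```python
import struct

# IPv6 extension headers (RFC 8200) that sit between the base header and the
# upper-layer protocol; a stateless ACL has to walk through them.
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dst-opts"}
ICMPV6, RTR_ADVERT = 58, 134

def classify_transport(pkt: bytes):
    """Walk one IPv6 packet's header chain and return (status, next_header).

    ("determined", n) means the upper-layer header n is present in this
    packet; ("undetermined", None) means the chain stops at a non-first
    fragment or is cut short, which is the condition the Cisco ACL keyword
    undetermined-transport matches.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):                  # extension header itself is missing
            return ("undetermined", None)
        if nxt == 44:                           # fragment header: fixed 8 bytes
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:                   # later fragment: transport header is elsewhere
                return ("undetermined", None)
            nxt, off = pkt[off], off + 8
        else:                                   # Hdr Ext Len is in 8-octet units, minus one
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off >= len(pkt):                         # chain ends with no transport bytes at all
        return ("undetermined", None)
    return ("determined", nxt)

def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample: base header from fe80::1 to ff02::1, hop limit 255."""
    src = bytes.fromhex("fe800000000000000000000000000001")
    dst = bytes.fromhex("ff020000000000000000000000000001")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + src + dst + payload

# Constructed Router Advertisement (type 134): checksum left as zero, no options.
RA = struct.pack("!BBHBBHII", RTR_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
SAMPLES = {
    "plain RA": build_ipv6(ICMPV6, RA),
    # RA behind a Destination Options header (one PadN option): still determinable.
    "RA after dst-opts": build_ipv6(60, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA),
    # Second fragment (offset 1): the ICMPv6 header travelled in the first fragment.
    "non-first fragment": build_ipv6(44, struct.pack("!BBHI", ICMPV6, 0, 1 << 3, 0x1234) + b"\0" * 8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} -> {classify_transport(pkt)}")
```

A filter that only inspects the Next Header field of the base header would see 60 or 44 for the last two samples and never learn that they may carry ICMPv6; walking the chain recovers the first case and flags the second as undetermined.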
Conferences
Marco Hogewoning gave a presentation during SSE 2/RIPE NCC Regional Meeting (second South East Europe): IPv6 Security Where is the challenge?. The introduction presents some statistics showing that security is increasingly becoming a barrier to IPv6 adoption. Then, after comparing IPv6 security to that of IPv4 and information security in general, it concludes:
- IPv6 can introduce vulnerabilities
- IPv6 is not a threat
- The main risk is you.
Videos
Ivan Pepelnjak published a video in which Eric Vyncke presents Cisco's implementation of SAVI: Source Address Validation Improvement. SAVI is a solution for protecting against IPv6 address spoofing on a local network. Not all Cisco switches support SAVI yet, but they should later this year.
Tools
A new version of the IPv6 Toolkit suite has been released: version 1.3.4. This version improves support for host tracking in the scan6 tool, and a new tool, address6, makes its appearance.
A new tool, called Evil Foca, has been released: Download Evil FOCA 0.1.2.0. The tool's features are interesting: IPv6 MITM, IPv4 MITM, IPv6 DoS, and DNS hijacking. A dedicated article on this tool will be published on this blog soon.
Vulnerabilities
A vulnerability (CVSS Base Score = 5) in Juniper's vGW product that allows bypassing filtering policies has been discovered (PSN-2013-03-875). A product update is available.
Another vulnerability (CVSS Base Score = 7.8) affecting a Juniper product has been disclosed (PSN-2013-04-915). Sending a specially crafted IPv6 packet that matches a specific filtering rule allows an attacker to... crash the Junos kernel. An update is available.
Two vulnerabilities (CVSS Base Score = 7.8) affect the Cisco IOS XE product (CVE-2013-1164, CVE-2013-2779 and cisco-sa-20130410-asr1000):
- sending fragmented IPv6 multicast traffic crashes the device;
- sending fragmented IPv6 MVPN traffic also crashes the device.
A product update is available.
A vulnerability (CVSS Base Score = 6.4) affecting the Solaris NFS client when used with IPv6 impacts confidentiality and integrity (CVE-2013-0405). Few details are available.
