IPv6 and security: news from the front – February

New publications

DHCPv6 Guard: Do It Like RA Guard Evasion by Enno Rey, article published on the Insinuator blog

In this article, Enno Rey presents a solution to bypass the countermeasures implemented by Cisco to identify malicious DHCPv6 packets. Again, this solution relies on fragmenting the transmitted packets. Attacks using this technique are numerous and call into question the design of the protocol in general and the fragmentation layer in particular.

Evasion of Cisco ACLs by (Ab)Using IPv6 & Discussion of Mitigation Techniques by Enno Rey, article published on the Insinuator blog

Following the successful attack described in the article above, Enno Rey decided to use the same approach to test the effectiveness of ACLs implemented on Cisco routers. The attack was successfully carried out using fragmentation and header addition techniques.

IPv6 Hardening Guide for OS X by Florian Grunow, Matthias Luft, Michael Thumann, Michael Schaefer published on the website of ernw

Following the publication of guides on hardening IPv6 security for Linux and Windows servers, the authors cited above publish a document containing several actions to be implemented in order to limit the risks of IPv6 attacks against OSX systems.

New tools and updates

 Chiron by Antonios Atlasis

A new version of the Chiron IPv6 attack framework will be presented at the conference Troopers. This new version will include improvements related to support for the MLD (Multicast Listener Discovery) protocol, as well as the addition of DHCPv6 features.