IPv6 and security: news from the front – March
Published articles
In an article entitled « Don't Panic About, or Ignore, IPv6 Security », Carl Weinschenk uses excerpts from several articles to highlight the potential security risks of IPv6. Here are the main points:
- Lack of infrastructure maturity (many operators are not yet able to monitor IPv6 traffic well enough to detect denial-of-service attacks)
- IPv4/IPv6 tunneling mechanisms may allow some traffic to pass unnoticed.
- If too little memory is allocated to handle IPv6 addresses, which are larger than IPv4 addresses, there is a risk of code execution
Some positive points are also discussed:
- The major operating systems have an IPv6 stack that has been extensively tested, and most equipment is based on these operating systems – « Things may go wrong, of course, but we'll survive. »
He concludes that extreme caution must be exercised when planning, deploying, and using IPv6.
Fernando Gont published an article entitled « IPv6 NIDS evasion and improvements in IPv6 fragmentation/reassembly ». Following the fragmentation tests he conducted, his conclusions are as follows:
- The majority of "popular" operating systems (Windows, Linux, *BSD) implement RFC 5722 and do not accept overlapping fragments
- The majority of these systems do not implement the draft draft-ietf-6man-ipv6-atomic-fragments-00 and process atomic fragments like ordinary fragments
Compared to IPv4, it therefore appears much more difficult to use fragmentation as a method of evading firewalls and NIDS.
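To make the two reassembly behaviours above concrete, here is an added example (not code from the article or from any of the systems it tested) of a small IPv6 fragment-set checker written from the receiving host's point of view. It applies the RFC 5722 rule (any overlap discards the whole datagram rather than letting one fragment win) and flags atomic fragments (offset 0, M flag clear) so they can be processed on their own as the atomic-fragments draft describes. The fragment tuples and their payloads are constructed for illustration; the real Fragment header stores the offset in 8-octet units, which is converted here to a byte offset for readability.

```python
"""Fragment-set checks as a conforming IPv6 host performs them.

Added example for this digest, not code from any of the summarized articles.
A fragment is modelled as (byte_offset, more_flag, payload). All sample
fragment sets below are constructed for illustration.
"""
from typing import List, Optional, Tuple

Fragment = Tuple[int, bool, bytes]  # (offset in bytes, M flag, payload)


def is_atomic_fragment(frag: Fragment) -> bool:
    """Atomic fragment: offset 0 and M=0, i.e. a whole packet that merely
    carries a Fragment header (draft-ietf-6man-ipv6-atomic-fragments)."""
    offset, more, _ = frag
    return offset == 0 and not more


def find_overlap(frags: List[Fragment]) -> Optional[Tuple[Fragment, Fragment]]:
    """Return the first pair of fragments whose byte ranges overlap, else None."""
    ordered = sorted(frags, key=lambda f: f[0])
    for a, b in zip(ordered, ordered[1:]):
        a_end = a[0] + len(a[2])
        if b[0] < a_end:  # b starts before a finishes: overlapping data
            return a, b
    return None


def reassemble_rfc5722(frags: List[Fragment]) -> Optional[bytes]:
    """Reassemble a fragment set, or return None when it must be dropped.

    RFC 5722 behaviour: overlapping fragments cause the entire datagram to be
    discarded, so there is no 'first wins' / 'last wins' policy for an evasion
    tool to exploit. A set with gaps or without a final (M=0) piece is also
    incomplete and cannot be delivered.
    """
    if not frags or find_overlap(frags) is not None:
        return None
    ordered = sorted(frags, key=lambda f: f[0])
    expected_offset = 0
    payload = b""
    for idx, (offset, more, data) in enumerate(ordered):
        if offset != expected_offset:     # gap in the byte range
            return None
        is_last = idx == len(ordered) - 1
        if more == is_last:               # M must be set on all but the last piece
            return None
        payload += data
        expected_offset += len(data)
    return payload


def classify(frags: List[Fragment]) -> str:
    """Summarise how a host implementing the rules above treats the set."""
    if len(frags) == 1 and is_atomic_fragment(frags[0]):
        return "atomic"        # process independently of other fragments
    if find_overlap(frags) is not None:
        return "overlap"       # RFC 5722: discard everything
    if reassemble_rfc5722(frags) is None:
        return "incomplete"    # keep waiting, or time out
    return "ok"


# Constructed sample sets: a clean split of an HTTP request line, a set with
# overlapping data at offset 8, a set with a gap, and an atomic fragment.
CLEAN = [(0, True, b"GET /ind"), (8, True, b"ex.html "), (16, False, b"HTTP/1.1")]
OVERLAP = [(0, True, b"GET /ind"), (8, True, b"ex.html "), (8, False, b"XXXXXXXX")]
GAPPED = [(0, True, b"GET /ind"), (16, False, b"HTTP/1.1")]
ATOMIC = [(0, False, b"whole packet")]

if __name__ == "__main__":
    for name, frags in [("clean", CLEAN), ("overlap", OVERLAP),
                        ("gapped", GAPPED), ("atomic", ATOMIC)]:
        print(f"{name:8s} -> {classify(frags)}  payload={reassemble_rfc5722(frags)!r}")
```

Run as a script, the checker reports the clean set as reassembled, the overlapping set as dropped outright, the gapped set as incomplete and the single atomic fragment as a whole packet; a legacy stack that ignores the atomic-fragments draft would instead put that last one through the ordinary reassembly queue, which is the difference the article measured.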
An interview with Robert Hinden was published: « RSA 2012 talk to offer help understanding IPv6 security issues ». He gives his opinion on IPv6 and security in general. Here are some excerpts:
- One of the major problems today is the lack of IPv6 skills (the protocols are there, the products too, but the teams need to be trained on the subject)
- One of the two most concerning problems with IPv6 relates to the IPv4/IPv6 transition mechanisms, which can allow the creation of unmonitored tunnels out of the enterprise.
- The second problem is the lack of monitoring of IPv6 traffic (malware could use this protocol to spread undetected).
Scott Hogg published an article titled « Should You Allow Inbound Email Over IPv6? ». It addresses fairly comprehensively the problems that will surely arise when IPv6 is enabled on SMTP servers: how to build IP blacklists of spammers' addresses when IPv6 gives each sender a very large number of addresses to choose from, the fact that email management solutions (SpamAssassin, Barracuda, etc.) do not all have IPv6 support yet, etc.
Alexandre MSP Moraes published a series of articles on configuring IPv6 (ACLs, zone-based policy firewall, etc.) on Cisco equipment.
On the Tenable Network Security blog, Ron Gula published an article addressing four common misconceptions about IPv6 security: « Decoding IPv6: Four Misconceptions that Security Execs Need to Know ». Here they are:
- IPv6 is more secure
- The absence of NAT introduces an additional risk
- IPv6 is too large to be scanned, preventing hackers from compromising an IPv6 network.
- ISPs will handle the transition to IPv6
Tools
Metasploit version 4.2 has been released. Among the new features are significant improvements in IPv6 support:
- New payloads have been added and existing ones have been updated; the majority of payloads are now IPv6-compatible
- Metasploit can now communicate with a database using IPv6
- Various other improvements related to IPv6 support have also been made
Vulnerabilities
Certain versions of Cisco Wireless LAN Controller equipment are affected by a vulnerability (CVE-2012-0369) that allows a denial of service to be triggered by sending a series of specially crafted IPv6 packets.
