IPv6 and security: news from the front – March
Published articles
Stéphane Bortzmeyer gave a presentation on IPv6 security at ESGI (École Supérieure de Génie Informatique). slides and the video of the presentation are available here. Various impacts of IPv6 on security are discussed, without going into detail.
A series of four articles was published on the blog A computer in the middle of evil :
- Evil FOCA: SLAAC Attack (1 of 4)
- Evil FOCA: SLAAC Attack (2 of 4)
- Evil FOCA: SLAAC Attack (3 of 4)
- Evil FOCA: SLAAC Attack (4 of 4)
The articles detail an attack scenario using IPv6 to intercept traffic in an IPv4 network. The scenario is based on an IPv6 router advertisement and NAT64/DNS64 translation. This attack is implemented in the Evil FOCA tool, which is not currently publicly available.
The ISC (Internet Storm Center) is publishing a series of articles this month concerning IPv6: IPv6 Focus Month. They are not all security-oriented, but cover topics such as filtering or fuzzing are nevertheless addressed.
Cisco has published a document on the level 2 protections available on Cisco equipment: IPv6 First Hop Security (FHS). The PDF includes five diagrams that allow for a very quick understanding of the benefits of the protections.
Conferences
At the Troopers conference, Antonios Atlasis gave a presentation entitled IPv6 Extension Headers – New Features, and New Attack Vectors. In it, he presents the results of his research on Extension Headers and how operating systems and IDS interpret them. He concludes that EHs can be used for...’OS fingerprinting to create hidden channels, to bypass firewalls, and to evade IDS, "at least yet." The scripts he used during his research are available here.
Enno Rey also gave a presentation during Troopers: DESIGN & CONFIGURATION OF IPV6 SEGMENTS WITH HIGH SECURITY REQUIREMENTS. It provides guidelines for strengthening the security of an IPv6 network: limiting the number of addresses per interface, limiting "NDP requests", removing Router Advertisement messages, etc.
Tools
A new version of the IPv6 Toolkit suite has been released, the version 1.3.3. This minor update adds the –tgt-known-iids option to the scan6 tool and allows checking the presence of a host within a network, based on its Interface ID.
Vulnerabilities
Marc Heuse has made public a vulnerability on the mailing list Full Disclosure: Remote system freeze thanks to Kaspersky Internet Security 2013. Sending specially crafted IPv6 packets to a host where Kaspersky Internet Security 2013 is installed allows you to freezer the host in question. Kaspersky has since updated its software.
