IPv6 and security: news from the front – October

Published articles

Andrew Yourtchenko, with the help of a few others, published a page on the Cisco DocWiki wiki: FHS. This page presents Cisco's First Hop Security (FHS) features and provides configuration examples. These features enable IPv6 security within a local network.

Enno Rey published an article on the Insinuator blog: IPAM Requirements in IPv6 Networks. It lists the IPv6-specific features that IPAM (IP Address Management) solutions must have: being able to use SNMPv3 to communicate with network equipment and retrieve the IPv6 addresses used, being able to classify IPv6 addresses by categories (SLAAC or DHCP for example), etc.

Vulnerabilities

The Virtual Fragmentation Reassembly (VFR) feature for IPv6 in Cisco IOS is affected by a vulnerability (CVSS Base = 7.8) that allows a denial-of-service attack to be carried out by sending a series of specially crafted IPv6 fragments (cisco-sa-20130925-ipv6vfr, CVE-2013-5474).

A vulnerability (CVSS Base = 4.3) affecting the Linux kernel has been identified: when using IPsec, SCTP traffic is not encrypted with IPv6, whereas it is with IPv4 (CVE-2013-4350).

A vulnerability (CVSS Base = 4.9) affecting the Linux kernel has been identified: it is possible to crasher the OS using a socket AF_INET6 to connect to an IPv4 interface (CVE-2013-2232).

The Linux kernel's ip6_ufo_append_data function, linked to the UFO (UDP Fragmentation Offload) functionality, is affected by a vulnerability (CVSS Base = 6.1): sending specially crafted UDP messages can cause crasher the kernel and potentially allow the execution of arbitrary code (CVE-2013-4387).