IPv6 and security: news from the front – September
New publications
IPv6 for Managers by Enno Rey, article published on the Insinuator blog
This article discusses how Enno Rey presents IPv6 to managers to make them realize that it's time to begin the transition to IPv6. Slides are also provided.
Evasion of High-End IDPS Devices in the Age of IPv6 by Antonios Atlasis and Enno Rey, presentation given at the Black Hat conference
The slides are available. The presentation details methods for bypassing IDS (Suricata and Tipping Point) by manipulating IPv6 Extension Headers: use of multiple fragments, fragmentation and modification of the Next Header field value in certain packets only, etc.
IPv6 insecurities on “IPv4-only” networks by Frank Herberg, article published on the SWITCH Security Blog
The article briefly presents three possible attack scenarios using IPv6 in an IPv4-only network:
- Rogue IPv6 router attracts traffic
- Attacker bypasses IP based access control
- Client bypasses firewall with IPv6 tunnel
At the end of the article, there are four questions to ask yourself to determine if your network is at risk:
- Do you see IPv6 traffic on your network? (Monitoring)
- Are you sure your firewalls filter (tunneled) IPv6 traffic?
- Do you have enough knowledge about IPv6 and its specific attacks to detect them?
- Do you rely on IP-based ACLs – which are ineffective for IPv6?
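As a starting point for the first two questions, the following added example (not taken from the SWITCH article) labels raw Ethernet frames that carry IPv6 on a network assumed to be IPv4-only: native IPv6, Router Advertisements, protocol 41 encapsulation and Teredo. The function names, labels and sample frames are constructed for illustration.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_UDP, PROTO_IPV6_ENCAP, PROTO_ICMPV6 = 17, 41, 58
TEREDO_PORT, ICMPV6_ROUTER_ADVERT = 3544, 134

def classify_frame(frame):
    """Return a label if the Ethernet frame carries IPv6 in some form, else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    if ethertype == ETH_IPV6 and len(ip) >= 40:
        # Only an RA directly after the fixed header is recognised here;
        # extension header chains are not walked (limitation of this example).
        if ip[6] == PROTO_ICMPV6 and len(ip) > 40 and ip[40] == ICMPV6_ROUTER_ADVERT:
            return "router-advertisement"
        return "native-ipv6"
    if ethertype == ETH_IPV4 and len(ip) >= 20:
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] == PROTO_IPV6_ENCAP:          # 6in4, 6to4, ISATAP
            return "proto41-tunnel"
        # Teredo is matched on its well-known server port only.
        if ip[9] == PROTO_UDP and ihl >= 20 and len(ip) >= ihl + 4:
            if TEREDO_PORT in struct.unpack("!HH", ip[ihl:ihl + 4]):
                return "teredo-tunnel"
    return None

def summarize(frames):
    """Count IPv6-related labels over an iterable of raw frames."""
    counts = {}
    for label in filter(None, map(classify_frame, frames)):
        counts[label] = counts.get(label, 0) + 1
    return counts

# Helpers that build constructed sample frames (not captured traffic).
def eth(ethertype, payload):
    return b"\x00" * 12 + struct.pack("!H", ethertype) + payload
def ipv4(proto, body=b""):
    return bytes([0x45, 0]) + struct.pack("!H", 20 + len(body)) + b"\x00" * 5 + bytes([proto]) + b"\x00" * 10 + body
def ipv6(next_header, body=b""):
    return b"\x60\x00\x00\x00" + struct.pack("!H", len(body)) + bytes([next_header, 255]) + b"\x00" * 32 + body

SAMPLES = [
    eth(ETH_IPV4, ipv4(6, b"\x00" * 20)),                              # plain IPv4/TCP
    eth(ETH_IPV6, ipv6(PROTO_ICMPV6, bytes([134, 0]) + b"\x00" * 14)), # Router Advertisement
    eth(ETH_IPV6, ipv6(6, b"\x00" * 20)),                              # native IPv6/TCP
    eth(ETH_IPV4, ipv4(PROTO_IPV6_ENCAP, ipv6(6))),                    # IPv6 inside IPv4
    eth(ETH_IPV4, ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, 3544, 8, 0))),  # Teredo
]
```

Any non-empty result from `summarize` on a segment believed to be IPv4-only is worth investigating, and the tunnel labels indicate what a perimeter firewall would need to filter.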
New vulnerabilities
CVE-2014-3353 (Cisco IOS XR Software Malformed IPv6 Packet Denial of Service Vulnerability)
- Affected product: Cisco IOS XR
- Impact: Denial of service (CVSS Base Score = 7.1)
