Re: [Full-disclosure] Hacking IPv6 Networks (slides)



Hi, Roland,

Thanks so much for your e-mail! Please find my comments inline...

On 08/09/2011 03:32 PM, Dobbins, Roland wrote:
> 1. By prepending lots of extension headers to packets, it may be
> possible to exhaust router ASIC/TCAM capacity, causing the traffic in
> question to be punted to the RP and thus leading to a DoS condition.

Agreed. -- Which makes one wonder a bit about the "streamlined header
blah blah" that one usually hears :-) (ok, it's "streamlined" in a world
in which attackers do not exist :-) )



> 2. The consonance of the English letters 'B', 'C', 'D', & 'E' is
> likely to result in untold billions of dollars of opex related to
> misconfigurations, outages, improper access policies contributing to
> security breaches, etc. Whenever possible, IPv6
> address-/netblock-related information should be transmitted in
> written form, not verbally.

Hadn't thought about this one. Good grief :-)



> 3. BGP and IGP mining can also be useful for hinted scanning.

Yes, this would be another one to add to the list of "IPv6 addresses
leaked by application protocols".



> 4. The numerous instantiations of additional state being added to
> networks in the form of 6-to-4 gateways, CGNs, et al. as a result of
> IPv4 address exhaustion and IPv6 transition greatly increases the DoS
> risk, as well.

Agreed. At least in the short and near term, NAT usage will only
increase despite the claims of "return to the e2e internet" (I have
commented a bit about this one in
http://searchenterprisewan.techtarget.com/tip/Why-IPv6-wont-rid-the-Internet-of-Network-Address-Translation).

-- And it's not just the additional state... it's the increased
complexity of the resulting "system" (the Internet). Even for
troubleshooting it will become more and more painful.



> There's already far too much of this in the
> mobile/wireless world, resulting in numerous DoS conditions on those
> networks caused by portscans/hostscans/outbound & crossbound DDoS
> attacks initiated by botted hosts; now it's going to become even more
> common in the wireline world, as well.

It has been relieving to read your post, I must admit :-) --
particularly when at least half of the stuff that usually gets published
about IPv6 security has to do with how the mandatory-ness of IPsec is
going to save us all. :-)

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@xxxxxxxxxxxxxxx
web: http://www.si6networks.com
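
Added example (not part of the original message or of either author's tooling): a defender-side check for point 1 above that walks the extension header chain of a raw IPv6 packet and flags chains that exceed a policy budget. The thresholds, function names and sample packets are constructed assumptions.

```python
import struct

# Extension headers with a Next Header field that can be walked (RFC 8200, RFC 4302).
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "ah", 60: "dest-opts"}
MAX_EXT_HEADERS = 4    # assumed policy threshold, not a value from the thread
MAX_CHAIN_BYTES = 128  # assumed budget: fixed header plus all extension headers

def walk_chain(pkt: bytes):
    """Return (extension header names, upper-layer offset, upper-layer protocol)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == 44:                      # Fragment header is always 8 bytes
            size = 8
        elif nxt == 51:                    # AH length is in 4-octet units, minus 2
            size = (pkt[off + 1] + 2) * 4
        else:                              # Hdr Ext Len: 8-octet units, minus first 8
            size = (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):
            raise ValueError("extension header overruns packet")
        chain.append(EXT_HEADERS[nxt])
        frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3 if nxt == 44 else 0
        nxt, off = pkt[off], off + size
        if frag_off:                       # non-first fragment: no header follows
            break
    return chain, off, nxt

def verdict(pkt: bytes) -> str:
    """Classify a packet as pass, flag (chain too long) or drop (malformed chain)."""
    try:
        chain, off, _ = walk_chain(pkt)
    except ValueError as exc:
        return f"drop: {exc}"
    if len(chain) > MAX_EXT_HEADERS or off > MAX_CHAIN_BYTES:
        return f"flag: {len(chain)} extension headers, {off} bytes before upper layer"
    return "pass"

def build(ext_count: int) -> bytes:
    """Constructed sample: ext_count padded Destination Options headers, then 8 bytes of UDP."""
    ext = b"".join(bytes([60 if i < ext_count - 1 else 17, 0, 1, 4, 0, 0, 0, 0]) for i in range(ext_count))
    payload = ext + bytes(8)
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), 60 if ext_count else 17, 64) + bytes(31) + b"\x01"
    return fixed + payload

if __name__ == "__main__":
    for n in (0, 2, 12):
        print(n, verdict(build(n)))
```
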


