Re: RE: IPv6 support in IDS/IPS products

From: David Williams (dwilliamsd_at_gmail.com)
Date: 11/10/05

  • Next message: Jim Bauer: "Re: IPv6 support in IDS/IPS products"
    Date: Wed, 9 Nov 2005 18:11:22 -0500
    To: "barcajax@gmail.com" <barcajax@gmail.com>
    
    

    First, if you're doing security you should NEVER "assume" anything.
    That's a sure fire way to NOT get what you want out of a product.

    Second, the U.S. Government has lots of checkboxes. Common Criteria,
    FIPS 140, etc. IPv6 can be viewed as a checkbox if you don't ask the
    right question, which is why I specifically am interested in not on
    the ability to "detect IPv6", but to actually properly decode IPv6,
    all the IPv6 methods, IPv6 tunnels, and other weirdness that I
    probably don't know about. We never ask enough questions about the
    ways our vendors implement these requirements and it gets us in
    trouble.

    For example, in IPv4 a typical header is normally 20bytes, but could
    be slightly larger, let's say 60bytes. Not a big deal for most
    people, and even old ASIC technology can handle 64 byte headers. But,
    a normal IPv6 header with options, and tunneling, could easily exceed
    the 64 byte header length, since it's arbitrary. A smart hacker could
    add enough options and tunnels to extend the header length to well
    past 1K (assuming a large MTU). I seriously doubt most vendors have
    accounted for this. So, when Cisco claims "enhanced visibility", I
    note that they did NOT answer my question specifically, and they don't
    go into any details about how they do it. The phrase "we detect IPv6"
    is not the same as the answer given by ISS & NFR. I'd like to
    actually more fully explore those answers, which I will do once I
    create a Matrix from vendors that give an appropriate response,
    because I STILL don't believe them.

    People ask questions around buzzwords, they get an answer, and then
    don't follow up with more detailed questions, because they assume
    vendors are doing the right thing... when in reality, many vendors
    will simply do "just enough".

    Sorry for the rant... I've gotten burned by making "assumptions".

    -d

    On 8 Nov 2005 00:34:12 -0000, barcajax@gmail.com <barcajax@gmail.com> wrote:
    > I think its safe to assume that most of the IDS/IPS products support IPv6 because its a U.S. government requirement if I'm not wrong. From personal experience, nfr Sentivist is IPv6 aware.
    >
    > ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it
    > with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------
    >
    >

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------


  • Next message: Jim Bauer: "Re: IPv6 support in IDS/IPS products"

    Relevant Pages

    • Re: FreeBSD 10-RC4: Got crash in igb driver
      ... The kernel make a pagefault in the igb_tx_ctx_setup function when accessing to ... a IPv6 header. ... the ethernet header, the second, the IPv6 header and data payload. ... Instead of patching each driver with pullup code we can add a generic pullup code? ...
      (freebsd-current)
    • Re: FreeBSD 10-RC4: Got crash in igb driver
      ... The kernel make a pagefault in the igb_tx_ctx_setup function when accessing to ... a IPv6 header. ... i see that the mbuf is split in two. ... the ethernet header, the second, the IPv6 header and data payload. ...
      (freebsd-current)
    • Re: FreeBSD 10-RC4: Got crash in igb driver
      ... I experience some troubles with the igb device driver on FreeBSD 10-RC4. ... a IPv6 header. ... the ethernet header, the second, the IPv6 header and data payload. ... Instead of patching each driver with pullup code we can add a generic pullup code? ...
      (freebsd-current)
    • Windows (XP, 2k3, Longhorn) is vulnerable to IpV6 Land attack.
      ... The land attack described in - ... This program attacks only IpV6 Link-Local ... Use build-in windows firewall to block open IpV6 ports (port 135 is open ... Static header size: 14 bytes ...
      (Bugtraq)
    • Windows (XP, 2k3, Longhorn) is vulnerable to IpV6 Land attack.
      ... The land attack described in - ... This program attacks only IpV6 Link-Local ... Use build-in windows firewall to block open IpV6 ports (port 135 is open ... Static header size: 14 bytes ...
      (NT-Bugtraq)