v6 Security

Comment

Comment by Ahmed Abu-Abed on May 11, 2011 at 9:03am

Router Advertisments DoS attacks are becoming more interesting, and Microsoft do not have a fix yet ... some claim that the IETF needs to act to come up with a new standard to prevent RA DoS.

 

More on how it works:

http://samsclass.info/ipv6/proj/flood-router6a.htm

Comment by Ewout Meij on March 28, 2011 at 10:24am

If only IPv6 security was as easy as "re doing what you did for IPv4". Unfortunatly, IPv6 comes with many options that are unthinkable in v4, and the otherway around. Take the fact that every single home network will have 18,446,744,073,709,551,616 addresses available. How are you going to detect and block a scan from 18,446,744,073,709,551,614 different addresses with your v4-style scripts/firewalls/ids?

V4 is very often used with a NAT solution, are you planning to use that in v6 aswell?

V6 requires Packet Too Big or Destination Unreachable ICMP, end to end, v4 does not. [see http://www.ietf.org/rfc/rfc4890.txt for more ICMP v6 filtering].

The list goes on. Really, v6 is a beast of it's own and I'd advice you to tread carefully.

Comment by Ahmed Abu-Abed on January 3, 2011 at 1:09am

The final version of NIST's IPv6 security guidelines (and general IPv6 intro) document is now published:

"NIST IPv6 SP 800-119: Guidelines for the Secure Deployment of IPv6" 

from http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf

Comment by Thomas Maufer on September 15, 2010 at 2:18pm

FYI, NIST's USGv6 test program has been operational since 1-July-2010 with two lab partners: ICSA Labs and UNH's InterOperability Lab (UNH-IOL). Today, UNH-IOL announced the availability of ready-to-run pre-packaged test content for evaluating Network Protection Devices (NPDs): http://bit.ly/daNa8T

Comment by Michael Gorelik on April 12, 2010 at 1:08pm

Hi,
Again Few issues regarding DSL scenarios , Host side and BRAS side firewall:

There is assumption that we use PPP connection and both ends are dual stack support ipv4 and IPv6 + the host uses bridge modem so that host OS's is responsible for the PPP negotiation.
I am trying to investigate BRAS and client vulnerabilities.

1. IPv6CP negotiation in Windows is enabled by default , so that if IPv6 enabled , The host will definitely try to assign IPv6 address , Furthermore the identifier of 64 bit is created randomly so that the address can't be monitored , i haven't found if the identifier for the link local address is created each time the PPP session is initialized , or when the OS is loaded , it can be a vulnerability.
Linux for example doesn't start IPv6 negotiation by default even if the IPv6 is enabled, can it be a vulnerability when trying to deploy IPv6 together with existing IPv6 (dual stack).
2. does the order of IPCP and IPV6CP negotiation in dual stack supporting machine can be vulnerability? , lets say , one host OS tries first IPCP , other host OS tries first IPV6CP.
3. Does the firewall in the BRAS end should be stateless or statefull ?
from one side , BRAS should forward fastly the packets without deep inspection , so that statefull firewall won't work (we loose time and cpu), from the other side , attackers can pretend to be legal clients with already open session (session flag ack..) , so that the firewall would not inspect them at all..
3. when we have PPP vlan 1:1 we don't need ND messages , should we filter those messages in the BRAS ingress side ? what more types of messages and addresses we could filter when using specifically ppp vlan 1:1?
4. I am searching for example of BRAS firewall rules , more probably that special distribution of Linux would be used with IPv6 tables..
5. Tunneling , by denying tunneling in the BRAS side we solve many tunnel problems , like Teredo vulnerabilities (we can not perform deep inspection of them in the BRAS side). can it be some other solution without deep inspection , so that users would use tunnels , but the BRAS would be protected?

I will be happy to here your thoughts on some of the questions/issues..
sorry if it is not well explained..

Comment by Joe Klein on March 31, 2010 at 12:12pm

Police put spotlight on IPv6

Police have drafted a plan to watch over the 340 trillion trillion trillion Internet addresses being issued under IPv6, the root and branch reform of addressing being done to stop the internet running out of space.
http://www.thinq.co.uk/news/2010/3/29/police-put-spotlight-on-ipv6/

Comment by Joe Klein on March 30, 2010 at 10:18am

Here is a link to the JITC (Joint Interoperability Test Center ) which performed interoperability, performance and security testing on firewalls. http://jitc.fhu.disa.mil/apl/ipv6.html

Note, current testing from NIST and "IPv6 Ready" perform NO security testing. Security professional - buy beware!

Comment by Thorsten Behrens on March 30, 2010 at 8:43am

The built-in firewall in Win7 handles ipv6 without issue. On a network level, the Juniper SSG series works well today, and the SRX series will gain v6 firewalling with the mid-May release.

Comment by Nimitz on March 30, 2010 at 7:07am

Any suggestion on fast firewall s/w for ipv6, ESET NOD32 Smart Security 4 seems failed, NIS slows system down.
Thanks.

Comment by John Gibbins on March 18, 2010 at 11:37pm

Simply a matter of remembering that everything you did to protect you IPv4 network you need to do for your IPv6 network. In this case they had firewall protection for IPv4 but not for IPv6. Running dual stack does mean that you have to do everything twice. Part of the problem is remembering all of the things you did to protect your IPv4 network over a long period of time and applying them quickly to the new network connections.

• ‹ Previous
• 1
• 2
• 3
• Next ›
• Page