gogoNET

IPv6 & Networking the Internet of Things

Information

v6 Security

Discussion about the security (or lack of) of the IPv6 protocol

Members: 93
Latest Activity: Jun 23

Discussion Forum

anyone working on DDoS attack remediation and/or IP traceback schemes ?

I am working on analyzing IP traceback schemes of IPv4 for their adaptability in IPv6 networks and thus, first trying to create an experimental network. I need some guidance in this task. Can someone…

Started by Maninder Singh Jun 13, 2013.

Question on IPV6 Security

I am looking for some recommendations/references on IPv6 network security. I am currently working on getting my Cisco ccnp band followed by CCNA security. Thanks for the help

Tags: cisco, security, ipv6

Started by Peter C. Tonnesen Feb 11, 2013.

IDS for ipv6?? 2 Replies

Hi community.... I'm a new member and a new IPv6 user. I need to implement an IDS; could someone help me?? I need names of software for Linux/Windows that work like an IDS... thanks

Tags: security, ids

Started by william ernesto alfaro avila. Last reply by william ernesto alfaro avila Nov 10, 2011.

Comment Wall

Comment by Joe Klein on May 31, 2012 at 4:44pm

IPv6 security and hacking blog at: http://scientifichooligan.me/ Contains all of my slides, videos, daily updates about products, news analysis and soon a creative commons version of my "IPv6 hacking and defending class" & "IPv6 Programming".

Comment by Ahmed Abu-Abed on May 11, 2011 at 8:03am

Router Advertisement DoS attacks are becoming more interesting, and Microsoft do not have a fix yet ... some claim that the IETF needs to act to come up with a new standard to prevent RA DoS.

More on how it works:

http://samsclass.info/ipv6/proj/flood-router6a.htm

Comment by Ewout Meij on March 28, 2011 at 9:24am

If only IPv6 security was as easy as "re doing what you did for IPv4". Unfortunately, IPv6 comes with many options that are unthinkable in v4, and the other way around. Take the fact that every single home network will have 18,446,744,073,709,551,616 addresses available. How are you going to detect and block a scan from 18,446,744,073,709,551,614 different addresses with your v4-style scripts/firewalls/ids?

V4 is very often used with a NAT solution, are you planning to use that in v6 as well?

V6 requires Packet Too Big or Destination Unreachable ICMP, end to end, v4 does not. [see http://www.ietf.org/rfc/rfc4890.txt for more ICMP v6 filtering].

The list goes on. Really, v6 is a beast of its own and I'd advise you to tread carefully.
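
An added illustration of the /64 point in the comment above (example code, not part of the original comment): a v4-style per-address counter never trips when a source rotates its interface identifier, while counting per /64 prefix does. The log format, threshold and function names are assumptions, and the events are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
from collections import defaultdict

def build_sample():
    """Constructed events: (source address, destination port)."""
    events = []
    # One subscriber /64 using a fresh interface identifier for every probe.
    for i in range(1, 201):
        events.append((f"2001:db8:aaaa:1::{i:x}", 22))
    # Ordinary clients in five other /64s, three connections each.
    for net in range(1, 6):
        for _ in range(3):
            events.append((f"2001:db8:bbbb:{net:x}::10", 443))
    return events

def key_per_address(addr):
    # v4-style tracking: one counter per full 128-bit source address.
    return ipaddress.IPv6Address(addr)

def key_per_prefix(addr, prefix_len=64):
    # strict=False masks off the host bits, leaving the covering prefix.
    return ipaddress.IPv6Network(f"{addr}/{prefix_len}", strict=False)

def flag_sources(events, key_fn, threshold):
    """Return {key: event count} for every key at or above the threshold."""
    counts = defaultdict(int)
    for src, _port in events:
        counts[key_fn(src)] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    events = build_sample()
    print("per address:", flag_sources(events, key_per_address, 10))
    print("per /64    :", flag_sources(events, key_per_prefix, 10))
```

Acting on a whole /64 affects every host that shares the prefix, so the prefix length used for aggregation should match how the address space is actually delegated.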

Comment by Ahmed Abu-Abed on January 2, 2011 at 11:09pm

The final version of NIST's IPv6 security guidelines (and general IPv6 intro) document is now published:

"NIST IPv6 SP 800-119: Guidelines for the Secure Deployment of IPv6" 

from http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf

Comment by Thomas Maufer on September 15, 2010 at 1:18pm

FYI, NIST's USGv6 test program has been operational since 1-July-2010 with two lab partners: ICSA Labs and UNH's InterOperability Lab (UNH-IOL). Today, UNH-IOL announced the availability of ready-to-run pre-packaged test content for evaluating Network Protection Devices (NPDs): http://bit.ly/daNa8T

Comment by Michael Gorelik on April 12, 2010 at 12:08pm

Hi,
Again, a few issues regarding DSL scenarios, host-side and BRAS-side firewall:

There is an assumption that we use a PPP connection and both ends are dual stack, supporting IPv4 and IPv6, and the host uses a bridge modem so that the host OS is responsible for the PPP negotiation.
I am trying to investigate BRAS and client vulnerabilities.

1. IPv6CP negotiation in Windows is enabled by default, so that if IPv6 is enabled, the host will definitely try to assign an IPv6 address. Furthermore, the 64-bit identifier is created randomly so that the address can't be monitored. I haven't found whether the identifier for the link-local address is created each time the PPP session is initialized or when the OS is loaded; it can be a vulnerability.
Linux, for example, doesn't start IPv6 negotiation by default even if IPv6 is enabled. Can it be a vulnerability when trying to deploy IPv6 together with existing IPv6 (dual stack)?
2. Can the order of IPCP and IPV6CP negotiation in a dual-stack machine be a vulnerability? Let's say one host OS tries IPCP first, another host OS tries IPV6CP first.
3. Should the firewall at the BRAS end be stateless or stateful?
On one side, the BRAS should forward packets quickly without deep inspection, so a stateful firewall won't work (we lose time and CPU); on the other side, attackers can pretend to be legal clients with an already open session (session flag ack..), so that the firewall would not inspect them at all..
3. When we have PPP VLAN 1:1 we don't need ND messages; should we filter those messages on the BRAS ingress side? What other types of messages and addresses could we filter when using specifically PPP VLAN 1:1?
4. I am searching for an example of BRAS firewall rules; more probably a special distribution of Linux would be used with IPv6 tables..
5. Tunneling: by denying tunneling on the BRAS side we solve many tunnel problems, like Teredo vulnerabilities (we cannot perform deep inspection of them on the BRAS side). Can there be some other solution without deep inspection, so that users could use tunnels but the BRAS would be protected?

I will be happy to hear your thoughts on some of the questions/issues.
Sorry if it is not well explained.

Comment by Joe Klein on March 31, 2010 at 11:12am

Police put spotlight on IPv6

Police have drafted a plan to watch over the 340 trillion trillion trillion Internet addresses being issued under IPv6, the root and branch reform of addressing being done to stop the internet running out of space.
http://www.thinq.co.uk/news/2010/3/29/police-put-spotlight-on-ipv6/

Comment by Joe Klein on March 30, 2010 at 9:18am

Here is a link to the JITC (Joint Interoperability Test Center), which performed interoperability, performance and security testing on firewalls. http://jitc.fhu.disa.mil/apl/ipv6.html

Note, current testing from NIST and "IPv6 Ready" perform NO security testing. Security professional - buyer beware!

Comment by Thorsten Behrens on March 30, 2010 at 7:43am

The built-in firewall in Win7 handles IPv6 without issue. On a network level, the Juniper SSG series works well today, and the SRX series will gain v6 firewalling with the mid-May release.

Comment by Nimitz on March 30, 2010 at 6:07am

Any suggestion on fast firewall s/w for IPv6? ESET NOD32 Smart Security 4 seems to have failed, NIS slows the system down.
Thanks.
 


© 2014   Created by gogo6.
