Honeypots
IPv6 Dec 18 2002 02:34AM
Lance Spitzner (lance honeynet org) (2 replies)
Re: IPv6 Dec 18 2002 10:08PM
Chris Green (cmg sourcefire com) (1 replies)
Re: IPv6 Dec 18 2002 11:03PM
Jose Nazario (jose monkey org) (1 replies)
Re: IPv6 Dec 20 2002 01:45PM
Valdis Kletnieks vt edu
On Wed, 18 Dec 2002 18:03:18 EST, Jose Nazario <jose (at) monkey (dot) org> said:
> IPv6 has optional headers, which means the IDS (or really any security
> device) will have to do a lot of stateful analysis of the IPv6 traffic it
> sees. So far, the only IPv6 security discussions I have seen are all about
> IPsec. Anyone have anything GOOD on securing IPv6 networks?

There's probably not a lot out there. This is probably because most people
think that for the most part, securing an IPv6 network is really almost
the same thing as securing an IPv4 network. There are only a few real classes
of attacks:

1) Attacks that exploit some brokenness of the protocol itself (for instance,
Smurf using what was a bad choice of default for pings to a broadcast address).

2) Attacks that exploit a bug in a broken stack (for instance, the original
'ping-of-death').

3) Attacks that happen to use a given protocol stack to deliver malicious
data to an application listening on a port. For instance, I suspect that
last week's round of SSH bugs will work equally well over IPv6 if the SSH
supports IPv6 connections.

(3) is protocol-agnostic, (2) can't really be secured against before the
fact, as the proper fix is to patch the systems when a problem is found,
and (1) we don't have any data on yet. ;)

And let's face it - there's only a limited amount you can do to *secure*
the network before it becomes time to bite the bullet and start using IPSec. ;)

As far as *monitoring* the net - all you have to do is make sure your IDS
knows about all protocols that you're using/routing. There's nothing mystical
about IPv6-over-IPv4 tunnelling that's a totally new idea - we've seen plenty
of tunnelling in the IPv4 world already - telnet-over-DNS-queries, transferring
data inside ICMP packets, etc etc etc.

Move along folks, nothing to see... Move along.. nothing to see... :)
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
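
Added example, not part of the original message or of any IDS product: a sketch of what "knowing about" the optional headers and IPv6-over-IPv4 tunnelling means for a sensor, namely stripping an outer IPv4 header with protocol 41 and following the IPv6 Next Header chain before any port-based rule can match. The function names and the sample packet are assumptions made for illustration; only Hop-by-Hop, Routing, Destination Options and Fragment headers are walked (AH/ESP are out of scope).

```python
import struct

IPV6_IN_IPV4 = 41          # IPv4 protocol number carrying encapsulated IPv6
EXT_VARIABLE = {0, 43, 60} # Hop-by-Hop, Routing, Destination Options
FRAGMENT = 44              # Fragment header, fixed 8 bytes

def walk_ipv6(pkt):
    """Follow the Next Header chain; return (upper_proto, payload_offset, chain)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT_VARIABLE or nxt == FRAGMENT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Length field counts 8-byte units beyond the first 8 bytes
        size = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):
            raise ValueError("extension header overruns packet")
        chain.append(nxt)
        if nxt == FRAGMENT and struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
            return None, off + size, chain  # later fragment: no upper header here
        nxt, off = pkt[off], off + size
    return nxt, off, chain

def inspect(pkt):
    """Report tunnelling, extension chain and TCP/UDP destination port."""
    tunnelled = False
    if pkt and pkt[0] >> 4 == 4:                 # outer IPv4 header
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl:
            raise ValueError("bad IPv4 header")
        if pkt[9] != IPV6_IN_IPV4:
            return {"tunnelled": False, "proto": pkt[9], "ext": [], "dport": None}
        pkt, tunnelled = pkt[ihl:], True         # strip outer header, keep going
    proto, off, chain = walk_ipv6(pkt)
    dport = None
    if proto in (6, 17) and len(pkt) >= off + 4: # TCP or UDP
        dport = struct.unpack("!H", pkt[off + 2:off + 4])[0]
    return {"tunnelled": tunnelled, "proto": proto, "ext": chain, "dport": dport}

def sample_6in4():
    """Constructed packet: IPv4(proto 41) / IPv6 / Hop-by-Hop / DestOpts / TCP:22."""
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 0, 0, 0x5002, 1024, 0, 0)
    hbh = bytes([60, 0, 1, 4, 0, 0, 0, 0])       # next=DestOpts, PadN fills 6 bytes
    dst = bytes([6, 0, 1, 4, 0, 0, 0, 0])        # next=TCP
    body = hbh + dst + tcp
    v6 = struct.pack("!IHBB", 6 << 28, len(body), 0, 64) + bytes(32)
    v4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6) + len(body), 0, 0, 64, 41, 0)
    return v4 + bytes(8) + v6 + body
```

For the constructed packet, a sensor that only reads the fixed IPv6 Next Header byte sees 0 (Hop-by-Hop) instead of TCP, while inspect() reports TCP port 22 behind two extension headers inside a protocol-41 tunnel.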

Re: IPv6 Dec 18 2002 12:45PM
Colin Stubbs (cjstubbs optushome com au)
Copyright 2009, SecurityFocus