
Thread: ISS X-Force Whitepaper: Security Implications of IPv6

  1. #1
    Senior Member
    Join Date
    Aug 2002

    ISS X-Force Whitepaper: Security Implications of IPv6

    I got this off the focus-IDS list today. It seems like it might be a pretty interesting read. I will probably read over it tonight. Let me know what your opinions are of it when/if you do.

    Focus-IDS readers-

    ISS X-Force has released a whitepaper describing the current and future security implications of the IPv6 protocol. The main premise of the paper is to help educate administrators and network operators about how IPv6 can be used today on current IPv4 networks to establish rogue channels and to evade IDS systems. I have included the executive summary, and a link to the paper in its entirety below:

    Executive Summary

    Internet Protocol version 6 (IPv6) contains numerous features that make it attractive from a security standpoint. It is reliable and easy to set up, with automatic configuration. Huge, sparsely populated address spaces render it highly resistant to malicious scans and inhospitable to automated, scanning and self-propagating worms and hybrid threats.

    IPv6 is not a panacea for security, though, because few security problems derive solely from the IP layer in the network model. For example, IPv6 does not protect against misconfigured servers, poorly designed applications, or poorly protected sites. In addition, IPv6 and IPv6 transitional mechanisms introduce new, not widely understood, tools and techniques that intruders can use to secure unauthorized activity from detection. These IPv6-derived efforts are often successful even against existing IPv4 networks.

    Since many network administrators have yet to take advantage of IPv6, they may be unaware of IPv6 traffic that has tunneled into their networks. Attackers are already using this potential oversight to establish safe havens for attack.

    Fortunately, existing protection technology is equipped for IPv6, making protection across this emerging standard both practical and straightforward. This whitepaper discusses the security implications of IPv6 and solutions that enable administrators to protect against attacks, intrusions and backdoors that take specific advantage of the protocol.

    Security Implications of IPv6: http://documents.iss.net/whitepapers/IPv6.pdf

    Dan Ingevaldson
    Engineering Manager, X-Force R&D
    Opinions are like holes - everybody's got 'em.


  2. #2
    Senior Member
    Join Date
    Jan 2002
    This is some real good info!
    Thx kadeng
    I'm gone, thx everyone for so much fun and good info.
    cheers and good bye

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Ouch..... Scary read...... I'm not sure I understand it yet and really need to read more about IPv6..... But it scared me enough to fire off an email to my firewall manufacturer asking a few pertinent questions because their support doesn't even mention IPv6......

    Ok...... Good old Google came up with the following:-

    Sending and Receiving Rules for 6to4 Routers

    When the requesting site's 6to4 router sees that it must send a packet to another site (that is, there is a nonlocal destination), and that the next hop destination prefix contains the special 6to4 Top Level Aggregation (TLA) value of 2002::/16, the IPv6 packet is encapsulated in an IPv4 packet using an IPv4 protocol type of 41, as defined in the Transition Mechanisms RFC [4]. The source IPv4 address will be the one in the requesting site's 6to4 prefix (which is the IPv4 address of the outgoing interface to the Internet on the 6to4 router, and contained in the source 6to4 prefix of the IPv6 packet), and the destination IPv4 address will be the one in the next hop destination 6to4 prefix of the IPv6 packet.
    The entire article is here and worth the read.

    The upshot here seems to be that IPv6 can be tunnelled, (wrapped in an IPv4 packet), by the use of IPv6 to IPv4, (6to4), across the internet via IPv6 _un_aware routers until it reaches its destination 6to4 router within the target network. The 6to4 aware router would then recognize that the IP protocol is Type 41 and strip the IPv4 packet away leaving the intact IPv6 packet to continue on to its destination.

    The security implications of this are quite disturbing. L33t Haxor Bernardo manages to engineer his IPv6 aware trojan/backdoor onto one of my (L)users' workstations via a web site let's say. The Trojan/backdoor pre-packages its IPv6 packets in a 6to4 manner and sends off its packets to a predestined 6to4 router in his domain. He can do this over regular ports like 80 so I can't block him. Any IDS rules are made invalid since the wrapping of the IPv6 packet in the IPv4 wrapper alters all the content offsets etc. in the signatures. Just to make matters worse IPv6 natively supports IPSec so the wrapped IPv6 packet can be easily encrypted making my IDS's utterly useless..... The one thing I have to rely on is that I can recognize the IP Type 41 with my IDS but I can't block it at my firewall so I only get late warning of activity....<sux>. I'm off to write a snort rule for the Type 41..... Then I gotta try to test it and hope that Type 41 is reserved for 6to4 only or my false rate will be horrible and may not even be worth the effort........
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
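
Added example (not part of the thread or of the ISS whitepaper): a defender-side check for the traffic discussed in post #3. It flags raw IPv4 packets carrying protocol 41 and applies the quoted 6to4 sending rule (outer IPv4 addresses equal the ones embedded in the 2002::/16 prefixes) to tell 6to4 apart from other protocol-41 encapsulation; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct

PROTO_41 = 41  # IPv4 protocol number for encapsulated IPv6
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")

def embedded_v4(addr6):
    """IPv4 address carried in bits 16-47 of a 6to4 address, else None."""
    if addr6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address(addr6.packed[2:6])

def classify(pkt):
    """Return (verdict, details) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4", {}
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "malformed", {}
    if pkt[9] != PROTO_41:
        return "other", {"proto": pkt[9]}
    src4 = ipaddress.IPv4Address(pkt[12:16])
    dst4 = ipaddress.IPv4Address(pkt[16:20])
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "proto41-malformed", {"src4": str(src4), "dst4": str(dst4)}
    src6 = ipaddress.IPv6Address(inner[8:24])
    dst6 = ipaddress.IPv6Address(inner[24:40])
    info = {"src4": str(src4), "dst4": str(dst4), "src6": str(src6), "dst6": str(dst6)}
    e_src, e_dst = embedded_v4(src6), embedded_v4(dst6)
    if e_src is None and e_dst is None:
        return "proto41-other-tunnel", info   # protocol 41, but not 2002::/16
    # 6to4 sending rule: outer IPv4 addresses equal the ones in the 6to4 prefixes
    if e_src in (None, src4) and e_dst in (None, dst4):
        return "6to4", info
    return "6to4-mismatch", info              # outer/inner addresses disagree

def build_sample(src4, dst4, src6, dst6, proto=PROTO_41):
    """Constructed packet: 20-byte IPv4 header (checksum 0) + bare IPv6 header."""
    v6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
          + ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed)
    v4 = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, proto, 0)
          + ipaddress.IPv4Address(src4).packed + ipaddress.IPv4Address(dst4).packed)
    return v4 + v6

if __name__ == "__main__":
    # Constructed samples using documentation address ranges
    for args in [("192.0.2.1", "198.51.100.7", "2002:c000:201::1", "2002:c633:6407::1"),
                 ("203.0.113.9", "198.51.100.7", "2002:c000:201::1", "2002:c633:6407::1"),
                 ("192.0.2.1", "198.51.100.7", "2001:db8::1", "2001:db8::2")]:
        print(classify(build_sample(*args)))
```
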

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Yeah I agree Tiger shark, scary stuff and it will become even more scary in the future when this will be common knowledge and even a script kiddie can use it!

    So now it's the moment to learn!
    I'm gone, thx everyone for so much fun and good info.
    cheers and good bye
