[LACNIC/Seguridad] Fwd: Re: [v6ops] IPv6 transition technologies vs MITM (DEFCON)

Fernando Gont fgont en si6networks.com
Wed Aug 28 03:14:19 BRT 2013


Similar discussion, in the IETF v6ops WG...


-------- Original Message --------
From: 	Tim Chown <tjc en ecs.soton.ac.uk>
In-Reply-To: 	<52165DC0.7090406 en scea.com>
Date: 	Thu, 22 Aug 2013 21:51:18 +0100
Message-ID:
<EMEW3|aa8823c39ca54364e45099ae590c0046p7LLpN03tjc|ecs.soton.ac.uk|CFF483B5-E780-4D8F-B2B4-2F9AE19A4147 en ecs.soton.ac.uk>
References: 	<52165DC0.7090406 en scea.com>
<CFF483B5-E780-4D8F-B2B4-2F9AE19A4147 en ecs.soton.ac.uk>
To: 	Tom Perrine <tperrine en scea.com>
Cc: 	IETF v6ops list <v6ops en ietf.org>
Subject: 	Re: [v6ops] IPv6 transition technologies vs MITM (DEFCON)


On 22 Aug 2013, at 19:51, Tom Perrine <tperrine en scea.com> wrote:

> There's been a fair amount of debate on the list about the merits of using
> the transition technologies vs an aggressive move to native IPv6 (usually
> dual-stack). We keep coming back (as we have for 10+ years) to finding
> business reasons to transition.
>
> In parallel, there's been a goodly amount of poking around IPv6, "the real
> world" and those transition technologies.
>
> The MITM attack demonstrated at DEFCON this year was nothing new. While it
> was widely covered as an "IPv6 security flaw", it was really taking
> advantage of the well-known "RA problem" and the behavior of an
> IPv6-capable node on a nominally IPv4-only network.
>
> Frankly, while it was a nice "one click" automation of an
> already-recognized exploit, there wasn't really anything new.
>
> But, what I'm seeing is that no one is talking about how the transition
> strategies will not address this attack at all, at least as far as I can
> tell. They all seem to seek to leave (allegedly) IPv4-only nodes in place
> and work at one or more hops away from those nodes. This ignores that so
> many nodes really aren't IPv4-only. They are really dual-stack nodes that
> are waiting for the IPv6 configuration to be completed. And you can
> complete that configuration, or your attacker will!
>
> I see two ways to mitigate this attack:  turn off IPv6 on all modern OSes,
> or fully deploy IPv6.  Guess which one I don't want to see advocated :-)
>
> Am I missing something, or is this one more point to add to the "deploy
> IPv6 now, deploy native, skip the transition technologies"?  (I'm including
> dual-stack in the native strategy.)

There's lots of work within the IETF on this, e.g. take a look at
http://tools.ietf.org/html/draft-ietf-opsec-ipv6-implications-on-ipv4-nets-05.

The sunset4 WG is also quite interesting.

I'm surprised an event like DEFCON presented something that old.

Tim
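
[Added example, not part of the original thread and not code from either poster or the IETF draft: a monitoring-side check for the "RA problem" discussed above, which parses captured Ethernet frames and reports Router Advertisements from any source that is not an approved router. The function names, MAC addresses and 2001:db8:: prefixes are constructed for illustration.]

```python
import ipaddress
import struct

ETH_IPV6, NH_ICMPV6, ICMP_RA, OPT_PREFIX = 0x86DD, 58, 134, 3

def parse_ra(frame):
    """Return RA details from an Ethernet frame, or None if it is not an RA.
    Simplification: ICMPv6 must directly follow the IPv6 header, and the
    ICMPv6 checksum is not verified."""
    if len(frame) < 70 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV6:
        return None
    ip, icmp = frame[14:54], frame[54:]
    if ip[0] >> 4 != 6 or ip[6] != NH_ICMPV6 or icmp[0] != ICMP_RA:
        return None
    info = {
        "mac": frame[6:12].hex(":"),                      # Ethernet source
        "src": str(ipaddress.IPv6Address(ip[8:24])),      # IPv6 source
        "lifetime": struct.unpack_from("!H", icmp, 6)[0], # router lifetime (s)
        "prefixes": [],
    }
    pos = 16  # options start after the fixed 16-byte RA header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp):
            break  # malformed option, stop parsing
        if opt_type == OPT_PREFIX and opt_len == 32:
            net = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            info["prefixes"].append(f"{net}/{icmp[pos + 2]}")
        pos += opt_len
    return info

def unexpected_ras(frames, allowed_macs=frozenset()):
    """RAs whose source MAC is not an approved router. With the default empty
    allowlist (a network meant to be IPv4-only) every RA is reported."""
    found = (parse_ra(f) for f in frames)
    return [ra for ra in found if ra and ra["mac"] not in allowed_macs]

def build_ra(mac, src, prefix, plen):  # test fixture only, checksum left 0
    opt = struct.pack("!BBBBII4x", OPT_PREFIX, 4, plen, 0xC0, 86400, 14400)
    opt += ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", ICMP_RA, 0, 0, 64, 0, 1800, 0, 0) + opt
    ip = struct.pack("!IHBB", 6 << 28, len(icmp), NH_ICMPV6, 255)
    ip += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001" + mac.replace(":", "")) + b"\x86\xdd"
    return eth + ip + icmp

SAMPLE = [  # constructed frames using the 2001:db8::/32 documentation prefix
    build_ra("02:00:00:00:00:01", "fe80::1", "2001:db8:1::", 64),
    build_ra("02:00:00:00:00:66", "fe80::66", "2001:db8:bad::", 64),
]
```

[With an empty allowlist, unexpected_ras(SAMPLE) reports both advertisements, which is the expected result on a segment that is supposed to carry no IPv6 at all.]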




