Article: IPv6 host scanning attacks

STARNES, CURTIS Curtis.Starnes at granburyisd.org
Wed Jun 13 20:22:10 UTC 2012


It seems I saw that title came through an article somewhere but I have a slight problem with stating that "Vast IPv6 address space actually enables IPv6 attacks".

Going from an IPv4 32 bit address space to a IPv6 128 bit address space like you mentioned in the article would be a tedious effort to scan.

But you also make the following assumptions:
<Quote>
	A number of options are available for selecting the Interface ID (the low-order 64 bits of an IPv6 address), including:
		.Embed the MAC address;
		.Employ low-byte addresses;
		.Embed the IPv4 address;
		.Use a "wordy" address;
		.Use a privacy or temporary address;
		.Rely on a transition or coexistence technology.
 
	Unfortunately, each of these options reduces the potential search space, making IPv6 host-scanning attacks easier and potentially more successful.
<End Quote>

That sounds fine and dandy but in reality, Internet facing IPv6 native or dual-stack systems that are installed with any security forethought at all would not embed any of these options with the exception of the last one (transitional or coexistence) only if forced to do so.

I agree that some IPv6 addresses are set up to have catchy names, but why set up hundreds or even thousands of IPv6 addresses with IPv6 addresses that you try to remember like we did with IPv4?

I will also concede that Microsoft has not helped with issuing multiple IPv6 addresses using "privacy" settings even if a static IPv6 address is set.

In general, I just don't agree with your conclusions, and with proper IPv6 firewall rules, the network should still be as secure as the IPv4 systems.  Not more insecure just because they run an IPv6 stack.


Curtis

-----Original Message-----
From: Dave Hart [mailto:davehart at gmail.com] 
Sent: Wednesday, June 13, 2012 12:29 PM
To: Fernando Gont
Cc: NANOG
Subject: Re: Article: IPv6 host scanning attacks

On Wed, Jun 13, 2012 at 6:52 AM, Fernando Gont <fernando at gont.com.ar> wrote:
> Folks,
>
> TechTarget has published an article I've authored for them, entitled
> "Analysis: Vast IPv6 address space actually enables IPv6 attacks".
>
> The aforementioned article is available at:
> <http://searchsecurity.techtarget.com/tip/Analysis-Vast-IPv6-address-s
> pace-actually-enables-IPv6-attacks>

"published" and "available" are misleading at best.  The article is teased with a sentence and a half, truncated by a demand for an email address with tiny legalese mentioning a privacy policy and terms of use that undoubtedly would take far longer to read than Gont's valuable content.

> (FWIW, it's a human-readable version  of the IETF Internet-Draft I 
> published a month ago or so about IPv6 host scanning (see:
> <http://tools.ietf.org/html/draft-gont-opsec-ipv6-host-scanning>))

I guess I'll take a look at this to see what you're smoking.

> You can get "news" about this sort of stuff by following @SI6Networks 
> on Twitter.

"news" in quotes is appropriate given it's really eyeball harvesting for marketing purposes.

Cheers,
Dave Hart





More information about the NANOG mailing list