This document discusses the security implications of native IPv6 support and IPv6 transition/co-existence technologies on "IPv4-only" networks, and describes possible mitigations for the aforementioned issues.
2ca68992f1e854362ce2fe5d00357f8634430a612c312dba8e00ad5d586e35f4
rd-attack is a tool for finding vulnerabilities based on ICMPv6 Redirect messages.
75ef138e80c715c496ab039939f1aa91edb626d283e4705e8ad8c770aa02c623
ni6 is a security assessment tool that exploits potential flaws in the processing of ICMPv6 Node Information messages.
ef026e19bb05a8e35114e31349134c5a2a5d5688a0963bba15b3d387466c534c
jumbov6 is a tool to assess IPv6 implementations with respect to attack vectors based on IPv6 jumbograms.
70bfa103033977fae419ba459c2326bf358ca0f22ea9e70abc5986d263dfaae1
This toolkit houses various IPv6 tools that have been tested to compile and run on Debian GNU/Linux 6.0, FreeBSD 8.2, NetBSD 5.1, OpenBSD 5.0, and Ubuntu 11.10.
495e347d4bbbe9c0d3103f47b8d7a0f7d1a5f329d8d7205e15208bf12efcc139
ipv6mon is a tool for IPv6 address monitoring on local area networks.
87998c9beb90c410776520cb78807d8b97edb1ae4718be2cd8ed998cb9c50079
icmp6-attack is a tool for assessing vulnerabilities in ICMPv6 error messages.
ea6d02dca82a6ab1ff31fe84a06fc2903dd5f62c1fff178f155d3db8be6f32d2
frag6 is a security assessment tool for attack vectors based on IPv6 fragmentation.
ff17013fa710766492566513213184ed833099c8a1d20510c6d0688633371093
flow6 is a tool that performs a security assessment of the IPv6 Flow Label Field.
fec38fb5001ec4bc83eaff5713607b708f5dff5075d86fa4946185e0b8774005
These slides are from the Hacking IPv6 Networks Training provided by SI6 Networks at Hack In Paris (HIP) 2012.
0d3955844c228dbbf45829f49ad626b6544eca4022e513a8b948d884d64297e1
This document specifies a mechanism that can be implemented in layer-2 devices to mitigate attack vectors based on Neighbor Discovery messages. It is meant to complement other mechanisms implemented in layer-2 devices such as Router Advertisement Guard (RA-Guard) and DHCPv6-Shield, with the goal of achieving a comprehensive IPv6 First Hop Security solution. This document is motivated by the desire to achieve feature parity with IPv4 with respect to First Hop Security mechanisms.
b0bd48d4dfcf7fc338169df812038a282998457c61b3f8cfb9294a669b43f80a
This document specifies a mechanism for protecting hosts connected to a broadcast network against rogue DHCPv6 servers. The aforementioned mechanism is based on DHCPv6 packet-filtering at the layer-2 device on which the packets are received. The aforementioned mechanism has been widely deployed in IPv4 networks ('DHCP snooping'), and hence it is desirable that similar functionality be provided for IPv6 networks.
2167f8ff55bb0233568e045e7042373efab0919dd45517725399c88fa634ea33
This document discusses the security implications of native IPv6 support and IPv6 transition/co-existence technologies on "IPv4-only" networks, and describes possible mitigations for the aforementioned issues.
b620fd364138e64c6e10717389b326fd4176c5005ea71cbad80cb84096381fe9
IPv6 offers a much larger address space than that of its IPv4 counterpart. The standard /64 IPv6 subnets can (in theory) accommodate approximately 1.844 * 10^19 hosts, thus resulting in a much lower host density (#hosts/#addresses) than their IPv4 counterparts. As a result, it is widely assumed that it would take a tremendous effort to perform host scanning attacks against IPv6 networks, and therefore IPv6 host scanning attacks have long been considered unfeasible. This document analyzes the IPv6 address configuration policies implemented in most popular IPv6 stacks, and identifies a number of patterns in the resulting addresses that lead to a tremendous reduction in the host address search space, thus dismantling the myth that IPv6 host scanning attacks are unfeasible.
3e402c5d8f47be6b853bd514ed35744c8ab3f764907fb96603770a5396359be0
These are the slides for the presentation "Recent Advances in IPv6 Security" that was given at Hackito Ergo Sum 2012.
26a911f6f3b82ca092f560786633c0b4c82f374446265a10e96b3f88af2c9c53
This document specifies a method for generating IPv6 Interface Identifiers to be used with IPv6 Stateless Address Autoconfiguration (SLAAC), such that addresses configured using this method are stable within each subnet, but the Interface Identifier changes when hosts move from one network to another. The aforementioned method is meant to be an alternative to generating Interface Identifiers based on IEEE identifiers, such that the benefits of stable addresses can be achieved without sacrificing the privacy of users.
2be85628520d1d07881dc0a60f77204594c41e42519ec05b5b14ddb2b2f10d7f
This Internet Draft specifies the security implications of predictable fragment identification values in IPv6. It primarily focuses on countermeasures and mitigations.
797c390e09afddabe88fd2b44a2368bbbcd4539539cf70a92b9a03e8ffc6de92
This IETF Internet Draft discusses security and interoperability implications of oversized IPv6 header chains.
8ec27e6f6b09e69798fd08859eb67352a7f027ed6076d6512288a35a48b32023
This document specifies an algorithm for the generation of TCP Initial Sequence Numbers (ISNs), such that the chances of an off-path attacker guessing the sequence numbers in use by a target connection are reduced. This document revises (and formally obsoletes) RFC 1948, and takes the ISN generation algorithm originally proposed in that document to Standards Track, formally updating RFC 793.
1de02139d839860eb49ea553acf75e16b93a6326e4b0eda1ef0daa56433b89da
IPv6 Extension Headers with Neighbor Discovery messages can be leveraged to circumvent simple local network protections, such as "Router Advertisement Guard". Since there is no legitimate use for IPv6 Extension Headers in Neighbor Discovery messages, and such use greatly complicates network monitoring and simple security mitigations such as RA-Guard, this document proposes that hosts silently ignore Neighbor Discovery messages that use IPv6 Extension Headers. This is revision 2 of this document. This revision includes, among other things, a discussion of possible issues with SEND as a result of IPv6 fragmentation.
a8b7a492cc8ab102f8884547a7f042ea0e94a1cdbbad648050eb655bf675f524
This Internet Draft focuses on providing advice to RA-Guard implementations, rather than on the evasion techniques that have been found effective against most popular implementations of RA-Guard.
b94a267d451834a19ba9db5489c12513c4c414f2e2934e7d487b0a5d8d337180
This Internet Draft specifies the security implications of predictable fragment identification values in IPv6. It primarily focuses on countermeasures and mitigations.
460fd180c573767e12e1ffa15a9dc5ae08637e6d06e765a8c0e9f2d0c204a17c
This document specifies a method for generating IPv6 Interface Identifiers to be used with IPv6 Stateless Address Autoconfiguration (SLAAC), such that addresses configured using this method are stable within each subnet, but the Interface Identifier changes when hosts move from one network to another. The aforementioned method is meant to be an alternative to generating Interface Identifiers based on IEEE identifiers, such that the same manageability benefits can be achieved without sacrificing the privacy of users.
542e6aa994a33734dc569e8c3b291d6929f88f48ab8d12f2e29320b1c816fadd
These are the slides from a presentation called Results of a Security Assessment of the Internet Protocol version 6 (IPv6). It was presented at H2HC 2011.
235e5a42446174bb0aaca07903e927bd0aa9ebe1831174aade73cd8274fb93b3
These are the slides for the IPv6 security talk given at Hack.lu 2011.
c48839ec6e8c59d1496899d1c7147f00134f8c12a6684faa5ee5150fb0a98546