Building

MLD Considered Harmful?

This is a guest post from Antonios Atlasis.

On Thursday the 20th Enno, Jayson and I had the pleasure to present our latest research results  regarding MLD at Deepsec 2014, both from vendors’ implementation perspective as well as regarding protocol design flaws (some preliminary results as well as our testing methodology were discussed here and here).

For refreshing out memory, in a nutshell, the purpose of MLD, a subprotocol of IPv6, is to inform routers about the presence of nodes which are interested in receiving specific multicast traffic (RFC 2710). The newer version of MLD, MLDv2 adds the ability for source address selection (RFC 3810).

Continue reading “MLD Considered Harmful?”

Continue reading
Building

MLD to Be Reconsidered?

This is guest post from Antonios Atlasis.

Following my September post about the connection between MLD and Neighbor Discovery, as well as Enno’s introduction about our upcoming talk at DeepSec, I would like to try to enlighten you about this with some technical details. First, we have some facts:

  1. MLD is pre-enabled in most modern Operating Systems.
  2. MLD traffic is sent out-of the-box during the stack initialization, as well as periodically.
  3. They also interact with/respond to MLD Queries without any further configuration.

Continue reading “MLD to Be Reconsidered?”

Continue reading
Building

Protocol Properties & Attack Vectors

Next week, at DeepSec, we’re going to give a talk about Multicast Listener Discovery (MLD), a component of IPv6 which is realized by means of ICMPv6 messages. There are two versions of MLD (mainly specified in RFC 2710 and RFC 3810 respectively) and while MLD is technically implemented by ICMPv6 exchanges, these specifications describe a whole set of rules and communication formats, hence we can safely talk about “the MLD protocol”.

Now, you might ask: how does one tackle the task of examining the security “of a protocol”?

Continue reading “Protocol Properties & Attack Vectors”

Continue reading
Building

Dynamics of IPv6 Prefixes within the LIR Scope in the RIPE NCC Region

To contribute to the current debate on IPv6 route deaggregation & “strict-filtering” performed by certain ISPs we just released a white paper on “Dynamics of IPv6 Prefixes within the LIR Scope in the RIPE NCC Region“. I will give a talk on the overall topic later today at the Routing Working Group. We sincerely hope that the IPv6 community becomes aware of the inherent issues, and that practical solutions can be found which consider & meet the needs of the different parties involved.

Best

Enno

Continue reading
Building

Router Advertisement Options to the Rescue – A Deep Dive into DHCPv6, Part 2

This is the sequel post to the first part in which I mainly covered some elements of the specification wrt the “on-link” flag and the IPv6 subnet model.
In short each IPv6 address has an associated flag which determines if the host considers the respective address to be part of “a network where neighbors exist”. If this is the case ND is performed to talk to them, otherwise all communication with other hosts on that prefix is sent to the router. This flag is NOT set for DHCPv6 addresses (and, btw, just to make this clear already, there’s no way of setting it as part of the DHCP configuration procedure either) so communication with hosts with the same DHCPv6 provided prefix is supposed to go through a router, which in turn is very different (behavior) from the IPv4 world.

At the end of the first part we had a configuration state which led to two global addresses on both systems involved, a DHCPv6 provided one and another one generated as part of the SLAAC process, which can create operational issues of all kinds (improper source address selection, hindered troubleshooting etc.). Furthermore such a setting does not reflect “the operational DHCPv4 model” which we envisaged as the ultimate goal of our exercise. I had finished that post along the lines: “we then have to get rid of the SLAAC address”.

Continue reading “Router Advertisement Options to the Rescue – A Deep Dive into DHCPv6, Part 2”

Continue reading
Building

I Don’t Have Any Neighbors – A Deep Dive into DHCPv6, Part 1

Probably due to the (“secondary”) role it has been historically assigned within the IPv6 universe, DHCPv6 is a protocol which is very different from its IPv4 counterpart. Some of the differences and similarities have been discussed recently (e.g. see Scott Hogg‘s article on “High Availability DHCPv6“). This post aims at covering a fundamental, yet widely unknown or misunderstood difference, that is the properties of DHCPv6 addresses and their behavior on the local-link.

Continue reading “I Don’t Have Any Neighbors – A Deep Dive into DHCPv6, Part 1”

Continue reading
Breaking

A “Please, Don’t Waste my Time” Approach and the Sourcefire/Snort Evasion

This is a guest post from Antonios Atlasis.

Yesterday we (Rafael Schaefer, Enno and me) had the pleasure to deliver together our talk at BlackHat Europe 2014 named Evasion of High-End IDPS Devices at the IPv6 Era (by the way, latest slides can be found here and the white paper here). In this talk we summarised all the IDPS evasion techniques that we have found so far. At previous blogposts I had the chance to describe how to evade Suricata and TippingPoint. In this post I am going to describe some other techniques that can be used to evade Snort, and its companion commercial version, Sourcefire. The tool used to evade these IDPS is –  what else – Chiron.

The versions that we used for our tests are the latest available ones at the time of this writing, that is:

  • Sourcefire, Model 3D7020 (63) Version 5.2.0.3 (Build 48), VDB version 216.
  • Snort 2.9.6.2 GRE (build 77), Registered User’s Release Rules.

Continue reading “A “Please, Don’t Waste my Time” Approach and the Sourcefire/Snort Evasion”

Continue reading
Building

Deaggregation by large organizations

Some hours ago Iljitsch van Beijnum posted an email with the above subject to the RIPE Best Current Operational Practices (BCOP) mailing list.
Therein he describes the growing issue of (IPv6 prefix) deaggregation desires/approaches by certain organizations vs. the filtering practices of other organizations (providers). I touched this problem, from an enterprise’s perspective, some time ago in the second part of my blog post series on IPv6 address planning. Given we think that the discussion is heavily needed from several angles, I had actually submitted a talk on the topic twice (for the RIPE meeting in Warsaw in May and the upcoming one in London) which was unfortunately rejected at both occasions.
I’m hence very happy to see that a dialogue about the inherent dilemma might be started by Iljitsch’s mail. As a contribution to the development of a BCOP document I will hereby publish our draft slides of the talk which was initially planned. Furthermore two fellow IPv6 practitioners (Hi Roland & Nico!) and I plan to release a detailed paper with research results as for IPv6 prefix distribution at major European IXs in the near future.

Let’s hope that we as the IPv6 community can reach some consensus in this space soon. See you in London,
have a good one everybody

Enno

 

Continue reading