IPv6 – Page 3 – Insinuator.net

Misc

May 8, 2017 by Christopher Werny

One Step Closer – RDNSS (RFC 8106) Support in Windows 10 Creators Update

Good Afternoon,

It is a pleasant surprise for many (us included) that Microsoft implemented support for the RDNSS (RFC 8106) option in Router Advertisements beginning with the Windows 10 Creators Update. Interestingly, I wasn’t able to find any official documents from Microsoft stating this. As we are involved in a lot of IPv6 related projects for our customers, the lack of RDNSS support for Windows and DHCPv6 for Android is a major pain point when implementing IPv6 in mixed client segments, as you need to implement both mechanisms to ensure that all clients do get the relevant network parameters. I won’t beat on the dead horse, but Microsoft’s decision is a huge step in the right direction and one can hope that one day Google finds a “compelling use case” to implement at least stateless DHCPv6 for Android. Continue reading “One Step Closer – RDNSS (RFC 8106) Support in Windows 10 Creators Update”

Misc

March 11, 2017 by Enno Rey

Testing RFC 6980 Implementations with Chiron

In the recent post on the IPv6 properties of the latest MS Windows versions I announced another one providing details on the RFC 6980 related testing I had performed. So here we go.

When doing IPv6 security testing there’s mainly four toolkits which can be used: Continue reading “Testing RFC 6980 Implementations with Chiron”

Building

January 30, 2017 by Enno Rey

IPv6 Properties of Windows Server 2016 / Windows 10

In this post we’ll take a detailed look at the properties of the Windows Server 2016 IPv6 stack.
I perform(ed) this exercise for several reasons:

Continue reading “IPv6 Properties of Windows Server 2016 / Windows 10”

Building

December 21, 2016 by Enno Rey

IPv6 Configuration Approaches for Servers

In this post I’ll discuss configuration approaches for systems which usually have been configured with “static” IP parameters in the IPv4 age/context (like servers in data centers). When it comes to IPv6 there are more options and we’ll have a look at their implications and potential advantages/disadvantages.

Continue reading “IPv6 Configuration Approaches for Servers”

Breaking

December 5, 2016 by Christopher Werny

Some Notes from the Lab – BlackNurse in the IPv6 Era

Since BlackNurse was released on 10th of November, we asked ourselves whether this problem does also apply to ICMPv6 traffic. To answer this question, Christian Tanck (one of our students) build a lab with several firewall appliances. Kudos to him for testing and the following blog post.

Continue reading “Some Notes from the Lab – BlackNurse in the IPv6 Era”

Building

November 2, 2016 by Enno Rey

IPv6 Source Address Selection

As we all know an IPv6 enabled host can have multiple addresses. In order to select a source address for a to-be established outbound connection, operating systems implement a source address selection mechanism that evaluates multiple source address candidates and selects the (potentially) best candidate. Criteria for this selection are defined in RFC6724 (which obsoletes RFC 3484).

Continue reading “IPv6 Source Address Selection”

Breaking

August 21, 2016 by Enno Rey

Follow-Up on CVE-2016-1409 – IPv6 NDP DoS Vulnerability

This is a guest post from Jed Kafetz.

After seeing Christopher’s post I decided to create a proof using GNS3 and Virtualbox.
The aim is to perform the exact attacking using Antonios Atlasis’ Chiron tools and run a Wireshark packet capture to prove the hop limit drops below 255.

Continue reading “Follow-Up on CVE-2016-1409 – IPv6 NDP DoS Vulnerability”

Events

June 3, 2016 by Enno Rey

IPv6 & Threat Intelligence

Tomorrow, I will join a meeting where I’m expected to contribute, amongst others, to a discussion on the impact of IPv6 on threat intelligence. To prepare for that I started putting together some thoughts & ideas on the topic, and I even thought I might share this in a post (the one you read right now ;-), not least to, maybe, stimulate a discussion.

Continue reading “IPv6 & Threat Intelligence”

Breaking

May 30, 2016 by Christopher Werny

CVE-2016-1409 – IPv6 NDP DoS Vulnerability in Cisco Software

Dear readers,

As you may have already noticed, Cisco released an urgent security advisory describing an IPv6 Neighbor Discovery DoS Vulnerability in several flavors of Cisco’s operating systems. Currently IOS-XR, XE and NX-OS are affected while ASA and “classic” IOS are under investigation. At first glance, it might look like yet another IPv6 DoS vulnerability. Looking closer, Cisco is mentioning an unauthenticated, remote attacker due to insufficient processing logic for crafted IPv6 NDP packets that are sent to an affected device. Following the public discussion about the vulnerability, it seems that these packets will reach the, probably low rate-limited, LPTS filter/queue on IOS XR devices “crowding” out legitimate NDP packets resulting in a DoS for IPv6 traffic, or in general a high CPU load as these packets will be processed by the CPU. More details are currently not available, but this might indicate the affected systems aren’t doing proper message validation checks on NDP packets (in addition to the LPTS filter/queue problem).

Continue reading “CVE-2016-1409 – IPv6 NDP DoS Vulnerability in Cisco Software”

Events

May 28, 2016 by Enno Rey

The Beauty of IPv6 Link-Local Addressing. Not

In November 2014, after quite some controversy in the IETF OPSEC working group (for those interested look at the archives), the Informational RFC 7404 “Using Only Link-Local Addressing inside an IPv6 Network” was published. It is authored by Michael Behringer and Eric Vyncke and discusses the advantages & disadvantages of an approach using “only link-local addresses on infrastructure links between routers”.

Continue reading “The Beauty of IPv6 Link-Local Addressing. Not”