nanog mailing list archives
[no subject]
From: "J. Oquendo" <sil () politrix org>
Date: Fri, 31 Dec 2004 20:12:48 -0500 (EST)
Subject: Re: IPv6, IPSEC and deep packet inspection

On Fri, 31 Dec 2004 bmanning () vacation karoshi com wrote:
as one who has been "bit" by this already - i can say amen to what Rob preacheth... the hardest part is getting folks up to speed on IPv6 as a threat vector. Swat teams that can neutralize an IPv4 based flareup in minutes/hours can take days/weeks to contain a v6 channel...
Supposedly the vulns associated with IPv6 are: reconnaissance, unauth'd access, layers 3-4 spoofing, ARP and DHCP attacks, smurfs, routing attacks, viruses and worms, translations, transitions, and tunneling mechanisms. According to Sean Convery's IPv6 Security Threats (http://www.seanconvery.com/SEC-2003.pdf)

I recall something with OpenBSD and IPv6 not too long ago where MTU was a factor so I pondered: If someone created a packet generator which spoofed source to destination using random checksums, etc, but set an MTU too high, would the recipient drop the connection altogether? For example:

// BEGIN EXAMPLE //

USER -- HOP1 -- HOP2 -- HOP3 -- PAYSITE

USER has an established connection (IPv6 of course) with PAYSITE

ATKR sends enough spoofed packets as USER to PAYSITE with an incremented checksum he managed to get hold of via a network analyzer, and sets a high MTU which some router en route to PAYSITE replies to USER with a Type 2

USER gets Type 2's from either HOP1, HOP2, or HOP3

USER never gets through to PAYSITE because of ATKR's cruddy packets

// END EXAMPLE //

Wouldn't PAYSITE disconnect the session with USER? I'm thinking indeed it would break any session for starters. ATKR could be on the same network, possibly a virus or worm set to capture some preliminary packet information and shoot it right back upstream, keeping any kind of handshaking/transactions from occurring. I could/would do a proof of concept but it would be worthless; hopefully those doing the protocols thought of this anyway.

NOW...

On Sat, 1 Jan 2005, Christopher L. Morrow wrote:
Some of this 'not follow it now' is partly due to equipment problems. These problems should be disappearing from many larger networks as new gear is cycled in over the next couple of years. The option will then be available to the engineers that operate the networks; they will likely still prefer the 'closest to the end system router' make the filtering decision though.
I think I've mentioned this before... Why isn't it standard by default? To which most replied about the ever changing BOGON addresses. It would be nice to see a "Trusted" repository that all equipment could pass to and from information.
your company likely has this capability, or could have it today... They also likely don't want you wasting company time buying things on ebay or amazon... your company, in the US, likely has this in their HR/Employee handbook in the form of some 'corporate assets are for corporate use only' statement.
Indeed no one wants their resources wasted, but what about those in the financial industries where monetary information is being sent. Surely no one wants that information being passed. On that note of network "waste", for those who do have those types of policies, that's what content management is for in my opinion. If it hasn't been fully implemented, then why call the kettle black.

Once again... Happy New Year everyone... Going going gone...

Jesus Oquendo

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
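The defensive check the scenario above turns on, as an added example that is not from this post or from NANOG: a host (or a stateful firewall in front of PAYSITE or USER) should act on an ICMPv6 Packet Too Big (Type 2) only when the packet embedded in it matches a flow the host is actually sending, and should never lower its path MTU estimate below the IPv6 minimum of 1280. The addresses, ports, flow table and the messages built here are constructed; the checksum of the sample is left at zero and not verified.

```python
import struct
from ipaddress import IPv6Address

ICMPV6_PACKET_TOO_BIG = 2
IPV6_MIN_MTU = 1280  # RFC 8201: never reduce the PMTU estimate below this
NEXT_HEADER_TCP = 6


def build_ptb(mtu, src, dst, sport, dport, proto=NEXT_HEADER_TCP):
    """Constructed sample: ICMPv6 type 2 carrying a 40-byte IPv6 header plus TCP ports.
    The ICMPv6 checksum is left as zero (real code verifies it before parsing)."""
    ip6 = struct.pack("!IHBB", 0x60000000, 20, proto, 64)
    ip6 += IPv6Address(src).packed + IPv6Address(dst).packed
    tcp = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + ip6 + tcp


def parse_packet_too_big(icmp):
    """Return the MTU and the 5-tuple of the invoking packet, or None if malformed."""
    if len(icmp) < 8 + 40 + 4:  # ICMPv6 header + inner IPv6 header + ports
        return None
    typ, _code, _csum, mtu = struct.unpack("!BBHI", icmp[:8])
    inner = icmp[8:]
    if typ != ICMPV6_PACKET_TOO_BIG or inner[0] >> 4 != 6:
        return None
    proto = inner[6]
    src, dst = IPv6Address(inner[8:24]), IPv6Address(inner[24:40])
    sport, dport = struct.unpack("!HH", inner[40:44])
    return {"mtu": mtu, "flow": (str(src), str(dst), proto, sport, dport)}


def accept_packet_too_big(icmp, active_flows):
    """Decide whether a Type 2 message may change the PMTU.
    active_flows: set of (local, remote, proto, lport, rport) this host is sending on.
    Returns (accepted, effective_mtu); a PTB that matches no flow is ignored."""
    p = parse_packet_too_big(icmp)
    if p is None or p["flow"] not in active_flows:
        return False, None
    return True, max(p["mtu"], IPV6_MIN_MTU)


# Constructed flow table as seen from USER: one session to PAYSITE on port 443.
USER, PAYSITE = "2001:db8::1", "2001:db8::2"
ACTIVE = {(USER, PAYSITE, NEXT_HEADER_TCP, 40000, 443)}
```

A Packet Too Big whose embedded packet names a port USER is not using is dropped instead of shrinking the MTU, and one quoting an MTU below 1280 is clamped rather than honoured.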