Fernando Gont - Title: Recent Advances in IPv6 Security
HTML-код
- Опубликовано: 8 фев 2025
- During the last few years, the UK CPNI (Centre for the Protection of National Infrastructure) carried out a comprehensive security assessment of the Internet Protocol version 6 (IPv6) and related technologies (such as transition/co-existence mechanisms). The result of the aforementioned project is a series of documents (yet unpublished) that provide advice both to programmers implementing the IPv6 protocol suite and to network engineers
and security administrators deploying or operating the protocols. One of the protocols/mechanisms that was assessed as part of this project is Neighbor Discovery for IPv6, which provides in IPv6 similar functions to those provided in the IPv4 protocol suite by the Address Resolution Protocol (ARP) and the Internet Control Message Protocol (ICMP). This resulted in the first thorough security assessment of Neighbor Discovery for IPv6, covering not only protocol-design flaws, but also vulnerabilities arising from common implementation flaws. While some basic tools were already publicly available for exploiting some ND vulnerabilities (e.g., THC's "IPv6 attack suite"), these tools provided only very limited functionality and thus allowed experimentation with only a small subset of the potential Neighbor Discovery (ND) vulnerabilities that were identified as a result of this project. Therefore, in order to allow a thorough assessment of real-world systems, a comprehensive set of tools was produced as part of this project. The resulting tools were not only used internally for the evaluation of some popular IPv6 implementations, but were also shared with a number of vendors and open source projects such that they could perform an assessment of their own implementations.
This cooperation process led to the discovery of a number of vulnerabilities in real-world systems, some of which were patched before the complete results of this project were publicly released. Fernando Gont will discuss some of the identified Neighbor Discovery vulnerabilities, and will provide guidance to network operators and security administrators, such that these vulnerabilities can be mitigated (where possible) with standard security devices. Fernando will also provide a live demonstration of how these vulnerabilities can be exploited with the Neighbor Discovery attack suite produced by CPNI as part of the aforementioned project. The live demonstration will include at least three Denial of Service (DoS) vulnerabilities that affect popular operating systems (such as FreeBSD and Linux), and a demonstration of
evasion of network security controls such as RA-Guard and NDPMon. The attendees will be guided to reproduce a number of Neighbor Discovery attacks with a network of virtual machines provided to them during the training. Additionally, they will be guided to implement counter-measures for the aforementioned vulnerabilities. Focus of the presentation will be on the operational aspects of Neighbor Discovery (i.e., how to mitigate these vulnerabilities), and on the practical aspect of assessing IPv6 implementations with respect to the aforementioned vulnerabilities (i.e., live demonstration of the attacks).
