Stupid Little IPv6 Tricks

Published: 2013-06-12
Last Updated: 2013-06-12 22:12:51 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

With the IPv6 Summit on Friday, various IPv6 related topics are of course on my mind. So I figured to put together a quick laundry list of "stupid little IPv6 tricks/topics". Let me know what issues you are running into as well:

1 - Proxies 

Right now, many web sites use proxies to provide IPv6 access. The result is some "interesting" behaviour that you may experience:

  • The IPv6 version of the site may be out of date because the proxy cached it.
  • The IPv6 version may use a different certificate (see an earlier story about this).
  • A site may be down via IPv6 (because of a proxy problem) but up via IPv4.
  • The actual web application isn't coded to look at the Forward-For or similar header, so it has no idea where you are comming from and you run into rate limits.

2 - Extension Headers

Security devices still have issues with extension headers. They may miss attacks, or just misinterpret packets.

  • IDSs will not reassemble sessions correctly as they do not know if a packet will be dropped or not.
  • Firewalls may block packets (or let them pass) as they can't figure out the protocol.
  • Packet analysis tools will give you the wrong interpretation of a packet.

3 - Log Analysis / Address Interpreation

I still see log analysis tools that at first sight seem to work fine with IPv6, but they don't "normalize" the addresses, meaning that 2001:db8::1 is not considered equal to 2001:0db8::1 or 2001:0db8:0000:0000:0000:0000:0000:0001.

4 - Spam

Probably the most common IPv6 "attack" I see is spam, probably by accident (both ends happen to support IPv6) but it works quite well as there are still no real block list for IPv6.

5 - Portscans

So far, we see pretty much no port scans on IPv6 (which is kind of good ;-) ). It is still a decent idea to "hide" an SSH server in IPv6 space. 

BTW: Don't forget that we are now able to accept IPv6 firewall logs, not just IPv4!

 

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ipv6
0 comment(s)
ISC StormCast for Wednesday, June 12th 2013 http://isc.sans.edu/podcastdetail.html?id=3362

Comments

cwqwqwq
eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>
WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]
dwqqqwqwq mashood
[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)
[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]
What's this all about ..?
password reveal .
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
https://thehomestore.com.pk/

Diary Archives