The video demonstrates how to bypass an access control list on HP A5800 switch using IPv6 and extension headers. The attacker uses kernel modul which adds empty destination-options headers to the whole TCP session, thus is able to connect to any service on the server. The video is temporarily removed … Read More
This article describes first hop security issue of IPv6 Neighbor Discovery Protocol. Vulnerability of this protocol is exploited to perform a Rogue Router Advertisement attack. Currently, there are few mitigation techniques available against this type of attack. Most of them, however are useful only in specific scenarios, or not widely used, mainly because insufficient support of vendors. This article presents probably the most applicable mitigation technique against the Rogue RA attack — RA Snooping. Specifically, its implementations by Cisco and HP (H3C).
On February 2011, IANA has run out of IPv4 addresses. On April 2011, APNIC pool reached the final /8 IPv4 address block. Projected address pool exhaustion for other RIRs varies from the beginning of the 2012 to the end of 2014. This situation pushes organizations to think about transition to IPv6. Unfortunately IPv4 and IPv6 are incompatible protocols that make the transition more difficult and raise new security issues. This paper shares experiences of deploying IPv6 in the university campus network, describes the most significant troubles that we have been faced with and describes the best practices in the practical IPv6 deployment. The article discusses differences in IPv6 and IPv4 networks with focus on the first hop security, autoconfiguration (SLAAC, DHCP, DHCPv6) and different client’s support.
Traditional firewall techniques usually permit traffic according to IP addresses or port numbers. More advanced firewalls inspect even packet’s payload – e.g. http traffic. However, neither of these techniques is sufficient when dealing with IPv6 transition techniques. An attacker can easily avoid a security policy in a network by using … Read More
Protocol IPv6 puts new challenges for network administrators in the context of user identification. Unlike IPv4, an IPv6 address no longer uniquely identifies a user or PC. IPv6 address can be randomly generated and keeps changing in time. The presentation describes the system developed at the Brno University of Technology, … Read More
Users in IPv4 networks typically use only one IP address per interface configured either statically or dynamically via DHCPv4 server. Several techniques can be used to detect violation of that policy. However, IPv6 protocol brings new techniques and possibilities to obtain an IPv6 address. New concepts – autoconfiguration, multiple IPv6 addresses per interface or temporary IPv6 addresses providing privacy for end users introduce new challenges for users identification. Network administrators have to collect additional information for user identification from more sources, e.g. DHCPv6 log, routers neighbor cache, Radius logs, syslog etc. This paper presents analysis of IPv6 address assignment used in current networks together with guidelines how to identify a user in IPv6 networks.
Data monitoring and data retention are vital for network management and troubleshooting. The network and provided services are expected to be seamlessly available. Administrators often collect information about the on-going traffic in the form of IP flow records to reveal potential malicious activity that might violate the network usage policy but also to meet legal requirements on providing data about electronic communication to authorized organizations. It is vital not only to collect data about traffic but also to track the identity of users who are responsible for the traffic. The deployment of IPv6 renders unique user identification quite problematic or at least a complex task in comparison with IPv4 environment. In this report, we suggest a data retention system with user identification capabilities in IPv6 as well as in IPv4 network. This is achieved by extending flow records with information obtained by monitoring state of network devices via SNMP and monitoring state of control servers such as Radius. The system has been successfully deployed in BUT network.
IPv4 addresses are still running out. Global IPv4 address pool administered by IANA organization is depleted together with IPv4 pool of APNIC Routing Registry. This situation pushes organizations to think about IPv6 transition. Unfortunately IPv4 and IPv6 are incompatible protocols which raise new security issues and problems with user monitoring and accounting. The article shares experiences of deploying IPv6 on the university campus network and describes the most significant troubles that we have been faced with. It describes and compares differences in first hop security in IPv6 and IPv4 networks. Issues connected with user addressing, accounting and monitoring are also discussed. The experience is mainly based on the deployment of IPv6 on the campus network at Brno University of Technology which is one of the biggest universities in the Czech Republic.
One of the basic requirements of the IPv6 protocol is support for the autoconfiguration of network nodes. This document details the options for autoconfiguration in current operating systems and gives an overview of these options in IPv6 networks.
This document describes network structure, the ways of creating IPv6 addresses in end-user networks, and the methods used to connect home, corporate and campus networks.
- Page 1 of 2