back to article Cisco warns IPv6 ping-of-death vuln is everyone's problem

Cisco is warning network administrators about a flaw in the handling of IPv6 packets that it says extends beyond its own products. The networking behemoth has issued a security alert detailing a vulnerability in the processing of IPv6 Neighbor Discovery (ND) packets that could allow a remote and unauthenticated miscreant to …

  1. John Sanders
    Facepalm

    Why I'm not surprised...?

    Stupidly complicated protocol... stupid bugs.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why I'm not surprised...?

      Ouch! Lots of IPv6 lovers here.

  2. Sgt_Oddball Silver badge

    how long has this bug been around?

    And if it's only just come to light, maybe that says something about how much IPv6 is being used?

    (I mean I know my Web server is capable of it but I've yet to be able to use it from home. Or any WiFi hotspot... Or my 3/4g connection or pretty much anywhere other than said server.)

    1. Anonymous Coward
      Anonymous Coward

      Re: how long has this bug been around?

      Has anyone actually stress tested the IPV6 stack for such vulnerabilities or did they just sign off on it as compliant with some legal doc.

    2. Gerhard Mack

      Re: how long has this bug been around?

      According to Google's IPv6 stats. 11.76% of world wide traffic to Google's servers on the weekends and 9.51% during the week (up 1% since Jan). The US is at 27% but they don't provide a nice graph for per country so I can't compare evenings to weekends.

      1. Sgt_Oddball Silver badge

        Re: how long has this bug been around?

        So pretty data connections and not much else?

    3. Yes Me Silver badge

      Re: how long has this bug been around?

      It's far from new news. But it's also far from the end of the world, because it can be filtered out fairly easily as others have said. Neighbor Discovery multicasts always have link-local source addresses so must not be forwarded to another link in any circumstances. (If that can happen, it's an implementation bug. Sounds like Cisco have an implementation bug.)

    4. Lee D

      Re: how long has this bug been around?

      Web server? I should hope so. It's usually just a case of enabling it in Apache etc.

      Your home? Probably not. Virgin haven't even tried to deploy IPv6 to normal homes yet, despite being DOCSIS 3 which mandates compatibility with it.

      Wifi hotspot? See above.

      3G/4G? IPv6 is mandated as part of those protocols. Probably more phones use it than they do IPv4 when connected direct to the cell network, rather than wireless.

      I have an IPv6 website, email, etc. server. It's not a huge majority of traffic, but its definitely "there" and been working fine for years. Google servers prefer IPv6, for instance, so almost all GMail and Google traffic use it first, and I get IPv6 mail from Google all the time.

      It's certainly not "untested". Hell, IPv4 was still finding problems DECADES after deployment (ping-of-death, Xmas-tree packets, ECN, you name it). But to suggest it should be "bug-free" even 20 years from now would be moronically stupid for such a thing.

  3. Lennart Sorensen

    Well at least Linux appears to correctly validate the TTL must equal 255 on ND packets, and has done so at least since 2.6.12 (when it started using git in 2005), since the check was already in the code at that point. Apparently a number of other OSs out there, especially on routers used by ISPs and telcos on the other hand seem to be failing to follow that requirement in the IPv6 standard. How unfortunate. Of course just because linux checks doesn't mean someone didn't use linux on a router and use a 3rd party network stack or hardware accelerator that does the wrong thing.

  4. Anonymous Coward
    Anonymous Coward

    IPv6 ping of death

    Yeah, we should definitely speed the adoption of the new version of IP.

  5. bombastic bob Silver badge

    ICMPv6 types 133 through 137

    Looks like blocking ICMPv6 types 133 through 137 on the public tunnel is one way to "fix" this. My firewall rules have been updated.

    So far it hasn't seemed to affect my ability to access anything via IPv6. I'll know soon enough I guess.

    protocol described (briefly) here:

    https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

  6. Mike Shepherd

    "malformed bytes"

    Last time I checked, all 256 possible values were working on my system.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022