Had to build a custom Linux kernel for a hardened product two years ago. Patching this out was one of the steps taken.
IPv6 vulnerable to fragmentation attacks that threaten core internet routers
A trio of 'net experts argues that a key IPv6 protocol needs fixing to get rid of a fragmentation attack vector against routers in large-scale core networks. The vector, called “atomic fragments” has long been regarded with suspicion by IPv6 security wonks. Here, for example, is a Black Hat 2012 presentation illustrating the …
COMMENTS
-
Wednesday 18th January 2017 10:14 GMT Anonymous Coward
.
Am I alone here in thinking that IPv6 seems to show many classic signs of the second-system syndrome?
-
Wednesday 18th January 2017 16:14 GMT Anonymous Coward
Re: .
"Am I alone here in thinking that IPv6 seems to show many classic signs of the second-system syndrome?"
It's certainly got that designed-by-committee feel about it. It's hard to understand and way too complex to set up, which is why a lot of network admins are reluctant to use it and why even now IP4 still dominates, and the hex addresses are almost impossible for a normal user to use when DNS has failed. And what numpty thought having 2 addresses per adaptor was a good idea? Wtf is the point of the link local address? If there's no DHCP just hard code an address as per IP4; if there is, then link local isn't needed. Extra complexity for no reason.
-
-
Thursday 19th January 2017 14:28 GMT Roland6
Re: .
Re: 'second-system syndrome'
Yes, IPv6 does suffer from this. Remember, around the time IPv6 was at its formative stage there was much earnest discussion about using IP directly over the physical media and thus replacing IEEE 802. Notice the turf war: the IETF was choosing to pick fights with both ISO OSI and IEEE 802...
-
Saturday 21st January 2017 01:12 GMT Yes Me
Re: .
@Roland: "much earnest discussion about using IP directly over the physical media and thus replacing IEEE 802"
Not that I remember, at least not in the proposals that actually became IPv6. On the contrary, the layer 2/layer 3 separation was considered very fundamental. MPLS came later, but not to eliminate layer 2, rather to fix the mess created by ATM. TRILL came much later.
It's true that the IETF chose not to use the OSI datagram protocol (CLNP) but there was very little dispute about the layered model, which the OSI people got from TCP/IP (and CYCLADES) in the first place.
-
-
Saturday 21st January 2017 01:06 GMT Yes Me
Extra complexity for good reasons
IPv4 was designed for a small research network; actually it's a miracle it's been stretched to several billion nodes (and all credit to the designers, of course).
IPv6 was designed for *many* billion nodes - it wasn't called IoT then but we knew it was coming. It was also designed for self-configuring small stand-alone networks (the model was Applenet) - hence stateless address autoconfiguration, and link-local addresses for when there is no router and no Internet connection. And by the way, you aren't limited to 2 addresses per interface - you could for example have link-local (for bootstrapping), ULA (unique local address) for intranet use, and a couple of globally reachable addresses from different ISPs. Yes, it's more complicated - because the world is a lot more complicated (thanks to Moore's law) than it was in 1977 when the basics of IPv4 were laid down. Your grandchildren will be grateful.
-
-
-
Wednesday 18th January 2017 13:15 GMT Eugene Crosser
Clarification
The article goes to some length to explain what atomic fragments are, but does not emphasize enough the DoS mechanism in play here. Specifically, according to the RFC, the practice of blindly dropping IPv6 packets with extension headers is so widespread that if an attacker tricks the victim into producing such packets, it will have a disruptive effect.
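As an added illustration (not part of this comment or the article), here is how a defender could recognise the symptom the comment describes on the wire: an "atomic fragment" is an IPv6 packet carrying a Fragment extension header whose fragment offset is 0 and whose M (more fragments) flag is clear, i.e. a packet that is "fragmented" into exactly one piece. The code below walks the IPv6 extension-header chain, flags atomic fragments, and tallies them per source address so a spike can be spotted in monitoring. The packets it inspects are constructed inline from RFC 3849 documentation addresses (2001:db8::/32); they are sample data, not captures.

```python
import ipaddress
import struct
from collections import Counter

IPV6_HDR_LEN = 40
# Next-header numbers for the extension headers handled here.
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
NH_UDP = 17
# Headers that carry a "Hdr Ext Len" byte in units of 8 octets (not counting the first 8).
OPTION_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_DSTOPTS}


def walk_headers(packet: bytes):
    """Walk the extension-header chain of one IPv6 packet.

    Returns (extension header numbers in order, fragment info or None,
    upper-layer protocol number).
    """
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh = packet[6]          # Next Header field of the fixed header
    off = IPV6_HDR_LEN
    ext, frag = [], None
    while nh in OPTION_HEADERS or nh == NH_FRAGMENT:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header chain")
        ext.append(nh)
        if nh == NH_FRAGMENT:
            # Fragment header: next hdr, reserved, offset(13)|res(2)|M(1), identification
            next_nh, _res, frag_field, ident = struct.unpack_from("!BBHI", packet, off)
            frag = {"offset": frag_field >> 3, "more": bool(frag_field & 1), "id": ident}
            nh, off = next_nh, off + 8
        else:
            next_nh, ext_len = packet[off], packet[off + 1]
            nh, off = next_nh, off + (ext_len + 1) * 8
    return ext, frag, nh


def is_atomic_fragment(packet: bytes) -> bool:
    """True when the packet has a Fragment header with offset 0 and M == 0."""
    _, frag, _ = walk_headers(packet)
    return frag is not None and frag["offset"] == 0 and not frag["more"]


def atomic_fragment_sources(packets) -> Counter:
    """Defender-side telemetry: count atomic fragments per IPv6 source address."""
    counts = Counter()
    for pkt in packets:
        if is_atomic_fragment(pkt):
            counts[str(ipaddress.IPv6Address(pkt[8:24]))] += 1
    return counts


# ---- constructed sample packets (documentation addresses, no real traffic) ----
def ipv6(src: bytes, dst: bytes, next_header: int, payload: bytes) -> bytes:
    # version 6, traffic class 0, flow label 0 | payload length | next header | hop limit 64
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


def fragment_header(next_header: int, offset: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed
UDP = b"\x30\x39\x00\x35\x00\x10\x00\x00" + b"sample!!"   # constructed UDP payload
# Destination Options header (8 octets): next hdr = Fragment, ext len 0, one PadN(4) option.
DSTOPTS_THEN_FRAG = struct.pack("!BB", NH_FRAGMENT, 0) + b"\x01\x04\x00\x00\x00\x00"

SAMPLES = [
    ipv6(SRC, DST, NH_UDP, UDP),                                            # plain UDP
    ipv6(SRC, DST, NH_FRAGMENT, fragment_header(NH_UDP, 0, False, 0x1234) + UDP),  # atomic
    ipv6(SRC, DST, NH_FRAGMENT, fragment_header(NH_UDP, 0, True, 0x1234) + UDP),   # real 1st frag
    ipv6(SRC, DST, NH_DSTOPTS, DSTOPTS_THEN_FRAG + fragment_header(NH_UDP, 0, False, 0x99) + UDP),
]

if __name__ == "__main__":
    for i, pkt in enumerate(SAMPLES):
        ext, frag, upper = walk_headers(pkt)
        print(f"packet {i}: ext={ext} frag={frag} upper={upper} atomic={is_atomic_fragment(pkt)}")
    print("atomic fragments per source:", dict(atomic_fragment_sources(SAMPLES)))
```

The point for operators is the second half of the comment: a device that drops every packet carrying an extension header will drop these too, so counting atomic fragments per source is a cheap way to see whether something on the path is inducing hosts to emit them. The walker only handles the four common extension headers; any other Next Header value terminates the chain and is reported as the upper-layer protocol.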
-
-
Saturday 21st January 2017 01:18 GMT Yes Me
Re: How can this happen ?
It can happen because the people who designed IPv6 fragmentation are human beings and let this one slip by.
> Internet-will-die-otherwise
People overstate things sometimes. An Internet without packet translation will work better than one with packet translation. And (as I noted a minute ago) IPv6 is designed for situations where IPv4 does badly: stand-alone networks, IoT, and tens of millions of multihomed enterprises.
-
-
Monday 23rd January 2017 19:20 GMT AlgoRythm
So... where is SirChurchy lately...
Shocked! Shocked I am that the ipv6 extended headers might theoretically not have been checked in any reasonable way on the wire. Calling Sir Churchy, self-declared expert on all things networking and IPv6 specifically... have you discovered a good fuzzing util for enumerating extended header flaws yet? Seems like NIST is still fumbling with that rather publicly:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10142
So how is it that you can categorically dismiss all who believe that where IPv6 is concerned, both in its creation and timing, something smells...off.
Be thee a GCHQ shill, or be thee a sales weasel? Inquiring minds want to know
-Al