Stupid Little IPv6 Tricks
Last Updated: 2013-06-12 22:12:51 UTC
by Johannes Ullrich (Version: 1)
With the IPv6 Summit on Friday, various IPv6 related topics are of course on my mind. So I figured to put together a quick laundry list of "stupid little IPv6 tricks/topics". Let me know what issues you are running into as well:
1 - Proxies
Right now, many web sites use proxies to provide IPv6 access. The result is some "interesting" behaviour that you may experience:
- The IPv6 version of the site may be out of date because the proxy cached it.
- The IPv6 version may use a different certificate (see an earlier story about this).
- A site may be down via IPv6 (because of a proxy problem) but up via IPv4.
- The actual web application isn't coded to look at the Forward-For or similar header, so it has no idea where you are comming from and you run into rate limits.
2 - Extension Headers
Security devices still have issues with extension headers. They may miss attacks, or just misinterpret packets.
- IDSs will not reassemble sessions correctly as they do not know if a packet will be dropped or not.
- Firewalls may block packets (or let them pass) as they can't figure out the protocol.
- Packet analysis tools will give you the wrong interpretation of a packet.
3 - Log Analysis / Address Interpreation
I still see log analysis tools that at first sight seem to work fine with IPv6, but they don't "normalize" the addresses, meaning that 2001:db8::1 is not considered equal to 2001:0db8::1 or 2001:0db8:0000:0000:0000:0000:0000:0001.
4 - Spam
Probably the most common IPv6 "attack" I see is spam, probably by accident (both ends happen to support IPv6) but it works quite well as there are still no real block list for IPv6.
5 - Portscans
So far, we see pretty much no port scans on IPv6 (which is kind of good ;-) ). It is still a decent idea to "hide" an SSH server in IPv6 space.
BTW: Don't forget that we are now able to accept IPv6 firewall logs, not just IPv4!
Johannes B. Ullrich, Ph.D.
SANS Technology Institute