SANS ISC: Stupid Little IPv6 Tricks

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

With the IPv6 Summit on Friday, various IPv6 related topics are of course on my mind. So I figured to put together a quick laundry list of "stupid little IPv6 tricks/topics". Let me know what issues you are running into as well:

1 - Proxies 

Right now, many web sites use proxies to provide IPv6 access. The result is some "interesting" behaviour that you may experience:

• The IPv6 version of the site may be out of date because the proxy cached it.
• The IPv6 version may use a different certificate (see an earlier story about this).
• A site may be down via IPv6 (because of a proxy problem) but up via IPv4.
• The actual web application isn't coded to look at the Forward-For or similar header, so it has no idea where you are comming from and you run into rate limits.

2 - Extension Headers

Security devices still have issues with extension headers. They may miss attacks, or just misinterpret packets.

• IDSs will not reassemble sessions correctly as they do not know if a packet will be dropped or not.
• Firewalls may block packets (or let them pass) as they can't figure out the protocol.
• Packet analysis tools will give you the wrong interpretation of a packet.

3 - Log Analysis / Address Interpreation

I still see log analysis tools that at first sight seem to work fine with IPv6, but they don't "normalize" the addresses, meaning that 2001:db8::1 is not considered equal to 2001:0db8::1 or 2001:0db8:0000:0000:0000:0000:0000:0001.

4 - Spam

Probably the most common IPv6 "attack" I see is spam, probably by accident (both ends happen to support IPv6) but it works quite well as there are still no real block list for IPv6.

5 - Portscans

So far, we see pretty much no port scans on IPv6 (which is kind of good ;-) ). It is still a decent idea to "hide" an SSH server in IPv6 space. 

BTW: Don't forget that we are now able to accept IPv6 firewall logs, not just IPv4!

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter