Category Archives: IPv6

Well, this is simply IPv6 stuff. Either network and/or security related.

Minor Palo Alto Bug concerning IPv6 MGT

A few months ago I found a small bug in PAN-OS, the operating system from Palo Alto Networks. It is related to an IPv6-enabled management interface. The MGT address was not reachable when the firewall operated in layer 2 mode, that is, had layer 2 interfaces along with VLANs. Luckily, this bug is fixed with the new software version 6.1.2 which was released this week (bug ID 67719).

Following are a few listings that show the incomplete handling of the IPv6 neighbor cache of the MGT interface in the old version (pre 6.1.2).

Continue reading Minor Palo Alto Bug concerning IPv6 MGT

IPv4 vs. IPv6 Traffic Statistics on Routers

I am very interested in statistics about the usage of IPv6 on Internet routers and firewalls. The problem is that most routers/firewalls do not have unique SNMP OIDs for IPv4 and IPv6 traffic, but only the normal incoming/outgoing packet counters per interface. Therefore I am using two independent Ethernet ports and cables between my outer router and my first firewall, one for IPv4-only and the other one for IPv6-only traffic. Now I have independent statistics for each protocol and can combine them in one summary graph. (Though I know that this will never be a “best practice” solution…)

Continue reading IPv4 vs. IPv6 Traffic Statistics on Routers

Association of MAC and IPv6 Addresses (IPv6-Kongress 2014)

Just like last year, I am making my talk from this year's IPv6-Kongress in Frankfurt available here. It is a PDF file that contains each of my slides along with all of my notes. So the complete content should be understandable even if you did not attend the talk.


Continue reading Association of MAC and IPv6 Addresses (IPv6-Kongress 2014)

FileZilla Server Bug: Autoban does not work with IPv6

While testing with the new release of Hydra against my own FTP server from FileZilla, I noticed that the autoban feature from FileZilla does not work for IPv6 connections. If there are multiple failed login attempts from an IPv4 address, FileZilla Server correctly blocks that IP. That is: Hydra stops testing passwords since it is not able to connect to the server anymore. However, when using IPv6, the FileZilla server generates the same error message (“421 Temporarily banned for too many failed login attempts”), but new connections from the same IPv6 address are still possible.

Here are my test results:

Continue reading FileZilla Server Bug: Autoban does not work with IPv6

IPv6 Address Statistics based on DAD Messages

After my Tcpdump script for storing MAC-IPv6 address bindings via the Duplicate Address Detection messages (link) and an analysis of the reliability of them (here), I had the idea of a Linux script that analyzes the Tcpdump output for obtaining some IPv6 address statistics. It should not show concrete bindings between MAC and IPv6 addresses, but the number of different kinds of IPv6 addresses, such as link-local or global-unicast addresses, built with or without EUI-64, etc.

In the following, I will present my script and will show the results after running it through the DAD logs of a whole month (March 2014) in a BYOD-WLAN with more than 100 clients.

Continue reading IPv6 Address Statistics based on DAD Messages

Reliability of IPv6 DAD Message Sniffing

A few weeks ago I published an article in which I proposed a method for capturing the MAC-to-IPv6 address bindings by sniffing and storing IPv6 DAD messages. Though any IPv6 node MUST send these Duplicate Address Detection messages prior to assigning the address, I was not fully assured that *really* each new IPv6 address is stored with this Tcpdump sniffer.

That is, over a whole month I captured the DAD messages on a test BYOD-LAN and furthermore the complete IPv6 connection logs of the corresponding firewall. At best, I should have any IPv6 address that made an outbound connection through the firewall in the DAD logfiles. Here are the results:

Continue reading Reliability of IPv6 DAD Message Sniffing

Monitoring MAC-IPv6 Address Bindings

In the legacy IPv4 world, the DHCP server allocates IPv4 addresses and thereby stores the MAC addresses of the clients. In the IPv6 world, if SLAAC (autoconfiguration) is used, no network or security device per se stores the binding between the MAC (layer 2) and the IPv6 (layer 3) addresses from the clients. That is, a subsequent analysis of network behaviour corresponding to concrete IPv6 addresses and their client machines is not possible anymore. The mapping of “identity to IP” is not done automatically somewhere.

A simple way to overcome this issue is to install a service that captures Duplicate Address Detection (DAD) messages from all clients on the subnet in order to store the bindings of MAC and IPv6 addresses. This can be done with a small Tcpdump script on a dedicated Ethernet interface of a Linux host.

In this blog post I will present a use case for storing these bindings, the concept of the DAD messages, a Tcpdump script for doing this job, and the disadvantages and alternatives of this method.

Continue reading Monitoring MAC-IPv6 Address Bindings

Cisco AnyConnect: IPv6 Access through IPv4 VPN Tunnel

When travelling to guest Wifis, e.g., at different customers' sites, hotels, or public Wifis in general, I often have only IPv4 access to the Internet. Since I do not want to use IPv6 tunnelling protocols such as Teredo, I decided to use the Cisco AnyConnect Secure Mobility Client to tunnel IPv6 between my test laboratory (Cisco ASA) and my computer. With a few changes on the ASA, my computer now gets a private IPv4 address and a global unicast IPv6 address out of my space at home. Since I am using a VPN tunnel to access the Internet from untrusted Wifis anyway, the overall process did not change that much.

In the following, I am showing a few screenshots but not a complete configuration guide for the AnyConnect Client.

Continue reading Cisco AnyConnect: IPv6 Access through IPv4 VPN Tunnel

IPv6 Security – An Overview

I wrote a very small summary of my IPv6 Security master thesis which gives an introduction to several IPv6 security issues. People who are interested in IPv6 security are welcome to read this summary prior to studying the whole master thesis. In this way, they will get an overview of IPv6 security issues before they are flooded with too many details. ;) I wrote this article for the RIPE Labs (published here), but since it gives a good overview of my thesis, I publish it here, too.

Continue reading IPv6 Security – An Overview

IPv6 Man-in-the-Middle Attacks on Layer 2 (IPv6-Kongress 2013)

Here is my talk from the IPv6-Kongress 2013 in Frankfurt for download.

It is a PDF file containing a) the presentation slides and b) a lot of comments from me, which cover what was said during the talk pretty well.


Continue reading IPv6 Man-in-the-Middle Attacks on Layer 2 (IPv6-Kongress 2013)

Windows 7 IPv6 Neighbor Cache Bug?

Last year, I posted the following bug report on the IPv6 hackers mailing list, but nobody ever responded. I also sent it to Microsoft, but heard no response either. Since I have had this blog for a few days, I will post it here, too:

Hello everybody,

I am testing with the THC-IPV6 Toolkit from van Hauser and noticed that Windows 7 adds and deletes several neighbor cache entries even on interfaces which are not connected. It further adds and deletes complete network interface cards from the neighbor cache. I would like to know if this is a feature or a bug.

Continue reading Windows 7 IPv6 Neighbor Cache Bug?

IPv6 Security Master Thesis

Hello world,

with this post I want to publish my own master thesis which I finished in February 2013 about the topic “IPv6 Security Test Laboratory”. (I studied the Master of IT-Security at the Ruhr-Uni Bochum.) I explained many IPv6 security issues in detail and tested three firewalls (Cisco ASA, Juniper SSG, Palo Alto PA) against all these IPv6 security attacks.

UPDATE: Before reading the huge master thesis, this overview of IPv6 Security may be a good starting point for IPv6 security issues.


Continue reading IPv6 Security Master Thesis