lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 01 Feb 2012 23:17:46 -0300
From: Fernando Gont <fgont@...networks.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Fwd: IPv6 RA-Guard: Advice on the implementation
	(feedback requested)

Folks,

We have talked about this one quite a few times (including
<http://blog.si6networks.com/2011/09/router-advertisement-guard-ra-guard.html>).
-- still, most implementations remain broken.

If you care to get this fixed, please provide feedback about this I-D on
the IETF *v6ops* mailing-list <v6ops@...f.org>, and CC me if possible.

Thanks!

Best regards,
Fernando




-------- Original Message --------
Subject: RA-Guard: Advice on the implementation  (feedback requested)
Date: Wed, 01 Feb 2012 21:44:29 -0300
From: Fernando Gont <fgont@...networks.com>
Organization: SI6 Networks
To: IPv6 Operations <v6ops@...f.org>

Folks,

We have just published a revision of our I-D "Implementation Advice for
IPv6 Router Advertisement Guard (RA-Guard)"
<http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-implementation-01.txt>.

In essence, this is the problem statement, and what this I-D is about:

* RA-Guard is essential to have feature parity with IPv4.

* Most (all?) existing RA-Guard implementations can be trivially evaded:
if the attacker includes extension headers in his packets, the RA-Guard
devices fail to identify the Router Advertisement messages. -- For
instance, THC's "IPv6 attack suite" (<http://www.thc.org/thc-ipv6/>)
contains tools that can evade RA-Guard as indicated.

* The I-D discusses this problem, and provides advice on how to
implement RA-Guard, such that the aforementioned vulnerabilities are
eliminated, we have an effective RA-Guard device, and hence
feature-parity with IPv4.

We'd like feedback on this I-D, including high-level comments on whether
you support the proposal in this I-D.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@...networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ