On Mon, 2011-04-04 at 19:46 +0200, Mikael Abrahamsson wrote: > > I believe this attack will work on most networks out > > there, simply because IPv6 is enabled on hosts and rogue RA filtering > > hasn't been implemented on most switches yet. > > Any responsible ISP will block this kind of L2 "unknown" traffic between > customers.
I fully agree, but not all networks are run by ISPs (let alone by "responsible" persons/entities). Perhaps not the main audience for Nanog, but there will be enough enterprises, small ISPs or colo facilities, schools / edu networks etc where this attack is currently possible. > We see this happening unwittingly in the wild as of several years ago with > Windows ICS announcing RA to both WAN and LAN because it (or thinks it) > has 6to4 connectivity and wants to share it. It's almost the same, but not quite: the same in the sense that it might result in MITM for traffic and rogue RAs are involved; different because with the attack described, *virtually all* traffic can be intercepted with the addition of NAT-PT including modified DNS responses (eg returning quad-A RRs for (originally) IPv4-only services. That's not the same as some ICS box which usually doesn't even properly forward the v6 traffic, and if it does, only sees the traffic for the small percentage of v6-enabled services with both an A and quad-A resource record in DNS. > Nothing new here, but the wider it's known the better. To me the NAT-PT part was new, but I don't work for an ISP and perhaps you wouldn't consider me to be a responsible network admin... even though our University has been running RA monitors on all segments for a long time (and will continue to do so until we can properly filter rogue RA on all edge ports etc). I don't know *everything* there is to know in networking, nor will I believe anyone who claims he/she does. The main reason I responded was the "blah blah old news" attitude in one of the reactions, while I doubt that the possibilities with the combination of methods as described are that widely known. But if I'm the only (security) ignorant person on this list, please forgive me ;) Regards, Jeroen van Ingen ICT Service Centre University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
