[6bone] Headsup: Block messaging over IPv6 options

Jeroen Massar jeroen@unfix.org
Tue, 15 Jul 2003 10:31:02 +0200


Hank Nussbacher wrote:

> http://www.checkpoint.com/securitycenter/advisories/2003/cpai-2003-22.html

Better start checking the IP addresses too, because I could easily:

<---      128 bit IPv6 address     --->
<---    subnet  ---><---  EUI-64   --->
3ffe:8114:2000:0240:0290:27ff:fe24:c19f

What if I use the EUI-64 part for 8x8 bits: 8 chars of text?

Route the /64 through one box and use some tcpdump trickery.
Currently, especially with the 6bone, it is not too uncommon
to have a complete /48 directed to one box, let's see
how 'covert' we can play there. I could even put the chars
in the EUI-64 form, looking like EUI-64 but not being it.
Have fun filtering oh mighty firewall people.

IMHO 'inspecting' is useless. As long as
two(+) endpoints are under the control of a user, he can send
any kind of packets between them. We are not talking
about distributing or encrypting stuff yet...
Think of the nice DNS tunnels :)

Using an HTTP proxy could be a good start though.
But then we simply would use POST on an external server
to get a nice tunnel. So have fun filtering.
And why do IPv6 if you are denying users their
end-to-end experience? IMHO stick to your "ipv4 nat" security then.

If you really want to firewall your users: disconnect them.

Greets,
 Jeroen
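
Added example, not part of the original message: a flow-log triage sketch for the interface-identifier channel described above, flagging /64s whose source identifiers are mostly printable ASCII (including text wrapped around an ff:fe filler) or unusually numerous. The function names, thresholds and the 2001:db8:: sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def iid_of(addr):
    """Low 64 bits (interface identifier) of an IPv6 address, as bytes."""
    return ipaddress.IPv6Address(addr).packed[8:]

def text_like(iid, threshold=0.75):
    """True if most identifier bytes are printable ASCII (0x20-0x7e).

    The ff:fe filler of an EUI-64-shaped identifier is skipped, so text
    dressed up to look like EUI-64 is still measured on its six free bytes.
    """
    data = iid[:3] + iid[5:] if iid[3:5] == b"\xff\xfe" else iid
    return sum(0x20 <= b <= 0x7E for b in data) / len(data) >= threshold

def review(addresses, max_iids=3):
    """Group observed source addresses by /64 and report prefixes that show
    text-like identifiers or more than max_iids distinct identifiers."""
    by_prefix = defaultdict(set)
    for addr in addresses:
        packed = ipaddress.IPv6Address(addr).packed
        by_prefix[packed[:8]].add(packed[8:])
    findings = {}
    for prefix, iids in by_prefix.items():
        texty = sorted(i.hex() for i in iids if text_like(i))
        if texty or len(iids) > max_iids:
            net = ipaddress.IPv6Network((prefix + bytes(8), 64))
            findings[str(net)] = {"distinct_iids": len(iids), "text_like": texty}
    return findings

# Constructed sample: the address from the post plus made-up 2001:db8:: sources.
SAMPLE = [
    "3ffe:8114:2000:0240:0290:27ff:fe24:c19f",  # from the post, MAC-derived
    "2001:db8:0:1:6865:6c6c:6f20:776f",         # identifier is plain ASCII
    "2001:db8:0:1:726c:6421:2020:2020",         # identifier is plain ASCII
    "2001:db8:0:1:4869:21ff:fe3a:2d29",         # ASCII around an ff:fe filler
    "2001:db8:0:2:0211:22ff:fe03:0405",         # ordinary MAC-derived identifier
]

if __name__ == "__main__":
    for net, info in review(SAMPLE).items():
        print(net, info)
```

Hosts using temporary addresses (RFC 3041) also cycle through random identifiers, so the distinct-identifier count is a triage signal rather than proof of a channel.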