IPv6 vulnerable to fragmentation attacks that threaten core internet routers A trio of 'net experts argues that a key IPv6 protocol needs fixing to get rid of a fragmentation attack vector against routers in large-scale core networks. The vector, called “atomic fragments” has long been regarded with suspicion by IPv6 security wonks. Here, for example, is a Black Hat 2012 presentation illustrating the …
Am I alone here in thinking that IPv6 seems to show many classic signs of the second-system syndrome?
"Am I alone here in thinking that IPv6 seems to show many classic signs of the second-system syndrome?"
Its certainly got that designed by commitee feel about it. Its hard to understand, way too complex to set up which is why a lot of network admins are reluctant to use it and why even now IP4 still dominates, and the hex addresses are almost impossible for a normal user to use when DNS has failed. And what numpty thought having 2 addresses per adaptor was a good idea? Wtf is the point of the link local address? If there's no DHCP just hard code an address as per IP4 , if there is then link local isn't needed. Extra complexity for no reason.
Re: 'second-system syndrome'
Yes IPv6 does suffer from this. Remember around the time IPv6 was at it's formative stage there was much earnest discussion about using IP directly over the physical media and thus replacing IEEE 802. Notice the turf war, IETF were choosing to pick fights both ISO OSI and IEEE 802...
@Roland: "much earnest discussion about using IP directly over the physical media and thus replacing IEEE 802"
Not that I remember, at least not in the proposals that actually became IPv6. On the contrary, the layer 2/layer 3 separation was considered very fundamental. MPLS came later, but not to eliminate layer 2, rather to fix the mess created by ATM. TRILL came much later.
It's true that the IETF chose not to use the OSI datagram protocol (CLNP) but there was very little dispute about the layered model, which the OSI people got from TCP/IP (and CYCLADES) in the first place.
IPv4 was designed for a small research network; actually it's a miracle it's been stretched to several billion nodes (and all credit to the designers, of course).
IPv6 was designed for *many* billion nodes - it wasn't called IoT then but we knew it was coming. It was also designed for self-configuring small stand-alone networks (the model was Applenet) - hence stateless address autoconfiguration, and link-local addresses for when there is no router and no Internet connection. And by the way, you aren't limited to 2 addresses per interface - you could for example have link-local (for bootstrapping), ULA (unique local address) for intranet use, and a couple of globally reachable addresses from different ISPs. Yes, it's more complicated - because the world is a lot more complicated (thanks to Moore's law) than it was in 1977 when the basics of IPv4 were laid down. Your grandchildren will be grateful.
The article goes to some length to explain what are atomic fragments, but does not emphasize enough the DoS mechanism in play here. Specifically, according to the RFC, the practice of blindly dropping IPv6 packets with extension headers is so widespread, that if an attacker ticks the victim into producing such packets, it will have disruptive effect.
It can happen because the people who designed IPv6 fragmentation are human beings and let this one slip by.
> Internet-will-die-otherwise
People overstate things sometimes. An Internet without packet translation will work better than one with packet translation. And (as I noted a minute ago) IPv6 is designed for situations where IPv4 does badly: stand-alone networks, IoT, and tens of millions of multihomed enterprises.
Shocked! Shocked I am that the ipv6 extended headers might theoretically not have been checked in any reasonable way on the wire. Calling Sir Churchy, self declared expert on all things networking and IPv6 specifically..have you discovered a good fuzzing util for enumerating extended header flaws yet. Seems like NIST is still fumbling with that rather publically:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10142
So how is it that you can categorically dismiss all who believe that where IPv6 is concerned, both in its creation and timing, something smells...off.
Be thee a GCHQ shill, or be thee a sales weasel? Inquiring minds want to know
-Al
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
