Cisco warns IPv6 ping-of-death vuln is everyone's problem

Cisco is warning network administrators about a flaw in the handling of IPv6 packets that it says extends beyond its own products. The networking behemoth has issued a security alert detailing a vulnerability in the processing of IPv6 Neighbor Discovery (ND) packets that could allow a remote and unauthenticated miscreant to …

  1. John Sanders
    Facepalm

    Why I'm not surprised...?

    Stupidly complicated protocol... stupid bugs.

    1. Anonymous Coward

      Re: Why I'm not surprised...?

      Ouch! Lots of IPv6 lovers here.

  2. Sgt_Oddball

    how long has this bug been around?

    And if it's only just come to light, maybe that says something about how much IPv6 is being used?

    (I mean I know my Web server is capable of it but I've yet to be able to use it from home. Or any WiFi hotspot... Or my 3/4g connection or pretty much anywhere other than said server.)

    1. Anonymous Coward

      Re: how long has this bug been around?

      Has anyone actually stress tested the IPv6 stack for such vulnerabilities, or did they just sign off on it as compliant with some legal doc?

    2. Gerhard Mack

      Re: how long has this bug been around?

      According to Google's IPv6 stats, 11.76% of worldwide traffic to Google's servers on the weekends and 9.51% during the week (up 1% since Jan). The US is at 27%, but they don't provide a nice graph per country so I can't compare evenings to weekends.

      1. Sgt_Oddball

        Re: how long has this bug been around?

        So pretty data connections and not much else?

    3. Yes Me

      Re: how long has this bug been around?

      It's far from new news. But it's also far from the end of the world, because it can be filtered out fairly easily as others have said. Neighbor Discovery multicasts always have link-local source addresses so must not be forwarded to another link in any circumstances. (If that can happen, it's an implementation bug. Sounds like Cisco have an implementation bug.)

    4. Lee D

      Re: how long has this bug been around?

      Web server? I should hope so. It's usually just a case of enabling it in Apache etc.

      Your home? Probably not. Virgin haven't even tried to deploy IPv6 to normal homes yet, despite being DOCSIS 3 which mandates compatibility with it.

      Wifi hotspot? See above.

      3G/4G? IPv6 is mandated as part of those protocols. Probably more phones use it than they do IPv4 when connected direct to the cell network, rather than wireless.

      I have an IPv6 website, email, etc. server. It's not a huge majority of traffic, but it's definitely "there" and has been working fine for years. Google servers prefer IPv6, for instance, so almost all GMail and Google traffic use it first, and I get IPv6 mail from Google all the time.

      It's certainly not "untested". Hell, IPv4 was still finding problems DECADES after deployment (ping-of-death, Xmas-tree packets, ECN, you name it). But to suggest it should be "bug-free" even 20 years from now would be moronically stupid for such a thing.

  3. Lennart Sorensen

    Well at least Linux appears to correctly validate that the TTL must equal 255 on ND packets, and has done so at least since 2.6.12 (when it started using git in 2005), since the check was already in the code at that point. Apparently a number of other OSs out there, especially on routers used by ISPs and telcos, on the other hand seem to be failing to follow that requirement in the IPv6 standard. How unfortunate. Of course, just because Linux checks doesn't mean someone didn't use Linux on a router and use a third-party network stack or hardware accelerator that does the wrong thing.
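    The receiver checks that the two comments above describe (hop limit must be 255 so nothing forwarded from off-link is accepted; Router Advertisements and Redirects must come from a link-local source), as an added Python example that is not from the thread or from any vendor's code. The packet builder, addresses and the assumption of no extension headers are constructed for the example.

```python
"""Validate IPv6 Neighbor Discovery packets the way RFC 4861 tells receivers to."""
import ipaddress
import struct

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
# Minimum ICMPv6 length (header + fixed fields) per message type, from RFC 4861.
MIN_ICMP_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}


def build_ipv6_icmpv6(src: str, dst: str, hop_limit: int, icmp_type: int,
                      body: bytes) -> bytes:
    """Constructed test packet: 40-byte IPv6 header + ICMPv6 (checksum left zero)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)  # 58 = ICMPv6
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + icmp


def check_nd_packet(pkt: bytes) -> str:
    """Return 'ok' or the first reason the packet must be dropped.

    Assumes no IPv6 extension headers between the base header and ICMPv6.
    """
    if len(pkt) < 44 or pkt[0] >> 4 != 6:
        return "not an IPv6 packet"
    plen, next_hdr, hop = struct.unpack("!HBB", pkt[4:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    if next_hdr != 58:
        return "not ICMPv6"
    icmp = pkt[40:40 + plen]
    t, code = icmp[0], icmp[1]
    if t not in ND_TYPES:
        return f"ICMPv6 type {t} is not Neighbor Discovery"
    # A hop limit below 255 means a router forwarded it: it did not originate on-link.
    if hop != 255:
        return f"{ND_TYPES[t]} hop limit {hop} != 255"
    if code != 0:
        return f"{ND_TYPES[t]} code {code} != 0"
    if len(icmp) < MIN_ICMP_LEN[t]:
        return f"{ND_TYPES[t]} truncated: {len(icmp)} bytes"
    # RA and Redirect must be sourced from a link-local (fe80::/10) address.
    if t in (134, 137) and not src.is_link_local:
        return f"{ND_TYPES[t]} source {src} is not link-local"
    return "ok"
```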

  4. Anonymous Coward

    IPv6 ping of death

    Yeah, we should definitely speed the adoption of the new version of IP.

  5. bombastic bob

    ICMPv6 types 133 through 137

    Looks like blocking ICMPv6 types 133 through 137 on the public tunnel is one way to "fix" this. My firewall rules have been updated.

    So far it hasn't seemed to affect my ability to access anything via IPv6. I'll know soon enough I guess.

    protocol described (briefly) here:

    https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

  6. Mike Shepherd

    "malformed bytes"

    Last time I checked, all 256 possible values were working on my system.
