DeepSec 2014 Talk: MLD Considered Harmful – Breaking Another IPv6 Subprotocol

In case you haven’t noticed, the Internet is getting crowded. Next to having billions of people online, their devices are starting to follow. Information security experts can’t wait to see this happen. The future relies on the Internet Protocol Version 6 (IPv6). IPv6 features a lot of improvements over IPv4. Since you cannot get complex stuff right at the first time, IPv6 brings some security implications with it. Past and present conferences have talked about this. DeepSec 2014 is no exception. Enno Rey of ERNW will talk about Multicast Listener Discovery (MLD) in his presentation.

The presentation is the first time that the results of an ongoing research of MLD are published. MLD is a protocol belonging to the IPv6 family, and sadly it features insecurities. MLD (Multicast Listener Discovery), and its successor, MLDv2, are used by IPv6 routers for discovering multicast listeners on a directly attached link, much like the Internet Group Management Protocol (IGMP) is used in IPv4. Even if you haven’t realised it yet, MLD is already everywhere. Many multicast applications, when the underlying layer-3 protocol is IPv6, base their operation on MLD, while most of the modern Operating Systems (OS), like Windows, Linux and FreeBSD, not only come pre-configured with IPv6 enabled, but they also start-up by sending MLD traffic, which is repeated periodically. Despite of the out-of-the-box usage of MLD, it is one of the IPv6 protocols that have not be studied yet to a suitable extend, especially as far as its potential security implications are concerned. As it will be shown, these can vary from OS fingerprinting on the local-link by sniffing the wire passively, to amplified Denial of Service attacks.

Specifically, in this talk, after presenting the results of the analysis of the default behaviour of some of the most popular OS, we will examine, by using specialised tools, whether the specific OS implementations conform to the security measures defined by the corresponding RFCs, and if not, what are the potential security implications. Then, by diving into the specifications of the protocol, we will discuss potential security issues related with the design of MLD and how they can be exploited by attackers. Finally, specific security mitigation techniques will be proposed to defend against them, which will allow us to secure IPv6 networks to the best possible extend in the emerging IPv6 era.

Let’s make the IPv6 world a safer place! ☻

For anyone dealing with IPv6, DeepSec 2014 also offers a two day training IPv6 Attacks and Defenses – A Hands-on Workshop, held by Enno himself.

Internet service providers already rolled out IPv6, especially for hosted or co-located environments. Furthermore IPv6 connectivity is widely available by means of tunnels (Teredo for example). This is why we recommend Enno’s talk and training for anyone using networks (Internet connection is optional since most operating systems use IPv6 locally any way). Deal with your network before attackers do!

Tags: , , ,

1 Response to "DeepSec 2014 Talk: MLD Considered Harmful – Breaking Another IPv6 Subprotocol"