Trespassing

Advanced network discovery enables the selection of optimal paths for packet transmission. However, this capability could empower attackers to trespass into restricted areas where they should not have access, particularly in DMZ-enabled networks.

IPv6's advanced network discovery facilitates path selection for packets, yet it also exposes vulnerabilities that attackers can exploit to infiltrate restricted areas. Trespassing enables unauthorized access to off-limits zones and interaction with equipment beyond direct visibility. Additionally, attackers may exploit these vulnerabilities to gather detailed information about remote networks.

Discovery through Multicast Address

Sending an ICMPv6 echo request to the link-local all-nodes multicast address delivers the packet to every active IPv6 node on the local link. RFC 3513 defines FF02::1 as that all-nodes address.

To enumerate the active link-local addresses, we can use ping6 and then read the neighbor cache, as shown below.

$ ping6 -I eth0 -c 5 ff02::1 > /dev/null 2>&1
$ ip neigh|grep ^fe80

Security issues associated with an IPv6 implementation will generally surface in networks that are new to IPv6 or in the early phases of an IPv6 transition. Dual-stacked networks (which run IPv4 and IPv6 simultaneously) expose the attack surface of both protocols, so they need further countermeasures to mitigate the additional risk.

Filter IPv6 traffic (boundary protection)

IPv6 traffic should be filtered according to the organization's network policies. A network that has not yet deployed IPv6 should block all IPv6 at the network border, including any IPv6 tunneled in IPv4. A network that has deployed IPv6 should allow only the IPv6 traffic permitted by policy, with ACLs that allow authorized flows and protocols and block everything else by default. Although the IPv6 filtering policy may be based on an existing IPv4 policy, it should reflect IPv6-specific issues. In particular, the Internet Control Message Protocol for IPv6 (ICMPv6) is more fundamental to IPv6 communications than ICMP is to IPv4. Specific ICMPv6 messages, such as neighbor discovery and router advertisement, may need to be permitted even if the corresponding ICMP message for IPv4 is blocked.

IPv6 defines network functions that operate on the local link. These include link-layer address resolution, router discovery, and stateless auto-configuration of addresses. To prevent IPv6 link-local address enumeration, IPv6 should be disabled completely on any system that does not need it.
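
To check whether a Linux host still has IPv6 enabled, the following added example (not part of the original page) reads the kernel's per-interface disable_ipv6 flags. The function names, the CONF_ROOT variable and the --audit switch are assumptions made for this example.

```sh
#!/bin/sh
# Added example: report interfaces on which IPv6 is still enabled.
# CONF_ROOT can be overridden to audit a copied tree instead of the live host.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv6/conf}"

# Print one interface name per line where disable_ipv6 is not 1.
ipv6_enabled_ifaces() {
    root="${1:-$CONF_ROOT}"
    # No conf directory means the IPv6 stack is not loaded at all.
    [ -d "$root" ] || return 0
    for dir in "$root"/*/; do
        flag="${dir}disable_ipv6"
        [ -r "$flag" ] || continue
        name=$(basename "$dir")
        # "all" and "default" are templates; lo is not reachable from the link.
        case "$name" in all|default|lo) continue ;; esac
        if [ "$(cat "$flag")" != "1" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Return 0 when no link-facing interface has IPv6 enabled, 1 otherwise.
ipv6_audit() {
    enabled=$(ipv6_enabled_ifaces "${1:-$CONF_ROOT}")
    if [ -z "$enabled" ]; then
        echo "OK: IPv6 is disabled on every link-facing interface"
        return 0
    fi
    for ifc in $enabled; do
        echo "WARN: IPv6 still enabled on $ifc"
    done
    # Remediation when IPv6 is not needed (run as root, persist in sysctl.conf):
    #   sysctl -w net.ipv6.conf.all.disable_ipv6=1
    #   sysctl -w net.ipv6.conf.default.disable_ipv6=1
    return 1
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    ipv6_audit
fi
```

Run it with --audit on the host being checked; after remediation, repeating the ping6 and ip neigh commands above from another host on the link should no longer list this host's fe80 address.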