by the way!
Regards,
Fernando
Forwarded Message
Subject: New Version Notification for
draft-ietf-opsec-ipv6-addressing-00.txt
Date: Fri, 02 Jun 2023 07:26:18 -0700
From: internet-dra...@ietf.org
To: Fernando Gont , Guillermo Gont
A new version of I-D, draft-ietf-opsec-ipv6
robably lies some good advice .. i.e., that to the extent that
is possible, folks refrain from sharing the same /64 across
unrelated/disassociated users.
Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
acked AWS accounts.
Do they lose or earn money when accounts are hacked?
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
Hi, Bill,
On 7/2/23 01:26, William Herrin wrote:
On Mon, Feb 6, 2023 at 7:40 PM Fernando Gont wrote:
On 7/2/23 00:05, William Herrin wrote:
On the one hand, sophisticated attackers already scatter attacks
between source addresses to evade protection software.
Whereas in the IPv6 case , you
Hi, Bill,
Thanks for your feedback! In-line
On 7/2/23 00:05, William Herrin wrote:
On Mon, Feb 6, 2023 at 6:43 PM Fernando Gont wrote:
On 6/2/23 20:39, Owen DeLong wrote:
After all, they’re only collecting addresses to ban at the rate they’re
actually being used to send packets.
Yeah
consistently use memory
iptables-rules slot to store more and more rules/addresses you'll get no
benefit from, the attacker is winning
Thanks!
Regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
hanks!
Regards,
Fernando
Forwarded Message
Subject: New Version Notification for
draft-gont-opsec-ipv6-addressing-00.txt
Date: Thu, 02 Feb 2023 19:48:40 -0800
From: internet-dra...@ietf.org
To: Fernando Gont , Guillermo Gont
A new version of I-D, draft-gont-opsec-ipv6-addressi
y
issues in IPv6 address generation!
[Original article with screenshots:
https://www.linkedin.com/posts/fernandogont_after-over-10-yes-ten-years-we-have-activity-7008316664207290368-Wcto
]
Thanks!
Regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494
nsider the case where the router intentionally splits
the options into multiple packets (which does not exist in practice),
AND the link is super lossy, you just increase the number of
retransmissions.
There's no guessing.
Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
/comment on the 6man wg mailing list
(https://www.ietf.org/mailman/listinfo/ipv6), that'd be fabulous.
But we'll appreciate your feedback off-line, on this list, etc. (that'd
still be great ;-) )
Thanks in advance!
Regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
P
Hi,
FYI. RFC 9288, "Recommendations on the Filtering of IPv6 Packets
Containing IPv6 Extension Headers at Transit Routers" (available at:
https://www.rfc-editor.org/rfc/rfc9288)
FWIW, IMO most of the value is in the analysis of what
protocols/features use what EHs, and what would break (if a
y night, someone doing the same thing with altruistic
> intent might not be such a bad thing.
>
> - Matt
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
Hi, Ronald,
On 21/6/22 03:53, Ronald F. Guilmette wrote:
In message <7c5f9d80-8686-07bb-b6ed-6e41fa1e1...@si6networks.com>,
Fernando Gont wrote:
Note: What's most usually done out there is scanning for ports, rather
than for vulnerabilities.
Yes, and at least some of the respon
you need to deal with, anyway).
What's left probably falls into the DoS-like category... but is normally
more targeted than sent to random networks/whole Internet.
Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
s.
Thanks!
Regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
the responsible organization for the network prefixes get
the scan results.
Thanks,
--
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
SP asked for it.
Thanks,
--
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
item of the IPv6 Operations WG of the IETF.
Title : Operational Implications of IPv6 Packets
with
Extension Headers
Authors : Fernando Gont
Nick Hilliard
Gert Doering
Warren Kumari
DP port to 58921. My clock synced perfectly.
>
> So your goal is to find the devices that don't follow this behaviour,
> right?
> No. The goal of our I-D is that NTP clients randomize their source
> port -- there's no need for clients to use port 123, and using that
> p
behind the same NAT to external
> NTP servers
Please let me know if what I wrote above clarifies our intent.
Thanks!
Regards,
--
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
Hi, Bjørn,
On Thu, 2021-06-10 at 12:10 +0200, Bjørn Mork wrote:
> Fernando Gont via NANOG writes:
>
> > What has been reported to us is that some boxes do not translate
> > the
> > src port if it's a privileged port.
> >
> > In such scenarios, NTP imp
NTP clients
behind the same NAT device
Thanks!
Regards,
--
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
tems in the internal realm of the NAT try to use the same privileged
port (say, 123) simultaneously, things wouldn't work.
Thanks,
--
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
his type of NATs?
Thanks!
Regards,
--
Fernando Gont
Director of Information Security
EdgeUno, Inc.
PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
Subject: IPv6 addressing: Gaps?
(draft-gont-v6ops-ipv6-addressing-considerations)
Date: Fri, 12 Feb 2021 18:50:48 -0300
From: Fernando Gont
To: IPv6 Operations
Folks,
In the aforementioned document
(https://tools.ietf.org/html/draft-gont-v6ops-ipv6-addressing-considerations),
we have tried
Folks,
FYI.
P.S.: The relevant IETF wg list is:
https://www.ietf.org/mailman/listinfo/v6ops
Thanks,
Fernando
Forwarded Message
Subject: [v6ops] WGLC on draft-ietf-v6ops-ipv6-ehs-packet-drops
Date: Mon, 19 Oct 2020 12:35:34 -0700
From: Fred Baker
To: IPv6 Operations
I'
I just meant to forward your
request, and let folks know what the email alias for the chairs is
(sometimes I get it wrong myself e.g. @ietf.org vs. @tools.ietf.org).
I just didn't say "send your support comments" because I didn't want to
bias the request.
My apologies,
--
Fe
tf.org/arch/search/?qdr=a&q=%22Operational
Implications of IPv6 Packets with Extension Headers%22
https://datatracker.ietf.org/doc/draft-gont-v6ops-ipv6-ehs-packet-drops
https://tools.ietf.org/html/draft-gont-v6ops-ipv6-ehs-packet-drops
"Operational Implications of IPv6 Packets with Ext
,
Fernando
Forwarded Message
Subject: New Version Notification for
draft-gont-v6ops-ipv6-ehs-packet-drops-04.txt
Date: Sat, 25 Jul 2020 22:28:50 -0700
From: internet-dra...@ietf.org
To: Fernando Gont , Gert Doering
, Geoff Huston , Warren Kumari
, Nick Hilliard
A new version of
Folks,
A while ago some of us started working on an IETF draft to document and
mitigate some issues experienced by SLAAC in the face of some
renumbering events. Such work has resulted in three small documents.
* draft-gont-v6ops-slaac-renum (problem statement)
* draft-gont-v6ops-slaac-renum (CPE
On 3/12/19 17:47, Mark Andrews wrote:
>
>
>> On 4 Dec 2019, at 02:04, Fernando Gont wrote:
>>
>> On 3/12/19 00:12, Mark Andrews wrote:
>>>
>>>
>>>> On 3 Dec 2019, at 13:31, Valdis Klētnieks wrote:
>>>>
>>>> O
rced so you don’t need your own IPv4 addresses for that.
> Then there is in the cloud for other services, again you don’t need your own
> IPv4
> addresses.
Well, yeah.. you don't need IPv4 addresses if you are going to be using
somebody else's networks and services. Not that you should, though
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
Date: Wed, 23 Oct 2019 03:51:32 -0500
From: Fernando Gont
To: IPv6 Operations
Folks,
Earlier this year there was a lot of discussion about slaac renumbering
problems. Our original I-D covered everything from the problem statement
to proposed protocol updates and operational workarounds.
Base
rg/blog/2019/02/ipv6-security-faq
Thanks!
Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
Hi, Bill,
Thanks for the feedback! In-line
On 10/3/19 13:54, William Herrin wrote:
>
>
> On Fri, Mar 8, 2019 at 3:32 AM Fernando Gont <mailto:fg...@si6networks.com>> wrote:
>
> If you follow the 6man working group of the IETF you may have seen a
> bu
y) upon restart
We are looking forward to more input on the document (or any comments on
the issue being discussed), particularly from operators.
So feel free to send your comments on/off list as you prefer
Thanks!
Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
Bs, since they may trigger
fragmentation even for protocols that you'd assume would never employ
fragmentation.
Thanks!
Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
d be added, or have
comments on the answers, please do let me know -- the document can
eventually be revised.
Thanks!
Cheers,
--
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
On 6/3/19 03:29, Mark Andrews wrote:
>
>
>> On 6 Mar 2019, at 3:37 pm, Fernando Gont wrote:
>>
>> On 6/3/19 01:09, Mark Andrews wrote:
>>>
>>>
>>>> On 6 Mar 2019, at 1:30 pm, Fernando Gont wrote:
>>>>
>>>> On 3/3/19
On 6/3/19 01:09, Mark Andrews wrote:
>
>
>> On 6 Mar 2019, at 1:30 pm, Fernando Gont wrote:
>>
>> On 3/3/19 18:04, Mark Andrews wrote:
>>> There are lots of IDIOTS out there that BLOCK ALL ICMP. That blocks PTB
>>> getting
>>> back to the T
a protocol
> failure. It is shitty implementations.
Not to play devil's advocate but the IETF got to publish a spec for ECMP
use of Flow Labels only a few years ago.
For quite a while, they were unusable... and might still be, for some
implementations.
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
. The amount of +20 year old
> equipment on the
> net is minimal.
>
> That said modern OS’s don’t need other equipment to “protect" them from ICMP
> of any form.
>
These news don't help in that direction:
https://www.theregister.co.uk/2016/06/02/cisco_warns_
is to actually move away from
ICMPv6-based PMTUD, to the extent that is possible. (RFC4821).
Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
kind of fragmentation.
Still, that's certainly not panacea. See:
https://tools.ietf.org/html/rfc7872
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
> support@cloudflare answered me that because I'm not the owner of
> concerned site,
> and because of security reasons, they wouldn't investigate further.
>
> are there security concerns with ICMP-too-big ?
Please see: https://tools.ietf.org/html/rfc5927
Hello, Valdis,
On 12/11/2017 10:44 AM, valdis.kletni...@vt.edu wrote:
> On Mon, 11 Dec 2017 09:23:11 -0300, Fernando Gont said:
>
>> Anyone can comment on the UPnP support for IPv6 in home routers?
>>
>> Those that I have checked have UPnP support for IPv4, but not for
(local ip, local port, remote ip, remote port)
basis, which kind of sucks -- as one would want to be able to whitelist
all ports for a given IP address, or at least (local ip, local port).
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6
pply to DHCPv6 snooping et al.
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
u'll have at least a few
#facepalm moments.
Thanks,
Fernando
Forwarded Message
Subject: New I-D: SLAAC and DHCPv6 (Fwd: New Version Notification for
draft-gont-v6ops-host-configuration-00.txt)
Date: Tue, 28 Feb 2017 05:13:25 -0300
From: Fernando Gont
To: IPv6 Operations
F
On 01/12/2017 11:14 PM, Mark Andrews wrote:
> In message
>
> , Fernando Gont writes:
>> On 12/1/2017 16:32, "Saku Ytti" wrote:
>>
>> On 12 January 2017 at 17:02, Fernando Gont wrote:
>>> That's the point: If you don't allow f
On 01/12/2017 11:07 PM, Mark Andrews wrote:
> In message
>
> , Fernando Gont writes:
>> On 12/1/2017 16:28, "Mark Andrews" wrote:
>>
>>> In message <11ff128d-2fba-7c26-4a9c-5611433d8...@si6networks.com>, Fernando
>>> Gont writes
On 12/1/2017 16:32, "Saku Ytti" wrote:
On 12 January 2017 at 17:02, Fernando Gont wrote:
> That's the point: If you don't allow fragments, but your peer honors
> ICMPv6 PTB<1280, then dropping fragments creates the attack vector.
Thanks. I think I got it no
On 12/1/2017 16:28, "Mark Andrews" wrote:
In message <11ff128d-2fba-7c26-4a9c-5611433d8...@si6networks.com>, Fernando Gont writes:
> Hi, Saku,
>
> On 01/12/2017 11:43 AM, Saku Ytti wrote:
> > On 12 January 2017 at 13:19, Fernando Gont
wrote:
> >
> &
y
be fixed ipv6 header + ehs).
Cheers,
Fernando
On 12/1/2017 16:32, "Saku Ytti" wrote:
> On 12 January 2017 at 17:02, Fernando Gont wrote:
> > That's the point: If you don't allow fragments, but your peer honors
> > ICMPv6 PTB<1280, then dropping fragment
Hi, Saku,
On 01/12/2017 11:43 AM, Saku Ytti wrote:
> On 12 January 2017 at 13:19, Fernando Gont wrote:
>
> Hey,
>
>> I'm curious about whether folks are normally filtering ICMPv6 PTB<1280
>> and/or IPv6 fragments targeted to BGP routers (off-list datapoints are
forementioned routers will themselves be
the ones dropping their own traffic.
cut here
Is this something waiting to be exploited? Am I missing something?
Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
distribution.
The RFC Editor Team
Association Management Solutions, LLC
___
v6ops mailing list
v6...@ietf.org
https://www.ietf.org/mailman/listinfo/v6ops
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5
ed-rfc-7707_12.html>
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
:
and CC
.
P.S.: You can find a number of pointers to articles and other related
work on this topic here:
<http://blog.si6networks.com/2015/12/the-controversial-ipv6-extension-headers.html>
Thanks!
Best regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP
e-check in a week or so)
* Videos: <https://www.youtube.com/user/SI6Networks>
On-line communities
* IPv6 Hackers mailing-list:
<http://lists.si6networks.com/listinfo/ipv6hackers/>
* IPv6 Hackers web site: <http://www.ipv6hackers.org>
This site includes the slideware (and v
or avoiding the use of IPv6 EHs where possible.
Thanks!
Best regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Folks,
FYI -- currently being discussed on v6...@ietf.org
Cheers,
Fernando
Forwarded Message
Subject: DoS attacks (ICMPv6-based) resulting from IPv6 EH drops
Date: Tue, 19 Aug 2014 09:00:15 -0300
From: Fernando Gont
To: IPv6 Operations
CC: 'op...@ietf.org'
F
Folks,
FYI:
<http://www.ietf.org/internet-drafts/draft-gont-v6ops-ipv6-ehs-in-real-world-00.txt>.
Comments welcome.
Thanks!
Fernando
Forwarded Message
Subject: New I-D: IPv6 Extension Headers in the Real World
Date: Fri, 08 Aug 2014 00:04:37 -0400
From: Fernando Go
a document may or may not be totally in
> scope for a "firewall" document, but should talk about concepts like
> default-deny inbound traffic, stateful inspection and the use of address
> space that is not announced to the Internet and/or is completely blocked
> at borders fo
ginning.
I cannot speak for that, unfortunately. But I can tell you that the
reason for which we posted a note on this list regarding our I-D is
because your feedback does matter to us (us == at least the co-authors
of this document)
Thanks!
Best regards,
--
Fernando Gont
e-mail: ferna...
much better if more people weigh) in
is exactly what we're looking for. Such that when we apply the
corresponding changes, and folks from other circles complain about them,
I can point them to this sort of discussion.
Thanks!
Best regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
le to identify cases
> where a devices may under-perform in the presence of IPv6
> traffic (see e.g. [FW-Benchmark]). XXX: This note may be
> removed before publication if deemed appropriate.
Because the RFCs we reference do require to make the measuremen
, please do let us know (please CC
, such that all
co-authors receive your feedback).
FWIW, this I-D is being discussed on the IETF opsec wg list
(, <https://www.ietf.org/mailman/listinfo/opsec>).
Thanks!
Best regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.co
in
> actual data.
>
> Anybody have any pointers? IPv4 and IPv6 are both interesting.
Probably off-topic, but since you mentioned reliability of IPv6
fragmentation:
*
<http://www.iepg.org/2013-11-ietf88/fgont-iepg-ietf88-ipv6-frag-and-eh.pdf>
* <http://www.iepg.org/2014-03-02-
y stable if you have a MAC->IPv6
mapping "database", or something else?
Cheers,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
any intent/mechanism for them to
be as "stable" as possible? Or is it usual for hosts to get a new
address for each lease?
P.S.: I understand this is likely to vary from one implementation to
another... so please describe which implementation/version you're
referring to.
Thanks!
Best reg
Folks,
FYI. Thought this might be of interest.
P.S.: Input/comments welcome
Thanks!
Cheers,
Fernando
Original Message
Subject: Some stats on IPv6 fragments and EH filtering on the Internet
Date: Mon, 04 Nov 2013 15:01:48 -0800
From: Fernando Gont
To: 6...@ietf.org
techtarget.com/tip/IPv6-addressing-requires-special-attention-to-ensure-security>
(the full article is available at the aforementioned URL, *without* the
need to register --- just scroll down past the ad as necessary).
Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6network
tools, testing, and/or measurements.
cut here
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9
ks.com/community/mailing-lists.html>.
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 32
t least) the latest versions of Linux, FreeBSD,
NetBSD, OpenBSD, and Mac OS X.
Please send any bug reports and/or feature requests to
.
As always, you can get the latest news on IPv6 security research and
tools by following us on Twitter: @SI6Networks.
Thanks!
Best regards,
--
Fernan
VPN software, thus opening the door to security
vulnerabilities, such as VPN traffic leaks. In this tip, we'll discuss
how these VPN security issues arise and the various mitigation options
available for containing VPN traffic leaks.
cut here
P.S.: Any comments will be welcome.
Than
vs non-initial fragments? -- If
so, in theory *both* might be missing the upper layer information. In
practice, the first-fragment won't. If it does, feel free to drop it.
Cheers,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
ng?
If it doesn't, it's not "like what NDPMon has been delivering for
several years already".
For instance, ipv6mon is not meant to be analogous to arpwatch, and is
*not* meant to detect ND attacks.
Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.co
ng
trainings <http://www.hackingipv6networks.com/upcoming-t>
Follow us on twitter: @SI6Networks
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6netw
e not yet been
applied, most likely it just means that I'm catching-up with them
(feel free to resend!).
Thanks!
Best regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
s according to some of
the examples in the manuals (and report any problems), that would be
great, too.
P.S.: If you've sent patches and your patches have not yet been
applied, most likely it just means that I'm catching-up with them
(feel free to resend!).
Thanks!
Best regard
. sigh :-) ).
Any feedback will be welcome.
P.S.: The slideware at:
<http://www.si6networks.com/presentations/hip2012/fgont-hip2012-hacking-ipv6-networks-training.pdf>
might give you some hints regarding how to use some of the tools.
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fg
draft-gont-6man-slaac-dns-config-issues-00.txt
has been successfully submitted by Fernando Gont and posted to the
IETF repository.
Filename:draft-gont-6man-slaac-dns-config-issues
Revision:00
Title: Current issues with DNS Configuration Options for SLAAC
Creation date:
be worse than v4, not (necessarily/only) for the protocol itself --
please see slide 8 of
<http://www.si6networks.com/presentations/deepsec2011/fgont-deepsec2011-ipv6-security.pdf>
Cheers,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
hears in IETF corridors things like "not
everyone needs privacy" from some mobile vendors... (sigh)
> PS: I still like your RFC about stable privacy addresses.
Thanks. That's where the "meat" is.. FWIW, articles such as the one I
forwarded are mostly meant to raise awareness, such that folks in the
position of implementing stuff such as
draft-ietf-6man-stable-privacy-addresses actually do it.
> PPS: There seems to be a diagram missing in the discussion of embedded
> MAC addresses, after the word "syntax".
Will check.
Thanks!
Cheers,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
cusses different *alternative* mitigations
for the aforementioned problem. Your input will be very appreciated.
Thanks!
Best regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
ustify
> the headline "Analysis: Vast IPv6 address space actually enables IPv6
> attacks." Whomever wrote that should share their stash.
FWIW, the headline was replaced prior to publication. Put another way: I
agree with your comment regarding the headline.
Cheers,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
e.
>> You can get "news" about this sort of stuff by following
>> @SI6Networks on Twitter.
>
> "news" in quotes is appropriate given it's really eyeball harvesting
> for marketing purposes.
Please do the math regarding the number of posts/tweet
r this document is available at:
<http://www.ietf.org/mail-archive/web/ipv6/current/msg15990.html>
IMO, these two I-Ds propose small spec updates which could result in
concrete operational and security benefits.
Thanks!
Best regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6netw
ables-IPv6-attacks>
(FWIW, it's a human-readable version of the IETF Internet-Draft I
published a month ago or so about IPv6 host scanning (see:
<http://tools.ietf.org/html/draft-gont-opsec-ipv6-host-scanning>))
You can get "news" about this sort of stuff by following @SI6Netwo
etworks
ipv6hackers mailing-list:
<http://lists.si6networks.com/listinfo/ipv6hackers/>
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.
ets>
Apologies for the possible inconvenience.
Thanks,
Fernando
On 04/24/2012 07:20 AM, Fernando Gont wrote:
> Folks,
>
> We've published a new IETF I-D entitled "Security Implications of IPv6
> on IPv4 networks".
>
> The I-D is available at:
> <
(http://lists.si6networks.com/listinfo/ipv6hackers/), comments were that
no vendor had addressed this, yet.
Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
iscusses the security implications of native IPv6
support and IPv6 transition/co-existence technologies on "IPv4-only"
networks, and describes possible mitigations for the aforementioned
issues.
cut here
Any feedback will be very welcome.
Thanks!
Best regards,
fy?
> Such as the exploit of vulnerable HTTP clients who _navigate to the
> attacker controlled web page_, walking directly into their hands,
> instead of worms "searching for needles in haystacks".
Well, this is part of alternative scanning techniques, which so far
FYI
Original Message
Subject: IPv6 host scanning in IPv6
Date: Fri, 20 Apr 2012 03:57:48 -0300
From: Fernando Gont
Organization: SI6 Networks
To: IPv6 Hackers Mailing List
Folks,
We've just published an IETF internet-draft about IPv6 host scanning
attacks.
Folks,
FYI,
<http://blog.si6networks.com/2012/02/ipv6-nids-evasion-and-improvements-in.html>
It contains some test results regarding the implementation of RFC 5722
and draft-ietf-6man-ipv6-atomic-fragments.
Thanks,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.c
regards,
Fernando
Original Message
Subject: RA-Guard: Advice on the implementation (feedback requested)
Date: Wed, 01 Feb 2012 21:44:29 -0300
From: Fernando Gont
Organization: SI6 Networks
To: IPv6 Operations
Folks,
We have just published a revision of our I-D
ity topics are considered "off topic". Subscription to the list is
open to the community.
cut here
You can subscribe to the mailing-list here:
http://lists.si6networks.com/listinfo/ipv6hackers/
Thanks!
Best regards,
--
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@acm