ICMPv6 Security

3 situations (where the filter sits):

  1. Host
  2. Site
  3. ISP

3 approaches (what the filter matches on)

  1. ICMP type
  2. address type
  3. address scope

What ICMPv6 is used for

  1. Error messages (4 types, each with subtypes distinguished by code)

  2. Discovery of

    2.1. Routers

    2.2. Hosts

      2.2.1. DAD (Duplicate Address Detection)
      2.2.2. Neighbour Solicitation
      2.2.3. Neighbour Advertisement
      2.2.4. Router Solicitation
      2.2.5. Router Advertisement
      2.2.6. Neighbour Unreachability Detection (NUD)
      2.2.7. SEND (Secure Neighbour Discovery)
      2.2.8. Multicast (MLD, multicast router discovery)
      2.2.9. Mobile IPv6 / SeaMoBY
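As an added example that is not part of the original notes, the following Python builds the Neighbour Solicitation a node sends for DAD (item 2.2.1 above) and runs the receiver-side sanity checks from RFC 4861 on it: hop limit 255, a valid ICMPv6 checksum over the IPv6 pseudo-header, a unicast target, and, for a probe from the unspecified source ::, a solicited-node multicast destination with no source link-layer address option. The function names, the dict that stands in for a parsed packet and the sample address 2001:db8::1 are my own choices, not anything from the notes.

```python
"""Build a DAD Neighbour Solicitation and check it the way a receiving node should."""
import ipaddress
import struct

ICMPV6_NS = 135
ND_HOP_LIMIT = 255     # RFC 4861: every ND message must arrive with hop limit 255
UNSPECIFIED = ipaddress.IPv6Address("::")
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(target):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target address."""
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (int(target) & 0xFFFFFF))


def icmpv6_checksum(src, dst, message):
    """Internet checksum over the IPv6 pseudo-header (RFC 8200 section 8.1) plus the ICMPv6
    message. Run over a message whose checksum field is already filled in, it returns 0 when
    the checksum is valid."""
    data = src.packed + dst.packed + struct.pack("!IxxxB", len(message), 58) + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dad_ns(tentative):
    """DAD probe for a tentative address (RFC 4862 section 5.4.2): source ::, destination the
    target's solicited-node group, no options. The dict is a stand-in for a parsed packet
    (constructed sample, not a real capture)."""
    target = ipaddress.IPv6Address(tentative)
    dst = solicited_node_multicast(target)
    body = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + target.packed   # checksum placeholder 0
    csum = icmpv6_checksum(UNSPECIFIED, dst, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    return {"src": UNSPECIFIED, "dst": dst, "hop_limit": ND_HOP_LIMIT, "icmpv6": body}


def validate_ns(pkt):
    """Receiver-side checks from RFC 4861 section 7.1.1. Returns the list of violations; an
    empty list means the solicitation may be processed."""
    src, dst, body = pkt["src"], pkt["dst"], pkt["icmpv6"]
    problems = []
    if pkt["hop_limit"] != ND_HOP_LIMIT:
        problems.append("hop limit != 255: the packet crossed a router or was spoofed off-link")
    if len(body) < 24:
        return problems + ["ICMPv6 length < 24"]
    if icmpv6_checksum(src, dst, body) != 0:
        problems.append("bad ICMPv6 checksum")
    if body[0] != ICMPV6_NS or body[1] != 0:
        problems.append("not a Neighbour Solicitation with code 0")
    target = ipaddress.IPv6Address(body[8:24])
    if target.is_multicast:
        problems.append("target is a multicast address")
    if src == UNSPECIFIED and dst != solicited_node_multicast(target):
        problems.append("DAD probe not addressed to the target's solicited-node group")
    opts = body[24:]                       # TLV options, length in units of 8 octets
    while opts:
        if len(opts) < 8 or opts[1] == 0 or len(opts) < opts[1] * 8:
            problems.append("malformed ND option")
            break
        if opts[0] == 1 and src == UNSPECIFIED:
            problems.append("source link-layer address option with source ::")
        opts = opts[opts[1] * 8:]
    return problems


if __name__ == "__main__":
    probe = build_dad_ns("2001:db8::1")
    print(probe["dst"], probe["icmpv6"].hex(), validate_ns(probe))
    print(validate_ns(dict(probe, hop_limit=64)))   # what a relayed/spoofed probe looks like
```

The hop-limit check is the one that matters for filtering: a Neighbour Solicitation that arrives with anything other than 255 has been forwarded by a router (or crafted off-link) and must be ignored, which is exactly why the ND types are "dropped anyway" at a transit router below.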

ICMPv6 approaches

Approach 1: message type (and code)

Approach 2: address type (unicast, multicast, unspecified)

  Source:

  Dest:

Approach 3: address scope (link-local traffic never crosses a router)

Protection goals

Filtering

Transit (ISP)

Must pass (must not be dropped)
type  name
1     destination unreachable (all codes)
2     packet too big
3     time exceeded (code 0)
4     parameter problem (codes 1, 2)
128   echo request
129   echo reply
Should pass (normally should not be dropped)
type  name
3     time exceeded (code 1)
4     parameter problem (code 0)
144   home agent address discovery request
145   home agent address discovery response
146   mobile prefix solicitation
147   mobile prefix advertisement
Dropped anyway (link-local scope, never forwarded; no explicit rule needed)
type  name
133   router solicitation
134   router advertisement
135   neighbour solicitation
136   neighbour advertisement
137   redirect
141   inverse neighbour discovery solicitation
142   inverse neighbour discovery advertisement
130   listener query
131   listener report
132   listener done
143   listener report v2
148   SEND certification path solicitation
149   SEND certification path advertisement
151   multicast router advertisement
152   multicast router solicitation
153   multicast router termination
Define a policy yourself
type     name
150      SeaMoBy (experimental)
5-99     unallocated error messages (IANA)
102-126  unallocated error messages (IANA)
Should be dropped unless a good case can be made
type             name
139              node information query
140              node information response
138              router renumbering
100,101,200,201  experimental
127,255          extension type numbers
154-199          unallocated informational messages (IANA)
202-254          unallocated informational messages (IANA)

Site (local network border)

Must pass (must not be dropped; the link-local types are accepted by the firewall itself, never forwarded)
type  name
1     destination unreachable (all codes)
2     packet too big
3     time exceeded (code 0)
4     parameter problem (codes 1, 2)
128   echo request
129   echo reply
133   router solicitation
134   router advertisement
135   neighbour solicitation
136   neighbour advertisement
141   inverse neighbour discovery solicitation
142   inverse neighbour discovery advertisement
130   listener query
131   listener report
132   listener done
143   listener report v2
148   SEND certification path solicitation
149   SEND certification path advertisement
151   multicast router advertisement
152   multicast router solicitation
153   multicast router termination
Should pass (normally should not be dropped)
type  name
3     time exceeded (code 1)
4     parameter problem (code 0)
Dropped anyway (no explicit rule needed)
type  name
138   router renumbering
144   home agent address discovery request
145   home agent address discovery response
146   mobile prefix solicitation
147   mobile prefix advertisement
150   SeaMoBy (experimental)
Define a policy yourself
type     name
137      redirect
139      node information query
140      node information response
5-99     unallocated error messages (IANA)
102-126  unallocated error messages (IANA)
Should be dropped unless a good case can be made
type             name
100,101,200,201  experimental
127,255          extension type numbers
154-199          unallocated informational messages (IANA)
202-254          unallocated informational messages (IANA)
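As an added example that is not the notes' own code, the Python below combines the three approaches (message type and code, address type, address scope) for both the transit and the site lists above and classifies one ICMPv6 message into the five categories those lists use. The role and chain parameters, the Verdict names, the classify function and the sample addresses (2001:db8::/32 documentation space) are my assumptions for illustration. It goes slightly beyond the lists: ND and MLD messages additionally get the hop-limit-255 and unicast-source checks from RFC 4861, error messages with a multicast address are rejected per RFC 4443, and in the forward chain anything with a link-scoped address is treated as unforwardable regardless of type.

```python
"""Classify an ICMPv6 message at a transit (ISP) or site border firewall."""
import ipaddress
from enum import Enum


class Verdict(Enum):
    MUST_PASS = "must not be dropped"
    SHOULD_PASS = "normally should not be dropped"
    DROPPED_ANYWAY = "dropped anyway, no explicit rule needed"
    POLICY = "administrator must define a policy"
    DROP = "drop unless a good case is made"


ECHO = {128, 129}
MOBILE = {144, 145, 146, 147}                      # home agent discovery, mobile prefix
ND = {133, 134, 135, 136, 137, 141, 142}           # RS/RA/NS/NA, redirect, inverse ND
MLD_MRD_SEND = {130, 131, 132, 143, 148, 149, 151, 152, 153}
UNALLOC_ERROR = set(range(5, 100)) | set(range(102, 127))
UNALLOC_INFO = set(range(154, 200)) | set(range(202, 255))
EXPERIMENTAL = {100, 101, 200, 201}
EXTENSION = {127, 255}

# Approach 1: per-type tables, one per configuration (the lists above).
TABLES = {
    "transit": {
        Verdict.MUST_PASS: {1, 2} | ECHO,
        Verdict.SHOULD_PASS: MOBILE,
        Verdict.DROPPED_ANYWAY: ND | MLD_MRD_SEND,
        Verdict.POLICY: {150} | UNALLOC_ERROR,
        Verdict.DROP: {138, 139, 140} | EXPERIMENTAL | EXTENSION | UNALLOC_INFO,
    },
    "site": {
        Verdict.MUST_PASS: {1, 2} | ECHO | (ND - {137}) | MLD_MRD_SEND,
        Verdict.DROPPED_ANYWAY: {138, 150} | MOBILE,
        Verdict.POLICY: {137, 139, 140} | UNALLOC_ERROR,
        Verdict.DROP: EXPERIMENTAL | EXTENSION | UNALLOC_INFO,
    },
}
# Time Exceeded (3) and Parameter Problem (4) are split by code in both configurations.
CODE_SPLIT = {
    (3, 0): Verdict.MUST_PASS, (3, 1): Verdict.SHOULD_PASS,
    (4, 0): Verdict.SHOULD_PASS, (4, 1): Verdict.MUST_PASS, (4, 2): Verdict.MUST_PASS,
}


def mcast_scope(addr):
    """Scope nibble of a multicast address ff0X::/16: 1 interface, 2 link, 5 site, E global."""
    return (int(addr) >> 112) & 0xF


def classify(role, chain, icmp_type, code, src, dst, hop_limit):
    """role: 'transit' or 'site'. chain: 'forward' (through the box) or 'input' (to the box).
    Returns (Verdict, reason)."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    # Approach 3, address scope: link-scoped traffic never crosses a router, whatever its type.
    link_scoped = (src.is_link_local or dst.is_link_local
                   or (dst.is_multicast and mcast_scope(dst) <= 2))
    if chain == "forward" and link_scoped:
        return Verdict.DROPPED_ANYWAY, "link-scoped address is not forwardable"
    # Approach 2, address type: error messages go unicast to unicast (RFC 4443); ND and MLD
    # come from an on-link node, i.e. hop limit 255 and a unicast or unspecified source.
    if icmp_type in (1, 2, 3, 4) and (src.is_multicast or dst.is_multicast):
        return Verdict.DROP, "error message with a multicast address"
    if icmp_type in (ND | MLD_MRD_SEND) and (hop_limit != 255 or src.is_multicast):
        return Verdict.DROP, "ND/MLD message not from an on-link node (hop limit != 255)"
    # Approach 1, type and code.
    if icmp_type in (3, 4):
        verdict = CODE_SPLIT.get((icmp_type, code), Verdict.DROP)
        return verdict, "type %d code %d" % (icmp_type, code)
    for verdict, types in TABLES[role].items():
        if icmp_type in types:
            return verdict, "type %d" % icmp_type
    return Verdict.DROP, "type %d is not in the table" % icmp_type


if __name__ == "__main__":
    # constructed samples: a PTB in transit, a rogue RA relayed from off-link to a site firewall
    print(classify("transit", "forward", 2, 0, "2001:db8:1::1", "2001:db8:2::1", 60))
    print(classify("site", "input", 134, 0, "2001:db8::bad", "ff02::1", 64))
```

The three approaches are deliberately applied in scope, address-type, type order: a Router Advertisement is "must pass" at a site firewall by type, but the hop-limit check still rejects one that was relayed from off-link, and in the forward chain the same message is discarded on scope alone before its type is ever consulted.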