2011
DOI: 10.17487/rfc6274
Security Assessment of the Internet Protocol Version 4

Cited by 19 publications
(17 citation statements)
References 15 publications
“…The security implications of IP fragmentation have been discussed at length in [RFC6274] and [RFC7739]. An attacker can leverage the generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow (in scenarios in which actual fragmentation of packets is not needed) and can subsequently perform any type of fragmentation-based attack against legacy IPv6 nodes that do not implement [RFC6946].…”
Section: Security Implications Of the Generation Of Ipv6 Atomic Fragm (mentioning)
confidence: 99%
“…We show how the use of globally-incrementing IP-ID field in IP headers, provides side-channel allowing effective off-path traffic analysis. The use of globally-incrementing IP-ID is recognized, in [17], as a common practice with known security implications; e.g., both globally-incrementing and per-destination incrementing IP-ID allow interception, injection and discarding of fragmented traffic [15]. Globally-incrementing IP-ID can allow estimation of the number of packets sent [32], stealth-scan for open ports (idle scan) [31] and counting hosts behind NAT [5].…”
Section: Related Work (mentioning)
confidence: 99%
“…The attack in Section 3 can be prevented by simply moving from globally-incrementing IP-ID to per-destination IP-ID; this would preferably be done by hosts, but until hosts do so, a firewall can implement this by adding (pseudo)random per-destination offset to the IP-ID. See analysis and better ways to fix the IP-ID in [15,17].…”
Section: Defense Mechanisms (mentioning)
confidence: 99%
“…Different sources suggest that servers and routers are usually numbered through manual assignment or DHCPv6, not using SLAAC or privacy extensions [10,14,21]. In fact, DHCPv6 and manual assignment are even recommended [30].…”
Section: Preparation Phase (mentioning)
confidence: 99%
“…At recent security conferences, security researchers have discussed flaws in both the IPv6 protocol and its implementations [3,10,14]. Since IPv6 replaces IPv4 as network layer protocol, future network security activities can also be subject to change.…”
Section: Introduction (mentioning)
confidence: 99%