With the continuous growth of Internet applications, IPv4 addresses are running out worldwide, and calls for IPv6 adoption are growing louder. But is IPv6 ready to serve today's network devices?
IPv6 was designed to replace the traditional IPv4 protocol. As IPv6 was drafted and refined, it was given the means to repair the security defects of IPv4: IPsec (Internet Protocol Security), originally an optional extension to IPv4, was built into the IPv6 protocol to address the network security problems that came with IPv4. In practice, however, a new communication protocol such as IPv6 also brings unexpected design vulnerabilities of its own, and as network systems and end devices transition to IPv6, a range of new security vulnerabilities may appear.
For example, the "atomic fragment" vector, long suspected of causing IPv6 security vulnerabilities, has been identified as a possible source of fragment attacks against large-scale core network routers. In IPv4, fragmentation attacks are a very common technique whose main purpose is to evade firewalls and intrusion detection systems: a malicious signature that would otherwise be easy to detect is spread across several packets, so that the firewall or IDS cannot effectively reconstruct the intent of the original packet. In IPv6, only the source node may fragment packets, and the fragment size is chosen according to the maximum MTU discovered along the path from source to destination. Fragments are typically 1280 bytes, the IPv6 minimum packet size, and the last fragment is usually smaller than 1280 bytes. Overlapping fragments are also very difficult to handle, because different destination systems reassemble packets in different ways.
In IPv6, when a host receives a Packet Too Big message reporting an MTU smaller than 1280 bytes (the IPv6 minimum MTU), it cannot fragment the packet any further. Instead it sends IPv6 atomic fragments: packets that carry a Fragment header whose offset value is 0 and whose MF (More Fragments) bit is 0. The key problem is that these atomic fragments can become Denial of Service (DoS) attack vectors and so threaten the safe operation of core routers.
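As an added example (not code from the original article), the following Python walks an IPv6 extension-header chain and flags the atomic-fragment case described above, a Fragment header with offset 0 and M bit 0, on constructed sample packets that use documentation addresses from 2001:db8::/32. The packet layouts and the chain-walking helper are assumptions for illustration, not any vendor's implementation.

```python
import struct

IPV6_FRAGMENT = 44
# Extension headers whose second byte is a length in 8-octet units (not counting the first 8)
EXT_WITH_LENGTH = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options


def classify_ipv6_fragment(pkt: bytes):
    """Return None if there is no Fragment header, else its fields plus an 'atomic' flag.

    An atomic fragment (RFC 6946 / RFC 8021) has Fragment Offset == 0 and M == 0:
    a whole datagram wrapped in a Fragment header. Receivers should handle such
    packets in isolation rather than feeding them into the reassembly buffer.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off = pkt[6], 40
    while True:
        if next_hdr == IPV6_FRAGMENT:
            if len(pkt) < off + 8:
                raise ValueError("truncated fragment header")
            nh, _res, frag_field, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            offset, more = frag_field >> 3, frag_field & 0x1   # 13-bit offset, M flag
            return {"next_header": nh, "offset": offset, "more_fragments": bool(more),
                    "identification": ident, "atomic": offset == 0 and more == 0}
        if next_hdr in EXT_WITH_LENGTH:
            if len(pkt) < off + 2:
                raise ValueError("truncated extension header")
            next_hdr = pkt[off]
            off += (pkt[off + 1] + 1) * 8
        else:
            return None   # reached an upper-layer header (TCP/UDP/ICMPv6) with no Fragment header


def ipv6_header(next_header: int, payload_len: int) -> bytes:
    # Constructed sample addresses: 2001:db8::1 -> 2001:db8::2, hop limit 64
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src + dst


def fragment_header(next_header: int, offset: int, more: int, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | (more & 1), ident)


# Constructed sample packets (payloads are zero stubs; only the header chain matters here)
ATOMIC_PKT = ipv6_header(44, 16) + fragment_header(58, 0, 0, 0x1234) + b"\x00" * 8
REAL_FRAG_PKT = ipv6_header(44, 16) + fragment_header(17, 0, 1, 0x1234) + b"\x00" * 8
NO_FRAG_PKT = ipv6_header(17, 8) + b"\x00" * 8
# Destination Options (next header 44, ext len 0, PadN option) followed by an atomic fragment
DSTOPTS_THEN_ATOMIC = (ipv6_header(60, 24) + bytes([44, 0, 1, 4, 0, 0, 0, 0])
                       + fragment_header(6, 0, 0, 0xABCD) + b"\x00" * 8)
```

Counting atomic fragments per source on a router or IDS, using this classification, gives a cheap indicator of the DoS pattern the text describes without inspecting reassembled payloads.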
For this reason Fernando Gont, a contributor to the Internet Engineering Task Force (IETF), formally submitted RFC 8021, which places the generation of IPv6 atomic fragments on the "considered harmful" list to urge the industry to pay attention to the problem. Because the vulnerability lies in the IPv6 protocol itself, it exists in any product that implements the protocol, so mainstream core network equipment vendors such as Cisco, Juniper Networks, Ericsson and Huawei must address it in order to avoid the risk of atomic fragment attacks arising from protocol-level vulnerabilities.