21 - STUDENT - eduroam and IPv6

Marko Dolničar (Slovenia)

In last year's poster we identified a problem in the sample eduroam network configuration provided by our NREN: an authenticated user can obtain a second IP address that cannot be matched to the user's real MAC address in the log files.
A new sample configuration that mitigates this attack was prepared in cooperation with our NREN, but further research uncovered a possible DoS attack against users connected to the same AP. Since autonomous access points offer no ideal fix for this problem, we investigated ARP poisoning detection. Arpwatch only detected the attack when the drone running it was itself poisoned, so we developed the idea of a similar tool that combines, in real time, information from dhcpd log files, L3 switch ARP tables and access point association lists, and alerts administrators to any ongoing attack.
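As an added illustration of the correlation such a tool has to perform (example code written for this page, not the tool itself), the script below parses a few constructed dhcpd DHCPACK lines, a Cisco-style "show ip arp" listing and an access point association listing (the "STA <mac> associated" line format is an assumption), and raises an alert whenever the switch resolves an IP to a MAC other than the one dhcpd leased it to, whenever an IP in use has no lease at all, or whenever a MAC present in the ARP table is not associated to any AP. The first rule also catches the IP/MAC mismatch described in last year's poster.

```python
import re
from collections import namedtuple

# One finding: what kind of inconsistency, for which IP, which MAC the switch
# ARP table holds and which MAC dhcpd leased the IP to (None if no lease).
Alert = namedtuple("Alert", "kind ip arp_mac lease_mac")

# dhcpd syslog line: "... dhcpd: DHCPACK on 10.1.2.23 to 00:11:22:33:44:55 (host) via eth0"
DHCPD_ACK = re.compile(r"DHCPACK on (\d+\.\d+\.\d+\.\d+) to ([0-9a-f:]{17})", re.I)
# Cisco "show ip arp" row: "Internet  10.1.2.23   5   0011.2233.4455  ARPA   Vlan20"
SWITCH_ARP = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
# Assumed (hypothetical) AP association line: "STA 00:11:22:33:44:55 associated"
AP_ASSOC = re.compile(r"STA ([0-9a-f:]{17}) associated", re.I)


def norm_mac(mac):
    """Normalise any MAC notation (colon, dash, Cisco dotted) to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(lines):
    """Map IP -> MAC from DHCPACK lines; a later ACK for the same IP wins."""
    leases = {}
    for line in lines:
        m = DHCPD_ACK.search(line)
        if m:
            leases[m.group(1)] = norm_mac(m.group(2))
    return leases


def parse_arp(lines):
    """Map IP -> MAC from the L3 switch ARP table."""
    arp = {}
    for line in lines:
        m = SWITCH_ARP.match(line.strip())
        if m:
            arp[m.group(1)] = norm_mac(m.group(2))
    return arp


def parse_assoc(lines):
    """Set of MACs currently associated to the access points."""
    return {norm_mac(m.group(1)) for m in map(AP_ASSOC.search, lines) if m}


def correlate(leases, arp, assoc, static_ips=frozenset()):
    """Compare every ARP entry with the DHCP lease and the AP association list."""
    alerts = []
    for ip in sorted(arp, key=lambda a: tuple(int(o) for o in a.split("."))):
        mac = arp[ip]
        if ip in static_ips:          # gateways and other statically addressed hosts
            continue
        lease_mac = leases.get(ip)
        if lease_mac is None:
            alerts.append(Alert("no-dhcp-lease", ip, mac, None))
        elif lease_mac != mac:
            # The switch resolves the IP to a MAC other than the one dhcpd leased
            # it to: ARP poisoning, or a client that took someone else's address.
            alerts.append(Alert("arp-dhcp-mismatch", ip, mac, lease_mac))
        if mac not in assoc:
            alerts.append(Alert("mac-not-associated", ip, mac, lease_mac))
    return alerts


# Constructed sample input (not real logs).
DHCPD_LOG = [
    "Jun  3 10:15:02 dhcp dhcpd: DHCPACK on 10.1.2.23 to 00:11:22:33:44:55 (alice-laptop) via eth0",
    "Jun  3 10:15:40 dhcp dhcpd: DHCPACK on 10.1.2.24 to aa:bb:cc:dd:ee:ff (bob-phone) via eth0",
]
SWITCH_ARP_TABLE = [
    "Protocol  Address     Age (min)  Hardware Addr   Type   Interface",
    "Internet  10.1.2.1           -   0000.0c07.ac01  ARPA   Vlan20",
    "Internet  10.1.2.23          5   0011.2233.4455  ARPA   Vlan20",
    "Internet  10.1.2.24          0   0011.2233.4455  ARPA   Vlan20",
    "Internet  10.1.2.77          2   dead.beef.0001  ARPA   Vlan20",
]
AP_ASSOC_LIST = [
    "STA 00:11:22:33:44:55 associated",
    "STA aa:bb:cc:dd:ee:ff associated",
]
STATIC_IPS = frozenset({"10.1.2.1"})   # the gateway is not a DHCP client


def detect(dhcp_lines=DHCPD_LOG, arp_lines=SWITCH_ARP_TABLE,
           assoc_lines=AP_ASSOC_LIST, static_ips=STATIC_IPS):
    """Run the three parsers and the correlation over one snapshot."""
    return correlate(parse_leases(dhcp_lines), parse_arp(arp_lines),
                     parse_assoc(assoc_lines), static_ips)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

In the sample snapshot Alice's MAC answers for Bob's leased address 10.1.2.24, which is the poisoning case, and 10.1.2.77 is in use by a MAC that neither holds a lease nor is associated to an AP. A real-time version would feed the same functions from a syslog tail, periodic SNMP or SSH polls of the switch and the AP association lists.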
Since modern operating systems prefer IPv6 over IPv4, we set up a rogue Router Advertisement daemon and a 6to4 tunnel on an IPv4-only eduroam network to mount an IPv6 man-in-the-middle attack. Furthermore, some eduroam networks in Slovenia already run a dual-stack configuration, so we studied IPv6 network security and tried some of the known IPv6 attacks on these networks. We found that no single configuration mitigates all of the problems, so we turned to detecting them with NDPMon and similar software.
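The rogue RA described above can be spotted by checking every Router Advertisement seen on a segment against the routers and prefixes that are allowed to exist there, which is the idea behind NDPMon's authorised router list. The following added example (written for this page, not NDPMon's code) builds two constructed RA messages with the ICMPv6 checksum left at zero, parses them, and applies that policy: on the dual-stack network only the legitimate router MAC and prefix are permitted, and on an IPv4-only segment the allowed sets are empty, so any RA, and in particular one advertising a 2002::/16 6to4 prefix, is reported. The MAC addresses and the 2001:db8:1::/64 and 2002:c000:201::/64 prefixes are assumptions made for the example.

```python
import struct
import ipaddress
from collections import namedtuple

ICMPV6_ROUTER_ADVERT = 134   # RFC 4861 ICMPv6 type
OPT_SOURCE_LLADDR = 1        # ND option: source link-layer address
OPT_PREFIX_INFO = 3          # ND option: prefix information
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

RouterAdvert = namedtuple("RouterAdvert", "opt_lladdr router_lifetime prefixes")


def build_ra(src_mac, prefix, prefix_len=64, router_lifetime=1800):
    """Build an ICMPv6 RA message (checksum left zero: constructed test input,
    not a wire-valid packet). 16-byte header per RFC 4861 section 4.2, then a
    source link-layer address option and one prefix information option."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0,
                         64, 0x00, router_lifetime, 0, 0)
    lladdr = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + bytes.fromhex(src_mac.replace(":", ""))
    prefix_opt = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, 0xC0,
                              2592000, 604800, 0)
                  + ipaddress.IPv6Address(prefix).packed)
    return header + lladdr + prefix_opt


def parse_ra(payload):
    """Parse an ICMPv6 RA message body; returns None for other ICMPv6 types."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERT:
        return None
    router_lifetime = struct.unpack("!H", payload[6:8])[0]
    opt_lladdr, prefixes = None, []
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")   # forbidden by RFC 4861
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated ND option")
        body = payload[off + 2:end]
        if opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            opt_lladdr = ":".join("%02x" % b for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen = body[0]                       # prefix length, then flags, lifetimes, reserved
            prefix = ipaddress.IPv6Address(bytes(body[14:30]))
            prefixes.append(ipaddress.IPv6Network((prefix, plen), strict=False))
        off = end
    return RouterAdvert(opt_lladdr, router_lifetime, prefixes)


def check_ra(frame_src_mac, payload, allowed_routers, allowed_prefixes):
    """Policy check on one RA.
    allowed_routers: MACs permitted to send RAs on this segment.
    allowed_prefixes: IPv6Network objects they may advertise.
    On an IPv4-only segment both sets are empty, so every RA is flagged."""
    ra = parse_ra(payload)
    findings = []
    if ra is None:
        return findings
    if frame_src_mac not in allowed_routers:
        findings.append("unauthorized-router %s" % frame_src_mac)
    if ra.opt_lladdr is not None and ra.opt_lladdr != frame_src_mac:
        findings.append("lladdr-option-mismatch %s" % ra.opt_lladdr)
    for p in ra.prefixes:
        if p not in allowed_prefixes:
            findings.append("unexpected-prefix %s" % p)
        if p.subnet_of(SIX_TO_FOUR):
            # A 2002::/16 prefix where there is no native IPv6 is the signature
            # of a 6to4-backed rogue router.
            findings.append("6to4-prefix %s" % p)
    return findings


# Constructed scenario (assumed addresses, not captured traffic).
LEGIT_ROUTER_MAC = "00:00:5e:00:01:01"          # the dual-stack campus router
LEGIT_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}
ROGUE_MAC = "02:ca:fe:00:00:01"                 # attacker's laptop
ROGUE_PREFIX = "2002:c000:201::"                # 6to4 prefix for IPv4 address 192.0.2.1


def demo():
    """Findings for (a) the legitimate RA on the dual-stack network and
    (b) the rogue 6to4 RA on an IPv4-only eduroam segment."""
    legit = check_ra(LEGIT_ROUTER_MAC, build_ra(LEGIT_ROUTER_MAC, "2001:db8:1::"),
                     {LEGIT_ROUTER_MAC}, LEGIT_PREFIXES)
    rogue = check_ra(ROGUE_MAC, build_ra(ROGUE_MAC, ROGUE_PREFIX), set(), set())
    return legit, rogue


if __name__ == "__main__":
    for label, findings in zip(("dual-stack, legitimate RA", "IPv4-only, rogue RA"), demo()):
        print(label, "->", findings or "OK")
```

In a deployment the frame source MAC and the ICMPv6 payload come from a capture on the wireless segment. Comparing the frame source with the link-layer address option catches a sender that spoofs the option but not the frame, and a zero router lifetime (used to withdraw a router) should be treated with the same suspicion as a new one, since it is the other half of a DoS against IPv6 connectivity.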
