The Internet Engineering Task Force (IETF) has published RFC 8021 entitled 'Generation of IPv6 Atomic Fragments Considered Harmful.' The vast majority of folk will have fallen asleep by the third word in, namely IPv6.

However, read further and you will discover that atomic fragmentation is a DoS attack vector that can hit routers in the largest-scale core networks, and that while the OpenBSD and Linux stacks are patched, some server and router implementations remain at risk, as do Linux servers not running a patched kernel.

You will also discover that atomic fragments are serious enough to have now been added to the IETF 'considered harmful' list.

Here comes the technical bit: according to RFC 6946, the IPv6 specification allows a packet to carry a Fragment header without the packet actually being fragmented into multiple pieces. These are the atomic fragments referred to in RFC 8021.

By forging ICMPv6 'Packet Too Big' error messages, an attacker could trick hosts into employing these atomic fragments and then launch a fragmentation-based attack against that traffic.
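To make the definition concrete from the monitoring side, here is an added example (not code from the article or from the RFC authors) that parses a raw IPv6 packet, walks its extension-header chain and flags an atomic fragment using the RFC 6946 criterion: a Fragment header whose offset is 0 and whose M (more fragments) flag is 0. The sample packets are constructed inline using the 2001:db8::/32 documentation prefix.

```python
import struct

IPV6_HDR_LEN = 40
FRAGMENT_HDR = 44            # Next Header value of the Fragment extension header
# Extension headers laid out as: next header (1 byte), length in 8-octet units minus 1 (1 byte), data.
CHAINABLE_EXT = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options


def find_fragment_header(pkt: bytes):
    """Walk the extension-header chain of a raw IPv6 packet and return
    (offset, more_flag, identification) of its Fragment header, or None."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return None
    nxt, pos = pkt[6], IPV6_HDR_LEN
    while pos + 8 <= len(pkt):
        if nxt == FRAGMENT_HDR:
            _, _, frag_field, ident = struct.unpack_from("!BBHI", pkt, pos)
            return frag_field >> 3, frag_field & 0x1, ident  # 13-bit offset, M flag
        if nxt not in CHAINABLE_EXT:
            return None  # upper-layer header reached without a Fragment header
        nxt, ext_len = pkt[pos], pkt[pos + 1]
        pos += (ext_len + 1) * 8
    return None


def is_atomic_fragment(pkt: bytes) -> bool:
    """RFC 6946 definition: Fragment header present with offset 0 and M = 0."""
    frag = find_fragment_header(pkt)
    return frag is not None and frag[0] == 0 and frag[1] == 0


def build_packet(atomic: bool, with_hop_by_hop: bool = False) -> bytes:
    """Constructed sample packet (documentation prefix 2001:db8::/32) for offline testing."""
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")
    payload = bytes(8)                              # stand-in for the upper-layer data
    frag_field = 0 if atomic else (1 << 3) | 1      # offset 1 (8 octets) with M=1
    frag_hdr = struct.pack("!BBHI", 17, 0, frag_field, 0x1234)  # next header = UDP
    ext = b""
    if with_hop_by_hop:
        ext = bytes([FRAGMENT_HDR, 0, 1, 4, 0, 0, 0, 0])  # 8-byte Hop-by-Hop carrying PadN
    first_nxt = 0 if with_hop_by_hop else FRAGMENT_HDR
    body = ext + frag_hdr + payload
    ip6 = struct.pack("!IHBB", 0x60000000, len(body), first_nxt, 64) + src + dst
    return ip6 + body
```

A packet filter or IDS that counts atomic fragments per source, or that refuses to let a forged 'Packet Too Big' lower its path MTU below 1280 bytes, applies the same check to live traffic.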

"In cyber-security circles, it's been well known for years that excessive fragmentation attacks can cause denial of service conditions on systems that are sensitive to this category of attack," says Stephen Gates, chief research intelligence analyst at NSFOCUS. For IPv4 these attacks are no longer an issue, as almost all the relevant technologies have been patched to remove the possibility. "It appears IPv6 will be no different," Stephen concludes, "once this issue is resolved."

But it does open up a bigger can of worms, insofar as the wider IPv6 threat landscape is concerned, according to Geoff Jones, director of pen testing specialists Cyberis Limited. "Even security conscious organisations are failing when it comes to IPv6," Geoff said, adding that his organisation consistently sees "system administrators failing to firewall hosts correctly from IPv6 traffic".

They configure iptables on a Linux box but forget to configure ip6tables. Yet the autoconfiguration of hosts, and the existence of the 'all-nodes' address, gives an adversary with physical access to a network an extremely quick and efficient way of finding potential targets.

So isn't it time everyone started taking IPv6 security seriously?

This article originally appeared at scmagazineuk.com