Thoughts from ShmooconIX (2013)


First off, I want to thank all of the organizers and speakers – everything went great, even including IPv6 connectivity for most of the event and only one broken chandelier (that I know of, anyway).

For those who don’t know, Shmoocon is a ~3 day security conference (Friday-Sunday) mostly broken up into three concurrently-running tracks:
“Build It”
“Belay It”
“Bring it on”
… these names give a pretty good idea of the topics that will be focussed on.

There are other talks as well, a “Train the trainer” schedule that runs partially parallel to those tracks, and “Fire Talks” after the main conference ends Friday and Saturday.  There are many other events going on – Ghost in the Shellcode, Barcode Shmarcode, Lockpick Village … it really is quite a packed event.
(The Fire Talks are about 20 minutes long, vs. the main conference presentations which run closer to an hour.)

Aside from being rather well-known for the quality of the talks (more on that later), Shmoocon is also infamous for selling all of their tickets in about 25 seconds.  The conference is intentionally kept small and reasonably priced, so selling all of the tickets is to be expected – but this rate of sell-out-age is amazing … and frustrating, as you burn up the F5 key on your keyboard trying to get tickets.
(The tickets are released in 3 different batches, and each batch uses up all of its ‘reservation tokens’ in 10 seconds or less … amazing!)

Another fantastic feature: all of the presentations are streamed live, and recorded.  These recordings are then made available, FREE.  This year’s recordings will eventually be posted at
(No ETA at the time of this writing.  Once posted, these are a great way to catch up on the ~2/3+ of the presentations you missed!)

The Con
Anyway, let’s talk about a couple of the presentations – maybe get you fired up to go watch the videos (when they get posted).
(I won’t take up your whole day sharing the details for all of the talks I saw, if you want that see the very end of this post …)

#1 – Travis Goodspeed’s presentation about “Anti-Active Forensics” (aka Exploiting the USB Magic School Bus) was great.  Facedancer talks USB, and drives that wipe themselves in the face of “unusual access patterns (signifying forensic activity vs. normal user access)”.  (This was a Fire Talk)

#2 – Michael Rash’s “Port Knocking” presentation was novel; and I think there could be a play for IPv6 there as well.  Michael, call me.

#3 – Chris Campbell’s “Pwn without tools” shows us the power of PowerShell and using Twitter for Command and Control (C2).  (This talk was also presented long-form at Epilogue, see below.)

Honorable mention goes to many of the presenters … Michelle’s Thin-Slicing (“fighting digital kudzu”), Georgia’s Smartphone Pentest Framework (of personal interest), Joe’s Becoming a Time Lord (“hacking NTP”, with props!) and G.Mark’s Hacking as an Act of War (“The DoD is for when the Dept of State fails”) were phenomenal.

It may also go without saying, but I will say it anyway – the real value of attending this conference is just being in the same room(s) with all of these very smart people engaged in technical conversations and bouncing ideas back and forth; questioning and defending positions.
I might even go so far as to say that more information is exchanged in the hallways than in the presentations – learning via proximity :) .

The Northern Virginia Hackers (NoVaHa) put on a post-conference-conference called “Epilogue”.  This was a great day of great presentations as well, culminating in something that may make CCDC Blue Team’ers cry just a little bit.  An interesting experiment was to stream them all via Google Hangouts, which has the nifty benefit of also making them IPv6 reachable :) .
(Note: grecs was nice enough to catalog the videos from Epilogue,

(( For those really into self-abuse, you can follow my “stream of consciousness” notes … (please excuse any typos, they were typed on a phone during the talks!):
Days 0, 1:
Day 2:
Epilogue:  ))

Feel free to ask me if you have any questions …
PS – It was good to see the return of the Shmooball!

An example of “trying and failing” to really do IPv6 …

One of the most common complaints an organization has when trying to move forward with an IPv6 deployment is “lack of vendor support”.  Whether that means your ISP cannot get you the connectivity you need (cough DISA FAIL cough) or that means critical components of your infrastructure just can’t do it (yet?) – in either type of scenario, this is clearly suboptimal.

Another problem we run into is vendors that say they “do IPv6”, and even seem to live up to that, at first glance.  Only when a deployment commences do you then find out some “little things” that aren’t quite right …

Case in point: F5’s Big-IP Load Balancers.
These devices are fairly popular and claim pretty strong IPv6 capabilities.  And we can configure the virtual IPs (IPv4 and IPv6) that will be the public-facing side of a service being offered – nice, right?

However, these devices don’t do a couple things that we expected … 
* The “virtual inside address” – a Link Local IPv6 address that nodes will use as a default gateway – isn’t used properly.  The Big-IPs source the Router Advertisements from the “physical Link Local Address”, not the virtual one.  FAIL!
* Additionally, the current version of code does not support managing the device over IPv6.  Even the newer version of code supports IPv4 *or* IPv6 for management, but not both concurrently.  LAME!

(In both cases, we are working with the vendor to try to mitigate this … do you have any similar stories to share?  Send them along!)
Just some quick thoughts on the types of things you need to think through as you deploy IPv6 in your network … I mean, you are (at the very least) starting this process aren’t you??
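The Router Advertisement problem in the first bullet can be checked from a packet capture: hosts install the RA's source address as their default gateway, so an RA sourced from a unit's physical link-local address is the thing to flag. This is an added example, not code from the original post or from F5; the addresses, function names and result labels are constructed for illustration, and it assumes no IPv6 extension headers and does not verify the ICMPv6 checksum.

```python
import ipaddress
import struct

ICMPV6 = 58          # IPv6 Next Header value for ICMPv6
ROUTER_ADVERT = 134  # ICMPv6 type: Router Advertisement

def build_ra(src, lifetime=1800):
    """Build a minimal IPv6 + RA packet as constructed sample input."""
    ra = struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0)
    hdr = struct.pack("!IHBB", 6 << 28, len(ra), ICMPV6, 255)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address("ff02::1").packed + ra)

def check_ra(packet, expected_gw):
    """Classify one captured IPv6 packet against the gateway hosts should learn."""
    if len(packet) < 56 or packet[0] >> 4 != 6:
        return "not-ra"
    if packet[6] != ICMPV6 or packet[40] != ROUTER_ADVERT:
        return "not-ra"
    src = ipaddress.IPv6Address(packet[8:24])
    lifetime = struct.unpack("!H", packet[46:48])[0]
    # RFC 4861: hosts discard RAs without hop limit 255 or a link-local source
    if packet[7] != 255 or not src.is_link_local:
        return "invalid"
    if lifetime == 0:
        return "not-default"   # router lifetime 0: not offered as default gateway
    if src != ipaddress.IPv6Address(expected_gw):
        return "unexpected-source"  # hosts would route via a non-floating address
    return "ok"

if __name__ == "__main__":
    VIRTUAL = "fe80::1"        # hypothetical floating gateway address
    PHYSICAL = "fe80::a:1"     # hypothetical per-unit link-local address
    for name, src in (("virtual", VIRTUAL), ("physical", PHYSICAL)):
        print(name, check_ra(build_ra(src), VIRTUAL))
```

The same comparison also surfaces any other unexpected RA sender on the segment, since every RA whose source is not the configured gateway address is reported.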

PS – for reference:
… feel free to drop by there and let them know how important these items are for you :) .

As another year closes, how is IPv6 looking for you?

While a bit cliche, the last days of each year are a good opportunity to reflect on the year – progress made, problems solved, insights gained – and to look towards those same things for the upcoming year.

2012 saw Google measuring IPv6 traffic clearing over 1% of overall traffic – while 1% is still too low, check the chart.  The phrase “hockey stick” comes to mind – it will be very interesting to see if this exponential growth trend continues (or accelerates).

2012 saw “World IPv6 Launch” happen, a very successful follow-up to “World IPv6 Day” in 2011.  “This time it is for real”, meaning not just a 24 hour light-up of some IPv6-capable site; but a permanent light-up of IPv6 of your primary site.  And getting ISPs to commit to lighting up some customers as well.

(Sidenote:  I personally benefit from this in that Comcast has deployed native IPv6 in my service region.  I have native IPv6 at my home; not because I ‘know someone’ and not because I configured a tunnel or loaded custom hacked-up firmware on my CPE.  I have native IPv6 because my ISP supports it, my cable modem happens to be DOCSIS3.0 capable, my off-the-shelf CPE (Linksys 4200v2, if you must ask) does DHCPv6 and because all of the computing things in my house support it.  Win!!)

2012 also saw the US federal government’s “OMB2012” deadline come to pass.  And while many agencies failed to meet it, many did (kudos to the Department of Veterans Affairs), and even those that didn’t – hopefully they have started down the right path.  A great guide to these requirements, and the now-on-deck 2014 deadline, is available in the “Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government”.

In our view, 2012 is also the year when having an IPv6 presence on the Internet became An Important Thing.  Sadly, many environments that have taken this bold step often fail to maintain the same level of service, support and monitoring as their IPv4 offerings.  To that end, we encourage the use of something like IPv6Sonar to monitor the status and performance of your site, over both IPv4 and IPv6.

Anecdotally, 2012 has also seen the training work continue to accelerate.  This is a Good Thing, as understanding IPv6 is an important step in getting it deployed – and we have a long way to go in spreading this knowledge!

On the topic of sharing information, another pet peeve of mine: articles authored in such a way that they could easily be misunderstood.  For example, this article makes several valid points – but also raises points that require more clarification to avoid misunderstandings.
(Also, note that NAT-PT has officially been deprecated – DNS64/NAT64* is where it is at; (go read about that here and here!))

* – as a final aside: IPv6-only devices are something many have said will not happen in the near future, but clearly that is short-sighted and ignores one very important aspect for certain deployment scenarios.  Such as my phone.  In the interest of mitigating certain technical and economic impacts of dual-stacking cellular devices, my carrier** has elected to make IPv6-only an option for connecting to their network (and it is an option for now, the user needs to reconfigure the phone to do this).  Naturally, I continue to need access to IPv4-only sites – and this happens via DNS64/NAT64!

** – OK, I lied.  One more aside – while my carrier is doing this great work in getting IPv6-only devices deployed, note that their website is IPv4-only.  That’s right, I actually need to use their DNS64/NAT64 implementation to get to their own website.  Insert the “sad trombone” sound here …


And I close with a smile – feel free to take a minute (less, actually!) to watch our video about how you might approach your IPv6 training needs :) .


I hope you had a fantastic 2012, and are looking forward to an even more IPv6-enabled 2013!
/Your humble IPv6 servant