One good piece of advice is never to read e-mails if you want to have a pleasant and relaxing weekend. Unfortunately, it is not so easy: open-source projects you are contributing to, friends, hobbies, and newsletters are all good reasons to read e-mails once in a while.

IPv6 is the next (current?) generation Internet protocol. It has been designed to overcome many limitations of IPv4 and fix some of the issues and weaknesses. Nevertheless, IPv6 fragmentation presented many vulnerabilities similar to the IPv4 ones in the past: new testing models were presented to check the presence of such problems.

In this work, we demonstrate that IPv6 fragmentation issues are still present today in operating systems because of the weakness of the model used to test their compliance. We also propose a new model that overcomes these limitations.

Recently, Mikrotik added a REST server as a new API for managing the router. It is a nice alternative to their proprietary API when automating RouterOS.

However, young software usually contains bugs. Sometimes, these bugs are security-related, and, together with not-so-safe defaults, they may create a vulnerability.

A few months ago, as part of our investigations on IPv6 security in the NetSecurityLab @ Sapienza University, we discovered a vulnerability that allows attackers to bypass rules in pf-based IPv6 firewalls in particular conditions. Let’s see some details of this vulnerability.