[ipv6hackers] IPv6 Security research

Marc Heuse mh at mh-sec.de
Mon Mar 26 14:39:47 CEST 2012


Am 26.03.2012 13:45, schrieb Fernando Gont:
> On 03/26/2012 08:57 AM, Marc Heuse wrote:
> 
>> And Cisco can't fix RA guard. The mitigation techniques must be
>> implemented on the client side, like the "drop overlapping fragments"
>> stuff, or not allowing extension headers for NDP/RA packets etc.
>> Only then RA guard can work.
> 
> That's not correct.
> 
> RA-Guard *can* be fixed. Please see:
> <http://tools.ietf.org/id/draft-ietf-v6ops-ra-guard-implementation-02.txt>.

I know your draft and yes, it is not fully fixed.

Here is how to bypass your recommended fixes:

Send the following 1st packet:
ipv6 | fragmentationhdr | dsthdr (1200 bytes) | icmp6 echo request
(fragmented)

And then the 2nd packet:
ipv6 | fragmentationhdr | dsthdr (8bytes) | icmp6 router advertisement

where the frag ID is the same and the offset of the 2nd packet points to
byte 1992 of the dsthdr in the first pkt.

The fix: implement overlap fragmentation protection in the clients.

The only way to "fix" this in RA guard would be to drop all packets that
have any extension header type following a fragmentation header. And no
one would implement this as it might break future features.

>> P.S. funny that you are doing your IPv6 talk after my keynote at hackito
>> ergo sum in Paris in a few weeks. I have the feeling this is not a
>> coincidence :-)
> 
> Not sure what you mean...

Those who can read the agenda are at an advantage:
http://2012.hackitoergosum.org/blog/schedule/schedule
;-)

Greets,
Marc

--
Marc Heuse
www.mh-sec.de

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
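The client-side mitigation Marc names above ("drop overlapping fragments", and not accepting NDP/RA messages that arrive fragmented or behind extension headers) is illustrated here as an added example; it is not code from the list post or from any of the projects mentioned. It keeps a per-datagram reassembly state, discards the whole datagram as soon as one fragment overlaps an already accepted one (the RFC 5722 behaviour), and separately refuses NDP messages that are fragmented or carry extension headers. Fragments are represented as constructed (offset, length, more) records rather than parsed from real packets, and the `(src, dst, id)` key is an assumed tuple.

```python
"""Client-side IPv6 reassembly hardening (added example, not from the thread).

Fragment offsets are given in bytes here; on the wire they are carried in
8-octet units, so a real implementation multiplies the header field by 8.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Fragment:
    offset: int   # byte offset of this piece within the reassembled payload
    length: int   # payload bytes carried by this piece
    more: bool    # More-Fragments flag (False on the final piece)


@dataclass
class ReassemblyState:
    """State kept per (src, dst, identification) key (assumed key layout)."""
    pieces: list = field(default_factory=list)  # accepted (start, end) byte intervals
    total: Optional[int] = None                 # known once the final piece arrives
    dropped: bool = False                       # datagram poisoned by an overlap


def overlaps(a_start: int, a_end: int, b_start: int, b_end: int) -> bool:
    """True when the half-open intervals [a_start, a_end) and [b_start, b_end) intersect."""
    return a_start < b_end and b_start < a_end


class Reassembler:
    def __init__(self) -> None:
        self.states: dict = {}

    def add(self, key, frag: Fragment) -> str:
        """Feed one fragment; returns 'dropped', 'pending' or 'complete'."""
        st = self.states.setdefault(key, ReassemblyState())
        if st.dropped:
            # Once an overlap was seen, every later piece of that datagram is discarded.
            return "dropped"
        start, end = frag.offset, frag.offset + frag.length
        for s, e in st.pieces:
            if overlaps(start, end, s, e):
                # Overlap: abandon the datagram instead of letting either copy win.
                st.dropped = True
                st.pieces.clear()
                return "dropped"
        st.pieces.append((start, end))
        if not frag.more:
            st.total = end
        if st.total is not None:
            # Check whether the accepted pieces tile [0, total) without gaps.
            pos = 0
            for s, e in sorted(st.pieces):
                if s != pos:
                    return "pending"
                pos = e
            if pos == st.total:
                del self.states[key]
                return "complete"
        return "pending"


# ICMPv6 NDP message types (RS, RA, NS, NA, Redirect).
NDP_TYPES = {133, 134, 135, 136, 137}


def ndp_accept(icmp_type: int, fragmented: bool, ext_headers: int) -> bool:
    """Accept an NDP message only if it arrived unfragmented with no extension headers.

    Non-NDP ICMPv6 (e.g. echo request, type 128) is left to normal processing.
    """
    if icmp_type not in NDP_TYPES:
        return True
    return not fragmented and ext_headers == 0


def demo() -> dict:
    """Constructed scenarios; returns the verdicts for inspection."""
    r = Reassembler()
    key = ("2001:db8::1", "2001:db8::2", 0x1234)  # constructed (src, dst, id)
    clean = [r.add(key, Fragment(0, 1232, True)), r.add(key, Fragment(1232, 100, False))]
    r2 = Reassembler()
    overlapping = [r2.add(key, Fragment(0, 1232, True)), r2.add(key, Fragment(1200, 40, False)),
                   r2.add(key, Fragment(1240, 16, False))]
    return {
        "clean": clean,
        "overlapping": overlapping,
        "ra_in_fragment": ndp_accept(134, True, 1),
        "ra_plain": ndp_accept(134, False, 0),
        "echo_in_fragment": ndp_accept(128, True, 1),
    }


if __name__ == "__main__":
    print(demo())
```

The overlap check runs before the new piece is recorded, so a datagram is poisoned by the first conflicting fragment and every later piece with the same key is refused, which is what stops a second fragment from rewriting a header chain that a filter already inspected in the first.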
