[ipv6hackers] Local-link traffic injection through tunneling ?

Owen DeLong owend at he.net
Mon Jul 15 20:49:47 CEST 2013


> As far as I know, IPv6 well-known attacks rely on NDP which are mostly Local-link attacks  (except NDP exhaustion if my memories are correct).

Most of them, but not all.

Also, NDP exhaustion is technically link local, but can be triggered remotely.

> What I was wondering is : by establishing a tunnel from outside the network to an internal IPv6 node, is it possible to target that node with NDP local-link attacks from outside the network ? In other words and more generally, does the tunnel act as a link-layer in that case ? If so, do the attacker's machine, the target node and the other nodes that share it local-link become all part of the same link when a such tunnel is established ?

Theoretically, it shouldn't be because getting from the tunnel to the attacked link should use the tunnel termination host as a router which shouldn't pass the link local packet.

However, if the tunnel is a malicious tunnel terminating on a compromised host, then all bets are off. On the other hand, if you have compromised the host to that level, then the host can generate the link local packets anyway.

> Also, just to be clear about it, if a such tunnel is established with an internal router, local-link encapsulated traffic won't be emitted on the network because routers are not supposed to do so am I right ?

I think you are drawing a distinction between a host and a router where none exists. Any device which meets the following two tests:
	1.	Has multiple IPv6 links
	2.	Forwards packets received on one link to one or more of the others.

Is, by definition, an IPv6 router. It doesn't matter whether it comes in a Cisco box or a Dell box or an HP box. It doesn't matter whether it has a serial console or a VGA display interface. It doesn't matter whether it is sold as a computer or a router, once you have it meeting those two tests, it is a router.

Any router should follow the rule against forwarding link local packets. Compromised machines, regardless of whether they are routers, are supposed to be routers, or otherwise cannot be depended on to follow the rules.

Owen




More information about the Ipv6hackers mailing list