[ipv6hackers] RA guard evasion
Eric Vyncke (evyncke)
evyncke at cisco.com
Tue May 14 12:55:30 CEST 2013
Thanks for forwarding the document. And, indeed, it is known for about 2 years now that RAguard can be evaded (the first time I heard about it was in IPv6 Kongress in Germany).
As indicated by some of your readers, 'undetermined-transport' can help you and BTW, do not fear too much to drop legit packets as we still have to find such a legit packet with this weird fragmentation. I would even go further and, when undetermined-transport is not available, then dropping all fragments could be the last resort (and then I am afraid that you may drop some legit traffic -- yet to be seen though as MSS rules nowadays).
There are even some efforts/initiatives at the IETF to remove fragmentation out of IPv6. As a security guy, I applause but I wonder, as a networking guy, whether it is feasible...
BTW, even if Ra-guard is not the silver bullet against an attacker (see above), it is really useful for misconfigured CPE/hosts believing that there should be an IPv6 router :-)
Again, thanks for the writing
> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> bounces at lists.si6networks.com] On Behalf Of Matej Gregr
> Sent: lundi 13 mai 2013 16:25
> To: IPv6 Hackers Mailing List
> Cc: Pivarník Jozef
> Subject: [ipv6hackers] RA guard evasion
> Hi guys,
> most of you are familiar with the concept of RA guard and its ability to
> filter rogue RAs. We have tested 3 switches for access and distribution
> layer and found, that we are able to evade the protection quite easilly on
> all of them. First method is using fragment header and this is well known
> and documented behaviour. However, you are also able to evade the protection
> using several destination options headers (it depends on the platform). We
> believe, that this behaviour is not well documented, so we wrote an article.
> Comments are welcome.
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
More information about the Ipv6hackers