[ipv6hackers] RA guard evasion

Matej Gregr igregr at fit.vutbr.cz
Tue May 14 13:51:41 CEST 2013


Eric,
  thanks for your comment, but it raises some questions for me.

1) Indeed, fragmentation is a known topic. But have you been aware that
fragmentation is not the only way to evade the RA guard policy?
Personally, I was not aware of any other information pointing out that you
can also evade RA guard with a specific number of extension headers,
and that's the reason why the article was published.

2) Legit packets are, for example, MLD reports, which use a hop-by-hop
header, and these packets will be filtered with
undetermined-transport (tested). My understanding is that the switches
will not be able to build the MLD snooping database, thus all NS/NA traffic
will be broadcasted (the same situation as when you don't have MLD-capable
devices). Actually, one of the reasons why ICMPv6 is so loved by IPv6
friendly people is that address resolution is multicasted instead of
broadcasted, and you will disable this feature by using the
undetermined-transport ACL.

M.

On 05/14/2013 12:55 PM, Eric Vyncke (evyncke) wrote:
> Matej
> 
> Thanks for forwarding the document. And, indeed, it has been known for about 2 years now that RA guard can be evaded (the first time I heard about it was at the IPv6 Kongress in Germany).
> 
> As indicated by some of your readers, 'undetermined-transport' can help you and, BTW, do not fear too much dropping legit packets, as we still have to find such a legit packet with this weird fragmentation. I would even go further and, when undetermined-transport is not available, then dropping all fragments could be the last resort (and then I am afraid that you may drop some legit traffic -- yet to be seen though, as MSS rules nowadays).
> 
> There are even some efforts/initiatives at the IETF to remove fragmentation from IPv6. As a security guy, I applaud, but I wonder, as a networking guy, whether it is feasible...
> 
> BTW, even if RA guard is not the silver bullet against an attacker (see above), it is really useful for misconfigured CPE/hosts believing that there should be an IPv6 router :-)
> 
> Again, thanks for the writing
> 
> -éric
> 
> 
>> -----Original Message-----
>> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
>> bounces at lists.si6networks.com] On Behalf Of Matej Gregr
>> Sent: lundi 13 mai 2013 16:25
>> To: IPv6 Hackers Mailing List
>> Cc: Pivarník Jozef
>> Subject: [ipv6hackers] RA guard evasion
>>
>> Hi guys,
>>   most of you are familiar with the concept of RA guard and its ability to
>> filter rogue RAs. We have tested 3 switches for the access and distribution
>> layer and found that we are able to evade the protection quite easily on
>> all of them. The first method is using the fragment header, and this is well known
>> and documented behaviour. However, you are also able to evade the protection
>> using several destination options headers (it depends on the platform). We
>> believe that this behaviour is not well documented, so we wrote an article.
>> http://6lab.cz/article/rogue-router-advertisement-attack/
>> Comments are welcome.
>>
>> Regards,
>> Matej
>> _______________________________________________
>> Ipv6hackers mailing list
>> Ipv6hackers at lists.si6networks.com
>> http://lists.si6networks.com/listinfo/ipv6hackers
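The two evasion techniques discussed in this thread (a header chain with several Destination Options headers, and a fragmented RA whose ICMPv6 header is not in the first fragment) and the side effect of 'undetermined-transport' on hop-by-hop-carrying MLD reports can be reproduced against a model of the switch's header walk. The following is an added example written for this page; it is not code from the 6lab article or from any of the posters. It builds the packets as raw bytes and classifies them with a bounded header-chain parser. The inspection depth (`max_ext_headers`) is an assumption standing in for "it depends on the platform", not a measurement of any real switch, and the addresses and message bodies are constructed.

```python
"""Bounded header-chain walk as an RA guard might perform it, with and without the
'undetermined-transport' policy.  Added example, not code from the 6lab article or the
thread.  The inspection depth is a model parameter (assumption), not a measured value."""
import struct

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_ICMPV6, IPPROTO_DSTOPTS = 0, 43, 44, 58, 60
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS}
ICMPV6_ROUTER_ADVERT, ICMPV6_MLDV2_REPORT, ROUTER_ALERT_MLD = 134, 143, bytes([5, 2, 0, 0])  # RFC 2711, value 0 = MLD
SRC = bytes.fromhex("fe80000000000000020c29fffe000001")            # constructed link-local source
ALL_NODES = bytes.fromhex("ff020000000000000000000000000001")      # ff02::1
MLDV2_ROUTERS = bytes.fromhex("ff020000000000000000000000000016")  # ff02::16

def ipv6(next_header, payload, src=SRC, dst=ALL_NODES, hop_limit=255):
    """Fixed 40-byte IPv6 header followed by the payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit) + src + dst + payload

def options_header(next_header, options=b""):
    """Hop-by-Hop / Destination Options header, padded with Pad1/PadN to a multiple of 8 bytes."""
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += b"\x00"
    elif pad > 1:
        options += bytes([1, pad - 2]) + b"\x00" * (pad - 2)
    return bytes([next_header, (2 + len(options)) // 8 - 1]) + options

def fragment_header(next_header, offset8, more, ident):  # 13-bit offset in 8-byte units, M flag, id
    return struct.pack("!BBHI", next_header, 0, (offset8 << 3) | int(more), ident)

def icmpv6(msg_type, body, src, dst):
    """ICMPv6 message with the checksum computed over the pseudo-header and message."""
    msg = struct.pack("!BBH", msg_type, 0, 0) + body
    data = src + dst + struct.pack("!IBBBB", len(msg), 0, 0, 0, IPPROTO_ICMPV6) + msg
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return msg[:2] + struct.pack("!H", (~s) & 0xFFFF) + msg[4:]

# RA body: cur hop limit, flags, router lifetime, reachable time, retrans timer.
RA = icmpv6(ICMPV6_ROUTER_ADVERT, struct.pack("!BBHII", 64, 0, 1800, 0, 0), SRC, ALL_NODES)
# Minimal MLDv2 report body: reserved, number of multicast address records (0, constructed).
MLD_REPORT = icmpv6(ICMPV6_MLDV2_REPORT, struct.pack("!HH", 0, 0), SRC, MLDV2_ROUTERS)

def classify(packet, max_ext_headers):
    """Walk at most max_ext_headers extension headers; ("icmpv6", type) / ("other", proto) / ("undetermined", why)."""
    nh, off, walked = packet[6], 40, 0
    while nh in EXT_HEADERS or nh == IPPROTO_FRAGMENT:
        if walked >= max_ext_headers:
            return ("undetermined", "chain longer than %d extension headers" % max_ext_headers)
        if off + 8 > len(packet):
            return ("undetermined", "truncated header chain")
        if nh == IPPROTO_FRAGMENT:
            if struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3:
                return ("undetermined", "non-first fragment")
            nh, off = packet[off], off + 8
        else:
            nh, off = packet[off], off + 8 * (packet[off + 1] + 1)
        walked += 1
    if nh != IPPROTO_ICMPV6:
        return ("other", nh)
    if off + 4 > len(packet):
        return ("undetermined", "ICMPv6 header not in this fragment")
    return ("icmpv6", packet[off])

def ra_guard(packet, max_ext_headers, undetermined_transport=False):
    """Host-port verdict: drop RAs; with undetermined-transport also drop unclassifiable packets."""
    kind, value = classify(packet, max_ext_headers)
    if kind == "icmpv6" and value == ICMPV6_ROUTER_ADVERT:
        return "drop"
    return "drop" if kind == "undetermined" and undetermined_transport else "forward"

def ra_behind_dstopts(n):
    """RA preceded by n Destination Options headers (n=0 gives a plain RA)."""
    payload, nh = RA, IPPROTO_ICMPV6
    for _ in range(n):
        payload, nh = options_header(nh) + payload, IPPROTO_DSTOPTS
    return ipv6(nh, payload)

def fragmented_ra(ident=0x1234):
    """Two fragments; the fragmentable part starts with a DstOpts header, so the ICMPv6
    header only appears in the second fragment (the layout RFC 7112 later forbade)."""
    fragmentable = options_header(IPPROTO_ICMPV6) + RA
    first = fragment_header(IPPROTO_DSTOPTS, 0, True, ident) + fragmentable[:8]
    second = fragment_header(IPPROTO_DSTOPTS, 1, False, ident) + fragmentable[8:]
    return [ipv6(IPPROTO_FRAGMENT, first), ipv6(IPPROTO_FRAGMENT, second)]

def mld_report_with_hbh():
    """MLDv2 report as hosts send it: Hop-by-Hop header carrying the Router Alert option."""
    return ipv6(IPPROTO_HOPOPTS, options_header(IPPROTO_ICMPV6, ROUTER_ALERT_MLD) + MLD_REPORT,
                dst=MLDV2_ROUTERS, hop_limit=1)

def demo():
    cases = {"plain RA": [ra_behind_dstopts(0)], "RA behind 3 DstOpts": [ra_behind_dstopts(3)],
             "fragmented RA": fragmented_ra(), "MLDv2 report with HBH": [mld_report_with_hbh()]}
    return {name: {"depth2": [ra_guard(p, 2) for p in pkts],
                   "depth2+undetermined": [ra_guard(p, 2, True) for p in pkts],
                   "depth0+undetermined": [ra_guard(p, 0, True) for p in pkts]}
            for name, pkts in cases.items()}
```

Calling `demo()` shows the three situations from the thread side by side: with a walk depth of 2 the RA behind three Destination Options headers and both fragments of the fragmented RA come back "forward" (the evasion), while 'undetermined-transport' turns every unclassifiable packet into "drop"; and a platform that does not walk past the hop-by-hop header at all (modelled here as depth 0) then also drops the MLDv2 report, which is the collateral effect on MLD snooping described above. Real switches differ in how deep they parse and in what they count as undetermined, so the depth values here are only a model.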
