[ipv6hackers] RA guard evasion

Eric Vyncke (evyncke) evyncke at cisco.com
Wed May 15 00:28:21 CEST 2013


Hello Felix

First, please accept my apologies if you felt that I was patronizing here... This was not my intent.

Regarding your last question, here is my point of view:
a) obviously IPv6 grammar is correct but of course attackers deviate from this grammar (e.g. overlapping fragments hence RFC 5722)
b) and indeed, for now and for the price (even for pricey switches) doing re-assembly at 10 Gbps per port is simply not affordable (even if doable), so, we (the vendors/industry/IETF) need to find a layman way to fix the attack...

Fragmentation (even overlapping fragmentation), huge extension header chains, ... and all specific IPv6 grammar cases are 'easy' to do in software (see host OS, firewalls or IPS supporting those) but the killing issue is hardware (for wirespeed) implementations :-(

Hope it helps and that we are in agreement on the above

-éric

> -----Original Message-----
> From: Felix 'FX' Lindner [mailto:fx at recurity-labs.com]
> Sent: mercredi 15 mai 2013 00:11
> To: IPv6 Hackers Mailing List
> Cc: Eric Vyncke (evyncke); Pivarník Jozef
> Subject: Re: [ipv6hackers] RA guard evasion
> 
> Hi,
> 
> On Tue, 14 May 2013 10:55:30 +0000 "Eric Vyncke (evyncke)"
> <evyncke at cisco.com> wrote:
> > There are even some efforts/initiatives at the IETF to remove
> > fragmentation out of IPv6. As a security guy, I applause but I wonder,
> > as a networking guy, whether it is feasible...
> 
> this puzzles me for quite some time now: A group (or vendor) comes up with a
> mechanism (RA guard in this case, but that's not relevant). The mechanism
> requires to inspect the payload of a packet, which, as ambiguous as it may
> seem, is still a relatively well defined grammar.
> 
> The fairly obvious approach would be to match arbitrary input to that
> grammar and act accordingly[1]. If the input matches the expected grammar,
> reassemble the message, look at the payload and take a decision. If it does
> not match the grammar, there is nothing to
> consider: invalid packet, drop it.
> 
> This would mean that:
> a) IPv6 is so ambiguously specified that no commonly agreed grammar exists,
> which means that the protocol design failed.
> b) The "efforts/initiatives at the IETF" aim at "fixing" the inability of
> one or more implementations of the recognizer by changing the grammar,
> causing unforseen side-effects, because they consider the recognizer
> unfixable.
> 
> Are we really looking at grown-up people learning to communicate with a baby
> in baby-talk, just because they can't figure out how to teach proper
> language to a child?
> 
> cheers
> FX
> 
> [1] http://langsec.org
> 
> --
> Recurity Labs GmbH           | Felix 'FX' Lindner
> http://www.recurity-labs.com | fx at recurity-labs.com
> Wrangelstrasse 4             | Fon: +49 30 69539993-0
> 10997 Berlin                 | PGP: A740 DE51 9891 19DF 0D05
> Germany                      |      13B3 1759 C388 C92D 6BBB
> HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner



More information about the Ipv6hackers mailing list