[ipv6hackers] RA guard evasion

Eric Vyncke (evyncke) evyncke at cisco.com
Wed May 15 01:00:01 CEST 2013


Hello Matej,

Thanks for your reply.

Regarding 1), yes, it is relatively well known that switches can only do so much inspection in TCAM at wire speed; this means that any ACL (and RAguard is based on an ACL intercepting the traffic to be sent to the smart route processor) has a limit there. This is heavily platform/vendor dependent, as you can guess.

Regarding 2), the 'undetermined-transport' description is usually (my fault as well) oversimplified into 'fragmented extension header chain', while it actually matches all packets where there is not enough layer-4 information (TCP/UDP/SCTP ports or ICMP code/type). Of course, the Cisco implementation (again, see my email address) should be able to skip any extension header (including HbH)... so this behavior is surprising to me. Really. Let's talk off-line about this if you do not mind, because MLD snooping can be helpful (even if it can lead to severe scalability issues, esp. when using temporary addresses).

Thanks in advance for the follow-up for 2) :-)

Regards

-éric

> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> bounces at lists.si6networks.com] On Behalf Of Matej Gregr
> Sent: mardi 14 mai 2013 13:52
> To: ipv6hackers at lists.si6networks.com
> Subject: Re: [ipv6hackers] RA guard evasion
> 
> Eric,
>   thanks for your comment, but it raises some questions for me.
> 
> 1) Indeed, fragmentation is a known topic. But have you been aware that
> fragmentation is not the only way to evade the RA guard policy?
> Personally, I was not aware of any other information pointing out that you can
> also evade the RA guard with a specific number of extension headers, and that's
> the reason why the article was published.
> 
> 2) Legit packets are, for example, MLD reports, which use a hop-by-hop
> header, and these packets will be filtered by undetermined-transport
> (tested). My understanding is that the switches will not be able to build an
> MLD snooping database, thus all NS/NA traffic will be broadcast (same
> situation as when you don't have MLD-capable devices). Actually, one of the
> reasons why ICMPv6 is so loved by IPv6-friendly people is that address
> resolution is multicast instead of broadcast, and you will disable that
> feature by using the undetermined-transport ACL.
> 
> M.
> 
> On 05/14/2013 12:55 PM, Eric Vyncke (evyncke) wrote:
> > Matej
> >
> > Thanks for forwarding the document. And, indeed, it has been known for about 2
> years now that RAguard can be evaded (the first time I heard about it was at the
> IPv6 Kongress in Germany).
> >
> > As indicated by some of your readers, 'undetermined-transport' can help
> you, and BTW, do not fear too much dropping legit packets, as we still have to
> find such a legit packet with this weird fragmentation. I would even go
> further: when undetermined-transport is not available, dropping all
> fragments could be the last resort (and then I am afraid that you may drop
> some legit traffic -- yet to be seen though, as MSS rules nowadays).
> >
> > There are even some efforts/initiatives at the IETF to remove
> fragmentation from IPv6. As a security guy, I applaud, but I wonder, as a
> networking guy, whether it is feasible...
> >
> > BTW, even if RA guard is not the silver bullet against an attacker
> > (see above), it is really useful for misconfigured CPE/hosts believing
> > that there should be an IPv6 router :-)
> >
> > Again, thanks for the write-up
> >
> > -éric
> >
> >
> >> -----Original Message-----
> >> From: ipv6hackers-bounces at lists.si6networks.com [mailto:ipv6hackers-
> >> bounces at lists.si6networks.com] On Behalf Of Matej Gregr
> >> Sent: lundi 13 mai 2013 16:25
> >> To: IPv6 Hackers Mailing List
> >> Cc: Pivarník Jozef
> >> Subject: [ipv6hackers] RA guard evasion
> >>
> >> Hi guys,
> >>   most of you are familiar with the concept of RA guard and its
> >> ability to filter rogue RAs. We have tested 3 switches for the access and
> >> distribution layer and found that we are able to evade the
> >> protection quite easily on all of them. The first method is using a
> >> fragment header, and this is well known and documented behaviour.
> >> However, you are also able to evade the protection using several
> >> destination options headers (it depends on the platform). We believe
> >> that this behaviour is not well documented, so we wrote an article:
> >> http://6lab.cz/article/rogue-router-advertisement-attack/
> >> Comments are welcome.
> >>
> >> Regards,
> >> Matej
> >> _______________________________________________
> >> Ipv6hackers mailing list
> >> Ipv6hackers at lists.si6networks.com
> >> http://lists.si6networks.com/listinfo/ipv6hackers
> >
> 
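As an added example (not code from the thread, nor any vendor's implementation), here is a software model of the 'undetermined-transport' check Eric describes in his reply, i.e. "is there enough layer-4 information in this packet to classify it?", together with a switch that mimics an implementation unable to look past a Hop-by-Hop header, which is what Matej's MLD-report observation suggests. Field layouts follow RFC 8200 and RFC 4443; all sample packets are constructed inline.

```python
import struct

# Added example, not from the list thread: a model of the 'undetermined-transport'
# check ("is there enough layer-4 information?"), with skip_ext_headers=False
# mimicking an implementation that cannot look past HbH/Destination Options.
EXT_HEADERS = {0, 43, 60}                      # Hop-by-Hop, Routing, Destination Options
FRAGMENT, ICMPV6 = 44, 58
L4_PROTOS = {6: "TCP", 17: "UDP", 132: "SCTP", ICMPV6: "ICMPv6"}

def classify(pkt: bytes, skip_ext_headers: bool = True):
    """Walk the extension-header chain from the fixed IPv6 header.
    Returns ("determined", proto, icmpv6_type|None) or ("undetermined", reason, None)."""
    nh, off = pkt[6], 40                       # Next Header byte; fixed header is 40 bytes
    while True:
        if nh in L4_PROTOS:
            if off + 4 > len(pkt):
                return ("undetermined", "truncated-l4", None)
            return ("determined", L4_PROTOS[nh], pkt[off] if nh == ICMPV6 else None)
        if nh in EXT_HEADERS:
            if not skip_ext_headers:           # the behaviour Matej observed on MLD reports
                return ("undetermined", "ext-header-not-parsed", None)
            if off + 2 > len(pkt):
                return ("undetermined", "truncated-chain", None)
            nh, off = pkt[off], off + 8 * (pkt[off + 1] + 1)   # Hdr Ext Len in 8-octet units
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return ("undetermined", "truncated-chain", None)
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:                  # non-first fragment: no L4 header here by definition
                return ("undetermined", "non-first-fragment", None)
            nh, off = pkt[off], off + 8        # first fragment: keep walking the chain
        else:
            return ("undetermined", "unknown-next-header", None)

def is_router_advertisement(pkt: bytes) -> bool:
    """What RA guard ultimately needs to decide: is this ICMPv6 type 134?"""
    state, proto, itype = classify(pkt)
    return state == "determined" and proto == "ICMPv6" and itype == 134

def ipv6(nh: int, payload: bytes) -> bytes:
    """Fixed IPv6 header with zeroed addresses; only Next Header matters here."""
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 255) + bytes(32) + payload

# Constructed sample packets (no checksums; the classifier never looks at them)
RA = ipv6(ICMPV6, bytes([134, 0]) + bytes(14))                       # plain Router Advertisement
HBH_ROUTER_ALERT = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])              # HbH header: Router Alert + PadN
MLD_REPORT = ipv6(0, HBH_ROUTER_ALERT + bytes([143, 0]) + bytes(6))  # MLDv2 report behind HbH
NONFIRST_FRAG = ipv6(FRAGMENT, struct.pack("!BBHI", ICMPV6, 0, 1 << 3, 1) + bytes(8))
```

Running `classify(MLD_REPORT)` with and without `skip_ext_headers` shows the difference between the check as Eric describes it (the MLD report is fully classifiable) and an implementation that stops at the first extension header (the report becomes "undetermined" and is dropped).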


