[ipv6hackers] RA guard evasion
Felix 'FX' Lindner
fx at recurity-labs.com
Wed May 15 00:10:44 CEST 2013
On Tue, 14 May 2013 10:55:30 +0000 "Eric Vyncke (evyncke)"
<evyncke at cisco.com> wrote:
> There are even some efforts/initiatives at the IETF to remove
> fragmentation out of IPv6. As a security guy, I applaud but I
> wonder, as a networking guy, whether it is feasible...
This has puzzled me for quite some time now: A group (or vendor) comes up
with a mechanism (RA guard in this case, but that's not relevant). The
mechanism requires inspecting the payload of a packet, which, as
ambiguous as it may seem, is still a relatively well defined grammar.
The fairly obvious approach would be to match arbitrary input to that
grammar and act accordingly. If the input matches the expected
grammar, reassemble the message, look at the payload and take a
decision. If it does not match the grammar, there is nothing to
consider: invalid packet, drop it.
This would mean that:
a) IPv6 is so ambiguously specified that no commonly agreed grammar
exists, which means that the protocol design failed.
b) The "efforts/initiatives at the IETF" aim at "fixing" the inability
of one or more implementations of the recognizer by changing the
grammar, causing unforeseen side-effects, because they consider the
Are we really looking at grown-up people learning to communicate with
a baby in baby-talk, just because they can't figure out how to teach
proper language to a child?
Recurity Labs GmbH | Felix 'FX' Lindner
http://www.recurity-labs.com | fx at recurity-labs.com
Wrangelstrasse 4 | Fon: +49 30 69539993-0
10997 Berlin | PGP: A740 DE51 9891 19DF 0D05
Germany | 13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
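
The recognizer approach argued for in the message above, as an added example that is not part of the original post or any vendor's RA guard: a strict parser for the IPv6 header chain that drops anything it cannot match instead of guessing. The names `classify` and `build`, the four verdict strings and the sample packets are assumptions made for illustration; reassembly itself is not modelled, so a non-first fragment is only marked `defer`.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 43, 44, 58, 60
ROUTER_ADVERTISEMENT = 134

def classify(packet: bytes) -> str:
    """Return 'forward', 'drop-ra', 'drop-invalid' or 'defer' for one IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop-invalid"
    if 40 + struct.unpack("!H", packet[4:6])[0] != len(packet):
        return "drop-invalid"          # payload length must match the bytes received
    next_header, offset = packet[6], 40
    while next_header in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if next_header == HOP_BY_HOP and offset != 40:
            return "drop-invalid"      # hop-by-hop is only legal right after the base header
        if offset + 8 > len(packet):
            return "drop-invalid"      # chain runs off the end of the packet
        if next_header == FRAGMENT:
            if struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3:
                return "defer"         # non-first fragment: hold for reassembly
            hdr_len = 8
        else:
            hdr_len = (packet[offset + 1] + 1) * 8
        if offset + hdr_len > len(packet):
            return "drop-invalid"      # header claims more bytes than are present
        next_header, offset = packet[offset], offset + hdr_len
    if next_header != ICMPV6:
        return "forward"
    if offset + 4 > len(packet):
        return "drop-invalid"          # ICMPv6 header missing from this packet
    return "drop-ra" if packet[offset] == ROUTER_ADVERTISEMENT else "forward"

def build(next_header: int, body: bytes) -> bytes:
    """Constructed test input: 40-byte base header with zeroed addresses, then body."""
    return struct.pack("!IHBB", 6 << 28, len(body), next_header, 255) + bytes(32) + body

# All packets below are constructed for this example (checksums are left at zero).
RA = bytes([ROUTER_ADVERTISEMENT, 0, 0, 0]) + bytes(12)
DEST = bytes([ICMPV6, 0]) + bytes(6)                  # 8-byte destination options header
FIRST_FRAG = bytes([DEST_OPTS, 0, 0, 1, 0, 0, 0, 1])  # offset 0, more-fragments set
SAMPLES = {
    "plain RA": build(ICMPV6, RA),
    "RA behind destination options": build(DEST_OPTS, DEST + RA),
    "first fragment, chain cut off": build(FRAGMENT, FIRST_FRAG + bytes([ICMPV6, 1]) + bytes(6)),
    "echo request": build(ICMPV6, bytes([128, 0, 0, 0]) + bytes(4)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {classify(pkt)}")
```
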