[ipv6hackers] RA guard evasion
Felix 'FX' Lindner
fx at recurity-labs.com
Wed May 15 00:10:44 CEST 2013
Hi,
On Tue, 14 May 2013 10:55:30 +0000 "Eric Vyncke (evyncke)"
<evyncke at cisco.com> wrote:
> There are even some efforts/initiatives at the IETF to remove
> fragmentation out of IPv6. As a security guy, I applaud but I
> wonder, as a networking guy, whether it is feasible...
This has puzzled me for quite some time now: A group (or vendor) comes up
with a mechanism (RA guard in this case, but that's not relevant). The
mechanism requires inspecting the payload of a packet, which, as
ambiguous as it may seem, is still a relatively well defined grammar.
The fairly obvious approach would be to match arbitrary input to that
grammar and act accordingly[1]. If the input matches the expected
grammar, reassemble the message, look at the payload and take a
decision. If it does not match the grammar, there is nothing to
consider: invalid packet, drop it.
This would mean that:
a) IPv6 is so ambiguously specified that no commonly agreed grammar
exists, which means that the protocol design failed.
b) The "efforts/initiatives at the IETF" aim at "fixing" the inability
of one or more implementations of the recognizer by changing the
grammar, causing unforeseen side-effects, because they consider the
recognizer unfixable.
Are we really looking at grown-up people learning to communicate with
a baby in baby-talk, just because they can't figure out how to teach
proper language to a child?
cheers
FX
[1] http://langsec.org
--
Recurity Labs GmbH | Felix 'FX' Lindner
http://www.recurity-labs.com | fx at recurity-labs.com
Wrangelstrasse 4 | Fon: +49 30 69539993-0
10997 Berlin | PGP: A740 DE51 9891 19DF 0D05
Germany | 13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
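
Added example, not part of the original message or of any RA guard implementation: a minimal recognizer in the spirit of the approach argued for above, which accepts only input that matches a strict grammar, reassembles it, and only then decides on the payload. The names `verdict`, `parse`, `chain`, `need` and the verdict strings are hypothetical; it assumes the caller has already grouped the packets of one datagram (source, destination, fragment identification) and it does not validate option contents or the ICMPv6 checksum.

```python
import struct
# Added example; names and verdict strings are hypothetical, not from any product.
EXT, FRAG, ICMPV6, RA = {0, 43, 60}, 44, 58, 134  # hop-by-hop/routing/dest-opts, ...

class Invalid(Exception):
    """Input is not in the accepted grammar; the caller drops it."""

def need(cond, why):
    if not cond:
        raise Invalid(why)

def chain(nh, buf):
    """Walk extension headers up to a Fragment header or the upper layer."""
    while nh in EXT:
        need(len(buf) >= 8 and len(buf) >= (buf[1] + 1) * 8, "truncated extension header")
        nh, buf = buf[0], buf[(buf[1] + 1) * 8:]
    return nh, buf

def parse(pkt):
    """One IPv6 packet -> (next header, byte offset, more-fragments flag, data)."""
    need(len(pkt) >= 40 and pkt[0] >> 4 == 6, "not an IPv6 header")
    plen, nh = struct.unpack_from("!HB", pkt, 4)
    need(plen == len(pkt) - 40, "payload length mismatch")
    nh, buf = chain(nh, pkt[40:])
    if nh != FRAG:
        return nh, 0, False, buf            # unfragmented packet
    need(len(buf) >= 8, "truncated Fragment header")
    nh, _, off_m, _ = struct.unpack_from("!BBHI", buf)
    return nh, off_m & 0xFFF8, bool(off_m & 1), buf[8:]

def verdict(packets):
    """Decide on one datagram, given as all of its packets (grouped by the caller)."""
    try:
        parts = sorted((parse(p) for p in packets), key=lambda f: f[1])
        need(parts, "no input")
        data, nh = b"", parts[0][0]         # next header comes from the first fragment
        for i, (_, off, more, chunk) in enumerate(parts):
            need(off == len(data), "gap or overlap between fragments")
            need(more == (i < len(parts) - 1), "bad more-fragments flag")
            need(not more or (chunk and len(chunk) % 8 == 0), "fragment not a multiple of 8")
            data += chunk
        nh, data = chain(nh, data)          # headers inside the reassembled part
        need(nh != FRAG, "nested Fragment header")
        need(nh != ICMPV6 or len(data) >= 4, "truncated ICMPv6 header")
        return "drop-ra" if nh == ICMPV6 and data[0] == RA else "forward"
    except Invalid:
        return "drop-invalid"
```

The decision is taken only on the reassembled message, so how the sender split it across fragments does not change the outcome; anything that fails a grammar check is dropped without being interpreted.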