[ipv6hackers] RA guard evasion

Felix 'FX' Lindner fx at recurity-labs.com
Wed May 15 00:10:44 CEST 2013


On Tue, 14 May 2013 10:55:30 +0000 "Eric Vyncke (evyncke)"
<evyncke at cisco.com> wrote:
> There are even some efforts/initiatives at the IETF to remove
> fragmentation out of IPv6. As a security guy, I applaud but I
> wonder, as a networking guy, whether it is feasible...

This has puzzled me for quite some time now: A group (or vendor) comes up
with a mechanism (RA guard in this case, but that's not relevant). The
mechanism requires inspecting the payload of a packet, which, as
ambiguous as it may seem, is still a relatively well defined grammar.

The fairly obvious approach would be to match arbitrary input to that
grammar and act accordingly[1]. If the input matches the expected
grammar, reassemble the message, look at the payload and take a
decision. If it does not match the grammar, there is nothing to
consider: invalid packet, drop it.

This would mean that:
a) IPv6 is so ambiguously specified that no commonly agreed grammar
exists, which means that the protocol design failed.
b) The "efforts/initiatives at the IETF" aim at "fixing" the inability
of one or more implementations of the recognizer by changing the
grammar, causing unforeseen side-effects, because they consider the
recognizer unfixable.

Are we really looking at grown-up people learning to communicate with
a baby in baby-talk, just because they can't figure out how to teach
proper language to a child?


[1] http://langsec.org

Recurity Labs GmbH           | Felix 'FX' Lindner 
http://www.recurity-labs.com | fx at recurity-labs.com 
Wrangelstrasse 4             | Fon: +49 30 69539993-0
10997 Berlin                 | PGP: A740 DE51 9891 19DF 0D05  
Germany                      |      13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
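The recognizer approach FX describes above, as an added example that is not part of the original post or of any vendor's RA guard implementation: a strict parser walks the IPv6 fixed header and extension-header chain, and any input that does not fit the grammar (truncated headers, a payload length that disagrees with the packet size, a Hop-by-Hop header that is not first, a non-initial fragment, or a first fragment whose header chain ends before the ICMPv6 header) is dropped rather than guessed about. Only a packet that parses completely is then classified as a Router Advertisement. The packets, the dropping policy for an incomplete header chain (the rule RFC 7112 later made mandatory) and the addresses are constructed for this example; the ICMPv6 checksum is left zero because the recognizer never relies on it.

```python
import struct

# IANA IPv6 next-header values used by the recognizer
HOPOPT, ROUTING, FRAGMENT, ICMPV6, DSTOPTS = 0, 43, 44, 58, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}
ICMPV6_ROUTER_ADVERTISEMENT = 134


class ParseError(ValueError):
    """The input does not match the IPv6 header-chain grammar."""


def parse_header_chain(pkt: bytes):
    """Strict recognizer for the IPv6 fixed header plus extension headers.

    Returns (upper_layer_protocol, offset_of_upper_layer_header).
    Raises ParseError for anything the grammar does not allow."""
    if len(pkt) < 40:
        raise ParseError("truncated fixed header")
    if pkt[0] >> 4 != 6:
        raise ParseError("version field is not 6")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if 40 + payload_len != len(pkt):
        raise ParseError("payload length disagrees with packet size")
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ParseError("truncated extension header")
        if nxt == HOPOPT and off != 40:
            raise ParseError("Hop-by-Hop header not immediately after fixed header")
        if nxt == FRAGMENT:
            hdr_len = 8
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                # a non-initial fragment carries no header chain to inspect
                raise ParseError("non-initial fragment")
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len is in 8-octet units, excluding the first
        nxt = pkt[off]
        off += hdr_len
        if off > len(pkt):
            raise ParseError("extension header extends past packet end")
    return nxt, off


def classify(pkt: bytes) -> str:
    """Decision an RA-guard style filter takes once the input is recognized:
    'drop' (did not parse), 'router-advertisement', or 'pass'."""
    try:
        proto, off = parse_header_chain(pkt)
    except ParseError:
        return "drop"
    if proto != ICMPV6:
        return "pass"
    if off + 4 > len(pkt):
        return "drop"  # ICMPv6 header missing from this packet/first fragment
    if pkt[off] != ICMPV6_ROUTER_ADVERTISEMENT:
        return "pass"
    if off + 16 > len(pkt):
        return "drop"  # RA fixed header (16 octets) not fully present
    return "router-advertisement"


# --- constructed sample packets (not captured traffic) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe800000000000000000000000000001")  # fe80::1 (constructed)
    dst = bytes.fromhex("ff020000000000000000000000000001")  # ff02::1
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + src + dst + payload


def ra_header() -> bytes:
    # type 134, code 0, checksum 0 (not computed), cur hop limit 64, flags 0,
    # router lifetime 1800, reachable time 0, retrans timer 0
    return struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)


def dstopts(next_header: int) -> bytes:
    # one 8-octet Destination Options header holding a single PadN option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment(next_header: int, offset: int, more: bool) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), 0x12345678)


SAMPLES = {
    "plain RA": ipv6(ICMPV6, ra_header()),
    "RA behind Destination Options": ipv6(DSTOPTS, dstopts(ICMPV6) + ra_header()),
    "first fragment, chain ends before ICMPv6": ipv6(FRAGMENT, fragment(DSTOPTS, 0, True) + dstopts(ICMPV6)),
    "non-initial fragment": ipv6(FRAGMENT, fragment(ICMPV6, 1, False) + b"\x00" * 8),
    "truncated RA": ipv6(ICMPV6, ra_header())[:-4],
    "TCP segment": ipv6(6, b"\x00" * 20),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:45s} -> {classify(pkt)}")
```

The point of the structure is that the decision never depends on how much of the packet happens to be visible: either the whole header chain parses and the upper-layer header is inspected, or the packet is rejected. A fragmented RA whose first fragment does contain the full chain still parses and is still classified as an RA; only the shapes outside the grammar are dropped.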
