[ipv6hackers] RA guard evasion

Fernando Gont fgont at si6networks.com
Wed May 15 02:06:22 CEST 2013


On 05/13/2013 11:24 AM, Matej Gregr wrote:
> Hi guys,
>   most of you are familiar with the concept of RA guard and its ability
> to filter rogue RAs. We have tested 3 switches for access and
> distribution layer and found, that we are able to evade the protection
> quite easilly on all of them. First method is using fragment header and
> this is well known and documented behaviour. However, you are also able
> to evade the protection using several destination options headers (it
> depends on the platform). We believe, that this behaviour is not well
> documented, so we wrote an article.
> http://6lab.cz/article/rogue-router-advertisement-attack/

Do you mean that there's a difference between including one Dst Option
Header (as in Section 2.1 of
<http://tools.ietf.org/id/draft-ietf-v6ops-ra-guard-implementation-07.txt>)
vs. multiple Dst Option headers?

Maybe it has to do with how many bytes into the packet the layer-2
device can see/inspect?

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492







More information about the Ipv6hackers mailing list