What is wrong with the IPv6 RA protocol ? - FEHCom
What is wrong with the IPv6 RA protocol ? - FEHCom
What is wrong with the IPv6 RA protocol ? - FEHCom
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
3.2 Sending Unicast <strong>RA</strong> messages<br />
Though <strong>the</strong> current implementation of <strong>the</strong><br />
<strong>RA</strong>DVD supports in principal – according<br />
to RFC 4861 section 6.2.6 – sending of unicast<br />
<strong>RA</strong> messages, th<strong>is</strong> mechan<strong>is</strong>m <strong>is</strong> almost<br />
useless, since<br />
it requires to reg<strong>is</strong>ter <strong>the</strong> respective clients<br />
per <strong>IPv6</strong> address,<br />
and <strong>the</strong>refore does by construction not support<br />
<strong>IPv6</strong> privacy extension,<br />
does not allow a mixture of multicast and<br />
unicast <strong>RA</strong> messages.<br />
In fact, if th<strong>is</strong> option <strong>is</strong> turned on –<br />
but no <strong>IPv6</strong> clients are explicitly included –<br />
<strong>RA</strong>DVD does not respond to any Router Solications<br />
nor does it offer Unsolicited Router<br />
Advert<strong>is</strong>ements, since <strong>the</strong>y depend on multicasting.<br />
3.3 Abuse of Router Advert<strong>is</strong>ements<br />
The simplicity of setting up a <strong>IPv6</strong> network<br />
<strong>with</strong> Router Advert<strong>is</strong>ement Daemons has (of<br />
course) d<strong>is</strong>advantages.<br />
Prefix exhaustion:<br />
Router Advert<strong>is</strong>ements cause hosts <strong>with</strong> enabled<br />
Prefix D<strong>is</strong>covery to generate new <strong>IPv6</strong><br />
addresses based on <strong>the</strong> advert<strong>is</strong>ed Prefix<br />
and/or to update <strong>the</strong>ir routing table. Th<strong>is</strong><br />
procedure <strong>is</strong> triggered by solicited or unsolicited<br />
advert<strong>is</strong>ement on <strong>the</strong> (local) link segment.<br />
Any router advert<strong>is</strong>ements – as we d<strong>is</strong>cussed<br />
– are addressed to <strong>the</strong> All-Nodes multicast<br />
address ff02::1.<br />
A recipient node <strong>is</strong> unable to d<strong>is</strong>tingu<strong>is</strong>h<br />
whe<strong>the</strong>r <strong>the</strong> sender of <strong>RA</strong> message <strong>is</strong> a valid<br />
router or not. Any malicious node can send<br />
prefix information <strong>with</strong> (in)valid data to <strong>the</strong><br />
All-Nodes address and <strong>the</strong>reby undermining<br />
all attached nodes. In contrast, any node on<br />
8<br />
<strong>the</strong> link segment <strong>is</strong> required to follow a router<br />
which <strong>is</strong> advert<strong>is</strong>ing new prefix information<br />
and to process <strong>the</strong> received information accordingly.<br />
Current Microsoft Windows systems suffer<br />
from not limiting <strong>the</strong> generated <strong>IPv6</strong> addresses<br />
triggered by router advert<strong>is</strong>ements. As<br />
a result, it <strong>is</strong> possible to freeze such systems<br />
by simply send <strong>the</strong>m a huge amount of router<br />
advert<strong>is</strong>ements containing prefix information.<br />
Windows will try to handle all of <strong>the</strong>m until<br />
resource exhaustion. To gain access to <strong>the</strong><br />
machine again a cold reboot <strong>is</strong> necessary.<br />
Route obfuscation:<br />
By <strong>the</strong> virtue of <strong>the</strong> <strong>RA</strong> <strong>protocol</strong> routers are<br />
able to define a route preference. Th<strong>is</strong> information<br />
<strong>is</strong> used to enable <strong>the</strong> possibility setting<br />
up multiple routers <strong>with</strong>in a link segment and<br />
denoting <strong>the</strong>ir order to <strong>the</strong> nodes.<br />
As <strong>with</strong> <strong>the</strong> prefix information, a node <strong>is</strong><br />
not able to determine whe<strong>the</strong>r <strong>the</strong> announced<br />
routing information <strong>is</strong> valid or not.<br />
According to that, an attacker can set up a<br />
fake router trying to announce itself as default<br />
gateway <strong>with</strong> <strong>the</strong> highest preference. As a result,<br />
<strong>the</strong> attacker <strong>is</strong> able to capture <strong>the</strong> entire<br />
<strong>IPv6</strong> traffic routed outside <strong>the</strong> link segment.<br />
The ’Hackers Choice’ 1 released a set of tools<br />
[3] to investigate weaknesses in <strong>the</strong> current implementations<br />
of <strong>the</strong> <strong>IPv6</strong> <strong>protocol</strong>. A more<br />
detailed presentation about <strong>the</strong> tools can be<br />
found at 27C3’s website [17].<br />
Two of <strong>the</strong>m cover <strong>the</strong> attacks l<strong>is</strong>ted above:<br />
flood_router6 <strong>is</strong> a tool to flood <strong>the</strong> link<br />
segment <strong>with</strong> router advert<strong>is</strong>ements containing<br />
prefix information. When started,<br />
<strong>the</strong> resulting attack causes a DoS on affected<br />
systems. All current Windows systems<br />
are impacted.<br />
1 http://thc.org/