IPv6 Type 0 Routing Header issues

Tim tim-projects at sentinelchicken.org
Wed Apr 25 13:22:00 CEST 2007


> I think it may actually be that we do not want nodes to process
> type 0 routing headers by default, but the network should pass them.
> The reason for this is that the type 0 headers have useful applications
> which could be secured by end hosts without getting the network
> involved at all. Then end hosts that want to use the routing header
> can, and those that don't are secure by default.

Then how would one deal with the "flux capacitor" attacks as described
at CanSecWest?  Eventually the bot herders will figure out how to use
this and flatten a few networks with little effort.

Also, combining a ping-pong style RH0 attack with TCP handshake
amplification (or any other reflected amplification attacks that reverse
the source routing headers on reply and double or triple the number of
packets) gives you an even bigger amplification, which could target the
upstream routers of a victim network.  This would probably work even
better than smurf attacks did "back in the day" when one could still use
them.

Loose source routing is just a bad idea.  Yeah, great for testing, but
should be off by default on everything.  This lesson was learned long
ago, why are we repeating the same mistakes?  

That's my $0.02.
(Take it with a grain of salt, since I'm no networking expert.)

cheers,
tim
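
One way a host or filter could enforce "off by default" for type 0 routing headers, added here as an example and not part of the original message: walk the IPv6 extension header chain and report any routing header of type 0. The function names and the documentation-prefix sample packet are constructed for illustration.

```python
import ipaddress
import struct

# IPv6 extension headers that can precede or follow a routing header.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60

def find_rh0(packet: bytes):
    """Return (segments_left, hops) for a type 0 routing header, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], 40
    while next_hdr in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        # The fragment header is a fixed 8 bytes; the others carry a length field.
        size = 8 if next_hdr == FRAGMENT else (packet[offset + 1] + 1) * 8
        if offset + size > len(packet):
            raise ValueError("extension header overruns packet")
        if next_hdr == ROUTING and packet[offset + 2] == 0:
            addrs = packet[offset + 8:offset + size]
            hops = [ipaddress.IPv6Address(addrs[i:i + 16])
                    for i in range(0, len(addrs) - 15, 16)]
            return packet[offset + 3], hops
        if next_hdr == FRAGMENT and struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
            return None  # non-first fragment: what follows is not a header chain
        next_hdr, offset = packet[offset], offset + size
    return None

def build_sample(hops, segments_left, rtype=0):
    """Constructed test packet: IPv6 + routing header + 8 bytes of ICMPv6 payload."""
    rh = bytes([58, 2 * len(hops), rtype, segments_left]) + bytes(4)
    rh += b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    payload = rh + bytes(8)
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), ROUTING, 64)
    hdr += ipaddress.IPv6Address("2001:db8::1").packed
    hdr += ipaddress.IPv6Address("2001:db8:a::1").packed
    return hdr + payload

if __name__ == "__main__":
    # Constructed sample: two documentation-prefix addresses alternating three times.
    pkt = build_sample(["2001:db8:b::1", "2001:db8:a::1"] * 3, segments_left=6)
    print(find_rh0(pkt))
```

A packet for which `find_rh0` returns a result is one the "off by default" policy would drop or refuse to forward; routing headers of other types pass through the check untouched.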

