Hello to the list and RA guard evasion technique
mh at mh-sec.de
Thu Jun 2 11:34:38 CEST 2011
Am 01.06.2011 06:26, schrieb Fernando Gont:
> On 05/29/2011 08:58 AM, Steinar H. Gunderson wrote:
>> Den 29. mai 2011 13:53 skrev Eric Vyncke (evyncke) <evyncke at cisco.com> følgende:
>>> But, you obviously have found a work-around around the work-around: overlapping fragments. Especially if hosts accept it... (which is weird BTW but what can we do?).
>> An open question is whether one should treat this as a bug in the end
>> systems. Shouldn't packets with overlapping fragments just be treated
>> as malformed and dropped? Or would checking for this have a
>> significant performance cost?
> As far as the current specs are concerned, overlapping fragments are not
> allowed, and hosts received them should discard them.
I checked all major OS on this one this week.
All of them (linux, osx, freebsd, openbsd, windows, solaris, qnx) accept
And there is a simple reason for that - there are a lot of tcp/ip
implementations in the world that are broken. if you harden your stack,
it means that you prevent communication to some system types. thats why
all the vendors allow overlapping fragments among other things.
but there should be at least a sysctl setting to enable dropping of
But until then (and/or the droppage of ND/RA with extension headers) it
must be clearly communicated that RA Guard is an effective measure only
for accidental RAs, not for malicious ones.
pointing fingers and saying "if the OS guys would implement rfc a, b and
c" is not a good excuse why your $$$ security mechanism is not working.
Mobil: +49 177 9611560
Fax: +49 30 37309726
Marc Heuse - IT-Security Consulting
PGP: FEDD 5B50 C087 F8DF 5CB9 876F 7FDD E533 BF4F 891A
More information about the ipv6-ops