Hello to the list and RA guard evasion technique

Marc Heuse mh at mh-sec.de
Sun May 29 11:40:19 CEST 2011 

Hi guys,

as Fernando Gont, Eric Vyncke and quite some more clever IPv6 heads are
on this list, I subscribed and will join the (security) discussions.

I am the author of the thc-ipv6 toolkit and have so far done quite some
ipv6 security/vulnerability research. The newest issue I published is
bypassing the RA Guard security features on Cisco switches.

Note that this technique also bypasses the following configuration Eric
recommended for switches that have layer 3 ACL capabilities but do not
support RA guard:
    deny icmp any any router-advertisement
    permit any any

And it also bypasses NDPmon/RAfixd/RAmond.


Attack:
=======
Make the evil Router Advertisement fragmented and put the ICMPv6 into
the second fragment, eg. by putting a very large Destination extension
header before the ICMPv6 part.

So the packets look like:

Fragment 1:
 IPv6 Header
 Fragmentation Header
 Destination Header (~1400 bytes)

Fragment 2:
 IPv6 Header
 Fragmentation Header
 Destination Header (continued with some bytes)
 ICMPv6 with RA


Workaround:
===========
To prevent this attack, put the following IPv6 ACL on all ports:

    deny ip any any undetermined-transport

This will drop all packets where the switch is not able to identify the
IPv6 transport type like in this attack. Note that this might drop some
unusual valid traffic too.


Workaround Bypass:
==================
Craft the packets in a way so that the first fragment has an ICMPv6 echo
request and the second fragment overwrites the first fragment with the
ICMPv6 router advertisement.

Fragment 1:
 IPv6 Header
 Fragmentation Header
 Destination Header (8 bytes)
 ICMPv6 with Echo Request

Fragment 2:
 IPv6 Header
 Fragmentation Header with offset == 1 (equals position of 8th byte ==
start of Echo Request in first fragment)
 ICMPv6 with RA

Note that the handling of overlapping fragments differs between
platforms, some take the first fragment received, others the latest, so
send the packets accordingly to your target.


Other implementations
=====================
Works on all implementations so far I tested, on some e.g. NDPmon it is
way simpler, you have have to add an empty hop-by-hop header and it goes
blind for NDP and RA attacks.


Basically, if just want to prevent accidental RA's on the network, then
all the tools and mechanisms are fine.
But if you want to prevent attacks, the only secure way is packet
reassembling/verification in the switches - and that is not a good idea
for performance and availability reasons (RAM, CPU, ...).

Greets,
Marc

--
Marc Heuse
Mobile: +49 177 9611560
Fax: +49 30 37309726
www.mh-sec.de

Marc Heuse - IT-Security Consulting

Ust.-Ident.-Nr.: DE244222388
PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A

More information about the ipv6-ops mailing list