Hello to the list and RA guard evasion technique

Marc Heuse mh at mh-sec.de
Sun May 29 14:14:23 CEST 2011


On 29.05.2011 13:58, Steinar H. Gunderson wrote:
> On 29 May 2011 13:53, Eric Vyncke (evyncke) <evyncke at cisco.com> wrote the following:
>> But, you obviously have found a work-around around the work-around: overlapping fragments. Especially if hosts accept it... (which is weird BTW but what can we do?).
> 
> An open question is whether one should treat this as a bug in the end
> systems. Shouldn't packets with overlapping fragments just be treated
> as malformed and dropped? Or would checking for this have a
> significant performance cost?

In my opinion it's a bug in the end-systems - however it has been around
for several decades.

There is RFC5722 for this (http://tools.ietf.org/rfc/rfc5722.txt) which
came out 18 months ago which basically says all systems doing IPv6
fragment reassembling should drop the reassembled packet if there were
overlaps.

It basically depends on the operating systems vendors if they implement
it or not. I wrote a test-suite for this (and other possible
fragmentation issues) two weeks ago, but haven't had the time to test it
against various targets. This is planned for next week however.


On 29.05.2011 12:20, Martin Millnert wrote:
> Seems to me that "attack-proof" networks then require [...] or
> compartmentalization of your ports such that they share broadcast
> domains only in such sets where RA attacks are allowed to occur
> between the ports.

giving this some thought, this is actually a feasible solution in my
opinion. as you would only forward multicast traffic that is required
(e.g. RA from the defined router ports, MLD queries from the defined
router ports, etc.) you have a whitelist instead of a blacklist and this
is way better to enforce and secure.
RA guard is a blacklist approach and is way easier to defeat because of that.
But the cost of such a switch/router would be increased.
A good idea anyway.

> And if you are going to spend the money on a switch which can
> re-assemble packets, you have essentially bought a routing switch,
> and you can then just do it the right way. :)

basically what you would need is a firewall feature set in the switch.
that costs a lot (cpu, memory, logic => $$$)

Greets,
Marc

--
Marc Heuse
Mobil: +49 177 9611560
Fax: +49 30 37309726
www.mh-sec.de

Marc Heuse - IT-Security Consulting
Winsstr. 68
10405 Berlin

Ust.-Ident.-Nr.: DE244222388
PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A
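
The RFC 5722 rule referred to in the message above (discard the whole datagram when its fragments overlap), as an added example that is not part of the original post or of the test suite it mentions. The function names are hypothetical, the Fragment header is assumed to follow the fixed IPv6 header directly, and exact duplicate fragments are counted as overlaps.

```python
import struct
from collections import defaultdict

NH_FRAGMENT = 44  # IPv6 Next Header value for the Fragment header

def parse_fragment(pkt):
    """Return ((src, dst, id), start, end) for an IPv6 fragment, else None.
    Assumption: the Fragment header directly follows the 40-byte fixed header."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != NH_FRAGMENT:
        return None
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if payload_len < 8:
        return None
    _nh, _rsv, off_flags, ident = struct.unpack("!BBHI", pkt[40:48])
    start = (off_flags >> 3) * 8       # offset field counts 8-octet units
    end = start + payload_len - 8      # data length excludes the 8-byte header
    return (pkt[8:24], pkt[24:40], ident), start, end

def reassembly_verdicts(packets):
    """Map each (src, dst, id) to 'drop' if its fragments overlap, else 'ok'."""
    queues = defaultdict(list)
    for pkt in packets:
        frag = parse_fragment(pkt)
        if frag:
            key, start, end = frag
            queues[key].append((start, end))
    verdicts = {}
    for key, spans in queues.items():
        spans.sort()
        # After sorting by start, any overlap shows up between neighbours.
        overlap = any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:]))
        verdicts[key] = "drop" if overlap else "ok"
    return verdicts

def build_fragment(ident, offset, data, more):
    """Constructed sample input between two 2001:db8:: documentation addresses."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    fixed = struct.pack("!IHBB", 6 << 28, 8 + len(data), NH_FRAGMENT, 64)
    frag = struct.pack("!BBHI", 58, 0, (offset // 8) << 3 | int(more), ident)
    return fixed + src + dst + frag + data

SAMPLE = [  # constructed: id 1 is contiguous, id 2 has bytes 8-15 sent twice
    build_fragment(1, 0, b"A" * 16, True), build_fragment(1, 16, b"B" * 8, False),
    build_fragment(2, 0, b"A" * 16, True), build_fragment(2, 8, b"C" * 16, False),
]

if __name__ == "__main__":
    for (_src, _dst, ident), verdict in reassembly_verdicts(SAMPLE).items():
        print(f"fragment id {ident}: {verdict}")
```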

