Re: [secdir] Routing loop attacks using IPv6 tunnels

" Rémi Denis-Courmont" <remi@remlab.net> Mon, 17 August 2009 16:54 UTC

Return-Path: <remi@remlab.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2911828C191; Mon, 17 Aug 2009 09:54:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hQzYNEUYqOko; Mon, 17 Aug 2009 09:54:47 -0700 (PDT)
Received: from yop.chewa.net (yop.chewa.net [91.121.105.214]) by core3.amsl.com (Postfix) with ESMTP id A729528C2B8; Mon, 17 Aug 2009 09:54:06 -0700 (PDT)
Received: from basile.remlab.net (cs27060099.pp.htv.fi [89.27.60.99]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: remi) by yop.chewa.net (Postfix) with ESMTPSA id 07D462D4; Mon, 17 Aug 2009 18:54:09 +0200 (CEST)
From: "=?iso-8859-15?q?R=E9mi?= Denis-Courmont" <remi@remlab.net>
Organization: Remlab.net
To: Gabi Nakibly <gnakibly@yahoo.com>
Date: Mon, 17 Aug 2009 19:54:06 +0300
User-Agent: KMail/1.12.0 (Linux/2.6.30.4; KDE/4.3.0; i686; ; )
References: <789539.81531.qm@web45502.mail.sp1.yahoo.com>
In-Reply-To: <789539.81531.qm@web45502.mail.sp1.yahoo.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-15"
Content-Transfer-Encoding: quoted-printable
Message-Id: <200908171954.07106.remi@remlab.net>
X-Mailman-Approved-At: Mon, 17 Aug 2009 23:31:52 -0700
Cc: v6ops <v6ops@ops.ietf.org>, ipv6@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2009 16:54:48 -0000

Le lundi 17 août 2009 18:21:12 Gabi Nakibly, vous avez écrit :
> Hi all,
> I would like to draw the attention of the list to some research results
> which my colleague and I at the National EW Research & Simulation Center
> have recently published. The research presents a class of routing loop
> attacks that abuses 6to4, ISATAP and Teredo. The paper can be found at:
> http://www.usenix.org/events/woot09/tech/full_papers/nakibly.pdf

Attack E has been known for at least 2 years, though I do not have a Microsoft 
implementation to verify: http://www.remlab.net/miredo/mtfl-sa-0603.shtml.en

Note that it *does* affect Linux-based in the sense that a non-privileged 
local user could screw up (an unlikely scenario on a Teredo server, anyway).


I'm now trying to verify attack D.


-- 
Rémi Denis-Courmont
http://www.remlab.net/