[secdir] Routing loop attacks using IPv6 tunnels

Gabi Nakibly <gnakibly@yahoo.com> Mon, 17 August 2009 15:22 UTC

Date: Mon, 17 Aug 2009 08:21:12 -0700
From: Gabi Nakibly <gnakibly@yahoo.com>
To: v6ops <v6ops@ops.ietf.org>
Cc: ipv6@ietf.org, secdir@ietf.org
Subject: [secdir] Routing loop attacks using IPv6 tunnels

Hi all,
I would like to draw the attention of the list to some research results which my colleague and I at the National EW Research & Simulation Center have recently published. The research presents a class of routing loop attacks that abuses 6to4, ISATAP and Teredo. The paper can be found at: http://www.usenix.org/events/woot09/tech/full_papers/nakibly.pdf

Here is the abstract:
IPv6 is the future network layer protocol for the Internet. Since it is not compatible with its predecessor, some interoperability mechanisms were designed. An important category of these mechanisms is automatic tunnels, which enable IPv6 communication over an IPv4 network without prior configuration. This category includes ISATAP, 6to4 and Teredo. We present a novel class of attacks that exploit vulnerabilities in these tunnels. These attacks take advantage of inconsistencies between a tunnel's overlay IPv6 routing state and the native IPv6 routing state. The attacks form routing loops which can be abused as a vehicle for traffic amplification to facilitate DoS attacks. We exhibit five attacks of this class. One of the presented attacks can DoS a Teredo server using a single packet. The exploited vulnerabilities are embedded in the design of the tunnels; hence any implementation of these tunnels may be vulnerable. In particular, the attacks were tested against the ISATAP, 6to4 and Teredo implementations of Windows Vista and Windows Server 2008 R2.

I think the results of the research warrant some corrective action. If this indeed shall be the general sentiment of the list, I will be happy to write an appropriate I-D. The mitigation measures we suggested in the paper are the best we could think of to completely eliminate the problem. However, they are far from perfect since they would require tunnel implementations to be updated in case new types of automatic tunnels are introduced.

Your comments are welcome.