Re: [secdir] Routing loop attacks using IPv6 tunnels

Rémi Denis-Courmont <remi@remlab.net> Tue, 18 August 2009 11:53 UTC

To: Gabi Nakibly <gnakibly@yahoo.com>
Cc: v6ops <v6ops@ops.ietf.org>, ipv6@ietf.org, secdir@ietf.org

On Tue, 18 Aug 2009 02:29:58 -0700 (PDT), Gabi Nakibly <gnakibly@yahoo.com> wrote:
> Indeed, the vulnerability of attack 5 was noted and fixed in Miredo.
> However, I am not aware of any updates to the Teredo specification to
> mitigate it. This means that new implementations will always be vulnerable
> as in the case of Windows Server 2008 R2. This vulnerability was reported
> to Microsoft a few months ago. They have reproduced it on their end. A fix
> should be released in the next RC.
> I did not realize that the attack can be successful also on Linux. Thanks
> for the correction.

Well, it is as simple as not looping packets back to yourself, isn't it?
There could be a warning in the spec, but it's really an implementation
error, I think.

> Please let me know the results of your check on attack #4. If you wish, I
> can send you (off-list) the details of my setup for this attack. By the
> way, I encourage other people on the list to verify the attacks in
> different scenarios.

I managed to reproduce it. Single-homed NATs have absolutely no excuse for
forwarding a packet with their own IP address as the source. But yeah -
there is a problem.

-- 
Rémi Denis-Courmont