Re: [secdir] Routing loop attacks using IPv6 tunnels

Rémi Denis-Courmont, Tue, 18 August 2009 11:53 UTC

On Tue, 18 Aug 2009 02:29:58 -0700 (PDT), Gabi Nakibly wrote:
> Indeed, the vulnerability of attack 5 was noted and fixed in Miredo.
> However, I am not aware of any updates to the Teredo specification to
> mitigate it. This means that new implementations will always be
> as in the case of Windows Server 2008 R2. This vulnerability was reported
> to Microsoft a few months ago. They have reproduced it on their end. A
> should be released in the next RC.
> I did not realize that the attack can be successful also on Linux. Thanks
> for the correction.

Well, it is as simple as not looping packets back to yourself, isn't it?
There could be a warning in the spec, but it's really an implementation
error, I think.

> Please let me know the results of your check on attack #4. If you wish, I
> can send you (off-list) the details of my setup for this attack. By the
> way, I encourage other people on the list to verify the attacks in
> different scenarios.

I managed to reproduce it. Single-homed NATs have absolutely no excuse for
forwarding a packet with their own IP address as the source. But yeah -
there is a problem.

Rémi Denis-Courmont
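
The "don't loop packets back to yourself" check discussed in this message, sketched as an added example; it is not code from the thread, from Miredo or from the Teredo specification. It assumes the RFC 4380 address layout (2001:0::/32 prefix, server IPv4, flags, port and mapped IPv4 stored XOR-obfuscated); the function names are hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # RFC 4380 Teredo prefix


def make_teredo(server, mapped_ip, mapped_port, flags=0):
    """Build a Teredo IPv6 address (used here only to construct sample input)."""
    packed = struct.pack(
        "!IIHHI",
        0x20010000,
        int(ipaddress.IPv4Address(server)),
        flags,
        mapped_port ^ 0xFFFF,                               # port is stored inverted
        int(ipaddress.IPv4Address(mapped_ip)) ^ 0xFFFFFFFF,  # so is the mapped IPv4
    )
    return str(ipaddress.IPv6Address(packed))


def parse_teredo(addr):
    """Return (server_ipv4, mapped_ipv4, mapped_port), or None if addr is not Teredo."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    server, _flags, port, client = struct.unpack("!4xIHHI", ip.packed)
    return (ipaddress.IPv4Address(server),
            ipaddress.IPv4Address(client ^ 0xFFFFFFFF),
            port ^ 0xFFFF)


def would_loop_to_self(dst6, own_ipv4):
    """True if encapsulating a packet for dst6 would send the UDP datagram to
    this node's own IPv4 address, in which case the packet must be dropped.

    Only the mapped (external) address is compared: the server field of a
    legitimate client's address is expected to equal a server's own address.
    """
    parsed = parse_teredo(dst6)
    if parsed is None:
        return False
    return parsed[1] == ipaddress.IPv4Address(own_ipv4)


if __name__ == "__main__":
    # Constructed sample: server 192.0.2.1, mapped endpoint 198.51.100.7:40000
    sample = make_teredo("192.0.2.1", "198.51.100.7", 40000)
    print(sample, parse_teredo(sample))
    print(would_loop_to_self(sample, "198.51.100.7"))  # node owns the mapped address
```

An endpoint would run the same comparison on the source address of packets it decapsulates, since a reply or bubble is sent toward the endpoint that the source address encodes.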