Re: [secdir] Routing loop attacks using IPv6 tunnels

Gabi Nakibly <> Wed, 19 August 2009 07:39 UTC

Date: Wed, 19 Aug 2009 00:39:06 -0700
From: Gabi Nakibly <>
To: Rémi Denis-Courmont <>
Cc: v6ops <>,,
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels

Well, I also think that there should also be a proper check in the spec.
Notice that there are valid cases in which looping a packet back to yourself is OK. For example, if two processes on the same host communicate with each other. However, I do think that an alert implementer of a Teredo server could avoid this loop.


From: Rémi Denis-Courmont <>
To: Gabi Nakibly <>
Cc: v6ops <>;;
Sent: Tuesday, August 18, 2009 2:51:30 PM
Subject: Re: Routing loop attacks using IPv6 tunnels

On Tue, 18 Aug 2009 02:29:58 -0700 (PDT), Gabi Nakibly <>
> Indeed, the vulnerability of attack 5 was noted and fixed in Miredo.
> However, I am not aware of any updates to the Teredo specification to
> mitigate it. This means that new implementations will always be
> as in the case of Windows Server 2008 R2. This vulnerability was reported
> to Microsoft a few months ago. They have reproduced it on their end. A
> should be released in the next RC.
> I did not realize that the attack can be successful also on Linux. Thanks
> for the correction.

Well, it is as simple as not looping a packet back to yourself, isn't it?
There could be a warning in the spec, but it's really an implementation
error, I think.

> Please let me know the results of your check on attack #4. If you wish, I
> can send you (off-list) the details of my setup for this attack. By the
> way, I encourage other people on the list to verify the attacks in
> different scenarios.

I managed to reproduce it. Single-homed NATs have absolutely no excuse in
forwarding a packet with their own IP address as the source. But yeah -
there is a problem.

Rémi Denis-Courmont
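
Added example, not part of the original messages and not code from Miredo or any Teredo implementation: a sketch of the "do not loop a packet back to yourself" check discussed in this thread, using the Teredo address layout from RFC 4380. The function names, the endpoint struct and the sample addresses are assumptions made for illustration; the guard compares address and port so that the legitimate same-host case mentioned above is not blocked.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Teredo address layout (RFC 4380): 2001:0000 prefix (4 bytes), server IPv4 (4),
 * flags (2), mapped UDP port XOR 0xFFFF (2), mapped IPv4 XOR 0xFFFFFFFF (4). */
struct endpoint { uint32_t ip; uint16_t port; };  /* host byte order */

/* Recover the UDP endpoint a packet for this Teredo destination is sent to.
 * Returns false when dst is not a Teredo address. */
bool teredo_mapped_endpoint(const uint8_t dst[16], struct endpoint *out)
{
    static const uint8_t prefix[4] = { 0x20, 0x01, 0x00, 0x00 };
    if (memcmp(dst, prefix, sizeof prefix) != 0)
        return false;
    out->port = (uint16_t)(((dst[10] << 8) | dst[11]) ^ 0xFFFF);
    out->ip = (((uint32_t)dst[12] << 24) | ((uint32_t)dst[13] << 16) |
               ((uint32_t)dst[14] << 8) | (uint32_t)dst[15]) ^ 0xFFFFFFFFu;
    return true;
}

/* Hypothetical guard (an assumption, not text from the spec): refuse to
 * forward when the decoded target is the server's own Teredo service endpoint.
 * The port is compared too, so a different local process on the same IP
 * address is still reachable. */
bool server_may_forward(const uint8_t dst[16], const struct endpoint *self)
{
    struct endpoint t;
    if (!teredo_mapped_endpoint(dst, &t))
        return false;  /* this sketch only forwards to Teredo destinations */
    return !(t.ip == self->ip && t.port == self->port);
}

/* Constructed samples: the server listens on 192.0.2.1:3544. */
static const struct endpoint SELF = { 0xC0000201u, 3544 };
static const uint8_t DST_CLIENT[16] = { 0x20,0x01,0,0, 0xC0,0,0x02,0x01, 0,0,
    0x63,0xBF, 0x39,0xCC,0x9B,0xF8 };  /* maps to 198.51.100.7:40000 */
static const uint8_t DST_SELF[16] = { 0x20,0x01,0,0, 0xC0,0,0x02,0x01, 0,0,
    0xF2,0x27, 0x3F,0xFF,0xFD,0xFE };  /* maps to 192.0.2.1:3544 (the server) */
static const uint8_t DST_LOCAL[16] = { 0x20,0x01,0,0, 0xC0,0,0x02,0x01, 0,0,
    0x63,0xBF, 0x3F,0xFF,0xFD,0xFE };  /* maps to 192.0.2.1:40000 (same host) */

int main(void)
{
    printf("client=%d self=%d local=%d\n", server_may_forward(DST_CLIENT, &SELF),
           server_may_forward(DST_SELF, &SELF), server_may_forward(DST_LOCAL, &SELF));
    return 0;
}
```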