Re: [secdir] Routing loop attacks using IPv6 tunnels

Gabi Nakibly <gnakibly@yahoo.com> Wed, 19 August 2009 07:39 UTC

From: Gabi Nakibly <gnakibly@yahoo.com>
To: Rémi Denis-Courmont <remi@remlab.net>
Cc: v6ops <v6ops@ops.ietf.org>, ipv6@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels

Remi,
Well, I also think that there should be a proper check in the spec.
Notice that there are valid cases in which looping a packet back to yourself is OK, for example, if two processes on the same host communicate with each other. However, I do think that an alert implementer of a Teredo server could avoid this loop.

Gabi




________________________________
From: Rémi Denis-Courmont <remi@remlab.net>
To: Gabi Nakibly <gnakibly@yahoo.com>
Cc: v6ops <v6ops@ops.ietf.org>; secdir@ietf.org; ipv6@ietf.org
Sent: Tuesday, August 18, 2009 2:51:30 PM
Subject: Re: Routing loop attacks using IPv6 tunnels


On Tue, 18 Aug 2009 02:29:58 -0700 (PDT), Gabi Nakibly <gnakibly@yahoo.com>
wrote:
> Indeed, the vulnerability of attack 5 was noted and fixed in Miredo.
> However, I am not aware of any updates to the Teredo specification to
> mitigate it. This means that new implementations will always be
> vulnerable as in the case of Windows Server 2008 R2. This vulnerability
> was reported to Microsoft a few months ago. They have reproduced it on
> their end. A fix should be released in the next RC.
> I did not realize that the attack can be successful also on Linux. Thanks
> for the correction.

Well, it is as simple as not looping a packet back to yourself, isn't it?
There could be a warning in the spec, but it's really an implementation
error, I think.

> Please let me know the results of your check on attack #4. If you wish, I
> can send you (off-list) the details of my setup for this attack. By the
> way, I encourage other people on the list to verify the attacks in
> different scenarios.

I managed to reproduce it. Single-homed NATs have absolutely no excuse in
forwarding a packet with their own IP address as the source. But yeah -
there is a problem.

-- 
Rémi Denis-Courmont
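
Added example, not part of the original messages and not code from Miredo or any other implementation named in the thread: one way a Teredo server could implement the "do not loop a packet back to yourself" check, by decoding the mapped IPv4 address and UDP port embedded in a Teredo destination address (RFC 4380 layout) and comparing them with its own. The function names, the choice to match on both address and port (so that another process on the same host is not treated as a loop), and the sample addresses are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Fields carried inside a Teredo IPv6 address (RFC 4380 layout). */
struct teredo_fields {
    uint32_t server_ipv4;  /* host byte order */
    uint32_t mapped_ipv4;  /* client's external IPv4, de-obfuscated */
    uint16_t mapped_port;  /* client's external UDP port, de-obfuscated */
};

/* Returns 1 and fills *out if addr lies in 2001:0000::/32, else 0. */
int teredo_parse(const struct in6_addr *addr, struct teredo_fields *out)
{
    const uint8_t *b = addr->s6_addr;
    if (b[0] != 0x20 || b[1] != 0x01 || b[2] != 0x00 || b[3] != 0x00)
        return 0;
    out->server_ipv4 = (uint32_t)b[4] << 24 | (uint32_t)b[5] << 16 |
                       (uint32_t)b[6] << 8 | b[7];
    /* Port and address are stored XORed with all-ones bits. */
    out->mapped_port = (uint16_t)(((b[10] << 8) | b[11]) ^ 0xFFFF);
    out->mapped_ipv4 = ~((uint32_t)b[12] << 24 | (uint32_t)b[13] << 16 |
                         (uint32_t)b[14] << 8 | b[15]);
    return 1;
}

/* Hypothetical check before relaying: 1 = destination maps to our own
 * IPv4 address and UDP port (drop), 0 = no self-loop, -1 = bad input. */
int loops_to_self(const char *dst6, const char *own4, uint16_t own_port)
{
    struct in6_addr d;
    struct in_addr me;
    struct teredo_fields f;
    if (inet_pton(AF_INET6, dst6, &d) != 1 || inet_pton(AF_INET, own4, &me) != 1)
        return -1;
    if (!teredo_parse(&d, &f))
        return 0;
    return f.mapped_ipv4 == ntohl(me.s_addr) && f.mapped_port == own_port;
}

int main(void)
{
    /* Constructed addresses; 192.0.2.1 is a documentation address. */
    printf("%d\n", loops_to_self("2001:0:c000:201:8000:f227:3fff:fdfe", "192.0.2.1", 3544));
    printf("%d\n", loops_to_self("2001:0:c000:201:8000:63bf:3fff:fdfe", "192.0.2.1", 3544));
    return 0;
}
```

The second sample address maps to the same host but a different UDP port, the "two processes on the same host" case mentioned above, and is not flagged.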