Re: [secdir] Routing loop attacks using IPv6 tunnels

Gabi Nakibly <gnakibly@yahoo.com> Tue, 18 August 2009 09:33 UTC


Indeed, the vulnerability of attack 5 was noted and fixed in Miredo. However, I am not aware of any updates to the Teredo specification to mitigate it. This means that new implementations will always be vulnerable as in the case of Windows Server 2008 R2. This vulnerability was reported to Microsoft a few months ago. They have reproduced it on their end. A fix should be released in the next RC.
I did not realize that the attack can also be successful on Linux. Thanks for the correction.

Please let me know the results of your check on attack #4. If you wish, I can send you (off-list) the details of my setup for this attack. By the way, I encourage other people on the list to verify the attacks in different scenarios.

Gabi


________________________________
From: Rémi Denis-Courmont <remi@remlab.net>
To: Gabi Nakibly <gnakibly@yahoo.com>
Cc: v6ops <v6ops@ops.ietf.org>; secdir@ietf.org; ipv6@ietf.org
Sent: Monday, August 17, 2009 7:54:06 PM
Subject: Re: Routing loop attacks using IPv6 tunnels

On Monday, 17 August 2009 18:21:12, Gabi Nakibly wrote:
> Hi all,
> I would like to draw the attention of the list to some research results
> which my colleague and I at the National EW Research & Simulation Center
> have recently published. The research presents a class of routing loop
> attacks that abuses 6to4, ISATAP and Teredo. The paper can be found at:
> http://www.usenix.org/events/woot09/tech/full_papers/nakibly.pdf

Attack E has been known for at least 2 years, though I do not have a Microsoft 
implementation to verify: http://www.remlab.net/miredo/mtfl-sa-0603.shtml.en

Note that it *does* affect Linux-based in the sense that a non-privileged 
local user could screw up (an unlikely scenario on a Teredo server, anyway).


I'm now trying to verify attack D.


-- 
Rémi Denis-Courmont
http://www.remlab.net/