Fernando Gont | 1 Sep 2011 12:10

Re: HP A-series switches are affected, too. [WAS: More on IPv6 RA-Guard evasion (IPv6 security)]

Hi, Dan,

On 09/01/2011 06:32 AM, Dan Luedtke wrote:
> you addressed a problem that many vendors suffer from at the moment.
> Marc Heuse discovered this vulnerability, I guess,

FWIW, "publicly-released first" != "discovered" (ask Cisco's PSIRT if in
doubt) -- anyway, I'm just trying to trigger discussion and get feedback...

> Based on Marc's ideas I tested the mentioned attack on Hewlett
> Packard's A-series switches, and I have to say that these attacks were
> successful. That stopped us from implementing IPv6 for a while in our
> network.

Do they ship with "RA-Guard"? -- Note that "hosts being vulnerable to
RA-based attacks" does not imply a vulnerable RA-Guard implementation.
The layer-2 might simply not ship with RA-Guard, it could ship with it
but not be enabled, etc.

Anyway... I'd bet that every implementation that "followed" the spec is
vulnerable....

> If you are interested, you can obtain my thesis as PDF-document here
> https://www.danrl.de/dl/bachelor-thesis-luedtke.pdf
> (Chapter Edge-Level might be the one of your interest)

Will certainly take a look. Thanks!

> By the way, I don't think it is a good idea to disallow any Extension
> Headers in ND-Messages, 

Dan Luedtke | 1 Sep 2011 12:44

Re: HP A-series switches are affected, too. [WAS: More on IPv6 RA-Guard evasion (IPv6 security)]

Hello Fernando,

On Thu, Sep 1, 2011 at 12:10 PM, Fernando Gont <fgont@si6networks.com> wrote:
>> Based on Marc's ideas I tested the mentioned attack on Hewlett
>> Packard's A-series switches, and I have to say that these attacks were
>> successful. That stopped us from implementing IPv6 for a while in our
>> network.
>
> Do they ship with "RA-Guard"? -- Note that "hosts being vulnerable to
> RA-based attacks" does not imply a vulnerable RA-Guard implementation.
> The layer-2 might simply not ship with RA-Guard, it could ship with it
> but not be enabled, etc.
I have to admit, I was a little bit sloppy about the term RA-Guard.
Every vendor has another name for the feature that *should* provide
protection from faked Router Advertisements; technically it is
sometimes like RA-Guard, in reality it is often a simple ACL wrapped
in a shiny new command. HP tried to implement it in their "Neighbor
Discovery Detection" feature of Comware, and they succeeded partly.
One has to craft some nasty packets to circumvent their protection,
but one still is able to do so.

> Anyway... I'd bet that every implementation that "followed" the spec is
> vulnerable....
Unfortunately :(

>> By the way, I don't think it is a good idea to disallow any Extension
>> Headers in ND-Messages,
>
> Consensus at the relevant IETF working-group (6man) seems to be to only
> ban the Fragment Header (when SEND is not employed).

Marc Heuse | 1 Sep 2011 12:59

Re: HP A-series switches are affected, too. [WAS: More on IPv6 RA-Guard evasion (IPv6 security)]


Am 01.09.2011 12:10, schrieb Fernando Gont:
> On 09/01/2011 06:32 AM, Dan Luedtke wrote:
>> you addressed a problem that many vendors suffer from at the moment.
>> Marc Heuse discovered this vulnerability, I guess,
> 
> FWIW, "publicly-released first" != "discovered" (ask Cisco's PSIRT if in
> doubt) -- anyway, I'm just trying to trigger discussion and get feedback...

when I reported to PSIRT they were not aware of the issue - so who
called them first is unsettled :-) - however I published first ;-)

> Anyway... I'd bet that every implementation that "followed" the spec is
> vulnerable....

it is not mentioned in the RFC that an interface does have to support
unlimited autoconfigured addresses on its interfaces, nor does it
state an upper limit. So it's undefined and up to the implementor. And
those who thought about it and saw the DoS coming (Solaris, OpenBSD) put
limits, others didn't (everybody else).

>> If you are interested, you can obtain my thesis as PDF-document here
>> https://www.danrl.de/dl/bachelor-thesis-luedtke.pdf
>> (Chapter Edge-Level might be the one of your interest)

@dan: nice paper.
ScreenOS has several DoS issues in their IPv6 implementation btw

>> By the way, I don't think it is a good idea to disallow any Extension
>> Headers in ND-Messages, 

Fernando Gont | 1 Sep 2011 13:27

Re: HP A-series switches are affected, too. [WAS: More on IPv6 RA-Guard evasion (IPv6 security)]

Hi, Marc,

On 09/01/2011 07:59 AM, Marc Heuse wrote:
>> FWIW, "publicly-released first" != "discovered" (ask Cisco's PSIRT if in
>> doubt) -- anyway, I'm just trying to trigger discussion and get feedback...
> 
> when I reported to PSIRT they were not aware of the issue - so who
> called them first is unsettled :-) - however I published first ;-)

Again, please ask PSIRT. :-)

In any case, the world doesn't (or "shouldn't", at least) care about the
"who", but rather should care about the "what".

>> Anyway... I'd bet that every implementation that "followed" the spec is
>> vulnerable....
> 
> it is not mentioned in the RFC that an interface does have to support
> unlimited autoconfigured addresses on its interfaces, nor does it
> state an upper limit.

I was referring to the RA-Guard spec (RFC6105), and not the SLAAC spec.

> So it's undefined and up to the implementor. And
> those who thought about it and saw the DoS coming (Solaris, OpenBSD) put
> limits, others didn't (everybody else).

One could argue that good programming practice means that you enforce
limits on everything. That said, I agree that implementation advice is
strongly needed.

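A detection-side illustration of the header-chain problem this thread discusses (an added example, not code from any of the posters, from HP's Comware or from RFC 6105): a naive check that inspects only the first Next Header is compared with a filter that walks the extension-header chain, drops ND carrying a Fragment Header as the 6man consensus mentioned above suggests, and applies the RA-Guard port policy to whatever ICMPv6 header it finally reaches. All packets are constructed inline; `ipv6`, `dest_opts`, `ra_guard` and the trusted-port flag are this example's own names, not anything from the thread.

```python
import struct

ICMPV6, HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 58, 0, 43, 44, 60
CHAINABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}  # headers that precede ICMPv6
RA_TYPE = 134  # ICMPv6 Router Advertisement

def ipv6(next_hdr, payload):
    """Constructed IPv6 header fe80::1 -> ff02::1, hop limit 255 as ND requires."""
    src = bytes.fromhex("fe800000000000000000000000000001")
    dst = bytes.fromhex("ff020000000000000000000000000001")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 255) + src + dst + payload

def router_advertisement():
    """Minimal RA body; checksum left at zero since the filter never verifies it."""
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)

def dest_opts(next_hdr):
    """8-byte Destination Options header holding a single PadN option (constructed)."""
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])

def fragment(next_hdr, offset=0, more=0, ident=1):
    """8-byte Fragment header (constructed; first fragment, nothing following)."""
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | more, ident)

def naive_is_ra(pkt):
    """The shortcut that gets evaded: only the first Next Header field is looked at."""
    return pkt[6] == ICMPV6 and pkt[40] == RA_TYPE

def ra_guard(pkt, port_is_router):
    """Chain-walking decision: 'drop-fragment', 'drop-truncated', 'deny', 'permit' or 'pass'."""
    nh, off = pkt[6], 40
    while nh in CHAINABLE:
        if nh == FRAGMENT:
            return "drop-fragment"        # 6man consensus: no Fragment Header in ND messages
        if off + 8 > len(pkt):
            return "drop-truncated"       # header chain runs past the packet
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units
    if nh == ICMPV6 and off < len(pkt) and pkt[off] == RA_TYPE:
        return "permit" if port_is_router else "deny"   # the actual RA-Guard port policy
    return "pass"                          # not an RA, not RA-Guard's business

# Constructed sample frames: plain RA, RA behind Destination Options, RA behind a Fragment header
PLAIN = ipv6(ICMPV6, router_advertisement())
HIDDEN = ipv6(DEST_OPTS, dest_opts(ICMPV6) + router_advertisement())
FRAGGED = ipv6(FRAGMENT, fragment(ICMPV6) + router_advertisement())
```

Run against the three constructed frames, the naive check recognises only `PLAIN`, while `ra_guard` denies both `PLAIN` and `HIDDEN` on a non-router port and rejects `FRAGGED` outright.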
