Full Disclosure mailing list archives

Re: Ra-Guard evasion (new Internet-Drafts)


From: Fernando Gont <fernando () gont com ar>
Date: Wed, 01 Jun 2011 15:48:47 -0300

Hi, Marc,

On 06/01/2011 07:57 AM, Marc Heuse wrote:
> this surprised me for two things.
> 
> First: Cisco was not aware.

I mentioned this issue to at least one guy @ PSIRT.

Nevertheless, it says something about what it takes for a vendor to be aware. I
have had some experience in the past in which I notified vendors of an issue
(more than one issue, more than one vendor), and they showed no
concern. One year later they ended up publishing advisories in response
to the same issues, but reported much later than when we had reported them.


> So you tell you discovered this issue as
> well and you informed vendors, but the only vendor who really has RA
> support so far is Cisco, and they did not know.

We had worked on this thing for a while. IIRC, I talked with a few guys
about this in November 2010 or so (including, IIRC, some guys involved
in NDPMon). For instance, I posted on the ipv6ops mailing-list (in
November/December 2010) a few comments noting that RA-Guard could be evaded.

(And, FWIW, vendors have been sitting on a number of other ND issues
that I asked them to perform on their systems for more than a year now.
-- as an example, see my slides for LACSEC 2011 at
http://www.gont.com.ar/talks)


> So I recommend that you don't keep your findings to your group but
> actively inform the vendors about that, and that not via an Internet draft.

It is not really up to me who gets informed of what, or when.
Nonetheless, those times in which I got involved in the business of
"cooperating" with vendors, it didn't turn out to be the best thing on
which to spend time and energy.


> Second: it is always a race who is credited as the finder of an issue.
> As anybody can claim he had the vulnerability in his drawers for years,
> only the person who publishes it gets the credit, so sorry :-)

That wasn't the purpose of the note in my I-D. -- Sorry if it came
across like that. For the most part, it tried to make the point that the
work that we did had been carried out independently from your own
research, but that we simply had not released our work (i.e., that it
was not that I simply read a post of yours and decided to write an I-D
about it).


> I had my attack tool since beginning of January :-) - which is pretty
> sure before your group discovered that, and I published first :-)

As noted, we were talking about this in November 2010, already.

However, as far as I'm concerned, this discussion is nonsensical. The
work that you've done on v6 security is more important than a specific
IPv6 vulnerability (whether this, or another one).

It was the first IPv6 attack suite that was publicly released (before I
worked on any of my tools or documents), and probably the first real
intent to advance IPv6 security.

We have a 200+ page document about IPv6 security waiting to be
published, and I hope that you get the credit you deserve for the work
you've done on IPv6 security. -- There's only a handful of us working on
v6 security (other than blah-blah about how IPsec usage is going to
increase, etc.)


> that being said I have started to inform vendors of two new IPv6
> vulnerability types now, and nobody has told them about these before either.

Please see slides 27-30 of:
http://www.gont.com.ar/talks/hacklu2009/fgont-hacklu2009-tcp-security.pdf (just
an example).

-- I'm just trying to make a point that things with vendors do not
always work as expected....

That aside (and *aside* from this RA-Guard thing), I should note that it
is usually only the discovery of vulnerabilities that gets credited, and
not the production of countermeasures -- which is, IMHO, rather unfair.


> But nonetheless - good work, good draft proposals, that's the way to go
> with the issue.

Thanks for the comments! Any additional feedback that could help to
improve the documents will be highly appreciated.

P.S.: This whole thing is probably an indication that we should be
cooperating more between each other regarding IPv6 security....

Thanks,
-- 
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/