Bugtraq mailing list archives

Re: [Full-disclosure] HP A-series switches are affected, too. [WAS: More on IPv6 RA-Guard evasion (IPv6 security)]


From: Fernando Gont <fgont () si6networks com>
Date: Thu, 01 Sep 2011 07:10:27 -0300

Hi, Dan,

On 09/01/2011 06:32 AM, Dan Luedtke wrote:
> you addressed a problem that many vendors suffer from at the moment.
> Marc Heuse discovered this vulnerability, I guess,

FWIW, "publicly-released first" != "discovered" (ask Cisco's PSIRT if in
doubt) -- anyway, I'm just trying to trigger discussion and get feedback...



> Based on Marc's ideas I tested the mentioned attack on Hewlett
> Packard's A-series switches, and I have to say that these attacks were
> successful. That stopped us from implementing IPv6 for a while in our
> network.

Do they ship with "RA-Guard"? -- Note that "hosts being vulnerable to
RA-based attacks" does not imply a vulnerable RA-Guard implementation.
The layer-2 might simply not ship with RA-Guard, it could ship with it
but not be enabled, etc.

Anyway... I'd bet that every implementation that "followed" the spec is
vulnerable....


> If you are interested, you can obtain my thesis as a PDF document here:
> https://www.danrl.de/dl/bachelor-thesis-luedtke.pdf
> (Chapter Edge-Level might be the one of your interest)

Will certainly take a look. Thanks!



> By the way, I don't think it is a good idea to disallow any Extension
> Headers in ND-Messages,

Consensus at the relevant IETF working-group (6man) seems to be to only
ban the Fragment Header (when SEND is not employed).

A more conservative approach would be to simply require that the
upper-layer header be present in the first fragment. (i.e., that the
first fragment contains all the information that you need to apply an ACL).


> I'd like switches to discard ND-Messages with
> more than e.g. 3 chained headers.

The point was that this could be expensive (if at all possible) for the
RA-Guard implementation to do.


> But that is another conversation...
> I subscribed to the IPv6 Hackers mailing list, maybe we will have some
> discussion about that over there.

Yep... will post something right now, and see if that triggers discussion.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont () si6networks com
web: http://www.si6networks.com
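As an added illustration, not code from either poster: a small Python model of an RA-Guard style check that applies the rules raised in this exchange, namely dropping ND messages that carry a Fragment Header (the 6man direction), refusing first fragments that do not contain the upper-layer header (the conservative rule), and bounding the number of chained headers (Dan's suggestion). Header layouts follow RFC 2460 and RFC 4861; the packets, the `build` helper and the verdict strings are constructed for this example.

```python
import struct
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6 = 0, 43, 44, 60, 58  # Next Header values
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
ND_TYPES = {133, 134, 135, 136, 137}  # ICMPv6 RS, RA, NS, NA, Redirect

def walk_chain(pkt):
    """Walk the extension headers of a raw IPv6 packet. Returns (headers seen, upper-layer
    Next Header or None if it is not in this fragment, its offset, first-fragment flag)."""
    nh, off, headers, first = pkt[6], 40, [], True
    while nh in EXT_HEADERS and off + 8 <= len(pkt):
        headers.append(nh)
        if nh == FRAGMENT:  # fixed 8 bytes; fragment offset is the top 13 bits of bytes 2-3
            first = (struct.unpack('!H', pkt[off + 2:off + 4])[0] >> 3) == 0
            nh, off = pkt[off], off + 8
            if not first:  # a non-first fragment carries no upper-layer header at all
                return headers, None, off, False
        else:  # Hdr Ext Len counts 8-octet units beyond the first 8 bytes
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh in EXT_HEADERS or off >= len(pkt):  # chain cut off or header lies beyond the data
        return headers, None, off, first
    return headers, nh, off, first

def ra_guard_verdict(pkt, max_chain=3):
    """Verdict for a packet received on a port that must not originate Router Advertisements."""
    headers, upper, off, first = walk_chain(pkt)
    if upper is None:  # conservative rule: the first fragment must carry the upper-layer header
        return 'drop: upper-layer header not in first fragment' if first else 'pass: non-first fragment'
    if upper != ICMPV6 or pkt[off] not in ND_TYPES:
        return 'pass: not Neighbor Discovery'
    if FRAGMENT in headers:  # 6man direction: no Fragment Header in ND messages
        return 'drop: Fragment Header in ND message'
    if len(headers) > max_chain:  # Dan's suggestion: bound the length of the chain
        return f'drop: more than {max_chain} chained headers'
    return 'drop: Router Advertisement' if pkt[off] == 134 else 'pass: ND message'

def build(ext, icmp_type=134, frag_off=None, truncate=False):
    """Constructed test packet: IPv6 header, the given extension headers (plus a Fragment Header
    when frag_off is set), then an ICMPv6 header unless truncate=True leaves it to a later fragment."""
    chain = list(ext) + ([FRAGMENT] if frag_off is not None else [])
    body = b''
    for i, h in enumerate(chain):
        nxt = chain[i + 1] if i + 1 < len(chain) else ICMPV6
        if h == FRAGMENT:
            body += struct.pack('!BBHI', nxt, 0, frag_off << 3, 1)
        else:  # one 8-byte options header filled with a PadN option
            body += struct.pack('!BB', nxt, 0) + b'\x01\x04' + b'\x00' * 4
    if not truncate:
        body += struct.pack('!BBH', icmp_type, 0, 0) + b'\x00' * 4
    hdr = struct.pack('!IHBB', 0x60000000, len(body), chain[0] if chain else ICMPV6, 255)
    return hdr + b'\x00' * 32 + body  # zeroed addresses are fine for a parser test
```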