[LAC-TF] Fwd: Routing loop attacks using IPv6 tunnels

Nicolas Antoniello nantoniello at gmail.com
Mon Aug 17 13:15:39 BRT 2009


I am forwarding this to you since it may be of interest to everyone.


---------- Forwarded message ----------
From: Gabi Nakibly
Date: Mon, Aug 17, 2009 at 12:21 PM
Subject: Routing loop attacks using IPv6 tunnels
To: v6ops <v6ops at ops.ietf.org>
Cc: secdir at ietf.org, ipv6 at ietf.org

Hi all,
I would like to draw the attention of the list to some research
results which my colleague and I at the National EW Research &
Simulation Center have recently published. The research presents a
class of routing loop attacks that abuses 6to4, ISATAP and Teredo. The
paper can be found at:

Here is the abstract:
IPv6 is the future network layer protocol for the Internet. Since it
is not compatible with its predecessor, some interoperability
mechanisms were designed. An important category of these mechanisms is
automatic tunnels, which enable IPv6 communication over an IPv4
network without prior configuration. This category includes ISATAP,
6to4 and Teredo. We present a novel class of attacks that exploit
vulnerabilities in these tunnels. These attacks take advantage of
inconsistencies between a tunnel's overlay IPv6 routing state and the
native IPv6 routing state. The attacks form routing loops which can be
abused as a vehicle for traffic amplification to facilitate DoS
attacks. We exhibit five attacks of this class. One of the presented
attacks can DoS a Teredo server using a single packet. The exploited
vulnerabilities are embedded in the design of the tunnels; hence any
implementation of these tunnels may be vulnerable. In particular, the
attacks were tested against the ISATAP, 6to4 and Teredo
implementations of Windows Vista and Windows Server 2008 R2.

I think the results of the research warrant some corrective action. If
this indeed shall be the general sentiment of the list, I will be
happy to write an appropriate I-D. The mitigation measures we suggested
in the paper are the best we could think of to completely eliminate
the problem. However they are far from perfect since they would
require tunnel implementations to be updated in case new types of
automatic tunnels are introduced.

Your comments are welcome.

