[dns-operations] IPv6 Type 0 Routing Header issues

Joe Abley jabley at ca.afilias.info
Mon Apr 23 20:39:54 UTC 2007


On 23-Apr-2007, at 16:07, Nicolas FISCHBACH wrote:

> Very interesting presentation by Arnaud and Phil:
>
> http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
>
> If you only care about the DNS related bits, start on page 29.

The OpenBSD people have committed a patch to address (some of) this  
stuff; see below. There's a corresponding FreeBSD commit here:

   http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/route6.c.diff?r1=1.12&r2=1.13

Jinmei and the KAME team also pointed out that RFC 4620 documents an  
additional mechanism for finding out addresses of devices, in  
addition to the "HOSTNAME.BIND CH TXT" approach on the slides: IPv6  
node information queries with the "Node Addresses" qtype can reveal  
additional interface addresses which can be incorporated into RH type  
0 loops. RFC 4620 specifies that queries should not be processed if  
they originate from a global address, but some implementations answer  
such probes anyway.

On some (most? all?) BSD platforms the processing of node information  
queries can be disabled using

   sysctl -w net.inet6.icmp6.nodeinfo=0

Note that I'm just passing on things that I have heard, and hence  
deserve no credit for any of it. However, if I have misunderstood  
anything and am propagating nonsense, that is all my own work :-)

Begin forwarded message:

> From: Marc Balmer <mbalmer at openbsd.org>
> Date: 23 April 2007 19:09:19 GMT+01:00
> To: security-announce at openbsd.org
> Subject: IPv6 Type 0 Route Header Design Flaw
>
> IPv6 type 0 route headers can be used to mount a DoS attack against
> hosts and networks.  This is a design flaw in IPv6 and not a bug in
> OpenBSD.
>
> This problem has been fixed in the OpenBSD CVS repository in the
> -current and -stable branches.  The -current snapshots of OpenBSD
> contain these fixes as well.
>
> It is recommended that users of OpenBSD update their kernel asap
> using cvs or manually apply the source code patches listed below.
>
> A source code patch for OpenBSD 4.0-stable can be downloaded from
> ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/012_route6.patch.
>
> A source code patch for OpenBSD 3.9-stable can be downloaded from
> ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/022_route6.patch.
>
>
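Added example, not code from this thread or from either BSD project: a small Python check that walks an IPv6 packet's extension-header chain and flags a Type 0 routing header, the kind of test a packet filter or a capture-analysis script would apply to detect the RH0 traffic discussed above. The sample packets and the 2001:db8:: addresses are constructed for the example.

```python
import struct
from ipaddress import IPv6Address

# IPv6 extension headers that continue the header chain (values from RFC 2460).
HOPOPT, ROUTING, FRAGMENT, DSTOPTS, ICMPV6 = 0, 43, 44, 60, 58
CHAINED = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}

def find_rh0(packet: bytes):
    """Walk a raw IPv6 packet's extension-header chain.

    Returns None when no Type 0 routing header is present; otherwise a dict with
    the segments-left count and the intermediate addresses the header lists.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40
    while nxt in CHAINED and off + 2 <= len(packet):
        # Fragment headers are fixed at 8 octets; the others carry a length field.
        hdr_len = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        if nxt == ROUTING and packet[off + 2] == 0:
            body = packet[off + 8: off + hdr_len]
            if len(body) % 16:
                raise ValueError("truncated RH0")
            addrs = [str(IPv6Address(body[i:i + 16])) for i in range(0, len(body), 16)]
            return {"segments_left": packet[off + 3], "addresses": addrs}
        nxt, off = packet[off], off + hdr_len
    return None

def should_drop(packet: bytes) -> bool:
    """Filter rule: discard an RH0 packet that still has hops to traverse.
    An RH0 with segments left == 0 is inert and is allowed through, which is
    the handling RFC 5095 later standardised."""
    rh0 = find_rh0(packet)
    return rh0 is not None and rh0["segments_left"] > 0

# Constructed sample packets (documentation prefix 2001:db8::/32), not captured traffic.
SRC, DST = IPv6Address("2001:db8::1").packed, IPv6Address("2001:db8::2").packed
HOPS = [IPv6Address("2001:db8::10").packed, IPv6Address("2001:db8::11").packed]
ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])  # ICMPv6 echo request, checksum left zero
# RH0: next header, ext length in 8-octet units, type 0, segments left, reserved, hop list
RH0 = struct.pack("!BBBBI", ICMPV6, 2 * len(HOPS), 0, len(HOPS), 0) + b"".join(HOPS)
PKT_RH0 = struct.pack("!IHBB", 0x60000000, len(RH0) + len(ECHO), ROUTING, 64) + SRC + DST + RH0 + ECHO
PKT_PLAIN = struct.pack("!IHBB", 0x60000000, len(ECHO), ICMPV6, 64) + SRC + DST + ECHO

if __name__ == "__main__":
    print(find_rh0(PKT_RH0))  # {'segments_left': 2, 'addresses': ['2001:db8::10', '2001:db8::11']}
    print(should_drop(PKT_RH0), should_drop(PKT_PLAIN))  # True False
```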