Bugtraq mailing list archives

Re: Ra-Guard evasion (new Internet-Drafts)


From: Marc Heuse <mh () mh-sec de>
Date: Wed, 01 Jun 2011 12:57:46 +0200

Hi Fernando,

to quote from your drafts:

As part of the project "Security Assessment of the Internet Protocol
version 6 (IPv6)" [CPNI-IPv6], we devised a number of techniques for
circumventing the RA-Guard protection, which are described in the
following sections of this document.  These techniques, and the
corresponding tools to assess their effectiveness, had so far been
made available only to vendors, in the hopes that they could
implement counter-measures before they were publicly disclosed.
However, since there has been some public discussion about these
issues, it was deemed as appropriate to publish the present document.

this surprised me for two things.

First: Cisco was not aware. So you tell you discovered this issue as
well and you informed vendors, but the only vendor who really has RA
support so far is Cisco, and they did not know. I informed them.
So I recommend that you don't keep your findings to your group but
actively inform the vendors about that, and that not via an Internet draft.

Second: it is always a race who is credited as the finder of an issue.
As anybody can claim he had the vulnerability in his drawers for years,
only the person who publishes it gets the credit, so sorry :-)
I had my attack tool since beginning of January :-) - which is pretty
sure before your group discovered that, and I published first :-)

that being said I have started to inform vendors of two new IPv6
vulnerability types now, and nobody has told them about these before either.

But nonetheless - good work, good draft proposals, that's the way to go
with the issue.

Greets,
Marc

I've just published two new IETF Internet-Drafts, that document the
problem of RA-Guard evasion, and propose mitigations.

They are two Internet-Drafts:

* "IPv6 Router Advertisement Guard (RA-Guard) Evasion", available at:
http://tools.ietf.org/id/draft-gont-v6ops-ra-guard-evasion-00.txt

* "Security Implications of the Use of IPv6 Extension Headers with IPv6
Neighbor Discovery", available at:
http://tools.ietf.org/id/draft-gont-6man-nd-extension-headers-00.txt

The motivation for publishing these documents now (and not earlier or
later) is discussed in the first I-D. ;-)

Any comments on these documents will be more than welcome.

--
Marc Heuse
www.mh-sec.de

Marc Heuse - IT-Security Consulting

Ust.-Ident.-Nr.: DE244222388
PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A

