Contributed by deanna on from the with prejudice dept.
IPv6 routing headers are a type of 'super source routing', and pose a significant and serious risk to hosts and the internet. That this host-controlled routing even came into existence once again shows how broken the IETF process is. Disable this source routing, with prejudice.
More info about the issue may be found in this set of slides presented by Philippe Biondi and Arnaud Ebalard last week at CanSecWest.
Source code patches are available for OpenBSD 4.0 and 3.9.
(Comments are closed)
By Anonymous Coward (207.59.237.99) on
Thus, it is with the best wishes and a heavy heart that I need to talk to you about your current relationship.
Sure, your Engineering Task Force comes highly recommended, and has an impressive list of credentials. But, Internet, it's obvious that this relationship has been disastrous, leaving you insecure and in need of constant reinforcement in order to just hold yourself together.
I love you, and you're better than that. I've SEEN you better than that. You need to find it within yourself to be the best internet you can be.
Thanks for all the porn,
- User
Comments
By Anonymous Coward (87.14.172.139) on
By Anonymous Coward (204.9.40.20) on
Comments
By Igor Sobrado (sobrado) on
The IPv6 type 0 routing header is comparable to IPv4 source routing but it *must* be processed by all nodes (not only by routers); that is the way the routing header has been defined and standardized. So, at least ingress and (conceivably) egress filtering is required to assure security. IPv4's loose and strict source routing must be done in multi-homed intermediate systems, so nodes and firewalls are usually not participating in LSRR and SSRR. The former opens a lot of ways to circumvent security.
Sadly, the IPv6 type 2 routing header is not very secure either; it is required for MIPv6, a good approach to mobility. Up to my knowledge, IPv6 type 1 routing header never abandoned its experimental status.
Comments
By Anonymous Coward (204.9.40.20) on
>
> The IPv6 type 0 routing header is comparable to IPv4 source routing but it *must* be processed by all nodes (not only by routers); that is the way the routing header has been defined and standardized. So, at least ingress and (conceivably) egress filtering is required to assure security. IPv4's loose and strict source routing must be done in multi-homed intermediate systems, so nodes and firewalls are usually not participating in LSRR and SSRR. The former opens a lot of ways to circumvent security.
I read 791 to also require IP LSRR and SSRR to be processed by any implementations that claim to be compliant with 791, there's no distinction between host and router in the standard. 1123 doesn't say anything either way.
If memory serves, BSD had a bad history with LSRR and SSRR, originally being supported always and without a knob to disable it. We got burned, we learned, and now there are knobs, off by default.
By Cobalt (70.162.93.223) on
Comments
By Matthew R. Dempsky (15.227.137.70) on
By Rod Whitworth (yendor) rego@witworx.com on
By Janos Mohacsi (194.67.205.95) on
Comments
By art (84.79.228.107) on
consensus is bullshit. It depends on how you ask the question. Simple example:
- Should we remove the X header from the standard? No, because there is no consensus to remove it.
- Should we keep the X header in the standard? No, because there is no consensus to keep it.
By Anonymous Coward (87.210.142.234) on
You say the ipv6 community was aware of the dangers... but you decided to keep the mechanism anyway. Wow.
By Anonymous Coward (81.57.42.108) on
How to do this ?
After a quick search through pf.conf(5), I didn't found anything.
Comments
By Janos Mohacsi (194.67.205.95) on
>
> How to do this ?
>
> After a quick search through pf.conf(5), I didn't found anything.
>
block in quick inet6 proto ipv6-route from any to any
Comments
By sthen (85.158.44.149) on
This doesn't work on a plain OpenBSD installation (/etc/protocols doesn't list 43/ipv6-route). Does it work properly anyway (including the case where the routing header isn't the first extension header)?
By Anonymous Coward (204.9.40.20) on
Here's an opportunity for someone to do some good. There should be a good ability in PF to filter out IPv6 option headers.
Comments
By sthen (85.158.44.149) on
Well, that happens sometimes when the standards are broken.
> Here's an opportunity for someone to do some good. There should be a good ability in PF to filter out IPv6 option headers.
An extension to 'scrub' might be a good place for this.
Things over in Cisco-land aren't as safe as the slides would have you believe, btw.
Comments
By Anonymous Coward (194.67.205.95) on
>
> Well, that happens sometimes when the standards are broken.
>
> Here's an opportunity for someone to do some good. There should be a good ability in PF to filter out IPv6 option headers.
>
> An extension to 'scrub' might be a good place for this.
It is almost there:
block in quick inet6 proto ipv6-route from any to any
here I would like to see
block in quick inet proto ipv6-route 0,1 from any to any
Regards,
By Anonymous Coward (194.25.2.250) on
Apply by doing:
cd /usr/src
patch -p0 < 012_route6.patch