Remi,

Well, I also think that there should also be a proper check in the spec. Notice that there are valid cases in which looping a packet back to yourself is OK. For example, if two processes on the same host communicate with each other. However, I do think that an alert implementer of a Teredo server could avoid this loop.

Gabi

________________________________
From: Rémi Denis-Courmont <r...@remlab.net>
To: Gabi Nakibly <gnaki...@yahoo.com>
Cc: v6ops <v6...@ops.ietf.org>; sec...@ietf.org; ipv6@ietf.org
Sent: Tuesday, August 18, 2009 2:51:30 PM
Subject: Re: Routing loop attacks using IPv6 tunnels

On Tue, 18 Aug 2009 02:29:58 -0700 (PDT), Gabi Nakibly <gnaki...@yahoo.com> wrote:
> Indeed, the vulnerability of attack 5 was noted and fixed in Miredo.
> However, I am not aware of any updates to the Teredo specification to
> mitigate it. This means that new implementations will always be vulnerable
> as in the case of Windows Server 2008 R2. This vulnerability was reported
> to Microsoft a few months ago. They have reproduced it on their end. A fix
> should be released in the next RC.
> I did not realize that the attack can be successful also on Linux. Thanks
> for the correction.

Well, it is as simple as not looping packet back to yourself, isn't it? There could be a warning in the spec, but it's really an implementation error, I think.

> Please let me know the results of your check on attack #4. If you wish, I
> can send you (off-list) the details of my setup for this attack. By the
> way, I encourage other people on the list to verify the attacks in
> different scenarios.

I managed to reproduce it. Single-homed NATs have absolutely no excuse in forwarding a packet with their own IP address as the source. But yeah - there is a problem.

--
Rémi Denis-Courmont
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------