Type 0 Routing Headers: Weve long known they can be used in IPv4 to crazily bounce network packets back and forth between hops on their route, potentially causing denial of service.
Why in the world, then, are we seeing them again in IPv6?
“They havent learned their lesson,” said Nicolas Fischbach, senior manager of network engineering security at Colt Telecom Group, in Zurich, Switzerland, speaking of the designers whove been stitching together the network protocol for the Internet of the future. “When you look back at IPv4, [RH Type 0] was a major security issue that was shut down a long time ago.”
Fischbach spoke with eWEEK after the April CanSecWest security conference, where two researchers demonstrated how RH Type 0 in IPv6 can be used to cause a DDoS (distributed denial of service). The pair, EADS Corporate Research Center Research Engineers Philippe Biondi and Arnaud Ebalard, showed that when you can specify where your nodes route packets, you can create a loop—for example, from hop A to hop B to hop A to hop B—that exponentially jacks up Internet traffic, thus causing a DDoS.
The ability of users to route their own packets—a procedure optimized automatically in todays IPv4 Internet—allows not only DDoS attacks, but also the ability to bypass security. The well-known security issue has long since been removed from IPv4; by default, all routing engines now turn it off.
This vulnerability is easy to fix with RH-sensitive filters. Thats a good thing, Fischbach said, but the discovery points to the nasty surprises that may lie in wait as the Internet shifts to a new protocol version that hasnt had its wrinkles ironed out over a decade, as has IPv4. “Its just one example of how in moving from IPv4 to IPv6 people havent learned their lesson. Theyve created the same problem” that was fixed long ago, he said.
Bob Hinden, chairman of the IPv6 working group at Internet Engineering Task Force, said the group isnt seeing this “ingenious” exploit in the wild. “As far as I know, it only exists on PowerPoint,” he said.
Still, nobodys losing time in fixing it, he said. “The implementer community is rapidly enabling fixes and the standards body is rapidly trying to change it so it cant be used in a bad way,” Hinden said.
When asked how the IPv6 flaw differs from the well-known IPv4 flaw, Hinden said the new exploit has some novel ways to exploit headers that havent been used before. But, in essence, the two flaws differ mostly in that its possible to put more hops in the IPv6 exploit than with IPv4.
In the short term, Hinden said, people are disabling the exploit in code. The working group also is discussing whether to deprecate it completely so people wont include the flaw in code.
Whether that will satisfy Biondi and Ebalard is another matter.
IPv6 designers preferred useless functionalities over good sense, Biondi said during his presentation. RH0-related threats are not considered in the IPv6 spec. The Type 0 RH mechanism is of no use, except for attackers, he said, and the side effects against the whole infrastructure are terrible.
The researchers said they want filtering logic based on RH type; simple deactivation of RH processing as a default; limitation of extension headers nesting with low default value; and a distinction between strictly forwarded packets that a network would want to inspect and temporarily destined packets using a given network as a waypoint; access to final destination; and automatic handling of bad scope addresses.
The pair suggested protecting a network by preventing RH0 from entering; preventing hosts from processing the headers; and being MIPv6-friendly when possible (Type 2 headers, only understood by MIPv6-compliant stacks, allow specific filtering against Type 0 RH).