Re: Destination options attack

To: "Markku Savela" <msa at burp.tkv.asdf.org>
Subject: Re: Destination options attack
From: "Vishwas Manral" <vishwas.ietf at gmail.com>
Date: Mon, 28 May 2007 13:41:46 -0700
Cc: manoj at ipinfusion.com, ipv6 at ietf.org, pekkas at netcore.fi
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=YXJuoH40NU0363KIUt2vt+LoSROYM3a+gz47oLTq7othmgOihaWxwh2CkF7FcbEx6tHyB2Rf6tb2EMm4c4TFsoQFjALVCZ7OhLg7Oa5HCJHyCW/e33Iv67oN6agzqz3G7TAEK3KPL7u/ckktAkRtGC78vS/Yoedg7l6oleu2pEY=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=KS1OWXoZ+Dnk5M3viWAOUYTfw0ynOhfClIZZpk2toiNG/pa9BH2fIWVqD/roslJ1vDx9mHPEasNEuHl+Y6nPFKqZndq6tmgnxFX1JZFSacmiWGC39U1v7wY2VIX5GW64VhPG9epm39A9ayLTJKnpctaVzJn+lNM43lxnFjIO74Q=
In-reply-to: <200705282032.l4SKWHYN009484@burp.tkv.asdf.org>
List-help: <mailto:ipv6-request@ietf.org?subject=help>
List-id: "IP Version 6 Working Group \(ipv6\)" <ipv6.ietf.org>
List-post: <mailto:ipv6@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
References: <77ead0ec0705281139x1eb48a22t762e8f5e2abcd184@mail.gmail.com> <Pine.LNX.4.64.0705282241331.30480@netcore.fi> <77ead0ec0705281259h7b5d3512r4589c9559bc29795@mail.gmail.com> <200705282032.l4SKWHYN009484@burp.tkv.asdf.org>

Hi Markku,

The following is a quote RFC2460.

  The Option Type identifiers are internally encoded such that their
  highest-order two bits specify the action that must be taken if the
  processing IPv6 node does not recognize the Option Type:

   O
   O
   O

     10 - discard the packet and, regardless of whether or not the
          packet's Destination Address was a multicast address, send an
          ICMP Parameter Problem, Code 2, message to the packet's
          Source Address, pointing to the unrecognized Option Type.
  O
  O
  O

Thanks,
Vishwas

On 5/28/07, Markku Savela <msa at burp.tkv.asdf.org> wrote:


> > On Mon, 28 May 2007, Vishwas Manral wrote:
> > > I noticed one more security issue like the Destination options header
> > > attack. A packet is sent by using a destination header as a Multicast
> > > Group address, and source address of the machine to be attacked. A
> > > random Option type is added to the destination Options header, which
> > > has the highest order two bits as 10 (send ICMP Reply to the source).
> > >
> > > The above would cause ICMP packets to be sent to the source address
> > > from all members of the multicast group to the source. This could very
> > > eaily overwhelm the source

No. Stack is not supposed to send ICMP error report, if the destination
of the triggering packet was sent to a multicast or any kind of
broadcast address (including broadcast MAC).

--
Markku Savela


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6 at ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

References:
- Destination options attack
  - From: Vishwas Manral
- Re: Destination options attack
  - From: Pekka Savola
- Re: Destination options attack
  - From: Vishwas Manral

Prev by Date: Re: Destination options attack
Next by Date: draft-ietf-ipv6-deprecate-rh0-01-candidate-00
Previous by thread: Re: Destination options attack
Next by thread: Re: Destination options attack
Index(es):
- Date
- Thread

Re: Destination options attack

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.