Hello all,
When discussing Linux IPv6 implementation, David Stevens
<[EMAIL PROTECTED]> brought up a problem with routing header w/
Hosts.
RFC2460 (The IPv6 Spec) assumes that all _nodes_ (note: nodes, not just
routers) forward source routed packets.
Routing header works so that the next hop is always written to destination
address field and the rest of the path to routing header fields.
Problem with this is that:
1) it's impossible to authenticate using AH or the like as the header is
rewritten all the time
2) it allows you to use _any_ IPv6 node to reflect your traffic (even
to locations that wouldn't normally be routable)
For example:

host1 --- rtr1 - INET - rtr2 --- host2
                         |      /
                        rtr3 -/
                         |
                        host3

or even:

- rtr2 --- host2
   |
 host3

or even (same link):

- rtr2 -+- host2
        |
        +- host3
rtr2 performs strict ingress filtering on tcp destination port 80. host2
is a web server. (IMO, we _cannot_ assume every device in the path must
be knowledgeable of all the possible extension headers, and implications
of parsing them).
Now host1 could write a packet to dst host2, dport 80, with routing header
to: 'rtr3, host3' (or even just 'host3', there need not necessarily be
rtr3). (To avoid this, you would have to perform strict ingress filtering
in _all_ of your links, be they internal or not).
Now you can pass traffic unmolested to internal hosts. Or even John Doe
in the Internet!
Needless to say this will result in very, very much ugliness sooner or
later!
There is no reason to believe the IPv6 Routing Header is any better from a
security point of view than IPv4 source routing. And IPv4 source routing
is, luckily, very often disabled.
This won't help:
--8<--
Security Considerations
The security features of IPv6 are described in the Security
Architecture for the Internet Protocol [RFC-2401].
--8<--
At this point one could say a classic "WTF? Over." With such important
core protocols, we definitely _must not_ hide _all_ the security
considerations under the carpet by an ambiguous reference to the ipsec
security pixie dust.
More discussion on approaches to tackle this is needed, but IMO:
Forwarding datagrams with Routing Header SHOULD be configurable.
On Hosts, Routing Header MUST be ignored by default.
On Routers, Routing Header SHOULD be ignored by default.
(I'd only recommend allowing routing header on in backbone routers)
Does disabling routing header break anything significant? If it does, the
security of that must be analyzed as well.
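As an added illustration (not part of the original post), a Python sketch of the receiving-host check the proposal above calls for: it walks the IPv6 extension header chain, extracts a Type 0 Routing Header, and applies the "ignore by default" policy. The addresses and the packet builder are constructed test input; the field layout follows RFC 2460 section 4.4.

```python
import ipaddress

ROUTING = 43   # Next Header value of the IPv6 Routing Header (RFC 2460 section 4.4)
# Extension headers a receiver must step over to reach the Routing Header: hop-by-hop (0)
# and destination options (60) are sized by Hdr Ext Len, the fragment header (44) is 8 bytes.
SKIPPABLE = {0: None, 60: None, 44: 8}


def find_routing_header(packet: bytes):
    """Walk the extension header chain; return the Routing Header fields or None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], 40
    while next_hdr == ROUTING or next_hdr in SKIPPABLE:
        if len(packet) < offset + 8:
            raise ValueError("truncated extension header")
        nh, ext_len = packet[offset], packet[offset + 1]
        if next_hdr == ROUTING:
            rtype, segs_left = packet[offset + 2], packet[offset + 3]
            end = offset + (ext_len + 1) * 8
            if len(packet) < end:
                raise ValueError("truncated routing header")
            addrs = []
            if rtype == 0:               # Type 0: 4 reserved bytes, then the hop list
                if ext_len % 2:          # RFC 2460: odd Hdr Ext Len is malformed
                    raise ValueError("malformed type 0 routing header")
                body = packet[offset + 8:end]
                addrs = [str(ipaddress.IPv6Address(body[i:i + 16]))
                         for i in range(0, len(body), 16)]
            return {"type": rtype, "segments_left": segs_left, "addresses": addrs}
        offset += SKIPPABLE[next_hdr] or (ext_len + 1) * 8
        next_hdr = nh
    return None


def host_decision(packet: bytes, allow_routing_header: bool = False) -> str:
    """Default the post argues for: a host does not forward on behalf of a
    Routing Header; with segments left it drops unless explicitly enabled."""
    rh = find_routing_header(packet)
    if rh is None or rh["segments_left"] == 0:
        return "deliver"        # no source routing left to act on
    return "forward" if allow_routing_header else "drop"


def build_sample(src: str, next_hop: str, remaining: list) -> bytes:
    """Constructed test input: IPv6 header + Type 0 Routing Header, empty payload.
    The next hop sits in the destination field, the rest of the path in the header."""
    hops = b"".join(ipaddress.IPv6Address(a).packed for a in remaining)
    rh = bytes([59, 2 * len(remaining), 0, len(remaining)]) + bytes(4) + hops
    fixed = bytes([0x60, 0, 0, 0]) + len(rh).to_bytes(2, "big") + bytes([ROUTING, 64])
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(next_hop).packed + rh
```

The same walk is what an ingress filter would need in order to see past preceding extension headers; the Type 0 header was later deprecated outright by RFC 5095, which is the outcome this proposal argues towards.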
-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------