Pekka

I don't think a link-local attack can be carried out through automatic tunnels
(not to mention that they will fail the address checks).

After decapsulation, the packet is submitted for further input processing
to look at the inner header.  At this point, the source or destination
(or both) are link local and the packet must be forwarded off the link
(the link in this case is the tunnel).  So in effect you are attacking
the decapsulator (a router in most cases).

However, if the decapsulator is a multicast router, then you could
potentially attack other hosts on the LAN, but not with the link-local
threats documented below.

-vlad

Pekka Savola wrote:
> 
> Hello folks,
> 
> There was a draft on "local-link" security threats:
> 
> http://www.ietf.org/internet-drafts/draft-kempf-ipng-netaccess-threats-00.txt
> 
> Some of these may apply _remotely_ to nodes which implement automatic
> tunneling mechanisms (autotunnel, 6to4, ...), too.
> 
> Problem here is that if the automatic decapsulation is enabled, one can
> send packets like:
> 
> ===
> src=<pure_evil>
> dst=<6to4/autotunnel router>
> protocol=41
> 
>  src6=fe80::1
>  dst6=ff02::1  [or link-local unicast, or something]
>  hop limit=255 [<-- NOTE!]
>  [payload]
> ===
> 
> Note! Tunneling decrements hop limit when encapsulating, so it cannot be
> trusted.
> 
> Naturally, this is possible with configured tunnels too, but as there's
> usually some trust between the two parties, it's not as interesting.
> With automatic tunneling and friends, there doesn't need to be.
> 
> Problem here is that it's possible to receive packets to link-local
> addresses of the pseudo-interface via autotunneling which have hop limit =
> 255.
> 
> The latter is bad because several mechanisms including stateless address
> autoconfiguration partially depend on hop limit as a form of weak
> authorization.
> 
> This way, one can send e.g. valid link-local NS/NA/RA/RS packets that will
> arrive on 6to4/autotunnel pseudo-interface.
> 
> Luckily enough, these boxes most probably are configured as Routers not
> Hosts; an exception could be e.g. this combined "6to4 host + router in the
> same box" scenario.
> 
> If the node doesn't act as a router, one could then inject e.g. router
> advertisement messages on the pseudo-interface -- and they would be
> processed -- from anywhere in the Internet.
> 
> There might be some nasties for routers too.
> 
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                   not those you stumble over and fall"
> Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

-- 
++++++++++++++++++++++++++++++++++++++++++++++++++++
Vladislav Yasevich              Tel: (603) 884-1079
Compaq Computer Corp.           Fax: (435) 514-6884
110 Spit Brook Rd ZK03-3/T07
Nashua, NH 03062
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
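The "address checks" Vlad refers to above, and Pekka's observation that encapsulation leaves the inner hop limit at 255, can be made concrete with a small model of the input validation a protocol-41 decapsulator applies before handing the inner packet to normal IPv6 processing. This is an added example, not code from the thread or from any implementation discussed on the list; the packet bytes, the addresses (192.0.2.x, 198.51.100.x, 2002:c000:242::1) and the exact check set (reject link-local and link-scope multicast inner addresses, require a 6to4 source's embedded IPv4 address to match the outer IPv4 source) are constructed and assumed here for illustration.

```python
"""Decapsulator-side sanity checks for IPv6-in-IPv4 (protocol 41) packets.

Added example; constructed packets and an assumed check policy, not the
behaviour of any particular 6to4/autotunnel implementation.
"""
import ipaddress
import struct

PROTO_IPV6 = 41
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def parse_outer_ipv4(buf):
    """Return (src, dst, proto, payload) from a minimal IPv4 header."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header")
    return (ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
            proto, buf[ihl:])


def parse_inner_ipv6(buf):
    """Return (src6, dst6, hop_limit, next_header) from a fixed IPv6 header."""
    if len(buf) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, _plen, nh, hlim, src, dst = struct.unpack("!IHBB16s16s", buf[:40])
    if vtf >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    return ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), hlim, nh


def embedded_v4(addr6):
    """For a 2002:V4ADDR::/48 address, return the embedded IPv4 address."""
    return ipaddress.IPv4Address(addr6.packed[2:6])


def check_decapsulated(outer_src, inner_src, inner_dst):
    """Return None if the inner packet may continue to IPv6 input processing,
    otherwise a string naming why it is dropped."""
    for a in (inner_src, inner_dst):
        # Link-local traffic never legitimately crosses a tunnel from an
        # unknown peer; letting it through would deliver ND/RA messages to the
        # pseudo-interface with hop limit 255 intact.
        if a.is_link_local:
            return "inner link-local address"
        # ff0X:: with scope X <= 2 is interface- or link-local multicast.
        if a.is_multicast and (a.packed[1] & 0x0F) <= 2:
            return "inner link-scope multicast"
    # 6to4 consistency: the IPv4 address embedded in a 2002::/16 source must
    # equal the outer IPv4 source that actually delivered the packet.
    if inner_src in SIXTOFOUR and embedded_v4(inner_src) != outer_src:
        return "6to4 source does not match outer IPv4 source"
    if inner_src.is_unspecified or inner_src.is_loopback:
        return "bogus inner source"
    return None


def decapsulate(buf):
    """Process one protocol-41 packet; return (verdict, inner hop limit)."""
    osrc, _odst, proto, payload = parse_outer_ipv4(buf)
    if proto != PROTO_IPV6:
        return ("not protocol 41", None)
    isrc, idst, hlim, _nh = parse_inner_ipv6(payload)
    reason = check_decapsulated(osrc, isrc, idst)
    return ("drop: " + reason if reason else "accept", hlim)


def build_packet(outer_src, outer_dst, inner_src, inner_dst, hop_limit=255):
    """Construct a sample IPv6-in-IPv4 packet (no payload, next header 59)."""
    v6 = struct.pack("!IHBB16s16s", 6 << 28, 0, 59, hop_limit,
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     PROTO_IPV6, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6


# Constructed samples (documentation addresses).  192.0.2.66 == c000:0242.
INJECTED = build_packet("192.0.2.66", "192.0.2.1", "fe80::1", "ff02::1")
MCAST = build_packet("192.0.2.66", "192.0.2.1", "2002:c000:242::1", "ff02::1")
SPOOFED = build_packet("198.51.100.9", "192.0.2.1",
                       "2002:c000:242::1", "2002:c000:201::1")
LEGIT = build_packet("192.0.2.66", "192.0.2.1",
                     "2002:c000:242::1", "2002:c000:201::1")

if __name__ == "__main__":
    for name, pkt in (("injected", INJECTED), ("mcast", MCAST),
                      ("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, decapsulate(pkt))
```

Every sample comes back with an inner hop limit of 255 regardless of where the outer packet came from, which is the thread's point: on a tunnel pseudo-interface the hop limit says nothing about on-link origin, so the decision has to rest on the address checks rather than on the hop-limit heuristic that ND and autoconfiguration rely on.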
