Indeed, the vulnerability of attack 5 was noted and fixed in Miredo. However, I am not aware of any updates to the Teredo specification to mitigate it. This means that new implementations will always be vulnerable, as in the case of Windows Server 2008 R2. This vulnerability was reported to Microsoft a few months ago. They have reproduced it on their end. A fix should be released in the next RC.
I did not realize that the attack can be successful also on Linux. Thanks for the correction.
Please let me know the results of your check on attack #4. If you wish, I can send you (off-list) the details of my setup for this attack. By the way, I encourage other people on the list to verify the attacks in different scenarios.
Gabi
From: Rémi Denis-Courmont <remi@remlab.net>
To: Gabi Nakibly <gnakibly@yahoo.com>
Cc: v6ops <v6ops@ops.ietf.org>; secdir@ietf.org; ipv6@ietf.org
Sent: Monday, August 17, 2009 7:54:06 PM
Subject: Re: Routing loop attacks using IPv6 tunnels
On Monday 17 August 2009 18:21:12 Gabi Nakibly, you wrote:
> Hi all,
> I would like to draw the attention of the list to some research results
> which my colleague and I at the National EW Research & Simulation Center
> have recently published. The research presents a class of routing loop
> attacks that abuses 6to4, ISATAP and Teredo. The paper can be found at:
>
> http://www.usenix.org/events/woot09/tech/full_papers/nakibly.pdf
Attack E has been known for at least 2 years, though I do not have a Microsoft
implementation to verify: http://www.remlab.net/miredo/mtfl-sa-0603.shtml.en
Note that it *does* affect Linux-based in the sense that a non-privileged
local user could screw up (an unlikely scenario on a Teredo server, anyway).
I'm now trying to verify attack D.
--
Rémi Denis-Courmont
http://www.remlab.net/