From: Rémi Denis-Courmont <remi@remlab.net>
To: Gabi Nakibly <gnakibly@yahoo.com>
Cc: v6ops <v6ops@ops.ietf.org>; secdir@ietf.org; ipv6@ietf.org
Sent: Tuesday, August 18, 2009 2:51:30 PM
Subject: Re: Routing loop attacks using IPv6 tunnels
On Tue, 18 Aug 2009 02:29:58 -0700 (PDT), Gabi Nakibly <gnakibly@yahoo.com> wrote:
> Indeed, the vulnerability of attack 5 was noted and fixed in Miredo.
> However, I am not aware of any updates to the Teredo specification to
> mitigate it. This means that new implementations will always be vulnerable
> as in the case of Windows Server 2008 R2. This vulnerability was reported
> to Microsoft a few months ago. They have reproduced it on their end. A fix
> should be released in the next RC.
> I did not realize that the attack can be successful also on Linux. Thanks
> for the correction.
Well, it is as simple as not looping packets back to yourself, isn't it?
There could be a warning in the spec, but it's really an implementation
error, I think.
> Please let me know the results of your check on attack #4. If you wish, I
> can send you (off-list) the details of my setup for this attack. By the
> way, I encourage other people on the list to verify the attacks in
> different scenarios.
I managed to reproduce it. Single-homed NATs have absolutely no excuse for
forwarding a packet with their own IP address as the source. But yeah -
there is a problem.
--
Rémi Denis-Courmont