IETF Moves to Fix Critical IPv6 Security Flaw

Internet Engineering Task Force (IETF) engineers, reacting with unusual speed, have moved to address a serious security lapse in IPv6 before it becomes too widespread.

The bug, involving Type 0 Routing Headers, could allow attackers to greatly magnify the effectiveness of denial-of-service attacks, and was highlighted at a presentation at the CanSecWest security conference earlier this month. It is, in fact, the reappearance of an old problem that was eliminated from the current IPv4 system long ago.

The Type 0 RH bug is dangerous in itself, but according to security experts, its real significance is what it portends for the Internet as IPv6 becomes more widespread. It seems that IPv6 engineers have repeated many of the mistakes that existed in the old system, which are likely to take many users by surprise.

“The Type 0 RH mechanism is of no use, except for attackers, [and the] side effects against the whole infrastructure are terrible,” said Philippe Biondi and Arnaud Ebalard, security researchers from EADS, at their CanSecWest presentation on the issue. “IPv6 designers did not learn from IPv4 on that point. [They] also forgot some IPv4 best practices.”

Following the presentation, a number of organizations issued security alerts on the issue, advising users to switch off Type 0 RH handling or block packets using the mechanism.

Engineers have now submitted two proposals to the IETF on how to address the problem, either by switching Type 0 RH handling off by default or removing it from IPv6 entirely. Because IPv6 is still not very widely deployed, industry analysts have said they expect the problem to be removed entirely within three years.

But the real problem is that other such issues are likely to pop up as IPv6 moves more toward the mainstream, since it appears that the technology has repeated many of the mistakes originally built into IPv4. While many of IPv4’s bugs have been ironed out over time, those same issues will be encountered all over again as IPv6 is deployed, according to security experts.

The Type 0 RH mechanism allows a packet’s sender to indicate how the packet should be routed, overriding the routing knowledge present in a network—roughly equivalent to the “source routing” option in IPv4, according to security experts.

The problem is that there is no mechanism for preventing IPv6 routing headers from being used to route packets over the same link or links many times, so that an attacker can use the mechanism to make denial-of-service attacks more than 80 times more effective. This same problem has led to the effective elimination of IPv4 source routing.

“An attacker can ‘amplify’ a denial of service attack against a link between two vulnerable hosts; that is, by sending a small volume of traffic the attacker can consume a much larger amount of bandwidth between the two vulnerable hosts,” said FreeBSD developers in a security advisory.

In addition, FreeBSD said, “an attacker can use vulnerable hosts to ‘concentrate’ a denial of service attack against a victim host or network; that is, a set of packets sent over a period of 30 seconds or more could be constructed such that they all arrive at the victim within a period of 1 second or less.”

Specific attack scenarios envisioned by Biondi and Ebalard include a “one packet crash” for IPv6-enabled Cisco routers, and the prospect of being able to “crash the IPv6 Internet” or “plug off a country with a single packet.”

IPv4’s source routing feature allowed for similar attacks, but on a much smaller scale.

Other security implications, according to researchers, include performing remote network discovery, bypassing firewalls and getting around the Anycast system that has been put in place to protect the Internet’s core DNS servers from DoS attacks.

FreeBSD is advising users to put a solution in place that causes Type 0 routing headers to be ignored.

-Matthew Broersma, Techworld.com