Discussion:
[ipv6hackers] ICMPv6 RA ignored with EH
Matej Gregr
2014-11-03 15:48:40 UTC
Hello,
I have noticed, that recent OSs (Windows, Ubuntu) ignore ICMPv6 RA if
the packet contains any EH - e.g. destination options. Is this behaviour
documented in some RFC/draft? I am aware of RFC 6980, but the RFC
forbids only fragmentation header in ND protocol not all extension headers.

Thanks,

M.
Eric Vyncke (evyncke)
2014-11-03 16:30:19 UTC
This would be a kind of good news (albeit too strict IMHO), perhaps an
overzealous interpretation of RFC 7112?

Can you confirm this behavior? Again, this would be GOOD news because
networking devices can do only a limited amount of checks on RA for a
reasonable price

-éric
_______________________________________________
Ipv6hackers mailing list
http://lists.si6networks.com/listinfo/ipv6hackers
Matej Gregr
2014-11-03 17:33:02 UTC
Yes Éric, I can confirm it. If I send an ICMPv6 RA, Windows 7 and Ubuntu
14.04 accept the packet and configure themselves accordingly. If I send
the same packet with destination option header, the packet is ignored.
Windows firewall, ip6tables are turned off. Centos 6.5 still accepts RA
with any EH. Yes, I agree, that ignoring RA with EH is a good thing from
the security point of view, but, doesn't this behaviour violate the RFC
2460?

M.
Antonios Atlasis
2014-11-03 18:02:28 UTC
Hi Matej,

can you please clarify the exact options that you use in the Destination
Options header? If I recall correctly from some tests of mine, there were
cases that some OS respond to some packets when for instance some valid or
specific Options are used in the EH and not in other cases. I am just
wondering if this is the case in your tests too, or if your findings are
more generic one.

Best

Antonios
Matej Gregr
2014-11-03 19:46:12 UTC
Hi Antonios,
I used empty option, Hop-by-Hop router alert, destination options home
agent. All options are ignored. Which option did you use in your tests?

M.
Antonios Atlasis
2014-11-03 19:54:41 UTC
Hi Matej,

thanks for your reply.
Post by Matej Gregr
Hi Antonios,
I used empty option, Hop-by-Hop router alert, destination options home
agent. All options are ignored.
As Jen pointed out correctly, if you use the same Options in Echo Request
messages, for instance, do you get a reply back? Or it is just in the case
of RAs?

Post by Matej Gregr
Which option did you use in your tests?
I am currently abroad, and I have not my files with me but I will try to
reproduce some of them very quickly and I will come back.

Best

Antonios
Jen Linkova
2014-11-03 18:10:43 UTC
Post by Matej Gregr
Hello,
I have noticed, that recent OSs (Windows, Ubuntu) ignore ICMPv6 RA if
the packet contains any EH - e.g. destination options. Is this behaviour
documented in some RFC/draft? I am aware of RFC 6980, but the RFC
forbids only fragmentation header in ND protocol not all extension headers.
The question is 'is the system in question dropping just RAs or *any*
IPv6 packet with a Destination Option header'.
Because it's quite possible that any v6 packets containing the
Destination Option header (I also assume that the header is correctly
formed and has the correct Option Type set) are getting dropped.
--
SY, Jen Linkova aka Furry
Matej Gregr
2014-11-03 20:11:52 UTC
Post by Jen Linkova
Post by Matej Gregr
Hello,
I have noticed, that recent OSs (Windows, Ubuntu) ignore ICMPv6 RA if
the packet contains any EH - e.g. destination options. Is this behaviour
documented in some RFC/draft? I am aware of RFC 6980, but the RFC
forbids only fragmentation header in ND protocol not all extension headers.
The question is 'is the system in question dropping just RAs or *any*
IPv6 packet with a Destination Option header'.
Because it's quite possible that any v6 packets containing the
Destination Option header (I also assume that the header is correctly
formed and has the correct Option Type set) are getting dropped.
Hello Jen,
no, only ICMPv6 RA (maybe NS/NA also, but I haven't checked them yet).
The other traffic is ok. E.g. I can receive reply for ping, where the
echo-request has DO included or I can create a TCP connection even if
the DO is included.

M.
Fernando Gont
2014-11-24 06:47:30 UTC
Hi, Matej,
Post by Matej Gregr
Hello Jen,
no, only ICMPv6 RA (maybe NS/NA also, but I haven't checked them yet).
The other traffic is ok. E.g. I can receive reply for ping, where the
echo-request has DO included or I can create a TCP connection even if
the DO is included.
FWIW, this might be a desired feature, or a bug resulting from the
internals of how the "RA advertising daemon" is implemented. Dumb
example: if you were to code the RA daemon by using, say, libpcap and
you enforced a filter based on the "Next Header" value of the main IPv6
header, packets with any EHs would not pass the filter and would hence get
dropped. -- most likely this is not how the daemon you're employing is
implemented.. but I guess there could be something like this going on in
some implementations of the IP6 Sockets API?

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: ***@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
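
The libpcap hypothesis in the message above, as an added example (not code from the thread or from any RA implementation): a check that looks only at the Next Header byte of the fixed IPv6 header misses an RA that follows a Destination Options header, while a walk of the extension header chain finds it. The packet bytes are constructed samples with the ICMPv6 checksum left at zero, and all function names are hypothetical.

```python
import struct

ICMPV6, RA_TYPE = 58, 134
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60

def ipv6_packet(next_header, payload):
    """Constructed sample packet: fixed IPv6 header fe80::1 -> ff02::1, hop limit 255."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

# Constructed RA body: type 134, code 0, checksum left at 0 (not validated here),
# cur hop limit 64, flags 0, router lifetime 1800 s, reachable/retrans timers 0.
RA = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
# Constructed 8-byte Destination Options header: next header ICMPv6, length 0, PadN(4).
DEST_OPTS_HDR = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])

def naive_is_ra(pkt):
    """Tests only the fixed header's Next Header byte, like the pcap filter
    'ip6[6] == 58 and ip6[40] == 134'."""
    return len(pkt) > 40 and pkt[6] == ICMPV6 and pkt[40] == RA_TYPE

def upper_layer(pkt):
    """Walk Hop-by-Hop, Routing and Destination Options headers.
    Returns (protocol, offset) of the upper layer, or (None, None) if truncated.
    A Fragment header is not walked: RFC 6980 forbids it for ND, so such a packet
    is reported as protocol 44 and never matches as an RA."""
    nh, off = pkt[6], 40
    while nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
        if off + 8 > len(pkt):
            return None, None
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return nh, off

def chain_is_ra(pkt):
    """True when the upper-layer header reached through the chain is an ICMPv6 RA."""
    nh, off = upper_layer(pkt)
    return nh == ICMPV6 and off < len(pkt) and pkt[off] == RA_TYPE

if __name__ == "__main__":
    plain = ipv6_packet(ICMPV6, RA)
    with_do = ipv6_packet(DEST_OPTS, DEST_OPTS_HDR + RA)
    for name, pkt in (("plain RA", plain), ("RA + Dest Opts", with_do)):
        print(f"{name:15} naive={naive_is_ra(pkt)} chain={chain_is_ra(pkt)}")
```

The same divergence between the two checks is what a monitoring or RA-filtering device has to account for when it inspects only a fixed offset.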