[Bro-Dev] bro-2.1 IPv6, headers, evasion and other fun things

Gregor Maier gregor at icir.org
Wed Feb 29 08:32:08 PST 2012

>> 4) IDS connection caching issue: Since IPv6 doesn't support
>> fragmentation, a Sender has to keep a copy of the packet in the IP stack
>> because the application doesn’t know if routers are going to fragment or
>> not and the sender has to account for a possible ICMP error with frag bit
>> set. The IDS has to be able to account for such situations and
>> re-transmissions.
> Hm.  IPv6 does support fragmentation but routers won't perform the fragmentation, it has to be done by the end point after doing PMTU with ICMPv6 (which we are going to support).  Could you explain more about what you meant?

The stack doesn't have to cache the packet. Does it really do that?  For 
TCP the stack can just rely on TCP retransmissions. Other IP packets are 
best effort anyways. And, as Seth pointed out, the sender should do PMTU 
first anyways.

>> 5) Neighbor discovery attack: ICMP6 can broadcast an address for someone
>> else. It assumes that the network is secure. Also, ICMP6 messages are
>> routable, whereas with ARP this was not a problem because ARP is/was
>> local to a subnet only.

Neighbor discovery is limited to the local subnet only as well. The 
multicast address used has link-local scope. Routers should never 
forward these packets. So it should be just as (in-)secure as ARP.

OTOH, a forged router advertisement message can become a problem, since it 
allows for an incredibly easy way to redirect traffic. However, this too 
is a link-local problem.

>> 6) Address Priority issues: It is possible that part of an attack uses a
>> link local address and another part uses the site address. BRO needs to
>> maintain a state which can account for all the IPs assigned and used
>> by the host to assemble a connection/attack etc.
> You should only be able to see link local addresses if you are monitoring within a broadcast domain but even in that case I expect that over time people will figure out how to start profiling hosts and compiling lists of addresses that are all used by the same host.

Well, you can have multiple globally routable IPv6 addresses per host 
(cf. router advertisements). But in this case the 64 host bits uniquely 
identify a host even across prefixes (since they are based on the MAC 
address). (However, I can't recall how the privacy extensions for 
creating the host part work -- they might change that.)

In any case, this will only affect attacks that span multiple 
connections, since you can't change the destination IP within a connection.
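The two points Gregor makes above, that neighbor discovery and router advertisements are link-local in scope, and that the EUI-64 host bits tie a host's addresses together across prefixes unless privacy extensions are in play, are easy to check mechanically. The following is an added example written for this page; it is not code from the thread or from Bro. It uses only the Python standard library, and every MAC address and IPv6 address in it is a constructed sample value. The `nd_sanity_problems` checks (hop limit 255, RA source must be link-local) are the RFC 4861 requirements an IDS can test without any protocol state; the scope names come from RFC 4291.

```python
"""Added example, not code from the bro-dev thread or from Bro itself.
Helpers for: (a) deciding whether an ND / RA packet could have crossed a
router, and (b) linking a host's addresses across prefixes via the
modified EUI-64 interface identifier.  All MACs/addresses are constructed.
"""
import ipaddress

IID_MASK = (1 << 64) - 1

# Multicast scope nibble in ff0X::/16 -> name (RFC 4291 section 2.7).
MCAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                5: "site-local", 8: "organization-local", 14: "global"}


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A):
    split the 48-bit MAC, insert ff:fe, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures from a /64 (learned via RA) and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))


def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address (the 'host bits' from the message)."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def looks_like_eui64(iid: int) -> bool:
    """MAC-derived IIDs carry ff:fe in their middle two bytes.  Privacy
    extension (RFC 4941) or manually assigned IIDs normally do not."""
    return (iid >> 24) & 0xFFFF == 0xFFFE


def same_eui64_host(a: str, b: str) -> bool:
    """True only if both addresses share a MAC-derived IID, so the match
    is meaningful; '::1' under two prefixes must not count as one host."""
    iid_a, iid_b = interface_id(a), interface_id(b)
    return iid_a == iid_b and looks_like_eui64(iid_a)


def address_scope(addr: str) -> str:
    """Scope of a unicast or multicast address as seen in an ND/RA packet."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        return MCAST_SCOPES.get((int(a) >> 112) & 0xF, "reserved")
    if a.is_link_local:
        return "link-local"
    if a.is_site_local:  # deprecated fec0::/10, still seen on old hosts
        return "site-local"
    return "global"


def nd_sanity_problems(src: str, dst: str, hop_limit: int, is_router_adv: bool) -> list:
    """Stateless checks from RFC 4861: every ND message must arrive with hop
    limit 255 (a forwarded one cannot), and a router advertisement must come
    from a link-local source and go to a link-local destination.  Returns the
    list of violations, empty if the packet is clean."""
    problems = []
    if hop_limit != 255:
        problems.append("hop limit %d != 255, packet may have been forwarded" % hop_limit)
    if is_router_adv:
        if not ipaddress.IPv6Address(src).is_link_local:
            problems.append("router advertisement from non-link-local source %s" % src)
        if address_scope(dst) != "link-local":
            problems.append("router advertisement to non-link-local destination %s" % dst)
    return problems


if __name__ == "__main__":
    mac = "00:1b:21:12:34:56"                    # constructed sample MAC
    glob = slaac_address("2001:db8:1::/64", mac)  # global address from an RA prefix
    link = slaac_address("fe80::/64", mac)        # link-local address, same IID
    print(glob, link, same_eui64_host(str(glob), str(link)))
    print(address_scope("ff02::1:ff12:3456"))     # solicited-node multicast
    print(nd_sanity_problems("2001:db8::1", "ff02::1", 64, True))
```

Note the limits of the cross-prefix correlation: it only works while hosts still build their IID from the MAC; a host using RFC 4941 temporary addresses presents a random IID per prefix and per lifetime, which is exactly the case the message says it cannot recall.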

