Proper client behavior in presence of multiple router advertisements?
Shadow Hawkins on Saturday, 24 January 2009 22:48:14
I'm wondering what is the proper IPv6 client behavior when in the presence of multiple routers sending out router advertisements -- that is, when a client is receiving more than one set of stateless autoconfig addressing information and more than one default route.
I've been experimenting with a similar situation and it seems the client gets broken. What I'm observing is that the client gets two global addresses and two default routes. However, its use of these is flawed. It may pick one of the addresses to use and one of the routes to use -- but those may not MATCH. Thus, it may send a packet using the default router it derived from one router advertisement but using the source network address it derived from the other router advertisement. Naturally, when this sort of packet gets sent up the SixXS tunnel, the router at the first hop rejects it -- it bounces back: "ICMPv6 Unreachable (Port unreachable)".
Looking at RFC2461, I don't see any guidance on what should happen in the presence of multiple RA's. I also found that a draft standard is in the works to iron out this ambiguity. Interestingly, radvd has had support for this draft's provisions for years. However, major OS's don't seem to. In my testing, neither OSX 10.5.6, XP SP3, nor Linux 2.6.18-92.1.22.el5 support the draft (although new Linux kernels may).
Does this mean that an IPv6 segment can be practically brought down simply by a second set of router advertisements?
Jeroen Massar on Monday, 26 January 2009 01:44:26
> Does this mean that an IPv6 segment can be practically brought down simply by a second set of router advertisements?
That is correct, but that is the case at hand with all methods where you have the ability to send packets onto a local network, e.g. by faking arps/dhcp/etc etc etc to basically man in the middle a local network.
As such, ALWAYS make sure that all nodes on a network are secure and restrict access to your network.
In the case of a wrong source address, you won't get ICMP "Port Unreachables", those should be "Admin Unreachables".
It is quite difficult to defend against this unless the switches in your network can snoop it. The RA-attack can be fully spoiled of course by sticking every host in its own VLAN, then you completely cut them off. You will be breaking things like SMB then though unless you configure them to forward their announcements to the other VLANs (but then your network is vulnerable still again on that spot ;) Better keep everything secure then (which of course simply is not always 100% possible as everything can be hacked and broken)...
Running arpwatch, doing 802.1x (that is L2 Authentication, not the Wireless standards) are thus good steps to at least avoid unknown nodes getting onto your network. You then still need to secure the individual hosts. Monitoring then for new RAs, new MACs and then unsuspected traffic is the next step.
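The monitoring for new RAs mentioned in the reply above, as an added example that is not part of the original thread: it parses the ICMPv6 Router Advertisement body and flags any sender or prefix that is not on an allowlist. The function names, the allowlist and the sample packets (documentation addresses and MACs) are constructed for illustration; capturing the packets is outside the block.

```python
import ipaddress
import struct

RA_TYPE, OPT_SLLA, OPT_PREFIX = 134, 1, 3  # ICMPv6 type and option numbers

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (checksum is not verified here)."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        raise ValueError("not a router advertisement")
    ra = {"lifetime": struct.unpack_from("!H", icmp, 6)[0], "mac": None, "prefixes": []}
    off = 16  # options follow the fixed 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        body = icmp[off:off + opt_len]
        if opt_type == OPT_SLLA and opt_len == 8:
            ra["mac"] = body[2:8].hex(":")  # source link-layer address
        elif opt_type == OPT_PREFIX and opt_len == 32:
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append(str(net))
        off += opt_len
    return ra

def check_ras(events, allowed):
    """events: (source address, RA bytes) pairs; allowed: {source: set of prefixes}."""
    alerts = []
    for src, raw in events:
        ra = parse_ra(raw)
        if src not in allowed:
            alerts.append(("unknown-router", src, ra["mac"], ra["prefixes"]))
            continue
        extra = [p for p in ra["prefixes"] if p not in allowed[src]]
        if extra:
            alerts.append(("unexpected-prefix", src, ra["mac"], extra))
    return alerts

def build_ra(mac, prefix, lifetime=1800):
    """Build a constructed RA for the sample below (checksum left at zero)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    slla = bytes([OPT_SLLA, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + slla + pio + net.network_address.packed

# Constructed sample: the expected router plus a second, unlisted RA sender.
ALLOWED = {"fe80::1": {"2001:db8:1::/64"}}
SAMPLE = [("fe80::1", build_ra("00:00:5e:00:53:01", "2001:db8:1::/64")),
          ("fe80::2", build_ra("00:00:5e:00:53:02", "2001:db8:2::/64"))]
```

Calling `check_ras(SAMPLE, ALLOWED)` returns one `unknown-router` alert for the second sender, which is the situation the thread describes: a second set of advertisements appearing on the segment.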
Shadow Hawkins on Monday, 26 January 2009 19:05:29
Faking arps/man in the middle require some sort of malice -- although, granted, someone bringing up a rogue radvd takes no more of a mistake than a rogue DHCP. I guess it's a matter of hackproof vs. foolproof. Nothing, of course, is hackproof, but as more intelligence can be built into protocols, they can become more foolproof.
To the point, this IPv6 behavior seems so avoidable. When a client has more than one global address, why doesn't it ONLY use a source address that matches the default router it's using? Isn't that a no-brainer? In IPv4, if an interface had multiple aliases, it wouldn't communicate with the router on one alias' network using the source address from another alias.
It seems to me, the logical way to handle multiple default routes would be to use one route (along with its matching source address) and simply hold the other in case the other one expired, which would provide some sort of redundancy. Instead, it just breaks. Am I overlooking something?
> In the case of a wrong source address, you won't get ICMP "Port Unreachables", those should be "Admin Unreachables".
Wireshark is showing "Port Unreachable":
Internet Control Message Protocol v6
Type: 1 (Unreachable)
Code: 4 (Port unreachable)
Checksum: 0x559e [correct]
Internet Protocol Version 6
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 16
Next header: ICMPv6 (0x3a)
Hop limit: 62
Source: 2001:0db8:1234:5::2 (2001:0db8:1234:5::2)
Destination: 2001:838:1:1:210:dcff:fe20:7c7c (2001:838:1:1:210:dcff:fe20:7c7c)
Jeroen Massar on Wednesday, 28 January 2009 12:56:21
> It seems to me, the logical way to handle multiple default routes would be use one route (along with its matching source address) and simply hold the other in case the other one expired, which would provide some sort of redundancy. Instead, it just breaks. Am I overlooking something?
Yes, that implementations are immature ;)
Providing patches and comments to the implementors is the only way.
Generally people only have 1 prefix in their network and then you don't run into this.