[OCCAID] Routing Header 0 Vulnerability
James
james at towardex.com
Tue Apr 24 11:16:34 EDT 2007
Many of you are probably already aware of this:
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
We're in the process of taking the following steps to mitigate the impact on our network:
For areas where Cisco based platform is or will be in use: "no ipv6 source-route" command is being applied to turn off RH processing.
For areas where stock FreeBSD 5.x and 6.x is or will be in use: will require upgrade to apc6 patch. Ip6fw may be temporarily used to filter RH0s, but boxes using pf(4) without ip6fw loaded may be required to upgrade anyway.
For areas where apc4 based FreeBSD 4.11 is or will be in use (note that 80% of OCCAID routers run on apc4-fbsd4.11 platform): mls apc during its forwarding stage defers all requests for hop-by-hop and routing header options to interface "lo0" for further processing by standard kernel's TCP/IPv6 stack. Route Processor receive-path filters are being applied on lo0 to prevent routing headers from ever reaching the kernel TCP/IPv6 stack.
Feasibilities and options to filter RH0 network-wide are being looked into as well.
It will take a number of weeks to get the mitigation procedures applied to all routers throughout the AS.
regards,
james
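The filtering the post describes (ip6fw rules on FreeBSD, receive-path filters on lo0) comes down to one check: walk the IPv6 extension-header chain and drop any packet that carries a Routing Header of type 0. The Python below is an added example written for this archive page, not code from the post, from OCCAID, or from ip6fw; it parses the header chain of a packet, reports the RH0 if present (segments left and the address list), and returns a drop/pass verdict. The packets it inspects are constructed inline (addresses from the 2001:db8::/32 documentation range, an ICMPv6 echo with a zeroed checksum) so it runs offline.

```python
import struct
import ipaddress

# IPv6 protocol numbers of the extension headers that may precede a routing header.
HOP_BY_HOP = 0
ROUTING = 43
FRAGMENT = 44
AUTH = 51
DEST_OPTS = 60
RH_TYPE0 = 0            # the deprecated routing header type (RFC 5095)
MAX_EXT_HEADERS = 8     # bound on how many extension headers we are willing to walk


def find_rh0(packet: bytes):
    """Walk the extension-header chain of an IPv6 packet.

    Returns a dict describing the first type 0 routing header found
    (byte offset, segments left, listed addresses), or None if the packet
    is not IPv6, is truncated, or carries no RH0."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None                          # not a complete IPv6 header
    next_hdr = packet[6]
    offset = 40
    for _ in range(MAX_EXT_HEADERS):
        if offset + 2 > len(packet):
            return None                      # chain runs past the end of the packet
        if next_hdr == ROUTING:
            if offset + 4 > len(packet):
                return None
            nh, ext_len, rtype, seg_left = packet[offset:offset + 4]
            hdr_len = (ext_len + 1) * 8      # length field counts 8-octet units, first 8 excluded
            if rtype == RH_TYPE0:
                data = packet[offset + 8:offset + hdr_len]   # 4 reserved bytes skipped
                addrs = [str(ipaddress.IPv6Address(data[i:i + 16]))
                         for i in range(0, len(data) // 16 * 16, 16)]
                return {"offset": offset, "segments_left": seg_left, "addresses": addrs}
        elif next_hdr in (HOP_BY_HOP, DEST_OPTS):
            nh, ext_len = packet[offset], packet[offset + 1]
            hdr_len = (ext_len + 1) * 8
        elif next_hdr == FRAGMENT:
            nh, hdr_len = packet[offset], 8  # fragment header is fixed size
        elif next_hdr == AUTH:
            nh, ext_len = packet[offset], packet[offset + 1]
            hdr_len = (ext_len + 2) * 4      # AH length is in 4-octet units
        else:
            return None                      # reached an upper-layer header (TCP, UDP, ICMPv6, ...)
        next_hdr, offset = nh, offset + hdr_len
    return None


def rh0_filter_verdict(packet: bytes) -> str:
    """Policy matching the mitigation in the post: drop any packet carrying an RH0,
    whatever its segments-left value, so the router never processes it."""
    return "drop" if find_rh0(packet) is not None else "pass"


def build_packet(with_rh0: bool) -> bytes:
    """Constructed sample packet: IPv6 + hop-by-hop options (+ optional RH0) + ICMPv6 echo."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    hops = [ipaddress.IPv6Address("2001:db8::a").packed,
            ipaddress.IPv6Address("2001:db8::b").packed]
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1])          # echo request, checksum left zero (constructed)
    if with_rh0:
        # hop-by-hop: next header = routing, ext len 0 (8 bytes), PadN option filling 4 bytes
        hbh = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])
        # RH0: next header = ICMPv6 (58), ext len 4 (40 bytes), type 0, segments left = 2
        rh0 = bytes([58, 4, RH_TYPE0, len(hops)]) + b"\x00" * 4 + b"".join(hops)
        payload = hbh + rh0 + icmp
    else:
        hbh = bytes([58, 0, 1, 4, 0, 0, 0, 0])
        payload = hbh + icmp
    # version 6, traffic class 0, flow label 0; payload length; next header; hop limit 64
    header = struct.pack("!IHBB", 0x60000000, len(payload), HOP_BY_HOP, 64) + src + dst
    return header + payload


if __name__ == "__main__":
    for flag in (True, False):
        pkt = build_packet(flag)
        print(rh0_filter_verdict(pkt), find_rh0(pkt))
```

The chain walk matters because an RH0 need not be the first extension header: it can sit behind hop-by-hop or destination options, which is exactly why a filter that only looks at the IPv6 next-header byte misses it. The verdict function drops RH0 packets even when segments left is zero, which is the conservative choice the post's filtering takes.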