Walking through FreeBSD IPv6 stack
Clement Lecigne
clem1@FreeBSD.org
George V. Neville-Neil
gnn@FreeBSD.org
August 14, 2006
Abstract
IPv6 is beginning to be widely deployed around the world. More and
more operating systems, like FreeBSD, enable IPv6 by default. Indeed,
some IPv6 stacks were born during the last few years. Among these
stacks, we can distinguish two freely available and open
implementations: KAME, mainly developed by six companies in Japan and
implemented in {Free,Open,Net}BSD, and USAGI, developed by volunteers
from Japan and implemented in the Linux kernel. Currently, IPv6 stacks
cohabit peacefully with IPv4 stacks. These new implementations added
in kernel land have been written and coded by humans, and they have
already left behind some bugs, vulnerabilities and possible attacks.
Even though the first RFC that describes this protocol was released in
1995, IPv6 is pretty new and we are just beginning to see research,
books and papers that cover this protocol. Thus IPv6 was my project
for this Google Summer of Code. More precisely, the project, proposed
by FreeBSD, covers the security of the IPv6 protocol. The initial job
was to review the IPv6 stack vulnerabilities of the last few years and
see whether they were fixed in the KAME IPv6 stack used by FreeBSD,
but I extended the project by trying to find new vulnerabilities, new
attacks and so on. This paper tries to give an overview of the work
done.
1 Introduction
A few years ago, security was one of the main goals when the basic
design of IPv6 was decided. Indeed, IPv6 implements some security
features like IPsec, end-to-end fragmentation handling and so on.
Nowadays, security is a motivating factor for moving to IPv6. We can
therefore ask whether security in IPv6 is really safer than in IPv4.
This question summarizes my project for this Google Summer of Code,
and this paper tries to answer it by describing the work done around
IPv6 security. It covers a number of different things. The main goal
of this document is to come up with a list of possible IPv6 attacks, a
description of the oldest vulnerabilities, an overview of the newest
ones found in the KAME IPv6 stack, some new ways to do OS
fingerprinting and finally a list of tricks to evade or bypass IDSs or
firewalls. Moreover, this paper also explains various mitigation
techniques and describes new tools developed during this summer.
Interested readers will be able to evaluate other IPv6 stack
implementations and/or protect their own IPv6 network.
2 Library improvements
Before getting started playing with the IPv6 stack and possible
attacks, I improved two different libraries that allow me to forge
IPv6 packets easily. The first one is the well-known libnet library
written by Mike D. Schiffman, which “makes programmer life easier”.
Libnet has pretty poor and partial IPv6 support. Because libnet is
still widely used, I do think that improving its IPv6 support can be
useful to someone. This way, programs that use libnet could be ported
to IPv6 without much difficulty. The second one is a Python packet
manipulation library called PCS, written by my mentor George
Neville-Neil. PCS stands for Packet Construction Set and is a very
powerful library that allows me to build packets in a couple of
seconds.
This part briefly describes what was done around both of these
libraries.
2.1 Libnet improvements
As I said above, libnet suffers from poor IPv6 support. You can only
write basic IPv6 packets and cannot play with new features like
ICMPv6. However, libnet is really well written and its author had
anticipated this implementation (i.e. naming convention). Thus, adding
IPv6 support to libnet was very easy, like adding a new packet
builder.
2.1.1 What has been made?
So here is a list of things made around IPv6 in libnet:
- IPv6 with extension headers support
- ICMPv6 support
- IPComp support
And what I plan to add:
- DHCPv6 support
- DNSSEC support
- Teredo support
2.1.2 One example
Instead of enumerating each new API one by one, let us write a sample
program that uses these new APIs to send an ICMPv6 echo request
message.
There is no particular difference from IPv4, except that we must use
the link layer interface (e.g. bpf) to send out our packets. Indeed,
unlike a raw IPv4 socket, a raw IPv6 socket does not allow complete
manipulation of the IPv6 header. There is no IPv6 analog to the
IP_HDRINCL socket option. However, Linux does not respect the RFC and
accepts IP_HDRINCL on an IPv6 socket. This behavior has been
implemented in libnet, and on Linux systems we can send IPv6 packets
through a raw socket (i.e. LIBNET_RAW6).
Here are the steps that we must follow in order to send an ICMPv6 echo
request. Full source code can be reached here.
1: l = libnet_init(LIBNET_LINK, "ral0", errbuf);
2: source = libnet_name2addr6(l, "dead::beef", 0);
3: libnet_build_icmpv6_echo(...);
4: libnet_build_ipv6(...);
5: libnet_build_ethernet(...);
6: libnet_write(l);
1. Create a link layer socket using the ral0 interface.
2. Convert the IPv6 address into network format.
3. Build the ICMPv6 echo request header. The parameters are the same
as for its ICMPv4 analog. If the checksum field is set to zero, libnet
will compute it automatically.
4. Build the IPv6 header, including the source IP, destination IP and
hop limit. The size of the IPv6 header must not be included in the
IPv6 header length field.
5. Build the Ethernet header, including the hardware addresses and the
ethertype set to 0x86dd (ETHERTYPE_IPV6).
6. The packet is ready to be sent.
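The following C code is an added example, not taken from the paper or from libnet. It builds the same Ethernet + IPv6 + ICMPv6 echo request frame by hand in a buffer, to show what steps 3 to 5 put on the wire: the pseudo-header checksum, a payload length that excludes the 40-byte IPv6 header, and the 0x86dd ethertype. The names build_echo6 and echo6_valid, the hop limit of 64 and the zero id/sequence are assumptions of the example; nothing is sent.

```c
#include <stdint.h>
#include <string.h>

#define ETHERTYPE_IPV6 0x86dd
#define IP6_HLEN       40      /* fixed IPv6 header size */
#define NXT_ICMPV6     58

/* One's-complement sum of big-endian 16-bit words (RFC 1071). */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (n) acc += (uint32_t)p[0] << 8;
    return acc;
}

/* ICMPv6 checksum: pseudo-header (addresses, length, next header) + message. */
static uint16_t icmp6_cksum(const uint8_t *ip6, const uint8_t *icmp, size_t len) {
    uint32_t acc = sum16(ip6 + 8, 32, (uint32_t)len + NXT_ICMPV6);
    acc = sum16(icmp, len, acc);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Build Ethernet + IPv6 + ICMPv6 echo request in buf; returns frame length, 0 on error. */
size_t build_echo6(uint8_t *buf, size_t cap, const uint8_t *smac, const uint8_t *dmac,
                   const uint8_t *src, const uint8_t *dst, const uint8_t *data, size_t dlen) {
    size_t icmp_len = 8 + dlen, total = 14 + IP6_HLEN + icmp_len;
    if (dlen > 0xffff - 8 || total > cap) return 0;
    uint8_t *ip6 = buf + 14, *icmp = ip6 + IP6_HLEN;
    memset(buf, 0, total);
    memcpy(buf, dmac, 6); memcpy(buf + 6, smac, 6);
    buf[12] = ETHERTYPE_IPV6 >> 8; buf[13] = ETHERTYPE_IPV6 & 0xff;
    ip6[0] = 0x60;                                    /* version 6 */
    ip6[4] = icmp_len >> 8; ip6[5] = icmp_len & 0xff; /* payload length: 40-byte header NOT counted */
    ip6[6] = NXT_ICMPV6; ip6[7] = 64;                 /* next header, hop limit (assumed 64) */
    memcpy(ip6 + 8, src, 16); memcpy(ip6 + 24, dst, 16);
    icmp[0] = 128;                                    /* echo request; code, id, seq left 0 */
    if (dlen) memcpy(icmp + 8, data, dlen);
    uint16_t ck = icmp6_cksum(ip6, icmp, icmp_len);   /* checksum field is 0 while summing */
    icmp[2] = ck >> 8; icmp[3] = ck & 0xff;
    return total;
}

/* Receiver-side check: lengths agree and the checksum verifies to 0. */
int echo6_valid(const uint8_t *f, size_t n) {
    if (n < 14 + IP6_HLEN + 8 || f[12] != 0x86 || f[13] != 0xdd) return 0;
    size_t plen = ((size_t)f[18] << 8) | f[19];
    if ((f[14] >> 4) != 6 || f[20] != NXT_ICMPV6 || plen != n - 14 - IP6_HLEN) return 0;
    return icmp6_cksum(f + 14, f + 14 + IP6_HLEN, plen) == 0;
}
```

echo6_valid is the check a receiving stack or a sniffer applies: a frame whose payload length counts the IPv6 header, or whose checksum omits the pseudo-header, fails it.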
2.1.3 Where to get?
I have tried to contact Mike, the libnet author, in order to get my
changes into the stable libnet version, but unfortunately I have not
received any answer yet. So I have made a patch against the last
stable version of libnet that includes all my changes, and I have
written a quick web page with everything needed to build libnet with
my IPv6 support. This page can be reached here.
2.2 PCS
PCS is a set of Python modules and objects that make building network
protocol testing tools easier for the protocol developer. You can
build packets in a couple of seconds from scripts or directly through
the Python prompt. It is licensed under the BSD license.
2.2.1 What was made?
I have added pretty much the same things that I added to libnet, like
IPv6 with extension headers support, ICMPv6 support and so on.
2.2.2 A basic sample
Like above, let us write a basic sample to prove the power of PCS. . .