
IPv6 source routing: history repeats itself

May 2, 2007

This article was contributed by Jake Edge.

A feature slipped into the IPv6 protocol because of political, rather than technical, considerations and has, perhaps unsurprisingly, come back to haunt the IPv6 working group. It also prompted a recent Linux kernel release that disables a particular routing 'feature' of IPv6 by default, while still allowing administrators to enable it if they wish. Even a cursory look at the IPv6 routing header type 0 (RH0) might lead one to remember a similar IPv4 feature that eventually fell out of favor: source routing.

Mostly used as a diagnostic tool, source routing allows a packet to specify the route, as a list of IP addresses, that should be used to reply to it. This capability was abused in IP address spoofing attacks by enabling the spoofer to see responses that normally would be routed directly to the spoofed address. Because of this (and other source routing abuses), most routers are configured to drop packets that have source routing information and have been since the mid-90s. Ten years or more would seem to be enough time to ensure that the 'next generation' of IP (IPv6 was originally billed as 'IPng') missed out on repeating these mistakes of the past; sadly, that is not the case.

IPv6 introduces something called a 'routing header' into the protocol as part of the extension headers, which are meant to replace the IPv4 options field. Three types of routing header are defined, one of which is unused (type 1) and another which is only used by Mobile IPv6 implementations (type 2). It is the third (type 0) that is the cause of all the current uproar. Also known as RH0 headers, they contain a list of hosts to be 'visited' on the way back to the source address. It should be noted that the IPv6 RFC mentions IPv4 source routing as part of the description of RH0.

A presentation (PDF) at the CanSecWest 2007 conference outlined several vulnerabilities with RH0, and that led to the kernel changes in 2.6.20.9. The biggest vulnerability appears to be the amplification effect that can be caused by listing hosts multiple times in the 'route'. One packet can then cause what are essentially multiple copies of itself to be sent back and forth between the hosts listed in the header. This can be used to multiply the traffic in a denial of service attack as well as to mask the source of the attack. The BSD operating systems have also released new versions to address this problem, and the router vendors will not be far behind. (It should be noted that a bug in the original Linux fix was addressed in 2.6.20.10 and, because 2.6.21 had been released in the interim, in 2.6.21.1 as well.)
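To make the repeated-host pattern concrete from the filtering side, here is an added example (not code from the article, the presentation, or the kernel fix) that walks a packet's extension headers, finds a type 0 routing header and counts repeated hops. The header layout follows RFC 2460; the function names and the sample packet, built from 2001:db8:: documentation addresses, are constructed for illustration.

```python
import ipaddress
import struct

ROUTING = 43              # Next Header value of the IPv6 Routing header
SKIPPABLE = {0, 43, 60}   # Hop-by-Hop, non-RH0 Routing, Destination Options


def find_rh0(packet: bytes):
    """Return (segments_left, [hop addresses]) for a type 0 routing header, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header, offset = packet[6], 40
    while offset + 8 <= len(packet):
        following, ext_len = packet[offset], packet[offset + 1]
        size = (ext_len + 1) * 8              # length field excludes the first 8 octets
        if next_header == ROUTING and packet[offset + 2] == 0:
            body = packet[offset + 8:offset + size]
            if len(body) != size - 8 or ext_len % 2:
                raise ValueError("malformed or truncated RH0")
            hops = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)]
            return packet[offset + 3], hops
        if next_header not in SKIPPABLE:      # upper-layer or unhandled header: stop
            return None
        next_header, offset = following, offset + size
    return None


def assess(packet: bytes):
    """Summarise RH0 for a drop or alert rule; None means no RH0 is present."""
    found = find_rh0(packet)
    if found is None:
        return None
    segments_left, hops = found
    return {"segments_left": segments_left, "hops": len(hops),
            "repeated_hops": len(hops) - len(set(hops))}


def sample_packet(hops, routing_type=0):
    """Constructed input: IPv6 header plus one routing header, no payload."""
    packed = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    rh = struct.pack("!BBBB4x", 59, len(packed) // 8, routing_type, len(hops)) + packed
    ends = [ipaddress.IPv6Address(a).packed for a in ("2001:db8::1", "2001:db8::a")]
    return struct.pack("!IHBB", 6 << 28, len(rh), ROUTING, 64) + b"".join(ends) + rh


if __name__ == "__main__":
    print(assess(sample_packet(["2001:db8::b", "2001:db8::a"] * 2)))
```

A filter that drops on any non-None result matches the new kernel default described above; the `repeated_hops` count is useful mainly for alerting where RH0 has been deliberately re-enabled.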

Given that the problems with source routing are known and that the parallels between RH0 and source routing are also known, how did we get to the point where this kind of feature was added into IPv6? The Internet Engineering Task Force (IETF) IPv6 working group is discussing some of that in a thread on their mailing list. A memorable rant by Theo de Raadt seems to indicate that 'academics' in the process forced the inclusion of RH0 through politics. Paul Vixie commiserates and indicates that he sees it as more evidence that the IETF is largely irrelevant in setting internet standards today. In addition, no one responding to the thread seems to be able to come up with a particularly valid use case for the feature.

This would appear to be a classic case of ignoring the past and being doomed to repeat it, but it would also appear that the politics of standards bodies played a role. We certainly are not well served when political considerations trump security (or, really, any technical) considerations. Hopefully this will be yet another object lesson for those of a political bent.



IPv6 source routing: history repeats itself

Posted May 3, 2007 2:12 UTC (Thu) by imcdnzl (guest, #28899) [Link]

I think it's a bit disingenuous to blame the IETF. It's always easy to blame "them" (whoever them is) rather than "us" as it shifts the blame.

I've been implementing RFCs in the kernel and found issues with them too. However I went and told people in the IETF and worked with them and they fixed the issue. They also remarked about how O/S developers don't interact with the IETF. Yes it is a different culture (academic) but that is not an excuse.

We need the IETF - remember how there used to be Compuserve, AOL etc and all proprietary? The IETF is relevant as I'm sure nobody wants the Internet to stagnate.

So instead of blaming somebody, talk to them instead.

IPv6 source routing: history repeats itself

Posted May 3, 2007 2:42 UTC (Thu) by bronson (subscriber, #4806) [Link]

Did you read the third paragraph in Paul Vixie's reply? He's telling Theo why his rant was a little misguided...
> the second and more important error is to assume that ietf is relevant. if you look carefully you'll see that the SSH protocol has been shaped far more by your OpenSSH effort than by the ietf or any commercial vendors, and SMTP likewise more by Sendmail and Postfix than by ietf or any commercial vendors, and DNS likewise more by BIND than by ietf or any commercial vendors. in the old days, ietf consensus could make or wreck an idea. these are not those days. compared to the power and relevance of open source software, ietf may as well be declared dead for all the relevance it has at this stage.
I have to agree. The IETF seems to have fallen clean off the leading edge. Ajax? Bonjour? SSH? There's fantastic innovation in networking and the IETF is largely absent.

Personally, I don't see this as a bad thing.

IPv6 source routing: history repeats itself

Posted May 3, 2007 4:30 UTC (Thu) by imcdnzl (guest, #28899) [Link]

The IETF often, but not always, standardise things after the event. For example Bonjour is in RFC 3927 to quote one of your examples. Ajax is not a network protocol, which is what the IETF is about. They do take care of a number of underlying standards though which Ajax relies on.

They are also continuing to refine IPv6 which I think most people will agree is necessary and also they are working on new protocols such as DCCP (RFC 4330) which aims to do a better job than UDP in many areas.

Yes they can be out of touch but so can kernel developers. I think we need to work to bridge the gaps (I'm contributing to both).

IPv6 source routing: history repeats itself

Posted May 10, 2007 10:13 UTC (Thu) by slamb (guest, #1070) [Link]

> The IETF often, but not always, standardise things after the event.

And I'd argue that's the proper role for a standards body - never make a standard without at least three interoperable implementations, and preferably don't even bother with a draft until there's at least one. Standards are not for innovation.

I've been involved with a protocol designed by a standards body which did not understand this, and it is a train wreck.

IPv6 source routing: history repeats itself

Posted May 12, 2007 5:39 UTC (Sat) by jwalden (guest, #41159) [Link]

Quick correction for people following the RFC number: DCCP is RFC 4340.

IPv6 source routing: history repeats itself

Posted May 3, 2007 7:28 UTC (Thu) by Gunner (guest, #1448) [Link]

I don't really get all this hostility towards the IETF.
Okay, so they made a serious mistake in the protocol and boo on them for that.
But, what about all the people that implemented the protocol according to their specification?

Why did they implement this at all? Shouldn't they have realized that it was a mistake and say no, we choose to skip this part. Or at least limit it in some way? After all, those who implemented it probably had just as much experience in the nitty-gritty details of networking (or more) than the academic people at the IETF.

If this is a serious problem (and it appears to be just that), then the IETF and those who implemented it share an equal blame, imo.

IPv6 source routing: history repeats itself

Posted May 3, 2007 9:01 UTC (Thu) by dw (subscriber, #12017) [Link]

I more or less agree with you, but I'd be quicker to believe that the IETF is in fact blameless in providing a standardized protocol that can do all the same things as its predecessor. Sure, source routing is bad on the Internet, but how many IP networks exist outside of the Internet?* This header might be the make-or-break for some large private company that would otherwise have stuck with IPv4.

The fact that this was enabled by default in multiple OSes is funny if nothing else. It's exactly the reason we're still "moving towards" IPv6, so fun stuff like this can be found.

Nobody is to blame. The standards people are doing what standards people do best (producing standards that appear to contain as much noise/dross as content) and the programmers are doing what the programmers do (writing code for fun, worrying about the more boring parts like security later).

David.

* = If you reply to this with something like "well omg lol they should stop using source routing" then I will find you and kick you in the ass very hard.

IPv6 source routing: history repeats itself

Posted May 3, 2007 9:50 UTC (Thu) by job (guest, #670) [Link]

I agree with you completely. This IETF bashing is proving very silly. IPv6 is a pretty solid job, considering what it's up against, and the only reason it's still a work in progress is because nobody wants it really yet.

IPv6 source routing: history repeats itself

Posted May 3, 2007 13:55 UTC (Thu) by Los__D (guest, #15263) [Link]

well omg lol they should stop using source routing!

*WHAM* Ouch!

No, I agree 100% :)

Private IPv6 networks??

Posted May 6, 2007 13:06 UTC (Sun) by dthurston (guest, #4603) [Link]

> Sure, source routing is bad on the Internet, but how many IP networks exist outside of the Internet?
Isn't the point of IPv6 to prevent a need for private IP networks? Sure, some organizations might want private networks for security, but I find it hard to believe that there are any that are so big they can't use IPv4...

IPv6 is an unneeded change in the first place

Posted May 10, 2007 13:30 UTC (Thu) by rogblake (guest, #18258) [Link]

Actually, I intend to stick with IPV4 indefinitely as I see absolutely no need for IPV6. I simply have no intention of learning or using this unnecessary new protocol. (New Linux distributions seem to have it enabled by default, first thing I do on a fresh installation is to get rid of IPV6.)

Of course the day may come when it is no longer feasible to use IPV4, but given the overall slow rate of adoption I'll most likely be retired and off of the internet by then.

IPv6 is an unneeded change in the first place

Posted May 12, 2007 12:58 UTC (Sat) by niner (subscriber, #26151) [Link]

So I guess you belong to the 4.5% of human population that owns 74% of all IPv4 addresses then, namely the USA. Well, lucky you.

IPv6 is an unneeded change in the first place

Posted May 13, 2007 9:19 UTC (Sun) by dlang (✭ supporter ✭, #313) [Link]

so it sounds like more of the unused address space needs to be allocated (and some of the early allocations to companies should be reclaimed)

http://xkcd.com/c195.html

IPv6 source routing: history repeats itself

Posted May 3, 2007 10:01 UTC (Thu) by jeroen (subscriber, #12372) [Link]

It's a lot easier to shout at IETF for doing wrong and try to hide the fact that you haven't seen this problem either for the last 10 years. People can rant what they want, but almost everybody has been ignoring IPv6. It seems that only recently people start taking some interest in it, probably because it's inevitable that we have to switch to IPv6 in the next few years.

And the fact that everybody is so upset about this bug IMHO shows the relevance of the IETF...

Hostility towards the IETF

Posted May 3, 2007 16:45 UTC (Thu) by pflugstad (subscriber, #224) [Link]

I think a lot of the hostility towards the IETF is because it _used to be_ the place to go to do real technical standardization work, including developing new protocols and fixing problems; with (hopefully) little or no politics involved.

Then 1995 happened, and the Internet became big business, and the IETF has since been infested with commercial/competing interests and has fallen afoul of most other technical standards bodies. Just look at all the crap that OSI/ITU/etc has issued over the years, almost all of which is irrelevant and unimplementable. Witness the insanity of ISDN (or pick any of a dozen other "standardized" protocols that really weren't).

So I think the hostility is mainly from those who remember the "Good old days" of the IETF. We want the IETF to be the technology leader it was perceived to be when the Internet protocols were created (TCP/IP) - with the clarity and technical focus that it used to have.

I think Paul Vixie nailed it on the head when he said that the IETF was no longer relevant: Open Source software has become the way to meet the implementation requirements for the IETF, and as such, it basically sets the standard. All the IETF really does at this point is rubber stamp what the open source software is actually implementing, maybe with a little formalization thrown in to make things more orthogonal, but that's about it.

Anyway, my 2 cents...

Hostility towards the IETF

Posted May 3, 2007 22:17 UTC (Thu) by BackSeat (subscriber, #1886) [Link]

> Open Source software has become the way to meet the implementation requirements for the IETF, and as such, it basically sets the standard.

Open Source isn't the first to set standards by writing code that then becomes standard. Just look at the old proprietary Unixes and Microsoft. Yes, Open Source makes it a little bit better, but it would surely be better still to work with the IETF to develop the standards before, or possibly with, the code.

Hostility towards the IETF

Posted May 10, 2007 10:19 UTC (Thu) by slamb (guest, #1070) [Link]

> Yes, Open Source makes it a little bit better, but it would surely be better still to work with the IETF to develop the standards before, or possibly with, the code.
No, that would be a disaster. Stuff like CWMP happens when you standardize too early - protocols with many flawed ideas that become obvious when you later reach the implementation stage. For example, CWMP's SOAP bindings are so messed up that no vendor is using standard libraries, which was the goal of using SOAP. If they'd waited to implementation stage, this would have been obvious.

IPv6 source routing: history repeats itself

Posted May 3, 2007 10:09 UTC (Thu) by ekj (subscriber, #1524) [Link]

That is overstating it. Political considerations certainly should play some role in some decisions that are also technical in nature.

For that matter, some considerations are of such a nature that it's hard to say if they're political or technical.

Insisting on Open Source and/or Open Protocols, for example:

  • Is seen as advantageous by many countries who don't wish to be dependent on a (possibly hostile) foreign power for core parts of their infrastructure. This is a political consideration.
  • Lets you fix things yourself, or hire someone to, if the original vendor doesn't feel like it for whatever reason. That's mostly a technical reason.
  • Some see it as preferable for moral reasons, which certainly ain't technical.

So, which is it? And is it really true that the political reasons should be completely ignored?

Raymond insists that we're only about practical technical superiority. I don't think that's true. Nor do I think we'd be better off if we were.

IPv6 source routing: history repeats itself

Posted May 4, 2007 14:17 UTC (Fri) by nlucas (subscriber, #33793) [Link]

I confess I don't see where is the political decision to include the IPv6 source routing.

From what is described it seems someone made the IPv6 specification by going over the IPv4 spec, and (maybe because that person wasn't a security expert) included on the IPv6 spec the same feature already found on the first spec.

Where is the political part of this? It seems more like a mis-informed technical decision.

Were the WEP design errors also a political decision because they were not made by security experts?

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds