IETF Engineers Propose Disconnecting Vulnerable IPv6 Feature

Earlier this month, two consulting engineers affiliated with the Internet Engineering Task Force formally proposed the simplest, though easily the most drastic, measure to deal with a diagnostic feature of new IPv6 routing that Cisco learned the hard way two years ago could enable a denial-of-service attack on the Internet's core routers: They recommend turning it off.

As SecurityFocus correspondent Robert Lemos first reported yesterday, two consultants have issued formal drafts to the IETF that officially place on the table for discussion and debate the prospects of disusing the so-called "Type 0 Routing Header." At a security conference in Vancouver last month, a demonstration entitled "Fun with IPv6 Routing Headers" effectively convinced engineers that the problem Cisco first encountered - and warned its customers about in July 2005 - continues to exist.

Since the conference, FreeBSD Unix developers have been working to implement changes to software drivers that simply ignore Type 0 routing, or "RH0," in the absence of any suggested workarounds.

But the IETF consultants' suggestions go closer to the heart of the matter, without wasting words. A network architect for Canadian DNS registrar Afilias, Joe Abley, submitted a draft whose Implementation section reads, in its entirety, "Compliant IPv6 hosts and routers MUST NOT transmit IPv6 datagrams containing RH0."

The technique called "source routing" originated with IPv4, and enabled an IP packet to specify the precise route it should take to reach its destination, up to 9 hops, rather than let the router forward the packet in the general direction of its destination as IP routers normally do. RH0's purpose was said to enable remote router diagnostics, especially when a remote system needs to inquire about a specific router's relative "health."

But in a time and place where more people like to take things apart than build them, source routing ultimately became exploited. In a typical DOS attack, multiple systems could issue coordinated packets to a specific pair of routers, perhaps deep within the Internet core, whose Type 0 paths instruct them to ping-pong those packets between each other. For the IPv6 version of source routing, packets could contain dozens of maliciously crafted, back-and-forth paths, making it easier for malicious sources to deploy attacks on the IP router core from fewer locations.

Another pair of security consultants who are actually IPv6 proponents, attending the same security conference, described the problem engineers face with the following phrase in their presentation: "Collapse the IPv6 Internet, plug off a country with a simple packet."

Private security consultant George Neville-Neil, in his IETF draft, suggested a slightly less drastic measure: Turn off RH0 by default, while engineers work on a way to implement trust between routers in the meantime. "IPv6 type 0 routing header processing should be disabled by default," Neville-Neil wrote. "However, this document does not provide "tighter" specification for type 0 routing header...It is expected that the people who enable routing header processing will appropriately restrict its use to trusted parties."

If Neville-Neil's suggestion is heeded, engineers from Cisco and elsewhere would need to work on ways to make routers more "trusted," which could mean implementing something akin to the Trusted Platform Module. In such a case, the question becomes, how much more expensive would that make routers to manufacture, deploy, and maintain - and who would end up paying that cost?