From: George Kargiotakis <kargig@void.gr>
To: netdev@vger.kernel.org
Subject: Re: Linux kernel handling of IPv6 temporary addresses
Date: Thu, 27 Dec 2012 17:57:35 +0200 [thread overview]
Message-ID: <20121227175735.26c70cbb@lola.kot> (raw)
In-Reply-To: <20121114.180824.1930899985436392426.davem@davemloft.net>
Hello all,
I had previously informed this list about the issue of the linux kernel
losing IPv6 privacy extensions by a local LAN attacker.
Recently I've found that there's actually another, more serious in my
opinion, issue that follows the previous one. If the user tries to
disconnect/reconnect the network device/connection for whatever reason
(e.g. thinking he might gain back privacy extensions), then the device
gets IPs from SLAAC that have the "tentative" flag and never loses
that. That means that IPv6 functionality for that device is from then
on completely lost. I haven't been able to bring back the kernel to a
working IPv6 state without a reboot.
This is definitely a DoS situation and it needs fixing.
Here are the steps to reproduce:
== Step 1. Boot Ubuntu 12.10 (kernel 3.5.0-17-generic) ==
ubuntu@ubuntu:~$ ip a ls dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:8b:99:5d brd ff:ff:ff:ff:ff:ff
inet 192.168.1.96/24 brd 192.168.1.255 scope global eth0
inet6 2001:db8:f00:f00:ad1f:9166:93d4:fd6d/64 scope global temporary dynamic
valid_lft 86379sec preferred_lft 3579sec
inet6 2001:db8:f00:f00:5054:ff:fe8b:995d/64 scope global dynamic
valid_lft 86379sec preferred_lft 3579sec
inet6 fdbb:aaaa:bbbb:cccc:ad1f:9166:93d4:fd6d/64 scope global temporary dynamic
valid_lft 86379sec preferred_lft 3579sec
inet6 fdbb:aaaa:bbbb:cccc:5054:ff:fe8b:995d/64 scope global dynamic
valid_lft 86379sec preferred_lft 3579sec
inet6 fe80::5054:ff:fe8b:995d/64 scope link
valid_lft forever preferred_lft forever
ubuntu@ubuntu:~$ sysctl -a | grep use_tempaddr
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eth0.use_tempaddr = 2
net.ipv6.conf.lo.use_tempaddr = 2
ubuntu@ubuntu:~$ nmcli con status
NAME UUID DEVICES DEFAULT VPN MASTER-PATH
Wired connection 1 923e6729-74a7-4389-9dbd-43ed7db3d1b8 eth0 yes no --
ubuntu@ubuntu:~$ nmcli dev status
DEVICE TYPE STATE
eth0 802-3-ethernet connected
//ping6 2a00:1450:4002:800::100e while in another terminal: tcpdump -ni eth0 ip6
ubuntu@ubuntu:~$ ping6 2a00:1450:4002:800::100e -c1
PING 2a00:1450:4002:800::100e(2a00:1450:4002:800::100e) 56 data bytes
64 bytes from 2a00:1450:4002:800::100e: icmp_seq=1 ttl=53 time=70.9 ms
--- 2a00:1450:4002:800::100e ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 70.994/70.994/70.994/0.000 ms
# tcpdump -ni eth0 host 2a00:1450:4002:800::100e
17:57:37.784658 IP6 2001:db8:f00:f00:ad1f:9166:93d4:fd6d > 2a00:1450:4002:800::100e: ICMP6, echo request, seq 1, length 64
17:57:37.855257 IP6 2a00:1450:4002:800::100e > 2001:db8:f00:f00:ad1f:9166:93d4:fd6d: ICMP6, echo reply, seq 1, length 64
== Step 2. flood RAs on the LAN ==
$ dmesg | tail
[ 1093.642053] IPv6: ipv6_create_tempaddr: retry temporary address regeneration
[ 1093.642062] IPv6: ipv6_create_tempaddr: retry temporary address regeneration
[ 1093.642065] IPv6: ipv6_create_tempaddr: retry temporary address regeneration
[ 1093.642067] IPv6: ipv6_create_tempaddr: regeneration time exceeded - disabled temporary address support
ubuntu@ubuntu:~$ sysctl -a | grep use_tempaddr
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eth0.use_tempaddr = -1
net.ipv6.conf.lo.use_tempaddr = 2
//ping6 2a00:1450:4002:800::100e while in another terminal: tcpdump -ni eth0 ip6
ubuntu@ubuntu:~$ ping6 2a00:1450:4002:800::100e -c1
PING 2a00:1450:4002:800::100e(2a00:1450:4002:800::100e) 56 data bytes
64 bytes from 2a00:1450:4002:800::100e: icmp_seq=1 ttl=53 time=77.5 ms
--- 2a00:1450:4002:800::100e ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 77.568/77.568/77.568/0.000 ms
# tcpdump -ni eth0 host 2a00:1450:4002:800::100e
17:59:38.204173 IP6 2001:db8:f00:f00:5054:ff:fe8b:995d > 2a00:1450:4002:800::100e: ICMP6, echo request, seq 1, length 64
17:59:38.281437 IP6 2a00:1450:4002:800::100e > 2001:db8:f00:f00:5054:ff:fe8b:995d: ICMP6, echo reply, seq 1, length 64
//notice the change of IPv6 address to the one not using privacy extensions even after the flooding has finished long ago.
== Step 3. Disconnect/Reconnect connection ==
// restoring net.ipv6.conf.eth0.use_tempaddr to value '2' makes no difference at all for the rest of the process
# nmcli dev disconnect iface eth0
# nmcli con up uuid 923e6729-74a7-4389-9dbd-43ed7db3d1b8
ubuntu@ubuntu:~$ ip a ls dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:8b:99:5d brd ff:ff:ff:ff:ff:ff
inet 192.168.1.96/24 brd 192.168.1.255 scope global eth0
inet6 2001:db8:f00:f00:5054:ff:fe8b:995d/64 scope global tentative dynamic
valid_lft 86400sec preferred_lft 3600sec
inet6 fdbb:aaaa:bbbb:cccc:5054:ff:fe8b:995d/64 scope global tentative dynamic
valid_lft 86400sec preferred_lft 3600sec
inet6 fe80::5054:ff:fe8b:995d/64 scope link tentative
valid_lft forever preferred_lft forever
//Notice the "tentative" flag of the IPs on the device
//ping6 2a00:1450:4002:800::100e while in another terminal: tcpdump -ni eth0 ip6
ubuntu@ubuntu:~$ ping6 2a00:1450:4002:800::100e -c1
PING 2a00:1450:4002:800::100e(2a00:1450:4002:800::100e) 56 data bytes
^C
--- 2a00:1450:4002:800::100e ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
# tcpdump -ni eth0 host 2a00:1450:4002:800::100e
18:01:45.264194 IP6 ::1 > 2a00:1450:4002:800::100e: ICMP6, echo request, seq 1, length 64
Summary:
Before flooding it uses IP: 2001:db8:f00:f00:ad1f:9166:93d4:fd6d
After flooding it uses IP: 2001:db8:f00:f00:5054:ff:fe8b:995d --> it has lost privacy extensions
After disconnect/reconnect it tries to use IP: ::1 --> it has lost IPv6 connectivity
Best regards,
--
George Kargiotakis
https://void.gr
GPG KeyID: 0xE4F4FFE6
GPG Fingerprint: 9EB8 31BE C618 07CE 1B51 818D 4A0A 1BC8 E4F4 FFE6
next prev parent reply other threads:[~2012-12-27 16:03 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-14 21:14 Linux kernel handling of IPv6 temporary addresses George Kargiotakis
2012-11-14 21:29 ` David Miller
2012-11-14 23:03 ` George Kargiotakis
2012-11-14 23:08 ` David Miller
2012-11-16 21:27 ` Ben Hutchings
2012-12-27 15:57 ` George Kargiotakis [this message]
2012-12-27 16:54 ` Eric Dumazet
2012-12-28 17:19 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121227175735.26c70cbb@lola.kot \
--to=kargig@void.gr \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox