Early adopters of IPv6 have been warned that an oversight in the IPv6 specifications could leave networks vulnerable to DDoS attacks. The issue is caused by Type 0 Routing Headers. These headers allow the source of a data packet to specify addresses via which that packet should be routed.
Type 0 Routing Headers revive a well-known security problem and are disabled by default in almost all IPv4 routing engines. The feature enables what is often described as loose source routing, which attackers can exploit to create a bounce-style (ping-pong) denial of service: packets are sent to node A with a routing path directing them via node B, then back to node A, and so on, so each packet crosses the same link repeatedly and traffic increases rapidly. In IPv4 up to nine additional routing addresses can be added to the headers; under the IPv6 specifications this has increased to 88, which obviously increases the potential for trouble by the same factor. The Register reports one network engineer saying, “It is exactly that: The reintroduction of the IPv4 loose source routing mechanism in the IPv6 world and on steroids.”
There are two solutions to the problem: get rid of the feature completely, or ensure that everyone turns it off unless it is really needed. Many routers, as well as the BSD-based operating systems, have already disabled Type 0 Routing Headers and automatically drop any packets that contain them.
Surprisingly, Cisco did not seem to pick up on this: although IPv6 is disabled by default on most Cisco routers, Type 0 Routing Headers are not always filtered once IPv6 is enabled. Cisco has released an advisory and an accompanying fix. The advisory cautions that, if exploited, the vulnerability could cause memory corruption, which creates the opportunity for remote code execution and ultimately full compromise of the router. If code execution fails, the attempt will likely crash the device, causing a denial of service.
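To make the "drop any packet that carries a Type 0 Routing Header" mitigation concrete, here is an added example that is not code from the original post, from Cisco or from any BSD project: a small Python function that walks the IPv6 extension-header chain of a raw packet, reports the first Routing Header it finds, and returns a filter verdict. It drops Type 0 only when Segments Left is greater than zero (the loose-source-routing case; a Type 0 header whose segments are exhausted has no hops left, and this is the behaviour RFC 5095 later standardised), and it leaves other routing types alone, since type 2 is used by Mobile IPv6. The helper names, the 2001:db8:: documentation addresses and all packets are constructed for this example.

```python
"""Detect IPv6 Type 0 Routing Headers (RH0) in raw packets and decide whether a
filter should drop them. Added example; addresses and packets are constructed."""
import ipaddress
import struct

IPV6_HDR_LEN = 40
# "Next header" values from RFC 2460 / IANA
NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_ICMPV6, NH_DSTOPTS = 0, 43, 44, 51, 58, 60


def find_routing_header(packet: bytes):
    """Walk the extension-header chain of a raw IPv6 packet.

    Returns (routing_type, segments_left, addresses) for the first Routing
    Header (next header 43), or None if the chain carries no Routing Header.
    """
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], IPV6_HDR_LEN
    while next_hdr in (NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DSTOPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == NH_ROUTING:
            # Layout: next header, hdr ext len (8-octet units, first 8 bytes excluded),
            # routing type, segments left, 4 reserved bytes, then type-specific data.
            ext_len, rtype, seg_left = packet[offset + 1], packet[offset + 2], packet[offset + 3]
            data = packet[offset + 8: offset + 8 + ext_len * 8]
            if len(data) != ext_len * 8:
                raise ValueError("truncated routing header")
            addrs = []
            if rtype == 0:
                # RH0 data is a list of 16-byte addresses (ext_len is twice the address count)
                addrs = [ipaddress.IPv6Address(data[i:i + 16]) for i in range(0, len(data), 16)]
            return rtype, seg_left, addrs
        if next_hdr == NH_FRAGMENT:
            hlen = 8                                   # fixed-size header
        elif next_hdr == NH_AH:
            hlen = (packet[offset + 1] + 2) * 4        # AH length is in 4-octet units minus 2
        else:
            hlen = (packet[offset + 1] + 1) * 8        # Hop-by-Hop and Destination Options
        next_hdr, offset = packet[offset], offset + hlen
    return None


def rh0_verdict(packet: bytes):
    """Filter decision: ("drop" | "accept", reason).

    Type 0 with Segments Left > 0 still has loose-source-routed hops to take and is
    dropped; Type 0 with Segments Left == 0 is spent and harmless; other routing
    types (e.g. type 2 for Mobile IPv6) are not the problem discussed here.
    """
    rh = find_routing_header(packet)
    if rh is None:
        return "accept", "no routing header"
    rtype, seg_left, addrs = rh
    if rtype == 0 and seg_left > 0:
        return "drop", f"RH0 with {seg_left} segments left via {[str(a) for a in addrs]}"
    return "accept", f"routing type {rtype}, segments left {seg_left}"


# --- constructed test packets (2001:db8::/32 is the documentation prefix) ---
def build_ipv6(src, dst, next_hdr, payload):
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_routing_header(next_hdr, rtype, addrs, segments_left):
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBBBI", next_hdr, len(addrs) * 2, rtype, segments_left, 0) + packed


def build_dstopts(next_hdr):
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])  # one PadN option filling the 8-byte minimum


ECHO = bytes([128, 0, 0, 0, 0, 0, 0, 0])  # minimal ICMPv6 echo request, checksum left zero
PLAIN = build_ipv6("2001:db8::1", "2001:db8::a", NH_ICMPV6, ECHO)
RH0_PKT = build_ipv6("2001:db8::1", "2001:db8::a", NH_ROUTING,
                     build_routing_header(NH_ICMPV6, 0, ["2001:db8::b", "2001:db8::c"], 2) + ECHO)
RH0_BEHIND_DSTOPTS = build_ipv6("2001:db8::1", "2001:db8::a", NH_DSTOPTS,
                                build_dstopts(NH_ROUTING)
                                + build_routing_header(NH_ICMPV6, 0, ["2001:db8::b"], 1) + ECHO)
RH0_SPENT = build_ipv6("2001:db8::1", "2001:db8::a", NH_ROUTING,
                       build_routing_header(NH_ICMPV6, 0, ["2001:db8::b"], 0) + ECHO)
RH2_PKT = build_ipv6("2001:db8::1", "2001:db8::a", NH_ROUTING,
                     build_routing_header(NH_ICMPV6, 2, ["2001:db8::b"], 1) + ECHO)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("rh0", RH0_PKT), ("rh0 after dstopts", RH0_BEHIND_DSTOPTS),
                      ("rh0 spent", RH0_SPENT), ("rh2", RH2_PKT)]:
        print(f"{name:18s} -> {rh0_verdict(pkt)}")
```

The chain walk matters in practice: a Routing Header may sit behind Hop-by-Hop or Destination Options headers, so a filter that only inspects the first extension header can be bypassed, which is why the example keeps walking until it reaches an upper-layer protocol.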
So far, exploitation of this hasn’t been observed in the wild. While migration to IPv6 is seen as unavoidable in the longer term, very few are adopting the technology at this time. As adoption of IPv6 slowly increases, we will likely see a few more oversights and glitches such as this one being ironed out.
The adoption of IPv6 is being driven primarily by the exhaustion of IPv4 address space. While some time ago the rate of address consumption made the deployment of IPv6 look quite urgent, the introduction of classless inter-domain routing (CIDR) and network address translation (NAT) has alleviated much of this concern in the short term. Reports from organisations such as Cisco and APNIC estimate that IPv4 address space could be consumed entirely anytime from 2011 – 2023, depending on whether or not unused addresses can be reclaimed. The White House’s Office of Management has mandated that all federal agencies must have moved their backbones to IPv6 by June 2008; the US Department of Defence also aims to complete its transition by 2008.
This blip is a reminder to organisations that while a transition to IPv6 may not be essential in the short term, it is slowly creeping up on us and will eventually be unavoidable.
I would be interested to hear about your thoughts on IPv6. Has anyone deployed it yet?