Microsoft, Juniper urged to patch dangerous IPv6 DoS hole
Some Windows networking consultants are so concerned about the hole and Microsoft’s lack of interest in fixing it that they have been warning users directly. “There is a serious Windows vulnerability for RA flooding as a denial-of-service attack on wired LANs. It only takes between 5 to 20 packets to CPU-bound every Windows 7 or Server 2008 machine on that subnet,” said Microsoft MVP Ed Horley, Principal Solutions Architect at Groupware Technology, to attendees of the Rocky Mountain IPv6 Summit in Denver, Colo., last week. “I have heard rumor it can also lock out Playstation 2 and Xbox consoles. With enough packets it requires a hard reboot to recover.”
Although several workarounds exist, each has a significant drawback. One is to turn off IPv6, which also disables new Microsoft technologies that rely on it, such as DirectAccess, a service that allows Windows 7 machines to have an always-on remote access connection to Windows Server 2008 R2 servers. Remote Access is touted as a money-saving option as it replaces the need for a separate VPN in Windows environments.
Experts also advise using a router that implements a Cisco technology called RA Guard. Cisco routers support RA Guard, but not all routers do. RA Guard was submitted to the IETF as an informational document, RFC 6105, but it is not on track to become a standard.
Juniper, for instance, has no intention of implementing it and is instead waiting for IETF RFC 6164. “RFC 6105 IPv6 Router Advertisement Guard, published about nine weeks ago, is an informational RFC, as opposed to an IETF Standard, that documents Cisco’s proprietary RA-Guard technology. Cisco asserts that at least one of their patent applications (US PPA 20080307516) covers this technology. While Cisco has stated that should RFC 6105 become a standard then they will make a royalty-free license available, since this is not yet a standard there is no such option. We can however achieve much the same functionality simply by applying access control lists,” said Juniper’s Peter Lunk, director of product marketing for high-end security systems.
Lunk added: “Conversely, RFC 6164, released last month, is a ‘standards track’ RFC (which is to say on the way to being, but not yet, a standard) supported by Juniper, Google and IBM and others that addresses many of the same issues in a much more open manner. We expect this to be ratified as a full standard at the next IETF meeting in July.”
Heuse has also called Juniper out on the carpet for dragging its feet on fixing the hole. Juniper’s Lunk argues that the router advertisement problem stems from a flaw in the ICMPv6 protocol and should be fixed by the IETF.
“The flaw in the ICMPv6 protocol has only been identified in a small subset of older Juniper products, and only when configured as a host rather than a router,” he said. “According to the protocol, devices configured as hosts must accept and process all advertised routes. This is an inherently dangerous thing to do. If our customers must use auto-configure mode on the IPv6 host on an open LAN, then we strongly recommend whitelisting sources of acceptable routes which will protect them from bogus advertisements.”
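The whitelisting of advertisement sources that Lunk recommends can be paired with a rate check on the monitoring side. The Python below is an added example, not code from Juniper, Microsoft or this article: it parses ICMPv6 Router Advertisement bodies and flags RAs from unlisted sources and bursts of distinct prefixes. The allowlist, the one-second window, the five-prefix threshold and all sample addresses are assumptions chosen for illustration.

```python
import ipaddress
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3  # Prefix Information option

def ra_prefixes(icmp6: bytes):
    """Prefixes advertised in one ICMPv6 message, or None if it is not a well-formed RA."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        return None
    prefixes, off = [], 16                    # options follow the 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length field counts 8-octet units
        if opt_len == 0 or off + opt_len > len(icmp6):
            return None                       # zero-length or truncated option
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen = icmp6[off + 2]
            if plen > 128:
                return None
            addr = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, plen), strict=False))
        off += opt_len
    return prefixes

def detect(events, allowed_routers, window=1.0, max_prefixes=5):
    """events: (timestamp, source, icmp6_bytes) tuples in time order -> [(timestamp, source, reason)]."""
    alerts, recent = [], []                   # recent: (timestamp, prefix) seen on the subnet
    for ts, src, raw in events:
        prefixes = ra_prefixes(raw)
        if prefixes is None:
            continue
        if src not in allowed_routers:
            alerts.append((ts, src, "ra-from-unlisted-source"))
        recent = [(t, p) for t, p in recent if ts - t <= window] + [(ts, p) for p in prefixes]
        if len({p for _, p in recent}) > max_prefixes:
            alerts.append((ts, src, "prefix-burst"))
    return alerts

def build_ra(prefix: str) -> bytes:
    """Constructed sample input: RA body with one Prefix Information option (checksum left 0)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return header + option + net.network_address.packed

ROUTER = "fe80::1"   # constructed: the single legitimate router on the subnet
SAMPLE = [(0.0, ROUTER, build_ra("2001:db8:1::/64"))] + [
    (10.0 + i * 0.01, "fe80::bad", build_ra(f"2001:db8:{0x100 + i:x}::/64")) for i in range(8)
]
```

Calling `detect(SAMPLE, {ROUTER})` returns the alerts for the constructed capture. An RA's source address is not authenticated, so the allowlist check alone is not sufficient; the burst check still fires when the source matches a listed router.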