ra6 - A security assessment tool for attack vectors based on ICMPv6 Router Advertisement messages
ra6 [-i INTERFACE] [-s SRC_ADDR[/LEN]] [-d DST_ADDR] [-y FRAG_SIZE]
    [-u DST_OPT_HDR_SIZE] [-U DST_OPT_U_HDR_SIZE] [-H HBH_OPT_HDR_SIZE]
    [-S LINK_SRC_ADDR] [-D LINK_DST_ADDR] [-c CUR_HOP] [-t ROUTER_LIFETIME]
    [-r REACHABLE_TIME] [-x RETRANS_TIMER] [-m] [-o] [-a] [-q] [-p PREFERENCE]
    [-E LINK_ADDR] [-e] [-P PREFIX/LEN[#FLAGS[#VALID[#PREFERRED]]]] [-M MTU]
    [-N [LIFETIME[#DNS_ADDR]]] [-R PREFIX/LEN[#PREF[#LIFETIME]]] [-f N_PREFIXES]
    [-F N_SOURCES] [-w N_ROUTES] [-W N_ADDRS[#ADDRSPEROPT]] [-j PREFIX[/LEN]]
    [-k PREFIX[/LEN]] [-J LINK_ADDR] [-K LINK_ADDR] [-b PREFIX[/LEN]]
    [-g PREFIX[/LEN]] [-B LINK_ADDR] [-G LINK_ADDR] [-L] [-v] [-h]
ra6 allows the assessment of IPv6 implementations with respect to a
variety of attacks based on ICMPv6 Router Advertisement messages. This tool is
part of the SI6 Networks' IPv6 Toolkit: a security assessment suite for the
IPv6 protocols.
This tool has two modes of operation: active and passive. In active mode, the
tool attacks a specific target, while in passive mode the tool listens to
traffic on the local network, and launches an attack in response to such
traffic. Active mode is employed when an Ethernet destination address and/or
an IPv6 destination address are specified. Passive mode is employed when the
"-L" option (or its long variant "--listen") is specified.
In passive mode, the ra6 tool listens for incoming Router Solicitation
messages and responds with the Router Advertisement attack messages. If both a
destination address and the "-L" option are specified, the tool
firstly employs active mode to attack the specified target, and then enters
passive mode to respond to Router Solicitation messages with Router
Advertisement attack packets.
ra6 takes its parameters as command-line options. Each of the options can
be specified with a short name (one character preceded with the hyphen
character, as e.g. "-i") or with a long name (a string preceded with
two hyphen characters, as e.g. "--interface").
Depending on the amount of information (i.e., options and option data) to be
conveyed into the Router Advertisements, it may be necessary for ra6 to split
that information into more than one Router Advertisement message. This may be
particularly the case when the "--flood-prefixes",
"--flood-routes", or "--flood-dns" options are used. Also,
when the ra6 tool is instructed to flood the victim with Router Advertisements
from different sources ("--flood-sources" option), multiple packets
may need to be generated. ra6 supports IPv6 fragmentation, which may be of use
if a large amount of information needs to be conveyed within a single Router
Advertisement message. IPv6 fragmentation is not enabled by default, and must
be explicitly enabled with the "-y" option.
The tool supports filtering of incoming Router Solicitation messages based on
the Ethernet Source Address, the Ethernet Destination Address, the IPv6 Source
Address, and the IPv6 Destination Address. There are two types of filters:
"block filters" and "accept filters". If any "block
filter" is specified, and the incoming Router Solicitation message
matches any of those filters, the message is discarded (and thus no Router
Advertisements are sent in response). If any "accept filter" is
specified, incoming Router Solicitation messages must match the specified
filters in order for the ra6 tool to respond with Router Advertisement
messages.
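The filter semantics just described (block filters discard on any match; accept filters must be matched) and the passive-mode address selection rules given under the "-d", "-S" and "-D" options below can be written down as a small decision routine. The following Python is an added illustration, not code from the SI6 toolkit; it assumes that when several accept filters are given, every one of them must match (the text does not say how they combine), and the two Router Solicitations it runs over are constructed sample traffic.

```python
"""Passive-mode decision logic modelled on the ra6 description: which incoming
Router Solicitations pass the block/accept filters, and which addresses the
reply would carry. Added illustration, not code from the SI6 IPv6 toolkit."""
import ipaddress
from dataclasses import dataclass, field

ALL_NODES = "ff02::1"
ALL_NODES_MAC = "33:33:00:00:00:01"


@dataclass
class RouterSolicitation:
    eth_src: str
    eth_dst: str
    ip6_src: str
    ip6_dst: str


@dataclass
class Filters:
    """One list per filter option; an empty list means the option was not given."""
    block_src: list = field(default_factory=list)        # -j prefix[/len]
    block_dst: list = field(default_factory=list)        # -k prefix[/len]
    block_link_src: list = field(default_factory=list)   # -J link_addr
    block_link_dst: list = field(default_factory=list)   # -K link_addr
    accept_src: list = field(default_factory=list)       # -b prefix[/len]
    accept_dst: list = field(default_factory=list)       # -g prefix[/len]
    accept_link_src: list = field(default_factory=list)  # -B link_addr
    accept_link_dst: list = field(default_factory=list)  # -G link_addr


def parse_prefix(text: str) -> ipaddress.IPv6Network:
    """Parse a prefix argument; a bare address gets /128, as the options do."""
    if "/" not in text:
        text += "/128"
    return ipaddress.IPv6Network(text, strict=False)


def _in_prefixes(addr: str, prefixes) -> bool:
    a = ipaddress.IPv6Address(addr)
    return any(a in parse_prefix(p) for p in prefixes)


def _in_macs(mac: str, macs) -> bool:
    return mac.lower() in {m.lower() for m in macs}


def should_respond(rs: RouterSolicitation, f: Filters) -> bool:
    """Block filters win: any match discards the RS. Then every accept filter
    that was given must match (assumption: accept filters combine with AND)."""
    if (_in_prefixes(rs.ip6_src, f.block_src) or _in_prefixes(rs.ip6_dst, f.block_dst)
            or _in_macs(rs.eth_src, f.block_link_src) or _in_macs(rs.eth_dst, f.block_link_dst)):
        return False
    checks = [
        (f.accept_src, lambda: _in_prefixes(rs.ip6_src, f.accept_src)),
        (f.accept_dst, lambda: _in_prefixes(rs.ip6_dst, f.accept_dst)),
        (f.accept_link_src, lambda: _in_macs(rs.eth_src, f.accept_link_src)),
        (f.accept_link_dst, lambda: _in_macs(rs.eth_dst, f.accept_link_dst)),
    ]
    return all(check() for given, check in checks if given)


def reply_addresses(rs: RouterSolicitation, configured_src_mac: str) -> dict:
    """Addresses of the RA sent in reply, following the -d, -S and -D rules for
    passive mode. `configured_src_mac` stands for the -S value (or the random
    address chosen when -S is absent)."""
    unspecified = ipaddress.IPv6Address(rs.ip6_src) == ipaddress.IPv6Address("::")
    rs_dst_multicast = ipaddress.IPv6Address(rs.ip6_dst).is_multicast
    return {
        "ip6_dst": ALL_NODES if unspecified else rs.ip6_src,
        "eth_dst": ALL_NODES_MAC if unspecified else rs.eth_src,
        "eth_src": configured_src_mac if rs_dst_multicast else rs.eth_dst,
    }


# Constructed sample traffic: an RS from a host with no address yet, and a
# unicast-addressed RS from a configured host.
SAMPLE_RS = [
    RouterSolicitation("00:11:22:33:44:55", "33:33:00:00:00:02", "::", "ff02::2"),
    RouterSolicitation("00:11:22:33:44:66", "00:01:02:03:04:05", "fe80::1", "fe80::1234"),
]

if __name__ == "__main__":
    f = Filters(block_link_src=["00:11:22:33:44:55"], accept_src=["fe80::/64"])
    for rs in SAMPLE_RS:
        print(rs.ip6_src, "->", should_respond(rs, f), reply_addresses(rs, "00:01:02:03:04:05"))
```

Running the block applies a "-J 00:11:22:33:44:55 -b fe80::/64" filter set: the first RS is dropped by the block filter regardless of the accept filter, the second passes, and the reply to the second is addressed back to fe80::1 with the RS's own Ethernet source as destination.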
-i INTERFACE, --interface INTERFACE
    This option specifies the network interface that the tool will use. If
    the destination address ("-d" option) is a link-local address, or the
    "listening" ("-L") mode is selected, the interface must be explicitly
    specified. The interface may also be specified along with a destination
    address, with the "-d" option.

-s SRC_ADDR, --src-address SRC_ADDR
    This option specifies the IPv6 Source Address (or IPv6 prefix) to be
    used for the Router Advertisement messages. If left unspecified, a
    randomized link-local unicast (fe80::/64) address is selected.

-d DST_ADDR, --dst-address DST_ADDR
    This specifies the IPv6 Destination Address of the Router Advertisement
    messages. If this option is left unspecified, but the Ethernet
    Destination Address is specified, the "all-nodes link-local multicast"
    address (ff02::1) is selected as the IPv6 Destination Address.

    When operating in passive mode ("-L" option), the IPv6 Destination
    Address is selected according to the IPv6 Source Address of the Router
    Solicitation message. If the IPv6 Source Address of the Router
    Solicitation is the unspecified address (::), the "all-nodes link-local
    multicast" address (ff02::1) is used as the IPv6 Destination Address.
    Otherwise, the IPv6 Source Address of the incoming Router Solicitation
    message is used as the IPv6 Destination Address of the outgoing Router
    Advertisement messages.

--hop-limit, -A
    This option specifies the Hop Limit of the Router Advertisement
    messages. It defaults to 255. Note that IPv6 nodes are required to
    check that the Hop Limit of incoming Router Advertisement messages is
    255. Therefore, this option is only useful to assess whether an IPv6
    implementation fails to enforce the aforementioned check.

-y SIZE, --frag-hdr SIZE
    This option specifies that the resulting packet must be fragmented. The
    fragment size must be specified as an argument to this option.

-u HDR_SIZE, --dst-opt-hdr HDR_SIZE
    This option specifies that a Destination Options header is to be
    included in the resulting packet. The extension header size must be
    specified as an argument to this option (the header is filled with
    padding options). Multiple Destination Options headers may be specified
    by means of multiple "-u" options.

-U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE
    This option specifies a Destination Options header to be included in
    the "unfragmentable part" of the resulting packet. The header size must
    be specified as an argument to this option (the header is filled with
    padding options). Multiple Destination Options headers may be specified
    by means of multiple "-U" options. This option is only valid if the
    "-y" option is specified (as the concept of "unfragmentable part" only
    makes sense when fragmentation is employed).

-H HDR_SIZE, --hbh-opt-hdr HDR_SIZE
    This option specifies that a Hop-by-Hop Options header is to be
    included in the resulting packet. The header size must be specified as
    an argument to this option (the header is filled with padding options).
    Multiple Hop-by-Hop Options headers may be specified by means of
    multiple "-H" options.
--curhop, -c
    This option specifies the CurHop value that is included in Router
    Advertisement messages. This is the value that nodes should use for the
    "Hop Limit" field of the IPv6 packets they send. If this option is not
    specified, the CurHop value defaults to 255.

--lifetime, -t
    This option specifies the Router Lifetime value that is included in
    Router Advertisement messages. The Router Lifetime is the amount of
    time (in seconds) that the router can be used as a "default router". If
    this option is left unspecified, a Router Lifetime value of 9000
    seconds is selected.

--reachable, -r
    This option specifies the Reachable Time value that is included in
    Router Advertisement messages. The Reachable Time is the amount of time
    in milliseconds that a neighbor is considered "reachable" after a
    reachability confirmation. If this option is left unspecified, a
    Reachable Time of 0xffffffff ("infinity") is selected.

--retrans, -x
    This option specifies the Retrans Timer value that is included in
    Router Advertisement messages. The Retrans Timer specifies the amount
    of time in milliseconds between retransmitted Neighbor Solicitation
    messages (with ‘0’ meaning "unspecified by this router"). If this
    option is left unspecified, a Retrans Timer of 4000 milliseconds is
    selected.

--managed, -m
    This option causes the ra6 tool to set the ‘M’ (Managed) bit in the
    Router Advertisement messages that it sends. The ‘M’ bit indicates
    that network configuration is "managed" (e.g., DHCPv6 should be used
    instead). If left unspecified, the ‘M’ bit is not set.

--other, -o
    This option causes the ra6 tool to set the ‘O’ ("Other") bit in the
    Router Advertisement messages that it sends. The ‘O’ bit indicates
    that additional configuration information is available through other
    means (e.g., DHCPv6). If left unspecified, the ‘O’ bit is not set.

--home-agent, -a
    This option causes the ra6 tool to set the ‘H’ ("Home Agent") bit in
    the Router Advertisement messages that it sends (the ‘H’ bit is
    specified in RFC 3775). If this option is left unspecified, the ‘H’
    bit is not set.

--nd-proxy, -q
    This option causes the ra6 tool to set the ‘P’ ("ND Proxy") bit in
    the Router Advertisement messages that it sends (the ‘P’ bit is
    specified in RFC 4389). If this option is left unspecified, the ‘P’
    bit is not set.

--preference, -p
    This option specifies the Preference field of the Router Advertisement
    messages, with "1" meaning "High", "0" meaning "Normal", and "-1"
    meaning "Low" (the value "-2" is forbidden). If left unspecified, a
    Preference value of "1" (High) is selected.
-S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR
    This option specifies the link-layer Source Address of the Router
    Advertisement messages (this option is only valid for Ethernet
    interfaces). If left unspecified, the link-layer Source Address is
    randomized.

    When operating in passive mode, the link-layer Source Address is
    selected according to the IPv6 Destination Address of the incoming
    Router Solicitation messages. If the IPv6 Destination Address of the
    incoming Router Solicitation message is a multicast address (usually
    the "all-routers link-local multicast" address "ff02::2"), the
    link-layer Source Address is set to the address specified by the "-S"
    option (or to a random address if the "-S" option was left
    unspecified). If the IPv6 Destination Address of the incoming Router
    Solicitation is not a multicast address (i.e., it is a unicast
    address), the link-layer Source Address is set to the Ethernet
    Destination Address of the incoming Router Solicitation message.

-D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR
    This option specifies the link-layer Destination Address of the Router
    Advertisement messages (this option is only valid for Ethernet
    interfaces). If left unspecified, it is set to "33:33:00:00:00:01" (the
    Ethernet multicast address corresponding to the IPv6 "all-nodes
    link-local multicast" address).

    When operating in passive mode, the link-layer Destination Address is
    set according to the IPv6 Source Address of the incoming Router
    Solicitation message. If the IPv6 Source Address of the incoming Router
    Solicitation message is the unspecified address (::), the link-layer
    Destination Address is set to "33:33:00:00:00:01" (the Ethernet
    multicast address corresponding to the IPv6 "all-nodes link-local
    multicast" address). Otherwise, the link-layer Destination Address is
    set to the same value as the link-layer Source Address of the incoming
    Router Solicitation message.

--source-lla-opt, -E
    This option specifies the contents of a source link-layer address
    option to be included in the Router Advertisement messages. If a single
    option is specified, it is included in all the outgoing Router
    Advertisement messages. If more than one source link-layer address is
    specified, they are included only in the first packet of a set of
    Router Advertisements (if more than one Router Advertisement needs to
    be sent in order to convey all the specified information).

--add-slla-opt, -e
    This option instructs the ra6 tool to include a source link-layer
    address option in the Router Advertisement messages. The link-layer
    address included in the option is the same as the Ethernet Source
    Address used for the outgoing Router Advertisement message. The
    difference between this option and the "-E" option is that this option
    does not specify the actual value of the option, but just instructs the
    tool to include it (the actual value of the option is selected
    according to the Ethernet Source Address used in the outgoing packet).
--prefix-opt, -P
    This option specifies the contents of a Prefix Information option to be
    included in Router Advertisement messages, with the following format:
    "-P prefix/length#flags#valid#preferred". "prefix/length" is a
    mandatory field that indicates an IPv6 prefix (e.g., "2001::/16").
    "flags" is an optional argument that indicates which flags should be
    set for this prefix (‘L’ for the "on-link" flag, ‘A’ for the
    "autonomous address-configuration" flag, ‘R’ for "Router Address", and
    ‘-’ for indicating that no flags should be set for this prefix); if
    this field is left unspecified, the "L" and "A" flags are set in the
    specified Prefix Information option. "valid" is an optional field that
    indicates the "Valid Lifetime" for this prefix (the length of time in
    seconds during which this information can be used for on-link
    determination); if left unspecified, a value of 0xffffffff (infinity)
    is used. "preferred" is an optional argument that specifies the
    "Preferred Lifetime" value for this prefix (the length of time in
    seconds that addresses generated from this prefix via stateless address
    auto-configuration remain preferred); if left unspecified, a value of
    0xffffffff (infinity) is used.

--route-opt, -R
    This option specifies the contents of a Route Information option to be
    included in Router Advertisement messages, with the following format:
    "-R prefix/length#preference#lifetime". "prefix/length" is a mandatory
    field that indicates an IPv6 prefix (e.g., "2001::/16"). "preference"
    is an optional argument that indicates the preference of this prefix
    (with ‘1’ meaning "high", ‘0’ meaning "normal", ‘-1’ meaning
    "low", and ‘-2’ being an invalid value); if this field is left
    unspecified, a value of ‘1’ (i.e., "high") is selected. "lifetime" is
    an optional parameter that specifies the "Route Lifetime" for the
    specified route (the period of time during which this information can
    be used for route determination); if left unspecified, a value of
    0xffffffff (infinity) is selected.

--mtu-opt, -M
    This option specifies the value of an MTU option that should be
    included in Router Advertisements. Multiple MTU options can be
    specified.

--rdnss-opt, -N
    This option allows the advertisement of a number of recursive DNS
    servers by means of the RDNSS option. A "Lifetime" parameter (32 bits)
    indicates the amount of time (in seconds) that the specified DNS
    server(s) may be used for name resolution. Multiple IPv6 addresses can
    be specified in the same RDNSS option in the form
    "-N lifetime#ipv6address1#ipv6address2". Also, more than one RDNSS
    option may be specified.
--flood-prefixes, -f
    This option instructs the ra6 tool to flood the victim host with Prefix
    Information options. The number of Prefix Information options to be
    sent is specified as "-f number". When this option is specified, a "-P"
    option must be specified (with the usual syntax
    "-P prefix/length#flags#valid#preferred"), such that it instructs ra6
    about how to generate the Prefix Information options. The
    "prefix/length" specifies the length of the prefixes that will be
    included in each Prefix Information option. While the prefix length
    will be constant for all options, the actual prefix will be randomized.
    The rest of the parameters will be shared by all the prefixes, and have
    the same "defaults" as indicated in the description of the "-P" option.

--flood-sources, -F
    This option instructs the tool to send Router Advertisement messages
    from multiple addresses. The number of different sources is specified
    as "-F number". The Source Address of each Router Advertisement is
    randomly selected from the prefix specified by the "-s" option. If the
    "-F" option is specified but the "-s" option is left unspecified, the
    Source Address of the packets is randomly selected from the prefix
    fe80::/64 (link-local unicast). It should be noted that hosts are
    required to discard Router Advertisement messages that do not have a
    link-local unicast address as the Source Address.

--flood-routes, -w
    This option instructs the ra6 tool to flood the target with Route
    Information options. The number of Route Information options to be sent
    is specified as "-w number". When this option is specified, a "-R"
    option should be specified (with the usual syntax
    "-R prefix/length#preference#lifetime") such that ra6 is instructed
    about how to generate the Route Information options. The
    "prefix/length" specifies the length of the prefixes that will be
    included in each Route Information option. While the prefix length will
    be constant for all options, the actual prefix will be randomized. The
    rest of the parameters are shared by all the options, and have the same
    "default values" as indicated in the description of the "-R" option.

--flood-dns, -W
    This option instructs the ra6 tool to flood the target with random IPv6
    addresses (supposed to correspond to recursive DNS servers), by means
    of the Recursive DNS Server (RDNSS) option. The number of IPv6
    addresses that are to be sent to the target is specified as
    "-W number". As there is a limit on the number of IPv6 addresses that
    can be included in an RDNSS option, it may be necessary for the tool to
    split those addresses into several RDNSS options.

    It is possible to instruct ra6 about the maximum number of IPv6
    addresses that each RDNSS option should contain, by means of a second
    (and optional) parameter to the "-W" option. Namely, the tool can be
    instructed to send a total number of addresses ("totaladdresses") with
    up to some specific number ("addrsperoption") of addresses per RDNSS
    option in the form "-W totaladdresses#addrsperoption". This might be
    helpful if it is believed that the target implementation enforces a
    limit on the number of addresses it honors on a "per RDNSS option"
    basis, but no limit on the aggregate number of addresses. In such a
    case, an implementation might e.g. survive the attack "-W 5000", but
    still be vulnerable to the attack "-W 5000#3". The "Lifetime" value
    for these addresses can be specified by issuing a "-N" option with the
    desired "Lifetime" (this is analogous to how "--flood-routes" operates
    together with the "-R" option, and how "--flood-prefixes" operates
    together with the "-P" option).
--block-src, -j
    This option sets a block filter for the incoming Router Solicitation
    messages based on their IPv6 Source Address. It allows the
    specification of an IPv6 prefix in the form "-j prefix/prefixlen". If
    the prefix length is not specified, a prefix length of "/128" is
    selected (i.e., the option assumes that a single IPv6 address, rather
    than an IPv6 prefix, has been specified).

--block-dst, -k
    This option sets a block filter for the incoming Router Solicitation
    messages, based on their IPv6 Destination Address. It allows the
    specification of an IPv6 prefix in the form "-k prefix/prefixlen". If
    the prefix length is not specified, a prefix length of "/128" is
    selected (i.e., the option assumes that a single IPv6 address, rather
    than an IPv6 prefix, has been specified).

--block-link-src, -J
    This option sets a block filter for the incoming Router Solicitation
    messages, based on their link-layer Source Address. The option must be
    followed by a link-layer address (this option is only valid for
    Ethernet interfaces).

--block-link-dst, -K
    This option sets a block filter for the incoming Router Solicitation
    messages, based on their link-layer Destination Address. The option
    must be followed by a link-layer address (this option is only valid for
    Ethernet interfaces).

--accept-src, -b
    This option sets an accept filter for the incoming Router Solicitation
    messages, based on their IPv6 Source Address. It allows the
    specification of an IPv6 prefix in the form "-b prefix/prefixlen". If
    the prefix length is not specified, a prefix length of "/128" is
    selected (i.e., the option assumes that a single IPv6 address, rather
    than an IPv6 prefix, has been specified).

--accept-dst, -g
    This option sets an accept filter for the incoming Router Solicitation
    messages, based on their IPv6 Destination Address. It allows the
    specification of an IPv6 prefix in the form "-g prefix/prefixlen". If
    the prefix length is not specified, a prefix length of "/128" is
    selected (i.e., the option assumes that a single IPv6 address, rather
    than an IPv6 prefix, has been specified).

--accept-link-src, -B
    This option sets an accept filter for the incoming Router Solicitation
    messages, based on their link-layer Source Address. The option must be
    followed by a link-layer address (this option is only valid for
    Ethernet interfaces).

--accept-link-dst, -G
    This option sets an accept filter for the incoming Router Solicitation
    messages, based on their link-layer Destination Address. The option
    must be followed by a link-layer address (this option is only valid for
    Ethernet interfaces).

--loop, -l
    This option instructs the ra6 tool to send periodic Router
    Advertisements to the destination node. The amount of time to pause
    between sending Router Advertisements can be specified by means of the
    "-z" option, and defaults to 1 second. Note that this option cannot be
    set in conjunction with the "-L" ("--listen") option.

--sleep, -z
    This option specifies the amount of time to pause between sending
    Router Advertisements. If left unspecified, it defaults to 1 second.

--listen, -L
    This option specifies that the tool should enter the "passive" mode
    (possibly after operating in active mode, if the ‘-d’ or ‘-D’ options
    were specified).

--verbose, -v
    This option instructs the ra6 tool to be verbose.

--help, -h
    Print help information for the ra6 tool.
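The header fields and options the entries above let you set (CurHop, lifetimes, the M/O/H/P bits and the preference, the source link-layer address, Prefix Information, MTU, Route Information and RDNSS options) have fixed on-the-wire layouts, and the receive-side rules the text mentions (Hop Limit must be 255, Source Address must be link-local, an implementation may cap how many RDNSS addresses it honors per option or in total) are easy to check once the message is decoded. The following Python is an added illustration, not code from the SI6 toolkit: it parses a Router Advertisement, flags the problems a receiver should care about, and builds a constructed sample packet from the values used in Examples #2 and #4 (plus a 2001:db8::/64 prefix option); the per-option and aggregate RDNSS limits are local policy knobs of this example, not toolkit options.

```python
"""Parse an ICMPv6 Router Advertisement and apply receiver-side checks.
Added illustration (not SI6 toolkit code); layouts per RFC 4861/4191/6106."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SLLA, OPT_PREFIX_INFO, OPT_MTU, OPT_ROUTE_INFO, OPT_RDNSS = 1, 3, 5, 24, 25
# Two-bit "Prf" field: 01 high, 00 medium, 11 low, 10 reserved (ra6's forbidden "-2")
PREFERENCE = {0b01: 1, 0b00: 0, 0b11: -1}


def _parse_option(otype, olen, body):
    """Decode one ND option body (the bytes after the Type/Length octets)."""
    if otype == OPT_SLLA:
        return {"type": "slla", "addr": ":".join(f"{b:02x}" for b in body[:6])}
    if otype == OPT_PREFIX_INFO and olen == 4:
        plen, flags, valid, preferred = struct.unpack("!BBII", body[:10])
        prefix = ipaddress.IPv6Address(body[14:30])    # 4 reserved bytes precede the prefix
        return {"type": "prefix", "prefix": f"{prefix}/{plen}",
                "on_link": bool(flags & 0x80), "autonomous": bool(flags & 0x40),
                "router_addr": bool(flags & 0x20), "valid": valid, "preferred": preferred}
    if otype == OPT_MTU and olen == 1:
        return {"type": "mtu", "mtu": struct.unpack("!I", body[2:6])[0]}
    if otype == OPT_ROUTE_INFO and 1 <= olen <= 3:
        plen, flags, lifetime = struct.unpack("!BBI", body[:6])
        prefix = ipaddress.IPv6Address(body[6:6 + (olen - 1) * 8].ljust(16, b"\0"))
        return {"type": "route", "prefix": f"{prefix}/{plen}",
                "preference": PREFERENCE.get((flags >> 3) & 3), "lifetime": lifetime}
    if otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
        lifetime = struct.unpack("!I", body[2:6])[0]
        servers = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
        return {"type": "rdnss", "lifetime": lifetime, "servers": servers}
    return {"type": "unknown", "code": otype, "length": olen}


def parse_ra(msg: bytes) -> dict:
    """Parse an ICMPv6 message (starting at the Type octet) as a Router Advertisement."""
    if len(msg) < 16:
        raise ValueError("RA shorter than 16 bytes")
    typ, code, _csum, cur_hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"cur_hop": cur_hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "home_agent": bool(flags & 0x20), "preference": PREFERENCE.get((flags >> 3) & 3),
          "nd_proxy": bool(flags & 0x04), "router_lifetime": lifetime,
          "reachable_time": reachable, "retrans_timer": retrans, "options": []}
    off = 16
    while off < len(msg):
        # RFC 4861: a zero-length or overrunning option means the whole packet is discarded
        if off + 2 > len(msg) or msg[off + 1] == 0 or off + msg[off + 1] * 8 > len(msg):
            raise ValueError("malformed option at offset %d" % off)
        end = off + msg[off + 1] * 8
        ra["options"].append(_parse_option(msg[off], msg[off + 1], msg[off + 2:end]))
        off = end
    return ra


def check_ra(msg: bytes, hop_limit: int, src: str, max_per_rdnss: int = 0, max_rdnss_total: int = 0) -> list:
    """Return the reasons a receiver should reject or distrust this RA (empty list = clean).
    The RDNSS limits are local policy of this example; 0 disables them."""
    problems = []
    if hop_limit != 255:
        problems.append(f"hop limit {hop_limit} != 255")
    if not ipaddress.IPv6Address(src).is_link_local:
        problems.append(f"source {src} is not link-local")
    ra = parse_ra(msg)
    if ra["preference"] is None:
        problems.append("reserved router preference value")   # RFC 4191 says treat as medium
    total = 0
    for opt in ra["options"]:
        if opt["type"] == "rdnss":
            total += len(opt["servers"])
            if max_per_rdnss and len(opt["servers"]) > max_per_rdnss:
                problems.append(f"RDNSS option carries {len(opt['servers'])} > {max_per_rdnss} servers")
        elif opt["type"] == "prefix" and opt["preferred"] > opt["valid"]:
            problems.append(f"prefix {opt['prefix']}: preferred lifetime exceeds valid lifetime")
    if max_rdnss_total and total > max_rdnss_total:
        problems.append(f"{total} RDNSS servers in one RA > {max_rdnss_total}")
    return problems


def build_sample_ra() -> bytes:
    """Constructed sample (checksum left zero): Example #2's header and SLLA/MTU
    options, a 2001:db8::/64 prefix option, and Example #4's two-server RDNSS option."""
    flags = 0x40 | (0b01 << 3)   # O bit set, preference High
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 5, flags, 100, 0xFFFFFFFF, 4000)
    slla = struct.pack("!BB6s", OPT_SLLA, 1, bytes.fromhex("000102030405"))
    mtu = struct.pack("!BBHI", OPT_MTU, 1, 0, 1400)
    pfx = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, 64, 0xC0, 0xFFFFFFFF, 0xFFFFFFFF, 0,
                      ipaddress.IPv6Address("2001:db8::").packed)
    rdnss = (struct.pack("!BBHI", OPT_RDNSS, 5, 0, 1000)
             + ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("2001:db8::1").packed)
    return hdr + slla + mtu + pfx + rdnss


if __name__ == "__main__":
    sample = build_sample_ra()
    print(parse_ra(sample))
    print(check_ra(sample, hop_limit=255, src="fe80::1234"))
    print(check_ra(sample, hop_limit=64, src="2001:db8::5", max_per_rdnss=1))
```

The last call in the block shows the kind of RA the "-A" and "--flood-sources" entries say a conforming host must drop (wrong Hop Limit, non-link-local source); the RDNSS knobs reproduce the "per option" versus "aggregate" distinction the "--flood-dns" entry draws, so a receiver that only enforces max_per_rdnss can still be fed many addresses across many options.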
The following sections illustrate typical use cases of the ra6 tool.
Example #1
# ra6 -i eth0 -P 2001::/64#LA -P 2002::/64#A -e -L
Listen ("-L") for incoming Router Solicitations on interface eth0
("-i eth0"), and advertise the prefix 2001::/64 for both on-link
determination and auto-configuration ("-P 2001::/64#LA") and the
prefix 2002::/64 only for auto-configuration ("-P 2002::/64#A").
Include a source link-layer address option ("-e") in the Router
Advertisements.
Example #2
# ra6 -i eth0 -d fe80::1 -D 01:02:03:04:05:06 -c 5 --lifetime 100 -o -e -M 1400
Use the network interface "eth0" to send a Router Advertisement using
a random link-local IPv6 Source Address and a random Ethernet Source Address,
to the IPv6 Destination address fe80::1 and the Ethernet Destination Address
01:02:03:04:05:06. The Router Advertisement includes a "Router
Lifetime" of 100, and advertises a CurHop value of 5 (i.e., a recommended
"Hop Limit" of "5"). The ‘O’ bit is set
(thus indicating that other configuration information is available via DHCP).
The Router Advertisement includes a source link-layer address option
(containing the same address as the Ethernet Source Address of the packet) and
an MTU option with a value of 1400.
Example #3
# ra6 -i eth0 --flood-sources 10 --flood-routes 50 --flood-prefixes 40 -R ::/64#1 -P ::/48#LA -L -e
Listen for incoming Router Solicitation messages on the interface
"eth0", and respond with Router Advertisements from 10 different
link-local unicast IPv6 Source Addresses (randomized) and 10 different
(randomized) Ethernet Source Addresses. Each Router Advertisement includes 50
Route Information options, each of them with a randomized /64 prefix and a
preference of 1 ("high"). The Router Advertisements also contain 40
Prefix Information options, each with a randomized /48 prefix and the
‘A’ (auto-configuration) and ‘L’ (on-link
determination) bits set. In addition, each Router Advertisement includes a
source link-layer address option, containing the same (randomized) address as
that used for the Ethernet Source Address field.
Example #4
# ra6 -i eth0 -N 1000#fe80::1#2001:db8::1 -L
Listen for incoming Router Solicitation messages, and respond with a Router
Advertisement that contains one RDNSS option with two IPv6 addresses (fe80::1
and 2001:db8::1), with a Lifetime of "1000". All Router Solicitation
messages sent to multicast addresses will be responded using the same
(randomized) IPv6 Source Address and the same (randomized) Ethernet Source
Address. Router Solicitation messages destined to unicast addresses will be
responded with Router Advertisements using the IPv6 Destination Address and
the Ethernet Destination Address of the incoming Router Solicitation message
for the IPv6 Source Address and the Ethernet Source Address of the Router
Advertisement, respectively.
Example #5
# ra6 -i eth0 -s fe80::1234 -S 00:01:02:03:04:05 -d fe80::1 -N 900 --flood-dns 1000#10 -L
Flood the target (fe80::1) with 1000 random IPv6 addresses of Recursive DNS
Servers, with a maximum of 10 addresses per RDNSS option. Each RDNSS option
has a "Lifetime" of 900. Packets are sent with an IPv6 Source
Address of "fe80::1234" and an Ethernet Source Address of
"00:01:02:03:04:05". Once the target has been attacked, listen for
incoming Router Solicitation messages and respond with the same
"flood" packets (the Ethernet Source Address and the IPv6 Source
Address will change if the Router Solicitation messages have been sent to a
unicast address, though).
See "Security/Robustness Assessment of IPv6 Neighbor Discovery Implementations"
(available at
<http://www.si6networks.com/tools/ipv6toolkit/si6networks-ipv6-nd-assessment.pdf>)
for a discussion of Neighbor Discovery vulnerabilities, and additional
examples of how to use the na6 tool to exploit them.
The ra6 tool and the corresponding manual pages were produced by Fernando Gont
<[email protected]> for SI6 Networks <http://www.si6networks.com>.
Copyright (c) 2011-2013 Fernando Gont.

Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.3 or any later version
published by the Free Software Foundation; with no Invariant Sections, no
Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available
at <http://www.gnu.org/licenses/fdl.html>.