Unsafe routing option in IPv6

The developers of FreeBSD and Linux have released new kernel versions which by default ignores type 0 IPv6 routing headers. This is intended to prevent denial of service attacks that consume a lot of bandwidth on a link between two hosts. In addition, the route of a connection can be manipulated to, for example, fool firewalls. The developers of OpenBSD have also released a security fix, after installing which the kernel no longer processes such headers.

The routing header introduced in IPv6 allows, as for source routing in IPv4, the route a packet should take to be specified irrespective of the router's routing table. For security reasons, source routing is, however, not supported by most IPv4 routers and firewalls. The same problem is now present in IPv6, though it seems that the world has only woken up to this following the "IPv6 Routing Header Security" presentation by security specialists Philippe Biondi and Arnaud Ebalard at CanSecWest 2007. What makes it even worse is that the standard (RFC 2460) leaves vendors no room for manoeuvre - processing of such headers is a compulsory part of the specification. Looked at in this way, this option is actually a design fault in the protocol.

Biondi and Ebalard mention other affected vendors - Apple, Cisco, Juniper, NetBSD - in their report. It can be assumed that these vendors will also be producing updates in the near future. Windows XP and Windows Vista do not suffer from this problem, as they simply ignore type 0 IPv6 routing headers.

See also:

• Linux kernel 2.6.20.9 changelog, description on kernel.org
• IPv6 Routing Header 0 is dangerous, security advisory from FreeBSD
• OpenBSD 3.9 release errata & patch, bug reports from OpenBSD
• IPv6 Routing Header Security, presentation by Philippe Biondi and Arnaud Ebalard

(mba)