[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: RFC2460 problem - error processing of Routing Header



Hi Shresh.

> This packet will NEVER reach host-4. Consider the packet when it 
> reaches router-1
<<< snipped >>>
> router-1 will follow the algorithm for RH processing. The Segments Left is 
> greater than 0. So it will check the header ext len and find it to be odd. 
> It will drop the packet and send an ICMP message back to host-0. I guess 
> the general idea is that the first destination node will detect the 
> problem with the header ext len.

Of course what you said is true, but it is the case
when the first destination node (and all intermediate nodes)
was normal.

What I said in previous mail is the case when the packet
reached to End Node unfortunately.

e.g., If all routers via which the packet goes have broken
(although it is a very rare case) and overlook the invalid
Hdr.Ext.Len, the trouble will happen.

e.g., If an evil node transmit the packet with odd Hdr.Ext.Len
and zero Segment Left suddenly, the trouble will happen.

Isn't it connected with other vulnerabilities and become
a security hole etc.?


-- 
OOTOMO Hiroyuki <Hiroyuki.Ootomo@jp.yokogawa.com>

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------