Login

Documentation index

FAQ

Handbook

Documents

Terms of Service

RH Filtering issue

What is the RH filtering issue?

It has been shown recently that a malicious use of IPv6 Routing Headers type 0 can cause Denial of Service. As a consequence of this demonstration, many network administrators disabled RH processing on their routers. If we can be pleased by such initiative, we must complain when it has been done regardless to the type of Routing Header. Indeed Mobile IPv6 protocol makes use of the harmless Routing Headers type 2 and the RH filtering will block BAck messages on the way back to the Mobile Node.

Most of the time, administrators filter RH type 2 in addition to type 0 because of router's limitation or lack of knowledge. We encourage you to contact them and ask to consider MIPv6, and upgrade their equipment if needed.

How to check if the network I am visiting is affected by the RH filtering problem?

The simplest method to check whether or not there is a misconfigured router on the route from your Mobile Node to the Home Agent is to build fake BAck message with an incrementing Hop Limit and wait for an ICMPv6 Time Exceeded message. If you receive an ICMPv6 message, then it shows that there is no filtering until the responding router.

In theory, we should perform this check from the HA but doing it from the MN should also indicate the culprit router provided it filters on all network interfaces.

Note that this test can not give you a 100% certitude that the eventually found blocking routers are actually filtering RH0 but rather gives you a good indication for investigating the problem further.

Procedure

First, it is good to look at the path used to reach your Home Agent thanks to the traceroute6 tool: 

 $ traceroute6 $address_of_the_HA

Then, with scapy6 you will create a fake BAck (mobility message containing a Routing Header type 2) with a Hop Limit of 1: 

 # scapy6
 Welcome to Scapy (1.2.0)
 IPv6 enabled
 >>> ba = IPv6(dst='$address_of_the_HA')/ \
 ... IPv6ExtHdrRouting(type=2, addresses=['$your_HoA'])/ \
 ... MIP6MH_BA()
 >>> ba.hlim=1
 >>> r=sr1(ba)
 Begin emission:
 .Finished to send 1 packets.
 *
 Received 2 packets, got 1 answers, remaining 0 packets
 >>>

Good! We have received an answer. Let's check it is actually an ICMPv6 Time Exceeded: 

 >>> r.show()

Now let's increment the Hop Limit and continue until we reach the HA or no answers from a router: 

 >>> ba.hlim=6
 >>> r=sr1(ba)
 Begin emission:
 .Finished to send 1 packets.
 ............... # ^C to stop
 Received 15 packets, got 0 answers, remaining 1 packets
 >>>

We have no answers. The router is certainly filtering RH. We can have the IPv6 address of the last responding router: 

 >>> r.src

Thanks to your traceroute, you can know what is the address of the next router, corresponding to the one that certainly blocks RH type 2.

 Nautilus6
 WIDE
Powered by PmWiki