English / Japanese / Spanish / French / Korean

KAME project's action on Type 0 Routing Header issue

Background

At the CanSecWest2007, a report titled `Fun with IPv6 routing headers' was presented indicating that the IPv6 Type 0 Routing Header can be used as an attacking method. One of the described attacks can exploit any two IPv6 nodes that handles the Type 0 Routing Header as described in RFC2460, including the KAME/BSD based nodes, to consume the bandwidth between those two nodes. Although the presentation slides on this type of attack have some technical errors, the main threat still seems to exist.

KAME Project's Action

The KAME project performed the following actions to fix the issue and to prevent the issue from being used as a method of attacks.

Recommendation

There is no need to panic, but it is strongly recommended to apply the above change (see also the security advisory from BSDs below) and reboot the kernel, especially for those IPv6 nodes that are widely known and attached to a high-bandwidth link.

Related Announcements

Contact Points

If you have any questions on this issue that can be publicly discussed, please send them to snap-users at kame.net, the users mailing list for the KAME products. Please use core at kame.net (closed mailing list for KAME developers only) should you want to keep the questions confidential.