MLD Considered Harmful - Breaking Another IPv6 Subprotocol presented at DeepSec 2014

by Enno Rey, Antonios Atlasis, Jayson Salazar

Summary: Multicast Listener Discovery (MLD), together with its successor MLDv2, is a protocol of the IPv6 suite used by IPv6 routers to discover multicast listeners on a directly attached link, much like IGMP is used in IPv4. Most modern operating systems (OS), such as Windows, Linux and FreeBSD, not only come pre-configured with IPv6 enabled, but also start up by sending MLDv2 traffic, which is repeated periodically. Despite this out-of-the-box usage of MLDv2, it is one of the IPv6 protocols that have not yet been studied to a suitable extent, especially as far as its potential security implications are concerned. These can range from OS fingerprinting on the local link by passively sniffing the wire to amplified DoS attacks. In this presentation, we will first study and analyse the default behaviour of some of the most popular OS. During this study, we will examine whether the specific OS implementations conform to the security measures defined by the corresponding RFCs and, if not, what the potential security implications are. Then, by diving into the specifications of the protocol, we will discuss potential security issues related to the design of MLD and how they can be exploited by attackers. Finally, specific security mitigation techniques will be proposed to defend against them, which will allow us to secure IPv6 networks to the best possible extent in the emerging IPv6 era. There will be demos and a tool release. ;-)

Enno Rey: Daniel and Enno are long-time network geeks who love to explore network devices & protocols and to break flawed ones.