DHCPv6 Flip-Flop Vulnerability

Summary

Neither Mac OS X nor Windows 7 handles DHCPv6 correctly. The Windows 7 error leads to intermittent connectivity when two routers are sending conflicting Router Advertisements, while the Mac OS X behavior leads to a steady configuration with the wrong addresses.

I learned about this from Jeff Carrell, who visited my class and demonstrated the Windows problem.

Here's my setup, which consisted of two virtual Vyatta routers and a virtual Windows 7 computer, all on the Mac OS X host.

Router 1: DHCPv6-Only

The first Vyatta router is handing out Router Advertisements with the Managed flag set to true, and no Prefix, so the addresses are determined solely by DHCPv6.

Here's the Vyatta configuration:

Here's a Wireshark capture of the RA it's sending out:

And here's the result on a Windows 7 virtual machine:

The Vyatta is handing out addresses in the 2001:db8:6::/64 subnet via DHCPv6 only, so the client gets one of them, and no SLAAC addresses. This is proper behavior, so far.

Router 2: SLAAC-Only

The second Vyatta router uses Stateless Autoconfiguration only, not DHCPv6.

Here's its configuration:

The Managed flag is off, so DHCPv6 is not used.

Here's a Wireshark capture of the RA it's sending out:

When this router is the only one connected to the Windows 7 client, it autoconfigures addresses as expected:

SLAAC makes one Temporary and one Preferred address, which is normal.

Flip-Flop

The problem happens when both of these routers are connected to the same client at the same time.

The interface flip-flops between these two states, constantly losing its DHCPv6 address:

One way to see this is to just ping the local DHCPv6 address:

There are periods of connectivity, followed by periods of no connectivity.

Here's the series of packets, captured by Wireshark:

Here's what the packets do:

You can download the PCAP file here:

FF5.pcap

Since routers typically send out Router Advertisements every ten minutes, this could really ruin your day troubleshooting. Things will work for intermittent periods of 5-10 minutes, then spontaneously stop working again.

This is WRONG, as explained by Jeff Carrell here:

http://article.gmane.org/gmane.network.ipv6.hackers/848

Windows 7 should retain the address it got from DHCPv6 till it expires, not just discard it the moment it gets an RA with the Managed bit off.
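
A monitoring-side check for the condition described above, added here as an example (not code from the original post): it parses Router Advertisements and reports when routers on the same link disagree on the Managed flag. The router link-local addresses, the SLAAC prefix, and the function names are assumptions constructed for the sample.

```python
import ipaddress
import struct

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861 layout)."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(icmp6[5] & 0x80), "slaac_prefixes": []}
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        # Prefix Information option with the Autonomous (A) flag set
        if opt_type == 3 and opt_len == 32 and icmp6[off + 3] & 0x40:
            prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["slaac_prefixes"].append(f"{prefix}/{icmp6[off + 2]}")
        off += opt_len
    return ra

def managed_flag_conflict(observed):
    """Group routers by M flag; return the groups only if they disagree."""
    groups = {True: set(), False: set()}
    for router, raw in observed:
        groups[parse_ra(raw)["managed"]].add(router)
    if groups[True] and groups[False]:
        return {"managed": sorted(groups[True]),
                "unmanaged": sorted(groups[False])}
    return None

def build_ra(managed: bool, prefix: str = None) -> bytes:
    """Construct a sample RA (checksum left as zero; test data only)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64,
                      0x80 if managed else 0, 1800, 0, 0)
    if prefix is None:
        return hdr
    net = ipaddress.IPv6Network(prefix)
    # flags 0xC0 = on-link (L) + autonomous (A)
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + opt + net.network_address.packed

# Constructed sample: router addresses and the SLAAC prefix are made up.
SAMPLE = [
    ("fe80::1", build_ra(managed=True)),  # M set, no Prefix (Router 1)
    ("fe80::2", build_ra(managed=False, prefix="2001:db8:ffff::/64")),
]

if __name__ == "__main__":
    print(managed_flag_conflict(SAMPLE))
```
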

Mac OS X

The Mac OS X host (Lion 10.7.5) on the same LAN behaves in a very different manner.

The Mac ignores DHCPv6 completely, and it also ignores the Managed flag and the lack of Prefix information in the RAs from the DHCPv6 server.

It just configures two SLAAC addresses for each router, and sits there steady as a rock, as shown below:

This seems wrong to me, but it's wrong in a less broken way than Windows 7.


Posted 5:28 PM Nov. 10, 2012 by Sam Bowne