Discussion:
A problem with an ICMPv6 redirect message
Mounir ASSAF
2010-05-17 13:10:43 UTC
Hello,

I've noticed something odd while sniffing an ICMPv6 redirect packet with Scapy. It fails to correctly dissect the packet inside the ICMPv6NDOptRedirectedHdr layer. I think this is due to the reserved option "res" of this layer which is defined as a ShortField (2 bytes), when it should be a 6-byte field (http://tools.ietf.org/html/rfc2461#page-31).

scapy/layers/inet6.py :
class ICMPv6NDOptRedirectedHdr(_ICMPv6NDGuessPayload, Packet):
....
XShortField("res",0),
TruncPktLenField("pkt", "", IPv6, 4,
length_from = lambda pkt: 8*pkt.len-4) ]


Regards,
Mounir



Mounir ASSAF

Junior security expert
Standard : +33 1 41 91 77 77 * Fax : +33 1 41 91 77 78

215, avenue Georges Clemenceau * 92024 NANTERRE

Jochen Bartl
2010-05-17 22:19:18 UTC
Hello Mounir,

you are right, the field size should be indeed 6 bytes. I have fixed the
problem in the community repository[1] and opened a ticket [2] regarding
the problem.

Best Regards,

Jochen


1) http://hg.secdev.org/scapy-com/rev/eca7e1d072da
2) http://trac.secdev.org/scapy/ticket/351
Arnaud Ebalard
2010-05-18 07:27:35 UTC
Hi Jochen,
Post by Jochen Bartl
you are right, the field size should be indeed 6 bytes.
That's correct.
Post by Jochen Bartl
I have fixed the problem in the community repository[1] and opened a
ticket [2] regarding the problem.
I just took a quick look and I think you need to update the lambdas too
(for length computation).

Cheers,

a+

---------------------------------------------------------------------
To unsubscribe, send a mail to scapy.ml-***@secdev.org
Jochen Bartl
2010-05-18 16:12:05 UTC
Hi Arnaud,

oh yes, you are right. Seems like I should have a closer look at
problems next time, before fixing them in a hurry ;-)

It will take me a bit longer to solve the problem, because after fixing
the lambda calculation I ran into an issue with padding.

IPv6 packets are padded so that the length is a multiple of 8 bytes. But
the ICMPv6NDOptRedirectedHdr length field also includes the padding of
the outer IPv6 header in its calculation. This results in 4 additional
bytes that are appended to the outer IPv6 header in the packet of my
example pcap file.

http://verbosemo.de/~lobo/files/ICMPv6_redirect.pcap

In [45]: p = rdpcap("ICMPv6_redirect.pcap")[0]
In [46]: p[ICMPv6NDOptRedirectedHdr].len = None
In [47]: p.show()
###[ Ethernet ]###
dst= c2:02:2d:5e:00:00
src= c2:00:2d:5e:00:00
type= 0x86dd
###[ IPv6 ]###
version= 6L
tc= 224L
fl= 0L
plen= 160
nh= ICMPv6
hlim= 255
src= fe80::c000:2dff:fe5e:0
dst= 2001:23::3
###[ ICMPv6 Neighbor Discovery - Redirect ]###
type= Redirect Message
code= 0
cksum= 0xd082
res= 0x0
tgt= fe80::c001:2dff:fe5e:0
dst= 2001:42::2
###[ ICMPv6 Neighbor Discovery Option - Destination Link-Layer Address ]###
type= 2
len= 1
lladdr= c2:01:2d:5e:00:00
###[ ICMPv6 Neighbor Discovery Option - Redirected Header ]###
type= 4
len= None
res= ''
\pkt\
|###[ IPv6 ]###
| version= 6L
| tc= 0L
| fl= 0L
| plen= 60
| nh= ICMPv6
| hlim= 64
| src= 2001:23::3
| dst= 2001:42::2
|###[ ICMPv6 Echo Request ]###
| type= Echo Request
| code= 0
| cksum= 0x9935
| id= 0x1941
| seq= 0x0
| data= '\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123'
|###[ Padding ]###
| load= '\x00\x00\x00\x00'


In [48]: p.show2()
###[ Ethernet ]###
dst= c2:02:2d:5e:00:00
src= c2:00:2d:5e:00:00
type= 0x86dd
###[ IPv6 ]###
version= 6L
tc= 224L
fl= 0L
plen= 160
nh= ICMPv6
hlim= 255
src= fe80::c000:2dff:fe5e:0
dst= 2001:23::3
###[ ICMPv6 Neighbor Discovery - Redirect ]###
type= Redirect Message
code= 0
cksum= 0xd082
res= 0x0
tgt= fe80::c001:2dff:fe5e:0
dst= 2001:42::2
###[ ICMPv6 Neighbor Discovery Option - Destination Link-Layer Address ]###
type= 2
len= 1
lladdr= c2:01:2d:5e:00:00
###[ ICMPv6 Neighbor Discovery Option - Redirected Header ]###
type= 4
len= 14
res= ''
\pkt\
|###[ IPv6 ]###
| version= 6L
| tc= 0L
| fl= 0L
| plen= 60
| nh= ICMPv6
| hlim= 64
| src= 2001:23::3
| dst= 2001:42::2
|###[ ICMPv6 Echo Request ]###
| type= Echo Request
| code= 0
| cksum= 0x9935
| id= 0x1941
| seq= 0x0
| data= '\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./0123'
|###[ Padding ]###
| load= '\x00\x00\x00\x00'
###[ Padding ]###
load= '\x00\x00\x00\x00'



I'm trying to find a solution to the problem, but any hints are highly
appreciated.

Regards,

Jochen
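
Added example (not part of the thread, and not Scapy's code): a standard-library parser for the Redirected Header option, assuming the RFC 2461 layout of type, length in 8-octet units and 6 reserved bytes. The sample packet is constructed from the field values in the show() output above; the function names are hypothetical, and trimming the trailing bytes by the inner IPv6 plen is one possible way to separate the padding, not the fix from the repository.

```python
import struct
from ipaddress import IPv6Address

OPT_REDIRECTED_HDR = 4
OPT_HDR_LEN = 8  # type (1) + len (1) + reserved (6)

def sample_inner() -> bytes:
    """Constructed sample: the redirected IPv6 echo request from the show() output."""
    hdr = struct.pack("!IHBB", 0x60000000, 60, 58, 64)  # version 6, plen 60, nh ICMPv6, hlim 64
    hdr += IPv6Address("2001:23::3").packed + IPv6Address("2001:42::2").packed
    echo = struct.pack("!BBHHH", 128, 0, 0x9935, 0x1941, 0) + bytes(range(52))
    return hdr + echo  # 40 + 60 = 100 bytes

def build_redirected_hdr(inner: bytes) -> bytes:
    """Serialize the option, zero-padding it to a multiple of 8 bytes."""
    pad = -(OPT_HDR_LEN + len(inner)) % 8
    length = (OPT_HDR_LEN + len(inner) + pad) // 8  # len field counts 8-byte units
    return struct.pack("!BB6x", OPT_REDIRECTED_HDR, length) + inner + b"\x00" * pad

def parse_redirected_hdr(opt: bytes, reserved_len: int = 6):
    """Return (inner_packet, padding); reserved_len=2 mimics the old 2-byte field."""
    if len(opt) < OPT_HDR_LEN:
        raise ValueError("option shorter than its fixed header")
    opt_type, length = struct.unpack_from("!BB", opt)
    if opt_type != OPT_REDIRECTED_HDR or length == 0 or 8 * length > len(opt):
        raise ValueError("malformed Redirected Header option")
    body = opt[2 + reserved_len:8 * length]
    if len(body) < 40 or body[0] >> 4 != 6:
        raise ValueError("no IPv6 header where the inner packet should start")
    (plen,) = struct.unpack_from("!H", body, 4)
    end = min(40 + plen, len(body))  # inner packet may have been truncated by the router
    return body[:end], body[end:]

if __name__ == "__main__":
    opt = build_redirected_hdr(sample_inner())
    inner, padding = parse_redirected_hdr(opt)
    print(opt[1], len(inner), padding)
    try:
        parse_redirected_hdr(opt, reserved_len=2)
    except ValueError as exc:
        print("2-byte reserved field:", exc)
```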