Provided by: ipv6toolkit_2.0-1_amd64 
NAME
rd6 - A security assessment tool for attack vectors based on ICMPv6 Redirect messages
SYNOPSIS
rd6 [-i INTERFACE] [-s SRC_ADDR[/LEN]] [-d DST_ADDR] [-S LINK_SRC_ADDR] [-D LINK-DST-ADDR]
[-A HOP_LIMIT] [-y FRAG_SIZE] [-u DST_OPT_HDR_SIZE] [-U DST_OPT_U_HDR_SIZE] [-H
HBH_OPT_HDR_SIZE] [-r RD_DESTADDR/LEN] [-t RD_TARGETADDR/LEN] [-p PAYLOAD_TYPE] [-P
PAYLOAD_SIZE] [-n] [-c HOP_LIMIT] [-x SRC_ADDR] [-a SRC_PORT] [-o DST_PORT] [-X TCP_FLAGS]
[-q TCP_SEQ] [-Q TCP_ACK] [-V TCP_URP] [-w TCP_WIN] [-M] [-O] [-N] [-E LINK_ADDR] [-e] [-j
PREFIX[/LEN]] [-k PREFIX[/LEN]] [-J LINK_ADDR] [-K LINK_ADDR] [-b PREFIX[/LEN]] [-g
PREFIX[/LEN]] [-B LINK_ADDR] [-G LINK_ADDR] [-f] [-R N_DESTS] [-T N_TARGETS] [-F
N_SOURCES] [-L | -l] [-z] [-v] [-h]
DESCRIPTION
rd6 allows the assessment of IPv6 implementations with respect to a variety of attack
vectors based on ICMPv6 Redirect messages. This tool is part of the SI6 Networks' IPv6
Toolkit: a security assessment suite for the IPv6 protocols.
This tool has two modes of operation: active and passive. In active mode, the tool attacks
a specific target, while in passive mode the tool listens to traffic on the local network,
and launches an attack in response to such traffic. Active mode is employed if an IPv6
Destination Address, a Redirect Destination Address, and a Redirect Target Address are
specified. Passive mode is employed if the "-L" option (or its long counterpart
"--listen") is set. If both an attack target and the "-L" option are specified, the attack
is launched against the specified target, and then the tool enters passive mode to respond
incoming packets with ICMPv6 Redirect messages.
The tool supports filtering of incoming packets based on the Ethernet Source Address, the
Ethernet Destination Address, the IPv6 Source Address, and the IPv6 Destination Address.
There are two types of filters: "block filters" and "accept filters". If any "block
filter" is specified, and the incoming packet matches any of those filters, the message is
discarded (and thus no Redirect messages are sent in response). If any "accept filter" is
specified, incoming packets must match the specified filters in order for the tool to
respond with Redirect messages.
OPTIONS
rd6 takes it parameters as command-line options. Each of the options can be specified with
a short name (one character preceded with the hyphen character, as e.g. "-i") or with a
long name (a string preceded with two hyphen characters, as e.g. "--interface").
Depending on the amount of information (i.e., options) to be conveyed into the ICMPv6
Redirect messages, it may be necessary for the rd6 tool to split that information into
more than one Redirect message. Also, if the tool is instructed to e.g. flood the victim
with Redirect messages from different sources ("--flood-sources" option), multiple packets
may need to be generated. rd6 supports IPv6 fragmentation, which might be of use to
circumvent layer-2 filtering and/or Network Intrusion Detection Systems (NIDS). However,
IPv6 fragmentation is not enabled by default, and must be explicitly enabled with the "-y"
option.
-i INTERFACE, --interface INTERFACE
This option specifies the network interface that the tool will use. If the
destination address ("-d" option) is a link-local address, or the "listening"
("-L") mode is selected, the interface must be explicitly specified. The interface
may also be specified along with a destination address, with the "-d" option.
-s SRC_ADDR, --src-address SRC_ADDR
This option specifies the IPv6 source address (or IPv6 prefix) to be used for the
Source Address of the attack packets. This address typically corresponds to the
IPv6 link-local address of the default router. If the "-F" ("--flood-sources")
option is specified, this option includes an IPv6 prefix, from which random
addresses are selected. See the description of the "-F" option for further
information on how the "-s" option is processed in that specific case.
Note: Instead of specifying the "Source Address" with this option, the
"--learn-router" option could be set, such that the tool automatically learns the
IPv6 link-local address of the default router, and uses this address for the
"Source Address" of the Redirect messages.
-d DST_ADDR, --dst-address DST_ADDR
This option specifies the IPv6 Destination Address of the victim. It can be left
unspecified only if the "-L" option is selected (i.e., if the tool is to operate in
"Passive" mode).
When operating in passive mode ("-L" option), the IPv6 Destination Address is
selected according to the IPv6 Source Address of the incoming packet.
--hop-limit, -A
This option specifies the Hop Limit to be used for the Redirect messages. It
defaults to 255. Note that IPv6 nodes are required to check that the Hop Limit of
incoming Redirect messages is 255. Therefore, this option is only useful to assess
whether an IPv6 implementation fails to enforce the aforementioned check.
-y SIZE, --frag-hdr SIZE
This option specifies that the resulting packet must be fragmented. The fragment
size must be specified as an argument to this option.
-u HDR_SIZE, --dst-opt-hdr HDR_SIZE
This option specifies that a Destination Options header is to be included in the
resulting packet. The extension header size must be specified as an argument to
this option (the header is filled with padding options). Multiple Destination
Options headers may be specified by means of multiple "-u" options.
-U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE
This option specifies a Destination Options header to be included in the
"unfragmentable part" of the resulting packet. The header size must be specified as
an argument to this option (the header is filled with padding options). Multiple
Destination Options headers may be specified by means of multiple "-U" options.
This option is only valid if the "-y" option is specified (as the concept of
"unfragmentable part" only makes sense when fragmentation is employed).
-H HDR_SIZE, --hbh-opt-hdr HDR_SIZE
This option specifies that a Hop-by-Hop Options header is to be included in the
resulting packet. The header size must be specified as an argument to this option
(the header is filled with padding options). Multiple Hop-by-Hop Options headers
may be specified by means of multiple "-H" options.
-S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR
This option specifies the link-layer Source Address of the Redirect messages (this
option is only valid for Ethernet interfaces). If left unspecified, the link-layer
Source Address is randomized. However, if this option is left unspecified, but the
"--learn-router" option is set, the link-layer Source Address is set to that of the
default router for the local network.
-D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR
This option specifies the link-layer Destination Address of the Redirect messages
(this option is only valid for Ethernet interfaces). If left unspecified, it is set
to the "all-nodes link-local multicast" address (ff02::1).
When operating in passive mode, the link-layer Destination Address is set according
to the link-layer Source Address of the incoming packet.
--redir-target, -t
This option specifies the Target Address of the Redirect messages. If the "-T"
("--flood-targets") option is specified, this option specifies an IPv6 prefix in
the form "-t prefix/prefixlen". See the description of the "-T" option for further
information on how the "-t" option is processed in that specific case.
This option can be left unspecified only if the "--make-onlink" option is selected,
in which case the Redirect Target Address is set to the same value as the Redirect
Destination address.
--redir-dest, -r
This option specifies the Redirect Destination Address. If the "-R"
("--flood-dests") option is specified, this option specifies an IPv6 prefix in the
form "-r prefix/prefixlen". See the description of the "-R" option for further
information on how the "-t" option is processed in that specific case.
--payload-type, -p
This option specifies the payload type to be included in the Redirect Payload.
Currently supported payloads are "TCP", "UDP", and "ICMP6". The payload-type
defaults to "TCP".
--payload-size, -P
Size of the payload to be included in the Redirect message (with the payload type
being specified by the "-p" option). By default, as many bytes as possible are
included, without exceeding the minimum IPv6 MTU (1280 bytes).
--no-payload, -n
This option specifies that no payload (i-e-, no Redirected Header option) should be
included in the Redirect message.
--ipv6-hlim, -c
This option specifies the Hop Limit of the IPv6 packet included in the payload of
the Redirect message. It defaults to 255.
--peer-addr, -x
This option specifies the IPv6 Source Address of the Redirect payload. If left
unspecified, the IPv6 Source Address of the Redirect payload is set to the same
value as the IPv6 Destination Address of the packet. This option is only employed
for packets sent in "active" mode.
Note: this option might be useful to check whether an implementation validates the
contents of the Redirect message.
--redir-port, -o
This option specifies the Destination Port of the TCP or UDP packet contained in
the Redirect payload.
Note: This option is meaningful only if "TCP" or "UDP" have been specified with the
"-p" option.
--peer-port, -a
This option specifies the Source Port of the TCP or UDP packet contained in the
Redirect payload.
Note: This option is meaningful only if "TCP" or "UDP" have been specified with the
"-p" option.
--tcp-flags, -X
This option specifies the flags of the TCP header contained in the Redirect
payload. The flags are specified as "F" (FIN), "S" (SYN), "R" (RST), "P" (PSH), "A"
(ACK), "U" (URG), "X" (no flags). If left uspecified, only the "ACK" bit is set.
Note: This option is meaningful only if "TCP" has been specified with the "-p"
option.
--tcp-seq, -q
This option specifies the Sequence Number of the TCP header contained in the
Redirect payload. If left unspecified, the Sequence Number is randomized.
Note: This option is meaningful only if "TCP" has been specified with the "-p"
option.
--tcp-ack, -Q
This option specifies the Acknowledgment Number of the TCP header contained in the
Redirect payload. If left unspecified, the Acknowledgment Number is randomized.
Note: This option is meaningful only if "TCP" has been specified with the "-p"
option.
--tcp-urg, -V
This option specifies the Urgent Pointer of the TCP header contained in the
Redirect payload. If left unspecified, the Urgent Pointer is set to 0.
Note: This option is meaningful only if "TCP" has been specified with the "-p"
option.
--tcp-win, -w
This option specifies the Window of the TCP header contained in the Redirect
payload. If left unspecified, the Window is randomized.
Note: This option is meaningful only if "TCP" has been specified with the "-p"
option.
--resp-mcast, -M
This option specifies that, when operating in "passive" mode, the tool should also
respond to packets sent to multicast addresses. By default, the tool does not send
Redirects in response to packets sent to multicast addresses.
--make-onlink, -O
This option instructs the tool to set the Redirect Target Address to the same value
as the Redirect Destination Address, thus causing the specified address to be
considered "on-link".
--learn-router, -N
This option instructs the tool to learn the link-layer and the (link-local) IPv6
addresses of the local router by means of Router Solicitation and Router
Advertisement messages. If the IPv6 Source Address or the link-layer Source Address
are left unspecified, the corresponding values learned with this option will be
used.
Note: This option is very useful to avoid having to manually enter the IPv6 and/or
Ethernet addresses of the router.
--target-lla-opt, -E
This option specifies the contents of a target link-layer address option to be
included in the Redirect messages. If a single option is specified, it is included
in all the outgoing Redirect messages. If more than one target link-layer address
is specified (by means of multiple "-E" options), and all the resulting options
cannot be conveyed into a single Redirect message, multiple Redirect messages will
be sent as needed.
--add-tlla-opt, -e
This option instructs the rd6 tool to include a target link-layer address option in
the Redirect messages that it sends. When this option is employed, the link-layer
Source Address must be specified, and such value will be used for the target
link-layer address option. The difference between this option and the "-E" option
is that the "-e" option does not specify the actual value of the option, but just
instructs the tool to include a target link-layer address option (the actual value
of the option is selected as explained before).
-j SRC_ADDR, --block-src SRC_ADDR
This option sets a block filter for the incoming packets, based on their IPv6
Source Address. It allows the specification of an IPv6 prefix in the form "-j
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
is selected (i.e., the option assumes that a single IPv6 address, rather than an
IPv6 prefix, has been specified).
-k DST_ADDR, --block-dst DST_ADDR
This option sets a block filter for the incoming Neighbor Solicitation messages,
based on their IPv6 Destination Address. It allows the specification of an IPv6
prefix in the form "-k prefix/prefixlen". If the prefix length is not specified, a
prefix length of "/128" is selected (i.e., the option assumes that a single IPv6
address, rather than an IPv6 prefix, has been specified).
-J SRC_ADDR, --block-link-src SRC_ADDR
This option sets a block filter for the incoming packets, based on their link-layer
Source Address. The option must be followed by a link-layer address (this option is
only valid for Ethernet interfaces).
-K DST_ADDR, --block-link-dst DST_ADDR
This option sets a block filter for the incoming packets, based on their link-layer
Destination Address. The option must be followed by a link-layer address (this
option is only valid for Ethernet interfaces).
-b SRC_ADDR, --accept-src SRC_ADDR
This option sets an accept filter for the incoming packets, based on their IPv6
Source Address. It allows the specification of an IPv6 prefix in the form "-b
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
is selected (i.e., the option assumes that a single IPv6 address, rather than an
IPv6 prefix, has been specified).
-g DST_ADDR, --accept-dst DST_ADDR
This option sets a accept filter for the incoming packets, based on their IPv6
Destination Address. It allows the specification of an IPv6 prefix in the form "-g
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128"
is selected (i.e., the option assumes that a single IPv6 address, rather than an
IPv6 prefix, has been specified).
-B SRC_ADDR, --accept-link-src SRC_ADDR
This option sets an accept filter for the incoming Neighbor Solicitation messages,
based on their link-layer Source Address. The option must be followed by a
link-layer address (this option is only valid for Ethernet interfaces).
-G DST_ADDR, --accept-link-dst DST_ADDR
This option sets an accept filter for the incoming packets, based on their
link-layer Destination Address. The option must be followed by a link-layer address
(this option is only valid for Ethernet interfaces).
--sanity-filters, -w
This option automatically adds an "accept filter" for the link-layer Destination
Address corresponding to the local router (either learned as a result of the
"--learn-router" option, or specified by the "-S" option), and a block filter for
the IPv6 Source Address fe80::/16.
Note: This option is desirable in virtually all scenarios, such that the tool does
not respond to link-local traffic, etc.
--flood-dests, -R
This option instructs the rd6 tool to send multiple Redirect messages for different
Redirect Destination Addresses. The number of different Redirect Destination
Addresses is specified as "-R number". The Redirect Destination Address of each
packet is randomly selected from the prefix ::/0, unless a different prefix has
been specified by means of the "-r" option.
--flood-targets, -T
This option instructs the rd6 tool to send multiple Redirect messages for different
Redirect Target Addresses. The number of different Target Addresses is specified as
"-T number". The Target Address of each packet is randomly selected from the prefix
fe80::/64, unless a different prefix has been specified by means of the "-t"
option.
--flood-sources, -F
This option instructs the tool to send multiple Redirect messages with different
Source Addresses. The number of different sources is specified as "-F number". The
Source Address of each Redirect message is randomly selected from the prefix
specified by the "-s" option. If the "-F" option is specified but the "-s" option
is left unspecified, the Source Address of the packets is randomly selected from
the prefix fe80::/64 (link-local unicast). It should be noted that hosts are
required to discard Redirect messages whose IPv6 Source address does not match the
(link-local) IPv6 address of the router used for the Redirect Destination Address.
--loop, -l
This option instructs the rd6 tool to send periodic Redirect messages to the victim
node. The amount of time to pause between sending Redirect messages can be
specified by means of the "-z" option, and defaults to 1 second. Note that this
option cannot be set in conjunction with the "-L" ("--listen") option.
--sleep, -z
This option specifies the amount of time to pause between sending Redirect messages
(when the "--loop" option is set). If left unspecified, it defaults to 1 second.
--listen, -L
This instructs the rd6 tool to operate in passive mode (possibly after attacking a
given node). Note that this option cannot be used in conjunction with the "-l"
("--loop") option.
--verbose, -v
This option instructs the rd6 tool to be verbose. When the option is set twice,
the tool is "very verbose", and the tool also informs which packets have been
accepted or discarded as a result of applying the specified filters.
--help, -h
Print help information for the rd6 tool.
EXAMPLES
The following sections illustrate typical use cases of the rd6 tool.
Example #1
# rd6 -i eth0 --learn-router --sanity-filters -L --make-onlink -v
The tool uses the network interface "eth0", and operates in passive mode ("-L" option).
The IPv6 and Ethernet address of the local router is automatically learned by means of
RS/RA messages. Basic filters are employed to avoid responding to incorrect/unnecessary
packets ("--sanity-filters"). Each Redirect message will contain the Redirect Target
Address set to the same value as the Redirect Destination Address, thus causing the
corresponding address to be considered "on-link" ("--make-onlink" option). The tool will
print detailed information about the attack ("-v" option).
Example #2
# rd6 -i eth0 --learn-router -d 2001:db8::1 -r 2001:db8::/64 -t fe80::bad -R 100 -l -v
Flood the victim host (specified with the "-d" option) with batches of 100 Redirect
messages ("-R 100" option). Each Redirect message redirects a random address from the
prefix "2001:db8::/64" to the address "fe80::bad". The IPv6 and link-layer addresses of
the current local router is dynamically learned by means of RS/RA messages
("--learn-router" option). The process is repeated every second ("-l" option, with the
default delay of 1 second).
SEE ALSO
"Security/Robustness Assessment of IPv6 Neighbor Discovery Implementations" (available at:
<http://www.si6networks.com/tools/ipv6toolkit/si6networks-ipv6-nd-assessment.pdf>) for a
discussion of Neighbor Discovery vulnerabilities, and additional examples of how to use
the na6 tool to exploit them.
AUTHOR
The rd6 tool and the corresponding manual pages were produced by Fernando Gont
<fgont@si6networks.com> for SI6 Networks <http://www.si6networks.com>.
COPYRIGHT
Copyright (c) 2011-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of
the GNU Free Documentation License, Version 1.3 or any later version published by the Free
Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is available at <http://www.gnu.org/licenses/fdl.html>.
RD6(1)