Provided by: ipv6toolkit_2.0-1_amd64 

NAME
ra6 - A security assessment tool for attack vectors based on ICMPv6 Router Advertisement messages
SYNOPSIS
ra6 [-i INTERFACE] [-s SRC_ADDR[/LEN]] [-d DST_ADDR] [-y FRAG_SIZE] [-u DST_OPT_HDR_SIZE] [-U
DST_OPT_U_HDR_SIZE] [-H HBH_OPT_HDR_SIZE] [-S LINK_SRC_ADDR] [-D LINK_DST_ADDR] [-c CUR_HOP] [-t
ROUTER_LIFETIME] [-r REACHABLE_TIME] [-x RETRANS_TIMER] [-m] [-o] [-a] [-q] [-p PREFERENCE] [-E
LINK_ADDR] [-e] [-P PREFIX/LEN[#FLAGS[#VALID[#PREFERRED]]]] [-M MTU] [-N [LIFETIME[#DNS_ADDR]]] [-R
PREFIX/LEN[#PREF[#LIFETIME]]] [-f N_PREFIXES] [-F N_SOURCES] [-w N_ROUTES] [-W N_ADDRS[#ADDRSPEROPT]] [-j
PREFIX[/LEN]] [-k PREFIX[/LEN]] [-J LINK_ADDR] [-K LINK_ADDR] [-b PREFIX[/LEN]] [-g PREFIX[/LEN]] [-B
LINK_ADDR] [-G LINK_ADDR] [-L] [-v] [-h]
DESCRIPTION
ra6 allows the assessment of IPv6 implementations with respect to a variety of attacks based on ICMPv6
Router Advertisement messages. This tool is part of the SI6 Networks' IPv6 Toolkit: a security assessment
suite for the IPv6 protocols.
This tool has two modes of operation: active and passive. In active mode, the tool attacks a specific
target, while in passive mode the tool listens to traffic on the local network, and launches an attack in
response to such traffic. Active mode is employed when an Ethernet destination address and/or an IPv6
destination address are specified. Passive mode is employed when the "-L" option (or its long variant
"--listen") is specified. In passive mode, the ra6 tool listens for incoming Router Solicitation messages
and responds with the Router Advertisement attack messages. If both a destination address and the "-L"
option are specified, the tool first employs active mode to attack the specified target, and then
enters passive mode to respond to Router Solicitation messages with Router Advertisement attack packets.
OPTIONS
ra6 takes its parameters as command-line options. Each of the options can be specified with a short name
(one character preceded with the hyphen character, as e.g. "-i") or with a long name (a string preceded
with two hyphen characters, as e.g. "--interface").
Depending on the amount of information (i.e., options and option data) to be conveyed into the Router
Advertisements, it may be necessary for ra6 to split that information into more than one Router
Advertisement message. This may be particularly the case when the "--flood-prefixes", "--flood-routes", or
"--flood-dns" options are used. Also, when the ra6 tool is instructed to flood the victim with Router
Advertisements from different sources ("--flood-sources" option), multiple packets may need to be
generated. ra6 supports IPv6 fragmentation, which may be of use if a large amount of information needs to
be conveyed within a single Router Advertisement message. IPv6 fragmentation is not enabled by default,
and must be explicitly enabled with the "-y" option.
The tool supports filtering of incoming Router Solicitation messages based on the Ethernet Source
Address, the Ethernet Destination Address, the IPv6 Source Address, and the IPv6 Destination Address.
There are two types of filters: "block filters" and "accept filters". If any "block filter" is specified,
and the incoming Router Solicitation message matches any of those filters, the message is discarded (and
thus no Router Advertisements are sent in response). If any "accept filter" is specified, incoming Router
Solicitation messages must match the specified filters in order for the ra6 tool to respond with Router
Advertisement messages.
-i INTERFACE, --interface INTERFACE
This option specifies the network interface that the tool will use. If the destination address
("-d" option) is a link-local address, or the "listening" ("-L") mode is selected, the interface
must be explicitly specified. The interface may also be specified along with a destination
address, with the "-d" option.
-s SRC_ADDR, --src-address SRC_ADDR
This option specifies the IPv6 Source Address (or IPv6 prefix) to be used for the Router
Advertisement messages. If left unspecified, a randomized link-local unicast (fe80::/64) address
is selected.
-d DST_ADDR, --dst-address DST_ADDR
This specifies the IPv6 Destination Address of the Router Advertisement messages. If this option
is left unspecified, but the Ethernet Destination Address is specified, the "all-nodes link-local
multicast" address (ff02::1) is selected as the IPv6 Destination Address.
When operating in passive mode ("-L" option), the IPv6 Destination Address is selected according
to the IPv6 Source Address of the Router Solicitation message. If the IPv6 Source Address of the
Router Solicitation is the unspecified address (::), the "all-nodes link-local multicast" address
(ff02::1) is used as the IPv6 Destination Address. Otherwise, the IPv6 Source Address of the
incoming Router Solicitation message is used as the IPv6 Destination Address of the outgoing
Router Advertisement messages.
--hop-limit, -A
This option specifies the Hop Limit of the Router Advertisement messages. It defaults to 255. Note
that IPv6 nodes are required to check that the Hop Limit of incoming Router Advertisement messages
is 255. Therefore, this option is only useful to assess whether an IPv6 implementation fails to
enforce the aforementioned check.
-y SIZE, --frag-hdr SIZE
This option specifies that the resulting packet must be fragmented. The fragment size must be
specified as an argument to this option.
-u HDR_SIZE, --dst-opt-hdr HDR_SIZE
This option specifies that a Destination Options header is to be included in the resulting packet.
The extension header size must be specified as an argument to this option (the header is filled
with padding options). Multiple Destination Options headers may be specified by means of multiple
"-u" options.
-U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE
This option specifies a Destination Options header to be included in the "unfragmentable part" of
the resulting packet. The header size must be specified as an argument to this option (the header
is filled with padding options). Multiple Destination Options headers may be specified by means of
multiple "-U" options. This option is only valid if the "-y" option is specified (as the concept
of "unfragmentable part" only makes sense when fragmentation is employed).
-H HDR_SIZE, --hbh-opt-hdr HDR_SIZE
This option specifies that a Hop-by-Hop Options header is to be included in the resulting packet.
The header size must be specified as an argument to this option (the header is filled with padding
options). Multiple Hop-by-Hop Options headers may be specified by means of multiple "-H" options.
--curhop, -c
This option specifies the CurHop value that is included in Router Advertisement messages. This is
the value that nodes should use for the "Hop Limit" field of the IPv6 packets they send. If this
option is not specified, the CurHop value defaults to 255.
--lifetime, -t
This option specifies the Router Lifetime value that is included in Router Advertisement messages.
The Router Lifetime is the amount of time (in seconds) that the router can be used as a "default
router". If this option is left unspecified, a Router Lifetime value of 9000 seconds is selected.
--reachable, -r
This option specifies the Reachable Time value that is included in Router Advertisement messages.
The Reachable Time is the amount of time in milliseconds that a neighbor is considered
"reachable" after a reachability confirmation. If this option is left unspecified, a Reachable
Time of 0xffffffff ("infinity") is selected.
--retrans, -x
This option specifies the Retrans Timer value that is included in Router Advertisement messages.
The Retrans Timer specifies the amount of time in milliseconds between retransmitted Neighbor
Solicitation messages (with ‘0’ meaning "unspecified by this router"). If this option is left
unspecified, a Retrans Timer of 4000 milliseconds is selected.
--managed, -m
This option causes the ra6 tool to set the ‘M’ (Managed) bit in the Router Advertisement messages
that it sends. The ‘M’ bit indicates that network configuration is "managed" (e.g., DHCPv6 should
be used instead). If left unspecified, the ‘M’ bit is not set.
--other, -o
This option causes the ra6 tool to set the ‘O’ ("Other") bit in the Router Advertisement messages
that it sends. The ‘O’ bit indicates that additional configuration information is available
through other means (e.g., DHCPv6). If left unspecified, the ‘O’ bit is not set.
--home-agent, -a
This option causes the ra6 tool to set the ‘H’ ("Home Agent") bit in the Router Advertisement
messages that it sends (the ‘H’ bit is specified in RFC 3775). If this option is left
unspecified, the ‘H’ bit is not set.
--nd-proxy, -q
This option causes the ra6 tool to set the ‘P’ ("ND Proxy") bit in the Router Advertisement
messages that it sends (the "P" bit is specified in RFC4389). If this option is left unspecified,
the ‘P’ bit is not set.
--preference, -p
This option specifies the Preference field of the Router Advertisement messages, with "1" meaning
"High", "0" meaning "Normal", and "-1" meaning "low" (the value "-2" is forbidden). If left
unspecified, a Preference value of "1" (High) is selected.
-S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR
This option specifies the link-layer Source Address of the Router Advertisement messages (this
option is only valid for Ethernet interfaces). If left unspecified, the link-layer Source Address
is randomized.
When operating in passive mode, the link-layer Source Address is selected according to the IPv6
Destination Address of the incoming Router Solicitation messages. If the IPv6 Destination Address
of the incoming Router Solicitation message is a multicast address (usually the "all-routers link-
local multicast" address "ff02::02"), the link-layer Source Address is set to the address
specified by the "-S" option (or to a random address if the "-S" option was left unspecified). If
the IPv6 Destination Address of the incoming Router Solicitation is not a multicast address (i.e.,
it is a unicast address), the link-layer Source Address is set to the Ethernet Destination Address
of the incoming Router Solicitation message.
-D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR
This option is meant to specify the link-layer Destination Address of the Router Advertisement
messages (this option is only valid for Ethernet interfaces). If left unspecified, it is set to
"33:33:00:00:00:01" (the Ethernet multicast address corresponding to the IPv6 "all-nodes link-
local multicast" address).
When operating in passive mode, the link-layer Destination Address is set depending on the IPv6
Source Address of the incoming Router Solicitation message. If the IPv6 Source Address of the
incoming Router Solicitation message is the unspecified address (::), the link-layer destination
address is set to "33:33:00:00:00:01" (the Ethernet multicast address corresponding to the IPv6
"all-nodes link-local multicast" address). Otherwise, the link-layer Destination Address is set to
the same value as the link-layer Source Address of the incoming Router Solicitation message.
--source-lla-opt, -E
This option specifies the contents of a source link-layer address option to be included in the
Router Advertisement messages. If a single option is specified, it is included in all the outgoing
Router Advertisement messages. If more than one source link-layer address is specified, they are
included only in the first packet of a set of Router Advertisements (if more than one Router
Advertisement needs to be sent in order to convey all the specified information).
--add-slla-opt, -e
This option instructs the ra6 tool to include a source link-layer address option in the Router
Advertisement messages. The link-layer address included in the option is the same as the Ethernet
Source Address used for the outgoing Router Advertisement message. The difference between this
option and the "-E" option is that this option does not specify the actual value of the option, but
just instructs the tool to include the option (the actual value of the option is selected according
to the Ethernet Source Address used in the outgoing packet).
--prefix-opt, -P
This option specifies the contents of a Prefix Information option to be included in Router
Advertisement messages, with the following format: "-P prefix/length#flags#valid#preferred", where
"prefix/length" is a mandatory field that indicates an IPv6 prefix (e.g., "2001::/16"). "flags" is
an optional argument that indicates which flags should be set for this prefix (‘L’ for the "on-
link" flag, ‘A’ for the "autonomous address-configuration" flag, ‘R’ for "Router Address", and ‘-’
for indicating that no flags should be set for this prefix) -- if this field is left unspecified,
the "L" and "A" flags are set in the specified Prefix Information option. "valid" is an
optional field that indicates the "Valid Lifetime" for this prefix (the length of time in seconds
during which this information can be used for on-link determination). If left unspecified, a value
of 0xffffffff (infinity) is used. "preferred" is an optional argument that specifies the
"Preferred Lifetime" value for this prefix (the length of time in seconds that addresses generated
from this prefix via stateless address auto-configuration remain preferred). If left unspecified,
a value of 0xffffffff (infinity) is used.
--route-opt, -R
This option specifies the contents of a Route Information option to be included in Router
Advertisement messages, with the following format: "-R prefix/length#preference#lifetime", where
"prefix/length" is a mandatory field that indicates an IPv6 prefix (e.g., "2001::/16").
"preference" is an optional argument that indicates the preference of this prefix (with ‘1’
meaning "high", ‘0’ meaning "normal", ‘-1’ meaning "low", and ‘-2’ being an invalid value). If
this field is left unspecified, a value of ‘1’ (i.e., "high") is selected. "lifetime" is an
optional parameter that specifies the "Route Lifetime" for the specified route (the period of time
during which this information can be used for route determination). If left unspecified, a value
of 0xffffffff (infinity) is selected.
--mtu-opt, -M
This option is meant to specify the value of a MTU option that should be included in Router
Advertisements. Multiple MTU options can be specified.
--rdnss-opt, -N
This option allows the advertisement of a number of recursive DNS servers by means of the RDNSS
option. A "Lifetime" parameter (32 bits) indicates the amount of time (in seconds) that the
specified DNS server(s) may be used for name resolution. Multiple IPv6 addresses can be specified
in the same RDNSS option in the form "--rdnss-opt lifetime#ipv6address1#ipv6address2". Also, more
than one RDNSS option may be specified.
--flood-prefixes, -f
This option instructs the ra6 tool to flood the victim host with Prefix information options. The
number of Prefix Information options to be sent is specified as "-f number". When this option is
specified, a "-P" option must be specified (with the usual syntax "-P
prefix/length#flags#valid#preferred"), such that it instructs ra6 about how to generate the Prefix
Information options. The "prefix/length" specifies the length of the prefixes that will be
included in each Prefix Information option. While the prefix length will be constant for all
options, the actual prefix will be randomized. The rest of the parameters will be shared by all
the prefixes, and have the same "defaults" as indicated in the description of the "-P" option.
--flood-sources, -F
This option instructs the tool to send Router Advertisement messages from multiple addresses. The
number of different sources is specified as "-F number". The Source Address of each Router
Advertisement is randomly selected from the prefix specified by the "-s" option. If the "-F"
option is specified but the "-s" option is left unspecified, the Source Address of the packets is
randomly selected from the prefix fe80::/64 (link-local unicast). It should be noted that hosts
are required to discard Router Advertisement messages that do not have a link-local unicast
address as the Source Address.
--flood-routes, -w
This option instructs the ra6 tool to flood the target with Route Information options. The number
of Route Information options to be sent is specified as "-w number". When this option is
specified, a "-R" option should be specified (with the usual syntax "-R
prefix/length#preference#lifetime") such that ra6 is instructed about how to generate the Route
Information options. The "prefix/length" specifies the length of the prefixes that will be included
in each Route Information option. While the prefix length will be constant for all options, the
actual prefix will be randomized. The rest of the parameters are shared by all the options,
and have the same "default values" as indicated in the description of the "-R" option.
--flood-dns, -W
This option instructs the ra6 tool to flood the target with random IPv6 addresses (supposed to
correspond to recursive DNS servers), by means of the Recursive DNS Server (RDNSS) option. The
number of IPv6 addresses that are to be sent to the target is specified as "-W number". As there
is a limit in the number of IPv6 addresses that can be included in a RDNSS option, it may be
necessary for the tool to split those addresses into several RDNSS options.
It is possible to instruct ra6 about the maximum number of IPv6 addresses that each RDNSS
option should contain, by means of a second (and optional) parameter to the "-W" option. Namely,
the tool can be instructed to send a total number of addresses ("totaladdresses") with up to some
specific number ("addrsperoption") of addresses per RDNSS option in the form "-W
totaladdresses#addrsperoption". This might be helpful if it is believed that the target
implementation enforces a limit on the number of addresses it honors on a "per RDNSS option"
basis, but no limit on the aggregate number of addresses. In such a case, an implementation might
e.g. survive the attack "-W 5000", but still be vulnerable to the attack "-W 5000#3". The
"Lifetime" value for these addresses can be specified by issuing a "-N" option with the desired
"Lifetime" (this is analogous to how the "--flood-routes" operates together with the "-R" option,
and how the "--flood-prefixes" operates together with the "-P" option).
--block-src, -j
This option sets a block filter for the incoming Router Solicitation messages based on their IPv6
Source Address. It allows the specification of an IPv6 prefix in the form "-j prefix/prefixlen".
If the prefix length is not specified, a prefix length of "/128" is selected (i.e., the option
assumes that a single IPv6 address, rather than an IPv6 prefix, has been specified).
--block-dst, -k
This option sets a block filter for the incoming Router Solicitation messages, based on their IPv6
Destination Address. It allows the specification of an IPv6 prefix in the form "-k
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128" is selected
(i.e., the option assumes that a single IPv6 address, rather than an IPv6 prefix, has been
specified).
--block-link-src, -J
This option sets a block filter for the incoming Router Solicitation messages, based on their
link-layer Source Address. The option must be followed by a link-layer address (this option is
only valid for Ethernet interfaces).
--block-link-dst, -K
This option sets a block filter for the incoming Router Solicitation messages, based on their
link-layer Destination Address. The option must be followed by a link-layer address (this option
is only valid for Ethernet interfaces).
--accept-src, -b
This option sets an accept filter for the incoming Router Solicitation messages, based on their
IPv6 Source Address. It allows the specification of an IPv6 prefix in the form "-b
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128" is selected
(i.e., the option assumes that a single IPv6 address, rather than an IPv6 prefix, has been
specified).
--accept-dst, -g
This option sets an accept filter for the incoming Router Solicitation messages, based on their
IPv6 Destination Address. It allows the specification of an IPv6 prefix in the form "-g
prefix/prefixlen". If the prefix length is not specified, a prefix length of "/128" is selected
(i.e., the option assumes that a single IPv6 address, rather than an IPv6 prefix, has been
specified).
--accept-link-src, -B
This option sets an accept filter for the incoming Router Solicitation messages, based on their
link-layer Source Address. The option must be followed by a link-layer address (this option is
only valid for Ethernet interfaces).
--accept-link-dst, -G
This option sets an accept filter for the incoming Router Solicitation messages, based on their
link-layer Destination Address. The option must be followed by a link-layer address (this option
is only valid for Ethernet interfaces).
--loop, -l
This option instructs the ra6 tool to send periodic Router Advertisements to the destination node.
The amount of time to pause between sending Router Advertisements can be specified by means of the
"-z" option, and defaults to 1 second. Note that this option cannot be set in conjunction with the
"-L" ("--listen") option.
--sleep, -z
This option specifies the amount of time to pause between sending Router Advertisements. If left
unspecified, it defaults to 1 second.
--listen, -L
This option specifies that the tool should enter the "passive" mode (possibly after operating in
active mode, if the ‘-d’ or ‘-D’ options were specified).
--verbose, -v
This option instructs the ra6 tool to be verbose.
--help, -h
Print help information for the ra6 tool.
EXAMPLES
The following sections illustrate typical use cases of the ra6 tool.
Example #1
# ra6 -i eth0 -P 2001::/64#LA -P 2002::/64#A -e -L
Listen ("-L") for incoming Router Solicitations on interface eth0 ("-i eth0"), and advertise the prefix
2001::/64 for both on-link determination and auto-configuration ("-P 2001::/64#LA") and the prefix
2002::/64 only for auto-configuration ("-P 2002::/64#A"). Include a source link-layer address option
("-e") in the Router Advertisements.
Example #2
# ra6 -i eth0 -d fe80::1 -D 01:02:03:04:05:06 -c 5 --lifetime 100 -o -e -M 1400
Use the network interface "eth0" to send a Router Advertisement using a random link-local IPv6 Source
Address and a random Ethernet Source Address, to the IPv6 Destination address fe80::1 and the Ethernet
Destination Address 01:02:03:04:05:06. The Router Advertisement includes a "Router Lifetime" of 100, and
advertises a CurHop value of 5 (i.e., a recommended "Hop Limit" of "5"). The ‘O’ bit is set (thus
indicating that other configuration information is available via DHCP). The Router Advertisement includes
a source link-layer address option (containing the same address as the Ethernet Source Address of the
packet) and an MTU option with a value of 1400.
Example #3
# ra6 -i eth0 --flood-sources 10 --flood-routes 50 --flood-prefixes 40 -R ::/64#1 -P ::/48#LA -L -e
Listen for incoming Router Solicitation messages on the interface "eth0", and respond with Router
Advertisements from 10 different link-local unicast IPv6 Source Addresses (randomized) and 10 different
(randomized) Ethernet Source Addresses. Each Router Advertisement includes 50 Route Information options,
each of them with a randomized /64 prefix and a preference of 1 ("high"). The Router Advertisements also
contain 40 Prefix Information options, each with a randomized /48 prefix and the ‘A’ (auto-configuration)
and ‘L’ (on-link determination) bits set. In addition, each Router Advertisement includes a source
link-layer address option, containing the same (randomized) address as that used for the Ethernet Source
Address field.
Example #4
# ra6 -i eth0 -N 1000#fe80::1#2001:db8::1 -L
Listen for incoming Router Solicitation messages, and respond with a Router Advertisement that contains
one RDNSS option with two IPv6 addresses (fe80::1 and 2001:db8::1), with a Lifetime of "1000". All Router
Solicitation messages sent to multicast addresses will be responded using the same (randomized) IPv6
Source Address and the same (randomized) Ethernet Source Address. Router Solicitation messages destined
to unicast addresses will be responded with Router Advertisements using the IPv6 Destination Address and
the Ethernet Destination Address of the incoming Router Solicitation message for the IPv6 Source Address
and the Ethernet Source Address of the Router Advertisement, respectively.
Example #5
# ra6 -i eth0 -s fe80::1234 -S 00:01:02:03:04:05 -d fe80::1 -N 900 --flood-dns 1000#10 -L
Flood the target (fe80::1) with 1000 random IPv6 addresses of Recursive DNS Servers, with a maximum of 10
addresses per RDNSS option. Each RDNSS option has a "Lifetime" of 900. Packets are sent with an IPv6
Source Address of "fe80::1234" and an Ethernet Source Address of "00:01:02:03:04:05". Once the target has
been attacked, listen for incoming Router Solicitation messages and respond with the same "flood" packets
(the Ethernet Source Address and the IPv6 Source Address will change if the Router Solicitation messages
have been sent to a unicast address, though).
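Added example (not part of the ra6 manual or of the SI6 Networks toolkit): a receiver-side check, in Python, for the conditions the options above exercise. It verifies the Hop Limit of 255 and the link-local Source Address, and counts Prefix Information, Route Information and RDNSS entries per Router Advertisement, totalling RDNSS addresses across options rather than per option. The thresholds, function names and sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

ND_RA = 134                                   # ICMPv6 type of a Router Advertisement
OPT_PREFIX, OPT_ROUTE, OPT_RDNSS = 3, 24, 25  # Neighbor Discovery option types
# Assumed thresholds for this example; tune them to the monitored network.
LIMITS = {"prefixes": 8, "routes": 8, "rdnss_addrs": 3, "sources": 2}


def parse_ra_options(icmp: bytes):
    """Walk the options of an RA; return (Counter of option types, total RDNSS addresses)."""
    if len(icmp) < 16 or icmp[0] != ND_RA:
        raise ValueError("not a Router Advertisement")
    counts, rdnss_addrs, off = Counter(), 0, 16  # options follow the 16-byte RA header
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option")
        opt_type, units = icmp[off], icmp[off + 1]  # length is in units of 8 bytes
        if units == 0 or off + 8 * units > len(icmp):
            raise ValueError("bad option length")
        counts[opt_type] += 1
        if opt_type == OPT_RDNSS:
            rdnss_addrs += (units - 1) // 2  # 8-byte header, then 16 bytes per address
        off += 8 * units
    return counts, rdnss_addrs


def check_ra(src: str, hop_limit: int, icmp: bytes, limits=LIMITS):
    """Return a list of findings for one received RA (empty list means nothing flagged)."""
    findings = []
    if hop_limit != 255:
        findings.append("hop-limit-not-255")
    if not ipaddress.IPv6Address(src).is_link_local:
        findings.append("source-not-link-local")
    try:
        counts, rdnss_addrs = parse_ra_options(icmp)
    except ValueError as exc:
        return findings + [f"malformed: {exc}"]
    if counts[OPT_PREFIX] > limits["prefixes"]:
        findings.append(f"prefix-options={counts[OPT_PREFIX]}")
    if counts[OPT_ROUTE] > limits["routes"]:
        findings.append(f"route-options={counts[OPT_ROUTE]}")
    if rdnss_addrs > limits["rdnss_addrs"]:  # aggregate across all RDNSS options
        findings.append(f"rdnss-addresses={rdnss_addrs}")
    return findings


def too_many_routers(sources, limits=LIMITS):
    """True if RAs in one observation window came from more sources than expected."""
    return len({ipaddress.IPv6Address(s) for s in sources}) > limits["sources"]


# --- Constructed sample input (documentation prefix 2001:db8::/32, checksum left as 0) ---
def _header():
    return struct.pack("!BBHBBHII", ND_RA, 0, 0, 64, 0, 1800, 0, 0)

def _prefix_opt(prefix):
    return struct.pack("!BBBBIII", OPT_PREFIX, 4, 64, 0xC0, 86400, 14400, 0) \
        + ipaddress.IPv6Address(prefix).packed

def _rdnss_opt(addrs):
    return struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(addrs), 0, 900) \
        + b"".join(ipaddress.IPv6Address(a).packed for a in addrs)

NORMAL_RA = _header() + _prefix_opt("2001:db8:1::") + _rdnss_opt(["2001:db8::53"])
# Four RDNSS options of two addresses each: every option is small, the total is not.
SPLIT_RDNSS_RA = _header() + b"".join(
    _rdnss_opt([f"2001:db8:{i}::1", f"2001:db8:{i}::2"]) for i in range(4))
MANY_PREFIX_RA = _header() + b"".join(_prefix_opt(f"2001:db8:{i:x}::") for i in range(40))

if __name__ == "__main__":
    print(check_ra("fe80::1", 255, NORMAL_RA))
    print(check_ra("fe80::2", 255, SPLIT_RDNSS_RA))
    print(check_ra("2001:db8::99", 64, MANY_PREFIX_RA))
    print(too_many_routers(["fe80::1", "fe80::2", "fe80::3"]))
```
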
SEE ALSO
"Security/Robustness Assessment of IPv6 Neighbor Discovery Implementations" (available at:
<http://www.si6networks.com/tools/ipv6toolkit/si6networks-ipv6-nd-assessment.pdf>) for a discussion of
Neighbor Discovery vulnerabilities, and additional examples of how to use the na6 tool to exploit them.
AUTHOR
The ra6 tool and the corresponding manual pages were produced by Fernando Gont <fgont@si6networks.com>
for SI6 Networks <http://www.si6networks.com>.
COPYRIGHT
Copyright (c) 2011-2013 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free
Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with
no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is available
at <http://www.gnu.org/licenses/fdl.html>.
RA6(1)