xenial (1) rs6.1.gz

Provided by: ipv6toolkit_2.0-1_amd64 bug

NAME

       rs6 - A security assessment tool for attack vectors based on ICMPv6 Router Solicitation messages

SYNOPSIS

       rs6   [-i  INTERFACE]  [-s  SRC_ADDR[/LEN]]  [-d  DST_ADDR]  [-y  FRAG_SIZE]  [-u  DST_OPT_HDR_SIZE]  [-U
       DST_OPT_U_HDR_SIZE] [-H HBH_OPT_HDR_SIZE] [-S LINK_SRC_ADDR] [-D LINK-DST-ADDR] [-E LINK_ADDR]  [-e]  [-F
       N_SOURCES] [-z SECONDS] [-l] [-v] [-h]

DESCRIPTION

       rs6  allows  the  assessment of IPv6 implementations with respect to a variety of attacks based on ICMPv6
       Router Solicitation messages. This tool is part of the SI6 Networks' IPv6 Toolkit: a security  assessment
       suite for the IPv6 protocols.

OPTIONS

       rs6  takes its parameters as command-line options. Each of the options can be specified with a short name
       (one character preceded with the hyphen character, as e.g. "-i") or with a long name (a  string  preceded
       with two hyphen characters, as e.g. "--interface").

       Depending  on  the  amount  of information (i.e., options and option data) to be conveyed into the Router
       Solicitations, it may be necessary  for  rs6  to  split  that  information  into  more  than  one  Router
       Solicitation.  Also,  when  the rs6 tool is instructed to flood the victim with Router Solicitations from
       different sources ("--flood-sources" option), multiple packets may need to  be  generated.  rs6  supports
       IPv6  fragmentation,  which  may be of use if a large amount of information needs to be conveyed within a
       single Router Solicitation message. IPv6 fragmentation is not enabled by default, and must be  explicitly
       enabled with the "-y" option.

       -i INTERFACE, --interface INTERFACE
              This  option  specifies  the  network interface that the tool will use. If the destination address
              ("-d" option) is a link-local address, the interface must be explicitly specified.  The  interface
              may also be specified along with a destination address, with the "-d" option.

       -s SRC_ADDR, --src-address SRC_ADDR

              This option is meant to specify the IPv6 Source Address (or IPv6 prefix) to be used for the Router
              Solicitation messages. If left unspecified, a randomized link-local unicast (fe80::/64) address is
              selected.

       -d DST_ADDR, --dst-address DST_ADDR

              This  option  specifies  the IPv6 Destination Address of the Router Solicitation messages. If left
              unspecified, but the Ethernet  Destination  Address  is  specified,  the  "all-routers  link-local
              multicast" address (ff02::2) is selected as the IPv6 Destination Address.

       --hop-limit, -A

              This  option  specifies  the  IPv6  Hop  Limit to be used for the Router Solicitation messages. It
              defaults to 255. Note that IPv6 nodes are required to check that the Hop Limit of incoming  Router
              Solicitation  messages  is  255.  Therefore,  this option is only useful to assess whether an IPv6
              implementation fails to enforce the aforementioned check.

       -y SIZE, --frag-hdr SIZE

              This option specifies that the resulting packet must be fragmented.  The  fragment  size  must  be
              specified as an argument to this option.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

              This option specifies that a Destination Options header is to be included in the resulting packet.
              The extension header size must be specified as an argument to this option (the  header  is  filled
              with  padding options). Multiple Destination Options headers may be specified by means of multiple
              "-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

              This option specifies a Destination Options header to be included in the "unfragmentable part"  of
              the  resulting packet. The header size must be specified as an argument to this option (the header
              is filled with padding options). Multiple Destination Options headers may be specified by means of
              multiple  "-U"  options. This option is only valid if the "-y" option is specified (as the concept
              of "unfragmentable part" only makes sense when fragmentation is employed).

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

              This option specifies that a Hop-by-Hop Options header is to be included in the resulting  packet.
              The header size must be specified as an argument to this option (the header is filled with padding
              options). Multiple Hop-by-Hop Options headers may be specified by means of multiple "-H" options.

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

              This  option  specifies  the  link-layer  Source  Address  of  the  Router  Solicitation  messages
              (currently,  only  Ethernet  is  supported). If left unspecified, the link-layer Source Address is
              randomized.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

              This option specifies the link-layer Destination  Address  of  the  Router  Solicitation  messages
              (currently,  only  Ethernet is supported). If left unspecified, the link-layer Destination Address
              is set to "33:33:00:00:00:02" (the Ethernet address that corresponds  to  the  "all-routers  link-
              local multicast" address).

       --source-lla-opt, -E

              This  option  specifies  the  contents of a source link-layer address option to be included in the
              Router Solicitation messages. If more than one source link-layer address is specified (by means of
              multiple  "-E"  options),  and  all  the resulting options cannot be conveyed into a single Router
              Solicitation, multiple Router Solicitations will be sent as needed.

       --add-slla-opt, -e

              This option instructs the rs6 tool to include a source link-layer address  option  in  the  Router
              Solicitation  messages that it sends. The link-layer address included in the option is the same as
              the Ethernet Source Address used for the outgoing Router Solicitation messages.

       --flood-sources, -F

              This option instructs the rs6 tool to send Router Solicitations from multiple  (and  random)  IPv6
              Source  Addresses.  The  number  of different sources is specified as "-F number". The IPv6 Source
              Address of each Router Solicitation is a randomized from the IPv6 prefix specified with  the  "-s"
              option, and defaults to a random link-local unicast address (fe80::/64).

       --loop, -l

              This  option instructs the rs6 tool to send periodic Router Solicitations to the destination node.
              The amount of time to pause between sending Neighbor Solicitations can be specified  by  means  of
              the "-z" option, and defaults to 1 second.

       --sleep, -z

              This  option  instructs  the  rs6  tool  to  the  amount  of  time to pause between sending Router
              Solicitation messages. If left unspecified, it defaults to 1 second.

       --verbose, -v

              This option instructs the rs6 tool to be verbose.

       --help, -h

              Print help information for the rs6 tool.

EXAMPLES

       The following sections illustrate typical use cases of the rs6 tool.

       Example #1

       # rs6 -i eth0 -e

       Use the network interface "eth0" to send a Router Solicitation using a  random  link-local  unicast  IPv6
       Source  Address  and  a  random Ethernet Source Address, to the IPv6 Destination Address "ff02::2" ("all-
       routers link-local multicast"  address,  selected  by  default)  and  the  Ethernet  Destination  Address
       "33:33:00:00:00:02"  (selected  by  default).  The  Router Solicitation also includes a source link-layer
       address option, that contains the same Ethernet address as that used for the Ethernet Source  Address  of
       the packet.

       Example #2

       # rs6 -i eth0 -e -F 100 -l -z 10 -v

       Send  100  Router  Solicitation  messages  using  a random Ethernet Source Address and random IPv6 Source
       Address for each of them, to the Ethernet Destination Address "33:33:00:00:00:02" (default) and the  IPv6
       Destination  Address  "ff02:2"  (default).  Each message includes a source link-layer address option that
       contains the same link-layer address as that used for the Ethernet Source Address of the  packet.  Repeat
       this operation every ten seconds. Be verbose.

       Example #3

       # rs6 -i eth0 -d fe80::1 -E ff:ff:ff:ff:ff:ff -v

       Send  one  Router  Solicitation  message  using  a random Ethernet Source Address and a random link-local
       unicast (i.e., fe80::/64) IPv6 Source Address, to the Ethernet  Destination  Address  "33:33:00:00:00:02"
       (default)  and  the  IPv6 Destination Address "fe80::1". Each Router Solicitation includes a source link-
       layer address option that contains the Ethernet address "ff:ff:ff:ff:ff:ff". Be verbose.

SEE ALSO

       "Security/Robustness  Assessment   of   IPv6   Neighbor   Discovery   Implementations"   (available   at:
       <http://www.si6networks.com/tools/ipv6toolkit/si6networks-ipv6-nd-assessment.pdf>)  for  a  discussion of
       Neighbor Discovery vulnerabilities, and additional examples of how to use the na6 tool to exploit them.

AUTHOR

       The rs6 tool and the corresponding manual pages were produced by  Fernando  Gont  <fgont@si6networks.com>
       for SI6 Networks <http://www.si6networks.com>.

       Copyright (c) 2011-2013 Fernando Gont.

       Permission  is  granted  to  copy, distribute and/or modify this document under the terms of the GNU Free
       Documentation License, Version 1.3 or any later version published by the Free Software  Foundation;  with
       no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.  A copy of the license is available
       at <http://www.gnu.org/licenses/fdl.html>.

                                                                                                          RS6(1)