Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
RD6(1)			    General Commands Manual			RD6(1)

NAME
       rd6 - A security	assessment tool	for attack vectors based on ICMPv6 Re-
       direct messages

SYNOPSIS
       rd6 [-i INTERFACE] [-s SRC_ADDR[/LEN]] [-d DST_ADDR] [-S	LINK_SRC_ADDR]
       [-D  LINK-DST-ADDR] [-A HOP_LIMIT] [-y FRAG_SIZE] [-u DST_OPT_HDR_SIZE]
       [-U DST_OPT_U_HDR_SIZE] [-H HBH_OPT_HDR_SIZE] [-r RD_DESTADDR/LEN]  [-t
       RD_TARGETADDR/LEN]   [-p	  PAYLOAD_TYPE]	 [-P  PAYLOAD_SIZE]  [-n]  [-c
       HOP_LIMIT] [-x SRC_ADDR]	[-a SRC_PORT] [-o DST_PORT] [-X	TCP_FLAGS] [-q
       TCP_SEQ]	 [-Q  TCP_ACK]	[-V  TCP_URP]  [-w TCP_WIN] [-M] [-O] [-N] [-E
       LINK_ADDR] [-e] [-j PREFIX[/LEN]] [-k PREFIX[/LEN]] [-J LINK_ADDR]  [-K
       LINK_ADDR]  [-b	PREFIX[/LEN]]  [-g  PREFIX[/LEN]]  [-B	LINK_ADDR] [-G
       LINK_ADDR] [-f] [-R N_DESTS] [-T	N_TARGETS] [-F N_SOURCES]  [-L	|  -l]
       [-z] [-v] [-h]

DESCRIPTION
       rd6 allows the assessment of IPv6 implementations with respect to a va-
       riety of	attack vectors based on	ICMPv6 Redirect	messages. This tool is
       part of the SI6 Networks' IPv6 Toolkit: a security assessment suite for
       the IPv6	protocols.

       This tool has two modes of operation: active  and  passive.  In	active
       mode,  the  tool	 attacks  a specific target, while in passive mode the
       tool listens to traffic on the local network, and launches an attack in
       response	 to  such traffic. Active mode is employed if an IPv6 Destina-
       tion Address, a Redirect	Destination Address, and a Redirect Target Ad-
       dress  are  specified.  Passive mode is employed	if the "-L" option (or
       its long	counterpart "--listen")	is set.	If both	an attack  target  and
       the "-L"	option are specified, the attack is launched against the spec-
       ified target, and then the tool enters passive mode to respond incoming
       packets with ICMPv6 Redirect messages.

       The  tool  supports filtering of	incoming packets based on the Ethernet
       Source Address, the Ethernet Destination	Address, the IPv6  Source  Ad-
       dress,  and  the	IPv6 Destination Address.  There are two types of fil-
       ters: "block filters" and "accept filters". If any  "block  filter"  is
       specified,  and	the  incoming packet matches any of those filters, the
       message is discarded (and thus no Redirect messages  are	 sent  in  re-
       sponse).	 If  any  "accept  filter" is specified, incoming packets must
       match the specified filters in order for	the tool to respond with Redi-
       rect messages.

OPTIONS
       rd6  takes  it  parameters as command-line options. Each	of the options
       can be specified	with a short name (one character preceded with the hy-
       phen  character,	 as  e.g. "-i")	or with	a long name (a string preceded
       with two	hyphen characters, as e.g. "--interface").

       Depending on the	amount of information (i.e., options) to  be  conveyed
       into the	ICMPv6 Redirect	messages, it may be necessary for the rd6 tool
       to split	that information into more than	one Redirect message. Also, if
       the  tool is instructed to e.g. flood the victim	with Redirect messages
       from different sources ("--flood-sources" option), multiple packets may
       need  to	 be generated. rd6 supports IPv6 fragmentation,	which might be
       of use to circumvent layer-2 filtering and/or Network Intrusion	Detec-
       tion  Systems (NIDS). However, IPv6 fragmentation is not	enabled	by de-
       fault, and must be explicitly enabled with the "-y" option.

       -i INTERFACE, --interface INTERFACE
	      This option specifies the	network	interface that the  tool  will
	      use.  If	the  destination address ("-d" option) is a link-local
	      address, or the "listening" ("-L") mode is selected, the	inter-
	      face  must  be  explicitly  specified. The interface may also be
	      specified	along with a destination address, with	the  "-d"  op-
	      tion.

       -s SRC_ADDR, --src-address SRC_ADDR

	      This  option  specifies the IPv6 source address (or IPv6 prefix)
	      to be used for the Source	Address	of the	attack	packets.  This
	      address  typically corresponds to	the IPv6 link-local address of
	      the default router. If the "-F"  ("--flood-sources")  option  is
	      specified,  this option includes an IPv6 prefix, from which ran-
	      dom addresses are	selected. See the description of the "-F"  op-
	      tion for further information on how the "-s" option is processed
	      in that specific case.

	      Note: Instead of specifying the "Source Address" with  this  op-
	      tion,  the  "--learn-router"  option could be set, such that the
	      tool automatically learns	the IPv6 link-local address of the de-
	      fault  router, and uses this address for the "Source Address" of
	      the Redirect messages.

       -d DST_ADDR, --dst-address DST_ADDR

	      This option specifies the	IPv6 Destination Address of  the  vic-
	      tim.  It	can be left unspecified	only if	the "-L" option	is se-
	      lected (i.e., if the tool	is to operate in "Passive" mode).

	      When operating in	passive	mode ("-L" option), the	IPv6  Destina-
	      tion Address is selected according to the	IPv6 Source Address of
	      the incoming packet.

       --hop-limit, -A

	      This option specifies the	Hop Limit to be	used for the  Redirect
	      messages.	 It defaults to	255. Note that IPv6 nodes are required
	      to check that the	Hop Limit of  incoming	Redirect  messages  is
	      255.  Therefore, this option is only useful to assess whether an
	      IPv6 implementation fails	to enforce the aforementioned check.

       -y SIZE,	--frag-hdr SIZE

	      This option specifies that the resulting packet  must  be	 frag-
	      mented.  The  fragment  size must	be specified as	an argument to
	      this option.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

	      This option specifies that a Destination Options header is to be
	      included in the resulting	packet.	The extension header size must
	      be specified as an argument to this option (the header is	filled
	      with  padding options). Multiple Destination Options headers may
	      be specified by means of multiple	"-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

	      This option specifies a Destination Options  header  to  be  in-
	      cluded in	the "unfragmentable part" of the resulting packet. The
	      header size must be specified as an argument to this option (the
	      header is	filled with padding options). Multiple Destination Op-
	      tions headers may	be specified by	means  of  multiple  "-U"  op-
	      tions. This option is only valid if the "-y" option is specified
	      (as the concept of "unfragmentable part" only makes  sense  when
	      fragmentation is employed).

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

	      This  option specifies that a Hop-by-Hop Options header is to be
	      included in the resulting	packet.	The header size	must be	speci-
	      fied  as	an  argument to	this option (the header	is filled with
	      padding options).	Multiple Hop-by-Hop  Options  headers  may  be
	      specified	by means of multiple "-H" options.

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

	      This option specifies the	link-layer Source Address of the Redi-
	      rect messages (this option is only  valid	 for  Ethernet	inter-
	      faces).  If  left	 unspecified, the link-layer Source Address is
	      randomized. However, if this option is left unspecified, but the
	      "--learn-router" option is set, the link-layer Source Address is
	      set to that of the default router	for the	local network.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

	      This option specifies the	link-layer Destination Address of  the
	      Redirect messages	(this option is	only valid for Ethernet	inter-
	      faces). If left unspecified, it is set to	the  "all-nodes	 link-
	      local multicast" address (ff02::1).

	      When  operating  in passive mode,	the link-layer Destination Ad-
	      dress is set according to	the link-layer Source Address  of  the
	      incoming packet.

       --redir-target, -t

	      This  option  specifies  the Target Address of the Redirect mes-
	      sages. If	the "-T" ("--flood-targets") option is specified, this
	      option  specifies	 an  IPv6  prefix  in the form "-t prefix/pre-
	      fixlen". See the description of the "-T" option for further  in-
	      formation	 on  how the "-t" option is processed in that specific
	      case.

	      This option can be left unspecified only if the  "--make-onlink"
	      option is	selected, in which case	the Redirect Target Address is
	      set to the same value as the Redirect Destination	address.

       --redir-dest, -r

	      This option specifies the	Redirect Destination Address.  If  the
	      "-R"  ("--flood-dests")  option is specified, this option	speci-
	      fies an IPv6 prefix in the form "-r prefix/prefixlen".  See  the
	      description  of  the  "-R" option	for further information	on how
	      the "-t" option is processed in that specific case.

       --payload-type, -p

	      This option specifies the	payload	type to	be included in the Re-
	      direct  Payload.	Currently supported payloads are "TCP",	"UDP",
	      and "ICMP6". The payload-type defaults to	"TCP".

       --payload-size, -P

	      Size of the payload to be	included in the	Redirect message (with
	      the  payload  type  being	 specified by the "-p" option).	By de-
	      fault, as	many bytes as possible are included, without exceeding
	      the minimum IPv6 MTU (1280 bytes).

       --no-payload, -n

	      This  option  specifies  that  no	 payload  (i-e-, no Redirected
	      Header option) should be included	in the Redirect	message.

       --ipv6-hlim, -c

	      This option specifies the	Hop Limit of the IPv6 packet  included
	      in the payload of	the Redirect message. It defaults to 255.

       --peer-addr, -x

	      This  option  specifies  the IPv6	Source Address of the Redirect
	      payload. If left unspecified, the	IPv6 Source Address of the Re-
	      direct  payload is set to	the same value as the IPv6 Destination
	      Address of the packet. This option is only employed for  packets
	      sent in "active" mode.

	      Note:  this option might be useful to check whether an implemen-
	      tation validates the contents of the Redirect message.

       --redir-port, -o

	      This option specifies the	Destination Port of  the  TCP  or  UDP
	      packet contained in the Redirect payload.

	      Note: This option	is meaningful only if "TCP" or "UDP" have been
	      specified	with the "-p" option.

       --peer-port, -a

	      This option specifies the	Source Port of the TCP or  UDP	packet
	      contained	in the Redirect	payload.

	      Note: This option	is meaningful only if "TCP" or "UDP" have been
	      specified	with the "-p" option.

       --tcp-flags, -X

	      This option specifies the	flags of the TCP header	 contained  in
	      the  Redirect payload. The flags are specified as	"F" (FIN), "S"
	      (SYN), "R" (RST),	"P" (PSH),  "A"	 (ACK),	 "U"  (URG),  "X"  (no
	      flags). If left uspecified, only the "ACK" bit is	set.

	      Note: This option	is meaningful only if "TCP" has	been specified
	      with the "-p" option.

       --tcp-seq, -q

	      This option specifies the	Sequence Number	of the TCP header con-
	      tained  in  the  Redirect	 payload. If left unspecified, the Se-
	      quence Number is randomized.

	      Note: This option	is meaningful only if "TCP" has	been specified
	      with the "-p" option.

       --tcp-ack, -Q

	      This  option  specifies  the  Acknowledgment  Number  of the TCP
	      header contained in the Redirect payload.	If  left  unspecified,
	      the Acknowledgment Number	is randomized.

	      Note: This option	is meaningful only if "TCP" has	been specified
	      with the "-p" option.

       --tcp-urg, -V

	      This option specifies the	Urgent Pointer of the TCP header  con-
	      tained  in the Redirect payload. If left unspecified, the	Urgent
	      Pointer is set to	0.

	      Note: This option	is meaningful only if "TCP" has	been specified
	      with the "-p" option.

       --tcp-win, -w

	      This  option specifies the Window	of the TCP header contained in
	      the Redirect payload. If left unspecified, the Window is random-
	      ized.

	      Note: This option	is meaningful only if "TCP" has	been specified
	      with the "-p" option.

       --resp-mcast, -M

	      This option specifies that, when operating  in  "passive"	 mode,
	      the  tool	 should	 also respond to packets sent to multicast ad-
	      dresses. By default, the tool does not  send  Redirects  in  re-
	      sponse to	packets	sent to	multicast addresses.

       --make-onlink, -O

	      This  option  instructs  the tool	to set the Redirect Target Ad-
	      dress to the same	value as  the  Redirect	 Destination  Address,
	      thus causing the specified address to be considered "on-link".

       --learn-router, -N

	      This  option  instructs the tool to learn	the link-layer and the
	      (link-local) IPv6	addresses of the  local	 router	 by  means  of
	      Router  Solicitation  and	 Router	Advertisement messages.	If the
	      IPv6 Source Address or the link-layer Source  Address  are  left
	      unspecified,  the	 corresponding values learned with this	option
	      will be used.

	      Note: This option	is very	useful to avoid	having to manually en-
	      ter the IPv6 and/or Ethernet addresses of	the router.

       --target-lla-opt, -E

	      This  option  specifies  the contents of a target	link-layer ad-
	      dress option to be included in the Redirect messages. If a  sin-
	      gle  option is specified,	it is included in all the outgoing Re-
	      direct messages. If more than one	target link-layer  address  is
	      specified	 (by  means of multiple	"-E" options), and all the re-
	      sulting options cannot be	conveyed into a	single	Redirect  mes-
	      sage, multiple Redirect messages will be sent as needed.

       --add-tlla-opt, -e

	      This   option  instructs	the  rd6  tool	to  include  a	target
	      link-layer address option	 in  the  Redirect  messages  that  it
	      sends.  When  this option	is employed, the link-layer Source Ad-
	      dress must be specified, and such	value will  be	used  for  the
	      target  link-layer  address  option. The difference between this
	      option and the "-E" option is that  the  "-e"  option  does  not
	      specify  the  actual value of the	option,	but just instructs the
	      tool to include a	target link-layer address option  (the	actual
	      value of the option is selected as explained before).

       -j SRC_ADDR, --block-src	SRC_ADDR

	      This  option sets	a block	filter for the incoming	packets, based
	      on their IPv6 Source Address. It allows the specification	of  an
	      IPv6  prefix  in	the  form "-j prefix/prefixlen". If the	prefix
	      length is	not specified, a prefix	length of "/128"  is  selected
	      (i.e.,  the  option  assumes  that a single IPv6 address,	rather
	      than an IPv6 prefix, has been specified).

       -k DST_ADDR, --block-dst	DST_ADDR

	      This option sets a block filter for the incoming Neighbor	Solic-
	      itation  messages,  based	 on their IPv6 Destination Address. It
	      allows the specification of an IPv6 prefix in the	form "-k  pre-
	      fix/prefixlen".  If the prefix length is not specified, a	prefix
	      length of	"/128" is selected (i.e., the option  assumes  that  a
	      single IPv6 address, rather than an IPv6 prefix, has been	speci-
	      fied).

       -J SRC_ADDR, --block-link-src SRC_ADDR

	      This option sets a block filter for the incoming packets,	 based
	      on  their	link-layer Source Address. The option must be followed
	      by a link-layer address (this option is only valid for  Ethernet
	      interfaces).

       -K DST_ADDR, --block-link-dst DST_ADDR

	      This  option sets	a block	filter for the incoming	packets, based
	      on their link-layer Destination Address. The option must be fol-
	      lowed  by	 a  link-layer	address	(this option is	only valid for
	      Ethernet interfaces).

       -b SRC_ADDR, --accept-src SRC_ADDR

	      This option sets an accept  filter  for  the  incoming  packets,
	      based  on	their IPv6 Source Address. It allows the specification
	      of an IPv6 prefix	in the form "-b	prefix/prefixlen". If the pre-
	      fix  length  is  not specified, a	prefix length of "/128"	is se-
	      lected (i.e., the	option assumes that  a	single	IPv6  address,
	      rather than an IPv6 prefix, has been specified).

       -g DST_ADDR, --accept-dst DST_ADDR

	      This option sets a accept	filter for the incoming	packets, based
	      on their IPv6 Destination	Address. It allows  the	 specification
	      of an IPv6 prefix	in the form "-g	prefix/prefixlen". If the pre-
	      fix length is not	specified, a prefix length of  "/128"  is  se-
	      lected  (i.e.,  the  option  assumes that	a single IPv6 address,
	      rather than an IPv6 prefix, has been specified).

       -B SRC_ADDR, --accept-link-src SRC_ADDR

	      This option sets an accept filter	for the	incoming Neighbor  So-
	      licitation  messages,  based on their link-layer Source Address.
	      The option must be followed by a link-layer address (this	option
	      is only valid for	Ethernet interfaces).

       -G DST_ADDR, --accept-link-dst DST_ADDR

	      This  option  sets  an  accept  filter for the incoming packets,
	      based on their link-layer	Destination Address. The  option  must
	      be  followed  by a link-layer address (this option is only valid
	      for Ethernet interfaces).

       --sanity-filters, -w

	      This option  automatically  adds	an  "accept  filter"  for  the
	      link-layer Destination Address corresponding to the local	router
	      (either learned as a result of the "--learn-router"  option,  or
	      specified	 by  the "-S" option), and a block filter for the IPv6
	      Source Address fe80::/16.

	      Note: This option	is desirable in	virtually all scenarios,  such
	      that the tool does not respond to	link-local traffic, etc.

       --flood-dests, -R

	      This  option  instructs  the  rd6	tool to	send multiple Redirect
	      messages for different Redirect Destination Addresses. The  num-
	      ber  of different	Redirect Destination Addresses is specified as
	      "-R number". The Redirect	Destination Address of each packet  is
	      randomly	selected from the prefix ::/0, unless a	different pre-
	      fix has been specified by	means of the "-r" option.

       --flood-targets,	-T

	      This option instructs the	rd6 tool  to  send  multiple  Redirect
	      messages	for different Redirect Target Addresses. The number of
	      different	Target Addresses is specified as "-T number". The Tar-
	      get  Address of each packet is randomly selected from the	prefix
	      fe80::/64, unless	a different prefix has been specified by means
	      of the "-t" option.

       --flood-sources,	-F

	      This  option  instructs  the tool	to send	multiple Redirect mes-
	      sages with different Source Addresses. The number	 of  different
	      sources  is specified as "-F number". The	Source Address of each
	      Redirect message is randomly selected from the prefix  specified
	      by the "-s" option. If the "-F" option is	specified but the "-s"
	      option is	left unspecified, the Source Address of	the packets is
	      randomly	selected  from	the  prefix fe80::/64 (link-local uni-
	      cast). It	should be noted	that hosts are required	to discard Re-
	      direct  messages	whose  IPv6  Source address does not match the
	      (link-local) IPv6	address	of the router used  for	 the  Redirect
	      Destination Address.

       --loop, -l

	      This  option  instructs  the  rd6	tool to	send periodic Redirect
	      messages to the victim node. The amount of time to pause between
	      sending  Redirect	messages can be	specified by means of the "-z"
	      option, and defaults to 1	second.	Note that this	option	cannot
	      be set in	conjunction with the "-L" ("--listen") option.

       --sleep,	-z

	      This  option specifies the amount	of time	to pause between send-
	      ing Redirect messages (when the "--loop" option is set). If left
	      unspecified, it defaults to 1 second.

       --listen, -L

	      This instructs the rd6 tool to operate in	passive	mode (possibly
	      after attacking a	given node). Note that this option  cannot  be
	      used in conjunction with the "-l"	("--loop") option.

       --verbose, -v

	      This  option instructs the rd6 tool to be	verbose.  When the op-
	      tion is set twice, the tool is "very verbose", and the tool also
	      informs  which  packets have been	accepted or discarded as a re-
	      sult of applying the specified filters.

       --help, -h

	      Print help information for the rd6 tool.

EXAMPLES
       The following sections illustrate typical use cases of the rd6 tool.

       Example #1

       # rd6 -i	eth0 --learn-router --sanity-filters -L	--make-onlink -v

       The tool	uses the network interface "eth0",  and	 operates  in  passive
       mode  ("-L"  option). The IPv6 and Ethernet address of the local	router
       is automatically	learned	by means of RS/RA messages. Basic filters  are
       employed	 to avoid responding to	incorrect/unnecessary packets ("--san-
       ity-filters"). Each Redirect message will contain the  Redirect	Target
       Address set to the same value as	the Redirect Destination Address, thus
       causing	the  corresponding  address   to   be	considered   "on-link"
       ("--make-onlink"	 option).  The	tool  will  print detailed information
       about the attack	("-v" option).

       Example #2

       # rd6  -i  eth0	--learn-router	-d  2001:db8::1	 -r  2001:db8::/64  -t
       fe80::bad -R 100	-l -v

       Flood  the victim host (specified with the "-d" option) with batches of
       100 Redirect messages ("-R 100" option).	Each  Redirect	message	 redi-
       rects  a	 random	address	from the prefix	"2001:db8::/64"	to the address
       "fe80::bad". The	IPv6 and link-layer addresses  of  the	current	 local
       router	is   dynamically   learned   by	  means	  of   RS/RA  messages
       ("--learn-router" option). The process is repeated every	 second	 ("-l"
       option, with the	default	delay of 1 second).

SEE ALSO
       "Security/Robustness  Assessment	of IPv6	Neighbor Discovery Implementa-
       tions"	(available   at:   <http://www.si6networks.com/tools/ipv6tool-
       kit/si6networks-ipv6-nd-assessment.pdf>)	 for  a	discussion of Neighbor
       Discovery vulnerabilities, and additional examples of how  to  use  the
       na6 tool	to exploit them.

AUTHOR
       The  rd6	 tool and the corresponding manual pages were produced by Fer-
       nando Gont _fgont@si6networks.com_ for SI6 Networks _http://www.si6net-
       works.com_.

COPYRIGHT
       Copyright (c) 2011-2013 Fernando	Gont.

       Permission  is  granted to copy,	distribute and/or modify this document
       under the terms of the GNU Free Documentation License, Version  1.3  or
       any  later  version  published by the Free Software Foundation; with no
       Invariant Sections, no Front-Cover Texts, and no	Back-Cover  Texts.   A
       copy   of   the	 license   is	available  at  _http://www.gnu.org/li-
       censes/fdl.html_.

									RD6(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | SEE ALSO | AUTHOR | COPYRIGHT

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=rd6&sektion=1&manpath=FreeBSD+12.2-RELEASE+and+Ports>

home | help