Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
RS6(1)			    General Commands Manual			RS6(1)

NAME
       rs6  -  A  security  assessment tool for	attack vectors based on	ICMPv6
       Router Solicitation messages

SYNOPSIS
       rs6 [-i INTERFACE] [-s SRC_ADDR[/LEN]] [-d DST_ADDR] [-y	FRAG_SIZE] [-u
       DST_OPT_HDR_SIZE]  [-U  DST_OPT_U_HDR_SIZE]  [-H	 HBH_OPT_HDR_SIZE] [-S
       LINK_SRC_ADDR] [-D LINK-DST-ADDR] [-E LINK_ADDR]	 [-e]  [-F  N_SOURCES]
       [-z SECONDS] [-l] [-v] [-h]

DESCRIPTION
       rs6 allows the assessment of IPv6 implementations with respect to a va-
       riety of	attacks	based on ICMPv6	 Router	 Solicitation  messages.  This
       tool  is	 part of the SI6 Networks' IPv6	Toolkit: a security assessment
       suite for the IPv6 protocols.

OPTIONS
       rs6 takes its parameters	as command-line	options. Each of  the  options
       can be specified	with a short name (one character preceded with the hy-
       phen character, as e.g. "-i") or	with a long name  (a  string  preceded
       with two	hyphen characters, as e.g. "--interface").

       Depending  on the amount	of information (i.e., options and option data)
       to be conveyed into the Router Solicitations, it	may be	necessary  for
       rs6  to	split that information into more than one Router Solicitation.
       Also, when the rs6 tool is instructed to	flood the victim  with	Router
       Solicitations from different sources ("--flood-sources" option),	multi-
       ple packets may need to be generated. rs6 supports IPv6	fragmentation,
       which  may  be of use if	a large	amount of information needs to be con-
       veyed within a single Router Solicitation message.  IPv6	 fragmentation
       is not enabled by default, and must be explicitly enabled with the "-y"
       option.

       -i INTERFACE, --interface INTERFACE
	      This option specifies the	network	interface that the  tool  will
	      use.  If	the  destination address ("-d" option) is a link-local
	      address, the interface must be explicitly	specified. The	inter-
	      face  may	 also  be  specified along with	a destination address,
	      with the "-d" option.

       -s SRC_ADDR, --src-address SRC_ADDR

	      This option is meant to specify the IPv6 Source Address (or IPv6
	      prefix) to be used for the Router	Solicitation messages. If left
	      unspecified, a randomized	link-local unicast (fe80::/64) address
	      is selected.

       -d DST_ADDR, --dst-address DST_ADDR

	      This option specifies the	IPv6 Destination Address of the	Router
	      Solicitation messages. If	left  unspecified,  but	 the  Ethernet
	      Destination  Address  is	specified, the "all-routers link-local
	      multicast" address (ff02::2) is selected as the IPv6 Destination
	      Address.

       --hop-limit, -A

	      This  option  specifies  the  IPv6  Hop Limit to be used for the
	      Router Solicitation messages. It defaults	to 255.	Note that IPv6
	      nodes  are  required  to	check  that  the Hop Limit of incoming
	      Router Solicitation messages is 255. Therefore, this  option  is
	      only  useful  to	assess whether an IPv6 implementation fails to
	      enforce the aforementioned check.

       -y SIZE,	--frag-hdr SIZE

	      This option specifies that the resulting packet  must  be	 frag-
	      mented.  The  fragment  size must	be specified as	an argument to
	      this option.

       -u HDR_SIZE, --dst-opt-hdr HDR_SIZE

	      This option specifies that a Destination Options header is to be
	      included in the resulting	packet.	The extension header size must
	      be specified as an argument to this option (the header is	filled
	      with  padding options). Multiple Destination Options headers may
	      be specified by means of multiple	"-u" options.

       -U HDR_SIZE, --dst-opt-u-hdr HDR_SIZE

	      This option specifies a Destination Options  header  to  be  in-
	      cluded in	the "unfragmentable part" of the resulting packet. The
	      header size must be specified as an argument to this option (the
	      header is	filled with padding options). Multiple Destination Op-
	      tions headers may	be specified by	means  of  multiple  "-U"  op-
	      tions. This option is only valid if the "-y" option is specified
	      (as the concept of "unfragmentable part" only makes  sense  when
	      fragmentation is employed).

       -H HDR_SIZE, --hbh-opt-hdr HDR_SIZE

	      This  option specifies that a Hop-by-Hop Options header is to be
	      included in the resulting	packet.	The header size	must be	speci-
	      fied  as	an  argument to	this option (the header	is filled with
	      padding options).	Multiple Hop-by-Hop  Options  headers  may  be
	      specified	by means of multiple "-H" options.

       -S SRC_LINK_ADDR, --src-link-address SRC_LINK_ADDR

	      This  option  specifies  the  link-layer	Source	Address	of the
	      Router Solicitation messages (currently, only Ethernet  is  sup-
	      ported).	If  left unspecified, the link-layer Source Address is
	      randomized.

       -D DST_LINK_ADDR, --dst-link-address DST_LINK_ADDR

	      This option specifies the	link-layer Destination Address of  the
	      Router  Solicitation  messages (currently, only Ethernet is sup-
	      ported). If left unspecified, the	link-layer Destination Address
	      is  set to "33:33:00:00:00:02" (the Ethernet address that	corre-
	      sponds to	the "all-routers link-local multicast" address).

       --source-lla-opt, -E

	      This option specifies the	contents of a  source  link-layer  ad-
	      dress option to be included in the Router	Solicitation messages.
	      If more than one source  link-layer  address  is	specified  (by
	      means  of	 multiple "-E" options), and all the resulting options
	      cannot be	conveyed into a	single Router  Solicitation,  multiple
	      Router Solicitations will	be sent	as needed.

       --add-slla-opt, -e

	      This  option  instructs  the  rs6	tool to	include	a source link-
	      layer address option in the Router Solicitation messages that it
	      sends. The link-layer address included in	the option is the same
	      as the Ethernet Source Address used for the outgoing Router  So-
	      licitation messages.

       --flood-sources,	-F

	      This  option instructs the rs6 tool to send Router Solicitations
	      from multiple (and random) IPv6 Source Addresses.	The number  of
	      different	 sources  is specified as "-F number". The IPv6	Source
	      Address of each Router Solicitation is  a	 randomized  from  the
	      IPv6  prefix  specified  with the	"-s" option, and defaults to a
	      random link-local	unicast	address	(fe80::/64).

       --loop, -l

	      This option instructs the	rs6 tool to send periodic  Router  So-
	      licitations to the destination node. The amount of time to pause
	      between sending Neighbor Solicitations can be specified by means
	      of the "-z" option, and defaults to 1 second.

       --sleep,	-z

	      This  option  instructs  the  rs6	 tool to the amount of time to
	      pause between sending Router Solicitation	messages. If left  un-
	      specified, it defaults to	1 second.

       --verbose, -v

	      This option instructs the	rs6 tool to be verbose.

       --help, -h

	      Print help information for the rs6 tool.

EXAMPLES
       The following sections illustrate typical use cases of the rs6 tool.

       Example #1

       # rs6 -i	eth0 -e

       Use  the	network	interface "eth0" to send a Router Solicitation using a
       random link-local unicast IPv6 Source Address  and  a  random  Ethernet
       Source Address, to the IPv6 Destination Address "ff02::2" ("all-routers
       link-local multicast" address, selected by default)  and	 the  Ethernet
       Destination  Address  "33:33:00:00:00:02"  (selected  by	 default). The
       Router Solicitation also	includes a source link-layer  address  option,
       that  contains  the same	Ethernet address as that used for the Ethernet
       Source Address of the packet.

       Example #2

       # rs6 -i	eth0 -e	-F 100 -l -z 10	-v

       Send 100	Router Solicitation messages using a  random  Ethernet	Source
       Address	and random IPv6	Source Address for each	of them, to the	Ether-
       net Destination Address "33:33:00:00:00:02" (default) and the IPv6 Des-
       tination	 Address  "ff02:2"  (default).	Each message includes a	source
       link-layer address option that contains the same	link-layer address  as
       that  used  for	the Ethernet Source Address of the packet. Repeat this
       operation every ten seconds. Be verbose.

       Example #3

       # rs6 -i	eth0 -d	fe80::1	-E ff:ff:ff:ff:ff:ff -v

       Send one	Router Solicitation message using a random Ethernet Source Ad-
       dress and a random link-local unicast (i.e., fe80::/64) IPv6 Source Ad-
       dress, to the Ethernet  Destination  Address  "33:33:00:00:00:02"  (de-
       fault)  and the IPv6 Destination	Address	"fe80::1". Each	Router Solici-
       tation includes a source	link-layer address option  that	 contains  the
       Ethernet	address	"ff:ff:ff:ff:ff:ff". Be	verbose.

SEE ALSO
       "Security/Robustness  Assessment	of IPv6	Neighbor Discovery Implementa-
       tions"	(available   at:   <http://www.si6networks.com/tools/ipv6tool-
       kit/si6networks-ipv6-nd-assessment.pdf>)	 for  a	discussion of Neighbor
       Discovery vulnerabilities, and additional examples of how  to  use  the
       na6 tool	to exploit them.

AUTHOR
       The  rs6	 tool and the corresponding manual pages were produced by Fer-
       nando Gont _fgont@si6networks.com_ for SI6 Networks _http://www.si6net-
       works.com_.

COPYRIGHT
       Copyright (c) 2011-2013 Fernando	Gont.

       Permission  is  granted to copy,	distribute and/or modify this document
       under the terms of the GNU Free Documentation License, Version  1.3  or
       any  later  version  published by the Free Software Foundation; with no
       Invariant Sections, no Front-Cover Texts, and no	Back-Cover  Texts.   A
       copy   of   the	 license   is	available  at  _http://www.gnu.org/li-
       censes/fdl.html_.

									RS6(1)

NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | SEE ALSO | AUTHOR | COPYRIGHT

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=rs6&sektion=1&manpath=FreeBSD+13.0-RELEASE+and+Ports>

home | help