.TH MLDQ6 1
.SH NAME
mldq6 \- A security assessment tool for attack vectors based on ICMPv6 MLD Query messages
.SH SYNOPSIS
.B mldq6
.RB [\| \-i
.IR INTERFACE\| ]
[\-s SRC_ADDR[/LEN]] [\-d DST_ADDR] [\-A HOP_LIMIT] [\-y FRAG_SIZE] [\-u DST_OPT_HDR_SIZE] [\-U DST_OPT_U_HDR_SIZE] [\-H HBH_OPT_HDR_SIZE] [\-S LINK_SRC_ADDR] [\-D LINK-DST-ADDR] [\-E LINK_ADDR] [\-e] [\-m MLD_ADDR] [\-r MLD_RESP_DELAY ] [\-F N_SOURCES] [\-z SECONDS] [\-l] [\-v] [\-h]
.SH DESCRIPTION
.B mldq6
allows the assessment of IPv6 implementations with respect to a variety of attacks based on ICMPv6 MLD Query messages. This tool is part of the SI6 Networks' IPv6 Toolkit: a security assessment suite for the IPv6 protocols.
.SH OPTIONS
.B mldq6
takes its parameters as command-line options. Each of the options can be specified with a short name (one character preceded with the hyphen character, as e.g. "\-i") or with a long name (a string preceded with two hyphen characters, as e.g. "\-\-interface").
.TP
.BI \-i\ INTERFACE ,\ \-\-interface\ INTERFACE
This option specifies the network interface that the tool will use. If the destination address ("\-d" option) is a link-local address, the interface must be explicitly specified. The interface may also be specified along with a destination address, with the "\-d" option.
.TP
.BI \-s\ SRC_ADDR ,\ \-\-src\-address\ SRC_ADDR
This option is meant to specify the IPv6 Source Address (or IPv6 prefix) to be used for the MLD Query messages. If left unspecified, a randomized link-local unicast (fe80::/64) address is selected.
.TP
.BI \-d\ DST_ADDR ,\ \-\-dst\-address\ DST_ADDR
This option specifies the IPv6 Destination Address of the MLD Query messages. If left unspecified the "all-nodes link-local multicast" address (ff02::1) is selected as the IPv6 Destination Address.
.TP
.BI \-A\ HOP_LIMIT ,\ \-\-hop\-limit\ HOP_LIMIT
This option specifies the IPv6 Hop Limit to be used for the MLD Query messages. It defaults to 1. Note that IPv6 nodes are required to check that the Hop Limit of incoming MLD Query messages is 1. Therefore, this option is only useful to assess whether an IPv6 implementation fails to enforce the aforementioned check.
.TP
.BI \-y\ SIZE ,\ \-\-frag\-hdr\ SIZE
This option specifies that the resulting packet must be fragmented. The fragment size must be specified as an argument to this option.
.TP
.BI \-u\ HDR_SIZE ,\ \-\-dst\-opt\-hdr\ HDR_SIZE
This option specifies that a Destination Options header is to be included in the resulting packet. The extension header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-u" options.
.TP
.BI \-U\ HDR_SIZE ,\ \-\-dst\-opt\-u\-hdr\ HDR_SIZE
This option specifies a Destination Options header to be included in the "unfragmentable part" of the resulting packet. The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Destination Options headers may be specified by means of multiple "\-U" options. This option is only valid if the "\-y" option is specified (as the concept of "unfragmentable part" only makes sense when fragmentation is employed).
.TP
.BI \-H\ HDR_SIZE ,\ \-\-hbh\-opt\-hdr\ HDR_SIZE
This option specifies that a Hop-by-Hop Options header is to be included in the resulting packet. The header size must be specified as an argument to this option (the header is filled with padding options). Multiple Hop\-by\-Hop Options headers may be specified by means of multiple "\-H" options. Without this option, an MLD standard conforming Hop-by-Hop header is added. With "\-H 0", no Hop-by-Hop Options header is added (thus creating an invalid MLD Query message). This option can be used to check whether an IPv6 implementation correctly validates the Hop-by-Hop Options header and drops MLD Query messages with an invalid Hop-by-Hop Options header.
.TP
.BI \-S\ SRC_LINK_ADDR ,\ \-\-src\-link\-address\ SRC_LINK_ADDR
This option specifies the link-layer Source Address of the MLD Query messages (currently, only Ethernet is supported). If left unspecified, the link-layer Source Address is randomized.
.TP
.BI \-D\ DST_LINK_ADDR ,\ \-\-dst\-link\-address\ DST_LINK_ADDR
This option specifies the link-layer Destination Address of the MLD Query messages (currently, only Ethernet is supported). If left unspecified, the link-layer Destination Address is set to "33:33:00:00:00:01" (the Ethernet address that corresponds to the "all-nodes link-local multicast" address).
.TP
\-\-source\-lla\-opt, \-E
This option specifies the contents of a source link-layer address option to be included in the MLD Query messages. If more than one source link-layer address is specified (by means of multiple "\-E" options), and all the resulting options cannot be conveyed into a single MLD Query, multiple MLD Queries will be sent as needed.
.TP
\-\-add\-slla\-opt, \-e
This option instructs the mldq6 tool to include a source link-layer address option in the MLD Query messages that it sends. The link-layer address included in the option is the same as the Ethernet Source Address used for the outgoing MLD Query messages.
.TP
.BI \-m\ MLD_ADDR ,\ \-\-mld\-addr\ MLD_ADDR
This option specifies the MLD Multicast Address of the MLD Query messages. If left unspecified the unspecified IPv6 address (::) is selected as the MLD Multicast Address (a General Query). Note that for a valid Multicast-Address-Specific Query MLD_ADDR and the IPv6 destination address should be the same. So if setting a multicast address with "\-m", you might also want to use "\-d" and "\-D".
.TP
.BI \-r\ MLD_RESP_DELAY ,\ \-\-mld\-resp\-delay\ MLD_RESP_DELAY
This option specifies the MLD Maximum Response Delay of the MLD Query messages in milliseconds. A multicast listener will reply with its MLD Report with a random delay between zero and the MLD_RESP_DELAY. For MLD Version 2, if set to >=32768, this specifies the Maximum Response Code instead. Defaults to 10000 milliseconds (10 seconds).
.TP
\-\-mld\-sflag, \-M
For MLD Version 2, sets the MLDv2 Query Suppress Router-Side Processing flag. Default: off.
.TP
.BI \-R\ MLDV2_ROBUSTNESS_VARIABLE ,\ \-\-mld\-qrv\ MLDV2_ROBUSTNESS_VARIABLE
For MLD Version 2, sets the MLDv2 Query Robustness Variable. Specifies how many MLD packets minus 1 may be missed without hindering protocol performance. Higher values increase the leave latency. RFC3810, section 5.1.8 specifies QRV values from 0-7, where 0 is the special value of a Robustness Variable > 7. Defaults to 2.
.TP
.BI \-V\ MLD_VERSION ,\ \-\-mld\-version\ MLD_VERSION
This option specifies whether an MLDv1 or MLDv2 Query message is sent. An MLDv2 Query starts identically to an MLDv1 Query, for compatibility, but an MLDv2 Query message is at least 4 bytes longer; these bytes contain an additional S-Flag, Query Robustness Variable (QRV) and "Number of Sources" field. Optionally, a list of IPv6 source addresses for multicast and source specific queries may follow. May be set to 1 or 2, defaults to 2.
.TP
\-\-flood\-sources, \-F
This option instructs the mldq6 tool to send MLD Queries from multiple (and random) IPv6 Source Addresses. The number of different sources is specified as "\-F number". The IPv6 Source Address of each MLD Query is randomized from the IPv6 prefix specified with the "\-s" option, and defaults to a random link-local unicast address (fe80::/64).
.TP
\-\-loop, \-l
This option instructs the mldq6 tool to send periodic MLD Queries to the destination node. The amount of time to pause between sending MLD Queries can be specified by means of the "\-z" option, and defaults to 120 seconds.
.TP
\-\-sleep, \-z
This option specifies the amount of time to pause between sending MLD Query messages. If left unspecified, it defaults to 125 seconds. For MLDv2 this also sets and codifies the MLDv2 Querier's Query Interval Code (QQIC) field. Sleep values > 128 are rounded up to the next QQIC if necessary.
.TP
\-\-verbose, \-v
This option instructs the mldq6 tool to be verbose.
.TP
\-\-help, \-h
Print help information for the mldq6 tool.
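The "\-r" and "\-z" descriptions above refer to the MLDv2 Maximum Response Code and QQIC encodings. The following added example (not code from the IPv6 Toolkit) decodes both per RFC 3810 and encodes by rounding up to the next representable value; the function names and the saturate-at-maximum behaviour are assumptions made for illustration.

```python
# Added example (not ipv6toolkit code): RFC 3810 exponent/mantissa codes.
# Maximum Response Code: 16 bits, 12-bit mantissa. QQIC: 8 bits, 4-bit mantissa.

def decode_code(code, mant_bits):
    """Return the time value a Maximum Response Code or QQIC stands for."""
    threshold = 1 << (mant_bits + 3)           # 32768 (MRC) or 128 (QQIC)
    if code < threshold:
        return code                            # below the threshold: literal
    exp = (code >> mant_bits) & 0x7
    mant = code & ((1 << mant_bits) - 1)
    return (mant | (1 << mant_bits)) << (exp + 3)

def encode_code(value, mant_bits):
    """Return the smallest code that decodes to >= value (assumed rounding)."""
    threshold = 1 << (mant_bits + 3)
    if value < threshold:
        return value
    top = (1 << (mant_bits + 4)) - 1           # 0xFFFF (MRC) or 0xFF (QQIC)
    for code in range(threshold, top + 1):     # decoded values are monotonic
        if decode_code(code, mant_bits) >= value:
            return code
    return top                                 # saturate at the largest code

def max_resp_delay_ms(code):
    return decode_code(code, 12)

def qqic_for_interval(seconds):
    return encode_code(seconds, 4)

def query_interval_s(qqic):
    return decode_code(qqic, 4)

if __name__ == "__main__":
    for sleep in (5, 125, 130, 40000):         # constructed sample intervals
        q = qqic_for_interval(sleep)
        print(sleep, "s -> QQIC", hex(q), "->", query_interval_s(q), "s")
    print("MRC 0x8000 ->", max_resp_delay_ms(0x8000), "ms")
```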
.SH EXAMPLES
The following sections illustrate typical use cases of the
.B mldq6
tool.
\fBExample #1\fR
# mldq6 \-i eth0
Use the network interface "eth0" to send a MLD Query using a random link-local unicast IPv6 Source Address and a random Ethernet Source Address, to the IPv6 Destination Address "ff02::1" ("all-nodes link-local multicast" address, selected by default) and the Ethernet Destination Address "33:33:00:00:00:01" (selected by default). Set the MLD Multicast Address to :: (a "General Query", default) and set the MLD Maximum Response Delay to 10 seconds (default).
\fBExample #2\fR
# mldq6 \-i eth0 \-d ff12::123 \-D 33:33:00:00:01:23 \-m ff12::123 \-r 1000 \-F 100 \-l \-z 5 \-v
Send 100 Multicast-Address-Specific MLD Query messages using a random Ethernet Source Address and random IPv6 Source Address for each of them, to the Ethernet Destination Address "33:33:00:00:01:23" and the IPv6 Destination Address "ff12::123". Set the MLD Multicast Address to ff12::123 (a "Multicast-Address-Specific Query") and set the MLD Maximum Response Delay to 1000 milliseconds. Repeat this operation every five seconds. Be verbose.
.SH MULTICAST LISTENERS
To create multicast listeners against which to check the queries sent by mldq6, you can use socat (>= 1.7.3.2), for instance:
$ socat \-u UDP6\-RECV:1234,reuseaddr,ipv6\-join\-group="[ff12::123]:eth0" \-
Another option is mcjoin: https://github.com/troglobit/mcjoin
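The receiver-side checks that the "\-A" and "\-H" options are meant to exercise can be written out as follows. This is an added example, not part of the IPv6 Toolkit: it applies the Hop Limit, link-local source and Router Alert checks (the latter two per RFC 3810) to a raw IPv6 packet. The function names and the sample packet are constructed for illustration.

```python
import ipaddress, struct

def check_mld_query(pkt):
    """Return the reasons a listener should drop this raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    problems = []
    next_hdr, hop_limit = pkt[6], pkt[7]
    src = ipaddress.IPv6Address(pkt[8:24])
    if hop_limit != 1:
        problems.append("Hop Limit is %d, not 1" % hop_limit)
    if not src.is_link_local:
        problems.append("source %s is not link-local" % src)
    off, router_alert = 40, False
    if next_hdr == 0 and len(pkt) >= off + 8:   # Hop-by-Hop Options header
        next_hdr, hbh_len = pkt[off], (pkt[off + 1] + 1) * 8
        opts, i = pkt[off + 2:off + hbh_len], 0
        while i < len(opts):
            if opts[i] == 0:                    # Pad1 is a single byte
                i += 1
                continue
            if i + 1 >= len(opts):
                break                           # option header cut short
            if opts[i] == 5 and opts[i + 1] == 2 and opts[i + 2:i + 4] == bytes(2):
                router_alert = True             # Router Alert, value 0 = MLD
            i += 2 + opts[i + 1]
        off += hbh_len
    if not router_alert:
        problems.append("no Router Alert (MLD) in a Hop-by-Hop header")
    if next_hdr != 58 or len(pkt) < off + 24 or pkt[off] != 130:
        problems.append("no ICMPv6 MLD Query (type 130) after the headers")
    return problems

def sample_query(hop_limit=1, with_hbh=True, src="fe80::1"):
    """Constructed MLDv1 General Query (checksum left as 0, not verified)."""
    mld = struct.pack("!BBHHH16s", 130, 0, 0, 10000, 0, bytes(16))
    hbh = bytes([58, 0, 5, 2, 0, 0, 1, 0]) if with_hbh else b""
    hdr = struct.pack("!IHBB", 6 << 28, len(hbh + mld),
                      0 if with_hbh else 58, hop_limit)
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + addrs + hbh + mld

if __name__ == "__main__":
    for kwargs in ({}, {"hop_limit": 64}, {"with_hbh": False}):
        print(kwargs, "->", check_mld_query(sample_query(**kwargs)) or "accept")
```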
.SH AUTHOR
The
.B mldq6
tool and the corresponding manual pages were produced by Fernando Gont
.I <[email protected]>
for SI6 Networks
.IR <http://www.si6networks.com> .
.SH COPYRIGHT
Copyright (c) 2011\-2020 Fernando Gont.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front\-Cover Texts, and no Back\-Cover Texts. A copy of the license is available at
.IR <http://www.gnu.org/licenses/fdl.html> .