[Bug] Tcprewrite does not rewrite the contents of ICMPv6 error messages
heliosfa opened this issue · 0 comments
heliosfa commented
ICMPv6 error messages defined in Section 3 of RFC4443 include "As much of invoking packet as possible without the ICMPv6 packet exceeding the minimum IPv6 MTU". This means that they include the IPv6 header of the original packet that triggered the ICMPv6 error message.
Tcprewrite does not not process the contents of ICMPv6 error messages, so does not re-write the IPv6 addresses in the original packet appended to the error message.
This poses two problems:
- packet captures re-written with Tcprewrite do not maintain compliance with RFC4443
- if used for packet capture sanitisation, ICMPv6 error messages leak the original IP addresses. As Destination Unreachable (type 1) and Time Exceeded (type 3) messages are not uncommon, this is a notable leak risk.
To Reproduce
- Create a packet capture containing an ICMPv6 error message that includes the invoking packet. Example packet capture: ttl.pcap.gz
- Re-write the packet capture. For the example Pcap, try
tcprewrite --pnat=[2001:0DB8:85A3:08D3::/64]:[2001:0db8:FFFF:FFFF::/64] --infile=ttl.pcap --outfile=ttl-anon.pcap --fixcsum
- Inspect the contents of the ICMPv6 error message in the re-written packet capture. Example re-written packet capture:
ttl-anon.pcap.gz