1f74e6e49SBjoern A. Zeeb#!/usr/bin/env python 2f74e6e49SBjoern A. Zeeb#- 3f74e6e49SBjoern A. Zeeb# SPDX-License-Identifier: BSD-2-Clause 4f74e6e49SBjoern A. Zeeb# 5f74e6e49SBjoern A. Zeeb# Copyright (c) 2019 Netflix, Inc. 6f74e6e49SBjoern A. Zeeb# 7f74e6e49SBjoern A. Zeeb# Redistribution and use in source and binary forms, with or without 8f74e6e49SBjoern A. Zeeb# modification, are permitted provided that the following conditions 9f74e6e49SBjoern A. Zeeb# are met: 10f74e6e49SBjoern A. Zeeb# 1. Redistributions of source code must retain the above copyright 11f74e6e49SBjoern A. Zeeb# notice, this list of conditions and the following disclaimer. 12f74e6e49SBjoern A. Zeeb# 2. Redistributions in binary form must reproduce the above copyright 13f74e6e49SBjoern A. Zeeb# notice, this list of conditions and the following disclaimer in the 14f74e6e49SBjoern A. Zeeb# documentation and/or other materials provided with the distribution. 15f74e6e49SBjoern A. Zeeb# 16f74e6e49SBjoern A. Zeeb# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17f74e6e49SBjoern A. Zeeb# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18f74e6e49SBjoern A. Zeeb# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19f74e6e49SBjoern A. Zeeb# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20f74e6e49SBjoern A. Zeeb# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21f74e6e49SBjoern A. Zeeb# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22f74e6e49SBjoern A. Zeeb# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23f74e6e49SBjoern A. Zeeb# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24f74e6e49SBjoern A. Zeeb# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25f74e6e49SBjoern A. Zeeb# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26f74e6e49SBjoern A. Zeeb# SUCH DAMAGE. 27f74e6e49SBjoern A. Zeeb# 28f74e6e49SBjoern A. Zeeb# 29f74e6e49SBjoern A. Zeeb 30f74e6e49SBjoern A. Zeebimport argparse 31a26e895fSKristof Provostimport logging 32a26e895fSKristof Provostlogging.getLogger("scapy").setLevel(logging.CRITICAL) 33f74e6e49SBjoern A. Zeebimport scapy.all as sp 34f74e6e49SBjoern A. Zeebimport socket 35f74e6e49SBjoern A. Zeebimport sys 36f74e6e49SBjoern A. Zeebfrom sniffer import Sniffer 37f74e6e49SBjoern A. Zeebfrom time import sleep 38f74e6e49SBjoern A. Zeeb 39f74e6e49SBjoern A. Zeebdef check_icmp6_error(args, packet): 40f74e6e49SBjoern A. Zeeb ip6 = packet.getlayer(sp.IPv6) 41f74e6e49SBjoern A. Zeeb if not ip6: 42f74e6e49SBjoern A. Zeeb return False 43f74e6e49SBjoern A. Zeeb oip6 = sp.IPv6(src=args.src[0], dst=args.to[0]) 44f74e6e49SBjoern A. Zeeb if ip6.dst != oip6.src: 45f74e6e49SBjoern A. Zeeb return False 46f74e6e49SBjoern A. Zeeb icmp6 = packet.getlayer(sp.ICMPv6ParamProblem) 47f74e6e49SBjoern A. Zeeb if not icmp6: 48f74e6e49SBjoern A. Zeeb return False 49f74e6e49SBjoern A. Zeeb # ICMP6_PARAMPROB_HEADER 0 50f74e6e49SBjoern A. Zeeb if icmp6.code != 0: 51f74e6e49SBjoern A. Zeeb return False 52f74e6e49SBjoern A. Zeeb # Should we check the payload as well? 53f74e6e49SBjoern A. Zeeb # We are running in a very isolated environment and nothing else 54f74e6e49SBjoern A. Zeeb # should trigger an ICMPv6 Param Prob so leave it. 55f74e6e49SBjoern A. Zeeb #icmp6.display() 56f74e6e49SBjoern A. Zeeb return True 57f74e6e49SBjoern A. Zeeb 584527b28bSBjoern A. Zeebdef check_icmp6_error_2(args, packet): 594527b28bSBjoern A. Zeeb ip6 = packet.getlayer(sp.IPv6) 604527b28bSBjoern A. Zeeb if not ip6: 614527b28bSBjoern A. Zeeb return False 624527b28bSBjoern A. Zeeb oip6 = sp.IPv6(src=args.src[0], dst=args.to[0]) 634527b28bSBjoern A. Zeeb if ip6.dst != oip6.src: 644527b28bSBjoern A. Zeeb return False 654527b28bSBjoern A. Zeeb icmp6 = packet.getlayer(sp.ICMPv6TimeExceeded) 664527b28bSBjoern A. Zeeb if not icmp6: 674527b28bSBjoern A. Zeeb return False 684527b28bSBjoern A. Zeeb # ICMP6_TIME_EXCEED_REASSEMBLY 1 694527b28bSBjoern A. Zeeb if icmp6.code != 1: 704527b28bSBjoern A. Zeeb return False 714527b28bSBjoern A. Zeeb # Should we check the payload as well? 724527b28bSBjoern A. Zeeb # We are running in a very isolated environment and nothing else 734527b28bSBjoern A. Zeeb # should trigger an ICMPv6 Time Exceeded / Frag reassembly so leave it. 744527b28bSBjoern A. Zeeb #icmp6.display() 754527b28bSBjoern A. Zeeb return True 764527b28bSBjoern A. Zeeb 77f74e6e49SBjoern A. Zeebdef main(): 78f74e6e49SBjoern A. Zeeb parser = argparse.ArgumentParser("frag6.py", 79f74e6e49SBjoern A. Zeeb description="IPv6 fragementation test tool") 80f74e6e49SBjoern A. Zeeb parser.add_argument('--sendif', nargs=1, 81f74e6e49SBjoern A. Zeeb required=True, 82f74e6e49SBjoern A. Zeeb help='The interface through which the packet will be sent') 83f74e6e49SBjoern A. Zeeb parser.add_argument('--recvif', nargs=1, 84f74e6e49SBjoern A. Zeeb required=True, 85f74e6e49SBjoern A. Zeeb help='The interface on which to check for the packet') 86f74e6e49SBjoern A. Zeeb parser.add_argument('--src', nargs=1, 87f74e6e49SBjoern A. Zeeb required=True, 88f74e6e49SBjoern A. Zeeb help='The source IP address') 89f74e6e49SBjoern A. Zeeb parser.add_argument('--to', nargs=1, 90f74e6e49SBjoern A. Zeeb required=True, 91f74e6e49SBjoern A. Zeeb help='The destination IP address') 92f74e6e49SBjoern A. Zeeb parser.add_argument('--debug', 93f74e6e49SBjoern A. Zeeb required=False, action='store_true', 94f74e6e49SBjoern A. Zeeb help='Enable test debugging') 95f74e6e49SBjoern A. Zeeb 96f74e6e49SBjoern A. Zeeb args = parser.parse_args() 97f74e6e49SBjoern A. Zeeb 98f74e6e49SBjoern A. Zeeb 99f74e6e49SBjoern A. Zeeb # Start sniffing on recvif 100f74e6e49SBjoern A. Zeeb sniffer = Sniffer(args, check_icmp6_error) 1014527b28bSBjoern A. Zeeb sniffer2 = Sniffer(args, check_icmp6_error_2) 102f74e6e49SBjoern A. Zeeb 103f74e6e49SBjoern A. Zeeb 104f74e6e49SBjoern A. Zeeb ######################################################################## 105f74e6e49SBjoern A. Zeeb # 106f74e6e49SBjoern A. Zeeb # Two fragments with payload and offset set to add up to >64k. 107f74e6e49SBjoern A. Zeeb # 108f74e6e49SBjoern A. Zeeb # Make a first fragment arrive and a second to explode everything. 109f74e6e49SBjoern A. Zeeb # 110f74e6e49SBjoern A. Zeeb # A: Reassembly failure. 111f74e6e49SBjoern A. Zeeb # R: ICMPv6 param prob, param header. 1124527b28bSBjoern A. Zeeb # R: ICMPv6 timeout (1st frag, off=0) 113f74e6e49SBjoern A. Zeeb # 114f74e6e49SBjoern A. Zeeb data = "6" * 1280 115f74e6e49SBjoern A. Zeeb ip6f01 = \ 116f74e6e49SBjoern A. Zeeb sp.Ether() / \ 117f74e6e49SBjoern A. Zeeb sp.IPv6(src=args.src[0], dst=args.to[0]) / \ 118f74e6e49SBjoern A. Zeeb sp.IPv6ExtHdrFragment(offset=0, m=1, id=7) / \ 119f74e6e49SBjoern A. Zeeb sp.UDP(dport=3456, sport=6543) / \ 120f74e6e49SBjoern A. Zeeb data 121f74e6e49SBjoern A. Zeeb ip6f02 = \ 122f74e6e49SBjoern A. Zeeb sp.Ether() / \ 123f74e6e49SBjoern A. Zeeb sp.IPv6(src=args.src[0], dst=args.to[0]) / \ 124f74e6e49SBjoern A. Zeeb sp.IPv6ExtHdrFragment(offset=0x1fff, m=1, id=7) / \ 125f74e6e49SBjoern A. Zeeb sp.UDP(dport=3456, sport=6543) / \ 126f74e6e49SBjoern A. Zeeb data 127f74e6e49SBjoern A. Zeeb if args.debug : 128f74e6e49SBjoern A. Zeeb ip6f01.display() 129f74e6e49SBjoern A. Zeeb ip6f02.display() 130f74e6e49SBjoern A. Zeeb sp.sendp(ip6f01, iface=args.sendif[0], verbose=False) 131f74e6e49SBjoern A. Zeeb sp.sendp(ip6f02, iface=args.sendif[0], verbose=False) 132f74e6e49SBjoern A. Zeeb 133f74e6e49SBjoern A. Zeeb sleep(1.00) 134f74e6e49SBjoern A. Zeeb sniffer.setEnd() 135f74e6e49SBjoern A. Zeeb sniffer.join() 136f74e6e49SBjoern A. Zeeb if not sniffer.foundCorrectPacket: 137f74e6e49SBjoern A. Zeeb sys.exit(1) 138f74e6e49SBjoern A. Zeeb 139f74e6e49SBjoern A. Zeeb 140f74e6e49SBjoern A. Zeeb # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## 141f74e6e49SBjoern A. Zeeb # 142f74e6e49SBjoern A. Zeeb # A fragment with payload and offset set to add up to >64k. 143f74e6e49SBjoern A. Zeeb # 144f74e6e49SBjoern A. Zeeb # Try again with the first packet to make things explode. 145f74e6e49SBjoern A. Zeeb # 146f74e6e49SBjoern A. Zeeb # A: Reassembly failure. 147f74e6e49SBjoern A. Zeeb # R: ICMPv6 param prob, param header. 148f74e6e49SBjoern A. Zeeb # 149f74e6e49SBjoern A. Zeeb 150f74e6e49SBjoern A. Zeeb # Start sniffing on recvif 151f74e6e49SBjoern A. Zeeb sniffer = Sniffer(args, check_icmp6_error) 152f74e6e49SBjoern A. Zeeb 153f74e6e49SBjoern A. Zeeb ip6f01 = \ 154f74e6e49SBjoern A. Zeeb sp.Ether() / \ 155f74e6e49SBjoern A. Zeeb sp.IPv6(src=args.src[0], dst=args.to[0]) / \ 156f74e6e49SBjoern A. Zeeb sp.IPv6ExtHdrFragment(offset=0x1fff, m=1, id=0x7001) / \ 157f74e6e49SBjoern A. Zeeb sp.UDP(dport=3456, sport=6543) / \ 158f74e6e49SBjoern A. Zeeb data 159f74e6e49SBjoern A. Zeeb if args.debug : 160f74e6e49SBjoern A. Zeeb ip6f01.display() 161f74e6e49SBjoern A. Zeeb sp.sendp(ip6f01, iface=args.sendif[0], verbose=False) 162f74e6e49SBjoern A. Zeeb 163f74e6e49SBjoern A. Zeeb sleep(0.10) 164f74e6e49SBjoern A. Zeeb sniffer.setEnd() 165f74e6e49SBjoern A. Zeeb sniffer.join() 166f74e6e49SBjoern A. Zeeb if not sniffer.foundCorrectPacket: 167f74e6e49SBjoern A. Zeeb sys.exit(1) 168f74e6e49SBjoern A. Zeeb 1694527b28bSBjoern A. Zeeb # Wait for expiry from first test run. 170e32221a1SAlexander V. Chernikov sleep(3) 1714527b28bSBjoern A. Zeeb sniffer2.setEnd() 1724527b28bSBjoern A. Zeeb sniffer2.join() 1734527b28bSBjoern A. Zeeb if not sniffer2.foundCorrectPacket: 1744527b28bSBjoern A. Zeeb sys.exit(1) 1754527b28bSBjoern A. Zeeb 176f74e6e49SBjoern A. Zeeb sys.exit(0) 177f74e6e49SBjoern A. Zeeb 178f74e6e49SBjoern A. Zeebif __name__ == '__main__': 179f74e6e49SBjoern A. Zeeb main() 180