[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00

IPv6 Maintenance (6man) Working Group                      E. Vasilenko
Internet Draft                                                  X. Xiao
Updates: 4861, 4862 (if approved)                   Huawei Technologies
Intended status: Standards Track                     September 24, 2020
Expires: March 2021

            ND improvement to prevent Man-in-the-middle attack


   Privacy protection is the bigger and bigger concern of many
   governments and public in general. ND has a few open man-in-the-
   middle attack vectors. MITM is considered among the most dangerous
   attack types because of information leakage. This document proposes
   minimal modifications for ND to protect IPv6 nodes against still
   open MITM attacks. It could be implemented gradually on any nodes,
   with the biggest benefit from support on routers.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of

Vasilenko               Expires March 24, 2021                 [Page 1]

Internet-Draft            ND-MITM-protection             September 2020

   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents

   1. Terminology and pre-requisite..................................2
   2. Introduction...................................................3
   3. Security vulnerabilities.......................................4
      3.1. Rewrite by unsolicited NA.................................4
      3.2. Be the first and suppress DAD.............................5
      3.3. Win the race just after DAD...............................6
      3.4. Implications for off-link nodes...........................6
      3.5. Speed up by [Gratuitous ND]...............................6
   4. Solution - Security DAD........................................7
      4.1. Standards modifications...................................8
         4.1.1. Modifications to [ND]................................8
         4.1.2. Modifications to [SLAAC]............................11
      4.2. Interoperability analysis................................11
   5. Applicability analysis........................................13
      5.1. Performance analysis.....................................13
      5.2. Usability analysis.......................................15
      5.3. DoS level analysis.......................................16
   6. Security Considerations.......................................16
   7. IANA Considerations...........................................16
   8. References....................................................17
      8.1. Normative References.....................................17
      8.2. Informative References...................................18
   9. Acknowledgments...............................................18

1. Terminology and pre-requisite

   Good knowledge and frequent references to [ND] is assumed. Many
   terms are inherited from [ND]. Additional terms are introduced:

  Security DAD: Duplicated Address Detection for security check
            at the time to write or rewrite for Link Layer Address

  Intruder: The Node under control of malicious 3rd party

Vasilenko               Expires March 24, 2021                 [Page 2]

Internet-Draft            ND-MITM-protection             September 2020

  Intercepted Victim: The node that could lose the privacy of

  Poisoned Victim: The node that could suffer an unauthorized
            modification of Neighbor Cache entry; depending on the
            scenario, it could additionally lose the privacy of

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here

2. Introduction

   Cyber Security is one of the biggest concern for many governments:
   CPNI, HIPAA, FCRA, ECPA in US; GDPR in Europe; CSL in China; DPB in
   India; Data Protection Act 2018 in the UK. Many regulations have
   been refreshed or fully redeveloped in recent years.

   [ND Trust Model] clearly states: "it is desirable to limit the
   amount of potential damage in the case a node becomes compromised.
   For example, it might still be acceptable that a compromised node is
   able to launch a denial-of-service attack, but it is undesirable if
   it is able to hijack existing connections or establish man-in-the-
   middle attacks on new connections."

   The most dangerous and easy way to organize a MITM attack is based
   on rogue Router Advertisements. Fortunately, rogue router is easy to
   block on link level device by filtering ICMPv6 message type 134

   This document discusses MITM attacks that are more difficult to
   block, because it is a challenge for link layer to clarify IP
   address ownership in the plain (distributed) ND architecture. The
   Internet has open tools to exploit this vulnerability (parasite6,
   scapy). Attacks are explained in [RIPE-Training] and [IEEE ND
   Security]. Last reference has very big collection of ND security
   improvements proposed (50+ solutions), but the problem related to
   information leakage is still open.

   This document proposes a simple modification for ND protocol that
   could be briefly explained as:

Vasilenko               Expires March 24, 2021                 [Page 3]

Internet-Draft            ND-MITM-protection             September 2020

   o  Link Layer Address rewrite or initial write for any Neighbor
      Cache entry MUST be the result of only *multicast* Neighbor
      Solicitation. Multicast would give a chance for Poisoned Victim
      to understand that many nodes are going to use the same IP

   o  "Security DAD" is mandatory: it SHALL be checked that not more
      than expected number of NA replies have been received in the
      response to *multicast* NS. It means that for the majority of
      cases (default DuplicityLevel): no more than 1 reply.

   o  Any node SHOULD override neighbor cache entry on routers by
      sending unsolicited NA message after respective node addresses
      would progress to preferred state.

3. Security vulnerabilities

3.1. Rewrite by unsolicited NA

   Let's consider the case when all nodes support [ND] without any
   extensions. Additionally, assume that Intruder gains access to one
   node on the link by exploiting some other vulnerability or Intruder
   has connected his host physically to the link.

   3 nodes involved in the attack: Intruder (typically a host),
   Intercepted Victim (typically another host) and Poisoned Victim
   (typically a router).

   Neighbor Cache poisoning could be organized (by the procedure below)
   for any node (host or router). Router is typically the more probable
   target for the Poisoned Victim role because Intercepted Victim has a
   high probability to communicate with a Router.

   The algorithm for attack:

   o  Intruder has many ways to get Intercepted Victim IP address - see
      [IPv6 Reconnaissance]. The IP address could not be considered
      hidden information.

   o  Intruder starts sending non-legitimate unicast NA to Poisoned
      Victim with the "target IP address" of Intercepted Victim, but
      link layer address of the Intruder, with flags "Override" and
      "Solicited" set.

Vasilenko               Expires March 24, 2021                 [Page 4]

Internet-Draft            ND-MITM-protection             September 2020

   o  If Neighbor Cache entry on Poisoned Victim for reachability to
      Intercepted Victim is already created (by NS or return traffic -
      the second one is highly probable for routers) - then the
      Neighbor Cache entry would be overwritten, because "Override"
      flag was set. Neighbor cache entry would be put to STALE state at
      a minimum. If a particular implementation does not track
      correspondence between NS and NA (not required for state machine
      in [ND]) then cache entry would be put directly to REACHABLE,
      because "Solicited" flag was set (section 7.2.5 of [ND]).

   o  Intercepted Victim would not see unicast NA - it would not have
      chance to recognize "duplicate address". Upstream traffic would
      flow normally from Intercepted Victim to Poisoned Victim, but
      downstream traffic would go from Poisoned Victim to Intruder. An
      Intruder could build a much bigger set of attacks on this
      basement, for example: it could edit DNS answers and redirect all
      Intercepted Victim's traffic to itself (both directions).

   An intruder could send poisoning NA periodically and intercept
   traffic as soon as it would become available from Poisoned Victim.
   Initial traffic missed for Intruder could be very small (tens of

3.2. Be the first and suppress DAD

   An Intruder could claim an IP address (and establish communication)
   while Intercepted Victim is disconnected from the link. Intruder
   just needs to suppress DAD on itself - Poisoned Victim would never
   understand that address duplication did happen for the basic [ND]

   It is a more difficult attack vector for an Intruder, because it
   needs to wait Intercepted Victim reconnection to the link.
   It would be difficult to push the router to reinitialize the link.
   It is potentially possible to influence the host to re-initialize
   the link by DoS, social engineering or other vulnerability. It is
   definitely possible to wait till host or router would reload after
   upgrade (predicted event for host).
   This attack vector does not make sense for the Intruder under the
   case of availability attack vector #1. But it could become next
   primary attack vector if Intruder would be prevented from attack
   vector #1. Hence, solution should block it too.

Vasilenko               Expires March 24, 2021                 [Page 5]

Internet-Draft            ND-MITM-protection             September 2020

3.3. Win the race just after DAD

   The Intruder could be silent and monitor DAD. As soon as the
   Intruder would see DAD - it would have RetransTimer (1sec by
   default) to persuade the Poisoned Victim that it is the only one on
   the link that claims this IP address. The Intruder could pass any
   multicast or unicast check, because Intercepted Victim would be
   silent inside the DAD procedure for the basic [ND] environment.

   It is a more difficult attack vector for an Intruder, but could
   become primary if other attack vectors would be blocked. See more
   detailed explanation in previous section.

3.4. Implications for off-link nodes

   All 3 attack vectors above have additional strong vulnerability
   consequence that make sense to discuss separately: Intruder
   impersonates Intercepted Victim for traffic from off-link (for
   connections initiated from any node behind the router). It is the
   strongest form of 2-way Man-in-the-middle attack.
   It is not very important for ordinary hosts, because not many remote
   nodes would try to contact Intercepted Victim. There is the
   possibility for unlucky exception when admin would come to
   Intercepted Victim for remote monitoring, then Intruder could ask
   him for password hash. Admin password is extremely valuable for the
   It is really big leakage of information if Intruder impersonates
   some important corporate server. Many users of this company would
   connect to the Intruder. The majority of internal Enterprise
   applications do not have mutual authentication properly activated.
   The Intruder would be capable to collect many passwords of this
   company. It is easy for Intruder to emulate the original application
   because it could proxy user requests to Intercepted Victim (on the
   same link) and get proper responses that fully satisfy users.
   Particular application could have additional vulnerabilities that is
   easy to exploit in the situation when Intruder is on the server

3.5. Speed up by [Gratuitous ND]

   This is not separate attack vector. It is just a little improvement
   for the Intruder for attack vectors #1.

   Let's assume that [Gratuitous ND] is implemented at least on
   Poisoned Victim.

Vasilenko               Expires March 24, 2021                 [Page 6]

Internet-Draft            ND-MITM-protection             September 2020

   [Gratuitous ND] has changed 1st paragraph of [ND] section 7.2.5 - it
   permits creation of new Neighbor Cache entry on Poisoned Victim,
   including the situation when there was no NS before and no record
   has been created in any state.

   Let's assume that garbage collector deleted stale record for seldom
   speaking node. Then consider situation of attack vector #1. Basic
   [ND] pushes the Intruder to send unsolicited NA frequently (up to
   the rate limit on the Poisoned Victim). In contrast, [Gratuitous ND]
   permits to create the neighbor cache record by one message much in
   advance of traffic flow. As a result, Intruder could get all traffic
   from Poisoned Victim to Intercepted Victim, no any packet would be
   missed. The improvement for the Intruder is very small - just tens
   of milliseconds of additional traffic would be intercepted. Attack
   vector is very effective in both cases.

   Let's look to the attack vector #2. Intruder had plenty of time to
   establish communication by normal traffic flow. No additional value
   from [Gratuitous ND].

   Let's look to the attack vector #3. Intruder have RetransTimer (1sec
   by default) to create a record on Poisoned Victim. Normally
   generated traffic should be fast enough. No additional value from
   [Gratuitous ND] again.

4. Solution - Security DAD

   The general idea is very easy to explain:

   o  Link Layer Address rewrite or initial write for any Neighbor
      Cache entry MUST be the result of only *multicast* Neighbor
      Solicitation. Multicast would give a chance for Poisoned Victim
      to understand that many nodes are going to use the same IP

   o  "Security DAD" is mandatory: it SHALL be checked that not more
      than expected number of NA replies have been received in the
      response to *multicast* NS. It means that for the majority of
      cases (default DuplicityLevel): no more than 1 reply.

   o  Only fastest NA response to multicast NS SHOULD be used for write
      or rewrite of LLA. This rule would be useful only for the case of
      DuplicityLevel more than 1 (not default configuration). It is
      needed to support many anycast address on the same link.

Vasilenko               Expires March 24, 2021                 [Page 7]

Internet-Draft            ND-MITM-protection             September 2020

   o  Any node SHOULD override neighbor cache entry on routers by
      sending unsolicited NA message after respective node addresses
      would progress to preferred state.

   The implementation is more complex, because it needs to be put into
   [ND] context - see next sections.

4.1. Standards modifications

4.1.1. Modifications to [ND]

   * Section 5.1 and section 7.3.2 of [ND],
   add new state of Neighbor Cache entry:

  DUPLICATE - Target address has been put into dampening state for the
            time defined by DuplicateTimer, because SDAD (additional
            security check) has found duplicate address. The Neighbor
            Cache entry MUST not be used for traffic forwarding. All NS
            and NA for this target address SHALL be ignored. DUPLICATE
            entry SHOULD be deleted when DuplicateTimer expire.

   * Sections 6.2.1 and 6.3.2 of [ND],
   add to router and host variables:

  DuplicateTimer - measured in seconds, dampening time for duplicate
            IP address discovered by SDAD procedure. It SHOULD be
            copied from "Reachable Time" advertised by router (on the
            router itself, it is known as AdvReachableTime - section
            6.2.1 of [ND]). Future versions of [ND] should be extended
            to advertise this timer from router in RA messages.

   * Sections 6.2.1 and 6.3.1 of [ND],
   add to router and host configurable variables:

  DuplicityLevel - number of NA responses that is accepted as
            legitimate for multicast NS solicitation. It permits to
            proper handling of anycast addresses present on the link if
            the maximum number of anycast addresses is known in
            advance. The node MUST have the capability to provision
            DuplicityLevel on a per-link granularity. 32-bit unsigned
            integer SHOULD be reserved for this counter.

Vasilenko               Expires March 24, 2021                 [Page 8]

Internet-Draft            ND-MITM-protection             September 2020

   * Section 10 of [ND], add to Node constants:

  DuplicityLevel 1 (no duplicate addresses permitted)

   * Section 5.3 (Garbage Collection) of [ND], add at the end:

   Neighbor Cache entries with DuplicateTimer expired SHOULD be
   deleted. It is possible to delete entries before timer expiration,
   if there is a need to free space for new entries.

   * Section 7.2.2 (Sending NS) of [ND], add at the end:

   Prepare state machine on every transmission of multicast NS:

   o  Initialize DUPLICITY counter by DuplicityLevel

   o  Restart RetransTimer of this Neighbor Cache entry

   Do not change RetransTimer for unicast NS - reuse expired one.

   * Section 7.2.5 (Receipt NA) of [ND], replace at the beginning:

   This modification is equivalent to [Gratuitous ND]. You could have
   this change already if [Gratuitous ND] is implemented on your


   When a valid Neighbor Advertisement is received (either solicited or
   unsolicited), the Neighbor Cache is searched for the target's entry.
   If no entry exists, the advertisement SHOULD be silently discarded.
   There is no need to create an entry if none exists, since the
   recipient has apparently not initiated any communication with the


Vasilenko               Expires March 24, 2021                 [Page 9]

Internet-Draft            ND-MITM-protection             September 2020

   When a valid Neighbor Advertisement is received (either solicited or
   unsolicited), check first for the target's IP address entry in the
   Neighbor Cache.

   If no entry exists on the host, it SHOULD silently discard this
   advertisement. There is no need to create an entry if none exists,
   since the recipient has apparently not initiated any communication
   with the target.

   If no entry exists on the router, it should additionally check for
   Target link-layer address option.
   If the received Neighbor Advertisement does not contain the Target
   link-layer address option, then the router SHOULD silently discard
   this advertisement. Else router SHOULD create a new entry for the
   target address with the link-layer address set to the Target link-
   layer address option. The neighbor cache entry state MUST be set to

   * Section 7.2.5 (Receipt NA) of [ND], add at the end:

   I. If NA received is inside RetransTimer window, then it is
   considered as a response to NS (solicited):

   o  If DUPLICITY counter does not yet reach 0: Process NA according
      to all other rules of this section, except write or rewrite of
      link layer addresses is permitted only if DUPLICITY is equal to
      DuplicityLevel (only fastest anycast is used for neighbor
      reachability cache). Additionally, decrement DUPLICITY.

   o  If DUPLICITY counter is 0: Change Neighbor Cache entry to
      DUPLICATE state. Clear all packets in the queue related to this
      target address. Log duplicate address event with target address
      and both Link Layer addresses (from received NA and from cache
      entry). Start DuplicateTimer for this Neighbor Cache entry.

   II. If RetransTimer is expired or Neighbor Cache entry does not
   exist yet for this target address then NA is considered unsolicited
   disregard of any flags set. Process NA according to all other rules
   of this section, except additional check: if processing would need
   to initial write or rewrite Link Level Address (i.e. any change of
   LLA) then change Neighbor Cache entry state to INCOMPLETE and
   initiate *multicast* Neighbor Solicitation process against this
   target IP address.

Vasilenko               Expires March 24, 2021                [Page 10]

Internet-Draft            ND-MITM-protection             September 2020

   * Section 7.2.6 (Sending unsolicited NA) of [ND], add at the end:

   A node SHOULD send Neighbor Advertisement message with Override flag
   set to the all-routers multicast address after respective address
   would change state to preferred.

   * It MAY be added after 4th paragraph of section 5.2 (Conceptual
   Sending Algorithm) of [ND]:

   Traffic resolved to be sent through Neighbor Cache entry in
   DUPLICATE state MUST be dropped.

4.1.2. Modifications to [SLAAC]

   * Neighbor Cache maintenance is pretty much restricted to [ND].
   Hence, it is not mandatory to change [SLAAC] - the latter is more
   concerned on initialization and DAD. One optimization is possible
   specifically for [Gratuitous ND] environment. It is stated in
   paragraph 4 of section 5.4.2 [SLAAC] that messages sent in response
   to multicast announcements should be delayed for random time between
   0 and MAX_RTR_SOLICITATION_DELAY, but the type of multicast message
   is mentioned in clear "router advertisement message". It MAY be
   reasonable to replace it to "any message", because [Gratuitous ND]
   does send unsolicited NA to all-routers multicast and this document
   proposes response by NS that could synchronize from all routers.

4.2. Interoperability analysis

   Proposed solution does not need any additional functionality on link
   layer technology (no layer 2 features needed).

   It does not block unsolicited NA - Link Local Addresses write or
   rewrite is still possible, including compatibility to [Gratuitous

   [Optimistic DAD] creates possibility for Intruder to intercept
   RetransTimer (1sec by default) of traffic in the case of attack
   vector #2 and #3, because optimistic address could transmit traffic
   without the possibility to override Poisoned Victim neighbor cache -
   NA should have override flag cleared. [Gratuitous ND] does not
   change this rule for the good reason: it would be not a good idea to
   strongly claim address that has not passed DAD check yet.

Vasilenko               Expires March 24, 2021                [Page 11]

Internet-Draft            ND-MITM-protection             September 2020

   Hence, SDAD would not be activated up to the time the address would
   progress to preferred, that initiate NA with override flag set.
   You could disable [Optimistic DAD] if your concern about traffic
   intercepted for RetransTimer seconds is bigger than your concern of
   interface initialization delay for the same time.

   [Gratuitous ND] operates as intended in the combination with
   [Optimistic DAD]. [Gratuitous ND] is effectively replaced by this
   document for the case when address is progressed to preferred,
   because stronger form of unsolicited NA (with override flag set) is

   It should be no problem for multi-prefix and multi-homing
   environment discussed in [Multi-Homing], because Neighbor Cache
   population does not influence forwarding directions (Destination
   Cache does). [Gratuitous ND] could create unnecessary states on
   routers advertising address spaces from different ISP for the case
   of Provider-aggregatable address space. Mechanism specified in this
   document would confirm it to REACHABLE state, then it would be
   probably not used later (freeze in STALE state up to garbage
   collection). It is very small deficiency originated by [Gratuitous
   ND] that does not make sense to fix.

   This document does not create any problem for standard update
   proposed in [Subnet Model], because determination of "on-link"
   addresses is on Destination Cache level that Neighbor Cache is not
   capable to influence.

   [FCFS SAVI] deep security assistance from L2 switches would not
   benefit from this document - it is not possible to poison cache in
   SAVI architecture. It is important to mention that this document
   would not create any interoperability issue with [FCFS SAVI]. There
   would be no illegal write or rewrite requests (with duplicate
   addresses) that SDAD needs to check.

   The same consequence is under SeND presence: cryptographically
   protected addresses does not need additional protection, but again
   current document would not create any interoperability problem by
   additional Security DAD check.

   DHCP support is not affected by this document - it is irrelevant how
   node has got an IP address. Furthermore, it is not important whether
   it has been done in a legal way - if Intruders would try to hijack
   traffic of each other - they would be both blocked, because they
   would create duplicate addresses.

Vasilenko               Expires March 24, 2021                [Page 12]

Internet-Draft            ND-MITM-protection             September 2020

   [NUD improvement] has the natural synergy with current document,
   because it converts unicast NS to multicast NS (when neighbor cache
   state would change to UNREACHABLE) that permits to save on
   additional multicast NS for SDAD check.

   SDAD (as well as ordinary DAD) is not fully compatible to anycast IP
   address. DuplicityLevel permits to properly handle anycast addresses
   present on a link if the maximum number of anycast addresses is
   known in advance (see DuplicityLevel variable).

   Active-Standby clustering solutions (including VRRP) should not be
   affected by this standard extension, because properly functioning
   cluster should respond to target IP only from one LLA. If any
   concern on cluster behavior exist - SDAD could be effectively
   disabled by setting bigger number for DuplicityLevel.

   The document proposes minimal changes for ND protocol without
   changing the basic principles. Moreover, changes in nodes behavior
   are local - it is not needed to wait for formal standard update -
   new behavior would be fully compliant to [ND] and [SLAAC], as well
   as all other extensions mentioned above in this section.

5. Applicability analysis

5.1. Performance analysis

   [Gratuitous ND] cache initialization improvement is not affected by
   this document, because algorithm above assumes immediate check, no
   need to wait for return traffic to be buffered.

   Additional Security DAD (with associated multicast solicitation)
   should happen only for Link Layer Address write or rewrite that
   ideally should happen only one time for every address. Control Plane
   load should not be considerably increased. Moreover, in some cases
   SDAD check coincide with multicast NS that results in no additional
   messages. See later more detailed analysis of multicast performance
   for 3 primary scenarios. It has been analyzed per 1 address space,
   other Global Unicast Addresses or Unique Local Address would have
   exactly the same calculations.
   LLA would generate additional multicast traffic that is omitted in

   A reminder: according to section 5.1 of [SLAAC] - ordinary DAD has 1
   multicast check by default (DupAddrDetectTransmits is 1).

Vasilenko               Expires March 24, 2021                [Page 13]

Internet-Draft            ND-MITM-protection             September 2020

   We could assume that the host would not wait scheduled RA, it would
   probably initiate RS that would generate multicast RA.

   1. Host to host communication (general scenario).
      The basic neighbor reachability detection (by [RFC 4861]) should
      use one multicast for DAD and one multicast solicitation to
      discover other node. It is not important for performance analysis
      that only originating node would check 2-way communication (and
      would promote cache entry to REACHABLE) as a result of initial
      multicast solicitation, because other node would record proper
      LLA too - it would use unicast solicitation later to prove 2-way
      communication. Hence, this document would generate an additional
      multicast request per every pair of communicating nodes.
      Depending on the mesh communication richness between nodes - it
      could increase multicast traffic from 0 up to 100% (depends on
      the number of communicating pairs): (2*c*(c-1)+h)/(c*(c-1)+h).

   2. Router cache population in the basic [ND] scenario.
      Initial DAD is omitted here, because it was calculated in host-
      to-host scenario. The host would generate multicast RS and would
      receive multicast RA. Multicast NS is assumed as a result of one
      router receiving traffic to a particular host. This document
      reuses any multicast NS for SDAD, hence performance is not
      affected: (h*(2*r+1))/(h*(2*r+1))=1.

   3. Router cache population in the scenario of [Gratuitous ND].
      Initial DAD is omitted here, because it was calculated in host-
      to-host scenario. The host would generate multicast RS and would
      receive multicast RA. One multicast unsolicited NA is proposed by
      [Gratuitous ND], it could not be used for SDAD, because it is
      going to different multicast group (routers). Hence, this
      document creates 33% more multicast traffic for 1 router on this
      link, 40% more multicast for 2 routers on this link, up to 50%
      more multicast for many routers: (h*(2*r+1+r))/(h*(2*r+1)).

   It makes sense to remind, that normal neighbor cache entry
   refreshment should not generate additional multicast, because entry
   refreshment is assumed in unicast to known MAC address - see PROBE
   definition in [ND] section 5.1. The Garbage collector may completely
   delete long stale neighbor cache entry (good example of such host is
   a printer), then multicast would be needed anyway - this document
   does not increase multicast for that case.

Vasilenko               Expires March 24, 2021                [Page 14]

Internet-Draft            ND-MITM-protection             September 2020

5.2. Usability analysis

   Host's Unsolicited NA (after address would go to preferred state) is
   proposed only in the direction of all-routers multicast (router to
   host communication). It would invoke SDAD check and reveal
   Attack vector #2 has been left unprotected by this document for the
   case of host to host communication. MITM for traffic inside link is
   still possible, because SDAD check is useless at the time when
   Intercepted Victim is not connected yet to the link, but later would
   be no rewrite request that would not initiate SDAD check.

   Some technologies are prone to multicast loss. The mechanism in this
   document may not give security protection as intended if multicast
   NS would be lost only in the direction of Intercepted Victim - SDAD
   would not detect address duplicity.

   The Intruder could potentially answer to multicast NS a few
   milliseconds faster than the Intercepted Victim. Poisoned Victim
   could update neighbor cache in the favor of Intruder and release the
   small portion of the traffic before Poisoned Victim would receive
   excessive number of NA responses and block both (Intruder and
   Intercepted Victim).

   Security solution discussed in this document does not need any
   coordination on introduction in production. It could be done in any
   order or ad-hoc: it is not restricted which one particular node
   (router or host) would start additional SDAD check first.

   There are 2 primary use cases envisioned (with the 3rd mixing both):

   o  Campus environment: the majority of traffic are going to default
      router on every link. The intruder would have the priority to
      poison router cache. Hence, router protection is priority

   o  Data Center environment: the big proportion of the East-West
      traffic. Hosts protection has bigger priority for this use case

   DuplicityLevel is the common information for the link - it is better
   to advertise it from router in the future versions of ND.  Current
   design choice (keep this information local) is justified to simplify
   transition - possibility to introduce SDAD support on any one node
   or node sets in any order.

Vasilenko               Expires March 24, 2021                [Page 15]

Internet-Draft            ND-MITM-protection             September 2020

5.3. DoS level analysis

   MITM attack vector #1 was very effective and easy to organize, hence
   it was very probable. It has been converted by this document into
   the same probable DoS (Intercepted Victim and Intruder - both
   blocked). It could be the temptation to minimize Intercepted Victim
   disruption by blocking only the second node (first-come/first-serve
   approach). The Intruder would be the second in the majority of cases
   that would minimize disruption for Intercepted Victim.
   Unfortunately, there are less probable cases when Intruder would be
   capable of catching server with popular application in reload or
   upgrade state - then legal node would be blocked. The Intruder would
   be capable of pretending to be the particular application and start
   collection of valuable information from users that would visit this
   application. See section 3.4 (Implications for off-link nodes) for
   details. It is the leakage of information again. The leakage of
   information is considered much more serious security problem than
   DoS, hence such conversion of DoS back into leakage is not
   acceptable. Vulnerability harm is more important than the
   probability of vulnerability. It is especially true for [ND] where
   we have other DoS vulnerabilities anyway.

   Only cryptographically based authentication does permit to really
   minimize DoS disruption for legal node.

6. Security Considerations

   This document describes the conversion of most common MITM attack
   vectors into less dangerous DoS. It does not introduce new

   One corner case is left unprotected by this document:
   attack vector #2 for the situation when all involved nodes are hosts
   and at the same time Intercepted Victim has been connected to the
   link later after Intruder.

7. IANA Considerations

   This document has no any request to IANA.

Vasilenko               Expires March 24, 2021                [Page 16]

Internet-Draft            ND-MITM-protection             September 2020

8. References

8.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, DOI
             10.17487/RFC2119, March 1997, <https://www.rfc-

   [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
             2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
             May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [ND] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
             "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
             DOI 10.17487/RFC4861, September 2007, <https://www.rfc-

   [SLAAC] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
             Address Autoconfiguration", RFC 4862, DOI
             10.17487/RFC4862, September 2007, <https://www.rfc-

   [Gratuitous ND] Linkova, J., "Gratuitous Neighbor Discovery:
             Creating Neighbor Cache Entries on First-Hop Routers",
             draft-ietf-6man-grand-01 (work in progress), July 2020.

   [Optimistic DAD] N. Moore, "Optimistic Duplicate Address Detection
             (DAD) for IPv6", RFC 4429, DOI 10.17487/RFC4429, April
             2006, <https://www.rfc-editor.org/info/rfc4429>.

   [Multi-Homing] F. Baker, B. Carpenter, "First-Hop Router Selection
             by Hosts in a Multi-Prefix Network", RFC 8028, DOI
             10.17487/RFC8028, November 2016, <https://www.rfc-

   [ND Trust Model] P. Nikander, J. Kempf, E. Nordmark, "IPv6 Neighbor
             Discovery (ND) Trust Models and Threats", RFC 3756, DOI
             10.17487/RFC3756, May 2004, <https://www.rfc-

   [NUD improvement] E. Nordmark, I. Gashinsky, "Neighbor
             Unreachability Detection Is Too Impatient", RFC 7048, DOI
             10.17487/RFC7048, July 2010, <https://www.rfc-

Vasilenko               Expires March 24, 2021                [Page 17]

Internet-Draft            ND-MITM-protection             September 2020

   [Subnet Model] H. Singh, W. Beebee, E. Nordmark, "IPv6 Subnet Model:
             The Relationship between Links and Subnet Prefixes", RFC
             5942, DOI 10.17487/RFC5942, July 2010, <https://www.rfc-

   [FCFS SAVI] E. Nordmark, M. Bagnulo, E. Levy-Abegnoli, "FCFS SAVI:
             First-Come, First-Served Source Address Validation
             Improvement for Locally Assigned IPv6 Addresses", RFC
             6620, DOI 10.17487/RFC6620, May 2012, <https://www.rfc-

8.2. Informative References

   [RFC8200] S. Deering, R. Hinden, "Internet Protocol, Version 6
             (IPv6) Specification", RFC 8200, DOI 10.17487/RFC8200,
             July 2017, <https://www.rfc-editor.org/info/rfc8200>.

   [RIPE-Training] RIPE NCC, "IPv6 Security Training", February 2019,

   [RA-Guard] E. Levy-Abegnoli, G. Van de Velde, C. Popoviciu, J.
             Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, DOI
             10.17487/RFC6105, February 2011, <https://www.rfc-

   [IPv6 Reconnaissance] F. Gont, T. Chown, "Network Reconnaissance in
             IPv6 Networks", RFC 7707, DOI 0.17487/RFC7707, March 2016,

   [IEEE ND Security] Amjed Sid Ahmed Mohamed Sid Ahmed, Rosilah
             Hassan, Nor Effendy Othman, "IPv6 Neighbor Discovery
             Protocol Specifications, Threats and Countermeasures: A
             Survey", DOI 10.1109/ACCESS.2017.2737524, August 2017,

9. Acknowledgments

   Thanks to 6man working group for problem discussion

Vasilenko               Expires March 24, 2021                [Page 18]

Internet-Draft            ND-MITM-protection             September 2020

Authors' Addresses

   Eduard Vasilenko
   Huawei Technologies
   17/4 Krylatskaya st, Moscow, Russia 121614

   Email: vasilenko.eduard@huawei.com

   Xiao Xipeng
   Huawei Technologies
   205 Hansaallee, 40549 Dusseldorf, Germany

   Email: xipengxiao@huawei.com

Vasilenko               Expires March 24, 2021                [Page 19]

Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/