draft-ietf-6man-nd-extension-headers-02.txt   draft-ietf-6man-nd-extension-headers-03.txt 
IPv6 maintenance Working Group (6man) F. Gont IPv6 maintenance Working Group (6man) F. Gont
Internet-Draft SI6 Networks / UTN-FRH Internet-Draft SI6 Networks / UTN-FRH
Updates: 3971, 4861 (if approved) December 10, 2012 Updates: 3971, 4861 (if approved) January 14, 2013
Intended status: Standards Track Intended status: Standards Track
Expires: June 13, 2013 Expires: July 18, 2013
Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery
draft-ietf-6man-nd-extension-headers-02 draft-ietf-6man-nd-extension-headers-03
Abstract Abstract
This document analyzes the security implications of using IPv6 This document analyzes the security implications of employing IPv6
Extension Headers with Neighbor Discovery (ND) messages. It updates fragmentation with Neighbor Discovery (ND) messages. It updates RFC
RFC 4861 such that use of the IPv6 Fragmentation Header is forbidden 4861 such that use of the IPv6 Fragmentation Header is forbidden in
in all Neighbor Discovery messages, thus allowing for simple and all Neighbor Discovery messages, thus allowing for simple and
effective counter-measures for Neighbor Discovery attacks. Finally, effective counter-measures for Neighbor Discovery attacks. Finally,
it discusses the security implications of using IPv6 fragmentation it discusses the security implications of using IPv6 fragmentation
with SEcure Neighbor Discovery (SEND), and formally updates RFC 3971 with SEcure Neighbor Discovery (SEND), and formally updates RFC 3971
to provide advice regarding how the aforementioned security to provide advice regarding how the aforementioned security
implications can be prevented. implications can be prevented.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 13, 2013. This Internet-Draft will expire on July 18, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 3, line 8 skipping to change at page 3, line 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11
8.2. Informative References . . . . . . . . . . . . . . . . . . 11 8.2. Informative References . . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction 1. Introduction
The Neighbor Discovery Protocol (NDP) is specified in RFC 4861 The Neighbor Discovery Protocol (NDP) is specified in RFC 4861
[RFC4861] and RFC 4862 [RFC4862]. It is used by both hosts and [RFC4861]. It is used by both hosts and routers. Its functions
routers. Its functions include Neighbor Discovery (ND), Router include Neighbor Discovery (ND), Router Discovery (RD), Address
Discovery (RD), Address Autoconfiguration, Address Resolution, Autoconfiguration, Address Resolution, Neighbor Unreachability
Neighbor Unreachability Detection (NUD), Duplicate Address Detection Detection (NUD), Duplicate Address Detection (DAD), and Redirection.
(DAD), and Redirection.
Many of the possible attacks against the Neighbor Discovery Protocol Many of the possible attacks against the Neighbor Discovery Protocol
are discussed in detail in [RFC3756]. In order to mitigate the are discussed in detail in [RFC3756]. In order to mitigate the
aforementioned possible attacks, the SEcure Neighbor Discovery (SEND) aforementioned possible attacks, the SEcure Neighbor Discovery (SEND)
was standardized. SEND employs a number of mechanisms to certify the was standardized. SEND employs a number of mechanisms to certify the
origin of Neighbor Discovery packets and the authority of routers, origin of Neighbor Discovery packets and the authority of routers,
and to protect Neighbor Discovery packets from being the subject of and to protect Neighbor Discovery packets from being the subject of
modification or replay attacks. modification or replay attacks.
However, a number of factors, such as the use of trust anchors and However, a number of factors, such as the use of trust anchors and
the unavailability of SEND implementations for many widely-deployed the unavailability of SEND implementations for many widely-deployed
operating systems, make SEND hard to deploy [Gont-DEEPSEC2011]. operating systems, make SEND hard to deploy [Gont-DEEPSEC2011].
Thus, in many general scenarios it may be necessary and/or convenient Thus, in many general scenarios it may be necessary and/or convenient
to use other mitigation techniques for NDP-based attacks. The to use other mitigation techniques for NDP-based attacks. The
following mitigations are currently available for NDP attacks: following mitigations are currently available for NDP attacks:
o Layer-2 filtering of Neighbor Discovery packets (such as RA-Guard o Layer-2 filtering of Neighbor Discovery packets (such as RA-Guard
[RFC6105]) [RFC6105])
o Neighbor Discovery monitoring tools (e.g., such as NDPMon o Neighbor Discovery monitoring tools (e.g., such as NDPMon
[NDPMon]) [NDPMon], ramond [ramond], and rafixd [rafixd])
o Intrusion Prevention Systems (IPS) o Intrusion Prevention Systems (IPS)
IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique
for attack vectors based on ICMPv6 Router Advertisement messages. It for attack vectors based on ICMPv6 Router Advertisement messages. It
is meant to block attack packets at a layer-2 device before the is meant to block attack packets at a layer-2 device before the
attack packets actually reach the target nodes. [RFC6104] describes attack packets actually reach the target nodes. [RFC6104] describes
the problem statement of "Rogue IPv6 Router Advertisements", and the problem statement of "Rogue IPv6 Router Advertisements", and
[RFC6105] specifies the "IPv6 Router Advertisement Guard" [RFC6105] specifies the "IPv6 Router Advertisement Guard"
functionality. functionality.
Tools such as NDPMon [NDPMon] and ramond [ramond] aim at monitoring Tools such as NDPMon [NDPMon] and ramond [ramond] aim at monitoring
Neighbor Discovery traffic in the hopes of detecting possible attacks Neighbor Discovery traffic in the hopes of detecting possible attacks
when there are discrepancies between the information advertised in when there are discrepancies between the information advertised in
Neighbor Discovery packets and the information stored on a local Neighbor Discovery packets and the information stored on a local
database. database. rafixd [rafixd] goes one step further, and tries to
mitigate some Neighbor Discovery attacks by sending "correcting"
Router Advertisement messages in response to incorrect/malicious
Router Advertisement messages.
Some Intrusion Prevention Systems (IPS) can mitigate Neighbor Some Intrusion Prevention Systems (IPS) can mitigate Neighbor
Discovery attacks. We recommend that Intrusion Prevention Systems Discovery attacks. We recommend that Intrusion Prevention Systems
(IPS) implement mitigations for NDP attacks. (IPS) implement mitigations for NDP attacks.
A key challenge that these mitigation or monitoring techniques face A key challenge that these mitigation or monitoring techniques face
is that introduced by IPv6 fragmentation, since it is trivial for an is that introduced by IPv6 fragmentation, since it is trivial for an
attacker to conceal his attack by fragmenting his packets into attacker to conceal his attack by fragmenting his packets into
multiple fragments. This may limit or even eliminate the multiple fragments. This may limit or even eliminate the
effectiveness of the aforementioned mitigation or monitoring effectiveness of the aforementioned mitigation or monitoring
skipping to change at page 9, line 20 skipping to change at page 9, line 20
relevant specifications such that the IPv6 Fragment Header is not relevant specifications such that the IPv6 Fragment Header is not
allowed in any Neighbor Discovery messages except "Certification Path allowed in any Neighbor Discovery messages except "Certification Path
Advertisement", protection of local nodes against Neighbor Discovery Advertisement", protection of local nodes against Neighbor Discovery
attacks, and monitoring of Neighbor Discovery traffic is greatly attacks, and monitoring of Neighbor Discovery traffic is greatly
simplified. simplified.
[I-D.ietf-v6ops-ra-guard-implementation] discusses an improvement to [I-D.ietf-v6ops-ra-guard-implementation] discusses an improvement to
the RA-Guard mechanism that can mitigate Neighbor Discovery attacks the RA-Guard mechanism that can mitigate Neighbor Discovery attacks
that employ IPv6 Fragmentation. However, it should be noted that that employ IPv6 Fragmentation. However, it should be noted that
unless [RFC4861] is updated (as proposed in this document), Neighbor unless [RFC4861] is updated (as proposed in this document), Neighbor
Discovery monitoring tools (such as NDPMon [NDPMon]) would remain Discovery monitoring tools (such as NDPMon [NDPMon], ramond [ramond],
unreliable and trivial to circumvent by a skilled attacker. and rafixd [rafixd]) would remain unreliable and trivial to
circumvent by a skilled attacker.
As noted in Section 3, use of SEND could potentially result in As noted in Section 3, use of SEND could potentially result in
fragmented "Certification Path Advertisement" messages, thus allowing fragmented "Certification Path Advertisement" messages, thus allowing
an attacker to employ IPv6 fragmentation-based attacks against such an attacker to employ IPv6 fragmentation-based attacks against such
messages. Therefore, to the extent that is possible, such use of messages. Therefore, to the extent that is possible, such use of
fragmentation should be avoided. fragmentation should be avoided.
7. Acknowledgements 7. Acknowledgements
The author would like to thank (in alphabetical order) Mikael The author would like to thank (in alphabetical order) Mikael
Abrahamsson, Ran Atkinson, Ron Bonica, Jean-Michel Combes, David Abrahamsson, Ran Atkinson, Ron Bonica, Jean-Michel Combes, David
Farmer, Roque Gagliano, Bob Hinden, Philip Homburg, Ray Hunter, Farmer, Roque Gagliano, Bran Haberman, Bob Hinden, Philip Homburg,
Arturo Servin, and Mark Smith, for providing valuable comments on Ray Hunter, Arturo Servin, and Mark Smith, for providing valuable
earlier versions of this document. comments on earlier versions of this document.
This document resulted from the project "Security Assessment of the This document resulted from the project "Security Assessment of the
Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by
Fernando Gont on behalf of the UK Centre for the Protection of Fernando Gont on behalf of the UK Centre for the Protection of
National Infrastructure (CPNI). The author would like to thank the National Infrastructure (CPNI). The author would like to thank the
UK CPNI, for their continued support. UK CPNI, for their continued support.
8. References 8. References
8.1. Normative References 8.1. Normative References
skipping to change at page 11, line 19 skipping to change at page 11, line 19
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
Neighbor Discovery (SEND)", RFC 3971, March 2005. Neighbor Discovery (SEND)", RFC 3971, March 2005.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007. September 2007.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, September 2007.
8.2. Informative References 8.2. Informative References
[RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor
Discovery (ND) Trust Models and Threats", RFC 3756, Discovery (ND) Trust Models and Threats", RFC 3756,
May 2004. May 2004.
[RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
Problem Statement", RFC 6104, February 2011. Problem Statement", RFC 6104, February 2011.
[RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
February 2011. February 2011.
[NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor", [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor",
<http://ndpmon.sourceforge.net/>. <http://ndpmon.sourceforge.net/>.
[ramond] "ramond", <http://ramond.sourceforge.net/>. [ramond] "ramond", <http://ramond.sourceforge.net/>.
[rafixd] "rafixd", <http://www.kame.net/dev/cvsweb2.cgi/kame/kame/
kame/rafixd/>.
[I-D.ietf-v6ops-ra-guard-implementation] [I-D.ietf-v6ops-ra-guard-implementation]
Gont, F., "Implementation Advice for IPv6 Router Gont, F., "Implementation Advice for IPv6 Router
Advertisement Guard (RA-Guard)", Advertisement Guard (RA-Guard)",
draft-ietf-v6ops-ra-guard-implementation-07 (work in draft-ietf-v6ops-ra-guard-implementation-07 (work in
progress), November 2012. progress), November 2012.
[CPNI-IPv6] [CPNI-IPv6]
Gont, F., "Security Assessment of the Internet Protocol Gont, F., "Security Assessment of the Internet Protocol
version 6 (IPv6)", UK Centre for the Protection of version 6 (IPv6)", UK Centre for the Protection of
National Infrastructure, (available on request). National Infrastructure, (available on request).
 End of changes. 13 change blocks. 
24 lines changed or deleted 27 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/