--- 1/draft-ietf-6man-nd-extension-headers-03.txt 2013-04-11 13:22:16.009111262 +0100
+++ 2/draft-ietf-6man-nd-extension-headers-04.txt 2013-04-11 13:22:16.033111844 +0100
@@ -1,19 +1,19 @@
IPv6 maintenance Working Group (6man) F. Gont
Internet-Draft SI6 Networks / UTN-FRH
-Updates: 3971, 4861 (if approved) January 14, 2013
+Updates: 3971, 4861 (if approved) March 22, 2013
Intended status: Standards Track
-Expires: July 18, 2013
+Expires: September 23, 2013
Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery
- draft-ietf-6man-nd-extension-headers-03
+ draft-ietf-6man-nd-extension-headers-04
Abstract
This document analyzes the security implications of employing IPv6
fragmentation with Neighbor Discovery (ND) messages. It updates RFC
4861 such that use of the IPv6 Fragmentation Header is forbidden in
all Neighbor Discovery messages, thus allowing for simple and
effective counter-measures for Neighbor Discovery attacks. Finally,
it discusses the security implications of using IPv6 fragmentation
with SEcure Neighbor Discovery (SEND), and formally updates RFC 3971
@@ -28,21 +28,21 @@
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on July 18, 2013.
+ This Internet-Draft will expire on September 23, 2013.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
@@ -50,28 +50,31 @@
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Traditional Neighbor Discovery and IPv6 Fragmentation . . . . 5
3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation . . . 6
- 4. Specification . . . . . . . . . . . . . . . . . . . . . . . . 7
- 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
- 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
- 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
- 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
- 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11
- 8.2. Informative References . . . . . . . . . . . . . . . . . . 11
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 4. Rationale for Forbidding IPv6 Fragmentation in Neighbor
+ Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 5. Specification . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 6. Operational Advice . . . . . . . . . . . . . . . . . . . . . . 9
+ 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
+ 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 10.1. Normative References . . . . . . . . . . . . . . . . . . 13
+ 10.2. Informative References . . . . . . . . . . . . . . . . . 13
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction
The Neighbor Discovery Protocol (NDP) is specified in RFC 4861
[RFC4861]. It is used by both hosts and routers. Its functions
include Neighbor Discovery (ND), Router Discovery (RD), Address
Autoconfiguration, Address Resolution, Neighbor Unreachability
Detection (NUD), Duplicate Address Detection (DAD), and Redirection.
Many of the possible attacks against the Neighbor Discovery Protocol
@@ -86,40 +89,37 @@
the unavailability of SEND implementations for many widely-deployed
operating systems, make SEND hard to deploy [Gont-DEEPSEC2011].
Thus, in many general scenarios it may be necessary and/or convenient
to use other mitigation techniques for NDP-based attacks. The
following mitigations are currently available for NDP attacks:
o Layer-2 filtering of Neighbor Discovery packets (such as RA-Guard
[RFC6105])
o Neighbor Discovery monitoring tools (e.g., such as NDPMon
- [NDPMon], ramond [ramond], and rafixd [rafixd])
+ [NDPMon], ramond [ramond])
o Intrusion Prevention Systems (IPS)
IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique
for attack vectors based on ICMPv6 Router Advertisement messages. It
is meant to block attack packets at a layer-2 device before the
attack packets actually reach the target nodes. [RFC6104] describes
the problem statement of "Rogue IPv6 Router Advertisements", and
[RFC6105] specifies the "IPv6 Router Advertisement Guard"
functionality.
Tools such as NDPMon [NDPMon] and ramond [ramond] aim at monitoring
Neighbor Discovery traffic in the hopes of detecting possible attacks
when there are discrepancies between the information advertised in
Neighbor Discovery packets and the information stored on a local
- database. rafixd [rafixd] goes one step further, and tries to
- mitigate some Neighbor Discovery attacks by sending "correcting"
- Router Advertisement messages in response to incorrect/malicious
- Router Advertisement messages.
+ database.
Some Intrusion Prevention Systems (IPS) can mitigate Neighbor
Discovery attacks. We recommend that Intrusion Prevention Systems
(IPS) implement mitigations for NDP attacks.
A key challenge that these mitigation or monitoring techniques face
is that introduced by IPv6 fragmentation, since it is trivial for an
attacker to conceal his attack by fragmenting his packets into
multiple fragments. This may limit or even eliminate the
effectiveness of the aforementioned mitigation or monitoring
@@ -131,24 +131,28 @@
packets into multiple fragments, such that the layer-2 device cannot
find all the necessary information to perform packet filtering in the
same packet. While Neighbor Discovery monitoring tools could (in
theory implement IPv6 fragment reassembly, this is usually an arms-
race with the attacker (an attacker generate lots of forged fragments
to "confuse" the monitoring tools), and therefore the aforementioned
tools are unreliable for the detection of such attacks.
Section 2 analyzes the use of IPv6 fragmentation in traditional
Neighbor discovery. Section 3 analyzes the use of IPv6 fragmentation
- in SEcure Neighbor Discovery (SEND). Section 4 formally updates RFC
- 4861 such that use of the IPv6 Fragment Header with traditional
- Neighbor Discovery is forbidden, and also formally updates RFC 3971
- providing advice on the use of IPv6 fragmentation with SEND.
+ in SEcure Neighbor Discovery (SEND). Section 4 provides the
+ rationale for forbidding the use of IPv6 fragmentation with Neighbor
+ Discovery. Section 5 formally updates RFC 4861 such that use of the
+ IPv6 Fragment Header with traditional Neighbor Discovery is
+ forbidden, and also formally updates RFC 3971 providing advice on the
+ use of IPv6 fragmentation with SEND. Section 6 provides operational
+ advice about interoperability problems arising from the use of IPv6
+ fragmentation with Neighbor Discovery.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Traditional Neighbor Discovery and IPv6 Fragmentation
The only potential use case for IPv6 fragmentation with traditional
(i.e., non-SEND) IPv6 Neighbor Discovery would be that in which a
Router Advertisement must include a large number of options (Prefix
@@ -157,64 +161,86 @@
the aforementioned information into multiple Router Advertisement
messages.
Some Neighbor Discovery implementations are known to silently
ignore Router Advertisement messages that employ fragmentation.
Therefore, splitting the necessary information into multiple RA
messages (rather than sending a large RA message that is
fragmented into multiple IPv6 fragments) is probably desirable
even from an interoperability point of view.
- As a result of the aforementioned considerations, and since avoiding
- the use of IPv6 fragmentation in traditional Neighbor Discovery would
- greatly simplify and improve the effectiveness of monitoring and
- filtering ND, Section 4 specifies that hosts silently ignore
- traditional Neighbor Discovery messages (i.e., those specified in
- [RFC4861]) that employ IPv6 fragmentation.
+ Thus, avoiding the use of IPv6 fragmentation in traditional Neighbor
+ Discovery would greatly simplify and improve the effectiveness of
+ monitoring and filtering Neighbor Discovery traffic, and would also
+ prevent interoperability problems with those implementations that do
+ not support fragmentation in Neighbor Discovery messages.
3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation
SEND packets typically carry more information than traditional
Neighbor Discovery packets: for example, they include additional
options such as the CGA option and the RSA signature option.
When SEND nodes employ any of the Neighbor Discovery messages
specified in [RFC4861], the situation is roughly the same: if more
information than would fit in a non-fragmented Neighbor Discovery
packet needs to be sent, it should be split into multiple Neighbor
Discovery messages (such that IPv6 fragmentation is avoided).
However, Certification Path Advertisement messages (specified in
[RFC3971]) pose a different situation, since the Certificate Option
they include typically contains much more information than any other
Neighbor Discovery option. For example, Appendix C of [RFC3971]
reports Certification Path Advertisement messages from 1050 to 1066
bytes on an Ethernet link layer. Since the size of CPA messages
- could potentially exceed the MTU of the local link, Section 4
+ could potentially exceed the MTU of the local link, Section 5
recommends that fragmented CPA messages be normally processed, but
discourages the use of keys that would result in fragmented CPA
messages.
It should be noted that relying on fragmentation opens the door to a
variety of IPv6 fragmentation-based attacks. In particular, if an
attacker is located on the same broadcast domain as the victim host,
and Certification Path Advertisement messages employ IPv6
fragmentation, it would be trivial for the attacker to forge IPv6
fragments such that they result in "Fragment ID collisions", causing
both the attack fragments and the legitimate fragments to be
discarded by the victim node. This would eventually cause the
Authorization Delegation Discovery to fail, thus leading the host to
fall back (depending on local configuration) either to unsecured
mode, or to reject the corresponding Router Advertisement messages
(possibly resulting in a Denial of Service).
-4. Specification
+4. Rationale for Forbidding IPv6 Fragmentation in Neighbor Discovery
+
+ A number of considerations should be made regarding the use of IPv6
+ fragmentation with Neighbor Discovery:
+
+ o A significant number of existing implementations already silently
+ drop fragmented ND messages, so the use of IPv6 fragmentation may
+ hamper interoperability among IPv6 implementations.
+
+ o Although it is possible to build an ND message that needs to be
+ fragmented, such packets are unlikely to exist in the real world
+ because of the large number of options that would be required for
+ the resulting packet to exceed the minimum IPv6 MTU of 1280
+ octets.
+
+ o If an ND message was so large as to need fragmentation, there is
+ an option to distribute the same information amongst more than one
+ message, each of which is small enough to not need fragmentation.
+
+ Thus, forbidding the use of IPv6 fragmentation with Neighbor
+ Discovery normalizes existing behavior and sets the expectations of
+ all implementations to the existing lowest common denominator.
+
+5. Specification
Nodes MUST NOT employ IPv6 fragmentation for sending any of the
following Neighbor Discovery and SEcure Neighbor Discovery messages:
o Neighbor Solicitation
o Neighbor Advertisement
o Router Solicitation
@@ -246,100 +272,112 @@
o Certification Path Solicitation
Nodes SHOULD normally process the following messages when the packets
carrying them include an IPv6 Fragmentation Header:
o Certification Path Advertisement
SEND nodes SHOULD NOT employ keys that would result in fragmented CPA
messages.
-5. IANA Considerations
+6. Operational Advice
+
+ An operator detecting that Neighbor Discovery traffic is being
+ silently dropped should find whether the corresponding Neighbor
+ Discovery are employing IPv6 fragmentation. If they are, it is
+ likely that the devices receiving such packets are silently dropping
+ them merely because they employ IPv6 fragmentation. In such case, an
+ operator should check whether the sending device has an option to
+ prevent fragmentation of ND messages, and/or see whether it is
+ possible to reduce the options carried on such messages. We note
+ that solving this (unlikely) problem might need a software upgrade to
+ a version that does not employ IPv6 fragmentation with Neighbor
+ Discovery.
+
+7. IANA Considerations
There are no IANA registries within this document. The RFC-Editor
can remove this section before publication of this document as an
RFC.
-6. Security Considerations
+8. Security Considerations
The IPv6 Fragmentation Header can be leveraged to circumvent network
monitoring tools and current implementations of mechanisms such as
RA-Guard [I-D.ietf-v6ops-ra-guard-implementation]. By updating the
relevant specifications such that the IPv6 Fragment Header is not
allowed in any Neighbor Discovery messages except "Certification Path
Advertisement", protection of local nodes against Neighbor Discovery
attacks, and monitoring of Neighbor Discovery traffic is greatly
simplified.
[I-D.ietf-v6ops-ra-guard-implementation] discusses an improvement to
the RA-Guard mechanism that can mitigate Neighbor Discovery attacks
that employ IPv6 Fragmentation. However, it should be noted that
unless [RFC4861] is updated (as proposed in this document), Neighbor
- Discovery monitoring tools (such as NDPMon [NDPMon], ramond [ramond],
- and rafixd [rafixd]) would remain unreliable and trivial to
- circumvent by a skilled attacker.
+ Discovery monitoring tools (such as NDPMon [NDPMon], and ramond
+ [ramond]) would remain unreliable and trivial to circumvent by a
+ skilled attacker.
As noted in Section 3, use of SEND could potentially result in
fragmented "Certification Path Advertisement" messages, thus allowing
an attacker to employ IPv6 fragmentation-based attacks against such
messages. Therefore, to the extent that is possible, such use of
fragmentation should be avoided.
-7. Acknowledgements
+9. Acknowledgements
The author would like to thank (in alphabetical order) Mikael
Abrahamsson, Ran Atkinson, Ron Bonica, Jean-Michel Combes, David
- Farmer, Roque Gagliano, Bran Haberman, Bob Hinden, Philip Homburg,
- Ray Hunter, Arturo Servin, and Mark Smith, for providing valuable
- comments on earlier versions of this document.
+ Farmer, Adrian Farrel, Stephen Farrell, Roque Gagliano, Brian
+ Haberman, Bob Hinden, Philip Homburg, Ray Hunter, Arturo Servin, Mark
+ Smith, and Martin Stiemerling, for providing valuable comments on
+ earlier versions of this document.
This document resulted from the project "Security Assessment of the
Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by
Fernando Gont on behalf of the UK Centre for the Protection of
National Infrastructure (CPNI). The author would like to thank the
UK CPNI, for their continued support.
-8. References
+10. References
-8.1. Normative References
+10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
Neighbor Discovery (SEND)", RFC 3971, March 2005.
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007.
-8.2. Informative References
+10.2. Informative References
[RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor
Discovery (ND) Trust Models and Threats", RFC 3756,
May 2004.
[RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
Problem Statement", RFC 6104, February 2011.
[RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
February 2011.
[NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor",
.
[ramond] "ramond", .
- [rafixd] "rafixd", .
-
[I-D.ietf-v6ops-ra-guard-implementation]
Gont, F., "Implementation Advice for IPv6 Router
Advertisement Guard (RA-Guard)",
draft-ietf-v6ops-ra-guard-implementation-07 (work in
progress), November 2012.
[CPNI-IPv6]
Gont, F., "Security Assessment of the Internet Protocol
version 6 (IPv6)", UK Centre for the Protection of
National Infrastructure, (available on request).