| draft-ietf-v6ops-ra-guard-implementation-01.txt | draft-ietf-v6ops-ra-guard-implementation-02.txt | |||
|---|---|---|---|---|
| IPv6 Operations Working Group (v6ops) F. Gont | IPv6 Operations Working Group (v6ops) F. Gont | |||
| Internet-Draft UK CPNI | Internet-Draft UK CPNI | |||
| Intended status: BCP March 3, 2012 | Intended status: BCP March 8, 2012 | |||
| Expires: September 4, 2012 | Expires: September 9, 2012 | |||
| Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard) | Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard) | |||
| draft-ietf-v6ops-ra-guard-implementation-01 | draft-ietf-v6ops-ra-guard-implementation-02 | |||
| Abstract | Abstract | |||
| The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly | The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly | |||
| employed to mitigate attack vectors based on forged ICMPv6 Router | employed to mitigate attack vectors based on forged ICMPv6 Router | |||
| Advertisement messages. Many existing IPv6 deployments rely on RA- | Advertisement messages. Many existing IPv6 deployments rely on RA- | |||
| Guard as the first line of defense against the aforementioned attack | Guard as the first line of defense against the aforementioned attack | |||
| vectors. However, some implementations of RA-Guard have been found | vectors. However, some implementations of RA-Guard have been found | |||
| to be prone to circumvention by employing IPv6 Extension Headers. | to be prone to circumvention by employing IPv6 Extension Headers. | |||
| This document describes the evasion techniques that affect the | This document describes the evasion techniques that affect the | |||
| skipping to change at page 1, line 39 | skipping to change at page 1, line 39 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 4, 2012. | This Internet-Draft will expire on September 9, 2012. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 8, line 23 | skipping to change at page 8, line 23 | |||
| follow the IPv6 header chain, enforcing a limit on the maximum | follow the IPv6 header chain, enforcing a limit on the maximum | |||
| number of Extension Headers that is allowed for each packet. If | number of Extension Headers that is allowed for each packet. If | |||
| such limit is hit before the upper-layer protocol is identified, | such limit is hit before the upper-layer protocol is identified, | |||
| silently drop the packet. | silently drop the packet. | |||
| 2. If the packet is identified to be an ICMPv6 Router Advertisement | 2. If the packet is identified to be an ICMPv6 Router Advertisement | |||
| message, silently drop the packet. | message, silently drop the packet. | |||
| 3. If the layer-2 device is unable to identify whether the packet is | 3. If the layer-2 device is unable to identify whether the packet is | |||
| an ICMPv6 Router Advertisement message or not (i.e., the packet | an ICMPv6 Router Advertisement message or not (i.e., the packet | |||
| is a fragment, and the necessary information is missing), the | is a first-fragment, and the necessary information is missing), | |||
| IPv6 Source Address of the packet is a link-local address or the | the IPv6 Source Address of the packet is a link-local address or | |||
| unspecified address (::), and the Hop Limit is 255, silently drop | the unspecified address (::), and the Hop Limit is 255, silently | |||
| the packet. | drop the packet. | |||
| Note: This rule should only be applied to non-fragmented IPv6 | ||||
| datagrams and IPv6 fragments with a Fragment Offset of 0 (non- | ||||
| first fragments can be safely passed, since they will never | ||||
| reassemble into a complete datagram if they are part of a | ||||
| Router Advertisement received on a port where such packets are | ||||
| not allowed). | ||||
| 4. In all other cases, pass the packet as usual. | 4. In all other cases, pass the packet as usual. | |||
| Note: For the purpose of enforcing the RA-Guard filtering policy, | Note: For the purpose of enforcing the RA-Guard filtering policy, | |||
| an ESP header [RFC4303] should be considered to be an "upper-layer | an ESP header [RFC4303] should be considered to be an "upper-layer | |||
| protocol" (that is, it should be considered the last header in the | protocol" (that is, it should be considered the last header in the | |||
| IPv6 header chain). This means that packets employing ESP would | IPv6 header chain). This means that packets employing ESP would | |||
| be passed by the RA-Guard device to the intended destination. If | be passed by the RA-Guard device to the intended destination. If | |||
| the destination host does not have a security association with the | the destination host does not have a security association with the | |||
| sender of the aforementioned IPv6 packet, the packet would be | sender of the aforementioned IPv6 packet, the packet would be | |||
| skipping to change at page 11, line 8 | skipping to change at page 11, line 8 | |||
| A similar concept to that of "RA-Guard" has been implemented for | A similar concept to that of "RA-Guard" has been implemented for | |||
| protecting against forged DHCPv6 messages. Such protection can be | protecting against forged DHCPv6 messages. Such protection can be | |||
| circumvented with the same techniques discussed in this document, and | circumvented with the same techniques discussed in this document, and | |||
| the counter-measures for such evasion attack are analogous to those | the counter-measures for such evasion attack are analogous to those | |||
| described in Section 3 of this document. | described in Section 3 of this document. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| This document describes a number of techniques that have been found | This document describes a number of techniques that have been found | |||
| to be effective to circumvent popular RA-Guard implementations. | to be effective to circumvent popular RA-Guard implementations, and | |||
| provides advice to RA-Guard implementations such that those evasion | ||||
| vulnerabilities are eliminated. | ||||
| The most effective and efficient mitigation for these attacks would | We note that if an attacker sends a fragmented Router Advertisement | |||
| be to prohibit the use of some IPv6 extension headers with Router | message on a port not allowed to send such packets, the first- | |||
| Advertisement messages (as proposed by | fragment would be dropped, and the rest of the fragments would be | |||
| passed. This means that the victim node would tie memory buffers for | ||||
| the aforementioned fragments, which would never reassemble into a | ||||
| complete datagram. If a large number of such packets were sent by an | ||||
| attacker, and the victim node failed to implement proper resource | ||||
| management for the fragment reassembly buffer, this could lead to a | ||||
| Denial of Service (DoS). However, this does not really introduce a | ||||
| new attack vector, since an attacker could always perform the same | ||||
| attack by sending forged fragmented datagram in which at least one of | ||||
| the fragments is missing. [CPNI-IPv6] discusses some resource | ||||
| management strategies that could be implemented for the fragment | ||||
| reassembly buffer. | ||||
| Finally, we note that most effective and efficient mitigation for | ||||
| these attacks would be to prohibit the use of IPv6 fragmentation with | ||||
| Router Advertisement messages (as proposed by | ||||
| [I-D.gont-6man-nd-extension-headers]), such that the RA-Guard | [I-D.gont-6man-nd-extension-headers]), such that the RA-Guard | |||
| functionality is easier to implement. However, since such mitigation | functionality is easier to implement. However, since such mitigation | |||
| would require an update to existing implementations, it cannot be | would require an update to existing implementations, it cannot be | |||
| relied upon in the short or near term. | relied upon in the short or near term. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| The author would like to thank Ran Atkinson, Karl Auer, Robert | The author would like to thank Ran Atkinson, Karl Auer, Robert | |||
| Downie, David Farmer, Marc Heuse, Ray Hunter, Simon Perreault, Arturo | Downie, Washam Fan, David Farmer, Marc Heuse, Ray Hunter, Simon | |||
| Servin, and Gunter van de Velde, for providing valuable comments on | Perreault, Arturo Servin, and Gunter van de Velde, for providing | |||
| earlier versions of this document. | valuable comments on earlier versions of this document. | |||
| The author would like to thank Arturo Servin, who presented this work | The author would like to thank Arturo Servin, who presented this | |||
| at IETF 81. | document at IETF 81. | |||
| This document resulted from the project "Security Assessment of the | This document resulted from the project "Security Assessment of the | |||
| Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by | Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by | |||
| Fernando Gont on behalf of the UK Centre for the Protection of | Fernando Gont on behalf of the UK Centre for the Protection of | |||
| National Infrastructure (CPNI). The author would like to thank the | National Infrastructure (CPNI). The author would like to thank the | |||
| UK CPNI, for their continued support. | UK CPNI, for their continued support. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| End of changes. 8 change blocks. | ||||
| 17 lines changed or deleted | 41 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||