| draft-ietf-6man-nd-extension-headers-01.txt | draft-ietf-6man-nd-extension-headers-02.txt | |||
|---|---|---|---|---|
| IPv6 maintenance Working Group (6man) F. Gont | IPv6 maintenance Working Group (6man) F. Gont | |||
| Internet-Draft SI6 Networks / UTN-FRH | Internet-Draft SI6 Networks / UTN-FRH | |||
| Updates: 3971, 4861 (if approved) November 5, 2012 | Updates: 3971, 4861 (if approved) December 10, 2012 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: May 9, 2013 | Expires: June 13, 2013 | |||
| Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery | Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery | |||
| draft-ietf-6man-nd-extension-headers-01 | draft-ietf-6man-nd-extension-headers-02 | |||
| Abstract | Abstract | |||
| This document analyzes the security implications of using IPv6 | This document analyzes the security implications of using IPv6 | |||
| Extension Headers with Neighbor Discovery (ND) messages. It updates | Extension Headers with Neighbor Discovery (ND) messages. It updates | |||
| RFC 4861 such that use of the IPv6 Fragmentation Header is forbidden | RFC 4861 such that use of the IPv6 Fragmentation Header is forbidden | |||
| in all Neighbor Discovery messages, thus allowing for simple and | in all Neighbor Discovery messages, thus allowing for simple and | |||
| effective counter-measures for Neighbor Discovery attacks. Finally, | effective counter-measures for Neighbor Discovery attacks. Finally, | |||
| it discusses the security implications of using IPv6 fragmentation | it discusses the security implications of using IPv6 fragmentation | |||
| with SEcure Neighbor Discovery (SEND), and formally updates RFC 3971 | with SEcure Neighbor Discovery (SEND), and formally updates RFC 3971 | |||
| skipping to change at page 1, line 39 | skipping to change at page 1, line 39 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 9, 2013. | This Internet-Draft will expire on June 13, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2012 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 16 | skipping to change at page 2, line 16 | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Traditional Neighbor Discovery and IPv6 Fragmentation . . . . 5 | 2. Traditional Neighbor Discovery and IPv6 Fragmentation . . . . 5 | |||
| 3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation . . . 6 | 3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation . . . 6 | |||
| 4. Specification . . . . . . . . . . . . . . . . . . . . . . . . 7 | 4. Specification . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13 | ||||
| 1. Introduction | 1. Introduction | |||
| The Neighbor Discovery Protocol (NDP) is specified in RFC 4861 | The Neighbor Discovery Protocol (NDP) is specified in RFC 4861 | |||
| [RFC4861] and RFC 4862 [RFC4862]. It is used by both hosts and | [RFC4861] and RFC 4862 [RFC4862]. It is used by both hosts and | |||
| routers. Its functions include Neighbor Discovery (ND), Router | routers. Its functions include Neighbor Discovery (ND), Router | |||
| Discovery (RD), Address Autoconfiguration, Address Resolution, | Discovery (RD), Address Autoconfiguration, Address Resolution, | |||
| Neighbor Unreachability Detection (NUD), Duplicate Address Detection | Neighbor Unreachability Detection (NUD), Duplicate Address Detection | |||
| (DAD), and Redirection. | (DAD), and Redirection. | |||
| skipping to change at page 8, line 5 | skipping to change at page 8, line 5 | |||
| o Certification Path Solicitation | o Certification Path Solicitation | |||
| Nodes SHOULD normally process the following messages when the packets | Nodes SHOULD normally process the following messages when the packets | |||
| carrying them include an IPv6 Fragmentation Header: | carrying them include an IPv6 Fragmentation Header: | |||
| o Certification Path Advertisement | o Certification Path Advertisement | |||
| SEND nodes SHOULD NOT employ keys that would result in fragmented CPA | SEND nodes SHOULD NOT employ keys that would result in fragmented CPA | |||
| messages. | messages. | |||
| 5. Security Considerations | 5. IANA Considerations | |||
| There are no IANA registries within this document. The RFC-Editor | ||||
| can remove this section before publication of this document as an | ||||
| RFC. | ||||
| 6. Security Considerations | ||||
| The IPv6 Fragmentation Header can be leveraged to circumvent network | The IPv6 Fragmentation Header can be leveraged to circumvent network | |||
| monitoring tools and current implementations of mechanisms such as | monitoring tools and current implementations of mechanisms such as | |||
| RA-Guard [I-D.ietf-v6ops-ra-guard-implementation]. By updating the | RA-Guard [I-D.ietf-v6ops-ra-guard-implementation]. By updating the | |||
| relevant specifications such that the IPv6 Fragment Header is not | relevant specifications such that the IPv6 Fragment Header is not | |||
| allowed in any Neighbor Discovery messages except "Certification Path | allowed in any Neighbor Discovery messages except "Certification Path | |||
| Advertisement", protection of local nodes against Neighbor Discovery | Advertisement", protection of local nodes against Neighbor Discovery | |||
| attacks, and monitoring of Neighbor Discovery traffic is greatly | attacks, and monitoring of Neighbor Discovery traffic is greatly | |||
| simplified. | simplified. | |||
| skipping to change at page 9, line 5 | skipping to change at page 10, line 5 | |||
| unless [RFC4861] is updated (as proposed in this document), Neighbor | unless [RFC4861] is updated (as proposed in this document), Neighbor | |||
| Discovery monitoring tools (such as NDPMon [NDPMon]) would remain | Discovery monitoring tools (such as NDPMon [NDPMon]) would remain | |||
| unreliable and trivial to circumvent by a skilled attacker. | unreliable and trivial to circumvent by a skilled attacker. | |||
| As noted in Section 3, use of SEND could potentially result in | As noted in Section 3, use of SEND could potentially result in | |||
| fragmented "Certification Path Advertisement" messages, thus allowing | fragmented "Certification Path Advertisement" messages, thus allowing | |||
| an attacker to employ IPv6 fragmentation-based attacks against such | an attacker to employ IPv6 fragmentation-based attacks against such | |||
| messages. Therefore, to the extent that is possible, such use of | messages. Therefore, to the extent that is possible, such use of | |||
| fragmentation should be avoided. | fragmentation should be avoided. | |||
| 6. Acknowledgements | 7. Acknowledgements | |||
| The author would like to thank (in alphabetical order) Mikael | The author would like to thank (in alphabetical order) Mikael | |||
| Abrahamsson, Ran Atkinson, Ron Bonica, Jean-Michel Combes, David | Abrahamsson, Ran Atkinson, Ron Bonica, Jean-Michel Combes, David | |||
| Farmer, Roque Gagliano, Bob Hinden, Philip Homburg, Ray Hunter, | Farmer, Roque Gagliano, Bob Hinden, Philip Homburg, Ray Hunter, | |||
| Arturo Servin, and Mark Smith, for providing valuable comments on | Arturo Servin, and Mark Smith, for providing valuable comments on | |||
| earlier versions of this document. | earlier versions of this document. | |||
| This document resulted from the project "Security Assessment of the | This document resulted from the project "Security Assessment of the | |||
| Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by | Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by | |||
| Fernando Gont on behalf of the UK Centre for the Protection of | Fernando Gont on behalf of the UK Centre for the Protection of | |||
| National Infrastructure (CPNI). The author would like to thank the | National Infrastructure (CPNI). The author would like to thank the | |||
| UK CPNI, for their continued support. | UK CPNI, for their continued support. | |||
| 7. References | 8. References | |||
| 7.1. Normative References | 8.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure | [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure | |||
| Neighbor Discovery (SEND)", RFC 3971, March 2005. | Neighbor Discovery (SEND)", RFC 3971, March 2005. | |||
| [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | |||
| "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | |||
| September 2007. | September 2007. | |||
| [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless | [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless | |||
| Address Autoconfiguration", RFC 4862, September 2007. | Address Autoconfiguration", RFC 4862, September 2007. | |||
| 7.2. Informative References | 8.2. Informative References | |||
| [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor | [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor | |||
| Discovery (ND) Trust Models and Threats", RFC 3756, | Discovery (ND) Trust Models and Threats", RFC 3756, | |||
| May 2004. | May 2004. | |||
| [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement | [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement | |||
| Problem Statement", RFC 6104, February 2011. | Problem Statement", RFC 6104, February 2011. | |||
| [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. | [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. | |||
| Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, | Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, | |||
| February 2011. | February 2011. | |||
| [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor", | [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor", | |||
| <http://ndpmon.sourceforge.net/>. | <http://ndpmon.sourceforge.net/>. | |||
| [ramond] "ramond", <http://ramond.sourceforge.net/>. | [ramond] "ramond", <http://ramond.sourceforge.net/>. | |||
| [I-D.ietf-v6ops-ra-guard-implementation] | [I-D.ietf-v6ops-ra-guard-implementation] | |||
| Gont, F., "Implementation Advice for IPv6 Router | Gont, F., "Implementation Advice for IPv6 Router | |||
| Advertisement Guard (RA-Guard)", | Advertisement Guard (RA-Guard)", | |||
| draft-ietf-v6ops-ra-guard-implementation-05 (work in | draft-ietf-v6ops-ra-guard-implementation-07 (work in | |||
| progress), October 2012. | progress), November 2012. | |||
| [CPNI-IPv6] | [CPNI-IPv6] | |||
| Gont, F., "Security Assessment of the Internet Protocol | Gont, F., "Security Assessment of the Internet Protocol | |||
| version 6 (IPv6)", UK Centre for the Protection of | version 6 (IPv6)", UK Centre for the Protection of | |||
| National Infrastructure, (available on request). | National Infrastructure, (available on request). | |||
| [Gont-DEEPSEC2011] | [Gont-DEEPSEC2011] | |||
| Gont, "Results of a Security Assessment of the Internet | Gont, "Results of a Security Assessment of the Internet | |||
| Protocol version 6 (IPv6)", DEEPSEC 2011 Conference, | Protocol version 6 (IPv6)", DEEPSEC 2011 Conference, | |||
| Vienna, Austria, November 2011, <http:// | Vienna, Austria, November 2011, <http:// | |||
| End of changes. 11 change blocks. | ||||
| 17 lines changed or deleted | 24 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||