| draft-ietf-6man-nd-extension-headers-02.txt | draft-ietf-6man-nd-extension-headers-03.txt | |||
|---|---|---|---|---|
| IPv6 maintenance Working Group (6man) F. Gont | IPv6 maintenance Working Group (6man) F. Gont | |||
| Internet-Draft SI6 Networks / UTN-FRH | Internet-Draft SI6 Networks / UTN-FRH | |||
| Updates: 3971, 4861 (if approved) December 10, 2012 | Updates: 3971, 4861 (if approved) January 14, 2013 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: June 13, 2013 | Expires: July 18, 2013 | |||
| Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery | Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery | |||
| draft-ietf-6man-nd-extension-headers-02 | draft-ietf-6man-nd-extension-headers-03 | |||
| Abstract | Abstract | |||
| This document analyzes the security implications of using IPv6 | This document analyzes the security implications of employing IPv6 | |||
| Extension Headers with Neighbor Discovery (ND) messages. It updates | fragmentation with Neighbor Discovery (ND) messages. It updates RFC | |||
| RFC 4861 such that use of the IPv6 Fragmentation Header is forbidden | 4861 such that use of the IPv6 Fragmentation Header is forbidden in | |||
| in all Neighbor Discovery messages, thus allowing for simple and | all Neighbor Discovery messages, thus allowing for simple and | |||
| effective counter-measures for Neighbor Discovery attacks. Finally, | effective counter-measures for Neighbor Discovery attacks. Finally, | |||
| it discusses the security implications of using IPv6 fragmentation | it discusses the security implications of using IPv6 fragmentation | |||
| with SEcure Neighbor Discovery (SEND), and formally updates RFC 3971 | with SEcure Neighbor Discovery (SEND), and formally updates RFC 3971 | |||
| to provide advice regarding how the aforementioned security | to provide advice regarding how the aforementioned security | |||
| implications can be prevented. | implications can be prevented. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| skipping to change at page 1, line 39 | skipping to change at page 1, line 39 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on June 13, 2013. | This Internet-Draft will expire on July 18, 2013. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2012 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 3, line 8 | skipping to change at page 3, line 8 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 1. Introduction | 1. Introduction | |||
| The Neighbor Discovery Protocol (NDP) is specified in RFC 4861 | The Neighbor Discovery Protocol (NDP) is specified in RFC 4861 | |||
| [RFC4861] and RFC 4862 [RFC4862]. It is used by both hosts and | [RFC4861]. It is used by both hosts and routers. Its functions | |||
| routers. Its functions include Neighbor Discovery (ND), Router | include Neighbor Discovery (ND), Router Discovery (RD), Address | |||
| Discovery (RD), Address Autoconfiguration, Address Resolution, | Autoconfiguration, Address Resolution, Neighbor Unreachability | |||
| Neighbor Unreachability Detection (NUD), Duplicate Address Detection | Detection (NUD), Duplicate Address Detection (DAD), and Redirection. | |||
| (DAD), and Redirection. | ||||
| Many of the possible attacks against the Neighbor Discovery Protocol | Many of the possible attacks against the Neighbor Discovery Protocol | |||
| are discussed in detail in [RFC3756]. In order to mitigate the | are discussed in detail in [RFC3756]. In order to mitigate the | |||
| aforementioned possible attacks, the SEcure Neighbor Discovery (SEND) | aforementioned possible attacks, the SEcure Neighbor Discovery (SEND) | |||
| was standardized. SEND employs a number of mechanisms to certify the | was standardized. SEND employs a number of mechanisms to certify the | |||
| origin of Neighbor Discovery packets and the authority of routers, | origin of Neighbor Discovery packets and the authority of routers, | |||
| and to protect Neighbor Discovery packets from being the subject of | and to protect Neighbor Discovery packets from being the subject of | |||
| modification or replay attacks. | modification or replay attacks. | |||
| However, a number of factors, such as the use of trust anchors and | However, a number of factors, such as the use of trust anchors and | |||
| the unavailability of SEND implementations for many widely-deployed | the unavailability of SEND implementations for many widely-deployed | |||
| operating systems, make SEND hard to deploy [Gont-DEEPSEC2011]. | operating systems, make SEND hard to deploy [Gont-DEEPSEC2011]. | |||
| Thus, in many general scenarios it may be necessary and/or convenient | Thus, in many general scenarios it may be necessary and/or convenient | |||
| to use other mitigation techniques for NDP-based attacks. The | to use other mitigation techniques for NDP-based attacks. The | |||
| following mitigations are currently available for NDP attacks: | following mitigations are currently available for NDP attacks: | |||
| o Layer-2 filtering of Neighbor Discovery packets (such as RA-Guard | o Layer-2 filtering of Neighbor Discovery packets (such as RA-Guard | |||
| [RFC6105]) | [RFC6105]) | |||
| o Neighbor Discovery monitoring tools (e.g., such as NDPMon | o Neighbor Discovery monitoring tools (e.g., such as NDPMon | |||
| [NDPMon]) | [NDPMon], ramond [ramond], and rafixd [rafixd]) | |||
| o Intrusion Prevention Systems (IPS) | o Intrusion Prevention Systems (IPS) | |||
| IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique | IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique | |||
| for attack vectors based on ICMPv6 Router Advertisement messages. It | for attack vectors based on ICMPv6 Router Advertisement messages. It | |||
| is meant to block attack packets at a layer-2 device before the | is meant to block attack packets at a layer-2 device before the | |||
| attack packets actually reach the target nodes. [RFC6104] describes | attack packets actually reach the target nodes. [RFC6104] describes | |||
| the problem statement of "Rogue IPv6 Router Advertisements", and | the problem statement of "Rogue IPv6 Router Advertisements", and | |||
| [RFC6105] specifies the "IPv6 Router Advertisement Guard" | [RFC6105] specifies the "IPv6 Router Advertisement Guard" | |||
| functionality. | functionality. | |||
| Tools such as NDPMon [NDPMon] and ramond [ramond] aim at monitoring | Tools such as NDPMon [NDPMon] and ramond [ramond] aim at monitoring | |||
| Neighbor Discovery traffic in the hopes of detecting possible attacks | Neighbor Discovery traffic in the hopes of detecting possible attacks | |||
| when there are discrepancies between the information advertised in | when there are discrepancies between the information advertised in | |||
| Neighbor Discovery packets and the information stored on a local | Neighbor Discovery packets and the information stored on a local | |||
| database. | database. rafixd [rafixd] goes one step further, and tries to | |||
| mitigate some Neighbor Discovery attacks by sending "correcting" | ||||
| Router Advertisement messages in response to incorrect/malicious | ||||
| Router Advertisement messages. | ||||
| Some Intrusion Prevention Systems (IPS) can mitigate Neighbor | Some Intrusion Prevention Systems (IPS) can mitigate Neighbor | |||
| Discovery attacks. We recommend that Intrusion Prevention Systems | Discovery attacks. We recommend that Intrusion Prevention Systems | |||
| (IPS) implement mitigations for NDP attacks. | (IPS) implement mitigations for NDP attacks. | |||
| A key challenge that these mitigation or monitoring techniques face | A key challenge that these mitigation or monitoring techniques face | |||
| is that introduced by IPv6 fragmentation, since it is trivial for an | is that introduced by IPv6 fragmentation, since it is trivial for an | |||
| attacker to conceal his attack by fragmenting his packets into | attacker to conceal his attack by fragmenting his packets into | |||
| multiple fragments. This may limit or even eliminate the | multiple fragments. This may limit or even eliminate the | |||
| effectiveness of the aforementioned mitigation or monitoring | effectiveness of the aforementioned mitigation or monitoring | |||
| skipping to change at page 9, line 20 | skipping to change at page 9, line 20 | |||
| relevant specifications such that the IPv6 Fragment Header is not | relevant specifications such that the IPv6 Fragment Header is not | |||
| allowed in any Neighbor Discovery messages except "Certification Path | allowed in any Neighbor Discovery messages except "Certification Path | |||
| Advertisement", protection of local nodes against Neighbor Discovery | Advertisement", protection of local nodes against Neighbor Discovery | |||
| attacks, and monitoring of Neighbor Discovery traffic is greatly | attacks, and monitoring of Neighbor Discovery traffic is greatly | |||
| simplified. | simplified. | |||
| [I-D.ietf-v6ops-ra-guard-implementation] discusses an improvement to | [I-D.ietf-v6ops-ra-guard-implementation] discusses an improvement to | |||
| the RA-Guard mechanism that can mitigate Neighbor Discovery attacks | the RA-Guard mechanism that can mitigate Neighbor Discovery attacks | |||
| that employ IPv6 Fragmentation. However, it should be noted that | that employ IPv6 Fragmentation. However, it should be noted that | |||
| unless [RFC4861] is updated (as proposed in this document), Neighbor | unless [RFC4861] is updated (as proposed in this document), Neighbor | |||
| Discovery monitoring tools (such as NDPMon [NDPMon]) would remain | Discovery monitoring tools (such as NDPMon [NDPMon], ramond [ramond], | |||
| unreliable and trivial to circumvent by a skilled attacker. | and rafixd [rafixd]) would remain unreliable and trivial to | |||
| circumvent by a skilled attacker. | ||||
| As noted in Section 3, use of SEND could potentially result in | As noted in Section 3, use of SEND could potentially result in | |||
| fragmented "Certification Path Advertisement" messages, thus allowing | fragmented "Certification Path Advertisement" messages, thus allowing | |||
| an attacker to employ IPv6 fragmentation-based attacks against such | an attacker to employ IPv6 fragmentation-based attacks against such | |||
| messages. Therefore, to the extent that is possible, such use of | messages. Therefore, to the extent that is possible, such use of | |||
| fragmentation should be avoided. | fragmentation should be avoided. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| The author would like to thank (in alphabetical order) Mikael | The author would like to thank (in alphabetical order) Mikael | |||
| Abrahamsson, Ran Atkinson, Ron Bonica, Jean-Michel Combes, David | Abrahamsson, Ran Atkinson, Ron Bonica, Jean-Michel Combes, David | |||
| Farmer, Roque Gagliano, Bob Hinden, Philip Homburg, Ray Hunter, | Farmer, Roque Gagliano, Bran Haberman, Bob Hinden, Philip Homburg, | |||
| Arturo Servin, and Mark Smith, for providing valuable comments on | Ray Hunter, Arturo Servin, and Mark Smith, for providing valuable | |||
| earlier versions of this document. | comments on earlier versions of this document. | |||
| This document resulted from the project "Security Assessment of the | This document resulted from the project "Security Assessment of the | |||
| Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by | Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by | |||
| Fernando Gont on behalf of the UK Centre for the Protection of | Fernando Gont on behalf of the UK Centre for the Protection of | |||
| National Infrastructure (CPNI). The author would like to thank the | National Infrastructure (CPNI). The author would like to thank the | |||
| UK CPNI, for their continued support. | UK CPNI, for their continued support. | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| skipping to change at page 11, line 19 | skipping to change at page 11, line 19 | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure | [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure | |||
| Neighbor Discovery (SEND)", RFC 3971, March 2005. | Neighbor Discovery (SEND)", RFC 3971, March 2005. | |||
| [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | |||
| "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | |||
| September 2007. | September 2007. | |||
| [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless | ||||
| Address Autoconfiguration", RFC 4862, September 2007. | ||||
| 8.2. Informative References | 8.2. Informative References | |||
| [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor | [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor | |||
| Discovery (ND) Trust Models and Threats", RFC 3756, | Discovery (ND) Trust Models and Threats", RFC 3756, | |||
| May 2004. | May 2004. | |||
| [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement | [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement | |||
| Problem Statement", RFC 6104, February 2011. | Problem Statement", RFC 6104, February 2011. | |||
| [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. | [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. | |||
| Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, | Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, | |||
| February 2011. | February 2011. | |||
| [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor", | [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor", | |||
| <http://ndpmon.sourceforge.net/>. | <http://ndpmon.sourceforge.net/>. | |||
| [ramond] "ramond", <http://ramond.sourceforge.net/>. | [ramond] "ramond", <http://ramond.sourceforge.net/>. | |||
| [rafixd] "rafixd", <http://www.kame.net/dev/cvsweb2.cgi/kame/kame/ | ||||
| kame/rafixd/>. | ||||
| [I-D.ietf-v6ops-ra-guard-implementation] | [I-D.ietf-v6ops-ra-guard-implementation] | |||
| Gont, F., "Implementation Advice for IPv6 Router | Gont, F., "Implementation Advice for IPv6 Router | |||
| Advertisement Guard (RA-Guard)", | Advertisement Guard (RA-Guard)", | |||
| draft-ietf-v6ops-ra-guard-implementation-07 (work in | draft-ietf-v6ops-ra-guard-implementation-07 (work in | |||
| progress), November 2012. | progress), November 2012. | |||
| [CPNI-IPv6] | [CPNI-IPv6] | |||
| Gont, F., "Security Assessment of the Internet Protocol | Gont, F., "Security Assessment of the Internet Protocol | |||
| version 6 (IPv6)", UK Centre for the Protection of | version 6 (IPv6)", UK Centre for the Protection of | |||
| National Infrastructure, (available on request). | National Infrastructure, (available on request). | |||
| End of changes. 13 change blocks. | ||||
| 24 lines changed or deleted | 27 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||