| draft-ietf-6man-overlap-fragment-03.txt | rfc5722.txt | |||
|---|---|---|---|---|
| 6man Working Group S. Krishnan | Network Working Group S. Krishnan | |||
| Internet-Draft Ericsson | Request for Comments: 5722 Ericsson | |||
| Updates: 2460 (if approved) July 2, 2009 | Updates: 2460 December 2009 | |||
| Intended status: Standards Track | Category: Standards Track | |||
| Expires: January 3, 2010 | ||||
| Handling of overlapping IPv6 fragments | ||||
| draft-ietf-6man-overlap-fragment-03 | ||||
| Status of this Memo | ||||
| This Internet-Draft is submitted to IETF in full conformance with the | ||||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | Handling of Overlapping IPv6 Fragments | |||
| Task Force (IETF), its areas, and its working groups. Note that | ||||
| other groups may also distribute working documents as Internet- | ||||
| Drafts. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | Abstract | |||
| and may be updated, replaced, or obsoleted by other documents at any | ||||
| time. It is inappropriate to use Internet-Drafts as reference | ||||
| material or to cite them other than as "work in progress." | ||||
| The list of current Internet-Drafts can be accessed at | The fragmentation and reassembly algorithm specified in the base IPv6 | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | specification allows fragments to overlap. This document | |||
| demonstrates the security issues associated with allowing overlapping | ||||
| fragments and updates the IPv6 specification to explicitly forbid | ||||
| overlapping fragments. | ||||
| The list of Internet-Draft Shadow Directories can be accessed at | Status of This Memo | |||
| http://www.ietf.org/shadow.html. | ||||
| This Internet-Draft will expire on January 3, 2010. | This document specifies an Internet standards track protocol for the | |||
| Internet community, and requests discussion and suggestions for | ||||
| improvements. Please refer to the current edition of the "Internet | ||||
| Official Protocol Standards" (STD 1) for the standardization state | ||||
| and status of this protocol. Distribution of this memo is unlimited. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2009 IETF Trust and the persons identified as the | Copyright (c) 2009 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents in effect on the date of | Provisions Relating to IETF Documents | |||
| publication of this document (http://trustee.ietf.org/license-info). | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | ||||
| Abstract | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | ||||
| The fragmentation and reassembly algorithm specified in the base IPv6 | described in the BSD License. | |||
| specification allows fragments to overlap. This document | ||||
| demonstrates the security issues with allowing overlapping fragments | ||||
| and updates the IPv6 specification to explicitly forbid overlapping | ||||
| fragments. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction ....................................................2 | |||
| 1.1. Conventions used in this document . . . . . . . . . . . . . 3 | 1.1. Conventions Used in This Document ..........................2 | |||
| 2. Overlapping Fragments . . . . . . . . . . . . . . . . . . . . . 3 | 2. Overlapping Fragments ...........................................2 | |||
| 3. The attack . . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. The Attack ......................................................3 | |||
| 4. Recommendation . . . . . . . . . . . . . . . . . . . . . . . . 6 | 4. Node Behavior ...................................................5 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 | 5. Security Considerations .........................................5 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 | 6. Acknowledgements ................................................5 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 | 7. References ......................................................6 | |||
| 8. Normative References . . . . . . . . . . . . . . . . . . . . . 7 | 7.1. Normative References .......................................6 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 7.2. Informative References .....................................6 | |||
| 1. Introduction | 1. Introduction | |||
| Fragmentation is used in IPv6 when the IPv6 packet will not fit | Fragmentation is used in IPv6 when the IPv6 packet will not fit | |||
| inside the path MTU to its destination. When fragmentation is | inside the path MTU to its destination. When fragmentation is | |||
| performed an IPv6 node uses a fragment header as specified in section | performed, an IPv6 node uses a fragment header, as specified in | |||
| 4.5 of the IPv6 base specification [RFC2460] to break down the | Section 4.5 of the IPv6 base specification [RFC2460], to break down | |||
| datagram into smaller fragments that will fit in the path MTU. The | the datagram into smaller fragments that will fit in the path MTU. | |||
| destination node receives these fragments and reassembles them. The | The destination node receives these fragments and reassembles them. | |||
| algorithm specified for fragmentation in [RFC2460] does not prevent | The algorithm specified for fragmentation in [RFC2460] does not | |||
| the fragments from overlapping, and this can lead to some security | prevent the fragments from overlapping, and this can lead to some | |||
| issues with firewalls [RFC4942]. This document explores the issues | security issues with firewalls [RFC4942]. This document explores the | |||
| that can be caused by overlapping fragments. | issues that can be caused by overlapping fragments and updates the | |||
| IPv6 specification to explicitly forbid overlapping fragments. | ||||
| 1.1. Conventions used in this document | 1.1. Conventions Used in This Document | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL","SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 2. Overlapping Fragments | 2. Overlapping Fragments | |||
| Commonly used firewalls use the algorithm specified in [RFC1858] to | Commonly used firewalls use the algorithm specified in [RFC1858] to | |||
| weed out malicious packets that try to overwrite parts of the | weed out malicious packets that try to overwrite parts of the | |||
| transport layer header to bypass inbound connection checks. | transport-layer header in order to bypass inbound connection checks. | |||
| [RFC1858] prevents an overlapping fragment attack on an upper layer | [RFC1858] prevents an overlapping fragment attack on an upper-layer | |||
| protocol (in this case TCP) by recommending that packets with | protocol (in this case, TCP) by recommending that packets with a | |||
| fragment offset 1 be dropped. While this works well for IPv4 | fragment offset of 1 be dropped. While this works well for IPv4 | |||
| fragments, it will not work for IPv6 fragments. This is because the | fragments, it will not work for IPv6 fragments. This is because the | |||
| fragmentable part of the IPv6 packet can contain extension headers | fragmentable part of the IPv6 packet can contain extension headers | |||
| before the TCP header, making this check less effective. | before the TCP header, making this check less effective. | |||
| 3. The attack | 3. The Attack | |||
| This attack describes how a malicious node can bypass a firewall | This attack describes how a malicious node can bypass a firewall | |||
| using overlapping fragments. Consider a sufficiently large IPv6 | using overlapping fragments. Consider a sufficiently large IPv6 | |||
| packet that needs to be fragmented. | packet that needs to be fragmented. | |||
| +------------------+--------------------//-----------------------+ | +------------------+--------------------//-----------------------+ | |||
| | Unfragmentable | Fragmentable | | | Unfragmentable | Fragmentable | | |||
| | Part | Part | | | Part | Part | | |||
| +------------------+--------------------//-----------------------+ | +------------------+--------------------//-----------------------+ | |||
| Figure 1: Large IPv6 packet | Figure 1: Large IPv6 Packet | |||
| This packet is split into several fragments by the sender so that the | This packet is split into several fragments by the sender so that the | |||
| packet can fit inside the path MTU. Let's say the packet is split | packet can fit inside the path MTU. Let's say the packet is split | |||
| into two fragments. | into two fragments. | |||
| +------------------+--------+--------------------+ | +------------------+--------+--------------------+ | |||
| | Unfragmentable |Fragment| first | | | Unfragmentable |Fragment| first | | |||
| | Part | Header | fragment | | | Part | Header | fragment | | |||
| +------------------+--------+--------------------+ | +------------------+--------+--------------------+ | |||
| +------------------+--------+--------------------+ | +------------------+--------+--------------------+ | |||
| | Unfragmentable |Fragment| second | | | Unfragmentable |Fragment| second | | |||
| | Part | Header | fragment | | | Part | Header | fragment | | |||
| +------------------+--------+--------------------+ | +------------------+--------+--------------------+ | |||
| Figure 2: Fragmented IPv6 packet | Figure 2: Fragmented IPv6 Packet | |||
| Consider the first fragment. Let's say it contains a destination | Consider the first fragment. Let's say it contains a destination | |||
| options header (DOH) 80 octets long and is followed by a TCP header. | options header (DOH) 80 octets long and is followed by a TCP header. | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<==FH | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<==FH | |||
| |NextHdr=DOH(60)| Reserved | FragmentOffset = 0 |Res|1| | |NextHdr=DOH(60)| Reserved | FragmentOffset = 0 |Res|1| | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Identification=aaaabbbb | | | Identification=aaaabbbb | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<==DOH | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<==DOH | |||
| |NextHdr=TCP(6) | HdrExtLen = 9 | | | |NextHdr=TCP(6) | HdrExtLen = 9 | | | |||
| skipping to change at page 5, line 27 | skipping to change at page 4, line 27 | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<==TCP | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<==TCP | |||
| | Source Port | Destination Port | | | Source Port | Destination Port | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Sequence Number | | | Sequence Number | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Acknowledgment Number | | | Acknowledgment Number | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Offset| Reserved |U|A|P|R|S|F| Window | | | Offset| Reserved |U|A|P|R|S|F| Window | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 3: First Fragment | Figure 3: First Fragment | |||
| The TCP header has the following values of the flags S(YN)=1 and | The TCP header has the following values of the flags: S(YN)=1 and | |||
| A(CK)=1. This may make an inspecting stateful firewall think that it | A(CK)=1. This may make an inspecting stateful firewall think that it | |||
| is a response packet for a connection request initiated from the | is a response packet for a connection request initiated from the | |||
| trusted side of the firewall. Hence it will allow the fragment to | trusted side of the firewall. Hence, it will allow the fragment to | |||
| pass. It will also allow the following fragments with the same | pass. It will also allow the following fragments with the same | |||
| Fragment Identification value in the fragment header to pass through. | Fragment Identification value in the fragment header to pass through. | |||
| A malicious node can form a second fragment with a TCP header that | A malicious node can form a second fragment with a TCP header that | |||
| changes the flags and sets S(YN)=1 and A(CK)=0. This can change the | changes the flags and sets S(YN)=1 and A(CK)=0. This can change the | |||
| packet on the receiving end to consider the packet as a connection | packet on the receiving end to consider the packet as a connection | |||
| request instead of a response. By doing this the malicious node has | request instead of a response. By doing this, the malicious node has | |||
| bypassed the firewall's access control to initiate a connection | bypassed the firewall's access control to initiate a connection | |||
| request to a node protected by a firewall. | request to a node protected by a firewall. | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<==FH | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<==FH | |||
| |NextHdr=DOH(60)| Reserved | FragmentOffset = 10 |Res|0| | |NextHdr=DOH(60)| Reserved | FragmentOffset = 10 |Res|0| | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Identification=aaaabbbb | | | Identification=aaaabbbb | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<==TCP | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<==TCP | |||
| | Source Port | Destination Port | | | Source Port | Destination Port | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Sequence Number | | | Sequence Number | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Acknowledgment Number | | | Acknowledgment Number | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| | Offset| Reserved |U|A|P|R|S|F| Window | | | Offset| Reserved |U|A|P|R|S|F| Window | | |||
| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 4: Second Fragment | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |||
| Figure 4: Second Fragment | ||||
| Note that this attack is much more serious in IPv6 than in IPv4. In | Note that this attack is much more serious in IPv6 than in IPv4. In | |||
| IPv4 the overlapping part of the TCP header did not include the | IPv4, the overlapping part of the TCP header does not include the | |||
| source and destination ports. In IPv6 the attack can easily work to | source and destination ports. In IPv6, the attack can easily work to | |||
| replace the source or destination port with an overlapping fragment. | replace the source or destination port with an overlapping fragment. | |||
| 4. Recommendation | 4. Node Behavior | |||
| IPv6 nodes transmitting datagrams that need to be fragmented MUST NOT | IPv6 nodes transmitting datagrams that need to be fragmented MUST NOT | |||
| create overlapping fragments. When reassembling an IPv6 datagram, if | create overlapping fragments. When reassembling an IPv6 datagram, if | |||
| one or more its constituent fragments is determined to be an | one or more its constituent fragments is determined to be an | |||
| overlapping fragment, the entire datagram (and any constituent | overlapping fragment, the entire datagram (and any constituent | |||
| fragments, including those not yet received), MUST be silently | fragments, including those not yet received) MUST be silently | |||
| discarded. | discarded. | |||
| Nodes MAY also provide mechanisms to track the reception of such | ||||
| packets, for instance, by implementing counters or alarms relating to | ||||
| these events. | ||||
| 5. Security Considerations | 5. Security Considerations | |||
| This document discusses an attack that can be used to bypass IPv6 | This document discusses an attack that can be used to bypass IPv6 | |||
| firewalls using overlapping fragments. It recommends disallowing | firewalls using overlapping fragments. It recommends disallowing | |||
| overlapping fragments in order to prevent this attack. | overlapping fragments in order to prevent this attack. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| The author would like to thank Thomas Narten, Doug Montgomery, | The author would like to thank Thomas Narten, Doug Montgomery, | |||
| Gabriel Montenegro, Remi Denis-Courmont, Marla Azinger, Arnaud | Gabriel Montenegro, Remi Denis-Courmont, Marla Azinger, Arnaud | |||
| Ebalard, Seiichi Kawamura, Behcet Sarikaya, Vishwas Manral, Christian | Ebalard, Seiichi Kawamura, Behcet Sarikaya, Vishwas Manral, Christian | |||
| Vogt, and Alfred Hoenes for their reviews and suggestions that made | Vogt, Bob Hinden, Carl Wallace, Jari Arkko, Pasi Eronen, Francis | |||
| this document better. | Dupont, Neville Brownlee, Dan Romascanu, Lars Eggert, Cullen | |||
| Jennings, and Alfred Hoenes for their reviews and suggestions that | ||||
| 7. IANA Considerations | made this document better. | |||
| This document does not require any action from the IANA. | ||||
| 8. Normative References | 7. References | |||
| [RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security | 7.1. Normative References | |||
| Considerations for IP Fragment Filtering", RFC 1858, | ||||
| October 1995. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification", RFC 2460, December 1998. | (IPv6) Specification", RFC 2460, December 1998. | |||
| [RFC4942] Davies, E., Krishnan, S., and P. Savola, "IPv6 Transition/ | 7.2. Informative References | |||
| Co-existence Security Considerations", RFC 4942, | ||||
| September 2007. | [RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security | |||
| Considerations for IP Fragment Filtering", RFC 1858, | ||||
| October 1995. | ||||
| [RFC4942] Davies, E., Krishnan, S., and P. Savola, "IPv6 | ||||
| Transition/Co-existence Security Considerations", RFC | ||||
| 4942, September 2007. | ||||
| Author's Address | Author's Address | |||
| Suresh Krishnan | Suresh Krishnan | |||
| Ericsson | Ericsson | |||
| 8400 Blvd Decarie | 8400 Blvd Decarie | |||
| Town of Mount Royal, Quebec | Town of Mount Royal, Quebec | |||
| Canada | Canada | |||
| Email: suresh.krishnan@ericsson.com | EMail: suresh.krishnan@ericsson.com | |||
| End of changes. 30 change blocks. | ||||
| 100 lines changed or deleted | 95 lines changed or added | |||
This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||