draft-ietf-v6ops-v6nd-problems-04.txt vs. draft-ietf-v6ops-v6nd-problems-05.txt

v6ops                                                       I. Gashinsky
Internet-Draft                                                    Yahoo!
Intended status: Informational                                J. Jaeggli
Expires: August 5, 2012 (-04) / September 4, 2012 (-05)            Zynga
                                                               W. Kumari
                                                              Google Inc
                          February 02, 2012 (-04) / March 03, 2012 (-05)

                  Operational Neighbor Discovery Problems
                   draft-ietf-v6ops-v6nd-problems-04 (-04)
                   draft-ietf-v6ops-v6nd-problems-05 (-05)
Abstract

   In IPv4, subnets are generally small, made just large enough to cover
   the actual number of machines on the subnet.  In contrast, the
   default IPv6 subnet size is a /64, a number so large it covers
   trillions of addresses, the overwhelming majority of which will be
   unassigned.  Consequently, simplistic implementations of Neighbor
   Discovery (ND) can be vulnerable to deliberate or accidental denial
   of service, whereby they attempt to perform address resolution for

skipping to change at page 2, line 4
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   -04: This Internet-Draft will expire on August 5, 2012.
   -05: This Internet-Draft will expire on September 4, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

skipping to change at page 4, line 49
   In IPv4, subnets are generally small, made just large enough to cover
   the actual number of machines on the subnet.  For example, an IPv4
   /20 contains only 4096 addresses.  In contrast, the default IPv6
   subnet size is a /64, a number so large it covers literally billions
   of billions of addresses, the overwhelming majority of which will be
   unassigned.  Consequently, simplistic implementations of Neighbor
   Discovery may fail to perform as desired when they perform address
   resolution of large numbers of unassigned addresses.  Such failures
   can be triggered either intentionally by an attacker launching a
   Denial of Service attack (DoS) [RFC4732] to exploit this
   vulnerability, or unintentionally due to the use of legitimate
   operational tools that scan networks for inventory and other
   purposes.  As a result of these failures, new devices may not be able
   to "join" a network, it may be impossible to establish new IPv6
   flows, and existing IPv6 transport flows may be interrupted.

   -04: ... launching a Denial of Service attack (DoS) to exploit this
        vulnerability, ...
   -05: ... launching a Denial of Service attack (DoS) [RFC4732] to
        exploit this vulnerability, ...

   Network scans attempt to find and probe devices on a network.
   Typically, scans are performed on a range of target addresses, or all
   the addresses on a particular subnet.  When such probes are directed
   via a router, and the target addresses are on a directly attached
   network, the router will attempt to perform address resolution on a
   large number of destinations (i.e., some fraction of the 2^64
   addresses on the subnet).  The router's process of testing for the
   (non)existence of neighbors can induce a denial of service condition,
   where the number of necessary Neighbor Discovery requests overwhelms

skipping to change at page 6, line 30
      resolution and maintaining the Neighbor Cache.  When forwarding
      packets, the forwarding plane accesses entries within the Neighbor
      Cache.  When the forwarding plane processes a packet for which the
      corresponding Neighbor Cache Entry is missing or incomplete, it
      notifies NDP to take appropriate action (typically via a shared
      queue).  NDP picks up requests from the shared queue and performs
      any necessary discovery action.  In many implementations the NDP
      is also responsible for responding to router solicitation
      messages, Neighbor Unreachability Detection (NUD), etc.

   -04 only (paragraph removed in -05):
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

4.  Background

   Modern router architectures separate the forwarding of packets
   (forwarding plane) from the decisions needed to decide where the
   packets should go (control plane).  In order to deal with the high
   number of packets per second, the forwarding plane is generally
   implemented in hardware and is highly optimized for the task of
   forwarding packets.  In contrast, the NDP control plane is mostly
   implemented in software processes running on a general purpose
   processor.

skipping to change at page 8, line 14 (-04) / line 10 (-05)
   resolution process.  The device then sends out one or more Neighbor
   Solicitations, and when it receives a corresponding Neighbor
   Advertisement, completes the Neighbor Cache Entry and sends the
   queued packet.

6.  Operational Mitigation Options

   This section provides some feasible mitigation options that can be
   employed today by network operators in order to protect network
   availability while vendors implement more effective protection
   measures.  It can be stated that some of these options are "kludges",
   and can be operationally difficult to manage.  They are presented, as
   they represent options we currently have.  It is each operator's
   responsibility to evaluate and understand the impact of changes to
   their network due to these measures.

   -04: It can be stipulated that some of these options are "kludges",
        and are operationally difficult to manage.
   -05: It can be stated that some of these options are "kludges", and
        can be operationally difficult to manage.

6.1.  Filtering of unused address space.

   The DoS condition is induced by making a router try to resolve
   addresses on the subnet at a high rate.  By carefully addressing
   machines into a small portion of a subnet (such as the lowest
   numbered addresses), it is possible to filter access to addresses not
   in that assigned portion of address space using Access Control Lists
   (ACLs), or by null routing, features which are available on most
   existing platforms.  This will prevent the attacker from making the
skipping to change at page 10, line 37 (-04) / line 31 (-05)
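Section 6.1 above relies on numbering hosts into a small, low-numbered portion of the /64 and then filtering (ACL) or null-routing everything else so the router never has to resolve the unassigned space. The following is an added example, not text or code from the draft, that computes such a filter with Python's standard `ipaddress` module and checks which probe destinations would still reach address resolution. The subnet `2001:db8:0:1::/64`, the choice of a /112 populated block (the lowest 2^16 addresses) and the probe addresses are constructed assumptions.

```python
import ipaddress

# Constructed example values (not from the draft): a /64 whose hosts are all
# numbered within its lowest 2**16 addresses, plus a handful of probe targets.
SUBNET = "2001:db8:0:1::/64"
HOST_BITS = 16
SAMPLE_PROBES = [
    "2001:db8:0:1::1",            # inside the assigned block
    "2001:db8:0:1::ff",           # inside the assigned block
    "2001:db8:0:1::1:0",          # first address above the assigned block
    "2001:db8:0:1:dead:beef::1",  # deep in the unassigned space
    "2001:db8:0:2::1",            # a different subnet, not covered by this filter
]


def assigned_block(subnet, host_bits):
    """Lowest-numbered sub-prefix of `subnet` that holds 2**host_bits addresses."""
    net = ipaddress.IPv6Network(subnet, strict=True)
    if not 1 <= host_bits <= 128 - net.prefixlen:
        raise ValueError("host_bits must fit inside the subnet")
    return ipaddress.IPv6Network((net.network_address, 128 - host_bits))


def build_acl(subnet, host_bits):
    """Ordered ACL, first match wins: permit the populated block, deny the rest."""
    return [("permit", assigned_block(subnet, host_bits)),
            ("deny", ipaddress.IPv6Network(subnet))]


def acl_action(acl, destination):
    """'permit' or 'deny' for a destination inside the subnet, 'no-match' otherwise."""
    addr = ipaddress.IPv6Address(destination)
    for action, prefix in acl:
        if addr in prefix:
            return action
    return "no-match"


def null_routes(subnet, host_bits):
    """Covering prefixes for the unassigned remainder (the null-route variant).

    Traffic to these prefixes is discarded by the FIB before it can create an
    incomplete Neighbor Cache Entry and trigger a Neighbor Solicitation.
    """
    net = ipaddress.IPv6Network(subnet)
    return sorted(net.address_exclude(assigned_block(subnet, host_bits)))


def null_routed(subnet, host_bits, destination):
    """True if the destination falls into one of the null-routed prefixes."""
    addr = ipaddress.IPv6Address(destination)
    return any(addr in prefix for prefix in null_routes(subnet, host_bits))


def nd_lookups_triggered(acl, destinations):
    """Number of probed destinations that would still reach address resolution."""
    return sum(1 for d in destinations if acl_action(acl, d) == "permit")


if __name__ == "__main__":
    acl = build_acl(SUBNET, HOST_BITS)
    for action, prefix in acl:
        print(f"{action:6} {prefix}")
    print(f"{len(null_routes(SUBNET, HOST_BITS))} null routes cover the remainder")
    for probe in SAMPLE_PROBES:
        print(f"{probe:28} {acl_action(acl, probe)}")
    print("probes reaching ND:", nd_lookups_triggered(acl, SAMPLE_PROBES))
```

The ACL form needs only two entries, whereas excluding a /112 from a /64 yields 48 covering prefixes (one per bit between /65 and /112), which is worth knowing before choosing the null-route variant on a platform with a small FIB.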
7.1.  Prioritize NDP Activities

   Not all Neighbor Discovery activities are equally important.
   Specifically, requests to perform large numbers of address
   resolutions on non-existent Neighbor Cache Entries should not come at
   the expense of servicing requests related to keeping existing, in-use
   entries properly up-to-date.  Thus, implementations should divide
   work activities into categories having different priorities.  The
   following gives examples of different activities and their importance
   in rough priority order.  If implemented, the operation and priority
   of these should be configurable by the operator.

   -04: ... the operation and priority of these SHOULD be configurable
        by the operator.
   -05: ... the operation and priority of these should be configurable
        by the operator.

   1.  It is critical to respond to Neighbor Solicitations for one's own
   address, especially for a router.  Whether for address resolution or
   Neighbor Unreachability Detection, failure to respond to Neighbor
   Solicitations results in immediate problems.  Failure to respond to
   NS requests that are part of NUD can cause neighbors to delete the
   NCE for that address, and will result in followup NS messages using
   multicast.  Once an entry has been flushed, existing traffic for
   destinations using that entry can no longer be forwarded until
   address resolution completes successfully.  In other words, not

skipping to change at page 11, line 36 (-04) / line 30 (-05)

   algorithm in IPv6 Neighbor Discovery [RFC4861] calls for deleting
   NCEs under certain conditions.  Rather than delete them completely,
   however, it might be useful to at least keep track of the fact that
   an entry at one time existed, in order to prioritize address
   resolution requests for such neighbors compared with neighbors that
   have never been seen before.

7.2.  Queue Tuning.

   On implementations in which requests to NDP are submitted via a
   single queue, router vendors should provide operators with means to
   control both the rate of link-layer address resolution requests
   placed into the queue and the size of the queue.  This will allow
   operators to tune Neighbor Discovery for their specific environment.
   The ability to set per-interface or per-prefix queue limits at a rate
   below that of the global queue limit might limit the damage to the
   neighbor discovery processing to the network targeted by the attack.

   -04: ... router vendors SHOULD provide operators with means to ...
   -05: ... router vendors should provide operators with means to ...

   Setting those values must be a very careful balancing act - the lower
   the rate of entry into the queue, the less load there will be on the
skipping to change at page 13, line 8 (-04) / line 7 (-05)
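Sections 7.1 and 7.2 above, together with the earlier description of the shared queue between the forwarding plane and NDP, describe a design rather than code. The following is an added example, not the draft's or any vendor's implementation, that simulates such a queue in Python: requests are classified into the priority classes of section 7.1 (own-address NS, NUD of an in-use entry, resolution of a previously seen neighbor, resolution of a never-seen address), a "ghost" record of deleted NCEs is kept as section 7.1 suggests, and the global and per-interface limits of section 7.2 bound the damage a scan on one interface can do. The priority values, the choice to apply the per-interface limit only to address-resolution work, the eviction rule, the interface names and all addresses are assumptions of this example.

```python
import heapq
import itertools
from dataclasses import dataclass, field

# Priority classes in the rough order of section 7.1; lower value is served first.
PRIO_OWN_ADDRESS = 0      # Neighbor Solicitation for one of the router's own addresses
PRIO_NUD_EXISTING = 1     # NUD / refresh of an existing, in-use Neighbor Cache Entry
PRIO_RESOLVE_SEEN = 2     # resolution of an address whose NCE once existed
PRIO_RESOLVE_UNKNOWN = 3  # resolution of a never-seen address; scan traffic lands here


@dataclass(order=True)
class Request:
    prio: int
    seq: int                          # FIFO order within a priority class
    iface: str = field(compare=False)
    kind: str = field(compare=False)  # "ns_for_us", "nud" or "resolve"
    target: str = field(compare=False)


class NdpQueue:
    """Shared forwarding-plane -> NDP queue with the tuning knobs of section 7.2.

    Assumed design (not specified by the draft): the per-interface limit counts
    address-resolution work only, and a request that finds a limit reached may
    evict a queued request of strictly lower priority instead of being dropped.
    """

    def __init__(self, own_addresses, global_limit, per_iface_limit):
        self.own = set(own_addresses)
        self.global_limit = global_limit
        self.per_iface_limit = per_iface_limit
        self.heap = []
        self.resolving_per_iface = {}
        self.seq = itertools.count()
        self.cache = {}           # target -> state of a completed NCE
        self.seen_before = set()  # targets whose NCE was deleted (section 7.1)
        self.dropped = 0          # rejected or evicted requests

    def delete_entry(self, target):
        # RFC 4861 deletes NCEs in some situations; remember that one existed.
        self.cache.pop(target, None)
        self.seen_before.add(target)

    def classify(self, kind, target):
        if kind == "ns_for_us" and target in self.own:
            return PRIO_OWN_ADDRESS
        if kind == "nud" and target in self.cache:
            return PRIO_NUD_EXISTING
        if target in self.seen_before:
            return PRIO_RESOLVE_SEEN
        return PRIO_RESOLVE_UNKNOWN

    def _remove(self, req):
        self.heap.remove(req)
        heapq.heapify(self.heap)
        if req.prio >= PRIO_RESOLVE_SEEN:
            self.resolving_per_iface[req.iface] -= 1
        self.dropped += 1

    def _make_room(self, prio, candidates):
        victim = max(candidates, default=None)  # lowest priority, newest among those
        if victim is None or victim.prio <= prio:
            return False
        self._remove(victim)
        return True

    def submit(self, iface, kind, target):
        """Called by the forwarding plane; returns True if the request was queued."""
        prio = self.classify(kind, target)
        is_resolution = prio >= PRIO_RESOLVE_SEEN
        if is_resolution and self.resolving_per_iface.get(iface, 0) >= self.per_iface_limit:
            same_iface = [r for r in self.heap
                          if r.iface == iface and r.prio >= PRIO_RESOLVE_SEEN]
            if not self._make_room(prio, same_iface):
                self.dropped += 1
                return False
        if len(self.heap) >= self.global_limit and not self._make_room(prio, self.heap):
            self.dropped += 1
            return False
        heapq.heappush(self.heap, Request(prio, next(self.seq), iface, kind, target))
        if is_resolution:
            self.resolving_per_iface[iface] = self.resolving_per_iface.get(iface, 0) + 1
        return True

    def service(self, budget):
        """NDP takes at most `budget` requests per tick, highest priority first."""
        served = []
        while self.heap and len(served) < budget:
            req = heapq.heappop(self.heap)
            if req.prio >= PRIO_RESOLVE_SEEN:
                self.resolving_per_iface[req.iface] -= 1
            served.append(req)
        return served


def scan_scenario():
    """Constructed scenario: a 1000-address scan hits eth1 while real work arrives."""
    q = NdpQueue(own_addresses={"2001:db8::1"}, global_limit=500, per_iface_limit=100)
    q.cache["2001:db8::10"] = "REACHABLE"   # in-use neighbor on eth0
    q.delete_entry("2001:db8:0:1::20")      # eth1 neighbor whose NCE was flushed earlier
    for i in range(1000):                   # scan of unassigned space behind eth1
        q.submit("eth1", "resolve", f"2001:db8:0:1::{0x1000 + i:x}")
    queued_from_scan = len(q.heap)
    q.submit("eth0", "nud", "2001:db8::10")
    q.submit("eth1", "resolve", "2001:db8:0:1::20")
    q.submit("eth0", "ns_for_us", "2001:db8::1")
    first_served = [f"{r.kind} {r.target}" for r in q.service(3)]
    return queued_from_scan, q.dropped, first_served
```

In the scenario only 100 of the 1000 scan-driven resolutions are ever queued, and when the NUD refresh, the previously seen neighbor and the solicitation for the router's own address arrive during the scan, they are the first three requests NDP services; the remaining scan backlog is worked off afterwards, which is the behaviour section 7.1 asks for.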
   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
              Address Autoconfiguration", RFC 4862, September 2007.

   [RFC6164]  Kohno, M., Nitzan, B., Bush, R., Matsuzaki, Y., Colitti,
              L., and T. Narten, "Using 127-Bit IPv6 Prefixes on Inter-
              Router Links", RFC 6164, April 2011.

11.2.  Informative References

   -05 only (reference added in -05):
   [RFC4732]  Handley, M., Rescorla, E., and IAB, "Internet Denial-of-
              Service Considerations", RFC 4732, December 2006.

   [RFC5157]  Chown, T., "IPv6 Implications for Network Scanning",
              RFC 5157, March 2008.

Authors' Addresses

   Igor Gashinsky
   Yahoo!
   45 W 18th St
   New York, NY
   USA

End of changes.  10 change blocks.  21 lines changed or deleted, 20 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/