idnits 2.17.1
draft-ietf-6man-nd-extension-headers-05.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC3971, updated by this document, for
RFC5378 checks: 2003-10-17)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (June 3, 2013) is 3970 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
No issues found here.
Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 maintenance Working Group (6man) F. Gont
3 Internet-Draft SI6 Networks / UTN-FRH
4 Updates: 3971, 4861 (if approved) June 3, 2013
5 Intended status: Standards Track
6 Expires: December 5, 2013
8 Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery
9 draft-ietf-6man-nd-extension-headers-05
11 Abstract
13 This document analyzes the security implications of employing IPv6
14 fragmentation with Neighbor Discovery (ND) messages. It updates RFC
15 4861 such that use of the IPv6 Fragmentation Header is forbidden in
16 all Neighbor Discovery messages, thus allowing for simple and
17 effective counter-measures for Neighbor Discovery attacks. Finally,
18 it discusses the security implications of using IPv6 fragmentation
19 with SEcure Neighbor Discovery (SEND), and formally updates RFC 3971
20 to provide advice regarding how the aforementioned security
21 implications can be prevented.
23 Status of this Memo
25 This Internet-Draft is submitted in full conformance with the
26 provisions of BCP 78 and BCP 79.
28 Internet-Drafts are working documents of the Internet Engineering
29 Task Force (IETF). Note that other groups may also distribute
30 working documents as Internet-Drafts. The list of current Internet-
31 Drafts is at http://datatracker.ietf.org/drafts/current/.
33 Internet-Drafts are draft documents valid for a maximum of six months
34 and may be updated, replaced, or obsoleted by other documents at any
35 time. It is inappropriate to use Internet-Drafts as reference
36 material or to cite them other than as "work in progress."
38 This Internet-Draft will expire on December 5, 2013.
40 Copyright Notice
42 Copyright (c) 2013 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (http://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the Simplified BSD License.
55 Table of Contents
57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
58 2. Traditional Neighbor Discovery and IPv6 Fragmentation . . . . 5
59 3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation . . . 6
60 4. Rationale for Forbidding IPv6 Fragmentation in Neighbor
61 Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . 7
62 5. Specification . . . . . . . . . . . . . . . . . . . . . . . . 8
63 6. Operational Advice . . . . . . . . . . . . . . . . . . . . . . 9
64 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
65 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
66 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
67 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
68 10.1. Normative References . . . . . . . . . . . . . . . . . . 13
69 10.2. Informative References . . . . . . . . . . . . . . . . . 13
70 Appendix A. Message Size When Carrying Certificates . . . . . . . 15
71 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 16
73 1. Introduction
75 The Neighbor Discovery Protocol (NDP) is specified in RFC 4861
76 [RFC4861]. It is used by both hosts and routers. Its functions
77 include Neighbor Discovery (ND), Router Discovery (RD), Address
78 Autoconfiguration, Address Resolution, Neighbor Unreachability
79 Detection (NUD), Duplicate Address Detection (DAD), and Redirection.
81 Many of the possible attacks against the Neighbor Discovery Protocol
82 are discussed in detail in [RFC3756]. In order to mitigate the
83 aforementioned possible attacks, the SEcure Neighbor Discovery (SEND)
84 was standardized. SEND employs a number of mechanisms to certify the
85 origin of Neighbor Discovery packets and the authority of routers,
86 and to protect Neighbor Discovery packets from being the subject of
87 modification or replay attacks.
89 However, a number of factors, such as the high administrative
90 overhead of deploying trust anchors and the unavailability of SEND
91 implementations for many widely-deployed operating systems, make SEND
92 hard to deploy [Gont-DEEPSEC2011]. Thus, in many general scenarios
93 it may be necessary and/or convenient to use other mitigation
94 techniques for NDP-based attacks. The following mitigations are
95 currently available for NDP attacks:
97 o Static Access Control Lists (ACLs) in switches
99 o Layer-2 filtering of Neighbor Discovery packets (such as RA-Guard
100 [RFC6105])
102 o Neighbor Discovery monitoring tools (e.g., such as NDPMon
103 [NDPMon], ramond [ramond])
105 o Intrusion Prevention Systems (IPS)
107 IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique
108 for attack vectors based on ICMPv6 Router Advertisement messages. It
109 is meant to block attack packets at a layer-2 device before the
110 attack packets actually reach the target nodes. [RFC6104] describes
111 the problem statement of "Rogue IPv6 Router Advertisements", and
112 [RFC6105] specifies the "IPv6 Router Advertisement Guard"
113 functionality.
115 Tools such as NDPMon [NDPMon] and ramond [ramond] aim at monitoring
116 Neighbor Discovery traffic in the hopes of detecting possible attacks
117 when there are discrepancies between the information advertised in
118 Neighbor Discovery packets and the information stored on a local
119 database.
121 Some Intrusion Prevention Systems (IPS) can mitigate Neighbor
122 Discovery attacks. We recommend that Intrusion Prevention Systems
123 (IPS) implement mitigations for NDP attacks.
125 A key challenge that these mitigation or monitoring techniques face
126 is that introduced by IPv6 fragmentation, since it is trivial for an
127 attacker to conceal his attack by fragmenting his packets into
128 multiple fragments. This may limit or even eliminate the
129 effectiveness of the aforementioned mitigation or monitoring
130 techniques. Recent work [CPNI-IPv6] indicates that current
131 implementations of the aforementioned mitigations for NDP attacks can
132 be trivially evaded. For example, as noted in
133 [I-D.ietf-v6ops-ra-guard-implementation], current RA-Guard
134 implementations can be trivially evaded by fragmenting the attack
135 packets into multiple fragments, such that the layer-2 device cannot
136 find all the necessary information to perform packet filtering in the
137 same packet. While Neighbor Discovery monitoring tools could (in
138 theory implement IPv6 fragment reassembly, this is usually an arms-
139 race with the attacker (an attacker generate lots of forged fragments
140 to "confuse" the monitoring tools), and therefore the aforementioned
141 tools are unreliable for the detection of such attacks.
143 Section 2 analyzes the use of IPv6 fragmentation in traditional
144 Neighbor discovery. Section 3 analyzes the use of IPv6 fragmentation
145 in SEcure Neighbor Discovery (SEND). Section 4 provides the
146 rationale for forbidding the use of IPv6 fragmentation with Neighbor
147 Discovery. Section 5 formally updates RFC 4861 such that use of the
148 IPv6 Fragment Header with traditional Neighbor Discovery is
149 forbidden, and also formally updates RFC 3971 providing advice on the
150 use of IPv6 fragmentation with SEND. Section 6 provides operational
151 advice about interoperability problems arising from the use of IPv6
152 fragmentation with Neighbor Discovery.
154 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
155 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
156 document are to be interpreted as described in RFC 2119 [RFC2119].
158 2. Traditional Neighbor Discovery and IPv6 Fragmentation
160 The only potential use case for IPv6 fragmentation with traditional
161 (i.e., non-SEND) IPv6 Neighbor Discovery would be that in which a
162 Router Advertisement must include a large number of options (Prefix
163 Information Options, Route Information Options, etc.). However, this
164 could still be achieved without employing fragmentation, by splitting
165 the aforementioned information into multiple Router Advertisement
166 messages.
168 Some Neighbor Discovery implementations are known to silently
169 ignore Router Advertisement messages that employ fragmentation.
170 Therefore, splitting the necessary information into multiple RA
171 messages (rather than sending a large RA message that is
172 fragmented into multiple IPv6 fragments) is probably desirable
173 even from an interoperability point of view.
175 Thus, avoiding the use of IPv6 fragmentation in traditional Neighbor
176 Discovery would greatly simplify and improve the effectiveness of
177 monitoring and filtering Neighbor Discovery traffic, and would also
178 prevent interoperability problems with those implementations that do
179 not support fragmentation in Neighbor Discovery messages.
181 3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation
183 SEND packets typically carry more information than traditional
184 Neighbor Discovery packets: for example, they include additional
185 options such as the CGA option and the RSA signature option.
187 When SEND nodes employ any of the Neighbor Discovery messages
188 specified in [RFC4861], the situation is roughly the same: if more
189 information than would fit in a non-fragmented Neighbor Discovery
190 packet needs to be sent, it should be split into multiple Neighbor
191 Discovery messages (such that IPv6 fragmentation is avoided).
193 However, Certification Path Advertisement messages (specified in
194 [RFC3971]) pose a different situation, since the Certificate Option
195 they include typically contains much more information than any other
196 Neighbor Discovery option. For example, Appendix C of [RFC3971]
197 reports Certification Path Advertisement messages from 1050 to 1066
198 bytes on an Ethernet link layer. Since the size of CPA messages
199 could potentially exceed the MTU of the local link, Section 5
200 recommends that fragmented CPA messages be normally processed, but
201 discourages the use of keys that would result in fragmented CPA
202 messages.
204 It should be noted that relying on fragmentation opens the door to a
205 variety of IPv6 fragmentation-based attacks against SEND. In
206 particular, if an attacker is located on the same broadcast domain as
207 the victim host, and Certification Path Advertisement messages employ
208 IPv6 fragmentation, it would be trivial for the attacker to forge
209 IPv6 fragments such that they result in "Fragment ID collisions",
210 causing both the attack fragments and the legitimate fragments to be
211 discarded by the victim node. This would eventually cause the
212 Authorization Delegation Discovery (Section 6 of [RFC3971]) to fail,
213 thus leading the host to fall back (depending on local configuration)
214 either to unsecured mode, or to reject the corresponding Router
215 Advertisement messages (possibly resulting in a Denial of Service).
217 4. Rationale for Forbidding IPv6 Fragmentation in Neighbor Discovery
219 A number of considerations should be made regarding the use of IPv6
220 fragmentation with Neighbor Discovery:
222 o A significant number of existing implementations already silently
223 drop fragmented ND messages, so the use of IPv6 fragmentation may
224 hamper interoperability among IPv6 implementations.
226 o Although it is possible to build an ND message that needs to be
227 fragmented, such packets are unlikely to exist in the real world
228 because of the large number of options that would be required for
229 the resulting packet to exceed the minimum IPv6 MTU of 1280
230 octets.
232 o If an ND message was so large as to need fragmentation, there is
233 an option to distribute the same information amongst more than one
234 message, each of which is small enough to not need fragmentation.
236 Thus, forbidding the use of IPv6 fragmentation with Neighbor
237 Discovery normalizes existing behavior and sets the expectations of
238 all implementations to the existing lowest common denominator.
240 5. Specification
242 Nodes MUST NOT employ IPv6 fragmentation for sending any of the
243 following Neighbor Discovery and SEcure Neighbor Discovery messages:
245 o Neighbor Solicitation
247 o Neighbor Advertisement
249 o Router Solicitation
251 o Router Advertisement
253 o Redirect
255 o Certification Path Solicitation
257 Nodes SHOULD NOT employ IPv6 fragmentation for sending the following
258 messages (see Section 6.4.2 of [RFC3971]):
260 o Certification Path Advertisement messages
262 Nodes MUST silently ignore the following Neighbor Discovery and
263 SEcure Neighbor Discovery messages if the packets carrying them
264 include an IPv6 Fragmentation Header:
266 o Neighbor Solicitation
268 o Neighbor Advertisement
270 o Router Solicitation
272 o Router Advertisement
274 o Redirect
276 o Certification Path Solicitation
278 Nodes SHOULD normally process the following messages when the packets
279 carrying them include an IPv6 Fragmentation Header:
281 o Certification Path Advertisement
283 SEND nodes SHOULD NOT employ keys that would result in fragmented CPA
284 messages.
286 6. Operational Advice
288 An operator detecting that Neighbor Discovery traffic is being
289 silently dropped should find whether the corresponding Neighbor
290 Discovery are employing IPv6 fragmentation. If they are, it is
291 likely that the devices receiving such packets are silently dropping
292 them merely because they employ IPv6 fragmentation. In such case, an
293 operator should check whether the sending device has an option to
294 prevent fragmentation of ND messages, and/or see whether it is
295 possible to reduce the options carried on such messages. We note
296 that solving this (unlikely) problem might need a software upgrade to
297 a version that does not employ IPv6 fragmentation with Neighbor
298 Discovery.
300 7. IANA Considerations
302 There are no IANA registries within this document. The RFC-Editor
303 can remove this section before publication of this document as an
304 RFC.
306 8. Security Considerations
308 The IPv6 Fragmentation Header can be leveraged to circumvent network
309 monitoring tools and current implementations of mechanisms such as
310 RA-Guard [I-D.ietf-v6ops-ra-guard-implementation]. By updating the
311 relevant specifications such that the IPv6 Fragment Header is not
312 allowed in any Neighbor Discovery messages except "Certification Path
313 Advertisement", protection of local nodes against Neighbor Discovery
314 attacks, and monitoring of Neighbor Discovery traffic is greatly
315 simplified.
317 [I-D.ietf-v6ops-ra-guard-implementation] discusses an improvement to
318 the RA-Guard mechanism that can mitigate Neighbor Discovery attacks
319 that employ IPv6 Fragmentation. However, it should be noted that
320 unless [RFC4861] is updated (as proposed in this document), Neighbor
321 Discovery monitoring tools (such as NDPMon [NDPMon], and ramond
322 [ramond]) would remain unreliable and trivial to circumvent by a
323 skilled attacker.
325 As noted in Section 3, use of SEND could potentially result in
326 fragmented "Certification Path Advertisement" messages, thus allowing
327 an attacker to employ IPv6 fragmentation-based attacks against such
328 messages. Therefore, to the extent that is possible, such use of
329 fragmentation should be avoided.
331 9. Acknowledgements
333 The author would like to thank (in alphabetical order) Mikael
334 Abrahamsson, Ran Atkinson, Ron Bonica, Jean-Michel Combes, David
335 Farmer, Adrian Farrel, Stephen Farrell, Roque Gagliano, Brian
336 Haberman, Bob Hinden, Philip Homburg, Ray Hunter, Arturo Servin, Mark
337 Smith, and Martin Stiemerling, for providing valuable comments on
338 earlier versions of this document.
340 The author would like to thank Roque Gagliano, who contributed the
341 information regarding messages sizes in Appendix A.
343 This document resulted from the project "Security Assessment of the
344 Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by
345 Fernando Gont on behalf of the UK Centre for the Protection of
346 National Infrastructure (CPNI). The author would like to thank the
347 UK CPNI, for their continued support.
349 10. References
351 10.1. Normative References
353 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
354 Requirement Levels", BCP 14, RFC 2119, March 1997.
356 [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
357 Neighbor Discovery (SEND)", RFC 3971, March 2005.
359 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
360 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
361 September 2007.
363 [RFC6494] Gagliano, R., Krishnan, S., and A. Kukec, "Certificate
364 Profile and Certificate Management for SEcure Neighbor
365 Discovery (SEND)", RFC 6494, February 2012.
367 10.2. Informative References
369 [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor
370 Discovery (ND) Trust Models and Threats", RFC 3756,
371 May 2004.
373 [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
374 Problem Statement", RFC 6104, February 2011.
376 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
377 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
378 February 2011.
380 [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor",
381 .
383 [ramond] "ramond", .
385 [I-D.ietf-v6ops-ra-guard-implementation]
386 Gont, F., "Implementation Advice for IPv6 Router
387 Advertisement Guard (RA-Guard)",
388 draft-ietf-v6ops-ra-guard-implementation-07 (work in
389 progress), November 2012.
391 [CPNI-IPv6]
392 Gont, F., "Security Assessment of the Internet Protocol
393 version 6 (IPv6)", UK Centre for the Protection of
394 National Infrastructure, (available on request).
396 [Gont-DEEPSEC2011]
397 Gont, "Results of a Security Assessment of the Internet
398 Protocol version 6 (IPv6)", DEEPSEC 2011 Conference,
399 Vienna, Austria, November 2011, .
403 Appendix A. Message Size When Carrying Certificates
405 This section aims at estimating the size of normal Certification Path
406 Advertisement messages.
408 Considering a Certification Path Advertisement (CPA) such as that of
409 Appendix C of [RFC3971] (certification path length of 4, between 1
410 and 4 address prefix extensions, and a key length of 1024 bits), the
411 certificate lengths range between 864 to 888 bytes (and the
412 corresponding Ethernet packets from 1050 to 1066 bytes) [RFC3971].
414 Updating the aforementioned packet size to account for the larger
415 (2048 bits) keys required by [RFC6494] results in packet sizes
416 ranging from 1127 to 1238 bytes, which are smaller than the minimum
417 IPv6 MTU (1280 bytes), and much smaller than the ubiquitous Ethernet
418 MTU (1500 bytes).
420 However, we note that packet sizes may vary depending on a number of
421 factors, including:
423 o the number of prefixes included in the certificate
425 o the length of Fully-Qualified Domain Names (FQDNs) in Trust Anchor
426 (TA) options [RFC3971] (if present)
428 If larger key sizes (i.e. 4096 bits) were required in the future, a
429 larger MTU size might be required to to convey such information in
430 Neighbor Discovery packets without the need to employ fragmentation.
432 Author's Address
434 Fernando Gont
435 SI6 Networks / UTN-FRH
436 Evaristo Carriego 2644
437 Haedo, Provincia de Buenos Aires 1706
438 Argentina
440 Phone: +54 11 4650 8472
441 Email: fgont@si6networks.com
442 URI: http://www.si6networks.com