| < draft-ietf-v6ops-ipv6-ehs-packet-drops-01.txt | draft-ietf-v6ops-ipv6-ehs-packet-drops-02.txt > | |||
|---|---|---|---|---|
| IPv6 Operations Working Group (v6ops) F. Gont | IPv6 Operations Working Group (v6ops) F. Gont | |||
| Internet-Draft SI6 Networks | Internet-Draft SI6 Networks | |||
| Intended status: Informational N. Hilliard | Intended status: Informational N. Hilliard | |||
| Expires: April 17, 2021 INEX | Expires: June 8, 2021 INEX | |||
| G. Doering | G. Doering | |||
| SpaceNet AG | SpaceNet AG | |||
| W. Kumari | W. Kumari | |||
| G. Huston | G. Huston | |||
| APNIC | APNIC | |||
| W. Liu | W. Liu | |||
| Huawei Technologies | Huawei Technologies | |||
| October 14, 2020 | December 5, 2020 | |||
| Operational Implications of IPv6 Packets with Extension Headers | Operational Implications of IPv6 Packets with Extension Headers | |||
| draft-ietf-v6ops-ipv6-ehs-packet-drops-01 | draft-ietf-v6ops-ipv6-ehs-packet-drops-02 | |||
| Abstract | Abstract | |||
| This document summarizes the operational implications of IPv6 | This document summarizes the operational implications of IPv6 | |||
| extension headers, and attempts to analyze reasons why packets with | extension headers specified in the IPv6 protocol specification | |||
| IPv6 extension headers may be dropped in the public Internet. | (RFC8200), and attempts to analyze reasons why packets with IPv6 | |||
| extension headers are often dropped in the public Internet. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 17, 2021. | This Internet-Draft will expire on June 8, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 34 ¶ | skipping to change at page 2, line 37 ¶ | |||
| 6.3. DDoS Management and Customer Requests for Filtering . . . 9 | 6.3. DDoS Management and Customer Requests for Filtering . . . 9 | |||
| 6.4. Network Intrusion Detection and Prevention . . . . . . . 10 | 6.4. Network Intrusion Detection and Prevention . . . . . . . 10 | |||
| 6.5. Firewalling . . . . . . . . . . . . . . . . . . . . . . . 10 | 6.5. Firewalling . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 7. Operational Implications . . . . . . . . . . . . . . . . . . 11 | 7. Operational Implications . . . . . . . . . . . . . . . . . . 11 | |||
| 7.1. Inability to Find Layer-4 Information . . . . . . . . . . 11 | 7.1. Inability to Find Layer-4 Information . . . . . . . . . . 11 | |||
| 7.2. Route-Processor Protection . . . . . . . . . . . . . . . 11 | 7.2. Route-Processor Protection . . . . . . . . . . . . . . . 11 | |||
| 7.3. Inability to Perform Fine-grained Filtering . . . . . . . 12 | 7.3. Inability to Perform Fine-grained Filtering . . . . . . . 12 | |||
| 7.4. Security Concerns Associated with IPv6 Extension Headers 12 | 7.4. Security Concerns Associated with IPv6 Extension Headers 12 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | |||
| 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 | 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 14 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 15 | 11.2. Informative References . . . . . . . . . . . . . . . . . 15 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 1. Introduction | 1. Introduction | |||
| IPv6 Extension Headers (EHs) allow for the extension of the IPv6 | IPv6 Extension Headers (EHs) allow for the extension of the IPv6 | |||
| protocol, and provide support for core functionality such as IPv6 | protocol, and provide support for core functionality such as IPv6 | |||
| fragmentation. However, common implementation limitations suggest | fragmentation. However, common implementation limitations suggest | |||
| that EHs present a challenge for IPv6 packet routing equipment and | that EHs present a challenge for IPv6 packet routing equipment and | |||
| middle-boxes, and evidence exists that IPv6 packets with EHs may be | middle-boxes, and evidence exists that IPv6 packets with EHs are | |||
| intentionally dropped in the public Internet in some network | intentionally dropped in the public Internet in some network | |||
| deployments. | deployments. | |||
| The authors of this document have been involved in numerous | The authors of this document have been involved in numerous | |||
| discussions about IPv6 extension headers (both within the IETF and in | discussions about IPv6 extension headers (both within the IETF and in | |||
| other fora), and have noticed that the security and operational | other fora), and have noticed that the security and operational | |||
| implications associated with IPv6 EHs were unknown to the larger | implications associated with IPv6 EHs were unknown to the larger | |||
| audience participating in these discussions. | audience participating in these discussions. | |||
| This document has the following goals: | This document has the following goals: | |||
| o Raise awareness about the operational and security implications of | o Raise awareness about the operational and security implications of | |||
| IPv6 Extension Headers, and presents reasons why some networks may | IPv6 Extension Headers specified in [RFC8200], and present reasons | |||
| intentionally drop packets containing IPv6 Extension Headers. | why some networks resort to intentionally dropping packets | |||
| containing IPv6 Extension Headers. | ||||
| o Highlight areas where current IPv6 support by networking devices | o Highlight areas where current IPv6 support by networking devices | |||
| maybe sub-optimal, such that the aforementioned support is | maybe sub-optimal, such that the aforementioned support is | |||
| improved. | improved. | |||
| o Highlight operational issues associated with IPv6 extension | o Highlight operational issues associated with IPv6 extension | |||
| headers, such that those issues are considered in IETF | headers, such that those issues are considered in IETF | |||
| standardization efforts. | standardization efforts. | |||
| Section 3 provides background information about the IPv6 packet | Section 3 provides background information about the IPv6 packet | |||
| skipping to change at page 3, line 35 ¶ | skipping to change at page 3, line 39 ¶ | |||
| IPv6 extension headers. Section 5 discusses packet forwarding engine | IPv6 extension headers. Section 5 discusses packet forwarding engine | |||
| constraints in contemporary routers. Section 6 discusses why | constraints in contemporary routers. Section 6 discusses why | |||
| contemporary routers and middle-boxes may need to access Layer-4 | contemporary routers and middle-boxes may need to access Layer-4 | |||
| information to make a forwarding decision. Finally, Section 7 | information to make a forwarding decision. Finally, Section 7 | |||
| discusses the operational implications of IPv6 EHs. | discusses the operational implications of IPv6 EHs. | |||
| 2. Disclaimer | 2. Disclaimer | |||
| This document analyzes the operational challenges represented by | This document analyzes the operational challenges represented by | |||
| packets that employ IPv6 Extension Headers, and documents some of the | packets that employ IPv6 Extension Headers, and documents some of the | |||
| operational reasons why these packets may be dropped in the public | operational reasons why these packets are often dropped in the public | |||
| Internet. This document is not a recommendation to drop such | Internet. This document is not a recommendation to drop such | |||
| packets, but rather an analysis of why they are dropped. | packets, but rather an analysis of why they are dropped. | |||
| 3. Background Information | 3. Background Information | |||
| It is useful to compare the basic structure of IPv6 packets against | It is useful to compare the basic structure of IPv6 packets against | |||
| that of IPv4 packets, and analyze the implications of the two | that of IPv4 packets, and analyze the implications of the two | |||
| different packet structures. | different packet structures. | |||
| IPv4 packets have a variable-length header size, that allows for the | IPv4 packets have a variable-length header size, that allows for the | |||
| skipping to change at page 5, line 33 ¶ | skipping to change at page 5, line 33 ¶ | |||
| been discussed in IETF circles: | been discussed in IETF circles: | |||
| o [I-D.taylor-v6ops-fragdrop] discusses a rationale for which | o [I-D.taylor-v6ops-fragdrop] discusses a rationale for which | |||
| operators drop IPv6 fragments. | operators drop IPv6 fragments. | |||
| o [I-D.wkumari-long-headers] discusses possible issues arising from | o [I-D.wkumari-long-headers] discusses possible issues arising from | |||
| "long" IPv6 header chains. | "long" IPv6 header chains. | |||
| o [I-D.kampanakis-6man-ipv6-eh-parsing] describes how | o [I-D.kampanakis-6man-ipv6-eh-parsing] describes how | |||
| inconsistencies in the way IPv6 packets with extension headers are | inconsistencies in the way IPv6 packets with extension headers are | |||
| parsed by different implementations may result in evasion of | parsed by different implementations could result in evasion of | |||
| security controls, and presents guidelines for parsing IPv6 | security controls, and presents guidelines for parsing IPv6 | |||
| extension headers with the goal of providing a common and | extension headers with the goal of providing a common and | |||
| consistent parsing methodology for IPv6 implementations. | consistent parsing methodology for IPv6 implementations. | |||
| o [I-D.ietf-opsec-ipv6-eh-filtering] analyzes the security | o [I-D.ietf-opsec-ipv6-eh-filtering] analyzes the security | |||
| implications of IPv6 EHs, and the operational implications of | implications of IPv6 EHs, and the operational implications of | |||
| dropping packets that employ IPv6 EHs and associated options. | dropping packets that employ IPv6 EHs and associated options. | |||
| o [RFC7113] discusses how some popular RA-Guard implementations are | o [RFC7113] discusses how some popular RA-Guard implementations are | |||
| subject to evasion by means of IPv6 extension headers. | subject to evasion by means of IPv6 extension headers. | |||
| skipping to change at page 6, line 43 ¶ | skipping to change at page 6, line 43 ¶ | |||
| recommends against such usage. | recommends against such usage. | |||
| Additionally, [RFC8200] has relaxed the requirement that "all nodes | Additionally, [RFC8200] has relaxed the requirement that "all nodes | |||
| examine and process the Hop-by-Hop Options header" from [RFC2460], by | examine and process the Hop-by-Hop Options header" from [RFC2460], by | |||
| specifying that only nodes that have been explicitly configured to | specifying that only nodes that have been explicitly configured to | |||
| process the Hop-by-Hop Options header are required to do so. | process the Hop-by-Hop Options header are required to do so. | |||
| A number of studies have measured the extent to which packets | A number of studies have measured the extent to which packets | |||
| employing IPv6 extension headers are dropped in the public Internet: | employing IPv6 extension headers are dropped in the public Internet: | |||
| o [PMTUD-Blackholes], [Gont-IEPG88], [Gont-Chown-IEPG89], and | o [PMTUD-Blackholes] and [Linkova-Gont-IEPG90] presented some | |||
| [Linkova-Gont-IEPG90] presented some preliminary measurements | preliminary measurements regarding the extent to which packet | |||
| regarding the extent to which packet containing IPv6 EHs are | containing IPv6 EHs are dropped in the public Internet. | |||
| dropped in the public Internet. | ||||
| o [RFC7872] presents more comprehensive results and documents the | o [RFC7872] presents more comprehensive results and documents the | |||
| methodology for obtaining the presented results. | methodology for obtaining the presented results. | |||
| o [Huston-2017] and [Huston-2020] measured packet drops resulting | o [Huston-2017] and [Huston-2020] measured packet drops resulting | |||
| from IPv6 fragmentation when communicating with DNS servers. | from IPv6 fragmentation when communicating with DNS servers. | |||
| 5. Packet Forwarding Engine Constraints | 5. Packet Forwarding Engine Constraints | |||
| Most contemporary routers use dedicated hardware (e.g. ASICs or | Most contemporary routers use dedicated hardware (e.g. ASICs or | |||
| skipping to change at page 7, line 48 ¶ | skipping to change at page 7, line 45 ¶ | |||
| forwarding decision. | forwarding decision. | |||
| Historically, some packet forwarding engines punted packets of this | Historically, some packet forwarding engines punted packets of this | |||
| form to the control plane for more in-depth analysis, but this is | form to the control plane for more in-depth analysis, but this is | |||
| unfeasible on most current router architectures as a result of the | unfeasible on most current router architectures as a result of the | |||
| vast difference between the hardware forwarding capacity of the | vast difference between the hardware forwarding capacity of the | |||
| router and processing capacity of the control plane and the size of | router and processing capacity of the control plane and the size of | |||
| the management link which connects the control plane to the | the management link which connects the control plane to the | |||
| forwarding plane. | forwarding plane. | |||
| If an IPv6 header chain is sufficiently long that its header exceeds | If an IPv6 header chain is sufficiently long that it exceeds the | |||
| the packet look-up capacity of the router, then it may be dropped due | packet look-up capacity of the router, the router could resort to | |||
| to hardware inability to determine how it should be handled. | dropping the packet, as a result of being unable to determine how the | |||
| packet should be handled. | ||||
| 5.1. Recirculation | 5.1. Recirculation | |||
| Although TLV chains are amenable to iterative processing on | Although TLV chains are amenable to iterative processing on | |||
| architectures which have packet look-up engines with deep inspection | architectures that have packet look-up engines with deep inspection | |||
| capabilities, some packet forwarding engines manage IPv6 Extension | capabilities, some packet forwarding engines manage IPv6 Extension | |||
| Header chains using recirculation. This approach processes Extension | Header chains using recirculation. This approach processes Extension | |||
| Headers one at a time: when processing on one Extension Header is | Headers one at a time: when processing on one Extension Header is | |||
| completed, the packet is looped back through the processing engine | completed, the packet is looped back through the processing engine | |||
| again. This recirculation process continues repeatedly until there | again. This recirculation process continues repeatedly until there | |||
| are no more Extension Headers left to be processed. | are no more Extension Headers left to be processed. | |||
| Recirculation is typically used on packet forwarding engines with | Recirculation is typically used on packet forwarding engines with | |||
| limited look-up capability, as it allows arbitrarily long header | limited look-up capability, because it allows arbitrarily long header | |||
| chains to be processed without the complexity and cost associated | chains to be processed without the complexity and cost associated | |||
| with packet forwarding engines which have deep look-up capabilities. | with packet forwarding engines which have deep look-up capabilities. | |||
| However, recirculation can impact the forwarding capacity of | However, recirculation can impact the forwarding capacity of | |||
| hardware, as each packet will pass through the processing engine | hardware, as each packet will pass through the processing engine | |||
| multiple times. Depending on configuration, the type of packets | multiple times. Depending on configuration, the type of packets | |||
| being processed, and the hardware capabilities of the packet | being processed, and the hardware capabilities of the packet | |||
| forwarding engine, this may impact data-plane throughput performance | forwarding engine, this could impact data-plane throughput | |||
| on the router. | performance on the router. | |||
| 6. Requirement to Process Layer-3/layer-4 information in Intermediate | 6. Requirement to Process Layer-3/layer-4 information in Intermediate | |||
| Systems | Systems | |||
| The following subsections discuss some of reasons for which | The following subsections discuss some of the reasons for which | |||
| contemporary routers and middle-boxes may need to process Layer-3/ | contemporary routers and middle-boxes may need to process Layer-3/ | |||
| layer-4 information to make a forwarding decision. | layer-4 information to make a forwarding decision. | |||
| 6.1. ECMP and Hash-based Load-Sharing | 6.1. ECMP and Hash-based Load-Sharing | |||
| In the case of ECMP (equal cost multi path) load sharing, the router | In the case of ECMP (equal cost multi path) load sharing, the router | |||
| on the sending side of the link needs to make a decision regarding | on the sending side of the link needs to make a decision regarding | |||
| which of the links to use for a given packet. Since round-robin | which of the links to use for a given packet. Since round-robin | |||
| usage of the links is usually avoided in order to prevent packet | usage of the links is usually avoided to prevent packet reordering, | |||
| reordering, forwarding engines need to use a mechanism which will | forwarding engines need to use a mechanism that will consistently | |||
| consistently forward the same data streams down the same forwarding | forward the same data streams down the same forwarding paths. Most | |||
| paths. Most forwarding engines achieve this by calculating a simple | forwarding engines achieve this by calculating a simple hash using an | |||
| hash using an n-tuple gleaned from a combination of layer-2 through | n-tuple gleaned from a combination of layer-2 through to layer-4 | |||
| to layer-4 packet header information. This n-tuple will typically | packet header information. This n-tuple will typically use the src/ | |||
| use the src/dst MAC address, src/dst IP address, and if possible | dst MAC address, src/dst IP address, and if possible further layer-4 | |||
| further layer-4 src/dst port information. As layer-4 port | src/dst port information. Layer-4 port information can increase the | |||
| information increases the entropy of the hash, it is normally highly | entropy of the hash, and it is often thought desirable to use it if | |||
| desirable to use it where possible. | available. | |||
| We note that in the IPv6 world, flows are expected to be identified | We note that in the IPv6 world, flows are expected to be identified | |||
| by means of the IPv6 Flow Label [RFC6437]. Thus, ECMP and Hash-based | by means of the IPv6 Flow Label [RFC6437]. Thus, ECMP and Hash-based | |||
| Load-Sharing would be possible without the need to process the entire | Load-Sharing would be possible without the need to process the entire | |||
| IPv6 header chain to obtain upper-layer information to identify | IPv6 header chain to obtain upper-layer information to identify | |||
| flows. However, we note that for a long time many IPv6 | flows. However, we note that for a long time many IPv6 | |||
| implementations failed to set the Flow Label, and ECMP and Hash-based | implementations failed to set the Flow Label, and ECMP and Hash-based | |||
| Load-Sharing devices also did not employ the Flow Label for | Load-Sharing devices also did not employ the Flow Label for | |||
| performing their task. | performing their task. | |||
| Clearly, widespread support of [RFC6437] would relieve middle-boxes | Clearly, widespread support of [RFC6437] would relieve middle-boxes | |||
| from having to process the entire IPv6 header chain, making Flow | from having to process the entire IPv6 header chain, making Flow | |||
| Label-based ECMP and Hash-based Load-Sharing [RFC6438] feasible. | Label-based ECMP and Hash-based Load-Sharing [RFC6438] feasible. | |||
| While support of [RFC6437] is currently widespread for current | While support of [RFC6437] is currently widespread for current | |||
| versions of all popular host implementations, there is still only | versions of all popular host implementations, there is still only | |||
| marginal usage of the IPv6 Flow Label for ECMP and load balancing | marginal usage of the IPv6 Flow Label for ECMP and load balancing | |||
| [Cunha-2020] -- possibly as a result of issues that have been found | [Cunha-2020]. A contributing factor could be the issues that have | |||
| in host implementations and middle-boxes [Jaeggli-2018]. | been found in host implementations and middle-boxes [Jaeggli-2018]. | |||
| 6.2. Enforcing infrastructure ACLs | 6.2. Enforcing infrastructure ACLs | |||
| Generally speaking, infrastructure ACLs (iACLs) drop unwanted packets | Generally speaking, infrastructure ACLs (iACLs) drop unwanted packets | |||
| destined to parts of a provider's infrastructure, because they are | destined to parts of a provider's infrastructure, because they are | |||
| not operationally needed and can be used for attacks of different | not operationally needed and can be used for attacks of different | |||
| sorts against router control planes. Some traffic needs to be | sorts against router control planes. Some traffic needs to be | |||
| differentiated depending on layer-3 or layer-4 criteria to achieve a | differentiated depending on layer-3 or layer-4 criteria to achieve a | |||
| useful balance of protection and functionality, for example: | useful balance of protection and functionality, for example: | |||
| skipping to change at page 9, line 48 ¶ | skipping to change at page 9, line 48 ¶ | |||
| The case of customer DDoS protection and edge-to-core customer | The case of customer DDoS protection and edge-to-core customer | |||
| protection filters is similar in nature to the infrastructure ACL | protection filters is similar in nature to the infrastructure ACL | |||
| protection. Similar to infrastructure ACL protection, layer-4 ACLs | protection. Similar to infrastructure ACL protection, layer-4 ACLs | |||
| generally need to be applied as close to the edge of the network as | generally need to be applied as close to the edge of the network as | |||
| possible, even though the intent is usually to protect the customer | possible, even though the intent is usually to protect the customer | |||
| edge rather than the provider core. Application of layer-4 DDoS | edge rather than the provider core. Application of layer-4 DDoS | |||
| protection to a network edge is often automated using Flowspec | protection to a network edge is often automated using Flowspec | |||
| [RFC5575]. | [RFC5575]. | |||
| For example, a web site which normally only handled traffic on TCP | For example, a web site that normally only handled traffic on TCP | |||
| ports 80 and 443 could be subject to a volumetric DDoS attack using | ports 80 and 443 could be subject to a volumetric DDoS attack using | |||
| NTP and DNS packets with randomised source IP address, thereby | NTP and DNS packets with randomised source IP address, thereby | |||
| rendering traditional [RFC5635] source-based real-time black hole | rendering traditional [RFC5635] source-based real-time black hole | |||
| mechanisms useless. In this situation, DDoS protection ACLs could be | mechanisms useless. In this situation, DDoS protection ACLs could be | |||
| configured to block all UDP traffic at the network edge without | configured to block all UDP traffic at the network edge without | |||
| impairing the web server functionality in any way. Thus, being able | impairing the web server functionality in any way. Thus, being able | |||
| to block arbitrary protocols at the network edge can avoid DDoS- | to block arbitrary protocols at the network edge can avoid DDoS- | |||
| related problems both in the provider network and on the customer | related problems both in the provider network and on the customer | |||
| edge link. | edge link. | |||
| 6.4. Network Intrusion Detection and Prevention | 6.4. Network Intrusion Detection and Prevention | |||
| Network Intrusion Detection Systems (NIDS) examine network traffic | Network Intrusion Detection Systems (NIDS) examine network traffic | |||
| and try to identify traffic patterns that can be correlated to | and try to identify traffic patterns that can be correlated to | |||
| network-based attacks. These systems generally inspect application- | network-based attacks. These systems generally inspect application- | |||
| layer traffic (if possible), but at the bare minimum inspect layer-4 | layer traffic (if possible), but at the bare minimum inspect layer-4 | |||
| flows. When attack activity is inferred, the operator is signaled of | flows. When attack activity is inferred, the operator is signaled of | |||
| the potential intrusion attempt. | the potential intrusion attempt. | |||
| Network Intrusion Prevention Systems (IPS) operate similarly to | Network Intrusion Prevention Systems (IPS) operate similarly to | |||
| NIDS's, but they may also prevent intrusions by reacting to detected | NIDS's, but they can also prevent intrusions by reacting to detected | |||
| attack attempts by e.g. triggering packet filtering policies at | attack attempts by e.g., triggering packet filtering policies at | |||
| firewalls and other devices. | firewalls and other devices. | |||
| Use of extension headers may result problematic for NIDS/IPS, since: | Use of extension headers can result problematic for NIDS/IPS, since: | |||
| o Extension headers increase the complexity of resulting traffic, | o Extension headers increase the complexity of resulting traffic, | |||
| and the associated work and system requirements to process it. | and the associated work and system requirements to process it. | |||
| o Use of unknown extension headers may prevent an NIDS/IPS to | o Use of unknown extension headers can prevent an NIDS/IPS to | |||
| process layer-4 information | process layer-4 information | |||
| o Use of IPv6 fragmentation requires a stateful fragment-reassembly | o Use of IPv6 fragmentation requires a stateful fragment-reassembly | |||
| operation, even for decoy traffic employing forged source | operation, even for decoy traffic employing forged source | |||
| addresses (see e.g. [nmap]). | addresses (see e.g. [nmap]). | |||
| As a result, in order to increase the efficiency or effectiveness of | As a result, in order to increase the efficiency or effectiveness of | |||
| these systems, packets employing IPv6 extension headers may be | these systems, packets employing IPv6 extension headers are often | |||
| dropped at the network ingress point(s) of networks that deploy these | dropped at the network ingress point(s) of networks that deploy these | |||
| systems. | systems. | |||
| 6.5. Firewalling | 6.5. Firewalling | |||
| Firewalls enforce security policies by means of packet filtering. | Firewalls enforce security policies by means of packet filtering. | |||
| These systems generally inspect layer-3 and layer-4 traffic, and may | These systems generally inspect layer-3 and layer-4 traffic, and can | |||
| also examine application-layer traffic flows. | often also examine application-layer traffic flows. | |||
| As with NIDS/IPS (Section 6.4), use of IPv6 extension headers may | As with NIDS/IPS (Section 6.4), use of IPv6 extension headers can | |||
| represent a challenge to network firewalls, since: | represent a challenge to network firewalls, since: | |||
| o Extension headers increase the complexity of resulting traffic, | o Extension headers increase the complexity of resulting traffic, | |||
| and the associated work and system requirements to process it (see | and the associated work and system requirements to process it (see | |||
| e.g. [Zack-FW-Benchmark]). | e.g. [Zack-FW-Benchmark]). | |||
| o Use of unknown extension headers may prevent an NIDS/IPS to | o Use of unknown extension headers can prevent firewalls to process | |||
| process layer-4 information | layer-4 information | |||
| o Use of IPv6 fragmentation requires a stateful fragment-reassembly | o Use of IPv6 fragmentation requires a stateful fragment-reassembly | |||
| operation, even for decoy traffic employing forged source | operation, even for decoy traffic employing forged source | |||
| addresses (see e.g. [nmap]). | addresses (see e.g. [nmap]). | |||
| Additionally, a common firewall filtering policy is the so-called | Additionally, a common firewall filtering policy is the so-called | |||
| "default deny", where all traffic is blocked (by default), and only | "default deny", where all traffic is blocked (by default), and only | |||
| expected traffic is added to an "allow/accept list". | expected traffic is added to an "allow/accept list". | |||
| As a result, whether because of the challenges represented by | As a result, whether because of the challenges represented by | |||
| extension headers or because the use of IPv6 extension headers has | extension headers or because the use of IPv6 extension headers has | |||
| not been explicitly allowed, packets employing IPv6 extension headers | not been explicitly allowed, packets employing IPv6 extension headers | |||
| may be dropped by network firewalls. | are often dropped by network firewalls. | |||
| 7. Operational Implications | 7. Operational Implications | |||
| 7.1. Inability to Find Layer-4 Information | 7.1. Inability to Find Layer-4 Information | |||
| As discussed in Section 6, contemporary routers and middle-boxes that | As discussed in Section 6, contemporary routers and middle-boxes that | |||
| need to find the layer-4 header must process the entire IPv6 | need to find the layer-4 header must process the entire IPv6 | |||
| extension header chain. When such devices are unable to obtain the | extension header chain. When such devices are unable to obtain the | |||
| required information, they may simply resort to dropping the | required information, the forwarding device has the option to drop | |||
| corresponding packets. | the packet unconditionally, forward the packet unconditionally, or | |||
| process the packet outside the normal forwarding path. Forwarding | ||||
| packets unconditionally will usually allow for the circumvention of | ||||
| security controls (see e.g. Section 6.5), while processing packets | ||||
| outside of the normal forwarding path will usually open the door to | ||||
| DoS attacks (see e.g. Section 5). Thus, in these scenarios, devices | ||||
| often simply resort to dropping such packets unconditionally. | ||||
| 7.2. Route-Processor Protection | 7.2. Route-Processor Protection | |||
| Most contemporary routers have a fast hardware-assisted forwarding | Most contemporary routers have a fast hardware-assisted forwarding | |||
| plane and a loosely coupled control plane, connected together with a | plane and a loosely coupled control plane, connected together with a | |||
| link that has much less capacity than the forwarding plane could | link that has much less capacity than the forwarding plane could | |||
| handle. Traffic differentiation cannot be done by the control plane | handle. Traffic differentiation cannot be done by the control plane | |||
| side, because this would overload the internal link connecting the | side, because this would overload the internal link connecting the | |||
| forwarding plane to the control plane. | forwarding plane to the control plane. | |||
| The Hop-by-Hop Options header has been particularly challenging since | The Hop-by-Hop Options header has been particularly challenging since | |||
| in most circumstances, the corresponding packet is punted to the | in most circumstances, the corresponding packet is punted to the | |||
| control plane for processing. As a result, operators usually drop | control plane for processing. As a result, operators usually drop | |||
| IPv6 packets containing this extension header. Please see [RFC6192] | IPv6 packets containing this extension header. Please see [RFC6192] | |||
| for advice regarding protection of the router control plane. | for advice regarding protection of the router control plane. | |||
| 7.3. Inability to Perform Fine-grained Filtering | 7.3. Inability to Perform Fine-grained Filtering | |||
| Some router implementations lack fine-grained filtering of IPv6 | Some router implementations do not have support for fine-grained | |||
| extension headers. For example, an operator may want to drop packets | filtering of IPv6 extension headers. For example, an operator that | |||
| containing Routing Header Type 0 (RHT0) but may only be able to | wishes to drop packets containing Routing Header Type 0 (RHT0), may | |||
| filter on the extension header type (Routing Header). As a result, | only be able to filter on the extension header type (Routing Header). | |||
| the operator may end up enforcing a more coarse filtering policy | This could result in an operator enforcing a more coarse filtering | |||
| (e.g. "drop all packets containing a Routing Header" vs. "only drop | policy (e.g. "drop all packets containing a Routing Header" vs. "only | |||
| packets that contain a Routing Header Type 0"). | drop packets that contain a Routing Header Type 0"). | |||
| 7.4. Security Concerns Associated with IPv6 Extension Headers | 7.4. Security Concerns Associated with IPv6 Extension Headers | |||
| The security implications of IPv6 Extension Headers generally fall | The security implications of IPv6 Extension Headers generally fall | |||
| into one or more of these categories: | into one or more of these categories: | |||
| o Evasion of security controls | o Evasion of security controls | |||
| o DoS due to processing requirements | o DoS due to processing requirements | |||
| o DoS due to implementation errors | o DoS due to implementation errors | |||
| o Extension Header-specific issues | o Extension Header-specific issues | |||
| Unlike IPv4 packets where the upper-layer protocol can be trivially | Unlike IPv4 packets where the upper-layer protocol can be trivially | |||
| found by means of the "IHL" ("Internet Header Length") IPv4 header | found by means of the "IHL" ("Internet Header Length") IPv4 header | |||
| field, the structure of IPv6 packets is more flexible and complex, | field, the structure of IPv6 packets is more flexible and complex, | |||
| and may represent a challenge for devices that need to find this | and can represent a challenge for devices that need to find this | |||
| information, since locating upper-layer protocol information requires | information, since locating upper-layer protocol information requires | |||
| that all IPv6 extension headers be examined. This has presented | that all IPv6 extension headers be examined. This has presented | |||
| implementation difficulties, and packet filtering mechanisms that | implementation difficulties, and some packet filtering mechanisms | |||
| require upper-layer information (even if just the upper layer | that require upper-layer information (even if just the upper layer | |||
| protocol type) can be trivially circumvented by inserting IPv6 | protocol type) can be trivially circumvented by inserting IPv6 | |||
| Extension Headers between the main IPv6 header and the upper layer | Extension Headers between the main IPv6 header and the upper layer | |||
| protocol. [RFC7113] describes this issue for the RA-Guard case, but | protocol. [RFC7113] describes this issue for the RA-Guard case, but | |||
| the same techniques can be employed to circumvent other IPv6 firewall | the same techniques could be employed to circumvent other IPv6 | |||
| and packet filtering mechanisms. Additionally, implementation | firewall and packet filtering mechanisms. Additionally, | |||
| inconsistencies in packet forwarding engines may result in evasion of | implementation inconsistencies in packet forwarding engines can | |||
| security controls [I-D.kampanakis-6man-ipv6-eh-parsing] [Atlasis2014] | result in evasion of security controls | |||
| [BH-EU-2014]. | [I-D.kampanakis-6man-ipv6-eh-parsing] [Atlasis2014] [BH-EU-2014]. | |||
| Packets with attached IPv6 Extension Headers may impact performance | Packets with attached IPv6 Extension Headers can impact performance | |||
| on routers that forward them. Unless appropriate mitigations are put | on routers that forward them. Unless appropriate mitigations are put | |||
| in place (e.g., packet dropping and/or rate-limiting), an attacker | in place (e.g., packet dropping and/or rate-limiting), an attacker | |||
| could simply send a large amount of IPv6 traffic employing IPv6 | could simply send a large amount of IPv6 traffic employing IPv6 | |||
| Extension Headers with the purpose of performing a Denial of Service | Extension Headers with the purpose of performing a Denial of Service | |||
| (DoS) attack (see Section 7 for further details). | (DoS) attack (see Section 7 for further details). | |||
| NOTE: | NOTE: | |||
| In the most trivial case, a packet that includes a Hop-by-Hop | In the most trivial case, a packet that includes a Hop-by-Hop | |||
| Options header might go through the slow forwarding path, and be | Options header might go through the slow forwarding path, and be | |||
| processed by the router's CPU. Another possible case might be | processed by the router's CPU. Another possible case might be | |||
| where a router that has been configured to enforce an ACL based on | where a router that has been configured to enforce an ACL based on | |||
| upper-layer information (e.g., upper layer protocol or TCP | upper-layer information (e.g., upper layer protocol or TCP | |||
| Destination Port), needs to process the entire IPv6 header chain | Destination Port), needs to process the entire IPv6 header chain | |||
| (in order to find the required information), causing the packet to | (in order to find the required information), causing the packet to | |||
| be processed in the slow path [Cisco-EH-Cons]. We note that, for | be processed in the slow path [Cisco-EH-Cons]. We note that, for | |||
| obvious reasons, the aforementioned performance issues may affect | obvious reasons, the aforementioned performance issues can affect | |||
| other devices such as firewalls, Network Intrusion Detection | other devices such as firewalls, Network Intrusion Detection | |||
| Systems (NIDS), etc. [Zack-FW-Benchmark]. The extent to which | Systems (NIDS), etc. [Zack-FW-Benchmark]. The extent to which | |||
| these devices are affected is typically implementation-dependent. | these devices are affected is typically implementation-dependent. | |||
| IPv6 implementations, like all other software, tend to mature with | IPv6 implementations, like all other software, tend to mature with | |||
| time and wide-scale deployment. While the IPv6 protocol itself has | time and wide-scale deployment. While the IPv6 protocol itself has | |||
| existed for over 20 years, serious bugs related to IPv6 Extension | existed for over 20 years, serious bugs related to IPv6 Extension | |||
| Header processing continue to be discovered (see e.g. [Cisco-Frag1], | Header processing continue to be discovered (see e.g. [Cisco-Frag1], | |||
| [Cisco-Frag2], and [FreeBSD-SA]). Because there is currently little | [Cisco-Frag2], and [FreeBSD-SA]). Because there is currently little | |||
| operational reliance on IPv6 Extension headers, the corresponding | operational reliance on IPv6 Extension headers, the corresponding | |||
| skipping to change at page 13, line 49 ¶ | skipping to change at page 14, line 8 ¶ | |||
| 9. Security Considerations | 9. Security Considerations | |||
| The security implications of IPv6 extension headers are discussed in | The security implications of IPv6 extension headers are discussed in | |||
| Section 7.4. This document does not introduce any new security | Section 7.4. This document does not introduce any new security | |||
| issues. | issues. | |||
| 10. Acknowledgements | 10. Acknowledgements | |||
| The authors would like to thank (in alphabetical order) Mikael | The authors would like to thank (in alphabetical order) Mikael | |||
| Abrahamsson, Fred Baker, Brian Carpenter, Tim Chown, Owen DeLong, Tom | Abrahamsson, Fred Baker, Dale W. Carder, Brian Carpenter, Tim Chown, | |||
| Herbert, Lee Howard, Tom Petch, Sander Steffann, Eduard Vasilenko, | Owen DeLong, Gorry Fairhurst, Tom Herbert, Lee Howard, Tom Petch, | |||
| Eric Vyncke, Jingrong Xie, and Andrew Yourtchenko, for providing | Sander Steffann, Eduard Vasilenko, Eric Vyncke, Jingrong Xie, and | |||
| valuable comments on earlier versions of this document. | Andrew Yourtchenko, for providing valuable comments on earlier | |||
| versions of this document. | ||||
| Fernando Gont would like to thank Jan Zorz / Go6 Lab | Fernando Gont would like to thank Jan Zorz / Go6 Lab | |||
| <https://go6lab.si/>, Jared Mauch, and Sander Steffann | <https://go6lab.si/>, Jared Mauch, and Sander Steffann | |||
| <https://steffann.nl/>, for providing access to systems and networks | <https://steffann.nl/>, for providing access to systems and networks | |||
| that were employed to perform experiments and measurements involving | that were employed to perform experiments and measurements involving | |||
| packets with IPv6 Extension Headers. | packets with IPv6 Extension Headers. | |||
| 11. References | 11. References | |||
| 11.1. Normative References | 11.1. Normative References | |||
| skipping to change at page 16, line 23 ¶ | skipping to change at page 16, line 29 ¶ | |||
| routes", NPS/CAIDA 2020 Virtual IPv6 Workshop, 2020, | routes", NPS/CAIDA 2020 Virtual IPv6 Workshop, 2020, | |||
| <https://www.cmand.org/workshops/202006-v6/slides/ | <https://www.cmand.org/workshops/202006-v6/slides/ | |||
| cunha.pdf>. | cunha.pdf>. | |||
| [FreeBSD-SA] | [FreeBSD-SA] | |||
| FreeBSD, "FreeBSD Security Advisory FreeBSD-SA-20:24.ipv6: | FreeBSD, "FreeBSD Security Advisory FreeBSD-SA-20:24.ipv6: | |||
| IPv6 Hop-by-Hop options use-after-free bug", September | IPv6 Hop-by-Hop options use-after-free bug", September | |||
| 2020, <https://www.freebsd.org/security/advisories/ | 2020, <https://www.freebsd.org/security/advisories/ | |||
| FreeBSD-SA-20:24.ipv6.asc>. | FreeBSD-SA-20:24.ipv6.asc>. | |||
| [Gont-Chown-IEPG89] | ||||
| Gont, F. and T. Chown, "A Small Update on the Use of IPv6 | ||||
| Extension Headers", IEPG 89. London, UK. March 2, 2014, | ||||
| <http://www.iepg.org/2014-03-02-ietf89/fgont-iepg-ietf89- | ||||
| eh-update.pdf>. | ||||
| [Gont-IEPG88] | ||||
| Gont, F., "Fragmentation and Extension header Support in | ||||
| the IPv6 Internet", IEPG 88. Vancouver, BC, Canada. | ||||
| November 13, 2013, <http://www.iepg.org/2013-11-ietf88/ | ||||
| fgont-iepg-ietf88-ipv6-frag-and-eh.pdf>. | ||||
| [Huston-2017] | [Huston-2017] | |||
| Huston, G., "Dealing with IPv6 fragmentation in the | Huston, G., "Dealing with IPv6 fragmentation in the | |||
| DNS", APNIC Blog, 2017, | DNS", APNIC Blog, 2017, | |||
| <https://blog.apnic.net/2017/08/22/dealing-ipv6- | <https://blog.apnic.net/2017/08/22/dealing-ipv6- | |||
| fragmentation-dns/>. | fragmentation-dns/>. | |||
| [Huston-2020] | [Huston-2020] | |||
| Huston, G., "Measurement of IPv6 Extension Header | Huston, G., "Measurement of IPv6 Extension Header | |||
| Support", NPS/CAIDA 2020 Virtual IPv6 Workshop, 2020, | Support", NPS/CAIDA 2020 Virtual IPv6 Workshop, 2020, | |||
| <https://www.cmand.org/workshops/202006-v6/ | <https://www.cmand.org/workshops/202006-v6/ | |||
| End of changes. 37 change blocks. | ||||
| 84 lines changed or deleted | 80 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||