| < draft-kempf-ipng-netaccess-threats-00.txt | draft-kempf-ipng-netaccess-threats-01.txt > | |||
|---|---|---|---|---|
| IPNG Working Group J. Kempf | IPNG Working Group J. Kempf | |||
| Internet Draft E. Nordmark | Internet Draft E. Nordmark | |||
| draft-kempf-ipng-netaccess-threats-00.txt | draft-kempf-ipng-netaccess-threats-01.txt | |||
| Expires: April, 2002 | Expires: December, 2002 | |||
| Threat Analysis for IPv6 Public Multi-Access Links | Threat Analysis for IPv6 Public Multi-Access Links | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is in full conformance | This document is an Internet-Draft and is in full conformance | |||
| with all provisions of Section 10 of RFC2026. | with all provisions of Section 10 of RFC2026. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 2, line 4 | skipping to change at page 2, line 4 | |||
| threats raised in the IPv6 Neighbor Discovery and Stateless Address | threats raised in the IPv6 Neighbor Discovery and Stateless Address | |||
| Autoconfiguration RFCs that have yet to be adequately addressed, and | Autoconfiguration RFCs that have yet to be adequately addressed, and | |||
| new threats that have not previously been identified. | new threats that have not previously been identified. | |||
| Table of Contents | Table of Contents | |||
| 1.0 Introduction | 1.0 Introduction | |||
| The Mobile IP Working Group has been conducting a threat analysis | The Mobile IP Working Group has been conducting a threat analysis | |||
| for securing specific Mobile IPv6 mechanisms [1]. While conducting | for securing specific Mobile IPv6 mechanisms [1]. While conducting | |||
| Threat Analysis November 2001 | ||||
| for IPv6 Public Multi-Access Links | for IPv6 Public Multi-Access Links | |||
| the analysis, threats were identified that involve host utilization | the analysis, threats were identified that involve host utilization | |||
| of IPv6 protocols on a Public Multi-Access link, such as 802.11, | of IPv6 protocols on a Public Multi-Access link, such as 802.11, | |||
| that were not specific to Mobile IP. Although the initial analysis | that were not specific to Mobile IP. Although the initial analysis | |||
| focused on wireless networks, the identified threats may occur in | focused on wireless networks, the identified threats may occur in | |||
| any Public Multi-Access IPv6 network, such as Ethernet. | any Public Multi-Access IPv6 network, such as Ethernet. | |||
| Despite the initial impetus given to this study by considering | Despite the initial impetus given to this study by considering | |||
| wireless Ethernet, this document is not about link-layer specific | wireless Ethernet, this document is not about link-layer specific | |||
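
Review bot: the line "Threat Analysis November 2001" is deleted in the right column with no replacement, so the -01 running header in this block is reduced to "for IPv6 Public Multi-Access Links" and carries no date; if the intent was to refresh the date to go with the new expiry (December, 2002), the updated header line is missing rather than changed. The same deletion without replacement appears at the top of every following change block, so fixing it once in the page-header template will resolve all of them.
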
| skipping to change at page 3, line 4 | skipping to change at page 3, line 4 | |||
| network. A host attempting to gain access to a Public Access network | network. A host attempting to gain access to a Public Access network | |||
| may or may not have the required IPsec security association set up | may or may not have the required IPsec security association set up | |||
| with the network. In a roaming (but not necessarily mobile) | with the network. In a roaming (but not necessarily mobile) | |||
| situation, where a user is currently accessing the network through a | situation, where a user is currently accessing the network through a | |||
| service provider different from the home provider, it is not likely | service provider different from the home provider, it is not likely | |||
| that the host will have been preconfigured with the proper mutual | that the host will have been preconfigured with the proper mutual | |||
| trust relationship for the foreign provider's network. | trust relationship for the foreign provider's network. | |||
| Any IPsec security association between the host and the last hop | Any IPsec security association between the host and the last hop | |||
| routers or other hosts on the link would need to be completely | routers or other hosts on the link would need to be completely | |||
| Threat Analysis November 2001 | ||||
| for IPv6 Public Multi-Access Links | for IPv6 Public Multi-Access Links | |||
| manually preconfigured, since the Neighbor Discovery and Address | manually preconfigured, since the Neighbor Discovery and Address | |||
| Autoconfiguration protocols deal to some extent with how a host | Autoconfiguration protocols deal to some extent with how a host | |||
| obtains initial access to a link. If a security association is | obtains initial access to a link. If a security association is | |||
| required for initial access and the host does not have that | required for initial access and the host does not have that | |||
| association, there is no way that the host can dynamically configure | association, there is no way that the host can dynamically configure | |||
| itself with that association, even if it has the necessary minimum | itself with that association, even if it has the necessary minimum | |||
| prerequisite keying material. This situation could induce | prerequisite keying material. This situation could induce | |||
| administration hardships when events such as re-keying occur. | administration hardships when events such as re-keying occur. | |||
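
Review bot: the justification at "since the Neighbor Discovery and Address Autoconfiguration protocols deal to some extent with how a host obtains initial access to a link" does not say why that rules out dynamic key management. The point the paragraph is making is a bootstrapping dependency: a key-management exchange with the last hop router needs the very link access that Neighbor Discovery and address autoconfiguration provide, so if that access already requires the security association, the association can only be preconfigured by hand. Stating the circularity directly would make the following sentence about re-keying hardships follow naturally.
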
| skipping to change at page 4, line 4 | skipping to change at page 4, line 4 | |||
| An attacking node on the same subnet as a host attempting to | An attacking node on the same subnet as a host attempting to | |||
| discover a legitimate last hop router could masquerade as an IPv6 | discover a legitimate last hop router could masquerade as an IPv6 | |||
| last hop router by multicasting legitimate-looking IPv6 Router | last hop router by multicasting legitimate-looking IPv6 Router | |||
| Advertisements or unicasting Router Advertisements in response to | Advertisements or unicasting Router Advertisements in response to | |||
| multicast Router Advertisement Solicitations from the entering host. | multicast Router Advertisement Solicitations from the entering host. | |||
| If the entering host selects the attacker as its default router, the | If the entering host selects the attacker as its default router, the | |||
| attacker has the opportunity to siphon off traffic from the host. | attacker has the opportunity to siphon off traffic from the host. | |||
| The attacker could ensure that the entering host selected itself as | The attacker could ensure that the entering host selected itself as | |||
| the default router by multicasting periodic Router Advertisements | the default router by multicasting periodic Router Advertisements | |||
| for the real last hop router having a lifetime of zero. This | for the real last hop router having a lifetime of zero. This | |||
| Threat Analysis November 2001 | ||||
| for IPv6 Public Multi-Access Links | for IPv6 Public Multi-Access Links | |||
| essentially spoofs the entering host into believing that the real | essentially spoofs the entering host into believing that the real | |||
| access router is not willing to take any traffic. Once accepted as a | access router is not willing to take any traffic. Once accepted as a | |||
| legitimate router, the attacker could send Redirect messages to | legitimate router, the attacker could send Redirect messages to | |||
| hosts, then disappear, thus covering its tracks. | hosts, then disappear, thus covering its tracks. | |||
| This threat involves Router Advertisement and Router Advertisement | This threat involves Router Advertisement and Router Advertisement | |||
| Solicitation. | Solicitation. | |||
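
Review bot: "Router Advertisement Solicitations" (in the first paragraph and in the closing sentence "This threat involves Router Advertisement and Router Advertisement Solicitation") is not the RFC 2461 message name; the message a host multicasts to find routers is the Router Solicitation, so use that term to match reference [2]. In the second paragraph, "Router Advertisements for the real last hop router having a lifetime of zero" would also be clearer if it said that these are forged advertisements carrying the legitimate router's address, since a Router Lifetime of zero only affects the router the advertisement appears to come from.
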
| skipping to change at page 5, line 5 | skipping to change at page 5, line 5 | |||
| the link-local address of the current first-hop router in order to | the link-local address of the current first-hop router in order to | |||
| send a Redirect message to a legitimate host. Since the host | send a Redirect message to a legitimate host. Since the host | |||
| identifies the message by the link-local address as coming from its | identifies the message by the link-local address as coming from its | |||
| first hop router, it accepts the Redirect. As long as the attacker | first hop router, it accepts the Redirect. As long as the attacker | |||
| responds to Neighbor Unreachability Detection probes to the link- | responds to Neighbor Unreachability Detection probes to the link- | |||
| layer address, the Redirect will remain in effect. This is a | layer address, the Redirect will remain in effect. This is a | |||
| redirect attack. | redirect attack. | |||
| This threat involves Redirect messages. | This threat involves Redirect messages. | |||
| Threat Analysis November 2001 | ||||
| for IPv6 Public Multi-Access Links | for IPv6 Public Multi-Access Links | |||
| 3.5 Bogus On-Link Prefix | 3.5 Bogus On-Link Prefix | |||
| An attacking node can send a Router Advertisement message specifying | An attacking node can send a Router Advertisement message specifying | |||
| that some prefix of arbitrary length is on-link. If a sending host | that some prefix of arbitrary length is on-link. If a sending host | |||
| thinks the prefix is on-link, it will never send a packet for that | thinks the prefix is on-link, it will never send a packet for that | |||
| prefix to the router. Instead, the host will try to perform address | prefix to the router. Instead, the host will try to perform address | |||
| resolution by sending Neighbor Solicitations, but the Neighbor | resolution by sending Neighbor Solicitations, but the Neighbor | |||
| Solicitations will not result in a response, denying service to the | Solicitations will not result in a response, denying service to the | |||
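
Review bot: "responds to Neighbor Unreachability Detection probes to the link-layer address" leaves it unclear whose link-layer address is meant. NUD probes are unicast Neighbor Solicitations addressed to the neighbor's IP address and delivered to the link-layer address cached for it, so the sentence should say that the Redirect stays in effect only while the host's NUD probes for the redirected next hop keep being answered; as written, "probes to the link-layer address" reads as if NUD targeted link-layer addresses directly.
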
| skipping to change at page 6, line 5 | skipping to change at page 6, line 5 | |||
| In networks where entering hosts obtain their addresses using | In networks where entering hosts obtain their addresses using | |||
| stateless address autoconfiguration [5], an attacking node could | stateless address autoconfiguration [5], an attacking node could | |||
| launch a DOS attack by responding to every duplicate address | launch a DOS attack by responding to every duplicate address | |||
| detection attempt by an entering host. If the attacker claims the | detection attempt by an entering host. If the attacker claims the | |||
| address, then the host will never be able to obtain an address. This | address, then the host will never be able to obtain an address. This | |||
| threat was identified in RFC 2462 [5]. | threat was identified in RFC 2462 [5]. | |||
| This attack involves Neighbor Solicitation/Advertisement. | This attack involves Neighbor Solicitation/Advertisement. | |||
| Threat Analysis November 2001 | ||||
| for IPv6 Public Multi-Access Links | for IPv6 Public Multi-Access Links | |||
| 3.8 Neighbor Discovery DoS Attack | 3.8 Neighbor Discovery DoS Attack | |||
| In this attack, the attacking node begins fabricating addresses with | In this attack, the attacking node begins fabricating addresses with | |||
| the subnet prefix and continuously sending packets to them. The last | the subnet prefix and continuously sending packets to them. The last | |||
| hop router is obligated to resolve these addresses by sending | hop router is obligated to resolve these addresses by sending | |||
| neighbor solicitation packets. A legitimate host attempting to enter | neighbor solicitation packets. A legitimate host attempting to enter | |||
| the network may not be able to obtain Neighbor Discovery service | the network may not be able to obtain Neighbor Discovery service | |||
| from the last hop router as it will be already busy with sending | from the last hop router as it will be already busy with sending | |||
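
Review bot: the spelling of the abbreviation is inconsistent between "launch a DOS attack" in the duplicate address detection section and the heading "3.8 Neighbor Discovery DoS Attack" (and "DOS attack" again in the Acknowledgements); pick "DoS" throughout. In 3.8 itself, the text says the router is "obligated to resolve these addresses" but never names the resource that is exhausted; saying explicitly that the router's neighbor cache and its capacity to send and track Neighbor Solicitations are what the fabricated addresses consume would make the denial-of-service mechanism, and therefore any later mitigation discussion, concrete.
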
| skipping to change at page 7, line 5 | skipping to change at page 7, line 5 | |||
| 4.0 Security Considerations | 4.0 Security Considerations | |||
| This document discusses security threats to network access in IPv6. | This document discusses security threats to network access in IPv6. | |||
| As such, it is concerned entirely with security. | As such, it is concerned entirely with security. | |||
| 5.0 Acknowledgements | 5.0 Acknowledgements | |||
| Thanks to Alper Yegin, DoCoMo Communications Laboratories USA, for | Thanks to Alper Yegin, DoCoMo Communications Laboratories USA, for | |||
| identifying the Neighbor Discovery DOS attack. | identifying the Neighbor Discovery DOS attack. | |||
| Threat Analysis November 2001 | ||||
| for IPv6 Public Multi-Access Links | for IPv6 Public Multi-Access Links | |||
| 6.0 References | 6.0 References | |||
| [1] Mankin, et. al., "Threat Models introduced by Mobile IPv6 and | [1] Mankin, et. al., "Threat Models introduced by Mobile IPv6 and | |||
| Requirements for Security in Mobile IPv6," draft-ietf-mobileip- | Requirements for Security in Mobile IPv6," draft-ietf-mobileip- | |||
| mipv6-scrty-reqts-01.txt, a work in progress. | mipv6-scrty-reqts-01.txt, a work in progress. | |||
| [2] Narten, T., Nordmark, E., and Simson, W., "Neighbor Discovery | [2] Narten, T., Nordmark, E., and Simson, W., "Neighbor Discovery | |||
| for IP Version 6 (IPv6)," RFC 2461, December, 1998. | for IP Version 6 (IPv6)," RFC 2461, December, 1998. | |||
| [3] Blunk, L., and Vollbrecht, J., "PPP Extensible Authentication | [3] Blunk, L., and Vollbrecht, J., "PPP Extensible Authentication | |||
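
Review bot: two corrections in the reference list: in [1] "et. al." should read "et al.", and in [2] the third author of RFC 2461 is "Simpson, W.", not "Simson, W.". The Security Considerations section could also do more than state that the document is entirely about security; a sentence pointing the reader to Section 3 as the inventory of threats and noting that no mitigations are specified here would tell implementers what the document does and does not settle.
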
| End of changes. 7 change blocks. | ||||
| 8 lines changed or deleted | 2 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||