idnits 2.17.1
draft-gont-v6ops-ra-guard-implementation-01.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
-- The document has an IETF Trust Provisions (28 Dec 2009) Section 6.c(ii)
Publication Limitation clause. If this document is intended for
submission to the IESG for publication, this constitutes an error.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (February 2, 2012) is 4467 days in the past. Is this
intentional?
Checking references for intended status: Best Current Practice
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-03) exists of
draft-gont-6man-nd-extension-headers-02
Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 Operations Working Group (v6ops) F. Gont
3 Internet-Draft UK CPNI
4 Intended status: BCP February 2, 2012
5 Expires: August 5, 2012
7 Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
8 draft-gont-v6ops-ra-guard-implementation-01
10 Abstract
12 The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly
13 employed to mitigate attack vectors based on forged ICMPv6 Router
14 Advertisement messages. Many existing IPv6 deployments rely on RA-
15 Guard as the first line of defense against the aforementioned attack
16 vectors. However, some implementations of RA-Guard have been found
17 to be prone to circumvention by employing IPv6 Extension Headers.
18 This document describes the evasion techniques that affect the
19 aforementioned implementations, and provides advice on the
20 implementation of RA-Guard, such that the RA-Guard evasion vectors
21 are eliminated.
23 Status of this Memo
25 This Internet-Draft is submitted in full conformance with the
26 provisions of BCP 78 and BCP 79. This document may not be modified,
27 and derivative works of it may not be created, and it may not be
28 published except as an Internet-Draft.
30 Internet-Drafts are working documents of the Internet Engineering
31 Task Force (IETF). Note that other groups may also distribute
32 working documents as Internet-Drafts. The list of current Internet-
33 Drafts is at http://datatracker.ietf.org/drafts/current/.
35 Internet-Drafts are draft documents valid for a maximum of six months
36 and may be updated, replaced, or obsoleted by other documents at any
37 time. It is inappropriate to use Internet-Drafts as reference
38 material or to cite them other than as "work in progress."
40 This Internet-Draft will expire on August 5, 2012.
42 Copyright Notice
44 Copyright (c) 2012 IETF Trust and the persons identified as the
45 document authors. All rights reserved.
47 This document is subject to BCP 78 and the IETF Trust's Legal
48 Provisions Relating to IETF Documents
49 (http://trustee.ietf.org/license-info) in effect on the date of
50 publication of this document. Please review these documents
51 carefully, as they describe your rights and restrictions with respect
52 to this document. Code Components extracted from this document must
53 include Simplified BSD License text as described in Section 4.e of
54 the Trust Legal Provisions and are provided without warranty as
55 described in the Simplified BSD License.
57 Table of Contents
59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
60 2. Evasion techniques for some Router Advertisement Guard (RA
61 Guard) implementations . . . . . . . . . . . . . . . . . . . . 4
62 2.1. Attack Vector based on IPv6 Extension Headers . . . . . . 4
63 2.2. Attack vector based on IPv6 fragmentation . . . . . . . . 4
64 3. RA-Guard implementation advice . . . . . . . . . . . . . . . . 8
65 4. Other Implications . . . . . . . . . . . . . . . . . . . . . . 9
66 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10
67 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
68 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
69 7.1. Normative References . . . . . . . . . . . . . . . . . . . 12
70 7.2. Informative References . . . . . . . . . . . . . . . . . . 12
71 Appendix A. Changes from previous versions of the draft (to
72 be removed by the RFC Editor before publication
73 of this document as a RFC . . . . . . . . . . . . . . 13
74 A.1. Changes from
75 draft-gont-v6ops-ra-guard-implementation-00 . . . . . . . 13
76 A.2. Changes from draft-gont-v6ops-ra-guard-evasion-01 . . . . 13
77 Appendix B. Assessment tools . . . . . . . . . . . . . . . . . . 14
78 Appendix C. Advice and guidance to vendors . . . . . . . . . . . 15
79 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 16
81 1. Introduction
83 IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique
84 for attack vectors based on ICMPv6 Router Advertisement messages.
85 [RFC6104] describes the problem statement of "Rogue IPv6 Router
86 Advertisements", and [RFC6105] specifies the "IPv6 Router
87 Advertisement Guard" functionality.
89 The basic concept behind RA-Guard is that a layer-2 device filters
90 ICMPv6 Router Advertisement messages, according to a number of
91 different criteria. The most basic filtering criterion is that
92 Router Advertisement messages are discarded by the layer-2 device
93 unless they are received on a specified port of the layer-2 device.
94 Clearly, the effectiveness of the RA Guard mitigation relies on the
95 ability of the layer-2 device to identify ICMPv6 Router Advertisement
96 messages.
98 Some popular RA-Guard implementations have been found to be easy to
99 circumvent by employing IPv6 extension headers [CPNI-IPv6]. This
100 document describes such evasion techniques, and provides advice to
101 RA-Guard implementers such that the aforementioned evasion vectors
102 can be eliminated.
104 It should be noted that the aforementioned techniques could also be
105 exploited to evade network monitoring tools such as NDPMon [NDPMon],
106 ramond [ramond], and rafixd [rafixd], and could probably be exploited
107 to perform stealth DHCPv6 attacks.
109 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
110 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
111 document are to be interpreted as described in RFC 2119 [RFC2119].
113 2. Evasion techniques for some Router Advertisement Guard (RA Guard)
114 implementations
116 The following subsections describe two different vectors that have
117 been found to be effective for the evasion of popular implementations
118 of the RA-Guard protection. Section 2.1 describes an attack vector
119 based on the use of IPv6 Extension Headers with the ICMPv6 Router
120 Advertisement messages, which may be used to circumvent the RA-Guard
121 protection of those implementations that fail to process an entire
122 IPv6 header chain when trying to identify the ICMPv6 Router
123 Advertisement messages. Section 2.2 describes an attack method based
124 on the use of IPv6 fragmentation, possibly in conjunction with the
125 use of IPv6 Extension Headers. This later vector has been found to
126 be effective with all existing implementations of the RA-Guard
127 mechanism.
129 2.1. Attack Vector based on IPv6 Extension Headers
131 While there is currently no legitimate use for IPv6 Extension Headers
132 in ICMPv6 Router Advertisement messages, Neighbor Discovery
133 implementations allow the use of Extension Headers with these
134 messages, by simply ignoring the received options. Some RA-Guard
135 implementations try to identify ICMPv6 Router Advertisement messages
136 by simply looking at the "Next Header" field of the fixed IPv6
137 header, rather than following the entire header chain. As a result,
138 such implementations fail to identify any ICMPv6 Router Advertisement
139 messages that include any Extension Headers (for example, a Hop by
140 Hop Options header, a Destination Options Header, etc.), and can be
141 easily circumvented.
143 The following figure illustrates the structure of ICMPv6 Router
144 Advertisement messages that implement this evasion technique:
146 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
147 |NH=60| |NH=58| | |
148 +-+-+-+ +-+-+-+ + +
149 | IPv6 header | Dst Opt Hdr | ICMPv6 Router Advertisement |
150 + + + +
151 | | | |
152 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
154 2.2. Attack vector based on IPv6 fragmentation
156 This section presents a different attack vector, which has been found
157 to be effective against all implementations of RA-Guard. The basic
158 idea behind this attack vector is that if the forged ICMPv6 Router
159 Advertisement is fragmented into at least two fragments, the layer-2
160 device implementing "RA-Guard" would be unable to identify the attack
161 packet, and would thus fail to block it.
163 A first variant of this attack vector would be an original ICMPv6
164 Router Advertisement message preceded with a Destination Options
165 Header, that results in two fragments. The following figure
166 illustrates the "original" attack packet, prior to fragmentation, and
167 the two resulting fragments which are actually sent as part of the
168 attack.
170 Original packet:
172 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
173 |NH=60| |NH=58| | |
174 +-+-+-+ +-+-+-+ + +
175 | IPv6 header | Dst Opt Hdr | ICMPv6 RA |
176 + + + +
177 | | | |
178 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
180 First fragment:
182 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
183 |NH=44| |NH=60| |NH=58| |
184 +-+-+-+ +-+-+-+ +-+-+-+ +
185 | IPv6 Header | Frag Hdr | Dst Opt Hdr |
186 + + + +
187 | | | |
188 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
190 Second fragment:
192 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
193 |NH=44| |NH=60| | | |
194 +-+-+-+ +-+-+-+ + + +
195 | IPv6 header | Frag Hdr | Dst Opt Hdr | ICMPv6 RA |
196 + + + + +
197 | | | | |
198 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
200 It should be noted that the "Hdr Ext Len" field of the Destination
201 Options Header is present in the first fragment (rather than the
202 second). Therefore, it is impossible for a device processing only
203 the second fragment to locate the ICMPv6 header contained in that
204 fragment, since it is unknown how many bytes should be "skipped" to
205 get to the next header following the Destination Options Header.
207 Thus, by leveraging the use of the Fragment Header together with the
208 use of the Destination Options header, the attacker is able to
209 conceal the type and contents of the ICMPv6 message he is sending (an
210 ICMPv6 Router Advertisement in this example). Unless the layer-2
211 device were to implement IPv6 fragment reassembly, it would be
212 impossible for the device to identify the ICMPv6 type of the message.
214 A layer-2 device could, however, at least detect that that an
215 ICMPv6 message (or some type) is being sent, since the "Next
216 Header" field of the Destination Options header contained in the
217 first fragment is set to "58" (ICMPv6).
219 This idea can be taken further, such that it is also impossible for
220 the layer-2 device to detect that the attacker is sending an ICMPv6
221 message in the first place. This can be achieved with an original
222 ICMPv6 Router Advertisement message preceded with two Destination
223 Options Headers, that results in two fragments. The following figure
224 illustrates the "original" attack packet, prior to fragmentation, and
225 the two resulting packets which are actually sent as part of the
226 attack.
228 Original packet:
230 +-+-+-+-+-+-+-+-+-+-+-+-//+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
231 |NH=60| |NH=60| |NH=58| | |
232 +-+-+-+ +-+-+-+ +-+-+-+ + +
233 | IPv6 header | Dst Opt Hdr | Dst Opt Hdr | ICMPv6 RA |
234 + + + + +
235 | | | | |
236 +-+-+-+-+-+-+-+-+-+-+-+-//+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
238 First fragment:
240 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
241 |NH=44| |NH=60| |NH=60| |
242 +-+-+-+ +-+-+-+ +-+-+-+ +
243 | IPv6 header | Frag Hdr | Dst Opt Hdr |
244 + + + +
245 | | | |
246 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
248 Second fragment:
250 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
251 |NH=44| |NH=60| | |NH=58| | |
252 +-+-+-+ +-+-+-+ + +-+-+-+ + +
253 | IPv6 header | Frag Hdr | Dst O Hdr | Dst Opt Hdr | ICMPv6 RA |
254 + + + + + +
255 | | | | | |
256 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
258 In this variant, the "Next Header" field of the Destination Options
259 header contained in the first fragment is set "60" (Destination
260 Options header), and thus it is impossible for a device processing
261 only the first fragment to detect that an ICMPv6 message is being
262 sent in the first place.
264 The second fragment presents the same challenges as the second
265 fragment of the previous variant. That is, it would be impossible
266 for a device processing only the second fragment to locate the second
267 Destination Options header (and hence the ICMPv6 header), since the
268 "Hdr Ext Len" field of the first Destination Options header is
269 present in the first fragment (rather than the second).
271 3. RA-Guard implementation advice
273 The following filtering rules MUST be implemented as part of an "RA-
274 Guard" implementation on those ports that are not allowed to send
275 ICMPv6 Router Advertisement messages, such that the vulnerabilities
276 discussed in this document are eliminated:
278 1. When trying to identify an ICMPv6 Router Advertisement message,
279 follow the IPv6 header chain, enforcing a limit on the maximum
280 number of Extension Headers that is allowed for each packet. If
281 such limit is hit before the upper-layer protocol is can be
282 determined, silently drop the packet.
284 2. If the packet is identified to be an ICMPv6 Router Advertisement
285 message, silently drop the packet.
287 3. If the layer-2 device is unable to identify whether the packet is
288 an ICMPv6 Router Advertisement message or not (i.e., the packet
289 is a fragment, and the necessary information is missing), the
290 IPv6 Source Address of the packet is a link-local address or the
291 unspecified address (::), and the Hop Limit is 255, silently drop
292 the packet.
294 4. In all other cases, pass the packet as usual.
296 This filtering policy assumes that host implementations require that
297 the IPv6 Source Address of ICMPv6 Router Advertisement messages be a
298 link-local address, and that they discard the packet if this check
299 fails, as required by the current IETF specifications [RFC4861].
300 Additionally, it assumes that hosts require the Hop Limit of Neighbor
301 Discovery messages to be 255, and discard those packets otherwise.
303 Note that the aforementioned filtering rules implicitly handle the
304 case of fragmented packets: if the RA-Guard device fails to identify
305 the upper-layer protocol as a result of the use of fragmentation, the
306 corresponding packets would be silently dropped.
308 4. Other Implications
310 A similar concept to that of "RA-Guard" has been implemented for
311 protecting against forged DHCPv6 messages. Such protection can be
312 circumvented with the same techniques discussed in this document, and
313 the counter-measures for such evasion attack are analogous to those
314 described in Section 3 of this document.
316 5. Security Considerations
318 This document describes a number of techniques that have been found
319 to be effective to circumvent popular RA-Guard implementations.
321 The most effective and efficient mitigation for these attacks would
322 be to prohibit the use of some IPv6 extension headers with Router
323 Advertisement messages (as proposed by
324 [I-D.gont-6man-nd-extension-headers]), such that the RA-Guard
325 functionality is easier to implement. However, since such mitigation
326 would require an update to existing implementations, it cannot be
327 relied upon in the short or near term.
329 6. Acknowledgements
331 The author would like to thank Ran Atkinson, Karl Auer, Robert
332 Downie, David Farmer, Marc Heuse, Simon Perreault, Arturo Servin, and
333 Gunter van de Velde, for providing valuable comments on earlier
334 versions of this document.
336 This document resulted from the project "Security Assessment of the
337 Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by
338 Fernando Gont on behalf of the UK Centre for the Protection of
339 National Infrastructure (CPNI). The author would like to thank the
340 UK CPNI, for their continued support.
342 7. References
344 7.1. Normative References
346 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
347 Requirement Levels", BCP 14, RFC 2119, March 1997.
349 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
350 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
351 September 2007.
353 7.2. Informative References
355 [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
356 Problem Statement", RFC 6104, February 2011.
358 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
359 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
360 February 2011.
362 [I-D.gont-6man-nd-extension-headers]
363 Gont, F., "Security Implications of the Use of IPv6
364 Extension Headers with IPv6 Neighbor Discovery",
365 draft-gont-6man-nd-extension-headers-02 (work in
366 progress), January 2012.
368 [CPNI-IPv6]
369 Gont, F., "Security Assessment of the Internet Protocol
370 version 6 (IPv6)", UK Centre for the Protection of
371 National Infrastructure, (available on request).
373 [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor",
374 .
376 [rafixd] "rafixd", .
379 [ramond] "ramond", .
381 [THC-IPV6]
382 "THC-IPV6", .
384 Appendix A. Changes from previous versions of the draft (to be removed
385 by the RFC Editor before publication of this document as a
386 RFC
388 A.1. Changes from draft-gont-v6ops-ra-guard-implementation-00
390 o Miscellaneous (minor) editorial changes.
392 o The filtering rules in Section 3 have been polished.
394 A.2. Changes from draft-gont-v6ops-ra-guard-evasion-01
396 o The contents were updated to reflect that the evasion
397 vulnerabilities are based on implementation flaws, rather than on
398 the RA-Guard "concept" itself.
400 o The I-D now focuses on providing advice to RA-Guard implementers.
402 Appendix B. Assessment tools
404 CPNI has produced assessment tools (which have not yet been made
405 publicly available) to assess RA-Guard implementations with respect
406 to the issues described in this document. If you think that you
407 would benefit from these tools, we might be able to provide a copy of
408 the tools (please contact Fernando Gont at fernando@gont.com.ar).
410 [THC-IPV6] is a publicly-available set of tools that implements some
411 of the techniques described in this document.
413 Appendix C. Advice and guidance to vendors
415 Vendors are urged to contact CSIRTUK (csirt@cpni.gsi.gov.uk) if they
416 think they may be affected by the issues described in this document.
417 As the lead coordination centre for these issues, CPNI is well placed
418 to give advice and guidance as required.
420 CPNI works extensively with government departments and agencies,
421 commercial organisations and the academic community to research
422 vulnerabilities and potential threats to IT systems especially where
423 they may have an impact on Critical National Infrastructure's (CNI).
425 Other ways to contact CPNI, plus CPNI's PGP public key, are available
426 at http://www.cpni.gov.uk.
428 Author's Address
430 Fernando Gont
431 Centre for the Protection of National Infrastructure
433 Email: fgont@si6networks.com
434 URI: http://www.cpni.gov.uk