idnits 2.17.1
draft-ietf-6man-nd-extension-headers-00.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
-- The draft header indicates that this document updates RFC3971, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC3971, updated by this document, for
RFC5378 checks: 2003-10-17)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (June 29, 2012) is 4316 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-07) exists of
draft-ietf-v6ops-ra-guard-implementation-04
Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 maintenance Working Group (6man) F. Gont
3 Internet-Draft UK CPNI
4 Updates: 3971, 4861 (if approved) June 29, 2012
5 Intended status: Standards Track
6 Expires: December 31, 2012
8 Security Implications of the Use of IPv6 Extension Headers with IPv6
9 Neighbor Discovery
10 draft-ietf-6man-nd-extension-headers-00
12 Abstract
14 This document analyzes the security implications of using IPv6
15 Extension Headers with Neighbor Discovery (ND) messages. It updates
16 RFC 4861 such that use of the IPv6 Fragmentation Header is forbidden
17 in all Neighbor Discovery messages, thus allowing for simple and
18 effective counter-measures for Neighbor Discovery attacks. Finally,
19 it discusses the security implications of using IPv6 fragmentation
20 with SEcure Neighbor Discovery (SEND), and provides advice such that
21 the aforementioned security implications are mitigated.
23 Status of this Memo
25 This Internet-Draft is submitted in full conformance with the
26 provisions of BCP 78 and BCP 79.
28 Internet-Drafts are working documents of the Internet Engineering
29 Task Force (IETF). Note that other groups may also distribute
30 working documents as Internet-Drafts. The list of current Internet-
31 Drafts is at http://datatracker.ietf.org/drafts/current/.
33 Internet-Drafts are draft documents valid for a maximum of six months
34 and may be updated, replaced, or obsoleted by other documents at any
35 time. It is inappropriate to use Internet-Drafts as reference
36 material or to cite them other than as "work in progress."
38 This Internet-Draft will expire on December 31, 2012.
40 Copyright Notice
42 Copyright (c) 2012 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (http://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the Simplified BSD License.
55 Table of Contents
57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
58 2. Traditional Neighbor Discovery and IPv6 Fragmentation . . . . 5
59 3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation . . . 6
60 4. Specification . . . . . . . . . . . . . . . . . . . . . . . . 7
61 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
62 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9
63 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
64 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10
65 7.2. Informative References . . . . . . . . . . . . . . . . . . 10
66 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
68 1. Introduction
70 The Neighbor Discovery Protocol (NDP) is specified in RFC 4861
71 [RFC4861] and RFC 4862 [RFC4862]. It is used by both hosts and
72 routers. Its functions include Neighbor Discovery (ND), Router
73 Discovery (RD), Address Autoconfiguration, Address Resolution,
74 Neighbor Unreachability Detection (NUD), Duplicate Address Detection
75 (DAD), and Redirection.
77 Many of the possible attacks against the Neighbor Discovery Protocol
78 are discussed in detail in [RFC3756]. In order to mitigate the
79 aforementioned possible attacks, the SEcure Neighbor Discovery (SEND)
80 was standardized. SEND employs a number of mechanisms to certify the
81 origin of Neighbor Discovery packets and the authority of routers,
82 and to protect Neighbor Discovery packets from being the subject of
83 modification or replay attacks.
85 However, a number of factors, such as the use of trust anchors and
86 the unavailability of SEND implementations for many widely-deployed
87 operating systems, make SEND hard to deploy [Gont-DEEPSEC2011].
88 Thus, in many general scenarios it may be necessary and/or convenient
89 to use other mitigation techniques for NDP-based attacks. The
90 following "lightweight" mitigations are currently available for NDP
91 attacks:
93 o Layer-2 filtering of Neighbor Discovery packets (such as RA-Guard
94 [RFC6105])
96 o Neighbor Discovery monitoring tools (e.g., such as NDPMon
97 [NDPMon])
99 IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique
100 for attack vectors based on ICMPv6 Router Advertisement messages. It
101 is meant to block attack packets at a layer-2 device before the
102 attack packets actually reach the target nodes. [RFC6104] describes
103 the problem statement of "Rogue IPv6 Router Advertisements", and
104 [RFC6105] specifies the "IPv6 Router Advertisement Guard"
105 functionality.
107 Tools such as NDPMon [NDPMon] and ramond [ramond] aim at monitoring
108 Neighbor Discovery traffic in the hopes of detecting possible attacks
109 when there are discrepancies between the information advertised in
110 Neighbor Discovery packets and the information stored on a local
111 database.
113 A key challenge that these mitigation or monitoring techniques face
114 is that introduced by IPv6 fragmentation, since it is trivial for an
115 attacker to conceal his attack by fragmenting his packets into
116 multiple fragments. This may limit or even eliminate the
117 effectiveness of the aforementioned mitigation or monitoring
118 techniques. Recent work [CPNI-IPv6] indicates that current
119 implementations of the aforementioned "lightweight" mitigations for
120 NDP attacks can be trivially evaded. For example, as noted in
121 [I-D.ietf-v6ops-ra-guard-implementation], current RA-Guard
122 implementations can be trivially evaded by fragmenting the attack
123 packets into multiple fragments, such that the layer-2 device cannot
124 find all the necessary information to perform packet filtering in the
125 same packet. While Neighbor Discovery monitoring tools could (in
126 theory implement IPv6 fragment reassembly, this is usually an arms-
127 race with the attacker (an attacker generate lots of forged fragments
128 to "confuse" the monitoring tools), and therefore the aforementioned
129 tools are unreliable for the detection of such attacks.
131 Section 2 analyzes the use of IPv6 fragmentation in traditional
132 Neighbor discovery. Section 3 analyzes the use of IPv6 fragmentation
133 in SEcure Neighbor Discovery (SEND). Section 4 formally updates RFC
134 4861 such that use of the IPv6 Fragment Header with traditional
135 Neighbor Discovery is forbidden, and provides advice on the use of
136 IPv6 fragmentation with SEND.
138 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
139 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
140 document are to be interpreted as described in RFC 2119 [RFC2119].
142 2. Traditional Neighbor Discovery and IPv6 Fragmentation
144 The only potential use case for IPv6 fragmentation with traditional
145 (i.e., non-SEND) IPv6 Neighbor Discovery would be that in which a
146 Router Advertisement must include a large number of options (Prefix
147 Information Options, Route Information Options, etc.). However, this
148 could still be achieved without employing fragmentation, by splitting
149 the aforementioned information into multiple Router Advertisement
150 messages.
152 Some Neighbor Discovery implementations are known to silently
153 ignore Router Advertisement messages that employ fragmentation.
154 Therefore, splitting the necessary information into multiple RA
155 messages (rather than sending a large RA message that is
156 fragmented into multiple IPv6 fragments) is probably desirable
157 even from an interoperability point of view.
159 As a result of the aforementioned considerations, and since avoiding
160 the use of IPv6 fragmentation in traditional Neighbor Discovery would
161 greatly simplify and improve the effectiveness of monitoring and
162 filtering ND, Section 4 specifies that hosts silently ignore
163 traditional Neighbor Discovery messages (i.e., those specified in
164 [RFC4861]) that employ IPv6 fragmentation.
166 3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation
168 SEND packets typically carry more information than traditional
169 Neighbor Discovery packets: for example, they include additional
170 options such as the CGA option and the RSA signature option.
172 In the case of Neighbor Discovery messages specified in [RFC4861],
173 the situation is roughly the same: if more information than would fit
174 in a non-fragmented Neighbor Discovery packet needs to be sent, it
175 should be split into multiple Neighbor Discovery messages (such that
176 IPv6 fragmentation is avoided).
178 However, Certification Path Advertisement messages (specified in
179 [RFC3971]) pose a different situation, since the Certificate Option
180 they include contain much more information than any other Neighbor
181 Discovery option. For example, Appendix C of [RFC3971] reports
182 Certification Path Advertisement messages from 1050 to 1066 bytes on
183 an Ethernet link layer. Since the size of CPA messages could
184 potentially exceed the MTU of the local link, we recommend that
185 fragmented CPA messages be normally processed (although *sending*
186 fragmented CPA messages is discouraged).
188 It should be noted that relying on fragmentation opens the door to a
189 variety of IPv6 fragmentation-based attacks. In particular, if an
190 attacker is located on the same broadcast domain as the victim host,
191 and Certification Path Advertisement messages employ IPv6
192 fragmentation, it would be trivial for the attacker to forge IPv6
193 fragment such that they result in "Fragment ID collisions", causing
194 both the attack fragments and the legitimate fragments to be
195 discarded by the victim node. This would eventually cause the
196 Authorization Delegation Discovery to fail, thus leading the host to
197 fall back (depending to local configuration) either to unsecured
198 mode, or to reject the corresponding Router Advertisement messages
199 (possibly resulting in a Denial of Service).
201 4. Specification
203 Nodes MUST NOT employ IPv6 fragmentation for sending any of the
204 following Neighbor Discovery and SEcure Neighbor Discovery messages:
205 Neighbor Solicitation, Neighbor Advertisement, Router Solicitation,
206 Router Advertisement, Redirect, and Certification Path Solicitation.
207 SEND nodes SHOULD NOT employ IPv6 fragmentation for sending
208 Certification Path Advertisement messages.
210 Nodes MUST silently ignore the following Neighbor Discovery and
211 SEcure Neighbor Discovery messages if the packets carrying them
212 include an IPv6 Fragmentation Header: Neighbor Solicitation, Neighbor
213 Advertisement, Router Solicitation, Router Advertisement, Redirect,
214 and Certification Path Solicitation.
216 Nodes SHOULD normally process Certification Path Advertisement
217 messages that employ IPv6 fragmentation.
219 5. Security Considerations
221 The IPv6 Fragmentation Header can be leveraged to circumvent network
222 monitoring tools and current implementations of mechanisms such as
223 RA-Guard [I-D.ietf-v6ops-ra-guard-implementation]. By updating the
224 relevant specifications such that the IPv6 Fragment Header is not
225 allowed in any Neighbor Discovery messages except "Certification Path
226 Advertisement", protection of local nodes against Neighbor Discovery
227 attacks, and monitoring of Neighbor Discovery traffic is greatly
228 simplified.
230 [I-D.ietf-v6ops-ra-guard-implementation] discusses an improvement to
231 the RA-Guard mechanism that can mitigate Neighbor Discovery attacks
232 that employ IPv6 Fragmentation. However, it should be noted that
233 unless [RFC4861] is updated (as proposed in this document), Neighbor
234 Discovery monitoring tools (such as NDPMon [NDPMon]) would remain
235 unreliable and trivial to circumvent by a skilled attacker.
237 As noted in Section 3, use of SEND could potentially result in
238 fragmented "Certification Path Advertisement" messages, thus allowing
239 an attacker to employ IPv6 fragmentation-based attacks against such
240 messages. Therefore, to the extent that is possible, such use of
241 fragmentation should be avoided.
243 6. Acknowledgements
245 The author would like to thank (in alphabetical order) Mikael
246 Abrahamsson, Ran Atkinson, Ron Bonica, Jean-Michel Combes, David
247 Farmer, Roque Gagliano, Bob Hinden, Philip Homburg, Ray Hunter,
248 Arturo Servin, and Mark Smith, for providing valuable comments on
249 earlier versions of this document.
251 This document resulted from the project "Security Assessment of the
252 Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by
253 Fernando Gont on behalf of the UK Centre for the Protection of
254 National Infrastructure (CPNI). The author would like to thank the
255 UK CPNI, for their continued support.
257 7. References
259 7.1. Normative References
261 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
262 Requirement Levels", BCP 14, RFC 2119, March 1997.
264 [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
265 Neighbor Discovery (SEND)", RFC 3971, March 2005.
267 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
268 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
269 September 2007.
271 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
272 Address Autoconfiguration", RFC 4862, September 2007.
274 7.2. Informative References
276 [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor
277 Discovery (ND) Trust Models and Threats", RFC 3756,
278 May 2004.
280 [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
281 Problem Statement", RFC 6104, February 2011.
283 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
284 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
285 February 2011.
287 [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor",
288 .
290 [ramond] "ramond", .
292 [I-D.ietf-v6ops-ra-guard-implementation]
293 Gont, F., "Implementation Advice for IPv6 Router
294 Advertisement Guard (RA-Guard)",
295 draft-ietf-v6ops-ra-guard-implementation-04 (work in
296 progress), May 2012.
298 [CPNI-IPv6]
299 Gont, F., "Security Assessment of the Internet Protocol
300 version 6 (IPv6)", UK Centre for the Protection of
301 National Infrastructure, (available on request).
303 [Gont-DEEPSEC2011]
304 Gont, "Results of a Security Assessment of the Internet
305 Protocol version 6 (IPv6)", DEEPSEC 2011 Conference,
306 Vienna, Austria, November 2011, .
310 Author's Address
312 Fernando Gont
313 Centre for the Protection of National Infrastructure
315 Email: fernando@gont.com.ar
316 URI: http://www.cpni.gov.uk