idnits 2.17.1
draft-ietf-6man-nd-extension-headers-02.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC3971, updated by this document, for
RFC5378 checks: 2003-10-17)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (December 10, 2012) is 4154 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
No issues found here.
Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 maintenance Working Group (6man) F. Gont
3 Internet-Draft SI6 Networks / UTN-FRH
4 Updates: 3971, 4861 (if approved) December 10, 2012
5 Intended status: Standards Track
6 Expires: June 13, 2013
8 Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery
9 draft-ietf-6man-nd-extension-headers-02
11 Abstract
13 This document analyzes the security implications of using IPv6
14 Extension Headers with Neighbor Discovery (ND) messages. It updates
15 RFC 4861 such that use of the IPv6 Fragmentation Header is forbidden
16 in all Neighbor Discovery messages, thus allowing for simple and
17 effective counter-measures for Neighbor Discovery attacks. Finally,
18 it discusses the security implications of using IPv6 fragmentation
19 with SEcure Neighbor Discovery (SEND), and formally updates RFC 3971
20 to provide advice regarding how the aforementioned security
21 implications can be prevented.
23 Status of this Memo
25 This Internet-Draft is submitted in full conformance with the
26 provisions of BCP 78 and BCP 79.
28 Internet-Drafts are working documents of the Internet Engineering
29 Task Force (IETF). Note that other groups may also distribute
30 working documents as Internet-Drafts. The list of current Internet-
31 Drafts is at http://datatracker.ietf.org/drafts/current/.
33 Internet-Drafts are draft documents valid for a maximum of six months
34 and may be updated, replaced, or obsoleted by other documents at any
35 time. It is inappropriate to use Internet-Drafts as reference
36 material or to cite them other than as "work in progress."
38 This Internet-Draft will expire on June 13, 2013.
40 Copyright Notice
42 Copyright (c) 2012 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (http://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the Simplified BSD License.
55 Table of Contents
57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
58 2. Traditional Neighbor Discovery and IPv6 Fragmentation . . . . 5
59 3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation . . . 6
60 4. Specification . . . . . . . . . . . . . . . . . . . . . . . . 7
61 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
62 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
63 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
64 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
65 8.1. Normative References . . . . . . . . . . . . . . . . . . . 11
66 8.2. Informative References . . . . . . . . . . . . . . . . . . 11
67 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13
69 1. Introduction
71 The Neighbor Discovery Protocol (NDP) is specified in RFC 4861
72 [RFC4861] and RFC 4862 [RFC4862]. It is used by both hosts and
73 routers. Its functions include Neighbor Discovery (ND), Router
74 Discovery (RD), Address Autoconfiguration, Address Resolution,
75 Neighbor Unreachability Detection (NUD), Duplicate Address Detection
76 (DAD), and Redirection.
78 Many of the possible attacks against the Neighbor Discovery Protocol
79 are discussed in detail in [RFC3756]. In order to mitigate the
80 aforementioned possible attacks, the SEcure Neighbor Discovery (SEND)
81 was standardized. SEND employs a number of mechanisms to certify the
82 origin of Neighbor Discovery packets and the authority of routers,
83 and to protect Neighbor Discovery packets from being the subject of
84 modification or replay attacks.
86 However, a number of factors, such as the use of trust anchors and
87 the unavailability of SEND implementations for many widely-deployed
88 operating systems, make SEND hard to deploy [Gont-DEEPSEC2011].
89 Thus, in many general scenarios it may be necessary and/or convenient
90 to use other mitigation techniques for NDP-based attacks. The
91 following mitigations are currently available for NDP attacks:
93 o Layer-2 filtering of Neighbor Discovery packets (such as RA-Guard
94 [RFC6105])
96 o Neighbor Discovery monitoring tools (e.g., such as NDPMon
97 [NDPMon])
99 o Intrusion Prevention Systems (IPS)
101 IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique
102 for attack vectors based on ICMPv6 Router Advertisement messages. It
103 is meant to block attack packets at a layer-2 device before the
104 attack packets actually reach the target nodes. [RFC6104] describes
105 the problem statement of "Rogue IPv6 Router Advertisements", and
106 [RFC6105] specifies the "IPv6 Router Advertisement Guard"
107 functionality.
109 Tools such as NDPMon [NDPMon] and ramond [ramond] aim at monitoring
110 Neighbor Discovery traffic in the hopes of detecting possible attacks
111 when there are discrepancies between the information advertised in
112 Neighbor Discovery packets and the information stored on a local
113 database.
115 Some Intrusion Prevention Systems (IPS) can mitigate Neighbor
116 Discovery attacks. We recommend that Intrusion Prevention Systems
117 (IPS) implement mitigations for NDP attacks.
119 A key challenge that these mitigation or monitoring techniques face
120 is that introduced by IPv6 fragmentation, since it is trivial for an
121 attacker to conceal his attack by fragmenting his packets into
122 multiple fragments. This may limit or even eliminate the
123 effectiveness of the aforementioned mitigation or monitoring
124 techniques. Recent work [CPNI-IPv6] indicates that current
125 implementations of the aforementioned mitigations for NDP attacks can
126 be trivially evaded. For example, as noted in
127 [I-D.ietf-v6ops-ra-guard-implementation], current RA-Guard
128 implementations can be trivially evaded by fragmenting the attack
129 packets into multiple fragments, such that the layer-2 device cannot
130 find all the necessary information to perform packet filtering in the
131 same packet. While Neighbor Discovery monitoring tools could (in
132 theory implement IPv6 fragment reassembly, this is usually an arms-
133 race with the attacker (an attacker generate lots of forged fragments
134 to "confuse" the monitoring tools), and therefore the aforementioned
135 tools are unreliable for the detection of such attacks.
137 Section 2 analyzes the use of IPv6 fragmentation in traditional
138 Neighbor discovery. Section 3 analyzes the use of IPv6 fragmentation
139 in SEcure Neighbor Discovery (SEND). Section 4 formally updates RFC
140 4861 such that use of the IPv6 Fragment Header with traditional
141 Neighbor Discovery is forbidden, and also formally updates RFC 3971
142 providing advice on the use of IPv6 fragmentation with SEND.
144 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
145 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
146 document are to be interpreted as described in RFC 2119 [RFC2119].
148 2. Traditional Neighbor Discovery and IPv6 Fragmentation
150 The only potential use case for IPv6 fragmentation with traditional
151 (i.e., non-SEND) IPv6 Neighbor Discovery would be that in which a
152 Router Advertisement must include a large number of options (Prefix
153 Information Options, Route Information Options, etc.). However, this
154 could still be achieved without employing fragmentation, by splitting
155 the aforementioned information into multiple Router Advertisement
156 messages.
158 Some Neighbor Discovery implementations are known to silently
159 ignore Router Advertisement messages that employ fragmentation.
160 Therefore, splitting the necessary information into multiple RA
161 messages (rather than sending a large RA message that is
162 fragmented into multiple IPv6 fragments) is probably desirable
163 even from an interoperability point of view.
165 As a result of the aforementioned considerations, and since avoiding
166 the use of IPv6 fragmentation in traditional Neighbor Discovery would
167 greatly simplify and improve the effectiveness of monitoring and
168 filtering ND, Section 4 specifies that hosts silently ignore
169 traditional Neighbor Discovery messages (i.e., those specified in
170 [RFC4861]) that employ IPv6 fragmentation.
172 3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation
174 SEND packets typically carry more information than traditional
175 Neighbor Discovery packets: for example, they include additional
176 options such as the CGA option and the RSA signature option.
178 When SEND nodes employ any of the Neighbor Discovery messages
179 specified in [RFC4861], the situation is roughly the same: if more
180 information than would fit in a non-fragmented Neighbor Discovery
181 packet needs to be sent, it should be split into multiple Neighbor
182 Discovery messages (such that IPv6 fragmentation is avoided).
184 However, Certification Path Advertisement messages (specified in
185 [RFC3971]) pose a different situation, since the Certificate Option
186 they include typically contains much more information than any other
187 Neighbor Discovery option. For example, Appendix C of [RFC3971]
188 reports Certification Path Advertisement messages from 1050 to 1066
189 bytes on an Ethernet link layer. Since the size of CPA messages
190 could potentially exceed the MTU of the local link, Section 4
191 recommends that fragmented CPA messages be normally processed, but
192 discourages the use of keys that would result in fragmented CPA
193 messages.
195 It should be noted that relying on fragmentation opens the door to a
196 variety of IPv6 fragmentation-based attacks. In particular, if an
197 attacker is located on the same broadcast domain as the victim host,
198 and Certification Path Advertisement messages employ IPv6
199 fragmentation, it would be trivial for the attacker to forge IPv6
200 fragments such that they result in "Fragment ID collisions", causing
201 both the attack fragments and the legitimate fragments to be
202 discarded by the victim node. This would eventually cause the
203 Authorization Delegation Discovery to fail, thus leading the host to
204 fall back (depending on local configuration) either to unsecured
205 mode, or to reject the corresponding Router Advertisement messages
206 (possibly resulting in a Denial of Service).
208 4. Specification
210 Nodes MUST NOT employ IPv6 fragmentation for sending any of the
211 following Neighbor Discovery and SEcure Neighbor Discovery messages:
213 o Neighbor Solicitation
215 o Neighbor Advertisement
217 o Router Solicitation
219 o Router Advertisement
221 o Redirect
223 o Certification Path Solicitation
225 Nodes SHOULD NOT employ IPv6 fragmentation for sending the following
226 messages:
228 o Certification Path Advertisement messages
230 Nodes MUST silently ignore the following Neighbor Discovery and
231 SEcure Neighbor Discovery messages if the packets carrying them
232 include an IPv6 Fragmentation Header:
234 o Neighbor Solicitation
236 o Neighbor Advertisement
238 o Router Solicitation
240 o Router Advertisement
242 o Redirect
244 o Certification Path Solicitation
246 Nodes SHOULD normally process the following messages when the packets
247 carrying them include an IPv6 Fragmentation Header:
249 o Certification Path Advertisement
251 SEND nodes SHOULD NOT employ keys that would result in fragmented CPA
252 messages.
254 5. IANA Considerations
256 There are no IANA registries within this document. The RFC-Editor
257 can remove this section before publication of this document as an
258 RFC.
260 6. Security Considerations
262 The IPv6 Fragmentation Header can be leveraged to circumvent network
263 monitoring tools and current implementations of mechanisms such as
264 RA-Guard [I-D.ietf-v6ops-ra-guard-implementation]. By updating the
265 relevant specifications such that the IPv6 Fragment Header is not
266 allowed in any Neighbor Discovery messages except "Certification Path
267 Advertisement", protection of local nodes against Neighbor Discovery
268 attacks, and monitoring of Neighbor Discovery traffic is greatly
269 simplified.
271 [I-D.ietf-v6ops-ra-guard-implementation] discusses an improvement to
272 the RA-Guard mechanism that can mitigate Neighbor Discovery attacks
273 that employ IPv6 Fragmentation. However, it should be noted that
274 unless [RFC4861] is updated (as proposed in this document), Neighbor
275 Discovery monitoring tools (such as NDPMon [NDPMon]) would remain
276 unreliable and trivial to circumvent by a skilled attacker.
278 As noted in Section 3, use of SEND could potentially result in
279 fragmented "Certification Path Advertisement" messages, thus allowing
280 an attacker to employ IPv6 fragmentation-based attacks against such
281 messages. Therefore, to the extent that is possible, such use of
282 fragmentation should be avoided.
284 7. Acknowledgements
286 The author would like to thank (in alphabetical order) Mikael
287 Abrahamsson, Ran Atkinson, Ron Bonica, Jean-Michel Combes, David
288 Farmer, Roque Gagliano, Bob Hinden, Philip Homburg, Ray Hunter,
289 Arturo Servin, and Mark Smith, for providing valuable comments on
290 earlier versions of this document.
292 This document resulted from the project "Security Assessment of the
293 Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by
294 Fernando Gont on behalf of the UK Centre for the Protection of
295 National Infrastructure (CPNI). The author would like to thank the
296 UK CPNI, for their continued support.
298 8. References
300 8.1. Normative References
302 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
303 Requirement Levels", BCP 14, RFC 2119, March 1997.
305 [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
306 Neighbor Discovery (SEND)", RFC 3971, March 2005.
308 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
309 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
310 September 2007.
312 [RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
313 Address Autoconfiguration", RFC 4862, September 2007.
315 8.2. Informative References
317 [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor
318 Discovery (ND) Trust Models and Threats", RFC 3756,
319 May 2004.
321 [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
322 Problem Statement", RFC 6104, February 2011.
324 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
325 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
326 February 2011.
328 [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor",
329 .
331 [ramond] "ramond", .
333 [I-D.ietf-v6ops-ra-guard-implementation]
334 Gont, F., "Implementation Advice for IPv6 Router
335 Advertisement Guard (RA-Guard)",
336 draft-ietf-v6ops-ra-guard-implementation-07 (work in
337 progress), November 2012.
339 [CPNI-IPv6]
340 Gont, F., "Security Assessment of the Internet Protocol
341 version 6 (IPv6)", UK Centre for the Protection of
342 National Infrastructure, (available on request).
344 [Gont-DEEPSEC2011]
345 Gont, "Results of a Security Assessment of the Internet
346 Protocol version 6 (IPv6)", DEEPSEC 2011 Conference,
347 Vienna, Austria, November 2011, .
351 Author's Address
353 Fernando Gont
354 SI6 Networks / UTN-FRH
355 Evaristo Carriego 2644
356 Haedo, Provincia de Buenos Aires 1706
357 Argentina
359 Phone: +54 11 4650 8472
360 Email: fgont@si6networks.com
361 URI: http://www.si6networks.com