idnits 2.17.1
draft-ietf-6man-nd-extension-headers-04.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC3971, updated by this document, for
RFC5378 checks: 2003-10-17)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (March 22, 2013) is 4046 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
No issues found here.
Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 maintenance Working Group (6man) F. Gont
3 Internet-Draft SI6 Networks / UTN-FRH
4 Updates: 3971, 4861 (if approved) March 22, 2013
5 Intended status: Standards Track
6 Expires: September 23, 2013
8 Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery
9 draft-ietf-6man-nd-extension-headers-04
11 Abstract
13 This document analyzes the security implications of employing IPv6
14 fragmentation with Neighbor Discovery (ND) messages. It updates RFC
15 4861 such that use of the IPv6 Fragmentation Header is forbidden in
16 all Neighbor Discovery messages, thus allowing for simple and
17 effective counter-measures for Neighbor Discovery attacks. Finally,
18 it discusses the security implications of using IPv6 fragmentation
19 with SEcure Neighbor Discovery (SEND), and formally updates RFC 3971
20 to provide advice regarding how the aforementioned security
21 implications can be prevented.
23 Status of this Memo
25 This Internet-Draft is submitted in full conformance with the
26 provisions of BCP 78 and BCP 79.
28 Internet-Drafts are working documents of the Internet Engineering
29 Task Force (IETF). Note that other groups may also distribute
30 working documents as Internet-Drafts. The list of current Internet-
31 Drafts is at http://datatracker.ietf.org/drafts/current/.
33 Internet-Drafts are draft documents valid for a maximum of six months
34 and may be updated, replaced, or obsoleted by other documents at any
35 time. It is inappropriate to use Internet-Drafts as reference
36 material or to cite them other than as "work in progress."
38 This Internet-Draft will expire on September 23, 2013.
40 Copyright Notice
42 Copyright (c) 2013 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (http://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the Simplified BSD License.
55 Table of Contents
57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
58 2. Traditional Neighbor Discovery and IPv6 Fragmentation . . . . 5
59 3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation . . . 6
60 4. Rationale for Forbidding IPv6 Fragmentation in Neighbor
61 Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . 7
62 5. Specification . . . . . . . . . . . . . . . . . . . . . . . . 8
63 6. Operational Advice . . . . . . . . . . . . . . . . . . . . . . 9
64 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
65 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
66 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
67 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
68 10.1. Normative References . . . . . . . . . . . . . . . . . . 13
69 10.2. Informative References . . . . . . . . . . . . . . . . . 13
70 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 15
72 1. Introduction
74 The Neighbor Discovery Protocol (NDP) is specified in RFC 4861
75 [RFC4861]. It is used by both hosts and routers. Its functions
76 include Neighbor Discovery (ND), Router Discovery (RD), Address
77 Autoconfiguration, Address Resolution, Neighbor Unreachability
78 Detection (NUD), Duplicate Address Detection (DAD), and Redirection.
80 Many of the possible attacks against the Neighbor Discovery Protocol
81 are discussed in detail in [RFC3756]. In order to mitigate the
82 aforementioned possible attacks, the SEcure Neighbor Discovery (SEND)
83 was standardized. SEND employs a number of mechanisms to certify the
84 origin of Neighbor Discovery packets and the authority of routers,
85 and to protect Neighbor Discovery packets from being the subject of
86 modification or replay attacks.
88 However, a number of factors, such as the use of trust anchors and
89 the unavailability of SEND implementations for many widely-deployed
90 operating systems, make SEND hard to deploy [Gont-DEEPSEC2011].
91 Thus, in many general scenarios it may be necessary and/or convenient
92 to use other mitigation techniques for NDP-based attacks. The
93 following mitigations are currently available for NDP attacks:
95 o Layer-2 filtering of Neighbor Discovery packets (such as RA-Guard
96 [RFC6105])
98 o Neighbor Discovery monitoring tools (e.g., such as NDPMon
99 [NDPMon], ramond [ramond])
101 o Intrusion Prevention Systems (IPS)
103 IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique
104 for attack vectors based on ICMPv6 Router Advertisement messages. It
105 is meant to block attack packets at a layer-2 device before the
106 attack packets actually reach the target nodes. [RFC6104] describes
107 the problem statement of "Rogue IPv6 Router Advertisements", and
108 [RFC6105] specifies the "IPv6 Router Advertisement Guard"
109 functionality.
111 Tools such as NDPMon [NDPMon] and ramond [ramond] aim at monitoring
112 Neighbor Discovery traffic in the hopes of detecting possible attacks
113 when there are discrepancies between the information advertised in
114 Neighbor Discovery packets and the information stored on a local
115 database.
117 Some Intrusion Prevention Systems (IPS) can mitigate Neighbor
118 Discovery attacks. We recommend that Intrusion Prevention Systems
119 (IPS) implement mitigations for NDP attacks.
121 A key challenge that these mitigation or monitoring techniques face
122 is that introduced by IPv6 fragmentation, since it is trivial for an
123 attacker to conceal his attack by fragmenting his packets into
124 multiple fragments. This may limit or even eliminate the
125 effectiveness of the aforementioned mitigation or monitoring
126 techniques. Recent work [CPNI-IPv6] indicates that current
127 implementations of the aforementioned mitigations for NDP attacks can
128 be trivially evaded. For example, as noted in
129 [I-D.ietf-v6ops-ra-guard-implementation], current RA-Guard
130 implementations can be trivially evaded by fragmenting the attack
131 packets into multiple fragments, such that the layer-2 device cannot
132 find all the necessary information to perform packet filtering in the
133 same packet. While Neighbor Discovery monitoring tools could (in
134 theory implement IPv6 fragment reassembly, this is usually an arms-
135 race with the attacker (an attacker generate lots of forged fragments
136 to "confuse" the monitoring tools), and therefore the aforementioned
137 tools are unreliable for the detection of such attacks.
139 Section 2 analyzes the use of IPv6 fragmentation in traditional
140 Neighbor discovery. Section 3 analyzes the use of IPv6 fragmentation
141 in SEcure Neighbor Discovery (SEND). Section 4 provides the
142 rationale for forbidding the use of IPv6 fragmentation with Neighbor
143 Discovery. Section 5 formally updates RFC 4861 such that use of the
144 IPv6 Fragment Header with traditional Neighbor Discovery is
145 forbidden, and also formally updates RFC 3971 providing advice on the
146 use of IPv6 fragmentation with SEND. Section 6 provides operational
147 advice about interoperability problems arising from the use of IPv6
148 fragmentation with Neighbor Discovery.
150 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
151 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
152 document are to be interpreted as described in RFC 2119 [RFC2119].
154 2. Traditional Neighbor Discovery and IPv6 Fragmentation
156 The only potential use case for IPv6 fragmentation with traditional
157 (i.e., non-SEND) IPv6 Neighbor Discovery would be that in which a
158 Router Advertisement must include a large number of options (Prefix
159 Information Options, Route Information Options, etc.). However, this
160 could still be achieved without employing fragmentation, by splitting
161 the aforementioned information into multiple Router Advertisement
162 messages.
164 Some Neighbor Discovery implementations are known to silently
165 ignore Router Advertisement messages that employ fragmentation.
166 Therefore, splitting the necessary information into multiple RA
167 messages (rather than sending a large RA message that is
168 fragmented into multiple IPv6 fragments) is probably desirable
169 even from an interoperability point of view.
171 Thus, avoiding the use of IPv6 fragmentation in traditional Neighbor
172 Discovery would greatly simplify and improve the effectiveness of
173 monitoring and filtering Neighbor Discovery traffic, and would also
174 prevent interoperability problems with those implementations that do
175 not support fragmentation in Neighbor Discovery messages.
177 3. SEcure Neighbor Discovery (SEND) and IPv6 Fragmentation
179 SEND packets typically carry more information than traditional
180 Neighbor Discovery packets: for example, they include additional
181 options such as the CGA option and the RSA signature option.
183 When SEND nodes employ any of the Neighbor Discovery messages
184 specified in [RFC4861], the situation is roughly the same: if more
185 information than would fit in a non-fragmented Neighbor Discovery
186 packet needs to be sent, it should be split into multiple Neighbor
187 Discovery messages (such that IPv6 fragmentation is avoided).
189 However, Certification Path Advertisement messages (specified in
190 [RFC3971]) pose a different situation, since the Certificate Option
191 they include typically contains much more information than any other
192 Neighbor Discovery option. For example, Appendix C of [RFC3971]
193 reports Certification Path Advertisement messages from 1050 to 1066
194 bytes on an Ethernet link layer. Since the size of CPA messages
195 could potentially exceed the MTU of the local link, Section 5
196 recommends that fragmented CPA messages be normally processed, but
197 discourages the use of keys that would result in fragmented CPA
198 messages.
200 It should be noted that relying on fragmentation opens the door to a
201 variety of IPv6 fragmentation-based attacks. In particular, if an
202 attacker is located on the same broadcast domain as the victim host,
203 and Certification Path Advertisement messages employ IPv6
204 fragmentation, it would be trivial for the attacker to forge IPv6
205 fragments such that they result in "Fragment ID collisions", causing
206 both the attack fragments and the legitimate fragments to be
207 discarded by the victim node. This would eventually cause the
208 Authorization Delegation Discovery to fail, thus leading the host to
209 fall back (depending on local configuration) either to unsecured
210 mode, or to reject the corresponding Router Advertisement messages
211 (possibly resulting in a Denial of Service).
213 4. Rationale for Forbidding IPv6 Fragmentation in Neighbor Discovery
215 A number of considerations should be made regarding the use of IPv6
216 fragmentation with Neighbor Discovery:
218 o A significant number of existing implementations already silently
219 drop fragmented ND messages, so the use of IPv6 fragmentation may
220 hamper interoperability among IPv6 implementations.
222 o Although it is possible to build an ND message that needs to be
223 fragmented, such packets are unlikely to exist in the real world
224 because of the large number of options that would be required for
225 the resulting packet to exceed the minimum IPv6 MTU of 1280
226 octets.
228 o If an ND message was so large as to need fragmentation, there is
229 an option to distribute the same information amongst more than one
230 message, each of which is small enough to not need fragmentation.
232 Thus, forbidding the use of IPv6 fragmentation with Neighbor
233 Discovery normalizes existing behavior and sets the expectations of
234 all implementations to the existing lowest common denominator.
236 5. Specification
238 Nodes MUST NOT employ IPv6 fragmentation for sending any of the
239 following Neighbor Discovery and SEcure Neighbor Discovery messages:
241 o Neighbor Solicitation
243 o Neighbor Advertisement
245 o Router Solicitation
247 o Router Advertisement
249 o Redirect
251 o Certification Path Solicitation
253 Nodes SHOULD NOT employ IPv6 fragmentation for sending the following
254 messages:
256 o Certification Path Advertisement messages
258 Nodes MUST silently ignore the following Neighbor Discovery and
259 SEcure Neighbor Discovery messages if the packets carrying them
260 include an IPv6 Fragmentation Header:
262 o Neighbor Solicitation
264 o Neighbor Advertisement
266 o Router Solicitation
268 o Router Advertisement
270 o Redirect
272 o Certification Path Solicitation
274 Nodes SHOULD normally process the following messages when the packets
275 carrying them include an IPv6 Fragmentation Header:
277 o Certification Path Advertisement
279 SEND nodes SHOULD NOT employ keys that would result in fragmented CPA
280 messages.
282 6. Operational Advice
284 An operator detecting that Neighbor Discovery traffic is being
285 silently dropped should find whether the corresponding Neighbor
286 Discovery are employing IPv6 fragmentation. If they are, it is
287 likely that the devices receiving such packets are silently dropping
288 them merely because they employ IPv6 fragmentation. In such case, an
289 operator should check whether the sending device has an option to
290 prevent fragmentation of ND messages, and/or see whether it is
291 possible to reduce the options carried on such messages. We note
292 that solving this (unlikely) problem might need a software upgrade to
293 a version that does not employ IPv6 fragmentation with Neighbor
294 Discovery.
296 7. IANA Considerations
298 There are no IANA registries within this document. The RFC-Editor
299 can remove this section before publication of this document as an
300 RFC.
302 8. Security Considerations
304 The IPv6 Fragmentation Header can be leveraged to circumvent network
305 monitoring tools and current implementations of mechanisms such as
306 RA-Guard [I-D.ietf-v6ops-ra-guard-implementation]. By updating the
307 relevant specifications such that the IPv6 Fragment Header is not
308 allowed in any Neighbor Discovery messages except "Certification Path
309 Advertisement", protection of local nodes against Neighbor Discovery
310 attacks, and monitoring of Neighbor Discovery traffic is greatly
311 simplified.
313 [I-D.ietf-v6ops-ra-guard-implementation] discusses an improvement to
314 the RA-Guard mechanism that can mitigate Neighbor Discovery attacks
315 that employ IPv6 Fragmentation. However, it should be noted that
316 unless [RFC4861] is updated (as proposed in this document), Neighbor
317 Discovery monitoring tools (such as NDPMon [NDPMon], and ramond
318 [ramond]) would remain unreliable and trivial to circumvent by a
319 skilled attacker.
321 As noted in Section 3, use of SEND could potentially result in
322 fragmented "Certification Path Advertisement" messages, thus allowing
323 an attacker to employ IPv6 fragmentation-based attacks against such
324 messages. Therefore, to the extent that is possible, such use of
325 fragmentation should be avoided.
327 9. Acknowledgements
329 The author would like to thank (in alphabetical order) Mikael
330 Abrahamsson, Ran Atkinson, Ron Bonica, Jean-Michel Combes, David
331 Farmer, Adrian Farrel, Stephen Farrell, Roque Gagliano, Brian
332 Haberman, Bob Hinden, Philip Homburg, Ray Hunter, Arturo Servin, Mark
333 Smith, and Martin Stiemerling, for providing valuable comments on
334 earlier versions of this document.
336 This document resulted from the project "Security Assessment of the
337 Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by
338 Fernando Gont on behalf of the UK Centre for the Protection of
339 National Infrastructure (CPNI). The author would like to thank the
340 UK CPNI, for their continued support.
342 10. References
344 10.1. Normative References
346 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
347 Requirement Levels", BCP 14, RFC 2119, March 1997.
349 [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
350 Neighbor Discovery (SEND)", RFC 3971, March 2005.
352 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
353 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
354 September 2007.
356 10.2. Informative References
358 [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor
359 Discovery (ND) Trust Models and Threats", RFC 3756,
360 May 2004.
362 [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
363 Problem Statement", RFC 6104, February 2011.
365 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
366 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
367 February 2011.
369 [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor",
370 .
372 [ramond] "ramond", .
374 [I-D.ietf-v6ops-ra-guard-implementation]
375 Gont, F., "Implementation Advice for IPv6 Router
376 Advertisement Guard (RA-Guard)",
377 draft-ietf-v6ops-ra-guard-implementation-07 (work in
378 progress), November 2012.
380 [CPNI-IPv6]
381 Gont, F., "Security Assessment of the Internet Protocol
382 version 6 (IPv6)", UK Centre for the Protection of
383 National Infrastructure, (available on request).
385 [Gont-DEEPSEC2011]
386 Gont, "Results of a Security Assessment of the Internet
387 Protocol version 6 (IPv6)", DEEPSEC 2011 Conference,
388 Vienna, Austria, November 2011, .
392 Author's Address
394 Fernando Gont
395 SI6 Networks / UTN-FRH
396 Evaristo Carriego 2644
397 Haedo, Provincia de Buenos Aires 1706
398 Argentina
400 Phone: +54 11 4650 8472
401 Email: fgont@si6networks.com
402 URI: http://www.si6networks.com