idnits 2.17.1
draft-ietf-v6ops-ra-guard-implementation-01.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (March 3, 2012) is 4437 days in the past. Is this
intentional?
Checking references for intended status: Best Current Practice
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-02) exists of
draft-gont-6man-oversized-header-chain-00
== Outdated reference: A later version (-03) exists of
draft-gont-6man-nd-extension-headers-02
Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 Operations Working Group (v6ops) F. Gont
3 Internet-Draft UK CPNI
4 Intended status: BCP March 3, 2012
5 Expires: September 4, 2012
7 Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
8 draft-ietf-v6ops-ra-guard-implementation-01
10 Abstract
12 The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly
13 employed to mitigate attack vectors based on forged ICMPv6 Router
14 Advertisement messages. Many existing IPv6 deployments rely on RA-
15 Guard as the first line of defense against the aforementioned attack
16 vectors. However, some implementations of RA-Guard have been found
17 to be prone to circumvention by employing IPv6 Extension Headers.
18 This document describes the evasion techniques that affect the
19 aforementioned implementations, and provides advice on the
20 implementation of RA-Guard, such that the RA-Guard evasion vectors
21 are eliminated.
23 Status of this Memo
25 This Internet-Draft is submitted in full conformance with the
26 provisions of BCP 78 and BCP 79.
28 Internet-Drafts are working documents of the Internet Engineering
29 Task Force (IETF). Note that other groups may also distribute
30 working documents as Internet-Drafts. The list of current Internet-
31 Drafts is at http://datatracker.ietf.org/drafts/current/.
33 Internet-Drafts are draft documents valid for a maximum of six months
34 and may be updated, replaced, or obsoleted by other documents at any
35 time. It is inappropriate to use Internet-Drafts as reference
36 material or to cite them other than as "work in progress."
38 This Internet-Draft will expire on September 4, 2012.
40 Copyright Notice
42 Copyright (c) 2012 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (http://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the Simplified BSD License.
55 Table of Contents
57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
58 2. Evasion techniques for some Router Advertisement Guard (RA
59 Guard) implementations . . . . . . . . . . . . . . . . . . . . 4
60 2.1. Attack Vector based on IPv6 Extension Headers . . . . . . 4
61 2.2. Attack vector based on IPv6 fragmentation . . . . . . . . 4
62 3. RA-Guard implementation advice . . . . . . . . . . . . . . . . 8
63 4. Other Implications . . . . . . . . . . . . . . . . . . . . . . 10
64 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
65 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
66 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
67 7.1. Normative References . . . . . . . . . . . . . . . . . . . 13
68 7.2. Informative References . . . . . . . . . . . . . . . . . . 13
69 Appendix A. Changes from previous versions of the draft (to
70 be removed by the RFC Editor before publication
71 of this document as a RFC . . . . . . . . . . . . . . 15
72 A.1. Changes from
73 draft-ietf-v6ops-ra-guard-implementation-00 . . . . . . . 15
74 A.2. Changes from
75 draft-gont-v6ops-ra-guard-implementation-01 . . . . . . . 15
76 A.3. Changes from
77 draft-gont-v6ops-ra-guard-implementation-00 . . . . . . . 15
78 A.4. Changes from draft-gont-v6ops-ra-guard-evasion-01 . . . . 15
79 Appendix B. Assessment tools . . . . . . . . . . . . . . . . . . 16
80 Appendix C. Advice and guidance to vendors . . . . . . . . . . . 17
81 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 18
83 1. Introduction
85 IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique
86 for attack vectors based on ICMPv6 Router Advertisement messages.
87 [RFC6104] describes the problem statement of "Rogue IPv6 Router
88 Advertisements", and [RFC6105] specifies the "IPv6 Router
89 Advertisement Guard" functionality.
91 The basic concept behind RA-Guard is that a layer-2 device filters
92 ICMPv6 Router Advertisement messages, according to a number of
93 different criteria. The most basic filtering criterion is that
94 Router Advertisement messages are discarded by the layer-2 device
95 unless they are received on a specified port of the layer-2 device.
96 Clearly, the effectiveness of the RA Guard mitigation relies on the
97 ability of the layer-2 device to identify ICMPv6 Router Advertisement
98 messages.
100 Some popular RA-Guard implementations have been found to be easy to
101 circumvent by employing IPv6 extension headers [CPNI-IPv6]. This
102 document describes such evasion techniques, and provides advice to
103 RA-Guard implementers such that the aforementioned evasion vectors
104 can be eliminated.
106 It should be noted that the aforementioned techniques could also be
107 exploited to evade network monitoring tools such as NDPMon [NDPMon],
108 ramond [ramond], and rafixd [rafixd], and could probably be exploited
109 to perform stealth DHCPv6 attacks.
111 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
112 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
113 document are to be interpreted as described in RFC 2119 [RFC2119].
115 2. Evasion techniques for some Router Advertisement Guard (RA Guard)
116 implementations
118 The following subsections describe two different vectors that have
119 been found to be effective for the evasion of popular implementations
120 of the RA-Guard protection. Section 2.1 describes an attack vector
121 based on the use of IPv6 Extension Headers with the ICMPv6 Router
122 Advertisement messages, which may be used to circumvent the RA-Guard
123 protection of those implementations that fail to process an entire
124 IPv6 header chain when trying to identify the ICMPv6 Router
125 Advertisement messages. Section 2.2 describes an attack method based
126 on the use of IPv6 fragmentation, possibly in conjunction with the
127 use of IPv6 Extension Headers. This later vector has been found to
128 be effective with all existing implementations of the RA-Guard
129 mechanism.
131 2.1. Attack Vector based on IPv6 Extension Headers
133 While there is currently no legitimate use for IPv6 Extension Headers
134 in ICMPv6 Router Advertisement messages, Neighbor Discovery
135 implementations allow the use of Extension Headers with these
136 messages, by simply ignoring the received options. Some RA-Guard
137 implementations try to identify ICMPv6 Router Advertisement messages
138 by simply looking at the "Next Header" field of the fixed IPv6
139 header, rather than following the entire header chain. As a result,
140 such implementations fail to identify any ICMPv6 Router Advertisement
141 messages that include any Extension Headers (for example, a Hop by
142 Hop Options header, a Destination Options Header, etc.), and can be
143 easily circumvented.
145 The following figure illustrates the structure of ICMPv6 Router
146 Advertisement messages that implement this evasion technique:
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 |NH=60| |NH=58| | |
150 +-+-+-+ +-+-+-+ + +
151 | IPv6 header | Dst Opt Hdr | ICMPv6 Router Advertisement |
152 + + + +
153 | | | |
154 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
156 2.2. Attack vector based on IPv6 fragmentation
158 This section presents a different attack vector, which has been found
159 to be effective against all implementations of RA-Guard. The basic
160 idea behind this attack vector is that if the forged ICMPv6 Router
161 Advertisement is fragmented into at least two fragments, the layer-2
162 device implementing "RA-Guard" would be unable to identify the attack
163 packet, and would thus fail to block it.
165 A first variant of this attack vector would be an original ICMPv6
166 Router Advertisement message preceded with a Destination Options
167 Header, that results in two fragments. The following figure
168 illustrates the "original" attack packet, prior to fragmentation, and
169 the two resulting fragments which are actually sent as part of the
170 attack.
172 Original packet:
174 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
175 |NH=60| |NH=58| | |
176 +-+-+-+ +-+-+-+ + +
177 | IPv6 header | Dst Opt Hdr | ICMPv6 RA |
178 + + + +
179 | | | |
180 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
182 First fragment:
184 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
185 |NH=44| |NH=60| |NH=58| |
186 +-+-+-+ +-+-+-+ +-+-+-+ +
187 | IPv6 Header | Frag Hdr | Dst Opt Hdr |
188 + + + +
189 | | | |
190 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
192 Second fragment:
194 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
195 |NH=44| |NH=60| | | |
196 +-+-+-+ +-+-+-+ + + +
197 | IPv6 header | Frag Hdr | Dst Opt Hdr | ICMPv6 RA |
198 + + + + +
199 | | | | |
200 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
202 It should be noted that the "Hdr Ext Len" field of the Destination
203 Options Header is present in the first fragment (rather than the
204 second). Therefore, it is impossible for a device processing only
205 the second fragment to locate the ICMPv6 header contained in that
206 fragment, since it is unknown how many bytes should be "skipped" to
207 get to the next header following the Destination Options Header.
209 Thus, by leveraging the use of the Fragment Header together with the
210 use of the Destination Options header, the attacker is able to
211 conceal the type and contents of the ICMPv6 message he is sending (an
212 ICMPv6 Router Advertisement in this example). Unless the layer-2
213 device were to implement IPv6 fragment reassembly, it would be
214 impossible for the device to identify the ICMPv6 type of the message.
216 A layer-2 device could, however, at least detect that that an
217 ICMPv6 message (or some type) is being sent, since the "Next
218 Header" field of the Destination Options header contained in the
219 first fragment is set to "58" (ICMPv6).
221 This idea can be taken further, such that it is also impossible for
222 the layer-2 device to detect that the attacker is sending an ICMPv6
223 message in the first place. This can be achieved with an original
224 ICMPv6 Router Advertisement message preceded with two Destination
225 Options Headers, that results in two fragments. The following figure
226 illustrates the "original" attack packet, prior to fragmentation, and
227 the two resulting packets which are actually sent as part of the
228 attack.
230 Original packet:
232 +-+-+-+-+-+-+-+-+-+-+-+-//+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
233 |NH=60| |NH=60| |NH=58| | |
234 +-+-+-+ +-+-+-+ +-+-+-+ + +
235 | IPv6 header | Dst Opt Hdr | Dst Opt Hdr | ICMPv6 RA |
236 + + + + +
237 | | | | |
238 +-+-+-+-+-+-+-+-+-+-+-+-//+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
240 First fragment:
242 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
243 |NH=44| |NH=60| |NH=60| |
244 +-+-+-+ +-+-+-+ +-+-+-+ +
245 | IPv6 header | Frag Hdr | Dst Opt Hdr |
246 + + + +
247 | | | |
248 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
250 Second fragment:
252 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
253 |NH=44| |NH=60| | |NH=58| | |
254 +-+-+-+ +-+-+-+ + +-+-+-+ + +
255 | IPv6 header | Frag Hdr | Dst O Hdr | Dst Opt Hdr | ICMPv6 RA |
256 + + + + + +
257 | | | | | |
258 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
260 In this variant, the "Next Header" field of the Destination Options
261 header contained in the first fragment is set "60" (Destination
262 Options header), and thus it is impossible for a device processing
263 only the first fragment to detect that an ICMPv6 message is being
264 sent in the first place.
266 The second fragment presents the same challenges as the second
267 fragment of the previous variant. That is, it would be impossible
268 for a device processing only the second fragment to locate the second
269 Destination Options header (and hence the ICMPv6 header), since the
270 "Hdr Ext Len" field of the first Destination Options header is
271 present in the first fragment (rather than the second).
273 3. RA-Guard implementation advice
275 The following filtering rules MUST be implemented as part of an "RA-
276 Guard" implementation on those ports that are not allowed to send
277 ICMPv6 Router Advertisement messages, such that the vulnerabilities
278 discussed in this document are eliminated:
280 1. When trying to identify an ICMPv6 Router Advertisement message,
281 follow the IPv6 header chain, enforcing a limit on the maximum
282 number of Extension Headers that is allowed for each packet. If
283 such limit is hit before the upper-layer protocol is identified,
284 silently drop the packet.
286 2. If the packet is identified to be an ICMPv6 Router Advertisement
287 message, silently drop the packet.
289 3. If the layer-2 device is unable to identify whether the packet is
290 an ICMPv6 Router Advertisement message or not (i.e., the packet
291 is a fragment, and the necessary information is missing), the
292 IPv6 Source Address of the packet is a link-local address or the
293 unspecified address (::), and the Hop Limit is 255, silently drop
294 the packet.
296 4. In all other cases, pass the packet as usual.
298 Note: For the purpose of enforcing the RA-Guard filtering policy,
299 an ESP header [RFC4303] should be considered to be an "upper-layer
300 protocol" (that is, it should be considered the last header in the
301 IPv6 header chain). This means that packets employing ESP would
302 be passed by the RA-Guard device to the intended destination. If
303 the destination host does not have a security association with the
304 sender of the aforementioned IPv6 packet, the packet would be
305 dropped. Otherwise, if the packet is considered valid by the
306 IPsec implementation at the receiving host and encapsulates a
307 Router Advertisement message, it is up to the receiving host what
308 to do with such packet.
310 In order to protect current end-node IPv6 implementations, Rule #3
311 has been defined as a default rule to drop packets that cannot be
312 positively identified as RA packets or not (perhaps due to the fact
313 that it contains fragments that do not contain the entire IPv6 header
314 chain). This means that, at least in theory, RA-Guard could result
315 in false-positive blocking of some legitimate non-RA packets that
316 could not be positively identified as being non-RA. In order to
317 reduce the likelihood of false positives, Rule #3 also requires that
318 an RA-Guard implementation check, before dropping an unidentifiable
319 packet, that it has an IPv6 Source Address that is a link-local
320 address or the unspecified address (::), and that the Hop Limit is
321 255. In any case, as noted in
322 [I-D.gont-6man-oversized-header-chain], IPv6 packets that fail to
323 include the entire IPv6 header chain are anyway unlikely to survive
324 in real networks. Whilst currently legitimate from a specifications
325 standpoint, they are virtually impossible to police with state-less
326 filters and firewalls, and are hence likely to be blocked by such
327 filters and firewalls.
329 This filtering policy assumes that host implementations require that
330 the IPv6 Source Address of ICMPv6 Router Advertisement messages be a
331 link-local address, and that they discard the packet if this check
332 fails, as required by the current IETF specifications [RFC4861].
333 Additionally, it assumes that hosts require the Hop Limit of Neighbor
334 Discovery messages to be 255, and discard those packets otherwise.
336 Finally, note that the aforementioned filtering rules implicitly
337 handle the case of fragmented packets: if the RA-Guard device fails
338 to identify the upper-layer protocol as a result of the use of
339 fragmentation, the corresponding packets would be silently dropped.
341 4. Other Implications
343 A similar concept to that of "RA-Guard" has been implemented for
344 protecting against forged DHCPv6 messages. Such protection can be
345 circumvented with the same techniques discussed in this document, and
346 the counter-measures for such evasion attack are analogous to those
347 described in Section 3 of this document.
349 5. Security Considerations
351 This document describes a number of techniques that have been found
352 to be effective to circumvent popular RA-Guard implementations.
354 The most effective and efficient mitigation for these attacks would
355 be to prohibit the use of some IPv6 extension headers with Router
356 Advertisement messages (as proposed by
357 [I-D.gont-6man-nd-extension-headers]), such that the RA-Guard
358 functionality is easier to implement. However, since such mitigation
359 would require an update to existing implementations, it cannot be
360 relied upon in the short or near term.
362 6. Acknowledgements
364 The author would like to thank Ran Atkinson, Karl Auer, Robert
365 Downie, David Farmer, Marc Heuse, Ray Hunter, Simon Perreault, Arturo
366 Servin, and Gunter van de Velde, for providing valuable comments on
367 earlier versions of this document.
369 The author would like to thank Arturo Servin, who presented this work
370 at IETF 81.
372 This document resulted from the project "Security Assessment of the
373 Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by
374 Fernando Gont on behalf of the UK Centre for the Protection of
375 National Infrastructure (CPNI). The author would like to thank the
376 UK CPNI, for their continued support.
378 7. References
380 7.1. Normative References
382 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
383 Requirement Levels", BCP 14, RFC 2119, March 1997.
385 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
386 RFC 4303, December 2005.
388 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
389 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
390 September 2007.
392 7.2. Informative References
394 [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
395 Problem Statement", RFC 6104, February 2011.
397 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
398 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
399 February 2011.
401 [I-D.gont-6man-oversized-header-chain]
402 Gont, F. and V. Manral, "Security and Interoperability
403 Implications of Oversized IPv6 Header Chains",
404 draft-gont-6man-oversized-header-chain-00 (work in
405 progress), February 2012.
407 [I-D.gont-6man-nd-extension-headers]
408 Gont, F., "Security Implications of the Use of IPv6
409 Extension Headers with IPv6 Neighbor Discovery",
410 draft-gont-6man-nd-extension-headers-02 (work in
411 progress), January 2012.
413 [CPNI-IPv6]
414 Gont, F., "Security Assessment of the Internet Protocol
415 version 6 (IPv6)", UK Centre for the Protection of
416 National Infrastructure, (available on request).
418 [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor",
419 .
421 [rafixd] "rafixd", .
424 [ramond] "ramond", .
426 [THC-IPV6]
427 "THC-IPV6", .
429 Appendix A. Changes from previous versions of the draft (to be removed
430 by the RFC Editor before publication of this document as a
431 RFC
433 A.1. Changes from draft-ietf-v6ops-ra-guard-implementation-00
435 o The filtering rules in Section 3 have been further clarified.
437 A.2. Changes from draft-gont-v6ops-ra-guard-implementation-01
439 o Document resubmitted as draft-ietf to reflect wg adoption.
441 A.3. Changes from draft-gont-v6ops-ra-guard-implementation-00
443 o Miscellaneous (minor) editorial changes.
445 o The filtering rules in Section 3 have been polished.
447 A.4. Changes from draft-gont-v6ops-ra-guard-evasion-01
449 o The contents were updated to reflect that the evasion
450 vulnerabilities are based on implementation flaws, rather than on
451 the RA-Guard "concept" itself.
453 o The I-D now focuses on providing advice to RA-Guard implementers.
455 Appendix B. Assessment tools
457 CPNI has produced assessment tools (which have not yet been made
458 publicly available) to assess RA-Guard implementations with respect
459 to the issues described in this document. If you think that you
460 would benefit from these tools, we might be able to provide a copy of
461 the tools (please contact Fernando Gont at fernando@gont.com.ar).
463 [THC-IPV6] is a publicly-available set of tools that implements some
464 of the techniques described in this document.
466 Appendix C. Advice and guidance to vendors
468 Vendors are urged to contact CSIRTUK (csirt@cpni.gsi.gov.uk) if they
469 think they may be affected by the issues described in this document.
470 As the lead coordination centre for these issues, CPNI is well placed
471 to give advice and guidance as required.
473 CPNI works extensively with government departments and agencies,
474 commercial organisations and the academic community to research
475 vulnerabilities and potential threats to IT systems especially where
476 they may have an impact on Critical National Infrastructure's (CNI).
478 Other ways to contact CPNI, plus CPNI's PGP public key, are available
479 at http://www.cpni.gov.uk.
481 Author's Address
483 Fernando Gont
484 Centre for the Protection of National Infrastructure
486 Email: fgont@si6networks.com
487 URI: http://www.cpni.gov.uk