idnits 2.17.1
draft-ietf-v6ops-ra-guard-implementation-02.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
-- The document date (March 8, 2012) is 4432 days in the past. Is this
intentional?
Checking references for intended status: Best Current Practice
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Outdated reference: A later version (-02) exists of
draft-gont-6man-oversized-header-chain-00
== Outdated reference: A later version (-03) exists of
draft-gont-6man-nd-extension-headers-02
Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 IPv6 Operations Working Group (v6ops) F. Gont
3 Internet-Draft UK CPNI
4 Intended status: BCP March 8, 2012
5 Expires: September 9, 2012
7 Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
8 draft-ietf-v6ops-ra-guard-implementation-02
10 Abstract
12 The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly
13 employed to mitigate attack vectors based on forged ICMPv6 Router
14 Advertisement messages. Many existing IPv6 deployments rely on RA-
15 Guard as the first line of defense against the aforementioned attack
16 vectors. However, some implementations of RA-Guard have been found
17 to be prone to circumvention by employing IPv6 Extension Headers.
18 This document describes the evasion techniques that affect the
19 aforementioned implementations, and provides advice on the
20 implementation of RA-Guard, such that the RA-Guard evasion vectors
21 are eliminated.
23 Status of this Memo
25 This Internet-Draft is submitted in full conformance with the
26 provisions of BCP 78 and BCP 79.
28 Internet-Drafts are working documents of the Internet Engineering
29 Task Force (IETF). Note that other groups may also distribute
30 working documents as Internet-Drafts. The list of current Internet-
31 Drafts is at http://datatracker.ietf.org/drafts/current/.
33 Internet-Drafts are draft documents valid for a maximum of six months
34 and may be updated, replaced, or obsoleted by other documents at any
35 time. It is inappropriate to use Internet-Drafts as reference
36 material or to cite them other than as "work in progress."
38 This Internet-Draft will expire on September 9, 2012.
40 Copyright Notice
42 Copyright (c) 2012 IETF Trust and the persons identified as the
43 document authors. All rights reserved.
45 This document is subject to BCP 78 and the IETF Trust's Legal
46 Provisions Relating to IETF Documents
47 (http://trustee.ietf.org/license-info) in effect on the date of
48 publication of this document. Please review these documents
49 carefully, as they describe your rights and restrictions with respect
50 to this document. Code Components extracted from this document must
51 include Simplified BSD License text as described in Section 4.e of
52 the Trust Legal Provisions and are provided without warranty as
53 described in the Simplified BSD License.
55 Table of Contents
57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
58 2. Evasion techniques for some Router Advertisement Guard (RA
59 Guard) implementations . . . . . . . . . . . . . . . . . . . . 4
60 2.1. Attack Vector based on IPv6 Extension Headers . . . . . . 4
61 2.2. Attack vector based on IPv6 fragmentation . . . . . . . . 4
62 3. RA-Guard implementation advice . . . . . . . . . . . . . . . . 8
63 4. Other Implications . . . . . . . . . . . . . . . . . . . . . . 10
64 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
65 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 12
66 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
67 7.1. Normative References . . . . . . . . . . . . . . . . . . . 13
68 7.2. Informative References . . . . . . . . . . . . . . . . . . 13
69 Appendix A. Changes from previous versions of the draft (to
70 be removed by the RFC Editor before publication
71 of this document as a RFC . . . . . . . . . . . . . . 15
72 A.1. Changes from
73 draft-ietf-v6ops-ra-guard-implementation-00 . . . . . . . 15
74 A.2. Changes from
75 draft-gont-v6ops-ra-guard-implementation-01 . . . . . . . 15
76 A.3. Changes from
77 draft-gont-v6ops-ra-guard-implementation-00 . . . . . . . 15
78 A.4. Changes from draft-gont-v6ops-ra-guard-evasion-01 . . . . 15
79 Appendix B. Assessment tools . . . . . . . . . . . . . . . . . . 16
80 Appendix C. Advice and guidance to vendors . . . . . . . . . . . 17
81 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 18
83 1. Introduction
85 IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique
86 for attack vectors based on ICMPv6 Router Advertisement messages.
87 [RFC6104] describes the problem statement of "Rogue IPv6 Router
88 Advertisements", and [RFC6105] specifies the "IPv6 Router
89 Advertisement Guard" functionality.
91 The basic concept behind RA-Guard is that a layer-2 device filters
92 ICMPv6 Router Advertisement messages, according to a number of
93 different criteria. The most basic filtering criterion is that
94 Router Advertisement messages are discarded by the layer-2 device
95 unless they are received on a specified port of the layer-2 device.
96 Clearly, the effectiveness of the RA Guard mitigation relies on the
97 ability of the layer-2 device to identify ICMPv6 Router Advertisement
98 messages.
100 Some popular RA-Guard implementations have been found to be easy to
101 circumvent by employing IPv6 extension headers [CPNI-IPv6]. This
102 document describes such evasion techniques, and provides advice to
103 RA-Guard implementers such that the aforementioned evasion vectors
104 can be eliminated.
106 It should be noted that the aforementioned techniques could also be
107 exploited to evade network monitoring tools such as NDPMon [NDPMon],
108 ramond [ramond], and rafixd [rafixd], and could probably be exploited
109 to perform stealth DHCPv6 attacks.
111 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
112 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
113 document are to be interpreted as described in RFC 2119 [RFC2119].
115 2. Evasion techniques for some Router Advertisement Guard (RA Guard)
116 implementations
118 The following subsections describe two different vectors that have
119 been found to be effective for the evasion of popular implementations
120 of the RA-Guard protection. Section 2.1 describes an attack vector
121 based on the use of IPv6 Extension Headers with the ICMPv6 Router
122 Advertisement messages, which may be used to circumvent the RA-Guard
123 protection of those implementations that fail to process an entire
124 IPv6 header chain when trying to identify the ICMPv6 Router
125 Advertisement messages. Section 2.2 describes an attack method based
126 on the use of IPv6 fragmentation, possibly in conjunction with the
127 use of IPv6 Extension Headers. This later vector has been found to
128 be effective with all existing implementations of the RA-Guard
129 mechanism.
131 2.1. Attack Vector based on IPv6 Extension Headers
133 While there is currently no legitimate use for IPv6 Extension Headers
134 in ICMPv6 Router Advertisement messages, Neighbor Discovery
135 implementations allow the use of Extension Headers with these
136 messages, by simply ignoring the received options. Some RA-Guard
137 implementations try to identify ICMPv6 Router Advertisement messages
138 by simply looking at the "Next Header" field of the fixed IPv6
139 header, rather than following the entire header chain. As a result,
140 such implementations fail to identify any ICMPv6 Router Advertisement
141 messages that include any Extension Headers (for example, a Hop by
142 Hop Options header, a Destination Options Header, etc.), and can be
143 easily circumvented.
145 The following figure illustrates the structure of ICMPv6 Router
146 Advertisement messages that implement this evasion technique:
148 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
149 |NH=60| |NH=58| | |
150 +-+-+-+ +-+-+-+ + +
151 | IPv6 header | Dst Opt Hdr | ICMPv6 Router Advertisement |
152 + + + +
153 | | | |
154 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
156 2.2. Attack vector based on IPv6 fragmentation
158 This section presents a different attack vector, which has been found
159 to be effective against all implementations of RA-Guard. The basic
160 idea behind this attack vector is that if the forged ICMPv6 Router
161 Advertisement is fragmented into at least two fragments, the layer-2
162 device implementing "RA-Guard" would be unable to identify the attack
163 packet, and would thus fail to block it.
165 A first variant of this attack vector would be an original ICMPv6
166 Router Advertisement message preceded with a Destination Options
167 Header, that results in two fragments. The following figure
168 illustrates the "original" attack packet, prior to fragmentation, and
169 the two resulting fragments which are actually sent as part of the
170 attack.
172 Original packet:
174 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
175 |NH=60| |NH=58| | |
176 +-+-+-+ +-+-+-+ + +
177 | IPv6 header | Dst Opt Hdr | ICMPv6 RA |
178 + + + +
179 | | | |
180 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
182 First fragment:
184 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
185 |NH=44| |NH=60| |NH=58| |
186 +-+-+-+ +-+-+-+ +-+-+-+ +
187 | IPv6 Header | Frag Hdr | Dst Opt Hdr |
188 + + + +
189 | | | |
190 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
192 Second fragment:
194 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
195 |NH=44| |NH=60| | | |
196 +-+-+-+ +-+-+-+ + + +
197 | IPv6 header | Frag Hdr | Dst Opt Hdr | ICMPv6 RA |
198 + + + + +
199 | | | | |
200 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
202 It should be noted that the "Hdr Ext Len" field of the Destination
203 Options Header is present in the first fragment (rather than the
204 second). Therefore, it is impossible for a device processing only
205 the second fragment to locate the ICMPv6 header contained in that
206 fragment, since it is unknown how many bytes should be "skipped" to
207 get to the next header following the Destination Options Header.
209 Thus, by leveraging the use of the Fragment Header together with the
210 use of the Destination Options header, the attacker is able to
211 conceal the type and contents of the ICMPv6 message he is sending (an
212 ICMPv6 Router Advertisement in this example). Unless the layer-2
213 device were to implement IPv6 fragment reassembly, it would be
214 impossible for the device to identify the ICMPv6 type of the message.
216 A layer-2 device could, however, at least detect that that an
217 ICMPv6 message (or some type) is being sent, since the "Next
218 Header" field of the Destination Options header contained in the
219 first fragment is set to "58" (ICMPv6).
221 This idea can be taken further, such that it is also impossible for
222 the layer-2 device to detect that the attacker is sending an ICMPv6
223 message in the first place. This can be achieved with an original
224 ICMPv6 Router Advertisement message preceded with two Destination
225 Options Headers, that results in two fragments. The following figure
226 illustrates the "original" attack packet, prior to fragmentation, and
227 the two resulting packets which are actually sent as part of the
228 attack.
230 Original packet:
232 +-+-+-+-+-+-+-+-+-+-+-+-//+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
233 |NH=60| |NH=60| |NH=58| | |
234 +-+-+-+ +-+-+-+ +-+-+-+ + +
235 | IPv6 header | Dst Opt Hdr | Dst Opt Hdr | ICMPv6 RA |
236 + + + + +
237 | | | | |
238 +-+-+-+-+-+-+-+-+-+-+-+-//+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
240 First fragment:
242 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
243 |NH=44| |NH=60| |NH=60| |
244 +-+-+-+ +-+-+-+ +-+-+-+ +
245 | IPv6 header | Frag Hdr | Dst Opt Hdr |
246 + + + +
247 | | | |
248 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
250 Second fragment:
252 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
253 |NH=44| |NH=60| | |NH=58| | |
254 +-+-+-+ +-+-+-+ + +-+-+-+ + +
255 | IPv6 header | Frag Hdr | Dst O Hdr | Dst Opt Hdr | ICMPv6 RA |
256 + + + + + +
257 | | | | | |
258 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
260 In this variant, the "Next Header" field of the Destination Options
261 header contained in the first fragment is set "60" (Destination
262 Options header), and thus it is impossible for a device processing
263 only the first fragment to detect that an ICMPv6 message is being
264 sent in the first place.
266 The second fragment presents the same challenges as the second
267 fragment of the previous variant. That is, it would be impossible
268 for a device processing only the second fragment to locate the second
269 Destination Options header (and hence the ICMPv6 header), since the
270 "Hdr Ext Len" field of the first Destination Options header is
271 present in the first fragment (rather than the second).
273 3. RA-Guard implementation advice
275 The following filtering rules MUST be implemented as part of an "RA-
276 Guard" implementation on those ports that are not allowed to send
277 ICMPv6 Router Advertisement messages, such that the vulnerabilities
278 discussed in this document are eliminated:
280 1. When trying to identify an ICMPv6 Router Advertisement message,
281 follow the IPv6 header chain, enforcing a limit on the maximum
282 number of Extension Headers that is allowed for each packet. If
283 such limit is hit before the upper-layer protocol is identified,
284 silently drop the packet.
286 2. If the packet is identified to be an ICMPv6 Router Advertisement
287 message, silently drop the packet.
289 3. If the layer-2 device is unable to identify whether the packet is
290 an ICMPv6 Router Advertisement message or not (i.e., the packet
291 is a first-fragment, and the necessary information is missing),
292 the IPv6 Source Address of the packet is a link-local address or
293 the unspecified address (::), and the Hop Limit is 255, silently
294 drop the packet.
296 Note: This rule should only be applied to non-fragmented IPv6
297 datagrams and IPv6 fragments with a Fragment Offset of 0 (non-
298 first fragments can be safely passed, since they will never
299 reassemble into a complete datagram if they are part of a
300 Router Advertisement received on a port where such packets are
301 not allowed).
303 4. In all other cases, pass the packet as usual.
305 Note: For the purpose of enforcing the RA-Guard filtering policy,
306 an ESP header [RFC4303] should be considered to be an "upper-layer
307 protocol" (that is, it should be considered the last header in the
308 IPv6 header chain). This means that packets employing ESP would
309 be passed by the RA-Guard device to the intended destination. If
310 the destination host does not have a security association with the
311 sender of the aforementioned IPv6 packet, the packet would be
312 dropped. Otherwise, if the packet is considered valid by the
313 IPsec implementation at the receiving host and encapsulates a
314 Router Advertisement message, it is up to the receiving host what
315 to do with such packet.
317 In order to protect current end-node IPv6 implementations, Rule #3
318 has been defined as a default rule to drop packets that cannot be
319 positively identified as RA packets or not (perhaps due to the fact
320 that it contains fragments that do not contain the entire IPv6 header
321 chain). This means that, at least in theory, RA-Guard could result
322 in false-positive blocking of some legitimate non-RA packets that
323 could not be positively identified as being non-RA. In order to
324 reduce the likelihood of false positives, Rule #3 also requires that
325 an RA-Guard implementation check, before dropping an unidentifiable
326 packet, that it has an IPv6 Source Address that is a link-local
327 address or the unspecified address (::), and that the Hop Limit is
328 255. In any case, as noted in
329 [I-D.gont-6man-oversized-header-chain], IPv6 packets that fail to
330 include the entire IPv6 header chain are anyway unlikely to survive
331 in real networks. Whilst currently legitimate from a specifications
332 standpoint, they are virtually impossible to police with state-less
333 filters and firewalls, and are hence likely to be blocked by such
334 filters and firewalls.
336 This filtering policy assumes that host implementations require that
337 the IPv6 Source Address of ICMPv6 Router Advertisement messages be a
338 link-local address, and that they discard the packet if this check
339 fails, as required by the current IETF specifications [RFC4861].
340 Additionally, it assumes that hosts require the Hop Limit of Neighbor
341 Discovery messages to be 255, and discard those packets otherwise.
343 Finally, note that the aforementioned filtering rules implicitly
344 handle the case of fragmented packets: if the RA-Guard device fails
345 to identify the upper-layer protocol as a result of the use of
346 fragmentation, the corresponding packets would be silently dropped.
348 4. Other Implications
350 A similar concept to that of "RA-Guard" has been implemented for
351 protecting against forged DHCPv6 messages. Such protection can be
352 circumvented with the same techniques discussed in this document, and
353 the counter-measures for such evasion attack are analogous to those
354 described in Section 3 of this document.
356 5. Security Considerations
358 This document describes a number of techniques that have been found
359 to be effective to circumvent popular RA-Guard implementations, and
360 provides advice to RA-Guard implementations such that those evasion
361 vulnerabilities are eliminated.
363 We note that if an attacker sends a fragmented Router Advertisement
364 message on a port not allowed to send such packets, the first-
365 fragment would be dropped, and the rest of the fragments would be
366 passed. This means that the victim node would tie memory buffers for
367 the aforementioned fragments, which would never reassemble into a
368 complete datagram. If a large number of such packets were sent by an
369 attacker, and the victim node failed to implement proper resource
370 management for the fragment reassembly buffer, this could lead to a
371 Denial of Service (DoS). However, this does not really introduce a
372 new attack vector, since an attacker could always perform the same
373 attack by sending forged fragmented datagram in which at least one of
374 the fragments is missing. [CPNI-IPv6] discusses some resource
375 management strategies that could be implemented for the fragment
376 reassembly buffer.
378 Finally, we note that most effective and efficient mitigation for
379 these attacks would be to prohibit the use of IPv6 fragmentation with
380 Router Advertisement messages (as proposed by
381 [I-D.gont-6man-nd-extension-headers]), such that the RA-Guard
382 functionality is easier to implement. However, since such mitigation
383 would require an update to existing implementations, it cannot be
384 relied upon in the short or near term.
386 6. Acknowledgements
388 The author would like to thank Ran Atkinson, Karl Auer, Robert
389 Downie, Washam Fan, David Farmer, Marc Heuse, Ray Hunter, Simon
390 Perreault, Arturo Servin, and Gunter van de Velde, for providing
391 valuable comments on earlier versions of this document.
393 The author would like to thank Arturo Servin, who presented this
394 document at IETF 81.
396 This document resulted from the project "Security Assessment of the
397 Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by
398 Fernando Gont on behalf of the UK Centre for the Protection of
399 National Infrastructure (CPNI). The author would like to thank the
400 UK CPNI, for their continued support.
402 7. References
404 7.1. Normative References
406 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
407 Requirement Levels", BCP 14, RFC 2119, March 1997.
409 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
410 RFC 4303, December 2005.
412 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
413 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
414 September 2007.
416 7.2. Informative References
418 [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
419 Problem Statement", RFC 6104, February 2011.
421 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
422 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
423 February 2011.
425 [I-D.gont-6man-oversized-header-chain]
426 Gont, F. and V. Manral, "Security and Interoperability
427 Implications of Oversized IPv6 Header Chains",
428 draft-gont-6man-oversized-header-chain-00 (work in
429 progress), February 2012.
431 [I-D.gont-6man-nd-extension-headers]
432 Gont, F., "Security Implications of the Use of IPv6
433 Extension Headers with IPv6 Neighbor Discovery",
434 draft-gont-6man-nd-extension-headers-02 (work in
435 progress), January 2012.
437 [CPNI-IPv6]
438 Gont, F., "Security Assessment of the Internet Protocol
439 version 6 (IPv6)", UK Centre for the Protection of
440 National Infrastructure, (available on request).
442 [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor",
443 .
445 [rafixd] "rafixd", .
448 [ramond] "ramond", .
450 [THC-IPV6]
451 "THC-IPV6", .
453 Appendix A. Changes from previous versions of the draft (to be removed
454 by the RFC Editor before publication of this document as a
455 RFC
457 A.1. Changes from draft-ietf-v6ops-ra-guard-implementation-00
459 o The filtering rules in Section 3 have been further clarified.
461 A.2. Changes from draft-gont-v6ops-ra-guard-implementation-01
463 o Document resubmitted as draft-ietf to reflect wg adoption.
465 A.3. Changes from draft-gont-v6ops-ra-guard-implementation-00
467 o Miscellaneous (minor) editorial changes.
469 o The filtering rules in Section 3 have been polished.
471 A.4. Changes from draft-gont-v6ops-ra-guard-evasion-01
473 o The contents were updated to reflect that the evasion
474 vulnerabilities are based on implementation flaws, rather than on
475 the RA-Guard "concept" itself.
477 o The I-D now focuses on providing advice to RA-Guard implementers.
479 Appendix B. Assessment tools
481 CPNI has produced assessment tools (which have not yet been made
482 publicly available) to assess RA-Guard implementations with respect
483 to the issues described in this document. If you think that you
484 would benefit from these tools, we might be able to provide a copy of
485 the tools (please contact Fernando Gont at fernando@gont.com.ar).
487 [THC-IPV6] is a publicly-available set of tools that implements some
488 of the techniques described in this document.
490 Appendix C. Advice and guidance to vendors
492 Vendors are urged to contact CSIRTUK (csirt@cpni.gsi.gov.uk) if they
493 think they may be affected by the issues described in this document.
494 As the lead coordination centre for these issues, CPNI is well placed
495 to give advice and guidance as required.
497 CPNI works extensively with government departments and agencies,
498 commercial organisations and the academic community to research
499 vulnerabilities and potential threats to IT systems especially where
500 they may have an impact on Critical National Infrastructure's (CNI).
502 Other ways to contact CPNI, plus CPNI's PGP public key, are available
503 at http://www.cpni.gov.uk.
505 Author's Address
507 Fernando Gont
508 Centre for the Protection of National Infrastructure
510 Email: fgont@si6networks.com
511 URI: http://www.cpni.gov.uk