idnits 2.17.1 draft-ietf-v6ops-ra-guard-implementation-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 11, 2012) is 4368 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Best Current Practice ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Outdated reference: A later version (-02) exists of draft-gont-6man-oversized-header-chain-01 == Outdated reference: A later version (-03) exists of draft-gont-6man-nd-extension-headers-02 Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 IPv6 Operations Working Group (v6ops) F. Gont 3 Internet-Draft UK CPNI 4 Intended status: BCP May 11, 2012 5 Expires: November 12, 2012 7 Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard) 8 draft-ietf-v6ops-ra-guard-implementation-03 10 Abstract 12 The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly 13 employed to mitigate attack vectors based on forged ICMPv6 Router 14 Advertisement messages. Many existing IPv6 deployments rely on RA- 15 Guard as the first line of defense against the aforementioned attack 16 vectors. However, some implementations of RA-Guard have been found 17 to be prone to circumvention by employing IPv6 Extension Headers. 18 This document describes the evasion techniques that affect the 19 aforementioned implementations, and provides advice on the 20 implementation of RA-Guard, such that the RA-Guard evasion vectors 21 are eliminated. 23 Status of this Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on November 12, 2012. 40 Copyright Notice 42 Copyright (c) 2012 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 2. Evasion techniques for some Router Advertisement Guard (RA 59 Guard) implementations . . . . . . . . . . . . . . . . . . . . 4 60 2.1. Attack Vector based on IPv6 Extension Headers . . . . . . 4 61 2.2. Attack vector based on IPv6 fragmentation . . . . . . . . 4 62 3. RA-Guard implementation advice . . . . . . . . . . . . . . . . 8 63 4. Other Implications . . . . . . . . . . . . . . . . . . . . . . 11 64 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 65 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 66 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 67 7.1. Normative References . . . . . . . . . . . . . . . . . . . 14 68 7.2. Informative References . . . . . . . . . . . . . . . . . . 14 69 Appendix A. Assessment tools . . . . . . . . . . . . . . . . . . 16 70 Appendix B. Advice and guidance to vendors . . . . . . . . . . . 17 71 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 18 73 1. Introduction 75 IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique 76 for attack vectors based on ICMPv6 Router Advertisement messages. 77 [RFC6104] describes the problem statement of "Rogue IPv6 Router 78 Advertisements", and [RFC6105] specifies the "IPv6 Router 79 Advertisement Guard" functionality. 81 The concept behind RA-Guard is that a layer-2 device filters ICMPv6 82 Router Advertisement messages, according to a number of different 83 criteria. The most basic filtering criterion is that Router 84 Advertisement messages are discarded by the layer-2 device unless 85 they are received on a specified port of the layer-2 device. 86 Clearly, the effectiveness of the RA Guard mitigation relies on the 87 ability of the layer-2 device to identify ICMPv6 Router Advertisement 88 messages. 90 Some popular RA-Guard implementations have been found to be easy to 91 circumvent by employing IPv6 extension headers [CPNI-IPv6]. This 92 document describes such evasion techniques, and provides advice to 93 RA-Guard implementers such that the aforementioned evasion vectors 94 can be eliminated. 96 It should be noted that the aforementioned techniques could also be 97 exploited to evade network monitoring tools such as NDPMon [NDPMon], 98 ramond [ramond], and rafixd [rafixd], and could probably be exploited 99 to perform stealth DHCPv6 attacks. 101 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 102 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 103 document are to be interpreted as described in RFC 2119 [RFC2119]. 105 2. Evasion techniques for some Router Advertisement Guard (RA Guard) 106 implementations 108 The following subsections describe two different vectors that have 109 been found to be effective for the evasion of popular implementations 110 of the RA-Guard protection. Section 2.1 describes an attack vector 111 based on the use of IPv6 Extension Headers with the ICMPv6 Router 112 Advertisement messages, which may be used to circumvent the RA-Guard 113 protection of those implementations that fail to process an entire 114 IPv6 header chain when trying to identify the ICMPv6 Router 115 Advertisement messages. Section 2.2 describes an attack method based 116 on the use of IPv6 fragmentation, possibly in conjunction with the 117 use of IPv6 Extension Headers. This later vector has been found to 118 be effective with all existing implementations of the RA-Guard 119 mechanism. 121 2.1. Attack Vector based on IPv6 Extension Headers 123 While there is currently no legitimate use for IPv6 Extension Headers 124 in ICMPv6 Router Advertisement messages, Neighbor Discovery 125 implementations allow the use of Extension Headers with these 126 messages, by simply ignoring the received options. Some RA-Guard 127 implementations try to identify ICMPv6 Router Advertisement messages 128 by simply looking at the "Next Header" field of the fixed IPv6 129 header, rather than following the entire header chain. As a result, 130 such implementations fail to identify any ICMPv6 Router Advertisement 131 messages that include any Extension Headers (for example, a Hop by 132 Hop Options header, a Destination Options Header, etc.), and can be 133 easily circumvented. 135 The following figure illustrates the structure of ICMPv6 Router 136 Advertisement messages that implement this evasion technique: 138 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 139 |NH=60| |NH=58| | | 140 +-+-+-+ +-+-+-+ + + 141 | IPv6 header | Dst Opt Hdr | ICMPv6 Router Advertisement | 142 + + + + 143 | | | | 144 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 146 2.2. Attack vector based on IPv6 fragmentation 148 This section presents a different attack vector, which has been found 149 to be effective against all implementations of RA-Guard. The basic 150 idea behind this attack vector is that if the forged ICMPv6 Router 151 Advertisement is fragmented into at least two fragments, the layer-2 152 device implementing "RA-Guard" would be unable to identify the attack 153 packet, and would thus fail to block it. 155 A first variant of this attack vector would be an original ICMPv6 156 Router Advertisement message preceded with a Destination Options 157 Header, that results in two fragments. The following figure 158 illustrates the "original" attack packet, prior to fragmentation, and 159 the two resulting fragments which are actually sent as part of the 160 attack. 162 Original packet: 164 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 165 |NH=60| |NH=58| | | 166 +-+-+-+ +-+-+-+ + + 167 | IPv6 header | Dst Opt Hdr | ICMPv6 RA | 168 + + + + 169 | | | | 170 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 172 First fragment: 174 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 175 |NH=44| |NH=60| |NH=58| | 176 +-+-+-+ +-+-+-+ +-+-+-+ + 177 | IPv6 Header | Frag Hdr | Dst Opt Hdr | 178 + + + + 179 | | | | 180 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 182 Second fragment: 184 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 185 |NH=44| |NH=60| | | | 186 +-+-+-+ +-+-+-+ + + + 187 | IPv6 header | Frag Hdr | Dst Opt Hdr | ICMPv6 RA | 188 + + + + + 189 | | | | | 190 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 192 It should be noted that the "Hdr Ext Len" field of the Destination 193 Options Header is present in the first fragment (rather than the 194 second). Therefore, it is impossible for a device processing only 195 the second fragment to locate the ICMPv6 header contained in that 196 fragment, since it is unknown how many bytes should be "skipped" to 197 get to the next header following the Destination Options Header. 199 Thus, by leveraging the use of the Fragment Header together with the 200 use of the Destination Options header, the attacker is able to 201 conceal the type and contents of the ICMPv6 message he is sending (an 202 ICMPv6 Router Advertisement in this example). Unless the layer-2 203 device were to implement IPv6 fragment reassembly, it would be 204 impossible for the device to identify the ICMPv6 type of the message. 206 A layer-2 device could, however, at least detect that that an 207 ICMPv6 message (or some type) is being sent, since the "Next 208 Header" field of the Destination Options header contained in the 209 first fragment is set to "58" (ICMPv6). 211 This idea can be taken further, such that it is also impossible for 212 the layer-2 device to detect that the attacker is sending an ICMPv6 213 message in the first place. This can be achieved with an original 214 ICMPv6 Router Advertisement message preceded with two Destination 215 Options Headers, that results in two fragments. The following figure 216 illustrates the "original" attack packet, prior to fragmentation, and 217 the two resulting packets which are actually sent as part of the 218 attack. 220 Original packet: 222 +-+-+-+-+-+-+-+-+-+-+-+-//+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 223 |NH=60| |NH=60| |NH=58| | | 224 +-+-+-+ +-+-+-+ +-+-+-+ + + 225 | IPv6 header | Dst Opt Hdr | Dst Opt Hdr | ICMPv6 RA | 226 + + + + + 227 | | | | | 228 +-+-+-+-+-+-+-+-+-+-+-+-//+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 230 First fragment: 232 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 233 |NH=44| |NH=60| |NH=60| | 234 +-+-+-+ +-+-+-+ +-+-+-+ + 235 | IPv6 header | Frag Hdr | Dst Opt Hdr | 236 + + + + 237 | | | | 238 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 240 Second fragment: 242 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 243 |NH=44| |NH=60| | |NH=58| | | 244 +-+-+-+ +-+-+-+ + +-+-+-+ + + 245 | IPv6 header | Frag Hdr | Dst O Hdr | Dst Opt Hdr | ICMPv6 RA | 246 + + + + + + 247 | | | | | | 248 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 250 In this variant, the "Next Header" field of the Destination Options 251 header contained in the first fragment is set "60" (Destination 252 Options header), and thus it is impossible for a device processing 253 only the first fragment to detect that an ICMPv6 message is being 254 sent in the first place. 256 The second fragment presents the same challenges as the second 257 fragment of the previous variant. That is, it would be impossible 258 for a device processing only the second fragment to locate the second 259 Destination Options header (and hence the ICMPv6 header), since the 260 "Hdr Ext Len" field of the first Destination Options header is 261 present in the first fragment (rather than the second). 263 3. RA-Guard implementation advice 265 The following filtering rules MUST be implemented as part of an "RA- 266 Guard" implementation on those ports that are not allowed to send 267 ICMPv6 Router Advertisement messages, such that the vulnerabilities 268 discussed in this document are eliminated: 270 1. If the IPv6 Source Address of the packet is not a link-local 271 address (fe80::/10), pass the packet. 273 Section 6.1.2 of [RFC4861] requires nodes to discard Router 274 Advertisement messages if their IPv6 Source Address is not a 275 link-local address. 277 2. If the Hop Limit is not 255, pass the packet. 279 Section 6.1.2 of [RFC4861] requires nodes to discard Router 280 Advertisement messages if their Hop Limit is not 255. 282 3. Try to identify whether the packet is an ICMPv6 Router 283 Advertisement message, by parsing the IPv6 header chain. When 284 doing so, enforce a limit on the maximum number of Extension 285 Headers that is allowed for each packet, and if such limit is hit 286 before the upper-layer protocol is identified, drop the packet. 288 [RFC6564] specifies a uniform format for IPv6 Extension 289 Header, thus meaning that an IPv6 node should be able to parse 290 an IPv6 header chain even if it contains Extension Headers 291 that are not currently supported by that node. 293 4. If the layer-2 device is unable to identify whether the packet is 294 an ICMPv6 Router Advertisement message or not (i.e., the packet 295 is a first-fragment, and the necessary information is missing), 296 drop the packet. 298 Note: This rule should only be applied to non-fragmented IPv6 299 datagrams and IPv6 fragments with a Fragment Offset of 0 (non- 300 first fragments can be safely passed, since they will never 301 reassemble into a complete datagram if they are part of a 302 Router Advertisement received on a port where such packets are 303 not allowed). 305 5. If the packet is identified to be an ICMPv6 Router Advertisement 306 message, drop the packet. 308 6. In all other cases, pass the packet as usual. 310 Note: For the purpose of enforcing the RA-Guard filtering policy, 311 an ESP header [RFC4303] should be considered to be an "upper-layer 312 protocol" (that is, it should be considered the last header in the 313 IPv6 header chain). This means that packets employing ESP would 314 be passed by the RA-Guard device to the intended destination. If 315 the destination host does not have a security association with the 316 sender of the aforementioned IPv6 packet, the packet would be 317 dropped. Otherwise, if the packet is considered valid by the 318 IPsec implementation at the receiving host and encapsulates a 319 Router Advertisement message, it is up to the receiving host what 320 to do with such packet. 322 If a packet is dropped due to this filtering policy, then the packet 323 drop event SHOULD be logged. The logging mechanism SHOULD include a 324 drop counter dedicated to RA-Guard packet drops. 326 In order to protect current end-node IPv6 implementations, Rule #4 327 has been defined as a default rule to drop packets that cannot be 328 positively identified as not being Router Advertisement (RA) messages 329 (possibly because the packet contains fragments that do not contain 330 the entire IPv6 header chain). This means that, at least in theory, 331 RA-Guard could result in false-positive blocking of some legitimate 332 non-RA packets that could not be positively identified as being 333 non-RA. In order to reduce the likelihood of false positives, Rule 334 #1 and Rule #2 require that packets that would not pass the required 335 validation checks for RA messages (Section 6.1.2 of [RFC4861]) be 336 passed without further inspection. In any case, as noted in 337 [I-D.gont-6man-oversized-header-chain], IPv6 packets that fail to 338 include the entire IPv6 header chain are anyway unlikely to survive 339 in real networks. Whilst currently legitimate from a specifications 340 standpoint, they are virtually impossible to police with state-less 341 filters and firewalls, and are hence likely to be blocked by such 342 filters and firewalls. 344 This filtering policy assumes that host implementations require that 345 the IPv6 Source Address of ICMPv6 Router Advertisement messages be a 346 link-local address, and that they discard the packet if this check 347 fails, as required by the current IETF specifications [RFC4861]. 348 Additionally, it assumes that hosts require the Hop Limit of Neighbor 349 Discovery messages to be 255, and discard those packets otherwise. 351 The aforementioned filtering rules implicitly handle the case of 352 fragmented packets: if the RA-Guard device fails to identify the 353 upper-layer protocol as a result of the use of fragmentation, the 354 corresponding packets would be dropped. 356 Finally, we note that IPv6 implementations that allow overlapping 357 fragments (i.e. that do not comply with [RFC5722]) might still be 358 subject of RA-based attacks. However, a recent assessment of IPv6 359 implementations [SI6-FRAG] with respect to their fragment reassembly 360 policy seems to indicate that most current implementations comply 361 with [RFC5722]. 363 4. Other Implications 365 A similar concept to that of "RA-Guard" has been implemented for 366 protecting against forged DHCPv6 messages. Such protection can be 367 circumvented with the same techniques discussed in this document, and 368 the counter-measures for such evasion attack are analogous to those 369 described in Section 3 of this document. 371 5. Security Considerations 373 This document describes a number of techniques that have been found 374 to be effective to circumvent popular RA-Guard implementations, and 375 provides advice to RA-Guard implementations such that those evasion 376 vulnerabilities are eliminated. 378 As noted in Section 3, IPv6 implementations that allow overlapping 379 fragments (i.e. that do not comply with [RFC5722]) might still be 380 subject of RA-based attacks. However, most current 381 implementations seem to comply with [RFC5722]. 383 We note that if an attacker sends a fragmented Router Advertisement 384 message on a port not allowed to send such packets, the first- 385 fragment would be dropped, and the rest of the fragments would be 386 passed. This means that the victim node would tie memory buffers for 387 the aforementioned fragments, which would never reassemble into a 388 complete datagram. If a large number of such packets were sent by an 389 attacker, and the victim node failed to implement proper resource 390 management for the fragment reassembly buffer, this could lead to a 391 Denial of Service (DoS). However, this does not really introduce a 392 new attack vector, since an attacker could always perform the same 393 attack by sending forged fragmented datagram in which at least one of 394 the fragments is missing. [CPNI-IPv6] discusses some resource 395 management strategies that could be implemented for the fragment 396 reassembly buffer. 398 Finally, we note that most effective and efficient mitigation for 399 these attacks would be to prohibit the use of IPv6 fragmentation with 400 Router Advertisement messages (as proposed by 401 [I-D.gont-6man-nd-extension-headers]), such that the RA-Guard 402 functionality is easier to implement. However, since such mitigation 403 would require an update to existing implementations, it cannot be 404 relied upon in the short or near term. 406 6. Acknowledgements 408 The author would like to thank Ran Atkinson, Karl Auer, Robert 409 Downie, Washam Fan, David Farmer, Marc Heuse, Nick Hilliard, Ray 410 Hunter, Simon Perreault, Arturo Servin, Gunter van de Velde, James 411 Woodyatt, and Bjoern A. Zeeb, for providing valuable comments on 412 earlier versions of this document. 414 The author would like to thank Arturo Servin, who presented this 415 document at IETF 81. 417 This document resulted from the project "Security Assessment of the 418 Internet Protocol version 6 (IPv6)" [CPNI-IPv6], carried out by 419 Fernando Gont on behalf of the UK Centre for the Protection of 420 National Infrastructure (CPNI). The author would like to thank the 421 UK CPNI, for their continued support. 423 7. References 425 7.1. Normative References 427 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 428 Requirement Levels", BCP 14, RFC 2119, March 1997. 430 [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", 431 RFC 4303, December 2005. 433 [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, 434 "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, 435 September 2007. 437 [RFC5722] Krishnan, S., "Handling of Overlapping IPv6 Fragments", 438 RFC 5722, December 2009. 440 [RFC6564] Krishnan, S., Woodyatt, J., Kline, E., Hoagland, J., and 441 M. Bhatia, "A Uniform Format for IPv6 Extension Headers", 442 RFC 6564, April 2012. 444 7.2. Informative References 446 [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement 447 Problem Statement", RFC 6104, February 2011. 449 [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. 450 Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, 451 February 2011. 453 [I-D.gont-6man-oversized-header-chain] 454 Gont, F. and V. Manral, "Security and Interoperability 455 Implications of Oversized IPv6 Header Chains", 456 draft-gont-6man-oversized-header-chain-01 (work in 457 progress), April 2012. 459 [I-D.gont-6man-nd-extension-headers] 460 Gont, F., "Security Implications of the Use of IPv6 461 Extension Headers with IPv6 Neighbor Discovery", 462 draft-gont-6man-nd-extension-headers-02 (work in 463 progress), January 2012. 465 [CPNI-IPv6] 466 Gont, F., "Security Assessment of the Internet Protocol 467 version 6 (IPv6)", UK Centre for the Protection of 468 National Infrastructure, (available on request). 470 [NDPMon] "NDPMon - IPv6 Neighbor Discovery Protocol Monitor", 471 . 473 [rafixd] "rafixd", . 476 [ramond] "ramond", . 478 [SI6-FRAG] 479 SI6 Networks, "IPv6 NIDS evasion and improvements in IPv6 480 fragmentation/reassembly", 2012, . 484 [THC-IPV6] 485 "The Hacker's Choice IPv6 Attack Toolkit", 486 . 488 Appendix A. Assessment tools 490 CPNI has produced assessment tools (which have not yet been made 491 publicly available) to assess RA-Guard implementations with respect 492 to the issues described in this document. If you think that you 493 would benefit from these tools, we might be able to provide a copy of 494 the tools (please contact Fernando Gont at fernando@gont.com.ar). 496 [THC-IPV6] is a publicly-available set of tools that implements some 497 of the techniques described in this document. 499 Appendix B. Advice and guidance to vendors 501 Vendors are urged to contact CSIRTUK (csirt@cpni.gsi.gov.uk) if they 502 think they may be affected by the issues described in this document. 503 As the lead coordination centre for these issues, CPNI is well placed 504 to give advice and guidance as required. 506 CPNI works extensively with government departments and agencies, 507 commercial organisations and the academic community to research 508 vulnerabilities and potential threats to IT systems especially where 509 they may have an impact on Critical National Infrastructure's (CNI). 511 Other ways to contact CPNI, plus CPNI's PGP public key, are available 512 at http://www.cpni.gov.uk. 514 Author's Address 516 Fernando Gont 517 Centre for the Protection of National Infrastructure 519 Email: fgont@si6networks.com 520 URI: http://www.cpni.gov.uk