INTERNET-DRAFT                                             S. Moonesamy
Intended Status: Informational
Expires: June 22, 2014                                December 19, 2013


          Mitigation against IPv6 Router Advertisements flooding
                   draft-moonesamy-ra-flood-limit-01

Abstract

   An IPv6 Router Advertisements flooding attack can cause a node to
   consume all available CPU resources, making the system unusable and
   unresponsive.  This document recommends configurable variables that
   mitigate an IPv6 Router Advertisements flooding attack.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Copyright and License Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Router Advertisement Configuration Variables
     2.1.  MaxInterfacePrefixes
     2.2.  MaxInterfaceRouters
     2.3.  MaxRedirect
   3.  Security Considerations
   4.  IANA Considerations
   5.  Acknowledgments
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A
   Author's Address

1.  Introduction

   The Neighbor Discovery protocol [RFC4861] describes the operation of
   IPv6 Router Advertisements (RAs), which hosts use to obtain
   configuration information during the IPv6 autoconfiguration process.
   A Router Advertisements flooding attack [RAFLOOD] can cause a node to
   consume all available CPU resources or exhaust kernel memory, making
   the system unusable and unresponsive.  The rogue IPv6 Router
   Advertisement problem is documented in RFC 6104 [RFC6104].

   This document recommends configurable variables that mitigate a
   Router Advertisements flooding attack.

2.  Router Advertisement Configuration Variables

   A host silently discards Router Advertisement information that would
   exceed one of the configurable limits below.  Default values are
   specified so that none of these variables needs to be configured.

2.1.  MaxInterfacePrefixes

   This variable is the maximum number of prefixes created per interface
   by Router Advertisements.

   Default: 16

2.2.  MaxInterfaceRouters

   This variable is the maximum number of default routers created per
   interface by Router Advertisements.

   Default: 16

2.3.  MaxRedirect

   This variable is the maximum number of dynamic routes created via
   ICMPv6 Redirect messages.

   Default: 4096

3.  Security Considerations

   The Router Advertisements flooding attack can cause a denial of
   service.  The configuration variables described in this document
   bound the amount of state an attacker can create on a host and so
   limit the scope of the attack.
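   The following is an added example and not part of this draft: a
   host-side model of the Section 2 limits under a flood.  It parses
   ICMPv6 Router Advertisements in RFC 4861 wire format, keeps the
   per-interface default-router list and prefix list, silently discards
   entries beyond MaxInterfaceRouters and MaxInterfacePrefixes, and logs
   an alert the first time each limit is hit.  The attack traffic, the
   fe80:: sources and the 2001:db8::/32 prefixes are constructed inside
   the file; the Interface class and its method names are this
   example's own and do not describe any BSD implementation.  MaxRedirect
   is not modelled, but a cap on Redirect-created dynamic routes works
   the same way.

```python
"""Host-side model of the draft's per-interface RA limits (added example, not part of the draft).

Parses ICMPv6 Router Advertisements in RFC 4861 wire format, builds the default-router
list and prefix list one interface would derive from them, and enforces
MaxInterfaceRouters / MaxInterfacePrefixes by silently discarding the excess and
logging an alert.  All traffic is constructed in this file; nothing touches the network.
"""
import ipaddress
import random
import struct

MAX_INTERFACE_PREFIXES = 16   # Section 2.1 default
MAX_INTERFACE_ROUTERS = 16    # Section 2.2 default
ND_ROUTER_ADVERT = 134        # ICMPv6 type of a Router Advertisement (RFC 4861 4.2)
ND_OPT_PREFIX_INFO = 3        # Prefix Information option type (RFC 4861 4.6.2)
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def build_ra(router_lifetime, prefixes, flags=0xC0):
    """Serialise an RA payload (checksum left 0) with one Prefix Information option per prefix."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    opts = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(str(p))
        # type, length (4 x 8 octets), prefix length, L|A flags, valid, preferred, reserved, prefix
        opts += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                            2592000, 604800, 0) + net.network_address.packed
    return hdr + opts


def parse_ra(payload):
    """Return (router_lifetime, [IPv6Network, ...]) or None if the RA is malformed (RFC 4861 7.1.2)."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT or payload[1] != 0:
        return None
    router_lifetime = struct.unpack("!H", payload[6:8])[0]
    prefixes, off = [], 16
    while off < len(payload):
        if off + 2 > len(payload):
            return None
        otype, olen = payload[off], payload[off + 1]
        if olen == 0 or off + 8 * olen > len(payload):   # zero-length or truncated option: drop RA
            return None
        if otype == ND_OPT_PREFIX_INFO and olen == 4:
            plen, flags = payload[off + 2], payload[off + 3]
            addr = int.from_bytes(payload[off + 16:off + 32], "big")
            # State is only created for on-link (L) or autonomous (A) prefixes; link-local is ignored.
            if plen <= 128 and flags & 0xC0 and ipaddress.IPv6Address(addr) not in LINK_LOCAL:
                prefixes.append(ipaddress.IPv6Network((addr, plen), strict=False))
        off += 8 * olen                                   # options of other types are skipped
    return router_lifetime, prefixes


class Interface:
    """ND state of one interface under the draft's caps; src is the RA's validated link-local source."""

    def __init__(self, max_prefixes=MAX_INTERFACE_PREFIXES, max_routers=MAX_INTERFACE_ROUTERS):
        self.max_prefixes, self.max_routers = max_prefixes, max_routers
        self.default_routers = {}                  # canonical link-local address -> router lifetime
        self.prefixes = set()                      # canonical "prefix/len" strings
        self.discarded = {"routers": 0, "prefixes": 0}
        self.alerts = {}                           # Section 3: one alert per limit, when first hit

    def _discard(self, kind):
        self.discarded[kind] += 1
        if kind not in self.alerts:
            self.alerts[kind] = f"RA {kind} limit reached; further {kind} from RAs are discarded"

    def receive_ra(self, src, payload):
        parsed = parse_ra(payload)
        if parsed is None:
            return False
        src = str(ipaddress.IPv6Address(src))
        lifetime, prefixes = parsed
        if lifetime == 0:                          # RFC 4861 6.3.4: lifetime 0 removes the router
            self.default_routers.pop(src, None)
        elif src in self.default_routers or len(self.default_routers) < self.max_routers:
            self.default_routers[src] = lifetime   # refresh an existing entry or add a new one
        else:
            self._discard("routers")
        for p in map(str, prefixes):
            if p in self.prefixes:
                continue
            if len(self.prefixes) < self.max_prefixes:
                self.prefixes.add(p)
            else:
                self._discard("prefixes")
        return True


def ra_flood(iface, count, rng):
    """Constructed attack traffic: each RA from a fresh link-local source, advertising a random global /64."""
    for _ in range(count):
        src = ipaddress.IPv6Address(0xFE80 << 112 | rng.randrange(1 << 64))
        prefix = ipaddress.IPv6Network(((0x2000 | rng.randrange(1 << 13)) << 112 | rng.randrange(1 << 48) << 64, 64))
        iface.receive_ra(src, build_ra(1800, [prefix]))


def simulate(limits=True, flood_size=1000, seed=1):
    """A legitimate router, then the flood, then a second legitimate router that shows up late."""
    iface = Interface() if limits else Interface(max_prefixes=1 << 30, max_routers=1 << 30)
    iface.receive_ra("fe80::1", build_ra(1800, ["2001:db8:1::/64"]))
    ra_flood(iface, flood_size, random.Random(seed))
    iface.receive_ra("fe80::2", build_ra(1800, ["2001:db8:2::/64"]))
    return iface
```

   With the caps disabled, simulate(limits=False) leaves 1002 default
   routers and 1002 prefixes on the interface after a 1000-packet flood,
   which is the state whose creation and maintenance exhausts the host.
   With the Section 2 defaults both lists stop at 16 and the router seen
   first, fe80::1, keeps its entry, but the legitimate router fe80::2
   that appears after the flood is discarded along with its prefix,
   which is exactly the loss of valid information that the paragraph
   below warns about.  On FreeBSD the corresponding kernel knobs are the
   sysctls net.inet6.ip6.maxifprefixes, net.inet6.ip6.maxifdefrouters
   and net.inet6.ip6.maxdynroutes; confirm the running values with
   sysctl net.inet6.ip6 rather than relying on this text.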
   Once a limit is reached, valid Router Advertisement information is
   also likely to be lost: the host cannot tell a legitimate router's
   prefixes and default-router entries from the attacker's, so the
   mitigation described in this document bounds the damage but does not
   prevent that loss.  It is recommended that the host log a system
   alert when a configurable limit is reached.

4.  IANA Considerations

   [RFC Editor: please remove this section]

5.  Acknowledgments

   Marc Heuse published an advisory about the IPv6 Router Advertisements
   flooding attack in 2011.  The author would like to thank David
   Farmer, Joel M. Halpern, Marc Heuse and Arturo Servin for
   contributing to the document.

6.  References

6.1.  Normative References

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              September 2007.

6.2.  Informative References

   [RFC6104]  Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
              Problem Statement", RFC 6104, February 2011.

   [RAFLOOD]

Appendix A

   The default values mentioned in Section 2 have been implemented in
   FreeBSD, NetBSD and OpenBSD.

Author's Address

   S. Moonesamy
   76, Ylang Ylang Avenue
   Quatres Bornes
   Mauritius

   Email: sm+ietf@elandsys.com