--- 1/draft-ietf-v6ops-6to4-security-01.txt 2006-02-05 02:07:09.000000000 +0100 +++ 2/draft-ietf-v6ops-6to4-security-02.txt 2006-02-05 02:07:09.000000000 +0100 @@ -1,146 +1,149 @@ v6ops Working Group P. Savola Internet-Draft CSC/FUNET -Expires: August 10, 2004 C. Patel +Expires: September 7, 2004 C. Patel All Play, No Work - Feb 10, 2004 + Mar 9, 2004 Security Considerations for 6to4 - draft-ietf-v6ops-6to4-security-01.txt + draft-ietf-v6ops-6to4-security-02.txt Status of this Memo - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. + By submitting this Internet-Draft, I certify that any applicable + patent or other IPR claims of which I am aware have been disclosed, + and any of which I become aware will be disclosed, in accordance with + RFC 3667. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on August 10, 2004. + This Internet-Draft will expire on September 7, 2004. Copyright Notice Copyright (C) The Internet Society (2004). All Rights Reserved. Abstract The IPv6 interim mechanism 6to4 (RFC3056) uses automatic IPv6-over-IPv4 tunneling to interconnect IPv6 networks. The architecture includes 6to4 routers and 6to4 relay routers, which accept and decapsulate IPv4 protocol-41 ("IPv6-in-IPv4") traffic from - any node in the IPv4 internet. This characteristic enable ones to go - around access controls and perform Denial of Service attacks using - 6to4 relays or 6to4 routers. It also makes it easier for nodes to - spoof IPv6 addresses. This document discusses these issues in more - detail and suggests enhancements to alleviate the problems. + any node in the IPv4 internet. This characteristic enables a number + of security threats, mainly Denial of Service. It also makes it + easier for nodes to spoof IPv6 addresses. This document discusses + these issues in more detail and suggests enhancements to alleviate + the problems. Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 - 2. Different 6to4 Forwarding Scenarios . . . . . . . . . . . . 5 - 2.1 From 6to4 to 6to4 . . . . . . . . . . . . . . . . . . . . . 5 - 2.2 From Native to 6to4 . . . . . . . . . . . . . . . . . . . . 5 - 2.3 From 6to4 to Native . . . . . . . . . . . . . . . . . . . . 6 - 2.4 Other Models . . . . . . . . . . . . . . . . . . . . . . . . 6 - 2.4.1 BGP Between 6to4 Routers and Relays . . . . . . . . . . . . 7 - 2.4.2 6to4 as an Optimization Method . . . . . . . . . . . . . . . 7 - 2.4.3 6to4 as Tunnel End-Point Addressing Mechanism . . . . . . . 7 - 3. Functionalities of 6to4 Network Components . . . . . . . . . 9 - 3.1 6to4 Routers . . . . . . . . . . . . . . . . . . . . . . . . 9 - 3.2 6to4 Relay Routers . . . . . . . . . . . . . . . . . . . . . 10 - 4. Threat Analysis . . . . . . . . . . . . . . . . . . . . . . 11 - 4.1 Attacks on 6to4 Networks . . . . . . . . . . . . . . . . . . 12 - 4.1.1 Attacks with ND Messages . . . . . . . . . . . . . . . . . . 13 - 4.1.2 Spoofing Traffic to 6to4 Nodes . . . . . . . . . . . . . . . 14 - 4.1.3 Reflecting Traffic to 6to4 Nodes . . . . . . . . . . . . . . 16 - 4.1.4 Local IPv4 Broadcast Attack . . . . . . . . . . . . . . . . 18 - 4.2 Attacks on Native IPv6 Internet . . . . . . . . . . . . . . 19 - 4.2.1 Attacks with ND Messages . . . . . . . . . . . . . . . . . . 20 - 4.2.2 Spoofing Traffic to Native IPv6 node . . . . . . . . . . . . 20 - 4.2.3 Reflecting Traffic to Native IPv6 nodes . . . . . . . . . . 22 - 4.2.4 Local IPv4 Broadcast Attack . . . . . . . . . . . . . . . . 23 - 4.2.5 Theft of Service . . . . . . . . . . . . . . . . . . . . . . 24 - 4.2.6 Relay Operators Seen as Source of Abuse . . . . . . . . . . 25 - 4.3 Attacks on IPv4 Internet . . . . . . . . . . . . . . . . . . 26 - 4.4 Summary of the Attacks . . . . . . . . . . . . . . . . . . . 27 - 5. Implementing Proper Security Checks in 6to4 . . . . . . . . 29 - 5.1 Encapsulating IPv6 into IPv4 . . . . . . . . . . . . . . . . 29 - 5.2 Decapsulating IPv4 into IPv6 . . . . . . . . . . . . . . . . 30 - 5.3 IPv4 and IPv6 Sanity Checks . . . . . . . . . . . . . . . . 30 - 5.3.1 IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 - 5.3.2 IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 - 5.3.3 Optional Ingress Filtering . . . . . . . . . . . . . . . . . 32 - 5.3.4 Notes About the Checks . . . . . . . . . . . . . . . . . . . 32 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Different 6to4 Forwarding Scenarios . . . . . . . . . . . . 4 + 2.1 From 6to4 to 6to4 . . . . . . . . . . . . . . . . . . 4 + 2.2 From Native to 6to4 . . . . . . . . . . . . . . . . . 4 + 2.3 From 6to4 to Native . . . . . . . . . . . . . . . . . 5 + 2.4 Other Models . . . . . . . . . . . . . . . . . . . . . 5 + 2.4.1 BGP Between 6to4 Routers and Relays . . . . . . 6 + 2.4.2 6to4 as an Optimization Method . . . . . . . . . 6 + 2.4.3 6to4 as Tunnel End-Point Addressing Mechanism . 6 + 3. Functionalities of 6to4 Network Components . . . . . . . . . 8 + 3.1 6to4 Routers . . . . . . . . . . . . . . . . . . . . . 8 + 3.2 6to4 Relay Routers . . . . . . . . . . . . . . . . . . 9 + 4. Threat Analysis . . . . . . . . . . . . . . . . . . . . . . 10 + 4.1 Attacks on 6to4 Networks . . . . . . . . . . . . . . . 11 + 4.1.1 Attacks with ND Messages . . . . . . . . . . . . 12 + 4.1.2 Spoofing Traffic to 6to4 Nodes . . . . . . . . . 13 + 4.1.3 Reflecting Traffic to 6to4 Nodes . . . . . . . . 16 + 4.1.4 Local IPv4 Broadcast Attack . . . . . . . . . . 17 + 4.2 Attacks on Native IPv6 Internet . . . . . . . . . . . 19 + 4.2.1 Attacks with ND Messages . . . . . . . . . . . . 19 + 4.2.2 Spoofing Traffic to Native IPv6 node . . . . . . 20 + 4.2.3 Reflecting Traffic to Native IPv6 nodes . . . . 21 + 4.2.4 Local IPv4 Broadcast Attack . . . . . . . . . . 23 + 4.2.5 Theft of Service . . . . . . . . . . . . . . . . 23 + 4.2.6 Relay Operators Seen as Source of Abuse . . . . 25 + 4.3 Attacks on IPv4 Internet . . . . . . . . . . . . . . . 26 + 4.4 Summary of the Attacks . . . . . . . . . . . . . . . . 26 + 5. Implementing Proper Security Checks in 6to4 . . . . . . . . 28 + 5.1 Encapsulating IPv6 into IPv4 . . . . . . . . . . . . . 29 + 5.2 Decapsulating IPv4 into IPv6 . . . . . . . . . . . . . 29 + 5.3 IPv4 and IPv6 Sanity Checks . . . . . . . . . . . . . 30 + 5.3.1 IPv4 . . . . . . . . . . . . . . . . . . . . . . 30 + 5.3.2 IPv6 . . . . . . . . . . . . . . . . . . . . . . 31 + 5.3.3 Optional Ingress Filtering . . . . . . . . . . . 31 + 5.3.4 Notes About the Checks . . . . . . . . . . . . . 31 6. Issues in 6to4 Implementation and Use . . . . . . . . . . . 32 - 6.1 Implementation Considerations with Automatic Tunnels . . . . 32 - 6.2 Anyone Pretending to Be a 6to4 Relay . . . . . . . . . . . . 33 - 6.2.1 Limited Distribution of More Specific Routes . . . . . . . . 34 - 6.2.2 A Different Model for 6to4 Deployment . . . . . . . . . . . 35 - 7. Security Considerations . . . . . . . . . . . . . . . . . . 35 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 36 - Normative References . . . . . . . . . . . . . . . . . . . . 36 - Informative References . . . . . . . . . . . . . . . . . . . 37 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 38 - A. Some Trivial Attack Scenarios Outlined . . . . . . . . . . . 38 - B. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 39 - Intellectual Property and Copyright Statements . . . . . . . 40 + 6.1 Implementation Considerations with Automatic Tunnels . 32 + 6.2 A Different Model for 6to4 Deployment . . . . . . . . 33 + 7. Security Considerations . . . . . . . . . . . . . . . . . . 34 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 34 + Normative References . . . . . . . . . . . . . . . . . . . . 35 + Informative References . . . . . . . . . . . . . . . . . . . 35 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 36 + A. Some Trivial Attack Scenarios Outlined . . . . . . . . . . . 37 + B. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 38 + Intellectual Property and Copyright Statements . . . . . . . 39 1. Introduction The IPv6 interim mechanism "6to4" [1] specifies automatic IPv6-over-IPv4 tunneling to interconnect isolated IPv6 clouds by embedding the tunnel IPv4 address in the IPv6 6to4 prefix. Two characteristics of the 6to4 mechanism introduce most of the security considerations: 1. All 6to4 routers must accept and decapsulate IPv4 packets from every other 6to4 router, and 6to4 relays. 2. 6to4 relay routers must accept traffic from any native IPv6 node. Since the 6to4 router must accept from traffic from any other 6to4 - router or relay, it implies a certain level of trust, and there are - no strict constraints on what the IPv6 packet may contain. Thus, - addresses within the IPv4, and IPv6 header may be spoofed, and this - property leads to various types of threats including DoS, and - reflection DoS. + router or relay, a certain requirement for trust is implied, and + there are no strict constraints on what the IPv6 packet may contain. + Thus, addresses within the IPv4, and IPv6 header may be spoofed, and + this property leads to various types of threats including different + flavors of Denial of Service -attacks. - The 6to4 specification outlined quite a few security considerations, - but it has been shown that in practice some of them have been - difficult to get implemented due to their abstract nature. + The 6to4 specification outlined a few security considerations and + rules, but was very ambiguous on their exact requirement level. + Further, the description of the considerations was rather short, and + in fact, some of them have been proven to be difficult to understand + or impossible to implement. This draft analyzes the 6to4 security issues in more detail and outlines some enhancements and caveats. Section 2, and Section 3 are more or less introductory in nature, rehashing how 6to4 is used today based on the 6to4 specification, so that it is easier to understand how security could be affected. Section 4 provides a threat analysis for implementations that already - implement most of the security checks. Section 5 introduces some - filtering rules for 6to4 implementations, and Section 6 provides - further discussion on a few issues which have proven to be difficult. - Appendix A outlines a few possible trivial attack scenarios in the - case that very little or no security has been implemented. + implement most of the security checks. Section 5 describes the + optimal decapsulation/encapsulation rules for 6to4 implementations, + and Section 6 provides further discussion on a few issues which have + proven to be difficult to implement. Appendix A outlines a few + possible trivial attack scenarios in the case that very little or no + security has been implemented. For the sake of simplicity, in this document, native IPv6 Internet is assumed to encompass IPv6 networks formed using other transition mechanisms (e.g. RFC 2893 [4]), as these mechanisms cannot talk directly 6to4 network. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [2]. @@ -241,22 +244,24 @@ 2.4.1 BGP Between 6to4 Routers and Relays Section 5.2.2.2 in [1] presents a model where, instead of static configuration, BGP [5] is used between 6to4 relay routers and 6to4 routers. If the 6to4 router established a BGP session between all the possible 6to4 relays, and advertised its /48 prefix to them, the traffic from non-6to4 sites would always come from a "known" relay. Alternatively, the 6to4 relays might advertise the more specific 6to4 - routes between 6to4 relays, as described in Section 6.2.1 in this - memo. + routes between 6to4 relays. + + Both of these approaches are more or less obviously infeasible due to + scalability issues. Neither of these models are known to be used at the time of writing; this is probably caused by the fact that parties that need 6to4 are those that are not able to run BGP, and because setting up these sessions would be much more work for relay operators. 2.4.2 6to4 as an Optimization Method Some sites seem to use 6to4 as an IPv6 connectivity "optimization method"; that is, they have also non-6to4 addresses on their nodes @@ -345,63 +349,74 @@ provided in Section 5. This section summarizes the main functions of the various components that are part of a 6to4 network - 6to4 relay routers, and 6to4 routers. Refer to Section 1.1 of RFC 3056 [1] for 6to4 related definitions. 3.1 6to4 Routers The 6to4 routers acts as the border router of a 6to4 domain. It does - not have a native, global IPv6 address. The main functions of the - 6to4 router are: + not have a native, global IPv6 address except in certain special + cases. Since the specification [1] uses the term "6to4 router", this + memo does the same; however, note that we also include a single host + with a 6to4 pseudo-interface, which doesn't otherwise act as a + router, in this definition. The main functions of the 6to4 router + are: o Provide IPv6 connectivity to local clients and routers. o Tunnel packets sent to foreign 6to4 addresses to the destination 6to4 router using IPv4. o Forward packets sent to locally configured 6to4 addresses to the 6to4 network. o Tunnel packets sent to non-6to4 addresses, to the configured/ closest-by-anycast 6to4 relay router. o Decapsulate directly received IPv4 packets from foreign 6to4 addresses. o Decapsulate IPv4 packets received via the relay closest to the native IPv6 sources. Note, it is not easily distinguishable that the packet was really received from a 6to4 relay router, not from a spoofing third party.) - The 6to4 router will also perform security checks on traffic that it - will receive from other 6to4 relays, or 6to4 routers, or from within - the 6to4 site. These checks include: + The 6to4 router should also perform security checks on traffic that + it will receive from other 6to4 relays, or 6to4 routers, or from + within the 6to4 site. These checks include: o Disallow traffic that has private, broadcast or reserved IPv4 addresses in tunnels, or the matching 6to4 prefixes. o Disallow traffic from 6to4 routers where the IPv4 tunnel source - address does not match the 6to4 prefix. + address does not match the 6to4 prefix. (Note that the + pseudo-interface must pick the IPv4 address corresponding to the + prefix when encapsulating, or else problems may ensue on e.g., + multi-interface routers.) o Disallow traffic where the destination IPv6 address is not a global address; in particular, e.g. link-local addresses, mapped addresses and such should not be used. o Disallow traffic transmission to other 6to4 domains through 6to4 - relay router or via some third party 6to4 router. + relay router or via some third party 6to4 router. (To avoid + transmission to the relay router, the pseudo-interface prefix + length must be configured correctly to be /16. Further, to avoid + the traffic being discarded, 6to4 source addresses must always + correspond to the IPv4 address encapsulating the traffic.) o Discard traffic received from other 6to4 domains via a 6to4 relay router. - o Discard traffic received for prefixes other than self 6to4 + o Discard traffic received for prefixes other than your own 6to4 prefix(es). 3.2 6to4 Relay Routers The 6to4 relay router acts as a relay between all 6to4 domains and native IPv6 networks; more specifically: o It advertises the reachability of the 2002::/16 prefix to native IPv6 routing, thus receiving traffic to all 6to4 addresses from closest native IPv6 nodes. @@ -411,34 +426,36 @@ thus receiving some tunneled traffic to native IPv6 nodes from 6to4 routers. o Decapsulate, and forward packets received from 6to4 addresses through tunneling, using normal IPv6 routing. o Tunnels packets received through normal IPv6 routing from native addresses, and are destined for 2002::/16, to the corresponding 6to4 router. - The 6to4 relay will also perform security checks on traffic that it + The 6to4 relay should also perform security checks on traffic that it will receive from 6to4 routers, or from native IPv6 nodes. These checks are: o Disallow traffic that has private, broadcast or reserved IPv4 addresses in tunnels, or the matching 6to4 prefixes. o Disallow traffic from 6to4 routers where the IPv4 tunnel source - address does not match the 6to4 prefix. + address does not match the 6to4 prefix. (Note that the + pseudo-interface must pick the IPv4 address corresponding to the + prefix when encapsulating, or else problems may ensue on e.g., + multi-interface routers.) o Disallow traffic where the destination IPv6 address is not a global address; in particular, e.g. link-local addresses, mapped - addresses and such should not be used. Note, this check might be - incorrect if 6to4 were to be used. + addresses and such should not be used. o Discard traffic received from 6to4 routers with the destination as a 6to4 prefix. 4. Threat Analysis This section discusses attacks against the 6to4 network or attacks that are caused by the 6to4 network. The threats are discussed in light of the 6to4 deployment models defined in the Section 2. @@ -488,21 +505,21 @@ Note, one of the mitigation methods listed for various attacks is based on the premise that 6to4 relays will a have a feature that may be able to limit traffic to/from specific 6to4 sites. At the time of writing this document, such a feature is speculation, and more work needs to be done to determine the logistics of such a feature. 4.1 Attacks on 6to4 Networks This section describes attacks against 6to4 networks. Attacks which - legerate 6to4 networks, but where the ultimate victim is elsewhere + leverage 6to4 networks, but where the ultimate victim is elsewhere (e.g., a native IPv6 user, an IPv4 user) are described later in the memo. 6to4 relays and routers are IPv4 nodes, and there is no way for any 6to4 router to confirm the identity of the IPv4 node from which it is receiving traffic -- whether it is a legitimate 6to4 relay or some other node. A 6to4 router has to process traffic from all IPv4 nodes. Malicious IPv4 nodes can exploit this property and attack nodes within the 6to4 network. @@ -524,20 +541,29 @@ Since the 6to4 router assumes all the other 6to4 routers, and 6to4 relays are "on-link" it is possible to attack the 6to4 router using ND messages from any node in the IPv4 network, unless a prior trust relationship has been established. The attacks are targeting the 6to4 pseudo-interface. As long as the 6to4 addresses are not used in the source or destination address, the security checks specified by 6to4 take no stance on these packets. Typically these use link-local addresses. + For example, a possible attack could be a Route Advertisement or + Neighor Advertisement message, crafted specifically to cause havoc; + the addresses in such a packet could be like: + + src_v6 = fe80::2 (forged address) + dst_v6 = fe80::1 (valid or invalid address) + src_v4 = 8.0.0.1 (valid or forged address) + dst_v4 = 9.0.0.2 (valid address, matches dst_v6) + These attacks are exacerbated in case the implementation supports more tunneling mechanisms than just 6to4 (or configured tunneling), because it is impossible to disambiguate such mechanisms, making it difficult to enable strict security checks (see Section 6.1). The Neighbor Discovery threats (Redirect DoS, or DoS) are described in [7]. Note that all attacks may not be applicable, as the 6to4 pseudo-interface is assumed not to have a link-layer address (Section 3.8 RFC 2893 [4]). However, one should note that the 6to4 router can be either a router or host from the Neighbor Discovery perspective. @@ -570,22 +596,24 @@ tunnel end-point). However, as 6to4 provides open decapsulation, and automatic tunneling is being deprecated [9], 6to4 provides an easy means which would not exist without 6to4. 4.1.2 Spoofing Traffic to 6to4 Nodes ATTACK DESCRIPTION - The attacker - a malicious IPv4 or IPv6 node - can send packets with - spoofed source address to a 6to4 node to accomplish a DoS attack. + The attacker - a malicious IPv4 or IPv6 node - can send packets which + are difficult to trace (e.g., due to spoofing or going through a + relay) to a 6to4 node. This can be used e.g., to accomplish a DoS + attack. The IPv6 and IPv4 addresses of the packets will be similar to: src_v6 = 2001:db8::1 (forged address) dst_v6 = 2002:0900:0002::1 (valid address) src_v4 = 8.0.0.1 (valid or forged address) dst_v4 = 9.0.0.2 (valid address, matches dst_v6) For attacks launched from a native IPv6 node, the src_v4 will be the address of the relay through which the traffic will reach the 6to4 @@ -774,22 +802,25 @@ implemented, it's typically easier to attack directly than through reflection -- unless "traffic laundering" is an explicit goal in the attack. Therefore, this attack does not seem very serious. 4.1.4 Local IPv4 Broadcast Attack ATTACK DESCRIPTION This threat is applicable if the 6to4 router does not check whether the IPv4 address it tries to send encapsulated IPv6 packets to a - local broadcast address, or a multicast address. This threat is - mentioned in the specification [1]. + local broadcast address, or a multicast address. + + This threat is described in the specification [1], and implementing + the checks eliminates this threat. However, as this has not been + widely implemented, it is included here regardless for completeness. There practically two kinds of attacks: where a local 6to4 user tries to send packets to the address corresponding to the broadcast address, or when someone is able to do that remotely. In the first option, assume that 9.0.0.255 is the 6to4 router's broadcast address. After receiving the packet with a destionation address like "2002:0900:00ff::bbbb" from a local 6to4 node, if the router doesn't check the destination address for subnet broadcast, it would send the encapsulated protocol-41 packet to 9.0.0.255. This @@ -848,23 +879,23 @@ This section describes attacks against native IPv6 Internet which leverage 6to4 architecture somehow. Attacks against 6to4 nodes were described in the previous section. Native IPv6 nodes can be accessed by 6to4 and IPv4 nodes through the 6to4 relay routers. Thus the 6to4 relays play a crucial role in any attack on native IPv6 nodes by IPv4 nodes or 6to4 nodes. 6to4 relays have only one significant security check they must perform for general safety: when decapsulating IPv4 packets, check - that 2002:V4ADDR::/48 and V4ADDR match. If this is not done, several - threats become more serious; in the following analysis, it is assumed - that such checks are implemented. + that 2002:V4ADDR::/48 and V4ADDR match in the source address. If + this is not done, several threats become more serious; in the + following analysis, it is assumed that such checks are implemented. 6to4 relay should not relay packets between 6to4 addresses. In particular, packets decapsulated from 6to4 routers should not be encapsulated again towards 6to4 routers, as described in rules in Section 5. Similarly, packets with 6to4 source and destination address sent from IPv6 nodes should not be relayed. It is not clear whether this kind of check is typically implemented. The attacks described below assume that such checks are not implemented. 4.2.1 Attacks with ND Messages @@ -1184,26 +1216,20 @@ Attacks initiated by IPv4 nodes that send spoofed traffic that will not utilize the 6to4 infrastructure are considered out of scope of this document. 6to4 infrastructure may be utilized in reflection attacks that are initiated by IPv4 nodes. It is difficult for these attacks to be effective as the traffic sent out will be IPv6-in-IPv4. Such traffic will be rejected by most IPv4 nodes unless they have implemented some sort of IPv6-in-IPv4 tunneling. - Such attacks can easily be thwarted by implementing protocol-41 - filtering in IPv4 nodes or sites that do not implement IPv6 over IPv4 - tunneling. Such filters should not be made permanent, as they would - act as a hurdle if IPv6 over IPv4 tunneling mechanisms were ever to - be implemented by the IPv4 node or site. - XXX: do these need to be spelled out, as in previous sections? 4.4 Summary of the Attacks Columns: o Section number. The section that describes the attack. o Attack name. @@ -1255,60 +1280,59 @@ +-------+----------------------+---------+----------+-----+-----+ | 4.1.1 | Attacks with ND | I_4 | Router | D | 6 | +-------+----------------------+---------+----------+-----+-----+ | 4.1.2 | Spoofing Traffic | I_4,I_6 | 6to4 | D | E | +-------+----------------------+---------+----------+-----+-----+ | 4.1.3 | Reflection Attacks | * | 6to4 | R | 6* | +-------+----------------------+---------+----------+-----+-----+ | 4.1.4 | Local IPv4 Broadcast | * | Router | D | 6 | +-------+----------------------+---------+----------+-----+-----+ - Figure 8 - + Figure 9 Summary of attacks on the native IPv6 internet: +-------+----------------------+---------+----------+-----+-----+ | Sec | Attack name |Initiator| Victim | ToA | Fix | +-------+----------------------+---------+----------+-----+-----+ | 4.2.1 | Attacks with ND | I_4 | Relay | D | 6 | +-------+----------------------+---------+----------+-----+-----+ | 4.2.2 | Spoofing Traffic | I_4,6to4| I_6 | D | 6* | +-------+----------------------+---------+----------+-----+-----+ | 4.2.3 | Reflection Attacks | * | I_6 | R | 6* | +-------+----------------------+---------+----------+-----+-----+ | 4.2.4 | Local IPv4 Broadcast | * | Relay | D | 6 | +-------+----------------------+---------+----------+-----+-----+ | 4.2.5 | Theft of Service | 6to4 | Relay | T | 6 | +-------+----------------------+---------+----------+-----+-----+ | 4.2.6 | Relay Operators ... | - | - | D | 1) | +-------+----------------------+---------+----------+-----+-----+ - Figure 9 + Figure 10 Notes: 1) This attack is a side-effect of the other attacks, and thus does not have any Initiator, Victim, and Fix. It is a Denial of Service attack not on the network but on the organization in-charge of the relay. Summary of attacks on IPv4 internet: +-------+----------------------+---------+----------+-----+-----+ | Sec | Attack name |Initiator| Victim | ToA | Fix | +-------+----------------------+---------+----------+-----+-----+ | 4.3 | Spoofing Traffic | * | I_4 | D | 6* | +-------+----------------------+---------+----------+-----+-----+ | 4.3 | Reflection Attacks | * | I_4 | R | 6* | +-------+----------------------+---------+----------+-----+-----+ - Figure 10 + Figure 11 5. Implementing Proper Security Checks in 6to4 In this section, several ways to implement the security checks required or implied by the specification [1] or augmented by this memo are described. These do not, in general, protect against the majority of the threats listed above in the "Threat Analysis" section. They're just prerequisites for a relatively safe and simple 6to4 implementation. @@ -1318,26 +1342,31 @@ interface is brought up, but at least in February 2004, no implementations were known to do that. Due to that, the checks are described as one -- which works independent of whether the node is a router or relay. 5.1 Encapsulating IPv6 into IPv4 The checks described in this section are to be performed when encapsulating IPv6 into IPv4. + The encapsulation rules are mainly designed to keep one from + "shooting yourself on the foot" -- for example, the source address + check verifies that the packet will be acceptable to the + decapsulator, or the sanity checks ensure that addresses derived from + private addresses are not used (which would be equally unacceptable). + src_v6 and dst_v6 MUST pass ipv6-sanity checks (see below), else drop if prefix (src_v6) == 2002::/16 ipv4 address embedded in src_v6 MUST match src_v4 - if prefix (dst_v6) == 2002::/16 + else if prefix (dst_v6) == 2002::/16 dst_v4 SHOULD NOT be assigned to the router - fi else drop /* we somehow got a native-native ipv6 packet */ fi accept 5.2 Decapsulating IPv4 into IPv6 The checks described in this section are to be performed when decapsulating IPv4 into IPv6. They will be performed in both the @@ -1482,104 +1511,42 @@ Configured tunneling [4] does not suffer from this as it is point-to-point, and based on src_v6/dst_v6 pairs of both IPv4 and IPv6 addresses it can be deduced which logical tunnel interface is in the question. Solutions for this include 1) not using more than one automatic tunneling mechanism in a node or 2) binding different mechanisms to different IPv4 addresses. -6.2 Anyone Pretending to Be a 6to4 Relay +6.2 A Different Model for 6to4 Deployment Even though this was already discussed in Section 4.1.2, it bears some additional elaboration as it was the only problem which cannot - be even partially solved. + be even partially solved using the current deployment model -- but + there are some mitigation methods. That is, 6to4 routers receive traffic from non-6to4 ("native") sources via 6to4 relays. 6to4 routers have no way of matching IPv4 source address of the relay with non-6to4 IPv6 address of the source. Consequently, anyone can spoof any non-6to4 IPv6 address he wants by sending traffic, encapsulated, directly to 6to4 routers. - Two different models of thinking have been proposed to fix this - problem if it is considered to be important: - - o Every 6to4 relay must participate in an eBGP multi-hop peering - mesh (which can be hierarchical); it would be used to advertise - more specific routes. - - o The 6to4 usage model would be turned upside-down, and the - deployment of 6to4 would be have to be borne by native IPv6 users. - - These are described at a bit more length below. - -6.2.1 Limited Distribution of More Specific Routes - - If 6to4 prefixes more specific than 2002::/16 could be advertised, - the traffic model between native to 6to4 and 6to4 to native could be - changed so that only one 6to4 relay would always be used, most often - the one closest to the 6to4 router. - - This model was rejected in the base specification, as IPv6 routing - table was not to be polluted by 6to4 prefixes derived of IPv4 - prefixes. - - However, the problem could be avoided with some effort: creating a - separate, possibly hierarchical based on IPv6 connections, peering - mesh for 6to4 relay routers. This could be done by forming eBGP [5] - multi-hop peerings between 6to4 relays, and advertising more specific - routes (e.g., the same superblocks of IPv4 addresses one expects to - service) to all the other routers. - - In that way, the global routing table would not be impacted at all. - - This seems to have at least three potential issues: - - 1. Every 6to4 relay should be part of this (if one wants to have - some extra safety that the addresses haven't been spoofed), - - 2. The route from a native source takes the path to the first 6to4 - relay, and there (possibly through other Relays) to the last 6to4 - relay to tunnel the packet to the 6to4 router; this adds at least - some latency, and - - 3. The mechanism of redistributing IPv4 6to4 client addresses to - other relays as 6to4 prefixes needs work. - - Of these, only the last requires more discussion. It could be argued - that this advertising should either be manually configured once - (i.e., relatively static prefixes, or generated from IPv4 - route-objects in RADB [16] or generated automatically (e.g., when a - 6to4 router first sends a "triggering" packet through the 6to4 - relay). Of course, this data could even be derived in some form from - the IPv4 routing tables. Further analysis on this is TBD if - necessary. - - Even if the traffic to 6to4 routers is limited to few relays, other - IPv4 nodes can still spoof both IPv4, and IPv6 address and perform - the spoofing attack. Hence, a necessary step is to use strong - cryptography-based mechanisms to ensure the 6to4 router - 6to4 relay - relationship. Alternatively, some sort of infrastructure (e.g., - small-scale PKI) would have to be established which would have to - include all the possible 6to4 relays in the Internet. - -6.2.2 A Different Model for 6to4 Deployment - It could be possible to turn the deployment assumptions of 6to4 around a bit to eliminate some threats caused by untrusted 6to4 relays. That is: o Every dual-stack site (or even ISP) would be required to have - their own 6to4 relay. That is, there would not be third-party - relays, and the 2002::/16 route would not need to be advertised - globally, and + their own 6to4 relay. (This assumes that IPv6-only is so long away + that 6to4 would be hopefully retired at that point.) That is, + there would not be third-party relays, and the 2002::/16 route + would not need to be advertised globally, and o The security implications of 6to4 use could be pushed back to the level of trust inside the site or ISP (or their acceptable use policies) -- this is something that the sites and ISP's should be familiar with already. However, this has a number of problems: This model would shift the majority of burden of supporting 6to4 to IPv6 sites which don't employ or use 6to4 at all, i.e., "those who @@ -1622,43 +1589,42 @@ can be fixed by ensuring the correctness of implementations; this is important. The third is also a very difficult problem, and impossible to solve completely -- therefore it is important to be able to analyze whether this results in a significant increase of threats. The fourth problem seems to have feasible solutions. These are analyzed in detail in Threat Analysis, in Section 4. 8. Acknowledgments - Some issues were first brought up by Itojun Hagino in [17], and Alain + Some issues were first brought up by Itojun Hagino in [16], and Alain Durand introduced one specific problem at IETF51 in August 2001 (though there was some discussion on the list prior to that); these gave the author the push to start looking into the details of securing 6to4. Alexey Kuznetsov brought up the implementation problem with IPv6 martian checks. Christian Huitema formulated the rules that rely on 6to4 relays using only anycast. Keith Moore brought up the point about reduced flexibility. Brian Carpenter, Tony Hain and Vladislav Yasevich are acknowledged for lengthy discussions. Alain Durand reminded of relay spoofing problems. Brian Carpenter reminded of the BGP-based 6to4 router model. Christian Huitema gave a push to a more complete threat analysis. Itojun Hagino spelled out the operators' fears about 6to4 relay abuse. Rob Austein brought up the idea of a different 6to4 deployment model. In the latter phase, especially discussions with Christian Huitema, Brian Carpenter and Alain Durand were helpful when improving the document. - David Malone and [your name could be here] gave feedback on the - document. + David Malone and Iljitsch van Beijnum gave feedback on the document. Normative References [1] Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4 Clouds", RFC 3056, February 2001. [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [3] Huitema, C., "An Anycast Prefix for 6to4 Relay Routers", RFC @@ -1673,21 +1639,21 @@ RFC 1771, March 1995. [6] Draves, R., "Default Address Selection for Internet Protocol version 6 (IPv6)", RFC 3484, February 2003. [7] Nikander, P., "IPv6 Neighbor Discovery trust models and threats", draft-ietf-send-psreq-04 (work in progress), October 2003. [8] Arkko, J., "SEcure Neighbor Discovery (SEND)", - draft-ietf-send-ndopt-03 (work in progress), January 2004. + draft-ietf-send-ndopt-04 (work in progress), February 2004. [9] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms for IPv6 Hosts and Routers", draft-ietf-v6ops-mech-v2-02 (work in progress), February 2004. [10] Savola, P., "Security of IPv6 Routing Header and Home Address Options", draft-savola-ipv6-rh-ha-security-02 (work in progress), March 2002. [11] Ferguson, P. and D. Senie, "Network Ingress Filtering: @@ -1696,34 +1662,34 @@ [12] Bellovin, S., Leech, M. and T. Taylor, "ICMP Traceback Messages", draft-ietf-itrace-04 (work in progress), February 2003. [13] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812, June 1995. [14] Templin, F., Gleeson, T., Talwar, M. and D. Thaler, "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)", - draft-ietf-ngtrans-isatap-18 (work in progress), February 2004. + draft-ietf-ngtrans-isatap-20 (work in progress), February 2004. [15] Simpson, W., "IP in IP Tunneling", RFC 1853, October 1995. - [16] Merit Network Inc., "Routing Assets Database (http:// - www.radb.net)". - - [17] Hagino, J., "Possible abuse against IPv6 transition + [16] Hagino, J., "Possible abuse against IPv6 transition technologies", draft-itojun-ipv6-transition-abuse-01.txt (expired, work-in-progress) , July 2000. - [18] Barros, C., "Proposal for ICMP Traceback Messages", http:// + [17] Barros, C., "Proposal for ICMP Traceback Messages", http:// www.research.att.com/lists/ietf-itrace/2000/09/msg00044.html . + [18] Merit Network Inc., "Routing Assets Database (http:// + www.radb.net)". + Authors' Addresses Pekka Savola CSC/FUNET Espoo Finland EMail: psavola@funet.fi Chirayu Patel @@ -1785,73 +1751,71 @@ Some implementations might have been careful enough to have designed the stack to as to avoid the incoming (or reply) packets going to IPv4 packet processing through special addresses (e.g., IPv4-mapped addresses), but who can say for all ... Appendix B. Change Log [[ RFC-EDITOR note: to be removed before publication ]] + Changes from -01 to -02 + + 1. Incorporate Iljitsch's feedback + + 2. Clean up section 6.2 + + 3. Fix encapsulation code (had been munged in -01) + Changes from -00 to -01 1. Lots of editorial changes in other sections 2. Revamped the "Threat Analysis" section completely; ripple the effects elsewhere in the document as well. 3. Added Chirayu Patel as a co-author. Intellectual Property Statement The IETF takes no position regarding the validity or scope of any - intellectual property or other rights that might be claimed to + Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights - might or might not be available; neither does it represent that it - has made any effort to identify any such rights. Information on the - IETF's procedures with respect to rights in standards-track and - standards-related documentation can be found in BCP-11. Copies of - claims of rights made available for publication and any assurances of - licenses to be made available, or the result of an attempt made to - obtain a general license or permission for the use of such - proprietary rights by implementors or users of this specification can - be obtained from the IETF Secretariat. + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the IETF's procedures with respect to rights in IETF Documents can + be found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary - rights which may cover technology that may be required to practice - this standard. Please address the information to the IETF Executive - Director. - -Full Copyright Statement + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. - Copyright (C) The Internet Society (2004). All Rights Reserved. +Disclaimer of Validity - This document and translations of it may be copied and furnished to - others, and derivative works that comment on or otherwise explain it - or assist in its implementation may be prepared, copied, published - and distributed, in whole or in part, without restriction of any - kind, provided that the above copyright notice and this paragraph are - included on all such copies and derivative works. However, this - document itself may not be modified in any way, such as by removing - the copyright notice or references to the Internet Society or other - Internet organizations, except as needed for the purpose of - developing Internet standards in which case the procedures for - copyrights defined in the Internet Standards process must be - followed, or as required to translate it into languages other than - English. + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - The limited permissions granted above are perpetual and will not be - revoked by the Internet Society or its successors or assignees. +Copyright Statement - This document and the information contained herein is provided on an - "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING - TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING - BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION - HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF - MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + Copyright (C) The Internet Society (2004). This document is subject + to the rights, licenses and restrictions contained in BCP 78, and + except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society.