draft-ietf-v6ops-ra-guard-implementation-04.txt   draft-ietf-v6ops-ra-guard-implementation-05.txt 
IPv6 Operations Working Group (v6ops) F. Gont IPv6 Operations Working Group (v6ops) F. Gont
Internet-Draft UK CPNI Internet-Draft UK CPNI
Updates: 6105 (if approved) May 22, 2012 Updates: 6105 (if approved) October 26, 2012
Intended status: BCP Intended status: BCP
Expires: November 23, 2012 Expires: April 29, 2013
Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard) Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
draft-ietf-v6ops-ra-guard-implementation-04 draft-ietf-v6ops-ra-guard-implementation-05
Abstract Abstract
The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly
employed to mitigate attack vectors based on forged ICMPv6 Router employed to mitigate attack vectors based on forged ICMPv6 Router
Advertisement messages. Many existing IPv6 deployments rely on RA- Advertisement messages. Many existing IPv6 deployments rely on RA-
Guard as the first line of defense against the aforementioned attack Guard as the first line of defense against the aforementioned attack
vectors. However, some implementations of RA-Guard have been found vectors. However, some implementations of RA-Guard have been found
to be prone to circumvention by employing IPv6 Extension Headers. to be prone to circumvention by employing IPv6 Extension Headers.
This document describes the evasion techniques that affect the This document describes the evasion techniques that affect the
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 23, 2012. This Internet-Draft will expire on April 29, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 8, line 13 skipping to change at page 8, line 13
present in the first fragment (rather than the second). present in the first fragment (rather than the second).
3. RA-Guard implementation advice 3. RA-Guard implementation advice
The following filtering rules MUST be implemented as part of an "RA- The following filtering rules MUST be implemented as part of an "RA-
Guard" implementation on those ports that are not allowed to send Guard" implementation on those ports that are not allowed to send
ICMPv6 Router Advertisement messages, such that the vulnerabilities ICMPv6 Router Advertisement messages, such that the vulnerabilities
discussed in this document are eliminated: discussed in this document are eliminated:
1. If the IPv6 Source Address of the packet is not a link-local 1. If the IPv6 Source Address of the packet is not a link-local
address (fe80::/10), pass the packet. address (fe80::/10), RA-Guard MUST pass the packet.
Section 6.1.2 of [RFC4861] requires nodes to discard Router RATIONALE: Section 6.1.2 of [RFC4861] requires nodes to
Advertisement messages if their IPv6 Source Address is not a discard Router Advertisement messages if their IPv6 Source
link-local address. Address is not a link-local address.
2. If the Hop Limit is not 255, pass the packet. 2. If the Hop Limit is not 255, RA-Guard MUST pass the packet.
Section 6.1.2 of [RFC4861] requires nodes to discard Router RATIONALE: Section 6.1.2 of [RFC4861] requires nodes to
Advertisement messages if their Hop Limit is not 255. discard Router Advertisement messages if their Hop Limit is
not 255.
3. Try to identify whether the packet is an ICMPv6 Router 3. RA-Guard MUST parse the IPv6 entire header chain present in the
Advertisement message, by parsing the IPv6 header chain. When packet, to identify whether the packet is a Router Advertisement
doing so, enforce a limit on the maximum number of Extension message.
Headers that is allowed for each packet, and if such limit is hit
before the upper-layer protocol is identified, drop the packet.
[RFC6564] specifies a uniform format for IPv6 Extension RATIONALE: [RFC6564] specifies a uniform format for IPv6
Header, thus meaning that an IPv6 node should be able to parse Extension Header, thus meaning that an IPv6 node can parse an
an IPv6 header chain even if it contains Extension Headers IPv6 header chain even if it contains Extension Headers that
that are not currently supported by that node. are not currently supported by that node. Additionally,
[I-D.ietf-6man-oversized-header-chain] requires that if a
packet is fragmented, the first fragment contains the entire
IPv6 header chain.
4. If the layer-2 device is unable to identify whether the packet is RA-Guard implementations MUST NOT enforce a limit on the
an ICMPv6 Router Advertisement message or not (i.e., the packet number of bytes they can inspect (starting from the beginning
is a first-fragment, and the necessary information is missing), of the IPv6 packet), since this could introduce false-
drop the packet. positives: legitimate packets could be dropped simply because
the RA-Guard device does not parse the entire IPv6 header
chain present in the packet. An implementation that has such
an implementation-specific limit MUST NOT claim compliance
with this specification, and MUST pass the packet when such
implementation-specific limit is reached.
Note: This rule should only be applied to non-fragmented IPv6 4. When parsing the IPv6 header chain, if the packet is a first-
datagrams and IPv6 fragments with a Fragment Offset of 0 (non- fragment (i.e., a packet containing a Fragment Header with the
first fragments can be safely passed, since they will never Fragment Offset set to 0) and it fails to contain the entire IPv6
reassemble into a complete datagram if they are part of a header chain (i.e., all the headers starting from the IPv6 header
Router Advertisement received on a port where such packets are up to, and including, the upper-layer header), RA-Guard MUST drop
not allowed). the packet, and SHOULD log the packet drop event in an
implementation-specific manner as a security fault.
5. If the packet is identified to be an ICMPv6 Router Advertisement RATIONALE: [I-D.ietf-6man-oversized-header-chain] specifies
message, drop the packet. that the first-fragment (i.e., the fragment with the Fragment
Offset set to 0) MUST contain the entire IPv6 header chain,
and allows intermmediate systems such as routers to drop those
packets that fail to comply with this requirement.
6. In all other cases, pass the packet as usual. NOTE: This rule should only be applied to IPv6 fragments with
a Fragment Offset of 0 (non-first fragments can be safely
passed, since they will never reassemble into a complete
datagram if they are part of a Router Advertisement received
on a port where such packets are not allowed).
Note: For the purpose of enforcing the RA-Guard filtering policy, 5. When parsing the IPv6 header chain, if the packet is identified
to be an ICMPv6 Router Advertisement message, RA-Guard MUST drop
the packet, and SHOULD log the packet drop event in an
implementation-specific manner as a security fault.
RATIONALE: By definition, Router Advertisement messages MUST
originate on-link, MUST have a link-local IPv6 Source Address,
and MUST have a Hop Limit value of 255. [RFC4861].
6. In all other cases, RA-Guard MUST pass the packet as usual.
NOTE: For the purpose of enforcing the RA-Guard filtering policy,
an ESP header [RFC4303] should be considered to be an "upper-layer an ESP header [RFC4303] should be considered to be an "upper-layer
protocol" (that is, it should be considered the last header in the protocol" (that is, it should be considered the last header in the
IPv6 header chain). This means that packets employing ESP would IPv6 header chain). This means that packets employing ESP would
be passed by the RA-Guard device to the intended destination. If be passed by the RA-Guard device to the intended destination. If
the destination host does not have a security association with the the destination host does not have a security association with the
sender of the aforementioned IPv6 packet, the packet would be sender of the aforementioned IPv6 packet, the packet would be
dropped. Otherwise, if the packet is considered valid by the dropped. Otherwise, if the packet is considered valid by the
IPsec implementation at the receiving host and encapsulates a IPsec implementation at the receiving host and encapsulates a
Router Advertisement message, it is up to the receiving host what Router Advertisement message, it is up to the receiving host what
to do with such packet. to do with such packet.
If a packet is dropped due to this filtering policy, then the packet If a packet is dropped due to this filtering policy, then the packet
drop event SHOULD be logged. The logging mechanism SHOULD include a drop event SHOULD be logged in an implementation-specific manner as a
drop counter dedicated to RA-Guard packet drops. security fault. The logging mechanism SHOULD include a drop counter
dedicated to RA-Guard packet drops.
In order to protect current end-node IPv6 implementations, Rule #4 In order to protect current end-node IPv6 implementations, Rule #4
has been defined as a default rule to drop packets that cannot be has been defined as a default rule to drop packets that cannot be
positively identified as not being Router Advertisement (RA) messages positively identified as not being Router Advertisement (RA) messages
(possibly because the packet contains fragments that do not contain (because the packet is a fragment that fails to include the entire
the entire IPv6 header chain). This means that, at least in theory, IPv6 header chain). This means that, at least in theory, RA-Guard
RA-Guard could result in false-positive blocking of some legitimate could result in false-positive blocking of some legitimate non-RA
non-RA packets that could not be positively identified as being packets that could not be positively identified as being non-RA. In
non-RA. In order to reduce the likelihood of false positives, Rule order to reduce the likelihood of false positives, Rule #1 and Rule
#1 and Rule #2 require that packets that would not pass the required #2 require that packets that would not pass the required validation
validation checks for RA messages (Section 6.1.2 of [RFC4861]) be checks for RA messages (Section 6.1.2 of [RFC4861]) be passed without
passed without further inspection. In any case, as noted in further inspection. In any case, as noted in
[I-D.gont-6man-oversized-header-chain], IPv6 packets that fail to [I-D.ietf-6man-oversized-header-chain], IPv6 packets that fail to
include the entire IPv6 header chain are anyway unlikely to survive include the entire IPv6 header chain are virtually impossible to
in real networks. Whilst currently legitimate from a specifications police with state-less filters and firewalls, and hence are unlikely
standpoint, they are virtually impossible to police with state-less to survive in real networks. [I-D.ietf-6man-oversized-header-chain]
filters and firewalls, and are hence likely to be blocked by such requires that hosts employing fragmentation include the entire IPv6
filters and firewalls. header chain in the first fragment (the fragment with the Fragment
Offset set to 0), thus eliminating the aforementioned false
positives.
This filtering policy assumes that host implementations require that This filtering policy assumes that host implementations require that
the IPv6 Source Address of ICMPv6 Router Advertisement messages be a the IPv6 Source Address of ICMPv6 Router Advertisement messages be a
link-local address, and that they discard the packet if this check link-local address, and that they discard the packet if this check
fails, as required by the current IETF specifications [RFC4861]. fails, as required by the current IETF specifications [RFC4861].
Additionally, it assumes that hosts require the Hop Limit of Neighbor Additionally, it assumes that hosts require the Hop Limit of Neighbor
Discovery messages to be 255, and discard those packets otherwise. Discovery messages to be 255, and discard those packets otherwise.
The aforementioned filtering rules implicitly handle the case of The aforementioned filtering rules implicitly handle the case of
fragmented packets: if the RA-Guard device fails to identify the fragmented packets: if the RA-Guard device fails to identify the
skipping to change at page 13, line 35 skipping to change at page 13, line 35
Denial of Service (DoS). However, this does not really introduce a Denial of Service (DoS). However, this does not really introduce a
new attack vector, since an attacker could always perform the same new attack vector, since an attacker could always perform the same
attack by sending forged fragmented datagram in which at least one of attack by sending forged fragmented datagram in which at least one of
the fragments is missing. [CPNI-IPv6] discusses some resource the fragments is missing. [CPNI-IPv6] discusses some resource
management strategies that could be implemented for the fragment management strategies that could be implemented for the fragment
reassembly buffer. reassembly buffer.
We note that most effective and efficient mitigation for these We note that most effective and efficient mitigation for these
attacks would be to prohibit the use of IPv6 fragmentation with attacks would be to prohibit the use of IPv6 fragmentation with
Router Advertisement messages (as proposed by Router Advertisement messages (as proposed by
[I-D.gont-6man-nd-extension-headers]), such that the RA-Guard [I-D.ietf-6man-nd-extension-headers]), such that the RA-Guard
functionality is easier to implement. However, since such mitigation functionality is easier to implement. However, since such mitigation
would require an update to existing implementations, it cannot be would require an update to existing implementations, it cannot be
relied upon in the short or near term. relied upon in the short or near term.
Finally, we note that RA-Guard only mitigates attack vectors based on Finally, we note that RA-Guard only mitigates attack vectors based on
ICMPv6 Router advertisement messages. Protection against similar ICMPv6 Router advertisement messages. Protection against similar
attacks based on other messages (such as DCHPv6) is considered out of attacks based on other messages (such as DCHPv6) is considered out of
the scope of this document, and left for other documents(e.g. the scope of this document, and left for other documents(e.g.
[DHCPv6-Shield]). [DHCPv6-Shield]).
7. Acknowledgements 7. Acknowledgements
The author would like to thank Ran Atkinson, who provided very
detailed comments and suggested text that was incorporated into this
document.
The author would like to thank Ran Atkinson, Karl Auer, Robert The author would like to thank Ran Atkinson, Karl Auer, Robert
Downie, Washam Fan, David Farmer, Marc Heuse, Nick Hilliard, Ray Downie, Washam Fan, David Farmer, Marc Heuse, Nick Hilliard, Ray
Hunter, Joel Jaeggli, Simon Perreault, Arturo Servin, Gunter van de Hunter, Joel Jaeggli, Simon Perreault, Arturo Servin, Gunter van de
Velde, James Woodyatt, and Bjoern A. Zeeb, for providing valuable Velde, James Woodyatt, and Bjoern A. Zeeb, for providing valuable
comments on earlier versions of this document. comments on earlier versions of this document.
The author would like to thank Arturo Servin, who presented this The author would like to thank Arturo Servin, who presented this
document at IETF 81. document at IETF 81.
This document resulted from the project "Security Assessment of the This document resulted from the project "Security Assessment of the
skipping to change at page 15, line 26 skipping to change at page 15, line 26
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007. September 2007.
[RFC5722] Krishnan, S., "Handling of Overlapping IPv6 Fragments", [RFC5722] Krishnan, S., "Handling of Overlapping IPv6 Fragments",
RFC 5722, December 2009. RFC 5722, December 2009.
[RFC6564] Krishnan, S., Woodyatt, J., Kline, E., Hoagland, J., and [RFC6564] Krishnan, S., Woodyatt, J., Kline, E., Hoagland, J., and
M. Bhatia, "A Uniform Format for IPv6 Extension Headers", M. Bhatia, "A Uniform Format for IPv6 Extension Headers",
RFC 6564, April 2012. RFC 6564, April 2012.
[I-D.ietf-6man-oversized-header-chain]
Gont, F. and V. Manral, "Security and Interoperability
Implications of Oversized IPv6 Header Chains",
draft-ietf-6man-oversized-header-chain-01 (work in
progress), July 2012.
[I-D.ietf-6man-nd-extension-headers]
Gont, F., "Security Implications of the Use of IPv6
Extension Headers with IPv6 Neighbor Discovery",
draft-ietf-6man-nd-extension-headers-00 (work in
progress), June 2012.
8.2. Informative References 8.2. Informative References
[RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement [RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
Problem Statement", RFC 6104, February 2011. Problem Statement", RFC 6104, February 2011.
[RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J. [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105, Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
February 2011. February 2011.
[I-D.gont-6man-oversized-header-chain]
Gont, F. and V. Manral, "Security and Interoperability
Implications of Oversized IPv6 Header Chains",
draft-gont-6man-oversized-header-chain-01 (work in
progress), April 2012.
[I-D.gont-6man-nd-extension-headers]
Gont, F., "Security Implications of the Use of IPv6
Extension Headers with IPv6 Neighbor Discovery",
draft-gont-6man-nd-extension-headers-02 (work in
progress), January 2012.
[DHCPv6-Shield] [DHCPv6-Shield]
Gont, F., "DHCPv6-Shield: Protecting Against Rogue DHCPv6 Gont, F., "DHCPv6-Shield: Protecting Against Rogue DHCPv6
Servers", IETF Internet Draft, Servers", IETF Internet Draft,
draft-gont-opsec-dhcpv6-shield, work in progress, draft-gont-opsec-dhcpv6-shield, work in progress,
May 2012. May 2012.
[CPNI-IPv6] [CPNI-IPv6]
Gont, F., "Security Assessment of the Internet Protocol Gont, F., "Security Assessment of the Internet Protocol
version 6 (IPv6)", UK Centre for the Protection of version 6 (IPv6)", UK Centre for the Protection of
National Infrastructure, (available on request). National Infrastructure, (available on request).
skipping to change at page 16, line 24 skipping to change at page 16, line 24
kame/rafixd/>. kame/rafixd/>.
[ramond] "ramond", <http://ramond.sourceforge.net/>. [ramond] "ramond", <http://ramond.sourceforge.net/>.
[SI6-FRAG] [SI6-FRAG]
SI6 Networks, "IPv6 NIDS evasion and improvements in IPv6 SI6 Networks, "IPv6 NIDS evasion and improvements in IPv6
fragmentation/reassembly", 2012, <http:// fragmentation/reassembly", 2012, <http://
blog.si6networks.com/2012/02/ blog.si6networks.com/2012/02/
ipv6-nids-evasion-and-improvements-in.html>. ipv6-nids-evasion-and-improvements-in.html>.
[SI6-IPv6]
"SI6 Networks' IPv6 toolkit",
<http://www.si6networks.com/tools/ipv6toolkit>.
[THC-IPV6] [THC-IPV6]
"The Hacker's Choice IPv6 Attack Toolkit", "The Hacker's Choice IPv6 Attack Toolkit",
<http://www.thc.org/thc-ipv6/>. <http://www.thc.org/thc-ipv6/>.
Appendix A. Assessment tools Appendix A. Assessment tools
CPNI has produced assessment tools (which have not yet been made [SI6-IPv6] is a publicly-available set of tools (for Linux, *BSD, and
publicly available) to assess RA-Guard implementations with respect Mac OS) that implements the techniques described in this document.
to the issues described in this document. If you think that you
would benefit from these tools, we might be able to provide a copy of
the tools (please contact Fernando Gont at fernando@gont.com.ar).
[THC-IPV6] is a publicly-available set of tools that implements some [THC-IPV6] is a publicly-available set of tools (for Linux) that
of the techniques described in this document. implements some of the techniques described in this document.
Appendix B. Advice and guidance to vendors Appendix B. Advice and guidance to vendors
Vendors are urged to contact CSIRTUK (csirt@cpni.gsi.gov.uk) if they Vendors are urged to contact CSIRTUK (csirt@cpni.gsi.gov.uk) if they
think they may be affected by the issues described in this document. think they may be affected by the issues described in this document.
As the lead coordination centre for these issues, CPNI is well placed As the lead coordination centre for these issues, CPNI is well placed
to give advice and guidance as required. to give advice and guidance as required.
CPNI works extensively with government departments and agencies, CPNI works extensively with government departments and agencies,
commercial organisations and the academic community to research commercial organisations and the academic community to research
 End of changes. 24 change blocks. 
70 lines changed or deleted 104 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/