--- 1/draft-ietf-v6ops-ra-guard-implementation-04.txt 2012-10-29 17:16:19.377758757 +0100
+++ 2/draft-ietf-v6ops-ra-guard-implementation-05.txt 2012-10-29 17:16:19.413761338 +0100
@@ -1,19 +1,19 @@
IPv6 Operations Working Group (v6ops) F. Gont
Internet-Draft UK CPNI
-Updates: 6105 (if approved) May 22, 2012
+Updates: 6105 (if approved) October 26, 2012
Intended status: BCP
-Expires: November 23, 2012
+Expires: April 29, 2013
Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
- draft-ietf-v6ops-ra-guard-implementation-04
+ draft-ietf-v6ops-ra-guard-implementation-05
Abstract
The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly
employed to mitigate attack vectors based on forged ICMPv6 Router
Advertisement messages. Many existing IPv6 deployments rely on RA-
Guard as the first line of defense against the aforementioned attack
vectors. However, some implementations of RA-Guard have been found
to be prone to circumvention by employing IPv6 Extension Headers.
This document describes the evasion techniques that affect the
@@ -28,21 +28,21 @@
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on November 23, 2012.
+ This Internet-Draft will expire on April 29, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
@@ -262,92 +262,121 @@
present in the first fragment (rather than the second).
3. RA-Guard implementation advice
The following filtering rules MUST be implemented as part of an "RA-
Guard" implementation on those ports that are not allowed to send
ICMPv6 Router Advertisement messages, such that the vulnerabilities
discussed in this document are eliminated:
1. If the IPv6 Source Address of the packet is not a link-local
- address (fe80::/10), pass the packet.
+ address (fe80::/10), RA-Guard MUST pass the packet.
- Section 6.1.2 of [RFC4861] requires nodes to discard Router
- Advertisement messages if their IPv6 Source Address is not a
- link-local address.
+ RATIONALE: Section 6.1.2 of [RFC4861] requires nodes to
+ discard Router Advertisement messages if their IPv6 Source
+ Address is not a link-local address.
- 2. If the Hop Limit is not 255, pass the packet.
+ 2. If the Hop Limit is not 255, RA-Guard MUST pass the packet.
- Section 6.1.2 of [RFC4861] requires nodes to discard Router
- Advertisement messages if their Hop Limit is not 255.
+ RATIONALE: Section 6.1.2 of [RFC4861] requires nodes to
+ discard Router Advertisement messages if their Hop Limit is
+ not 255.
- 3. Try to identify whether the packet is an ICMPv6 Router
- Advertisement message, by parsing the IPv6 header chain. When
- doing so, enforce a limit on the maximum number of Extension
- Headers that is allowed for each packet, and if such limit is hit
- before the upper-layer protocol is identified, drop the packet.
+ 3. RA-Guard MUST parse the IPv6 entire header chain present in the
+ packet, to identify whether the packet is a Router Advertisement
+ message.
- [RFC6564] specifies a uniform format for IPv6 Extension
- Header, thus meaning that an IPv6 node should be able to parse
- an IPv6 header chain even if it contains Extension Headers
- that are not currently supported by that node.
+ RATIONALE: [RFC6564] specifies a uniform format for IPv6
+ Extension Header, thus meaning that an IPv6 node can parse an
+ IPv6 header chain even if it contains Extension Headers that
+ are not currently supported by that node. Additionally,
+ [I-D.ietf-6man-oversized-header-chain] requires that if a
+ packet is fragmented, the first fragment contains the entire
+ IPv6 header chain.
- 4. If the layer-2 device is unable to identify whether the packet is
- an ICMPv6 Router Advertisement message or not (i.e., the packet
- is a first-fragment, and the necessary information is missing),
- drop the packet.
+ RA-Guard implementations MUST NOT enforce a limit on the
+ number of bytes they can inspect (starting from the beginning
+ of the IPv6 packet), since this could introduce false-
+ positives: legitimate packets could be dropped simply because
+ the RA-Guard device does not parse the entire IPv6 header
+ chain present in the packet. An implementation that has such
+ an implementation-specific limit MUST NOT claim compliance
+ with this specification, and MUST pass the packet when such
+ implementation-specific limit is reached.
- Note: This rule should only be applied to non-fragmented IPv6
- datagrams and IPv6 fragments with a Fragment Offset of 0 (non-
- first fragments can be safely passed, since they will never
- reassemble into a complete datagram if they are part of a
- Router Advertisement received on a port where such packets are
- not allowed).
+ 4. When parsing the IPv6 header chain, if the packet is a first-
+ fragment (i.e., a packet containing a Fragment Header with the
+ Fragment Offset set to 0) and it fails to contain the entire IPv6
+ header chain (i.e., all the headers starting from the IPv6 header
+ up to, and including, the upper-layer header), RA-Guard MUST drop
+ the packet, and SHOULD log the packet drop event in an
+ implementation-specific manner as a security fault.
- 5. If the packet is identified to be an ICMPv6 Router Advertisement
- message, drop the packet.
+ RATIONALE: [I-D.ietf-6man-oversized-header-chain] specifies
+ that the first-fragment (i.e., the fragment with the Fragment
+ Offset set to 0) MUST contain the entire IPv6 header chain,
+ and allows intermmediate systems such as routers to drop those
+ packets that fail to comply with this requirement.
- 6. In all other cases, pass the packet as usual.
+ NOTE: This rule should only be applied to IPv6 fragments with
+ a Fragment Offset of 0 (non-first fragments can be safely
+ passed, since they will never reassemble into a complete
+ datagram if they are part of a Router Advertisement received
+ on a port where such packets are not allowed).
- Note: For the purpose of enforcing the RA-Guard filtering policy,
+ 5. When parsing the IPv6 header chain, if the packet is identified
+ to be an ICMPv6 Router Advertisement message, RA-Guard MUST drop
+ the packet, and SHOULD log the packet drop event in an
+ implementation-specific manner as a security fault.
+
+ RATIONALE: By definition, Router Advertisement messages MUST
+ originate on-link, MUST have a link-local IPv6 Source Address,
+ and MUST have a Hop Limit value of 255. [RFC4861].
+
+ 6. In all other cases, RA-Guard MUST pass the packet as usual.
+
+ NOTE: For the purpose of enforcing the RA-Guard filtering policy,
an ESP header [RFC4303] should be considered to be an "upper-layer
protocol" (that is, it should be considered the last header in the
IPv6 header chain). This means that packets employing ESP would
be passed by the RA-Guard device to the intended destination. If
the destination host does not have a security association with the
sender of the aforementioned IPv6 packet, the packet would be
dropped. Otherwise, if the packet is considered valid by the
IPsec implementation at the receiving host and encapsulates a
Router Advertisement message, it is up to the receiving host what
to do with such packet.
If a packet is dropped due to this filtering policy, then the packet
- drop event SHOULD be logged. The logging mechanism SHOULD include a
- drop counter dedicated to RA-Guard packet drops.
+ drop event SHOULD be logged in an implementation-specific manner as a
+ security fault. The logging mechanism SHOULD include a drop counter
+ dedicated to RA-Guard packet drops.
In order to protect current end-node IPv6 implementations, Rule #4
has been defined as a default rule to drop packets that cannot be
positively identified as not being Router Advertisement (RA) messages
- (possibly because the packet contains fragments that do not contain
- the entire IPv6 header chain). This means that, at least in theory,
- RA-Guard could result in false-positive blocking of some legitimate
- non-RA packets that could not be positively identified as being
- non-RA. In order to reduce the likelihood of false positives, Rule
- #1 and Rule #2 require that packets that would not pass the required
- validation checks for RA messages (Section 6.1.2 of [RFC4861]) be
- passed without further inspection. In any case, as noted in
- [I-D.gont-6man-oversized-header-chain], IPv6 packets that fail to
- include the entire IPv6 header chain are anyway unlikely to survive
- in real networks. Whilst currently legitimate from a specifications
- standpoint, they are virtually impossible to police with state-less
- filters and firewalls, and are hence likely to be blocked by such
- filters and firewalls.
+ (because the packet is a fragment that fails to include the entire
+ IPv6 header chain). This means that, at least in theory, RA-Guard
+ could result in false-positive blocking of some legitimate non-RA
+ packets that could not be positively identified as being non-RA. In
+ order to reduce the likelihood of false positives, Rule #1 and Rule
+ #2 require that packets that would not pass the required validation
+ checks for RA messages (Section 6.1.2 of [RFC4861]) be passed without
+ further inspection. In any case, as noted in
+ [I-D.ietf-6man-oversized-header-chain], IPv6 packets that fail to
+ include the entire IPv6 header chain are virtually impossible to
+ police with state-less filters and firewalls, and hence are unlikely
+ to survive in real networks. [I-D.ietf-6man-oversized-header-chain]
+ requires that hosts employing fragmentation include the entire IPv6
+ header chain in the first fragment (the fragment with the Fragment
+ Offset set to 0), thus eliminating the aforementioned false
+ positives.
This filtering policy assumes that host implementations require that
the IPv6 Source Address of ICMPv6 Router Advertisement messages be a
link-local address, and that they discard the packet if this check
fails, as required by the current IETF specifications [RFC4861].
Additionally, it assumes that hosts require the Hop Limit of Neighbor
Discovery messages to be 255, and discard those packets otherwise.
The aforementioned filtering rules implicitly handle the case of
fragmented packets: if the RA-Guard device fails to identify the
@@ -400,33 +429,37 @@
Denial of Service (DoS). However, this does not really introduce a
new attack vector, since an attacker could always perform the same
attack by sending forged fragmented datagram in which at least one of
the fragments is missing. [CPNI-IPv6] discusses some resource
management strategies that could be implemented for the fragment
reassembly buffer.
We note that most effective and efficient mitigation for these
attacks would be to prohibit the use of IPv6 fragmentation with
Router Advertisement messages (as proposed by
- [I-D.gont-6man-nd-extension-headers]), such that the RA-Guard
+ [I-D.ietf-6man-nd-extension-headers]), such that the RA-Guard
functionality is easier to implement. However, since such mitigation
would require an update to existing implementations, it cannot be
relied upon in the short or near term.
Finally, we note that RA-Guard only mitigates attack vectors based on
ICMPv6 Router advertisement messages. Protection against similar
attacks based on other messages (such as DCHPv6) is considered out of
the scope of this document, and left for other documents(e.g.
[DHCPv6-Shield]).
7. Acknowledgements
+ The author would like to thank Ran Atkinson, who provided very
+ detailed comments and suggested text that was incorporated into this
+ document.
+
The author would like to thank Ran Atkinson, Karl Auer, Robert
Downie, Washam Fan, David Farmer, Marc Heuse, Nick Hilliard, Ray
Hunter, Joel Jaeggli, Simon Perreault, Arturo Servin, Gunter van de
Velde, James Woodyatt, and Bjoern A. Zeeb, for providing valuable
comments on earlier versions of this document.
The author would like to thank Arturo Servin, who presented this
document at IETF 81.
This document resulted from the project "Security Assessment of the
@@ -449,41 +482,41 @@
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007.
[RFC5722] Krishnan, S., "Handling of Overlapping IPv6 Fragments",
RFC 5722, December 2009.
[RFC6564] Krishnan, S., Woodyatt, J., Kline, E., Hoagland, J., and
M. Bhatia, "A Uniform Format for IPv6 Extension Headers",
RFC 6564, April 2012.
+ [I-D.ietf-6man-oversized-header-chain]
+ Gont, F. and V. Manral, "Security and Interoperability
+ Implications of Oversized IPv6 Header Chains",
+ draft-ietf-6man-oversized-header-chain-01 (work in
+ progress), July 2012.
+
+ [I-D.ietf-6man-nd-extension-headers]
+ Gont, F., "Security Implications of the Use of IPv6
+ Extension Headers with IPv6 Neighbor Discovery",
+ draft-ietf-6man-nd-extension-headers-00 (work in
+ progress), June 2012.
+
8.2. Informative References
[RFC6104] Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
Problem Statement", RFC 6104, February 2011.
[RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
February 2011.
- [I-D.gont-6man-oversized-header-chain]
- Gont, F. and V. Manral, "Security and Interoperability
- Implications of Oversized IPv6 Header Chains",
- draft-gont-6man-oversized-header-chain-01 (work in
- progress), April 2012.
-
- [I-D.gont-6man-nd-extension-headers]
- Gont, F., "Security Implications of the Use of IPv6
- Extension Headers with IPv6 Neighbor Discovery",
- draft-gont-6man-nd-extension-headers-02 (work in
- progress), January 2012.
-
[DHCPv6-Shield]
Gont, F., "DHCPv6-Shield: Protecting Against Rogue DHCPv6
Servers", IETF Internet Draft,
draft-gont-opsec-dhcpv6-shield, work in progress,
May 2012.
[CPNI-IPv6]
Gont, F., "Security Assessment of the Internet Protocol
version 6 (IPv6)", UK Centre for the Protection of
National Infrastructure, (available on request).
@@ -495,34 +528,35 @@
kame/rafixd/>.
[ramond] "ramond", .
[SI6-FRAG]
SI6 Networks, "IPv6 NIDS evasion and improvements in IPv6
fragmentation/reassembly", 2012, .
+ [SI6-IPv6]
+ "SI6 Networks' IPv6 toolkit",
+ .
+
[THC-IPV6]
"The Hacker's Choice IPv6 Attack Toolkit",
.
Appendix A. Assessment tools
- CPNI has produced assessment tools (which have not yet been made
- publicly available) to assess RA-Guard implementations with respect
- to the issues described in this document. If you think that you
- would benefit from these tools, we might be able to provide a copy of
- the tools (please contact Fernando Gont at fernando@gont.com.ar).
+ [SI6-IPv6] is a publicly-available set of tools (for Linux, *BSD, and
+ Mac OS) that implements the techniques described in this document.
- [THC-IPV6] is a publicly-available set of tools that implements some
- of the techniques described in this document.
+ [THC-IPV6] is a publicly-available set of tools (for Linux) that
+ implements some of the techniques described in this document.
Appendix B. Advice and guidance to vendors
Vendors are urged to contact CSIRTUK (csirt@cpni.gsi.gov.uk) if they
think they may be affected by the issues described in this document.
As the lead coordination centre for these issues, CPNI is well placed
to give advice and guidance as required.
CPNI works extensively with government departments and agencies,
commercial organisations and the academic community to research