[CGA-EXT] Subject: A new old attack on the NDP/SEND
Tony Cheneau <tony.cheneau@int-evry.fr> Mon, 14 January 2008 09:10 UTC
Return-path: <cga-ext-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JELKe-0002B6-7z; Mon, 14 Jan 2008 04:10:12 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JELKd-00028y-Fc for cga-ext@ietf.org; Mon, 14 Jan 2008 04:10:11 -0500
Received: from smtp2.int-evry.fr ([157.159.10.45]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1JELKc-0002zI-PR for cga-ext@ietf.org; Mon, 14 Jan 2008 04:10:11 -0500
Received: from whitebox (unknown [157.159.103.69]) by smtp2.int-evry.fr (Postfix) with ESMTP id CC0DA3EDBC0 for <cga-ext@ietf.org>; Mon, 14 Jan 2008 10:10:06 +0100 (CET)
Date: Mon, 14 Jan 2008 10:08:46 +0100
From: Tony Cheneau <tony.cheneau@int-evry.fr>
To: cga-ext@ietf.org
Message-ID: <20080114100846.210e15b4@whitebox>
X-Mailer: Claws Mail 3.0.2 (GTK+ 2.12.1; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-int-MailScanner-Information: Please contact the ISP for more information
X-int-MailScanner: Found to be clean
X-int-MailScanner-SpamCheck:
X-int-MailScanner-From: tony.cheneau@int-evry.fr
X-Spam-Status: No
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d8ae4fd88fcaf47c1a71c804d04f413d
Subject: [CGA-EXT] Subject: A new old attack on the NDP/SEND
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
Errors-To: cga-ext-bounces@ietf.org
Hello, I'm currently writing an article about an attack on the Duplicate Address Detection (DAD) mechanism that works even with a SEND enabled architecture. Any comments are welcome. The attack occurs when a node joins a network. An attacker can prevent a node from joining a link by replaying the Neighbor Solicitation packet (even if the packet contains the SEND protections). This is a remake of the Section 4.1.3 in the RFC 3756: the "Duplicate Address Detection DoS Attack". As of Section 9.2.3 of RFC 3971 this old attack isn't supposed to work anymore since the NA are "verified" with a RSA signature. Here, we replay a NS message during the attack, so we will have a valid RSA signature and this security mechanisms will be void. According to Section 8 of RFC 3971 a DAD process is considered as unsuccessful after 3 failures. Here again, an attacker can replay the packets 3 times simulating unavailable addresses. The success of the validity check on the packet is based on these points: - The CGA is fully valid as the packets are being replayed. - The RSA signatures are still valid (the packet wasn't altered). - Though RFC 3971 suggests using the "nonce" option to match requests with responses, there's no specific usage defined for it. There isn't any recommendation of how to use this option in SEND. - Concerning the Timestamp protection: according to Section 5.3.3, the victim node will set the Timestamp field to his current time when it sends his packet. So the attacker will have the same value in the (replayed) Timestamp field. The replayed packet will be considered as a new by the victim. This implies that the victim should verify the packet with the following equation (according to Section 5.3.4.2): - Delta < RDnew - TSnew < + Delta RDnew is time of receiving of the message and TSnew is the Timestamp of this new message. From the attacker perspective, RDnew is the time when he received the packet plus the time to effectively replay it. Since TSnew is supposed to be the current time of the victim when he sent the packet, RDnew should be close to that value. (as a side note, on the OpenSource NTT DoCoMo SEND's implementation, this Delta value is set by default to 300 seconds) We may think that the node won't listen to the packet since it's a copy of its own packet. Section 5.4.3 of RFC 4862 says it depends on the loopback semantic (which means here that in any cases, a replayed packet won't be considered as duplicated). The requirement for the attacker is to have access on the link resources. The attacker must be able to listen to multicast packets emitted by the victim (to be able to listen to the packets sent to victim's "solicited node" multicast group). The packet must be replayed during the time window of DupAddrDetectTransmists * RetransTimer (which with the default value is 1 second). There is some ways to mitigate or to cancel the effects of this attacks. One way is to give a semantic to the Nonce option in this particular case and say that if there is a Neighbor Solicitation received during the DAD process indicating a collision containing the same Nonce option, the first time, it will trigger the computing of a new address and the second time it will keep the address and ignore the message. I was only able to test it on the NTT DoCoMo SEND's implementation and it didn't work due to the non-full implementation of the DAD support part. I have a PoC written with the Scapy framework, I can send it to anyone wishing it. Thanks in advance for all your feedbacks. Best regards, Tony Cheneau _______________________________________________ CGA-EXT mailing list CGA-EXT@ietf.org https://www1.ietf.org/mailman/listinfo/cga-ext
- [CGA-EXT] Subject: A new old attack on the NDP/SE… Tony Cheneau