Errata for RFC4862
Mark Smith <markzzzsmith@gmail.com> Sun, 08 January 2017 05:30 UTC
Return-Path: <markzzzsmith@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F0101294A9 for <ipv6@ietfa.amsl.com>; Sat, 7 Jan 2017 21:30:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kXOfDujvRRfi for <ipv6@ietfa.amsl.com>; Sat, 7 Jan 2017 21:30:35 -0800 (PST)
Received: from mail-ua0-x22b.google.com (mail-ua0-x22b.google.com [IPv6:2607:f8b0:400c:c08::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7022E129415 for <ipv6@ietf.org>; Sat, 7 Jan 2017 21:30:35 -0800 (PST)
Received: by mail-ua0-x22b.google.com with SMTP id y9so108539493uae.2 for <ipv6@ietf.org>; Sat, 07 Jan 2017 21:30:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=+Yh8UHvZ7KriKyHcmjb9R1ZS7dayCozEV7/EBo91U+Y=; b=E4UPvIMEZ6c4c2/kZTdegkp1u1wHShXGH+XZV03ae9fLDcf6quc50c7JsMfPnf8XrQ Km7Vz48NP2T7uvSs2/RtjhVd+QrB94x/RQ4zIYZtmQcdbKBzlHswxypQQue4OsCzeaJr 1yKqDprl5YjiBw2dLFeaSMNDv5c9D9DeIOjdIqm6OKFVeZGQ7eFgtyv22eBoJY/nZIkZ a6zGLzbHXhtSwrfKoVF6V5R8vfrBFyU1eK8nyXc/RgC/Fx1Yovut+oNncJIAHjfK4FCc DN2qqRQBhl7fnnONgR/qT5GxKrKzmu9F+3uogOfYlp3jAJL1cyZSqvGQOKkGPWYCsSxg AXdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=+Yh8UHvZ7KriKyHcmjb9R1ZS7dayCozEV7/EBo91U+Y=; b=QVQRt/X+R6gZ7blG8PjkKwE73N7Qoz9rXi2zg7wJezmDLJCb4L5LSzfq7GcKklR2bu igS6sbM1tiOlI+DU0V4acH8m0Ej9px9Kjke4TKaZK/jDuFK1rKw+sH6n+P8YrQjomg51 kvhAmXDU3CwUpWeM9SucqXvGeNIFzsWuSQO0V9bfVsLY+gXJVB8IT4aJCbARwDkwenQK oZ35EwKucqJQU+zpBH/pVIsbjcgnBtNGccels8dY+evy2WUP3jQiQi47jzcKDfLUYPgL kPXFkRSouFaGHzAFrCpTY0PnfYMK7Q1NgEjt31EoziNN/t3MuTBk8iA1xRD3Y7etF0JR HBGA==
X-Gm-Message-State: AIkVDXL4WOa36aXsoFHiLCvexMVZm60BVXcnYeh+tz3mjtpPsAvzV7+nKYblIHu/BTMrRd/7ulfZjt2NLGkCWg==
X-Received: by 10.159.36.73 with SMTP id 67mr14084522uaq.124.1483853434435; Sat, 07 Jan 2017 21:30:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.176.8.217 with HTTP; Sat, 7 Jan 2017 21:30:04 -0800 (PST)
From: Mark Smith <markzzzsmith@gmail.com>
Date: Sun, 08 Jan 2017 16:30:04 +1100
Message-ID: <CAO42Z2xH9wqXKFjtAbv6isQ3cG1=FNUmkNFq2DGJdqj9BFDVaQ@mail.gmail.com>
Subject: Errata for RFC4862
To: 6man WG <ipv6@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/6skiNI-avZHMnqDR3v5ts63qaJM>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jan 2017 05:30:36 -0000
Hi,
I've struggled with the Errata tool complaining about not having line
breaks at 72 characters for the last 15 or so minutes, and after
making number of failed attempts to fix that, that's enough!
Section:
5.5.3 RouterAdvertisement Processing
Original Text:
1. If the received Valid Lifetime is greater than 2 hours or
greater than RemainingLifetime, set the valid lifetime of the
corresponding address to the advertised Valid Lifetime.
2. If RemainingLifetime is less than or equal to 2 hours, ignore
the Prefix Information option with regards to the valid
lifetime, unless the Router Advertisement from which this
option was obtained has been authenticated (e.g., via Secure
Neighbor Discovery [RFC3971]). If the Router Advertisement
was authenticated, the valid lifetime of the corresponding
address should be set to the Valid Lifetime in the received
option.
3. Otherwise, reset the valid lifetime of the corresponding
address to 2 hours.
Corrected Text:
1. If the Router Advertisement is not authenticated (e.g., via Secure
Neighbor Discovery [RFC3971]), and if the received Valid Lifetime is greater
than 2 hours, set the valid lifetime of the corresponding address to the
advertised Valid Lifetime.
2. If the Router Advertisement has been authenticated (e.g., via Secure
Neighbor Discovery [RFC3971]), the valid lifetime of the corresponding
address should be set to the Valid Lifetime in the received option
(regardless of whether it is greater than 2 hours or not).
3. Otherwise, reset the valid lifetime of the corresponding address to 2
hours.
In other words, unless an RA is authenticated, Valid Lifetimes in RA PIOs
MUST be greater than 2 hours.
Notes:
For unauthenticated RAs, throughout the text there are numerous checks
to prevent a possible DoS attack described in the subsequent
paragraph:
"The above rules address a specific denial-of-service attack in
which a bogus advertisement could contain prefixes with very small
Valid Lifetimes."
Check 1 above would seem to allow a Valid Lifetime in an RA PIO that
is much less than 2 hours, as long as the value is greater than the
RemainingLifetime. For example, if a host's RemainingLifetime for an
address is 60 seconds, an RA PIO ValidLifetime of 61 seconds would be
acceptable. This would seem to contradict the DoS protection goal.
Check 2 does check to ensure that RemainingLifetime is greater than 2
hours, however Check 1 has
already accepted the RA PIO VL <2 hours (if greater than
RemainingLifetime) and set the address's Valid
Lifetime to a value possibly much less than 2 hours.
An attacker could take advantage of this by doing the following:
1. Send an initial RA with a ValidLifetime of 2 hours, which would pass Check 1.
2. Wait until around 1 hour and 59.5 minutes, and then send an RA with
a ValidLifetime of 61 seconds.
3. Send RAs every 30 or so seconds with a ValidLifetime of 61 seconds,
holding all of the victim hosts'
ValidLifetimes at a low value. These RAs would also pass Check 1 as
long as the VL in the RA was
greater than the hosts' current VL for the addresses.
4. When it could cause the most significant denial of service, stop
sending the RAs, causing the hosts'
address VLs and therefore the addresses to expire within 60 seconds or so.
Regards,
Mark.
- Errata for RFC4862 Mark Smith
- Re: Errata for RFC4862 otroan
- Re: Errata for RFC4862 Fernando Gont
- Re: Errata for RFC4862 otroan
- Re: Errata for RFC4862 神明達哉
- Re: Errata for RFC4862 Mark Smith
- Re: Errata for RFC4862 Tim Chown
- Re: Errata for RFC4862 神明達哉
- Re: Errata for RFC4862 Mark Smith
- Re: Errata for RFC4862 Tim Chown