RE: [Int-area] Route Information Options in Redirect Messages

"Templin, Fred L" <Fred.L.Templin@boeing.com> Wed, 11 January 2017 22:22 UTC

From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Zied Bouziri <zied.bouziri@gmail.com>
Subject: RE: [Int-area] Route Information Options in Redirect Messages
Thread-Topic: [Int-area] Route Information Options in Redirect Messages
Thread-Index: AdJqj8MpX1D7bRpERNaWpSFDneETogAeC3cAABhBxNAAFKbugAAMs3RQACpBLgAAD+D48A==
Date: Wed, 11 Jan 2017 22:22:23 +0000
Message-ID: <c8baed16b3dc46d2a667614310f0334d@XCH15-06-08.nw.nos.boeing.com>
References: <b0d15d2e8b3e414abf4e87c60d39e252@XCH15-06-08.nw.nos.boeing.com> <32fbea25-01c9-aa32-e70f-3e1282f56294@gmail.com> <5cd024891c204a9bb37dcc23796c36c6@XCH15-06-08.nw.nos.boeing.com> <016f01d26b78$870895a0$9519c0e0$@huitema.net> <6d21dd17f0b94a39a71600944878ec39@XCH15-06-08.nw.nos.boeing.com> <BFB9A939-2CA7-4E00-8B93-5548CDA244E3@gmail.com>
In-Reply-To: <BFB9A939-2CA7-4E00-8B93-5548CDA244E3@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/JMA_wsf3ppQrvNKKa50RnSke4yU>
Cc: 6man WG <ipv6@ietf.org>, INT Area <int-area@ietf.org>, Christian Huitema <huitema@huitema.net>

Hi Zied,

This is discussed in “IPv6 ND Trust Models and Threats [RFC3756]”. Under Section 4.2.4
it says: “This attack is not a concern if access to the link is restricted to trusted nodes”.
SEND [RFC3971] provides one possible mitigation in other cases.

Thanks - Fred

From: Zied Bouziri [mailto:zied.bouziri@gmail.com]
Sent: Wednesday, January 11, 2017 1:48 PM
To: Templin, Fred L <Fred.L.Templin@boeing.com>
Cc: Christian Huitema <huitema@huitema.net>; Brian E Carpenter <brian.e.carpenter@gmail.com>; 6man WG <ipv6@ietf.org>; INT Area <int-area@ietf.org>
Subject: Re: [Int-area] Route Information Options in Redirect Messages

Hi Fred
In section 6:
"Namely, the protocol must take measures to secure IPv6 ND messages on links where spoofing attacks are possible"
By reading this passage, I have the impression that there are links where spoofing attacks are possible and others not!
How can we know if this attack is possible or not in a specified link?
Thank you
Zied

On 10 Jan. 2017 at 22:52, Templin, Fred L <Fred.L.Templin@boeing.com> wrote:

Hi Christian,


-----Original Message-----
From: Christian Huitema [mailto:huitema@huitema.net]
Sent: Tuesday, January 10, 2017 11:34 AM
To: Templin, Fred L <Fred.L.Templin@boeing.com>; 'Brian E Carpenter' <brian.e.carpenter@gmail.com>; '6man WG' <ipv6@ietf.org>;
'INT Area' <int-area@ietf.org>
Subject: RE: [Int-area] Route Information Options in Redirect Messages

On Tuesday, January 10, 2017 9:55 AM, Fred Templin wrote:

...
What is being proposed in the document I submitted is the inclusion of
RIOs in Redirect messages for a *prefix* that is not on-link, as opposed
to a singleton destination. So, the same SHOULD in the paragraph above
would seem to apply also to prefix redirection the same as for ordinary
destination redirection.

Fred, I am reading the security section of your draft. I think it needs a
bit more work.

Currently, the RIO are only expected in router advertisements. RA are
somewhat special, and there is often specific code in switches to check RA
and prevent RA spoofing -- e.g., RA-Guard. Allowing the option in Redirect
messages could very well bypass the RA specific checks. Doesn't that open
the path for new attacks? Should you not say something about that in the
security section? How about specific mitigations, such as sanity checks when
processing redirect messages?

Since IP will still operate correctly if transmission of Redirect messages is
somehow suppressed (i.e., denial of Redirect service), the more serious
threat to be considered is spoofing. Here is what currently appears under
Security Considerations:

  "Security considerations for Redirect messages that include RIOs are
  the same as for any IPv6 ND messages as specified in Section 11 of
  [RFC4861].  Namely, the protocol must take measures to secure IPv6 ND
  messages on links where spoofing attacks are possible.

  A spoofed Redirect message containing no RIOs could cause corruption
  in the host's destination cache while a spoofed Redirect message
  containing RIOs could corrupt the host's routing tables.  While the
  latter would seem to be a more onerous result, the possibility for
  corruption is unacceptable in either case."

So, from the first paragraph, we can see that the protocol must take
measures to secure IPv6 ND messages on links where spoofing attacks
are possible. The second paragraph then analyzes the consequences of
what could happen if a spoofing attack were successful and we see that
there are unacceptable negative consequences for both traditional
Redirects and Redirects that include RIOs.

The text stops short of saying that "no Redirects of any kind should be
used on links where spoofing attacks are possible". Would adding a
statement such as this address the concern?

Thanks - Fred
fred.l.templin@boeing.com


Best Regards, مع تحياتي
Zied BOUZIRI، زياد بوزيري
ISET Charguia, Tunisie
www.bouziri.tn
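The thread above argues about whether Redirect messages carrying Route Information Options (RIOs) need extra sanity checks, since RA-Guard style filtering only looks at Router Advertisements. The following is an added example, not code from the thread, the draft, or any of its participants: a small receive-side checker that applies the RFC 4861 Section 8.1 validity rules to an ICMPv6 Redirect and then reports any RIO (option type 24, layout per RFC 4191 Section 2.3) that would install a prefix route, so a host or a link monitor can apply policy before touching its routing table. The `build_*` helpers, the sample packets and the address values are constructed for the example; the ICMPv6 checksum is left at zero because the IPv6 pseudo-header is not modelled.

```python
"""Sanity checks for ICMPv6 Redirect messages that carry Route Information
Options (RIOs).  Added example for this thread; message layouts follow
RFC 4861 (Redirect, Section 4.5; validation, Section 8.1) and RFC 4191 (RIO,
Section 2.3).  All packets below are constructed, not captured."""
import ipaddress
import struct

ICMPV6_REDIRECT = 137          # ICMPv6 Redirect message type (RFC 4861)
ND_OPT_TARGET_LLADDR = 2       # the two options RFC 4861 expects in a Redirect
ND_OPT_REDIRECTED_HDR = 4
ND_OPT_RIO = 24                # Route Information Option (RFC 4191)


def build_rio(prefix, route_lifetime, prf=0):
    """Encode one RIO.  Used only to construct sample input for the checker."""
    net = ipaddress.IPv6Network(prefix)
    # Option length is in 8-octet units: one for the header, then 0/8/16
    # prefix octets depending on the prefix length.
    length = 1 if net.prefixlen == 0 else (2 if net.prefixlen <= 64 else 3)
    prefix_octets = net.network_address.packed[: (length - 1) * 8]
    flags = (prf & 0x3) << 3                     # Prf field occupies bits 3-4
    return struct.pack("!BBBBI", ND_OPT_RIO, length, net.prefixlen,
                       flags, route_lifetime) + prefix_octets


def build_redirect(target, destination, options=b""):
    """Encode the ICMPv6 part of a Redirect (type, code, checksum, reserved,
    target, destination, options).  Checksum stays zero in this example."""
    header = struct.pack("!BBHI", ICMPV6_REDIRECT, 0, 0, 0)
    return (header + ipaddress.IPv6Address(target).packed
            + ipaddress.IPv6Address(destination).packed + options)


def parse_nd_options(data):
    """Walk the ND option TLV list and return [(type, body)].  Raises
    ValueError on the malformed cases RFC 4861 Section 8.1 discards."""
    opts, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated option header")
        typ, length = data[off], data[off + 1]
        if length == 0:
            raise ValueError("zero-length option")
        end = off + length * 8
        if end > len(data):
            raise ValueError("option runs past end of message")
        opts.append((typ, data[off + 2:end]))
        off = end
    return opts


def decode_rio(body):
    """Return (IPv6Network, route_lifetime) from an RIO body (after type/len)."""
    if len(body) < 6:
        raise ValueError("RIO body too short")
    prefix_len = body[0]
    lifetime = struct.unpack("!I", body[2:6])[0]
    if prefix_len > 128:
        raise ValueError("RIO prefix length > 128")
    packed = bytes(body[6:]).ljust(16, b"\x00")   # pad the truncated prefix
    net = ipaddress.IPv6Network((packed, prefix_len), strict=False)
    return net, lifetime


def check_redirect(icmpv6):
    """Return a list of findings for one Redirect.  An empty list means the
    message passes the RFC 4861 checks and carries no route-affecting option."""
    findings = []
    if len(icmpv6) < 40:
        return ["shorter than 40 octets"]
    if icmpv6[0] != ICMPV6_REDIRECT:
        return ["not an ICMPv6 Redirect"]
    if icmpv6[1] != 0:
        findings.append("ICMP code is not zero")
    target = ipaddress.IPv6Address(icmpv6[8:24])
    destination = ipaddress.IPv6Address(icmpv6[24:40])
    if destination.is_multicast:
        findings.append("destination address is multicast")
    if not target.is_link_local and target != destination:
        findings.append("target is neither link-local nor equal to destination")
    try:
        options = parse_nd_options(icmpv6[40:])
    except ValueError as exc:
        return findings + [f"malformed options: {exc}"]
    for typ, body in options:
        if typ == ND_OPT_RIO:
            try:
                net, lifetime = decode_rio(body)
            except ValueError as exc:
                findings.append(f"malformed RIO: {exc}")
                continue
            # This is the case the thread discusses: a Redirect that would
            # change the routing table rather than only the destination cache.
            findings.append(f"RIO would install route {net} lifetime {lifetime}s")
        elif typ not in (ND_OPT_TARGET_LLADDR, ND_OPT_REDIRECTED_HDR):
            findings.append(f"unexpected option type {typ}")
    return findings


if __name__ == "__main__":
    plain = build_redirect("fe80::1", "2001:db8::5")
    with_rio = build_redirect("fe80::1", "2001:db8:1::5",
                              build_rio("2001:db8:1::/48", 3600))
    for name, pkt in (("plain", plain), ("with RIO", with_rio)):
        print(name, check_redirect(pkt) or ["no findings"])
```

The checker deliberately reports an RIO as a finding rather than rejecting it outright: whether a prefix route learned from a Redirect is acceptable is a per-link policy decision (the "trusted nodes" condition Fred cites from RFC 3756), and the structural checks that precede it are exactly the ones a host already applies to ordinary Redirects.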