IETF Logo Mail Archive

RE: [**EXTERNAL**] RE: New draft-vasilenko-6man-nd-mitm-protection - trust model

Vasilenko Eduard <vasilenko.eduard@huawei.com> Thu, 19 November 2020 15:38 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3C343A0B0E for <ipv6@ietfa.amsl.com>; Thu, 19 Nov 2020 07:38:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oeowIuIU4hbJ for <ipv6@ietfa.amsl.com>; Thu, 19 Nov 2020 07:38:41 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1FF53A0B5D for <ipv6@ietf.org>; Thu, 19 Nov 2020 07:38:05 -0800 (PST)
Received: from fraeml713-chm.china.huawei.com (unknown [172.18.147.200]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4CcP0k3zknz67FQX for <ipv6@ietf.org>; Thu, 19 Nov 2020 23:36:22 +0800 (CST)
Received: from msceml704-chm.china.huawei.com (10.219.141.143) by fraeml713-chm.china.huawei.com (10.206.15.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Thu, 19 Nov 2020 16:37:58 +0100
Received: from msceml703-chm.china.huawei.com (10.219.141.161) by msceml704-chm.china.huawei.com (10.219.141.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Thu, 19 Nov 2020 18:37:57 +0300
Received: from msceml703-chm.china.huawei.com ([10.219.141.161]) by msceml703-chm.china.huawei.com ([10.219.141.161]) with mapi id 15.01.2106.002; Thu, 19 Nov 2020 18:37:57 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: "Mudric, Dusan" <dmudric@ciena.com>, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: RE: [**EXTERNAL**] RE: New draft-vasilenko-6man-nd-mitm-protection - trust model
Thread-Topic: [**EXTERNAL**] RE: New draft-vasilenko-6man-nd-mitm-protection - trust model
Thread-Index: AQHWvPnq9fn0xG7Xj0S099FO96g6NKnMewaA//+x+ICAAHjMAP//7WQAgAGLpfCAAAL5AIABc7Nw
Date: Thu, 19 Nov 2020 15:37:57 +0000
Message-ID: <61cdbf6d9f7c4c46b818a1e4c4446604@huawei.com>
References: <4C66A52E-8B42-4F07-B41E-E461CE03B34A@ciena.com> <1ddcaf0696174beda6e6c5fb182cdc98@huawei.com> <696EA1FE-880E-40D1-A0C8-D8781BF243DD@ciena.com> <792263e6bd9b42d8bf14b02759dd4651@huawei.com> <3D4EA14C-9A86-4A89-9BEF-A5B84A40975F@ciena.com> <c1ebb18cc5d94074b6b2963d47bd2729@huawei.com> <E605603B-B436-4705-94BC-C08D5972DF3F@ciena.com>
In-Reply-To: <E605603B-B436-4705-94BC-C08D5972DF3F@ciena.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.202.204]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/VtlxkfojJOInhS3ztpctz7KNbH4>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 15:38:44 -0000

Hi Dusan,

Let's assume that 1st legal host is working fine.
Second legal host in DAD status (checking) would not try to override cache on any router.
Hence, The algorithm from my draft would not try to block anybody.
I did not discuss it in the draft because there is no problem. It is potentially possible to add.

Optimistic DAD:
* (modifies section 5.4.3) The node MUST reply to a Neighbor
        Solicitation for an Optimistic Address from a unicast address,
        but the reply MUST have the Override flag cleared (O=0).

GRAND:
If the address is in the Optimistic state then the Override flag MUST NOT be set.

Eduard
> -----Original Message-----
> From: Mudric, Dusan [mailto:dmudric@ciena.com]
> Sent: 19 ноября 2020 г. 1:12
> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>; ipv6@ietf.org
> Subject: Re: [**EXTERNAL**] RE: New draft-vasilenko-6man-nd-mitm-
> protection - trust model
> 
> Hi Eduard,
> 
> Neither in presentation nor in draft, I did not get how the solution works. Is
> there a step by step process to detect DAD attacks?
> 
> " But node in DAD stage would not answer by NA,"
> You mean a host doing DAD is not answering with NA or a host with the same
> address is not answering with NA?
> 
> "And node would not rise any flag (even with GRAND) at the time of DAD."
> Which node, which flag?
> 
> "MAC write or rewrite would not happen (no override bit set) - the mechanism
> proposed in this draft would not be activated."
> I guess this means normal DAD would not start new algorithm (which I could not
> get from the draft)?
> 
> " Then DAD would help to resolve the collision."
> You mean current DAD will resolve the collision buy assigning a new address?
> 
> "[Ed: ] I hope it clear now."
> I suppose we agree on the current DAD, but I have no idea what the new
> algorithm does. Can you please add a section in the draft explaining the main
> DAD attack detection ideas?
> 
> Thanks,
> Dusan.
> 
> On 2020-11-18, 12:07 PM, "Vasilenko Eduard" <vasilenko.eduard@huawei.com>
> wrote:
> 
> > -----Original Message-----
> > From: Mudric, Dusan [mailto:dmudric@ciena.com]
> > Sent: 18 ноября 2020 г. 1:25
> > To: Vasilenko Eduard <vasilenko.eduard@huawei.com>; Philip Homburg
> > <pch- ipv6-ietf-6@u-1.phicoh.com>; ipv6@ietf.org
> > Subject: Re: [**EXTERNAL**] RE: New draft-vasilenko-6man-nd-mitm-
> > protection - trust model
> >
> > Hi Eduard,
> >
> > " during DAD nobody (except Intruder) would respond by NA that he does
> > use this IP address"
> > GUA is pseudo random. It is possible to generate GUA that already exists on
> link.
> [Ed: ] Fully possible. Especially if IID would be cut to 8bits (the flame is going in
> parallel - already 500 messages).
> But node in DAD stage would not answer by NA, And node would not rise any
> flag (even with GRAND) at the time of DAD.
> MAC write or rewrite would not happen (no override bit set) - the mechanism
> proposed in this draft would not be activated.
> 
> Then DAD would help to resolve the collision.
> >
> > If DuplicityLevel=1 and after NS there is one NA, how does the host
> > know it is NOT an attack? One NA response can still be an attack.
> [Ed: ] If only one NA to multicast NS - then no any attack, nothing to block.
> Collision would be resolved by DAD. No one legal host would answer with flags
> set during DAD timer.
> >
> > I still don't see how DAD attack is detected.
> [Ed: ] I hope it clear now.
> >
> > Regards,
> > Dusan.
> >
> > On 2020-11-17, 1:40 PM, "Vasilenko Eduard"
> > <vasilenko.eduard@huawei.com>
> > wrote:
> >
> > Hi Dusan,
> > The logic is encoded in the section 4.1.1.
> > If more responses then configured "DuplicityLevel" (that is
> > decremented on every NA received), Then block this IP address:
> > " If DUPLICITY counter is 0: Change Neighbor Cache entry to DUPLICATE state.
> > Clear all packets in the queue related to this target address. Log
> > duplicate address event with target address and both Link Layer
> > addresses (from received NA and from cache entry). Start DuplicateTimer for
> this Neighbor Cache entry. "
> > But it is exactly the point that discussable: what to do in this situation?
> >
> > All of this is not related to address collision, because during DAD
> > nobody (except
> > Intruder) would respond by NA that he does use this IP address. MAC
> > re-write would not happen - nothing to react.
> > If DAD would fail it's duty - it is not acceptable problem that needs ND
> redesign.
> > Hence, we could assume that DAD works.
> > Eduard
> > > -----Original Message-----
> > > From: Mudric, Dusan [mailto:dmudric@ciena.com]
> > > Sent: 17 ноября 2020 г. 19:19
> > > To: Vasilenko Eduard <vasilenko.eduard@huawei.com>; Philip Homburg
> > > <pch- ipv6-ietf-6@u-1.phicoh.com>; ipv6@ietf.org
> > > Subject: Re: [**EXTERNAL**] RE: New draft-vasilenko-6man-nd-mitm-
> > > protection - trust model
> > >
> > > Hi Eduard,
> > >
> > > The draft is not clear.
> > >
> > > What is a host (or a router) supposed to do when it detects two
> > > responses to a multicasted NS, during address resolution?
> > >
> > > Section 4, Security DAD,
> > > "Multicast would give a chance for Poisoned Victim
> > >       to understand that many nodes are going to use the same IP
> > >       address."
> > > Address collision is very rare. Most of the time the attacker would
> > > be the only one responding to multicated NS for DAD detection. What
> > > is the host supposed to do after this attack?
> > >
> > > Thanks,
> > > Dusan.
> > >
> > > On 2020-11-17, 11:06 AM, "Vasilenko Eduard"
> > > <vasilenko.eduard@huawei.com>
> > > wrote:
> > >
> > > Hi Dusan,
> > > We do not propose any DoS mitigation. Only MITM protection (prevent
> > > leakage of information).
> > >
> > > By this draft we propose the same algorithm for both: host and
> > > routers (count NAs after multicast NS).
> > > Host to host communication typically needs one multicast NS, second
> > > host would get stale record that could be checked by unicast NS.
> > > Here is deficiency of this draft that second host should do multicast NS too.
> > > It is important to get the protection of routers 1st - primary
> > > communication is to default router.
> > > Hence, despite universal rules, We hope that routers would be protected
> first.
> > > If it would happen that ND would be never patched on hosts - it is
> > > the small problem.
> > > But yes, it is needed to count NA responses on hosts for host to
> > > host communication.
> > >
> > > All of these are stated in the draft.
> > >
> > > Eduard
> > > > -----Original Message-----
> > > > From: Mudric, Dusan [mailto:dmudric@ciena.com]
> > > > Sent: 17 ноября 2020 г. 18:54
> > > > To: Vasilenko Eduard <vasilenko.eduard@huawei.com>; Philip Homburg
> > > > <pch- ipv6-ietf-6@u-1.phicoh.com>; ipv6@ietf.org
> > > > Subject: Re: [**EXTERNAL**] RE: New draft-vasilenko-6man-nd-mitm-
> > > > protection - trust model
> > > >
> > > > Hi Eduard,
> > > >
> > > > Is the algorithm saying that NS should be multicasted from hosts,
> > > > during address resolution, and if a host should check if there are
> > > > multiple responses? What is the host supposed to do when the
> > > > attack is discovered? How the attacker can be identified and blocked?
> > > >
> > > > is the algorithm protecting against DAD attacks?
> > > >
> > > > Thanks,
> > > > Dusan
> > > >
> > > > On 2020-11-17, 10:28 AM, "ipv6 on behalf of Vasilenko Eduard"
> > > > <ipv6- bounces@ietf.org on behalf of vasilenko.eduard@huawei.com>
> wrote:
> > > >
> > > > Hi Philip,
> > > > It is not possible to force Intruder to do anything. Intruder
> > > > could send unicast NS with any possible flag set. He is intruder -
> > > > definitely out of any
> > > IETF restrictions.
> > > > You have misunderstood proposal.
> > > >
> > > > Intruder is trying to poison cache on the router. Rewrite (or
> > > > initial
> > > > write) of MAC should happen on the router.
> > > > Hence, router should sent multicast NS to give chance for victim
> > > > to reply, then router would see duplicity.
> > > >
> > > > By the way, in the absence of GRAND, Router would send multicast
> > > > NS anyway (after traffic would return from the Internet).
> > > > Additional functionality is just count how many NA responses would
> > > > be
> > > received.
> > > >
> > > > Hence, your excepts from ND and IP addressing RFCs are not
> > > > relevant
> > > > - I do not propose to change anything in the way how NS/NA should
> > > > be
> > done.
> > > > I propose to just count number of NAs after multicast NS.
> > > > And additionally (in GRAND environment) to generate multicast NS
> > > > (where before was possible to check reachability by unicast NS).
> > > >
> > > > Eduard
> > > > > -----Original Message-----
> > > > > From: pch-b9D3CB0F5@u-1.phicoh.com [mailto:pch-b9D3CB0F5@u-
> > > > > 1.phicoh.com] On Behalf Of Philip Homburg
> > > > > Sent: 17 ноября 2020 г. 18:09
> > > > > To: ipv6@ietf.org
> > > > > Cc: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> > > > > Subject: Re: New draft-vasilenko-6man-nd-mitm-protection - trust
> > > > > model
> > > > >
> > > > > > Then it is not
> > > > > > the way how security is done. Security is "the many layers
> > > > > > that Intruder should penetrate".
> > > > >
> > > > > I don't like this approach at all. ND is fundamental to IPv6. We
> > > > > should be very careful making changes to ND. Making changes that
> > > > > break things ("Link Layer Address rewrite or initial write for
> > > > > any Neighbor Cache entry MUST be the result of only *multicast*
> > > > > Neighbor
> > > > > Solicitation.") need very strong justification. In my opinion
> > > > > the marginal effect
> > > > this draft has on security is not worth it.
> > > > >
> > > > > However, upon reflection there also seems to be a fundamental
> > > > > flaw in how this draft works.
> > > > >
> > > > > The key idea of this draft is the following:
> > > > > "Link Layer Address rewrite or initial write for any Neighbor
> > > > > "Cache entry MUST be the result of only *multicast* Neighbor
> > "Solicitation.
> > > > > Multicast would give a chance for Poisoned Victim "to understand
> > > > > that many nodes are going to use the same IP "address.
> > > > >
> > > > > So an attacker A wants to update the neighbor cache entry for
> > > > > victim V on router R with MAC address of the atacker MAC_A.
> > > > >
> > > > > Today the attacker can send a point-to-point NS with source V
> > > > > and destination R and source link-layer address option with value MAC_A.
> > > > >
> > > > > The proposal is to force the attacker to send a multicast NS.
> > > > > Then, the idea is that the victim will also see this multicast
> > > > > and can generate an
> > > alert.
> > > > >
> > > > > This is what RFC 4861 (ND) says about multicast:
> > > > > "the solicited-node multicast address corresponding to the target
> address"
> > > > > (Section 4.3).
> > > > >
> > > > > This multicast address is defined in RFC 4291 (IP Version 6
> > > > > Addressing
> > > > > Architecture) as:
> > > > > "Solicited-Node multicast address are computed as a function of
> > > > > a "node's unicast and anycast addresses.  A Solicited-Node
> > > > > multicast "address is formed by taking the low-order 24 bits of
> > > > > an address "(unicast or anycast) and appending those bits to the
> > > > > prefix
> > > > > "FF02:0:0:0:0:1:FF00::/104
> > > > > (Section 2.7.1)
> > > > >
> > > > > Section 7.2.1. of RFC 4861 has this:
> > > > > "When a multicast-capable interface becomes enabled, the node
> > > > > MUST "join the all-nodes multicast address on that interface, as
> > > > > well as "the solicited-node multicast address corresponding to
> > > > > each of the IP "addresses assigned to the interface.
> > > > >
> > > > > So the victim host does not listen to the solicited-node
> > > > > multicast address of the NS, because that packet goes to the
> > > > > router. So the victim will never know, unless the victim does
> > > > > not do multicast filtering (and
> > > > neither does the network).
> > > > >
> > > > > This proposal also requires interesting layering violations to
> > > > > implement correctly, but I'll leave that for another discussion.
> > > >
> > > > ------------------------------------------------------------------
> > > > -- IETF IPv6 working group mailing list ipv6@ietf.org
> > > > Administrative
> > > > Requests:
> > > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/
> > > > ip
> > > > v6
> > > > __;!!O
> > >
> >
> SsGDw!blQRTv4BqQkFOeKBoJDQq5j3MA7FeNpCZnNBY3CboPhC1m0ebd8aMRUl
> > > > vIET$
> > > > ------------------------------------------------------------------
> > > > --
> > >
> >
>

v2.23.0 | Report a Bug | By Email