Re: I-D Action: draft-ietf-6man-predictable-fragment-id-01.txt
Fernando Gont <fernando@gont.com.ar> Wed, 07 May 2014 10:20 UTC
Return-Path: <fernando@gont.com.ar>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE5471A03A7 for <ipv6@ietfa.amsl.com>; Wed, 7 May 2014 03:20:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id maSycl_2fVoq for <ipv6@ietfa.amsl.com>; Wed, 7 May 2014 03:20:42 -0700 (PDT)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:8240:6:a::1]) by ietfa.amsl.com (Postfix) with ESMTP id 30D811A029B for <ipv6@ietf.org>; Wed, 7 May 2014 03:20:42 -0700 (PDT)
Received: from [2001:5c0:1000:a::1cb7] by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.82) (envelope-from <fernando@gont.com.ar>) id 1Whyxl-0005SC-On; Wed, 07 May 2014 12:20:34 +0200
Message-ID: <536A0828.5040103@gont.com.ar>
Date: Wed, 07 May 2014 05:17:12 -0500
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Ray Hunter <v6ops@globis.net>, ipv6@ietf.org
Subject: Re: I-D Action: draft-ietf-6man-predictable-fragment-id-01.txt
References: <20140430065359.31690.30174.idtracker@ietfa.amsl.com> <5368A2B2.80405@globis.net>
In-Reply-To: <5368A2B2.80405@globis.net>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipv6/XMOXxbBxp8DkbtU8adhSxCuLLxM
Cc: fgont@si6networks.com
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2014 10:20:45 -0000
Hi, Ray,
Thanks so much for your feedback! -- Please find my comments in-line...
On 05/06/2014 03:52 AM, Ray Hunter wrote:
> I have read this draft and think thatit is very well written and that it
> is important work.
Thanks!
>
>> Finally,
>> the attacker send forged IPv6 fragments to the Host B, with their
>> IPv6 Source Address set to that of Host A, and Identification values
>> that would result in collisions with the Identification values
>> employed for the legitimate traffic sent by Host A to Host B. If Host
>> B discards fragments that result in collisions of Identification
>> values (e.g., such fragments overlap, and the host implements
>> [RFC5722]), the attacker could simply trash the Identification space
>> by sending multiple forged fragments with different Identification
>> values, such that any subsequent packets from Host A to Host B are
>> discarded at Host B as a result of the malicious fragments sent by
>> the attacker.
> Comment 1.
> Would this attack also be applicable to any middleware boxes that track
> session progress at the fragmentation level?
It certainly would. Question: do these voxes just "monitor" the traffic
(i.e., just snoop it), or do they actually receive-inspect-filter-if
appropriate)? -- If the former, the attack could result in "evasion".
If the later, the attack would result in DoS.
> DoS attacker Host C could create a race condition by sending spoofed
> packets from A to B with forged fragment ident values, and the
> middelware box would potentially forward (or attempt to re-assemble)
> these packets in preference to the real next fragments arriving from A.
Agreed. That's, for instance, the DNS data-injection attack referenced
in the I-D.
> s/If Host B discards fragments /If Host B, or any intermediate
> middleware box tracking the session, discards fragments/ ?
I'd personally have the middleware stuff as a separate section or
paragraph.. what do you think?
> Comment 2.
> /The Identification value of the Fragment Header MUST NOT be predictable
> by an off-path attacker./
>
> I think there should be more of a constraint on what is "good enough"
>
> Is this not a s/MUST NOT/SHOULD NOT/?
>
> Nothing actually breaks immediately if the advice is ignored.
I agree with the "nothing breaks" (and could certainly live with a
"SHOULD NOT")... although I'd note that it's pretty common to use
"MUST"s for security reasons... --- as in "the secret key MUST NOT be
known to possible attackers" or the like..
Another view is that if you include a "SHOULD NOT" (rather than MUST),
you should include cases where an implementer might decide to go against
the advice... but I don't see any reasons for that...
> Comment 3.
> I have a concern with the ability of implementations to be able to
> comply with this requirement.
>
> The effective field length is apparently only 16 bits when used in
> combination with IPv6/IPv4 translation (according to Section 5).
>
> Sending 2^16 attack packets is not a big ask.
I'd call that "brute forcing" rather than "predicting the ID".
> And it will be far fewer if the attacker relies on birthday type
> collisions to only disrupt 1 in n packets. e.g. if there are many
> packets in the stream and the aim of the attacker is to occasionally
> disrupt the stream they only need to send a fraction of the number of
> attack packets needed to disrupt every single packet.
>
> So I think I also have to ask "is the fragment ident itself sufficiently
> long/ protected to be resistant to birthday type attacks, especially in
> combination with RFC6415 IPv6/IPv4 translation?"
It's certainly long enough. In this case, the problem is really in IPv4,
that has a far shorter Frag ID. I'd also say that I don't quite
understand why the translators expect to learn a sensible IPv4 Frag ID
from the IPv6 frag ID. For instance, if the NAT64 box shares the same
IPv4 address among many IPv6 nodes, then, it may even lead to
collissions. -- e.g.:
Host A -----------
2001:db8::1 \+--------+
| | 100.0.0.1
| NAT 64 +------------------ Host C
Host B ------------| | 8.8.8.8
2001:db8::2 +--------+
Host A sends a packet "to 8.8.8.8" with frag ID 0xaaaa11111. Host B
sends a packet "to 8.8.8.8" with Frag ID 0xbbbb1111. Now both packets
employ the tuple (src 100.0.0.1, dst 8.8.8.8, frag id 0x1111) thus
resulting in a colision of Frag IDs.
> Comment 4.
> Do we also need to mandate /Nodes SHOULD also implement ICMP specific
> attack countermeasures as described in [RFC 5927] / in section 4, to
> prevent an off-path attacker being able force use of fragmentation in
> the first place?
I think they should -- also referencing RFC5927 in such a way would be a
down ref 8bcp/std track mandating an informational document). The only
caveat is: If the header chain is long enough (>1280 bytes), then the
transport protocol header will not be available in the ICMPv6 error.
(Unfortunately, mmany implementations don't even validate it when it's
available)
Thoughts?
Thanks!
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
- I-D Action: draft-ietf-6man-predictable-fragment-… internet-drafts
- Re: I-D Action: draft-ietf-6man-predictable-fragm… Ray Hunter
- Re: I-D Action: draft-ietf-6man-predictable-fragm… Fernando Gont