IETF Logo Mail Archive

Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 29 June 2022 23:03 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14207C14F734 for <ipv6@ietfa.amsl.com>; Wed, 29 Jun 2022 16:03:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xlnG4B8by_Mj for <ipv6@ietfa.amsl.com>; Wed, 29 Jun 2022 16:03:04 -0700 (PDT)
Received: from mail-pg1-x529.google.com (mail-pg1-x529.google.com [IPv6:2607:f8b0:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34CA4C14F744 for <ipv6@ietf.org>; Wed, 29 Jun 2022 16:03:04 -0700 (PDT)
Received: by mail-pg1-x529.google.com with SMTP id q140so16714555pgq.6 for <ipv6@ietf.org>; Wed, 29 Jun 2022 16:03:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :cc:references:from:in-reply-to:content-transfer-encoding; bh=etXbCaJk2qukvY4dLz9xmI0LNdF87W6bnch8ipSJdPA=; b=M0pKFnbERHKOREE98YWrXeFflh61g8No9ETpHlyzvBEwgkOMK/AdnA7Zggu7AUA3lz Zo8lV35gUrWaCiTd6gFIHwxSHEfRE67Wi9THSPO8szb9rO5Otl/yDSm2gH+OSgWsBeW6 HS5MvociaFD+U6c2jLy5yKj0Zxw+WqL+qEJQwKnEg/WcmxUWbWyz34Jnjg18ROf27Xqr 99nz95hT6n3KVPGx+8g/y3GghM+1kuDiNM7Aw8lTy0PNrjJQO25UgmoLReUd6HDQCAZc DLDfS0XVr030LDZw/Wq4+5qfW420ITiZvOPH0KDPaDNseZfFs2tqO8lM/LebH6m5MM5z WYxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:cc:references:from:in-reply-to :content-transfer-encoding; bh=etXbCaJk2qukvY4dLz9xmI0LNdF87W6bnch8ipSJdPA=; b=rg8mxHV7BbP/sQVpoPnA5/7SgzhgRFq7klCz6IG1+SC3WJfnyh++qk7Y8x3UBdM7cL a4liiW6TahPiD4IleDHS+HcPu/v7QGLXJwtHgmhDQv3TqGhSOr2Kgh1JcGE2mo08Yv8T bUuQ1C19O8ZCecllEIvIdyWhb67ZGZEbML+8G4EIRJb/D5MJShZfGBSsCcJWQpte2FR7 7VSuyjeetAtrHsBfyvymtlH/7NtvUYILpmlPOCCasrtinRgmMW4j5nQs3PpYrcw1NLKU w73yq1o80HlQbxSxryKZcsKNQdRqcBzl3lk8c2jY30zrl2gx11YZ2URfXbvZRa2dDYcr Idpg==
X-Gm-Message-State: AJIora+aJUItIcjHs3d0ok9qlZDWne4Ea+2X6qSTiod0bYyGrZu48oIC G/XYUsySes+UDRuKy9fQQ6E=
X-Google-Smtp-Source: AGRyM1snqmQKqbyyKFd8G9XZ8LNowJRLlyMyyyxQ8pq1cPQQZqqpIwGJh5SEmk5NRnJLgAqF0m2CAw==
X-Received: by 2002:a05:6a00:2410:b0:522:9837:581f with SMTP id z16-20020a056a00241000b005229837581fmr12591648pfh.11.1656543783430; Wed, 29 Jun 2022 16:03:03 -0700 (PDT)
Received: from ?IPV6:2406:e003:1124:9301:80b2:5c79:2266:e431? ([2406:e003:1124:9301:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id x199-20020a627cd0000000b00525243d0dc6sm12474211pfc.15.2022.06.29.16.03.00 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 29 Jun 2022 16:03:02 -0700 (PDT)
Message-ID: <6968ca7b-dac3-b192-41ed-a193adab7eb4@gmail.com>
Date: Thu, 30 Jun 2022 11:02:57 +1200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.10.0
Subject: Scripting attacks [was Next step for draft-ietf-6man-rfc6874bis]
Content-Language: en-US
To: "Philipp S. Tiesel" <philipp@tiesel.net>
Cc: 6man <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>, Stuart Cheshire <cheshire@apple.com>
References: <164938402532.17740.11717866110301931501@ietfa.amsl.com> <b1780128-2069-b32e-7ca5-86977c119f0c@gmail.com> <11d4e419-11a9-8768-abf2-1335e5f1c3d8@gmail.com> <149924f9-da30-fa79-0509-c01c439d1796@gmail.com> <5BEFA97B-CF09-44D7-8C10-017FEAE4C3A8@tiesel.net> <e6ff75e7-b6c6-ea03-2e10-b1ad95d650f0@gmail.com> <98D15BD9-A631-4D09-AE9E-9D4C750714C9@tiesel.net> <95c82ad3-2138-ab2a-7ba5-57ad80472964@gmail.com> <E5C368C5-9DAE-4C61-ADDE-B881EA11EDA0@tiesel.net>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <E5C368C5-9DAE-4C61-ADDE-B881EA11EDA0@tiesel.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/YDRrY71hxhQBdMGLS-XByHS1f7I>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jun 2022 23:03:08 -0000

One more item about scripting attacks on link-local literal URLs:

I spent a little time investigating this, using LL addresses
without a zone ID, but with current browsers on Windows 10,
where a default (null) zone ID is supported.

I won't give details here, but it is quite possible to test
whether a specific LL address is present or absent on the local
link, in fewer than 20 lines of Javascript embedded in an
HTML document. However, it takes about 3500 milliseconds,
because I could not time out the HTTP request sooner than that
and still detect an active address. (The target that I tested
was my CE router, the browser was FireFox. The result for
Chrome was similar.)

That means that a full search of the 64-bit IID space would
take 2^64 x 3500 ms, or about 2047 billion years.

Even a full search of the 24-bit low order bits of a Modified EUI
identifier would take 2^24 x 3500 ms, or about 1.9 years.
(We can assume that a smart attacker would know the possible
manufacturer ID values for popular CE routers, so would only need
to brute-force search the low order bits: see RFC7707.)

I don't think we should put these numbers in the draft, but I
think they illustrate (a) that a successful exploit is probably
not practical today and (b) using Modified EUI identifiers
is a really bad idea (which we knew, of course).

Regards
    Brian

On 22-Jun-22 20:28, Philipp S. Tiesel wrote:
> Hi Brian,
> 
>> On 21. Jun 2022, at 22:32, Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
>>
>> On 21-Jun-22 22:07, Philipp S. Tiesel wrote:
>>> Hi Brian,
>>>> On 17. Jun 2022, at 06:27, Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
>>>>
>>>> Philipp,
>>>>
>>>> First, thanks for taking the time to read the draft. Some comments in line:
>>>>
>>>> On 15-Jun-22 01:54, Philipp S. Tiesel wrote:
>>>>> Dear authors and WG,
>>>>> based on this WG last call, I reviewed the document. Overall, it is well written and mostly ready to publish,
>>>>> but I have a) one issue with the Security considerations section and b) a possibly stupid question on usefulness in web context:
>>>>> a) The Security Considerations Section states:
>>>>>> It is conceivable that this format could be misused to probe a local
>>>>>> network configuration in some way. However, that would only be
>>>>>> possible for an attacker that had already gained sufficient control
>>>>>> of a host to originate HTTP messages. Such an attacker could more
>>>>>> easily probe using basic mechanisms such as the "ping" command.
>>>>> Is this true? What prevents an attack from embedding scoped IPv6 addresses in HTML documents, e.g., as part of an AD.
>>>>
>>>> Nothing, except that the attacker has no way of knowing a link-local address in advance, and the search space for interface identifiers is 2^64 (since we abandoned Modified EUI64).
>>> The CPEs I used recently, e.g,, products from AVM, still do EUI64 for link-local, secured IIDs are only used for GUAs.
>>
>> I have a FritzBox and indeed it uses EUI64, both for link-local (its address as the default router) and for its address as a DNS server (GUA or ULA).
>>
>>> Assuming an attacker who wants to use this as a fingerprinting-attack and has some idea which CPEs are used from which provider, this dramatically reduces the search space and may make fingerprinting feasible.
>>
>> Indeed. However, I am not sure that the browser itself supporting the link-local zone ID will change that, especially on hosts that support a default zone for link-local, where RFC6874[bis] is not even required.
> 
> I guess the problem is rather exposing Link-Local networking as an URL that the Zone-ID itself.
> Adding the Zone-ID is just moving it from “something broken no-one really implemented” to “something that has a fair chance getting implemented.
> 
> So, I agreed that the attack vector is not new and not really changed by draft-ietf-6man-rfc6874bis. Still I would prefer mentioning it in the security considerations and being less optimistic about EUI64 (and other schemes that enable fingerprinting) going away.
> 
> AVE!
>     Philipp
> 
>> Brian
>>
>>>>
>>>> So, as I realised while reading Ted Lemon's comment, the only available mechanism seems to be Javascript that would search the fe80::/64 space for a valid address. I just don't know enough about what JS can do to investigate this. Any further input would be very welcome.
>>>>
>>>>> While the security model of the browser/device should prevent abusing it from taking action REST calls to your home router, including a well-known image from such a device should be possible and could be used to verify an identity by linking to the EUI64 address of your home router and verifying the image was loaded. This is far easier than “pinging” the router.
>>>>
>>>> I suppose there are many old home routers still using Modified EUI64, but even so, the Interface ID contains 48 arbitrary bits (even the OUI bits have to be guessed). So there is quite a guessing game, and by the way, guessing the IPv4 address of the home router should be *much* easier. Is this an exploit that anyone will find useful?
>>> Based on the experience in the cookie and tracker wars, this seems not too far-fetched to assume someone tries to use CPE IIDs as super-cookie.
>>> Still, this kind of attack seems relatively easy to mitigate by restricting the usage of IPv6 literals with zone-identifiers.
>>>>
>>>>> b) Assuming a device has only link-local connectivity and a web interface, is there a way to reference “same interface as used for this connection”?
>>>>
>>>> Not that I can think of. In an o/s that assumes a default zone (recommended by RFC 4007, but not always implemented) the same effect might be possible, but that is true today, at least on Windows.
>>>>
>>>>> If not, such a web interface could only use relative links and things like re-direction to https will become hard.
>>>>
>>>> Thanks again. I think we need to ask for an early security review to get this right.
>>>>
>>>> Brian
>>>>
>>>>> AVE!
>>>>> Philipp
>>>>>> On 11. Jun 2022, at 03:56, Brian E Carpenter <brian.e.carpenter@gmail.com <mailto:brian.e.carpenter@gmail.com>> wrote:
>>>>>>
>>>>>> Dear 6man-chairs (especially Jen),
>>>>>>
>>>>>> The authors believe that this draft is now stable and we request a WG Last Call. It would be nice to get this done before the IETF meeting.
>>>>>>
>>>>>> Regards
>>>>>> Brian Carpenter
>>>>>>
>>>>>> On 19-May-22 12:52, Brian E Carpenter wrote:
>>>>>>> There's been no more discussion for several weeks. Can we move
>>>>>>> on to a WG Last Call?
>>>>>>> Regards
>>>>>>> Brian Carpenter
>>>>>>> On 08-Apr-22 14:29, Brian E Carpenter wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> This version reflects comments at the IETF and on the list.
>>>>>>>> Change log:
>>>>>>>> * Extended use cases (added Microsoft WSD)
>>>>>>>> * Clarified relationship with RFC3986 language
>>>>>>>> * Allow for legacy use of RFC6874 format
>>>>>>>> * Augmented security considerations
>>>>>>>> * Editorial and reference improvements
>>>>>>>>
>>>>>>>> Note that some of the text about RFC3986 that Shang Ye
>>>>>>>> suggested to remove has been retained, but modified. Further
>>>>>>>> comments about this, or any other aspect, are very welcome.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Brian + co-authors
>>>>>>>>
>>>>>>>> On 08-Apr-22 14:13, internet-drafts@ietf.org <mailto:internet-drafts@ietf.org> wrote:
>>>>>>>>>
>>>>>>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>>>>>>> This draft is a work item of the IPv6 Maintenance WG of the IETF.
>>>>>>>>>
>>>>>>>>> Title : Representing IPv6 Zone Identifiers in Address Literals and Uniform Resource Identifiers
>>>>>>>>> Authors : Brian Carpenter
>>>>>>>>> Stuart Cheshire
>>>>>>>>> Robert M. Hinden
>>>>>>>>> Filename : draft-ietf-6man-rfc6874bis-01.txt
>>>>>>>>> Pages : 13
>>>>>>>>> Date : 2022-04-07
>>>>>>>>>
>>>>>>>>> Abstract:
>>>>>>>>> This document describes how the zone identifier of an IPv6 scoped
>>>>>>>>> address, defined as <zone_id> in the IPv6 Scoped Address Architecture
>>>>>>>>> (RFC 4007), can be represented in a literal IPv6 address and in a
>>>>>>>>> Uniform Resource Identifier that includes such a literal address. It
>>>>>>>>> updates the URI Generic Syntax and Internationalized Resource
>>>>>>>>> Identifier specifications (RFC 3986, RFC 3987) accordingly, and
>>>>>>>>> obsoletes RFC 6874.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The IETF datatracker status page for this draft is:
>>>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/ <https://datatracker.ietf.org/doc/draft-ietf-6man-rfc6874bis/>
>>>>>>>>>
>>>>>>>>> There is also an HTML version available at:
>>>>>>>>> https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-01.html
>>>>>>>>>
>>>>>>>>> A diff from the previous version is available at:
>>>>>>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-6man-rfc6874bis-01
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> I-D-Announce mailing list
>>>>>>>>> I-D-Announce@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/i-d-announce
>>>>>>>>> Internet-Draft directories: http://www.ietf.org/shadow.html
>>>>>>>>> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>>>>>>>>>
>>>>>>
>>>>>> --------------------------------------------------------------------
>>>>>> IETF IPv6 working group mailing list
>>>>>> ipv6@ietf.org <mailto:ipv6@ietf.org>
>>>>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>>>>> --------------------------------------------------------------------
>>>>>>
>>>>> --
>>>>> Philipp S. Tiesel
>>>>> https://philipp.tiesel.net/ <https://philipp.tiesel.net/>
>>>>> .
>>> AVE!
>>> Philipp S. Tiesel
>>> --
>>> Philipp S. Tiesel
>>> https://philipp.tiesel.net/ <https://philipp.tiesel.net/>
> 
> AVE!
>    Philipp S. Tiesel / phils…
> -- 
>     {phils}--->---(phils@in-panik.de <mailto:phils@in-panik.de>)--->---(http://phils.in-panik.de <http://phils.in-panik.de>)----,
>        wenn w eine   aube ist dn      man au dran dre en                   |
>             o     Schr        an muss     hc         h   (Kurt Schwitters) |
> :wq!  <----(phone: +49-179-6737439)---<---(jabber: phils@in-panik.de <mailto:phils@in-panik.de>)----'
>

v2.23.0 | Report a Bug | By Email