RE: [v6ops] Conclusion (was Re: CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability)

Greg Daley <gdaley@au.logicalis.com> Wed, 24 August 2016 02:13 UTC

From: Greg Daley <gdaley@au.logicalis.com>
To: 'Gert Doering' <gert@space.net>, Tore Anderson <tore@fud.no>
Date: Wed, 24 Aug 2016 02:13:17 +0000
Message-ID: <72381AF1F18BAE4F890A0813768D99282DC9E068@sdcexchms.au.logicalis.com>
In-Reply-To: <20160823210814.GO79185@Space.Net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/zorIX3PFQfQsjVdP5z1xxC95JU8>
Cc: "v6ops-chairs@ietf.org" <v6ops-chairs@ietf.org>, v6ops list <v6ops@ietf.org>, 6man WG <ipv6@ietf.org>, "6man-chairs@ietf.org" <6man-chairs@ietf.org>

Hi Gert et al,

While there's not an explicit vulnerability in the protocol which wasn't considered previously, some of the points raised indicate it is not obvious to operators how to provide protection from ND messages (amongst other ICMP) ingressing or egressing your network.

Is it worth providing some guidance steps?

There's been some specific work done with ND-Shield (draft-gont-opsec-ipv6-nd-shield-00) and ND Problems (RFC6583), as well as filtering rules for ICMPv6 (RFC4890).

There is an explicit assumption in RFC 4890 S4.3.3 that the end device will make the right decision and drop packets based on protocol behaviour (i.e. pass ND traffic only with correct hop limits).  I would recommend a change to this behaviour to explicitly control traffic passing a network border.

This would allow systems that have bugs and are hard to patch (e.g. IoT) to operate within a safer environment, even if they don't implement full ND checks.

If so, my guess is that sounds more like an operational WG approach rather than 6man.

Sincerely, 

Greg Daley
Solutions Architect
Logicalis Australia Pty Ltd
e gdaley@au.logicalis.com
t +61 3 8532 4042
m +61 401 772 770

> -----Original Message-----
> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Gert Doering
> Sent: Wednesday, 24 August 2016 7:08 AM
> To: Tore Anderson
> Cc: 6man WG; v6ops-chairs@ietf.org; v6ops list; 6man-chairs@ietf.org
> Subject: Re: [v6ops] Conclusion (was Re: CVE-2016-1409: IPv6 Neighbor
> Discovery Crafted Packet Denial of Service Vulnerability)
> 
> Hi,
> 
> On Tue, Aug 23, 2016 at 10:37:15AM +0200, Tore Anderson wrote:
> > So if all there is to this vulnerability is a simple volumetric DoS
> > attack on the control plane I really wonder what all the fuss is about.
> > Most operators are fully aware that *any* traffic from untrusted
>                  ^^^^^^^^^^^^^^^
> Your optimism on the state of the Internet is amazing :-) - you should be
> reading IXP mailing lists for a reality check on the amazingly low level of
> understanding out there.
> 
> > sources that is being allowed to reach the control plane is a
> > potential DoS vector. Shockingly enough, IPv6 ND is no exception - news at
> > 11.
> 
> Seriously - I blatantly assumed that IOS XR LPTS would "do the right thing
> here", namely, protect me from Joe Random's ND packets sent all over the
> Internet to my boxes.  Now, if a peer at the local IXP turns out to be
> malicious or gets hacked, yes, this is an obvious attack angle - but "random
> packets from the Internet drowning out legitimate on-link
> IPv6 ND packets"?
> 
> Well, for me, this came as a surprise.
> 
> (Arguably, the hardware might not be able to look at TTL - but if it's smart
> enough to have a queue for IPv6 ND packets in the first place, why is it not
> smart enough to program proper source address filters there?)
> 
> Gert Doering
>         -- NetMaster
> --
> have you enabled IPv6 on something today...?
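As an added illustration (not code from this thread or from either author), the border control Greg describes, and the source filtering Gert asks for, can be expressed as a small filter decision: ND messages are dropped at a site border regardless of hop limit, so the protection no longer depends on the receiving host checking hop limit 255 itself. Packet bytes are constructed inline for the test; `build_icmpv6` and `border_decision` are hypothetical names, not any router's API.

```python
import struct
from ipaddress import IPv6Address

ICMPV6 = 58
# ICMPv6 Neighbor Discovery types (RFC 4861). RFC 4890 s4.3.3 lists them as
# link-local-only traffic that must not cross a site border.
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}


def build_icmpv6(src, dst, hop_limit, icmp_type):
    """Constructed test packet: fixed IPv6 header plus a minimal ICMPv6
    header (checksum left at 0; the filter never validates it)."""
    payload = struct.pack("!BBHI", icmp_type, 0, 0, 0)
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), ICMPV6, hop_limit)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def border_decision(pkt):
    """Return (action, reason) for one packet arriving at a network border.

    Unlike the RFC 4890 s4.3.3 assumption, this does not rely on the end
    host to discard ND with hop limit != 255: all ND is dropped here, and
    the reason string records why the packet could only have come from
    off-link (forwarded, i.e. hop limit decremented, or non-local source).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop", "not IPv6"
    next_hdr, hop_limit = pkt[6], pkt[7]
    src = IPv6Address(pkt[8:24])
    if next_hdr != ICMPV6:
        return "permit", "not ICMPv6"  # outside this filter's scope
    if len(pkt) < 44:
        return "drop", "truncated ICMPv6 header"
    icmp_type = pkt[40]
    if icmp_type not in ND_TYPES:
        return "permit", "ICMPv6 type %d is not ND" % icmp_type
    name = ND_TYPES[icmp_type]
    if hop_limit != 255:
        # A conforming host would reject this (RFC 4861); a buggy one may not.
        return "drop", "%s with hop limit %d (forwarded ND)" % (name, hop_limit)
    if not (src.is_link_local or src.is_unspecified):
        return "drop", "%s from off-link source %s" % (name, src)
    return "drop", "%s must not cross a border" % name


if __name__ == "__main__":
    for p in (build_icmpv6("2001:db8::1", "2001:db8:1::2", 64, 135),
              build_icmpv6("fe80::1", "ff02::1", 255, 134),
              build_icmpv6("2001:db8::9", "2001:db8:1::2", 64, 128)):
        print(border_decision(p))
```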