IETF Logo Mail Archive

Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)

"C. M. Heard" <heard@pobox.com> Tue, 10 February 2015 02:58 UTC

Return-Path: <heard@pobox.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 389891A86E2 for <opsec@ietfa.amsl.com>; Mon, 9 Feb 2015 18:58:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YWcmSHEkijkq for <opsec@ietfa.amsl.com>; Mon, 9 Feb 2015 18:58:16 -0800 (PST)
Received: from shell4.bayarea.net (shell4.bayarea.net [209.128.82.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 416FF1A8547 for <opsec@ietf.org>; Mon, 9 Feb 2015 18:58:16 -0800 (PST)
Received: (qmail 26847 invoked from network); 9 Feb 2015 18:51:25 -0800
Received: from shell4.bayarea.net (209.128.82.1) by shell4.bayarea.net with (DHE-RSA-AES256-SHA encrypted) SMTP; 9 Feb 2015 18:51:25 -0800
Date: Mon, 09 Feb 2015 18:51:24 -0800
From: "C. M. Heard" <heard@pobox.com>
X-X-Sender: heard@shell4.bayarea.net
To: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <CDA3CF60-BB2E-4F77-B325-B3057C01FBD1@nominum.com>
Message-ID: <Pine.LNX.4.64.1502091713320.26279@shell4.bayarea.net>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <D5B607FA-9B47-4F1B-A0C1-FB0C94A97CDB@bogus.com> <Pine.LNX.4.64.1502071930100.25761@shell4.bayarea.net> <06B01D8E-981D-4D06-B6CC-3B5CE92782C5@nominum.com> <Pine.LNX.4.64.1502080813060.2950@shell4.bayarea.net> <D97E8BB3-0DB3-4B41-8C91-DBB3121DCEF7@nominum.com> <Pine.LNX.4.64.1502081507150.24776@shell4.bayarea.net> <72C73500-E6C4-4D75-9CFA-8FE4B012AB9E@nominum.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com> <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net> <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com> <Pine.LNX.4.64.1502090708270.22936@shell4.bayarea.net> <174AA530-3993-4894-BCE7-2AE8818EB35E@nominum.com> <54D8F98D.1030101@si6networks.com> <B3474476-3FA1-484E-BAAD-E7A6474BA11C@nominum.com> <54D90EE5.2060002@gmail.com> <5C9CF492-A795-4023-BB91-28B1B52706E4@nominum.com> <54D92987.2080505@gmail.com> <CDA3CF60-BB2E-4F77-B325-B3057C01FBD1@nominum.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/W-5oxQ04z2Z1Js5uBHva9jS6Eag>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, Pete Resnick <presnick@qti.qualcomm.com>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, The IESG <iesg@ietf.org>, Fernando Gont <fgont@si6networks.com>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Feb 2015 02:58:18 -0000

On Mon, 9 Feb 2015, Ted Lemon wrote:
> On Feb 9, 2015, at 4:41 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> > OK Ted, then please provide the pseudo-code for making that
> > determination:
> > 
> >  if ???? then #it's an unknown extension header conforming to RFC 6564
> >          else #it's an unknown transport protocol;
> > 
> >    Brian
> 
> Apologies if there are horrific buffer overflow bugs, but here's roughly how you would do it:
> 
> // return true if it's a dhcpv6 packet that we should drop
> BOOL
> guard_p(int next_header_type, u_int8_t *bufp, int buflen)
> {
>   int header_len;
>   // no space for a valid protocol or extension header?
>   if (buflen < 2)
>     return false;
>   if (next_header_type == 59)
>     return false;
>   if (udp_p(next_header_type))
>     return dhcpv6_guard_p(bufp, buflen);
>   if (known_proto_header_type_p(next_header_type))
>     return false;
>   if (known_extension_header_type_p(next_header_type))
>     {
>       header_len = header_extension_len(next_header_type, bufp, buflen);
>       // evidently malformed header?
>       if (header_len == 0)
>         return false;
>       // tail call to check next header
>       return guard_p(known_extension_header_next_type(next_header_type, bufp, buflen),
>                      bufp + header_len, buflen - header_len);
>     }
>   // tail call to check presumed RFC 6564 header.
>   // if it's actually an unknown protocol header, we may 
>   // have to parse over some garbage before running off
>   // the end of the packet and returning false.
>   // It may also be deliberate garbage, in which case the
>   // same thing will happen, but possibly more slowly.
>   return guard_p(bufp[0], bufp + bufp[1] + 2, buflen - bufp[1] - 2);> 
> }
[ final statement corrected as indicated in subsequent e-mail ]

I think this pseudo-code pretty clearly makes the point I was trying 
to make about DOS attacks on the DHCPv6-Sheild engine.  In an 
earlier message, you wrote:

> I asked you earlier in this conversation to describe a specific 
> attack, not make general speculations.

OK.  Here is a crafted packet that will make things go slowly:
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    6  | Traffic Class |           Flow Label                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                880            |     143       |   Hop Limit   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                         Source Address                        +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                      Destination Address                      +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      144      |       0       |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      145      |       0       |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   ~                                                               ~
   ~                                                               ~
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      252      |       0       |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       59      |       0       |                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

If I counted correctly, this "packet" uses all 110 unassigned 
protocol numbers (aka next header values).  It would be easy to 
include more or fewer headers.  Or make the last header length point 
outside the packet.

Note that this is not an attack on the destination host.  The 
destination host should drop the packet immediately upon 
encountering an unknown next header value.  Rather, it is an attack 
on the DHCPv6-Shield engine, which has to do a lot of work to figure 
out what to do with this packet.  Is a typical implementation robust 
enough to deal with a line-rate stream of stuff like this?  Do 
implementations with hardware accelerators (and limited header 
memory) suffer no adverse effects at all?  What do they do if the 
header chain won't fit?  I'm sure the effects vary greatly, but is 
is really true that this attack is nothing to worry about?

//cmh

v2.23.0 | Report a Bug | By Email