[Roll] Security Considerations for useofrplinfo draft
Ines Robles <mariainesrobles@googlemail.com> Wed, 30 January 2019 20:55 UTC
Return-Path: <mariainesrobles@googlemail.com>
X-Original-To: roll@ietfa.amsl.com
Delivered-To: roll@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 730F7130FEC for <roll@ietfa.amsl.com>; Wed, 30 Jan 2019 12:55:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=googlemail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oV9e0t7KeZL0 for <roll@ietfa.amsl.com>; Wed, 30 Jan 2019 12:55:38 -0800 (PST)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3011130FEB for <roll@ietf.org>; Wed, 30 Jan 2019 12:55:37 -0800 (PST)
Received: by mail-ed1-x534.google.com with SMTP id y56so761498edd.11 for <roll@ietf.org>; Wed, 30 Jan 2019 12:55:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=iIzlfGCXVgp2JdBaozQodx27QFhhCtbt2o5tvvkAtLo=; b=KeI6+Eo0SrH+ecmwVVTUkP82Z8cesMnTc2N93zpHT/c3HJOxMcg/tO0ZXxQux85OnO s08YBWU9Hz9TDz8OVWmqAnKl0SsxP0gzQtXr+eLMi5WpLg3eqoxKYtcOCXQJ1Q6yBomm a2LWqpcULuNZxnRWJa3NQBBVTbdRvls747bCBNOG3XbGKTw84qvcnLDfJG/x0dV++/HI eboNcw66I3cenZ3b4H2RAB8twYmExdLOOkK8UiyEDUZQg6cRmvasQfOKzMTTtksumkJb TQrYSjBTkkcswi+LKjUzEGs8cYtbibV5x145JimImgqhAGl1z3g+YLviIQyL46pV8OJw NlNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=iIzlfGCXVgp2JdBaozQodx27QFhhCtbt2o5tvvkAtLo=; b=X0I2Vwcvm4UD9DQkiNKmotqOb/wYrCQk6lOG4zWRW3GOKNlBdm7vH/aW5YnQgBQ27m h+aT6HVq5oMA/wpQ4YJVeocwOv3xv0TrH/5aXSzutN/TOWHzAV3l+hYze+bFsK0H+KMD OQMCOBbtKs8Xtb9JEfuKRw4qEwLztzcSjORbY0AojmCvWD0QyNYq7pG7kMwAALtM6Lbt P9OXBn/jNwh1olFRVLZqLMMlt6ZpX9Vh7REuyzePZmHupo7TUWeT/rCkqidJTyg7+chD 6GVheMvlUM4XRejQYIknbwZ+Fvelz90xq8d02RGheuWLTF7xnuie9JYz068h1CaSjsgr LlVQ==
X-Gm-Message-State: AJcUukeOF+W/yEubONUDrBR5GsXaYUF23AoAEMxg8Ka2mzkncVurlFu9 njyEvfyViIxFKkhWfkqvv17DclwTUH1Hph21aQ7hWP/Y
X-Google-Smtp-Source: ALg8bN5cNOADHyHPHv1RGwZrsT+OTgyIZDnTqDVdCKKsQARcK1C+1xpZ06qL3RVOoqU/GF4as8QSKYbEyXYAO7ieEs0=
X-Received: by 2002:a17:906:4b4c:: with SMTP id j12mr27706340ejv.185.1548881735971; Wed, 30 Jan 2019 12:55:35 -0800 (PST)
MIME-Version: 1.0
From: Ines Robles <mariainesrobles@googlemail.com>
Date: Wed, 30 Jan 2019 22:55:24 +0200
Message-ID: <CAP+sJUeGoYDwJ=RHs80Og6WszT3=OTk_Ohfy9BuzKwubZxW4TQ@mail.gmail.com>
To: roll <roll@ietf.org>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "Pascal Thubert (pthubert)" <pthubert@cisco.com>
Content-Type: multipart/alternative; boundary="000000000000abfecb0580b321fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/roll/Iz3hauzSYpRCtkWTBGz2bVOSFWg>
Subject: [Roll] Security Considerations for useofrplinfo draft
X-BeenThere: roll@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Over Low power and Lossy networks <roll.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/roll>, <mailto:roll-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/roll/>
List-Post: <mailto:roll@ietf.org>
List-Help: <mailto:roll-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/roll>, <mailto:roll-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jan 2019 20:55:43 -0000
Dear all, Please, we would like to have your opinion to address the following major comments/questions: Ticket: 191 https://trac.ietf.org/trac/roll/ticket/191 "Nodes within the LLN can use the IPv6-in-IPv6 mechanism to mount an attack on another part of the LLN, while disguising the origin of the attack. The mechanism can even be abused to make it appear that the attack is coming from outside the LLN, and unless countered, this could be used to mount a Distributed Denial Of Service attack upon nodes elsewhere in the Internet. See [DDOS-KREBS] for an example of such attacks already seen in the real world." [major] Is there any possible mitigation to this inside-the-LLN attack? Would authentication help -- is it even possible? Ticket 192: https://trac.ietf.org/trac/roll/ticket/192 " Blocking or careful filtering of IPv6-in-IPv6 traffic entering the LLN as described above will make sure that any attack that is mounted must originate from compromised nodes within the LLN. The use of BCP38 filtering at the RPL root on egress traffic will both alert the operator to the existence of the attack, as well as drop the attack traffic. As the RPL network is typically numbered from a single prefix, which is itself assigned by RPL, BCP38 filtering involves a single prefix comparison and should be trivial to automatically configure." [major] BCP38 will stop an attack, but only if the source addresses are spoofed. What if they're not? Given that the attack may be hidden, and assuming that nodes are compromised across multiple LLNs, an attacker may not care enough to spoof the origins. Ticket 193: https://trac.ietf.org/trac/roll/ticket/193 "The RH3 header usage described here can be abused in equivalent ways with an IPv6-in-IPv6 header to add the needed RH3 header. As such, the attacker's RH3 header will not be seen by the network until it reaches the end host, which will decapsulate it. An end-host SHOULD be suspicious about a RH3 header which has additional hops which have not yet been processed, and SHOULD ignore such a second RH3 header." [major] What does "SHOULD be suspicious" mean? How is that a Normative behavior? Would being suspicious include dropping the packet or some other similar action? When would the router *not* be suspicious? Why is that not a "MUST"? The presence of the second RH3 means that there is a configuration mistake somewhere else in the network. It would be reasonable to increment a counter in a MIB (if we had a MIB) when this occurs. Based upon the Postel doctrine, ignoring the extra header (not acting on it), is the best policy. An RH3 header was not completely consumed is discussed in RFC https://tools.ietf.org/html/rfc6554#section-4.2 says that an RH3 header with additional “non-zero Segments Left value, if the IPv6 Destination Address is not on-link” should be dropped. In this case, the RH3 header is *inside* the outer IPv6-in-IPv6 header, which has then been forwarded. We think that this header should simply be ignored in processing the packet. To do otherwise (such as forwarding) would permit external attackers to send traffic that appears to originate inside the LLN. What do you think? Thank you very much in advance, The authors.
- [Roll] Security Considerations for useofrplinfo d… Ines Robles
- Re: [Roll] Security Considerations for useofrplin… Pascal Thubert (pthubert)
- Re: [Roll] Security Considerations for useofrplin… Ines Robles