IETF Logo Mail Archive

Re: [Roll] Security Considerations for useofrplinfo draft

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Tue, 05 February 2019 12:52 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: roll@ietfa.amsl.com
Delivered-To: roll@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C263130E46 for <roll@ietfa.amsl.com>; Tue, 5 Feb 2019 04:52:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.641
X-Spam-Level:
X-Spam-Status: No, score=-14.641 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=O7uxIEfJ; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=lfVHjXUp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHbxOQKj8wOC for <roll@ietfa.amsl.com>; Tue, 5 Feb 2019 04:52:20 -0800 (PST)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8D14130F4C for <roll@ietf.org>; Tue, 5 Feb 2019 04:52:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=31192; q=dns/txt; s=iport; t=1549371139; x=1550580739; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=Uz7CER4gXm2epfl4DvMMczHQctilCrMG2Rzb8bl7j7E=; b=O7uxIEfJq0yh+zZwlTxHMGF8BrdnK0Qa/1dcKEFcAXJLVtIL+3d8ivAr gQTMV+JEZaZCJ1GQ+5EOE+PEpKqAZAOm8yirQ6QLuRXLw6eGULF7hOvSk 1bqlc+RlXPjDE6BFLb5sgffgLV094puuyOZu44825ZwoDD3XJ8vbiMY9m 0=;
IronPort-PHdr: 9a23:0HMRSxyQMVnCLpnXCy+N+z0EezQntrPoPwUc9psgjfdUf7+++4j5YhWN/u1j2VnOW4iTq+lJjebbqejBYSQB+t7A1RJKa5lQT1kAgMQSkRYnBZudFU3mJvPwcwQxHd9JUxlu+HToeUU=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAAAOhllc/4oNJK1lGQEBAQEBAQEBAQEBAQcBAQEBAQGBUQQBAQEBAQsBgQ0jJSsDZ3QECyeEA4NHA4RQiytKgg2YEBSBEANUCwEBIwmEQAIXgnsiNAkNAQMBAQIBAQJtHAyFSgEBAQQjChMBATcBDwIBCA4DBAEBIQoCAgIwHQgCBAENBQiDG4EdTAMVAQIMoDMCihRxgS+CeAEBBYEwAYNaDQuCCwMFiXl2KIEqF4FAP4ERRoJMgldHAQECAYEmJgISK4JcMYImkBeHBotjCQKHNIVDhV+BbIVDiAmDD4oqhTGMCwIEAgQFAg0BAQWBRjiBVnAVgyeCHINuhRSFP3IBgSeNUgEB
X-IronPort-AV: E=Sophos;i="5.56,564,1539648000"; d="scan'208,217";a="510986832"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Feb 2019 12:52:18 +0000
Received: from XCH-RCD-013.cisco.com (xch-rcd-013.cisco.com [173.37.102.23]) by alln-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id x15CqIAb024152 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 5 Feb 2019 12:52:18 GMT
Received: from xhs-aln-002.cisco.com (173.37.135.119) by XCH-RCD-013.cisco.com (173.37.102.23) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 5 Feb 2019 06:52:17 -0600
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 5 Feb 2019 06:52:16 -0600
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Tue, 5 Feb 2019 07:52:16 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector1-cisco-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Uz7CER4gXm2epfl4DvMMczHQctilCrMG2Rzb8bl7j7E=; b=lfVHjXUpzMTbga47OBjMvZA8MFpcEU/vm9XZ9agvzh36VHbrNeN2Ra2GrImtTduaT5rowv4EzyoxNiBQCYZ/he2a7GIn6i3Njk9gRglfzdD8er9bthWL3JnIG2S3bQ8V/lazbXR9DyO5x4SiMKNrkPou886N4uAiiw/iTSaRsz4=
Received: from SN6PR11MB3471.namprd11.prod.outlook.com (52.135.112.221) by SN6PR11MB3405.namprd11.prod.outlook.com (52.135.110.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1580.20; Tue, 5 Feb 2019 12:52:14 +0000
Received: from SN6PR11MB3471.namprd11.prod.outlook.com ([fe80::1c9f:935:667b:8957]) by SN6PR11MB3471.namprd11.prod.outlook.com ([fe80::1c9f:935:667b:8957%3]) with mapi id 15.20.1580.019; Tue, 5 Feb 2019 12:52:15 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Ines Robles <mariainesrobles@googlemail.com>, roll <roll@ietf.org>
CC: Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: Security Considerations for useofrplinfo draft
Thread-Index: AQHUuN4npKdToAw+/E6+cODB9wdI16XQ7IqQ
Date: Tue, 05 Feb 2019 12:52:05 +0000
Deferred-Delivery: Tue, 5 Feb 2019 12:51:25 +0000
Message-ID: <SN6PR11MB347140FE3032D19E7F202331D86E0@SN6PR11MB3471.namprd11.prod.outlook.com>
References: <CAP+sJUeGoYDwJ=RHs80Og6WszT3=OTk_Ohfy9BuzKwubZxW4TQ@mail.gmail.com>
In-Reply-To: <CAP+sJUeGoYDwJ=RHs80Og6WszT3=OTk_Ohfy9BuzKwubZxW4TQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pthubert@cisco.com;
x-originating-ip: [2001:420:44f3:1300:dd25:e359:77ae:dc51]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN6PR11MB3405; 6:SbhR1RbXVqBhDqHyk5VGfnwOUhs/rl39XnEnc9q6NeAcdlDpPTnVjpKr/SMJBlkDejToWFtpDoWM98C5mygi1jGcQAR/31mR6CYZbQmxaadUDbvbKxUvBWTA14LPcwb5tS23RTYBT2ire4/WMMAriRwWGOCBTMsvpLuD8BkLXgM22abUxXWXQQQ2Uk7urOWbKetXvnvhPZYwk4yiUCdosSig1d7tRS3oKIu95eyOShoUGbcYf85Y6MXI5wI6PfxMFZLIA3I0EL1LvEcEKvqjMRrg2g2Kb4OzZZ+89B2zXepfK5W/JxlY6HuHc2VkxzUgz4R/hiwDM+Ic46jG9JXdGs2QfZApVZTm5BGItWzOZtXfcH2iAern3cP7/GuXuNA9ZdNGHe8bgKdlFbub93z54Ex2V5fdYV3Hl+wVOdf2fpYg+oqZjaD5tmlyeGaHVmtKRTh/4JCgFXj4a83LWiploA==; 5:wZ0KONBGhQrJsMIYXHlreGg6+FsFYwvz0tVji3DhdoZjMOhdRyQxY0Io5wOIDzCRVGzvF1ciVp6t4Z9axSuWCeoSoAaYtE4EeKKFgrruoBiHERfr8XWhfwPYiXKhX6P5BAXZKHDGJ1eXbE75hIXlp8tj8XVBMVRAZddZDP3Kgdp+jQy9FjoZl+kl6g54+XFYM9d0+ynBhC+YcYGCsCYCQw==; 7:e3Iehfjf3ohoWrZfX7JC69E2HZBVO87e1woL/X9UWqWZ8ogpQlbclEjVWxh7ETB8rgroMaGYZD67iw9Ztwrwyt4HPsc85Kngw+dfZ6L8APuLW1TtbbE8VttJPqSsFEJ7bAkAzNoTgDj56CGqGQIrHQ==
x-ms-office365-filtering-correlation-id: 8dc67365-64bd-4b27-13a7-08d68b68c0fb
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(2017052603328)(7153060)(7193020); SRVR:SN6PR11MB3405;
x-ms-traffictypediagnostic: SN6PR11MB3405:
x-microsoft-antispam-prvs: <SN6PR11MB34058D2F0AFE224A243287FAD86E0@SN6PR11MB3405.namprd11.prod.outlook.com>
x-forefront-prvs: 0939529DE2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(396003)(346002)(136003)(376002)(366004)(189003)(199004)(186003)(66574012)(2420400007)(606006)(110136005)(229853002)(446003)(236005)(6306002)(46003)(316002)(55016002)(11346002)(476003)(25786009)(54896002)(9686003)(86362001)(6436002)(76176011)(7696005)(71190400001)(14454004)(71200400001)(478600001)(97736004)(7736002)(8676002)(14444005)(6246003)(486006)(15650500001)(7110500001)(966005)(53936002)(99286004)(790700001)(6116002)(8936002)(74316002)(106356001)(6506007)(81156014)(81166006)(105586002)(102836004)(68736007)(53546011)(4326008)(2906002)(6666004)(33656002)(10710500007)(256004); DIR:OUT; SFP:1101; SCL:1; SRVR:SN6PR11MB3405; H:SN6PR11MB3471.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ZrOnO6LFzYfuTittqMTQ6F4FW7hngNR3OS90qVwnSi3gvOAz70q+zrSj/O9JAr8Mir3Dh4D/AgjxgqMLlOMyIuDvzn3Te07GkluaMDEPDcElqlVnLICQBYTj4S6p9dwqiOQb3su6q4mlxehBr22/hLLgZspw6oPzFmkziOdrrdb7Hq0VRrFlXgzK6bB0XDXdl37+2KCSvu0wTWkkpBCP1PV5kX5IjEi7O3YjL+Vs7I95N0zgBHIGoppBQlVsC0xKbs3v1snN658oxFo36/ggarppkvUDTJ4GKl0sxW4nNH+p/rcx4a2klj/uXa4iz41FWuaQQzhYkhcqhUNCUkHqXuseXSMbJ3B5MJs3HZD5OaHfBN/HrzaKp7h8Ufpdkb+vpgjmJOmeU0UwXs/xVwJuqSqb6d4X4IpjhQRR6Jwj5DQ=
Content-Type: multipart/alternative; boundary="_000_SN6PR11MB347140FE3032D19E7F202331D86E0SN6PR11MB3471namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 8dc67365-64bd-4b27-13a7-08d68b68c0fb
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Feb 2019 12:52:14.8432 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR11MB3405
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.23, xch-rcd-013.cisco.com
X-Outbound-Node: alln-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/roll/M6TDtyFDnKNxEX2EVKNb7zgy0zU>
Subject: Re: [Roll] Security Considerations for useofrplinfo draft
X-BeenThere: roll@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Over Low power and Lossy networks <roll.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/roll>, <mailto:roll-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/roll/>
List-Post: <mailto:roll@ietf.org>
List-Help: <mailto:roll-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/roll>, <mailto:roll-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 12:52:24 -0000

Hello Ines

Please see below:

I used

  *   To make my comments


All the best,

Pascal

From: Ines Robles <mariainesrobles@googlemail.com>
Sent: mercredi 30 janvier 2019 21:55
To: roll <roll@ietf.org>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Pascal Thubert (pthubert) <pthubert@cisco.com>
Subject: Security Considerations for useofrplinfo draft

Dear all,

Please, we would like to have your opinion to address the following major comments/questions:

Ticket: 191 https://trac.ietf.org/trac/roll/ticket/191

"Nodes within the LLN can use the IPv6-in-IPv6 mechanism to mount an
   attack on another part of the LLN, while disguising the origin of the
   attack.  The mechanism can even be abused to make it appear that the
   attack is coming from outside the LLN, and unless countered, this
   could be used to mount a Distributed Denial Of Service attack upon nodes elsewhere in the Internet.  See [DDOS-KREBS] for an example of
   such attacks already seen in the real world."

   [major] Is there any possible mitigation to this inside-the-LLN attack?
   Would authentication help -- is it even possible?



  *   There is an L2 authentication in most any cases. But if a rogue manages to get in then many attacks are possible – there is no zero trust. This is just one. Another is sending DAOs on behalf of the device.
  *   What can be done to alleviate this particular attack is SAVI, using RFC 8505 + https://tools.ietf.org/html/draft-ietf-6lo-ap-nd. The rogue will not be able to source with an address that is not registered, and the registration checks for topological correctness.


Ticket 192: https://trac.ietf.org/trac/roll/ticket/192

   " Blocking or careful filtering of IPv6-in-IPv6 traffic entering the
   LLN as described above will make sure that any attack that is mounted
   must originate from compromised nodes within the LLN.  The use of
   BCP38 filtering at the RPL root on egress traffic will both alert the
   operator to the existence of the attack, as well as drop the attack
   traffic.  As the RPL network is typically numbered from a single
   prefix, which is itself assigned by RPL, BCP38 filtering involves a
   single prefix comparison and should be trivial to automatically
   configure."

   [major] BCP38 will stop an attack, but only if the source addresses are spoofed.  What if they're not?  Given that the attack may be hidden, and assuming that nodes are compromised across multiple LLNs, an attacker may not care enough to spoof the origins.


  *   Same answer as above for an attack originated inside the network. For an attack originated outside, IP in IP can be used to hide inner routing headers, but RH3 is protected by its definition. Otherwise, e.g., DoS, IP in IP seems of little value.

   Ticket 193: https://trac.ietf.org/trac/roll/ticket/193

   "The RH3 header usage described here can be abused in equivalent ways
   with an IPv6-in-IPv6 header to add the needed RH3 header.  As such,
   the attacker's RH3 header will not be seen by the network until it
   reaches the end host, which will decapsulate it.  An end-host SHOULD
   be suspicious about a RH3 header which has additional hops which have
   not yet been processed, and SHOULD ignore such a second RH3 header."

   [major] What does "SHOULD be suspicious" mean?  How is that a Normative behavior?  Would being suspicious include dropping the packet or some other similar action?  When would the router *not* be suspicious?  Why is that not a "MUST"?

   The presence of the second RH3 means that there is a configuration mistake somewhere else in the network.  It would be reasonable to increment a counter in a MIB (if we had a MIB) when this occurs.  Based upon the Postel doctrine, ignoring the extra header (not acting on it), is the best policy. An RH3 header was not completely consumed is discussed in RFC

   https://tools.ietf.org/html/rfc6554#section-4.2 says that an RH3 header with additional “non-zero Segments Left value, if the IPv6 Destination Address is not on-link” should be dropped.  In this case, the RH3 header is *inside* the outer IPv6-in-IPv6 header, which has then been forwarded.
   We think that this header should simply be ignored in processing the packet.  To do otherwise (such as forwarding) would permit external attackers to send traffic that appears to originate inside the LLN.


  *   The rule of RH3 only allows strict source route operation. This is true even if an IP in IP hides an inner RH3. This does not constitute a breach. Note that IP in IP in IP in IP could be a breach that reproduces the problem of a RH0. But then, that is general to all IPv6 and not specific to this document



   Thank you very much in advance,

The authors.

v2.23.0 | Report a Bug | By Email