Re: [Roll] Security Considerations for useofrplinfo draft
Ines Robles <mariainesrobles@googlemail.com> Sun, 10 February 2019 18:22 UTC
Return-Path: <mariainesrobles@googlemail.com>
X-Original-To: roll@ietfa.amsl.com
Delivered-To: roll@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADF5F1200ED for <roll@ietfa.amsl.com>; Sun, 10 Feb 2019 10:22:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=googlemail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LpGUa2mBtbCh for <roll@ietfa.amsl.com>; Sun, 10 Feb 2019 10:22:00 -0800 (PST)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E0F81200D7 for <roll@ietf.org>; Sun, 10 Feb 2019 10:22:00 -0800 (PST)
Received: by mail-ed1-x532.google.com with SMTP id b14so6919061edt.6 for <roll@ietf.org>; Sun, 10 Feb 2019 10:22:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pF3lAaff5UiFug3EeGRmM+z1/1/0XbqcgeM4Jy3///A=; b=G44nwq9hk5rGIpPD5pu/arDFxMTugUDCS/ZxbAtWkKnQYOyc+UDJCCyFRMrNgiA9hk 9YpNqaS+FmGqc8LsIFEpNMb212z8MGYDtfXB0gsUmbk7SSEeS/B+ke3Lbp5HvhhqRzJ/ 33lKnLXXJPyYkuCDDAIcRp44TTiu29p9oKmGhNAMYj8H+feS6PgdvXOj9Zmqsm1lRil9 LPs3HhbJ0KQUeMowAYBYHDf6jMdbGQ56YhBHVkamrNk2T7tpyAVga+DurOaBTi4nXqfy uUl8h6Pb+tkVPxwFH8Kl79a91UTQzTx+LJgTcGSkLJC1gwvJdz1AZH0BiKMZiWF5GRDM v/WQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pF3lAaff5UiFug3EeGRmM+z1/1/0XbqcgeM4Jy3///A=; b=OAkf/q10eIgDjbAUPEMScJEyYVg2b3O7iiTzqygZ7uJ3EWD4utL6fJvizSpWpYJa51 Yxxe0rUXhvFbHHBcFPcAq0ycoVWF8NLuhh6fEhB2/NEWHAgF0WS0V0pGgeydp1ykTXFk McYFz2FnMQjCDo8HAs+S4E+CWE7iPX1Q7UiFXKEn59x+SEMwqKiJwooz8zgTvKG8bBsY 7L3NlKYYhfiMYCnzG1fryIr8EkwZFjTMXAIwOaZwmor3FPlHNTGwKLOS4mLYqTUmkj5F szW3uXTufPfu08nEslvSkTX5QQikcnjgZBYDt6nG9aqdt5J604G05GJ6qc6qxK5sJeL4 9R+w==
X-Gm-Message-State: AHQUAua/ReZRQatwo0HgIHcxVPnXiyMtcqhDx3i5hsRiQ9aTqIMlRCBM Wdzze+dUi0ubInA8VwmK5byGRow91Xwk6fPRORQ=
X-Google-Smtp-Source: AHgI3IZNS4LW7oYUiOtTChxuj4zt+KMT1d8/bWm3A8HHQUaUXQOSfvodfDhShf3bPQosI0NYQ/iv8vkyoe+/T1h0FKc=
X-Received: by 2002:a17:906:4344:: with SMTP id z4mr23859191ejm.27.1549822918312; Sun, 10 Feb 2019 10:21:58 -0800 (PST)
MIME-Version: 1.0
References: <CAP+sJUeGoYDwJ=RHs80Og6WszT3=OTk_Ohfy9BuzKwubZxW4TQ@mail.gmail.com> <SN6PR11MB347140FE3032D19E7F202331D86E0@SN6PR11MB3471.namprd11.prod.outlook.com>
In-Reply-To: <SN6PR11MB347140FE3032D19E7F202331D86E0@SN6PR11MB3471.namprd11.prod.outlook.com>
From: Ines Robles <mariainesrobles@googlemail.com>
Date: Sun, 10 Feb 2019 20:21:46 +0200
Message-ID: <CAP+sJUeDXt+8=pmW8+cLAQn76KBjibnmsnuPnC_x9ds4oKuvYQ@mail.gmail.com>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
Cc: roll <roll@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/alternative; boundary="00000000000082caaa05818e44f0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/roll/U9tGpWUpEKlOULYY7iOq7LYHHBs>
Subject: Re: [Roll] Security Considerations for useofrplinfo draft
X-BeenThere: roll@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Over Low power and Lossy networks <roll.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/roll>, <mailto:roll-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/roll/>
List-Post: <mailto:roll@ietf.org>
List-Help: <mailto:roll-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/roll>, <mailto:roll-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Feb 2019 18:22:04 -0000
Thank you very much Pascal On Tue, Feb 5, 2019 at 2:52 PM Pascal Thubert (pthubert) <pthubert@cisco.com> wrote: > Hello Ines > > > > Please see below: > > > > I used > > - To make my comments > > > > All the best, > > > > Pascal > > > > *From:* Ines Robles <mariainesrobles@googlemail.com> > *Sent:* mercredi 30 janvier 2019 21:55 > *To:* roll <roll@ietf.org> > *Cc:* Michael Richardson <mcr+ietf@sandelman.ca>; Pascal Thubert > (pthubert) <pthubert@cisco.com> > *Subject:* Security Considerations for useofrplinfo draft > > > > Dear all, > > > > Please, we would like to have your opinion to address the following major > comments/questions: > > > > Ticket: 191 https://trac.ietf.org/trac/roll/ticket/191 > > > > "Nodes within the LLN can use the IPv6-in-IPv6 mechanism to mount an > > attack on another part of the LLN, while disguising the origin of the > > attack. The mechanism can even be abused to make it appear that the > > attack is coming from outside the LLN, and unless countered, this > > could be used to mount a Distributed Denial Of Service attack upon > nodes elsewhere in the Internet. See [DDOS-KREBS] for an example of > > such attacks already seen in the real world." > > > > [major] Is there any possible mitigation to this inside-the-LLN > attack? > > Would authentication help -- is it even possible? > > > > > > - There is an L2 authentication in most any cases. But if a rogue > manages to get in then many attacks are possible – there is no zero trust. > This is just one. Another is sending DAOs on behalf of the device. > - What can be done to alleviate this particular attack is SAVI, using > RFC 8505 + https://tools.ietf.org/html/draft-ietf-6lo-ap-nd. The rogue > will not be able to source with an address that is not registered, and the > registration checks for topological correctness. > > > > > > Ticket 192: https://trac.ietf.org/trac/roll/ticket/192 > > > > " Blocking or careful filtering of IPv6-in-IPv6 traffic entering the > > LLN as described above will make sure that any attack that is mounted > > must originate from compromised nodes within the LLN. The use of > > BCP38 filtering at the RPL root on egress traffic will both alert the > > operator to the existence of the attack, as well as drop the attack > > traffic. As the RPL network is typically numbered from a single > > prefix, which is itself assigned by RPL, BCP38 filtering involves a > > single prefix comparison and should be trivial to automatically > > configure." > > > > [major] BCP38 will stop an attack, but only if the source addresses are > spoofed. What if they're not? Given that the attack may be hidden, and > assuming that nodes are compromised across multiple LLNs, an attacker may > not care enough to spoof the origins. > > > > - Same answer as above for an attack originated inside the network. > For an attack originated outside, IP in IP can be used to hide inner > routing headers, but RH3 is protected by its definition. Otherwise, e.g., > DoS, IP in IP seems of little value. > > > > Ticket 193: https://trac.ietf.org/trac/roll/ticket/193 > > > > "The RH3 header usage described here can be abused in equivalent ways > > with an IPv6-in-IPv6 header to add the needed RH3 header. As such, > > the attacker's RH3 header will not be seen by the network until it > > reaches the end host, which will decapsulate it. An end-host SHOULD > > be suspicious about a RH3 header which has additional hops which have > > not yet been processed, and SHOULD ignore such a second RH3 header." > > > > [major] What does "SHOULD be suspicious" mean? How is that a Normative > behavior? Would being suspicious include dropping the packet or some other > similar action? When would the router *not* be suspicious? Why is that > not a "MUST"? > > > > The presence of the second RH3 means that there is a configuration > mistake somewhere else in the network. It would be reasonable to increment > a counter in a MIB (if we had a MIB) when this occurs. Based upon the > Postel doctrine, ignoring the extra header (not acting on it), is the best > policy. An RH3 header was not completely consumed is discussed in RFC > > > > https://tools.ietf.org/html/rfc6554#section-4.2 says that an RH3 > header with additional “non-zero Segments Left value, if the IPv6 > Destination Address is not on-link” should be dropped. In this case, the > RH3 header is *inside* the outer IPv6-in-IPv6 header, which has then been > forwarded. > > We think that this header should simply be ignored in processing the > packet. To do otherwise (such as forwarding) would permit external > attackers to send traffic that appears to originate inside the LLN. > > > > - The rule of RH3 only allows strict source route operation. This is > true even if an IP in IP hides an inner RH3. This does not constitute a > breach. Note that IP in IP in IP in IP could be a breach that reproduces > the problem of a RH0. But then, that is general to all IPv6 and not > specific to this document > > > > > > > > Thank you very much in advance, > > > > The authors. >
- [Roll] Security Considerations for useofrplinfo d… Ines Robles
- Re: [Roll] Security Considerations for useofrplin… Pascal Thubert (pthubert)
- Re: [Roll] Security Considerations for useofrplin… Ines Robles