Re: [savi] Potential issue for all SAVI mechanisms?
Jean-Michel Combes <jeanmichel.combes@gmail.com> Fri, 09 September 2011 15:03 UTC
Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6106021F8B9F for <savi@ietfa.amsl.com>; Fri, 9 Sep 2011 08:03:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.01
X-Spam-Level:
X-Spam-Status: No, score=-103.01 tagged_above=-999 required=5 tests=[AWL=-0.011, BAYES_00=-2.599, J_CHICKENPOX_29=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IIFzJOdPyVfb for <savi@ietfa.amsl.com>; Fri, 9 Sep 2011 08:03:38 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id BB49121F8BAE for <savi@ietf.org>; Fri, 9 Sep 2011 08:03:37 -0700 (PDT)
Received: by gyd12 with SMTP id 12so1860621gyd.31 for <savi@ietf.org>; Fri, 09 Sep 2011 08:05:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=aLF/cwLUmDPhlV1pxYolkJUhJAl/gFYFj5iSnPAY5Jg=; b=qFWZeCCb8O2A3T86pEPbrd5jWzdG9a3rKTgcg3RAgdQfBOO7wP6ARzSjx/ognjCO3a fdQRckr/RmWwbfTYVLobmfh2EJxqc0on9WfdWdr85NR7E6AYXJ1jnNHZcMOh2CpWgez4 ySHMHoYcCUAC/rxowfJV5W7dTAXmyFNNXFfQQ=
MIME-Version: 1.0
Received: by 10.236.72.169 with SMTP id t29mr12646064yhd.110.1315580730545; Fri, 09 Sep 2011 08:05:30 -0700 (PDT)
Received: by 10.146.82.14 with HTTP; Fri, 9 Sep 2011 08:05:30 -0700 (PDT)
In-Reply-To: <4E665A4F.9080608@joelhalpern.com>
References: <4E01F2FF.7030108@acm.org> <BANLkTikn45azMHnnduE3BG2o2ttB2Q7syg@mail.gmail.com> <4E0A11D8.5010300@joelhalpern.com> <BANLkTik0fM4xF_iYbZBv6uQ5LwnTS+foyg@mail.gmail.com> <CAA7e52oei4d9A2BcBnpGikreQ575Z1na7U+7oWCwsEvcosQPyg@mail.gmail.com> <000001cc6c8a$a4857c80$ed907580$@it.uc3m.es> <4E662CAF.1010905@joelhalpern.com> <003c01cc6cb7$238670d0$6a935270$@it.uc3m.es> <4E665A4F.9080608@joelhalpern.com>
Date: Fri, 09 Sep 2011 17:05:30 +0200
Message-ID: <CAA7e52o335jshL=aS3pbMfjkE7V8aydcPbKxNFJ-ohMep4-H6A@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: SAVI Mailing List <savi@ietf.org>, Alberto García <alberto@it.uc3m.es>
Subject: Re: [savi] Potential issue for all SAVI mechanisms?
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2011 15:03:39 -0000
Hi Joel, 2011/9/6 Joel M. Halpern <jmh@joelhalpern.com>: [snip] > > It seems to me much better to note this vulnerability in SAVI, and leave it > there. Just a clarification: from your point of view, we have just to mention the issue without adding a potential solution (e.g., http://www.ietf.org/mail-archive/web/savi/current/msg01675.html) to mitigate it, correct? Thanks. Yours, JMC. > If we want it fixed, 6man should simply instruct hosts not to accept RAs or > DHCPs in fragmented packets. > > Yours, > Joel > > On 9/6/2011 1:05 PM, Alberto García wrote: >> >> Hi Joel, >> >> | -----Mensaje original----- >> | De: Joel M. Halpern [mailto:jmh@joelhalpern.com] >> | Enviado el: martes, 06 de septiembre de 2011 16:23 >> | Para: Alberto García; SAVI Mailing List >> | Asunto: Re: [savi] Potential issue for all SAVI mechanisms? >> | >> | There seems to be an assumption in the fragment processing text that >> the >> | next header that points to the ICMP will be in the first packet. >> >> I think the assumption is that the first header after the Fragmentation >> header is ICMP. >> Every fragment has its fragmentation header, and as I have understood from >> RFC 2460, on each of these fragments, the Next header of the Fragmentation >> header will very likely contain the value of the first header after the >> fragmentation one, i.e. ICMP. That is, it is not relevant if the fragments >> are received in order or not, because all will probably have the ICMP >> 'next >> header' value, being this an indication that they have to be reassembled. >> So >> being the first packet does not seem to be relevant. >> Although I think it is very unlikely to expect so, it may be a problem if >> the fragments arrive disordered to the SAVI device and the ICMP header is >> not the first, because the first received fragment (but not the first >> fragment in the fragmentation sequence) would not be identified as >> containing ICMP information. So it is not enough to have the header in the >> first packet, but to have the ICMP header immediately after the >> Fragmentation header. >> Does this make sense? >> >> Do you think that we should process also packets containing ICMP messages >> which are not immediately after the Fragmentation header? >> If so, I think that every fragmented packet should be reassembled, and >> then >> checked, which would be overkill for the SAVI device. >> >> | >> | The reason there is a security threat is that an attacker can carefully >> | compose a packet such that the ICMP header is not in the first packet, >> and >> | even the next-hezader type pointing to the ICMP is not in the first >> | fragment. >> >> If I understand properly, the problem you are stating is that the SAVI >> devices could forward the packet as 'data', with a source address that is >> valid for the sender at the port at which it is validated, but the message >> can convey 'false' ND information (I assume that for a different [source] >> address of that used to send the packet) which may influence in the ND >> caches of the destination nodes, isn’t it? >> >> If this is the case, I still don't figure out which is the security >> problem, >> at least for SEND and ND. First, it seems that it does not affect to the >> Source Address Validation function, which is the main reason for SAVI, >> since >> the packet sent is valid from this point of view (the sender should have >> been able to prove its address ownership before sending this data). SAVI >> is >> now not intended to validate other information, such as the validity of >> the >> contents of ND information. Besides, for SEND deployments, the destination >> is going to check that the message received has been signed with the key >> associated to the address for which the message declares something, >> according to the SEND specification. >> However, I have the feeling that there is something I have not understood, >> sorry. >> >> | >> | That needs to be identified. That is what needs to be identified in >> the >> | security considerations section. >> | >> | As a separate matter, given the complexity of SEND it may be reasonable >> | for SAVI SEND to require parsing all the headers in the first fragment, >> where >> | other SAVI cases probably can not do so. That is up to the WG. >> >> The problem with this is that the first fragment may not arrive in the >> first >> place (as I said before), and other fragments arriving before may not be >> available for reassembling. >> >> Regards, >> Alberto >> >> | >> | Yours, >> | Joel >> | >> | On 9/6/2011 7:46 AM, Alberto García wrote: >> |> Hi, >> |> Caching up - still within the deadline :-) >> |> >> |> | -----Mensaje original----- >> |> | De: savi-bounces@ietf.org [mailto:savi-bounces@ietf.org] En nombre >> |> | de Jean-Michel Combes Enviado el: jueves, 18 de agosto de 2011 >> |> | 19:51 >> |> | Para: SAVI Mailing List >> |> | Asunto: Re: [savi] Potential issue for all SAVI mechanisms? >> |> | >> |> | Hi, >> |> | >> |> | I would like to come back on this point and find a consensus. >> |> | Here is the text I propose to be added in the Security >> |> | Considerations >> |> >> |> I agree that the issue must be considered, although I think that the >> |> corresponding text should not appear in the Security Considerations, >> |> but in the specification of the mechanism. In my opinion, it is not a >> |> security side effect of the deployment of a SAVI mechanism, but part >> |> of the functional specification to address the fragmentation case (and >> |> the case in which there are other headers before). In addition, I >> |> don't like very much to have 'behaviors' being specified in many >> |> different sections. The security considerations should just consider >> |> the case in which this fragmentation processing is used by a malicious >> | user to perform a DoS attack. >> |> >> |> I have made the exercise of try to adapt this to SEND SAVI, and I >> |> ended up with the text I include below (based on Jean-Michel initial >> |> text). The main differences with Jean-Michel's text are >> |> - the approach is to address the general case in which IPv6 extension >> |> headers appear: I think we need to state what should it be done in >> |> this case (for which fragmentation is a particular case). My opinion >> |> is that SAVI devices should jump over the possible headers looking for >> |> ND information (SEND is heavy in terms of processing, so just adding >> |> this processing does not seem to be awkward - may other scenarios >> |> should be dealt with differently). However, for the fragmentation >> |> particular case, I adhere to the idea of only processing if the next >> |> header to the fragmentation header is ICMPv6 (because I think the cost >> |> of reassembling is heavier than just inspecting many headers of a >> packet). >> |> - I have tried to clarify which does 'process the packets' (for the >> |> fragmented packet) mean in this context (whether the fragments should >> |> be forwarded or not, how/when...) >> |> - security considerations deals with DoS attacks exploiting this >> |> behavior >> |> >> |> What do you think? >> |> >> |> ---- >> |> <TEXT: tailored for SEND, can be easily adapted to ND, possibly to >> |> DHCP> >> |> "4.4 Processing messages containing IPv6 extension headers It may >> |> occur that SEND messages relevant for SEND SAVI operation contain >> |> IPv6 extension headers located before the SEND information. To ensure >> |> that these messages are processed, the SEND SAVI device SHOULD inspect >> |> any packet containing IPv6 extension headers until it could determine >> |> whether it includes relevant SEND information for SEND SAVI operation >> or >> | not. >> |> >> |> A particular case of this inspection occurs if the SEND message is >> |> fragmented. In order to process fragmented SEND messages, the SEND >> |> SAVI device SHOULD proceed as follows: >> |> When a SEND SAVI device receives a fragmented packet, it SHOULD >> |> inspect the Next Header value inside the Fragment header to check if >> |> it is an ICMPv6 message. If the Fragment header does not point to an >> |> ICMPv6 message, then the packet MUST be treated as a data packet by >> | the SEND SAVI device. >> |> Fragment packets pointing to ICMPv6 messages SHOULD be reassembled >> | by >> |> the SEND SAVI device according to [RFC2460]. The fragments MUST NOT >> | be >> |> forwarded until the packet is reassembled and processed according to >> |> the SEND SAVI specification (the SEND SAVI specification will >> |> ultimately determine if the message should be forwarded or not, and to >> |> which ports). When the SEND SAVI specification indicates that the >> |> message should be forwarded, the SEND SAVI device MAY forward the >> |> fragments as received originally, or it MAY forward the message >> |> fragmented in a different way, or it MAY forward the reassembled >> | message in a single packet. >> |> >> |> Note that fragmented packets in which the fragment header does not >> |> point to an ICMPv6 message are processed as data packets by the SEND >> |> SAVI device, i.e. they are forwarded if the state associated to the >> |> source address is VALID, TENTATIVE_DAD, TESTING_VP and TESTING_VP', >> | and discarded otherwise. >> |> These packets are not further processed by the SEND SAVI device to >> |> update the SAVI state; this would be the case, for example, for a >> |> fragmented packet containing a Destination option and then a ND >> |> message. The reason for not reassembling such packets is to avoid >> |> incurring in the cost for reassembling packets that are unlikely to >> contain >> | SEND messages." >> |> ---- >> |> [Next paragraph to be added to Security considerations, in the '5.2. >> |> Protection Against Denial of Service Attacks' subsection] The >> |> inclusion of extension headers in any packet, or the fragmentation of >> |> packets containing SEND messages, can be used to stress the SAVI >> |> device by requiring large amount of resources to inspect packets and >> |> reassemble the fragments. A SEND SAVI device MUST limit the amount of >> |> resources used to store and process these packets, for example by >> |> rate-limiting the processing of packets containing extension headers >> |> (or fragmented packets pointing to >> |> ICMPv6 message), in a per-port basis. >> |> <END OF TEXT> >> |> >> |> Regards, >> |> Alberto >> |> >> |> >> |> | section of any SAVI solution document (i.e., FCFS, DHCP, SEND and >> |> | MIX >> |> | documents) as residential threats: >> |> | >> |> |<TEXT: only keep ND for FCFS/SEND SAVI and only keep UDP(DHCP) for >> |> |DHCP >> |> | SAVI> o SAVI limitations In some cases, the SAVI device could not >> |> |be able >> |> to >> |> | process IP packets and so to update correctly the Binding Table. >> |> | For example, this could be the case for encrypted packets (i.e., >> |> | with >> |> IPsec/ESP) >> |> | or fragmented packets. To mitigate this last case, the SAVI device >> |> | SHOULD proceed as >> |> | follows: >> |> | - If the Next Header value inside the Fragment header is >> |> | ND/UDP(DHCP), >> |> the >> |> | packet is processed by the SAVI device, >> |> | - If the Next Header value inside the Fragment header is not >> |> | ND/UDP(DHCP) but there is a binding, the packet is processed by the >> |> |SAVI >> |> | device, >> |> | - Else the packet is dropped and the incident is logged. >> |> |</TEXT> >> |> | >> |> | Comments/alternative text (deadline: 8-september-2011) are welcome! >> |> | >> |> | Thanks in advance. >> |> | >> |> | Best regards. >> |> | >> |> | JMC. >> |> | >> |> | 2011/6/28 Jean-Michel Combes<jeanmichel.combes@gmail.com>: >> |> |> Hi Joel, >> |> |> >> |> |> 2011/6/28 Joel M. Halpern<jmh@joelhalpern.com>: >> |> |>> I don't think this works. >> |> |>> The question is not how often ND packets have that structure, >> but >> |> |>> whether >> |> |>> 1) Hosts will accept ND packets with that structure and >> |> |>> 2) Other protocols will use that structure. >> |> |>> >> |> |>> If both of those are true, which they currently are, then a SAVI >> |> |>> device can not detect an ND packet which is fragmented and hiding >> |> |>> behind destination options. >> |> |>> But, contrary to your resolution below, since other protocols >> use >> |> |>> that construct, SAVI devices can not simply drop all packets that >> |> |>> are fragmented and where the only visible next header is >> |> |>> destination options (or AH, or ESP.) they would be dropping >> |> |>> legitimate data >> |> packets. >> |> |> >> |> |> Yep, I missed this ... So, a new proposal: >> |> |> - if the Next Header value inside the Fragment header is >> |> |> ND/UDP(DHCP), the packet is processed by the SAVI device >> |> |> - if the Next Header value inside the Fragment header is not >> |> |> ND/UDP(DHCP) and there is a binding, the packet is processed by >> |> |> the SAVI device >> |> |> - else the packet is dropped and the incident is logged >> |> |> >> |> |>> >> |> |>> It does not matter whether any legitimate sender of ND messages >> |> |>> would ever use that construct. >> |> |>> >> |> |>> As far as I can tell, the only path to sanity here is for the >> |> |>> hosts not to accept such packets. >> |> |>> And that is a matter for 6man, not for SAVI. We should simply >> |> |>> document this as a residual threat. >> |> |> >> |> |> IMHO, this is a matter for SAVI too, because, if the SAVI device >> |> |> is not able to process fragmented ND/DHCP packets from a node to >> |> |> correctly update the Binding Table, by default, any packet from >> |> |> this node will be dropped by the SAVI device even if hosts accept >> |> |> such packets. >> |> |> >> |> |> Cheers. >> |> |> >> |> |> JMC. >> |> |> >> |> |>> >> |> |>> Yours, >> |> |>> Joel >> |> |>> >> |> |>> >> |> |>> On 6/28/2011 1:26 PM, Jean-Michel Combes wrote: >> |> |>>> Based on RFC 2460: >> |> |>>> (1) the Next Header value inside the Fragment header identifies >> |> |>>> the first header of the Fragmentable Part of the original >> packet >> |> |>>> (2) The Unfragmentable Part consists of the IPv6 header plus >> any >> |> |>>> extension headers that must be processed by nodes en route to >> the >> |> |>>> destination, that is, all headers up to and including the >> Routing >> |> |>>> header if present, else the Hop-by-Hop Options header if >> present, >> |> |>>> else no extension headers. >> |> |>>> (3) Extension header order is: IPv6 header, Hop-by-Hop Options >> |> |>>> header, Destination Options header, Routing header, Fragment >> |> |>>> header, Authentication header, Encapsulating Security Payload >> |> |>>> header, Destination Options header, upper-layer header >> |> |>>> >> |> |>>> So, as far as I can see, there are only 3 scenarios where the >> |> |>>> Next Header value inside the Fragment header is not >> ND(including >> |> |>>> SEND, as this is just ND options)/DHCP: >> |> |>>> (a) AH >> |> |>>> (b) ESP >> |> |>>> (c) Destination Option >> |> |>>> >> |> |>>> IMHO, ND/DHCP messages with such extension headers are not >> |> | common ... >> |> |>>> >> |> |>>> >> |> |>>>> > >> |> |>>>> > Then the SAVI devices can assume and require that the >> known >> | ULP >> |> |>>>> > is >> |> |>>>> > contained in the first fragment, thus they can determine >> | whether >> |> |>>>> > a >> |> |>>>> > packet is ND/DHCP/SEND, and reject any such packets that >> | include >> |> |>>>> > a >> |> |>>>> > fragment header. >> |> |>>> Indeed, we could assume for each SAVI mechanism that: >> |> |>>> - if the Next Header value inside the Fragment header is >> |> |>>> ND/UDP(DHCP), the packet is processed >> |> |>>> - else the packet is dropped and the incident is logged >> |> |>>> >> |> |>>> As SAVI has a site/link scope, with the logs, IMHO, it should >> be >> |> |>>> easier for the SAVI admin to understand/solve the issue. >> |> |>>> >> |> |>>> Best regards. >> |> |>>> >> |> |>>> JMC. >> |> |>>> >> |> |>>> >> |> |>>> >> |> |>> >> |> |> >> |> | _______________________________________________ >> |> | savi mailing list >> |> | savi@ietf.org >> |> | https://www.ietf.org/mailman/listinfo/savi >> |> >> |> _______________________________________________ >> |> savi mailing list >> |> savi@ietf.org >> |> https://www.ietf.org/mailman/listinfo/savi >> |> >> >> > _______________________________________________ > savi mailing list > savi@ietf.org > https://www.ietf.org/mailman/listinfo/savi >
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- [savi] Potential issue for all SAVI mechanisms? Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… marcelo bagnulo braun
- Re: [savi] Potential issue for all SAVI mechanism… marcelo bagnulo braun
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Mikael Abrahamsson
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Eric Levy-Abegnoli
- Re: [savi] Potential issue for all SAVI mechanism… Erik Nordmark
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Guang Yao
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Fred Baker
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Joel M. Halpern
- Re: [savi] Potential issue for all SAVI mechanism… Fred Baker
- Re: [savi] Potential issue for all SAVI mechanism… Jean-Michel Combes
- Re: [savi] Potential issue for all SAVI mechanism… Jun Bi
- Re: [savi] Potential issue for all SAVI mechanism… Alberto García