Re: [secdir] secdir review of draft-ietf-behave-turn-ipv6-09
"Richard L. Barnes" <rbarnes@bbn.com> Fri, 25 June 2010 18:49 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F3B103A6897; Fri, 25 Jun 2010 11:49:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.533
X-Spam-Level:
X-Spam-Status: No, score=-0.533 tagged_above=-999 required=5 tests=[AWL=-0.534, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id coYONAXV-LL1; Fri, 25 Jun 2010 11:49:02 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id DF15A3A683D; Fri, 25 Jun 2010 11:49:01 -0700 (PDT)
Received: from ros-dhcp192-1-51-71.bbn.com ([192.1.51.71]:50812) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1OSDxd-000NrT-7O; Fri, 25 Jun 2010 14:49:10 -0400
Message-Id: <47C35048-FF47-4E92-821B-6EB21343B9B1@bbn.com>
From: "Richard L. Barnes" <rbarnes@bbn.com>
To: Simon Perreault <simon.perreault@viagenie.ca>
In-Reply-To: <4BBBD185.7090606@viagenie.ca>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 25 Jun 2010 14:49:07 -0400
References: <188D3671-05E9-40A2-9498-24BAE91B269E@bbn.com> <4BBBD185.7090606@viagenie.ca>
X-Mailer: Apple Mail (2.936)
Cc: draft-ietf-behave-turn-ipv6@tools.ietf.org, "behave@ietf.org" <behave@ietf.org>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-behave-turn-ipv6-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2010 18:49:07 -0000
Hi Simon,
Just following up, since this draft is up for telechat next week.
Still waiting to see a revision with the agreed comments.
>> Section 9,
>> Might some of the Teredo / 6to4 loop attacks apply as well? If
>> not, why
>> not?
>> -- Spoof 4-to-6 allocate request from relay's v4 address
>> -- Spoof authorization relay's v6 address
>> -- Spoof packet from either of relay's addresses
>
> Sure, these are ways of spoofing IPv6 packets that are enabled by
> Teredo
> and 6to4. There are many others. Is there a reference we can cite?
> Would
> citing the Usenix paper be OK?
I think it makes sense to describe the attack here, because it's not
the same as the Usenix attack. Here's how it works. Consider the
following setup:
+--------------------------------+
| |
| 2001:DB8::1 2001:DB8::2 |
+-----------------+ +------------+
| Tunnel Endpoint | | TURN Relay |
+-----------------+ +------------+
| 192.0.2.1 192.0.2.2 |
| |
+--------------------------------+
Suppose an attacker knows that a tunnel endpoint will forward
encapsulated packets from a given IPv6 address (this doesn't
necessarily need to be the tunnel endpoint's address). Suppose he
then spoofs two packets from this address:
1. An allocate request asking for a v4 address, and
2. A ChannelBind request establishing a channel to the IPv4 address of
the tunnel endpoint
Then he has set up an amplification attack:
-- The TURN relay will re-encapsulate IPv6 UDP data in v4 and send it
to the tunnel endpoint
-- The tunnel endpoint will decapsulate packets from the v4 interface
and send them to v6
So if the attacker sends a packet of the following form...
IPv6: src=2001:DB9::1 dst=2001:DB8::2
UDP: <ports>
TURN: <channel id>
IPv6: src=2001:DB9::1 dst=2001:DB8::2
UDP: <ports>
TURN: <channel id>
IPv6: src=2001:DB9::1 dst=2001:DB8::2
UDP: <ports>
TURN: <channel id>
...
Then the TURN relay and the tunnel endpoint will send it back and
forth until the last TURN header is consumed, at which point the TURN
relay will send an empty packet, which the tunnel endpoint will drop.
The amplification potential here is limited by the MTU, so it's not
huge: IPv6+UDP+TURN takes 334 bytes, so you could get a four-to-one
amplification out of a 1500-byte packet. But the attacker could still
increase traffic volume by sending multiple packets or by establishing
multiple channels spoofed from different addresses behind the same
tunnel endpoint.
This attack is kind of like the TURN loop attack in RFC 5766 (which
definitely still applies here!), but nicer for the attacker, since the
attacker never needs to see the response to a spoofed packet, since he
doesn't care about the relayed-transport address.
I think the moral here is that TURN relays shouldn't be involved in
tunnels -- no need for two v4/v6 compatibility measures at once. So I
would suggest the document say something like:
"
It is RECOMMENDED that TURN relays not accept allocation or channel
binding requests from addresses known to be tunneled, and that they
not forward data to such addresses. In particular, a TURN relay MUST
NOT accept Teredo or 6to4 addresses in these requests.
"
- [secdir] secdir review of draft-ietf-behave-turn-… Richard Barnes
- Re: [secdir] secdir review of draft-ietf-behave-t… Simon Perreault
- Re: [secdir] secdir review of draft-ietf-behave-t… Richard L. Barnes
- Re: [secdir] secdir review of draft-ietf-behave-t… Simon Perreault
- [secdir] secdir review of draft-ietf-isis-ieee-aq… Richard L. Barnes