Re: [secdir] Routing loop attacks using IPv6 tunnels

"Templin, Fred L" <Fred.L.Templin@boeing.com> Fri, 04 September 2009 18:56 UTC

Date: Fri, 04 Sep 2009 11:54:39 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Rémi Després <remi.despres@free.fr>
Cc: Gabi Nakibly <gnakibly@yahoo.com>, v6ops <v6ops@ops.ietf.org>, 6man 6man <ipv6@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels

Hi Remi,

I couldn't parse most of your message; there is no such
thing as a /96 prefix.

Fred
fred.l.templin@boeing.com

> -----Original Message-----
> From: Rémi Després [mailto:remi.despres@free.fr]
> Sent: Friday, September 04, 2009 10:05 AM
> To: Templin, Fred L
> Cc: Gabi Nakibly; v6ops; 6man 6man; secdir@ietf.org
> Subject: Re: Routing loop attacks using IPv6 tunnels
> 
> Comment below
> 
> On 3 Sept. 09 at 17:59, Templin, Fred L wrote:
> 
> > Gabi,
> >
> >> -----Original Message-----
> >> From: Gabi Nakibly [mailto:gnakibly@yahoo.com]
> >> Sent: Thursday, September 03, 2009 8:00 AM
> >> To: Templin, Fred L; v6ops
> >> Cc: ipv6@ietf.org; secdir@ietf.org
> >> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>
> >> Hi Fred,
> >> see inline.
> >>
> >> Gabi
> >>
> >> ----- Original Message ----
> >>> From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
> >>> To: Gabi Nakibly <gnakibly@yahoo.com>; v6ops <v6ops@ops.ietf.org>
> >>> Cc: ipv6@ietf.org; secdir@ietf.org
> >>> Sent: Tuesday, September 1, 2009 6:49:56 PM
> >>> Subject: RE: Routing loop attacks using IPv6 tunnels
> >>>
> >>> Gabi,
> >>>
> >>>> -----Original Message-----
> >>>> From: Gabi Nakibly [mailto:gnakibly@yahoo.com]
> >>>> Sent: Monday, August 31, 2009 12:41 PM
> >>>> To: Templin, Fred L; v6ops
> >>>> Cc: ipv6@ietf.org; secdir@ietf.org
> >>>> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>>>
> >>>> Fred,
> >>>>
> >>>> I agree that the source address check discussed below should be
> >>>> made. I would also add a fourth check to mitigate attack #3 as a
> >>>> second layer of defense in case the opposite ISATAP router does not
> >>>> make the proper check on the destination address.
> >>>>
> >>>> isatap_xmt() {
> >>>>      ...
> >>>>      if (src == "<foreign prefix>::0200:5efe:<my IP address>")
> >>>>        drop_pkt(); /* attack #3 mitigation */
> >>>>      ...
> >>>>  }
> >>>
> >>> Having thought about it a bit, I agree but for ISATAP I see
> >>> the source address check as a MAY and the destination address
> >>> check as a SHOULD.
> 
> 
> The two following scenarios show in my understanding that ISATAP
> routers SHOULD check Source addresses of packets they receive in IPv6:
> 
> SCENARIO 1: between two ISATAP routers A and B
> 
>    ISATAP router A receives in IPv6:
>    Dst6 = </96 prefix of ISATAP router A> . <IPv4 address of ISATAP router B>
>    Src6 = </96 prefix of ISATAP router B> . <IPv4 address of ISATAP router A>
> 
>    If ISATAP router A doesn't discard the packet because of its
>    source address, it will encapsulate it with:
>    Dst4 = <IPv4 address of ISATAP router B>
>    Src4 = <IPv4 address of ISATAP router A>
> 
>    Then, ISATAP router B finds that Src6 and Src4 are consistent, and
>    forwards the IPv6 packet to ISATAP router A.
>    The routing loop is in place.
> 
> SCENARIO 2: between an ISATAP router and a 6to4 relay router
> 
>    The ISATAP router receives in IPv6:
> 
>    Dst6 = </96 prefix of the ISATAP router> . <IPv4 address of the 6to4 relay>
>    Src6 = 2002::/16 . <IPv4 address of the ISATAP router>
> 
>    If it doesn't discard the packet because of its source address, it
>    will encapsulate it with:
>    Dst4 = <IPv4 address of the 6to4 relay>
>    Src4 = <IPv4 address of the ISATAP router>
> 
>    Then, the 6to4 relay finds that Src6 and Src4 are consistent, and
>    forwards the IPv6 packet to the ISATAP router.
>    The routing loop is in place.
> 
> Anything missing?
> 
> Regards,
> RD
>
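
The source address check discussed in the quoted messages, written out as an added C example that is not code from any participant in this thread. It covers the `<foreign prefix>::0200:5efe:<my IP address>` test from the `isatap_xmt()` sketch and the 6to4 source form from scenario 2. The function names, the 64-bit prefix layout with a `0000:5efe`/`0200:5efe` interface identifier (RFC 5214), and the sample addresses are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: helper names are hypothetical; addresses are raw bytes. */

/* Low 64 bits are 0000:5efe or 0200:5efe followed by the IPv4 address v4. */
static bool isatap_iid_embeds(const uint8_t a6[16], const uint8_t v4[4])
{
    return (a6[8] & 0xfd) == 0 && a6[9] == 0 &&
           a6[10] == 0x5e && a6[11] == 0xfe && memcmp(a6 + 12, v4, 4) == 0;
}

/* Address is 2002:<v4>::/48, i.e. a 6to4 address derived from v4. */
static bool sixto4_embeds(const uint8_t a6[16], const uint8_t v4[4])
{
    return a6[0] == 0x20 && a6[1] == 0x02 && memcmp(a6 + 2, v4, 4) == 0;
}

/* Egress check run before IPv6-in-IPv4 encapsulation; true means drop. */
bool isatap_xmt_should_drop(const uint8_t src6[16],
                            const uint8_t my_prefix[8], const uint8_t my_v4[4])
{
    /* Scenario 1: <foreign prefix>::0200:5efe:<my IPv4 address> */
    if (isatap_iid_embeds(src6, my_v4) && memcmp(src6, my_prefix, 8) != 0)
        return true;
    /* Scenario 2: 6to4 source built from my IPv4 address (assumes this
     * router is not itself a 6to4 router for that address). */
    return sixto4_embeds(src6, my_v4);
}

int main(void)
{
    /* Constructed sample values from documentation address ranges. */
    const uint8_t my_v4[4] = {192, 0, 2, 1};
    const uint8_t my_prefix[8] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0x0a};
    const uint8_t looped[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0x0b,
                                0x02, 0x00, 0x5e, 0xfe, 192, 0, 2, 1};
    const uint8_t via6to4[16] = {0x20, 0x02, 192, 0, 2, 1};
    printf("scenario 1: %s\n",
           isatap_xmt_should_drop(looped, my_prefix, my_v4) ? "drop" : "pass");
    printf("scenario 2: %s\n",
           isatap_xmt_should_drop(via6to4, my_prefix, my_v4) ? "drop" : "pass");
    return 0;
}
```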