Re: [secdir] Routing loop attacks using IPv6 tunnels
"Templin, Fred L" <Fred.L.Templin@boeing.com> Fri, 04 September 2009 18:56 UTC
Date: Fri, 04 Sep 2009 11:54:39 -0700
From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
To: Rémi Després <remi.despres@free.fr>
Cc: Gabi Nakibly <gnakibly@yahoo.com>, v6ops <v6ops@ops.ietf.org>, 6man 6man <ipv6@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] Routing loop attacks using IPv6 tunnels
Hi Remi,

I couldn't parse most of your message; there is no such thing
as a /96 prefix.

Fred
fred.l.templin@boeing.com

> -----Original Message-----
> From: Rémi Després [mailto:remi.despres@free.fr]
> Sent: Friday, September 04, 2009 10:05 AM
> To: Templin, Fred L
> Cc: Gabi Nakibly; v6ops; 6man 6man; secdir@ietf.org
> Subject: Re: Routing loop attacks using IPv6 tunnels
>
> Comment below
>
> Le 3 sept. 09 à 17:59, Templin, Fred L a écrit :
>
> > Gabi,
> >
> >> -----Original Message-----
> >> From: Gabi Nakibly [mailto:gnakibly@yahoo.com]
> >> Sent: Thursday, September 03, 2009 8:00 AM
> >> To: Templin, Fred L; v6ops
> >> Cc: ipv6@ietf.org; secdir@ietf.org
> >> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>
> >> Hi Fred,
> >> see inline.
> >>
> >> Gabi
> >>
> >> ----- Original Message ----
> >>> From: "Templin, Fred L" <Fred.L.Templin@boeing.com>
> >>> To: Gabi Nakibly <gnakibly@yahoo.com>; v6ops <v6ops@ops.ietf.org>
> >>> Cc: ipv6@ietf.org; secdir@ietf.org
> >>> Sent: Tuesday, September 1, 2009 6:49:56 PM
> >>> Subject: RE: Routing loop attacks using IPv6 tunnels
> >>>
> >>> Gabi,
> >>>
> >>>> -----Original Message-----
> >>>> From: Gabi Nakibly [mailto:gnakibly@yahoo.com]
> >>>> Sent: Monday, August 31, 2009 12:41 PM
> >>>> To: Templin, Fred L; v6ops
> >>>> Cc: ipv6@ietf.org; secdir@ietf.org
> >>>> Subject: Re: Routing loop attacks using IPv6 tunnels
> >>>>
> >>>> Fred,
> >>>>
> >>>> I agree that the source address check discussed below should be
> >>>> made. I would also add a fourth check to mitigate attack #3 as a
> >>>> second layer of defense in case the opposite ISATAP router does not
> >>>> make the proper check on the destination address.
> >>>>
> >>>> isatap_xmt() {
> >>>>   ...
> >>>>   if (src == "<foreign prefix>::0200:5efe:<my IP address>")
> >>>>     drop_pkt(); /* attack #3 mitigation */
> >>>>   ...
> >>>> }
> >>>
> >>> Having thought about it a bit, I agree but for ISATAP I see
> >>> the source address check as a MAY and the destination address
> >>> check as a SHOULD.
>
> The two following scenarios show in my understanding that ISATAP
> routers SHOULD check Source addresses of packets they receive in IPv6:
>
> SCENARIO 1: between two ISATAP routers A and B
>
> ISATAP router A receives in IPv6:
>   Dst6 = </96 prefix of ISATAP router A> . <IPv4 address of ISATAP router B>
>   Src6 = </96 prefix of ISATAP router B> . <IPv4 address of ISATAP router A>
>
> If ISATAP router A doesn't discard the packet because of its
> source address, it will encapsulate it with:
>   Dst4 = <IPv4 address of ISATAP router B>
>   Src4 = <IPv4 address of ISATAP router A>
>
> Then, ISATAP router B finds that Src6 and Src4 are consistent, and
> forwards the IPv6 packet to ISATAP router A.
> The routing loop is in place.
>
> SCENARIO 2: between an ISATAP router and a 6to4 relay router
>
> The ISATAP router receives in IPv6:
>   Dst6 = </96 prefix of the ISATAP router> . <IPv4 address of the 6to4 relay>
>   Src6 = 2002::/16 . <IPv4 address of the ISATAP router>
>
> If it doesn't discard the packet because of its source address, it
> will encapsulate it with:
>   Dst4 = <IPv4 address of the 6to4 relay>
>   Src4 = <IPv4 address of the ISATAP router>
>
> Then, the 6to4 relay finds that Src6 and Src4 are consistent, and
> forwards the IPv6 packet to the ISATAP router.
> The routing loop is in place.
>
> Anything missing?
>
> Regards,
> RD
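Added example, not code from the thread or from any ISATAP implementation: a Python model of the encapsulation path with the ingress source-address check that Gabi's isatap_xmt() sketch and Rémi's two scenarios call for, alongside the Src6/Src4 consistency check that the decapsulating side already performs and that both scenarios pass. Class and function names, prefixes and addresses are constructed for the illustration.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")

def embedded_ipv4(addr6):
    """IPv4 address embedded in a 6to4 or ISATAP address, else None."""
    a = ipaddress.IPv6Address(addr6)
    n = int(a)
    if a in SIXTOFOUR:                       # 2002:a.b.c.d::/48
        return ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    iid = n & ((1 << 64) - 1)                # ...:0[2]00:5efe:a.b.c.d
    if (iid >> 32) & ~0x02000000 == 0x00005EFE:
        return ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None

class TunnelRouter:
    """ISATAP router; with prefix 2002::/16 it also models a 6to4 relay."""
    def __init__(self, ipv4, prefix, check_source):
        self.ipv4 = ipaddress.IPv4Address(ipv4)
        self.prefix = ipaddress.IPv6Network(prefix)
        self.check_source = check_source

    def xmt(self, src6, dst6):
        """Encapsulate toward the IPv4 address embedded in dst6.
        Returns (src4, dst4), or None when the packet is dropped."""
        dst4 = embedded_ipv4(dst6)
        if dst4 is None:
            return None
        foreign = ipaddress.IPv6Address(src6) not in self.prefix
        # The source check under discussion: a foreign-prefix source that
        # embeds our own IPv4 address can only come back through us.
        if self.check_source and foreign and embedded_ipv4(src6) == self.ipv4:
            return None
        return (self.ipv4, dst4)

    def rcv(self, src4, dst4, src6):
        """Decapsulation check: Src4 must match the IPv4 embedded in Src6.
        Both of Remi's scenarios pass this, which is why it is not enough."""
        return dst4 == self.ipv4 and embedded_ipv4(src6) == src4

def encapsulations_before_drop(router, peer, src6, dst6, max_hops=8):
    """router encapsulates, peer decapsulates and routes the inner packet
    back to router by its dst6; count encapsulations until someone drops."""
    hops = 0
    while hops < max_hops:
        encap = router.xmt(src6, dst6)
        if encap is None or not peer.rcv(encap[0], encap[1], src6):
            break
        hops += 1
    return hops
```

With check_source=False both scenarios run to max_hops; with it enabled the packet is dropped before the first encapsulation, while a source from the router's own prefix or a native IPv6 source still passes.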