Re: [secdir] secdir review of draft-ietf-behave-turn-ipv6-09
Simon Perreault <simon.perreault@viagenie.ca> Wed, 30 June 2010 21:33 UTC
Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4EAE13A696B; Wed, 30 Jun 2010 14:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.274
X-Spam-Level:
X-Spam-Status: No, score=-2.274 tagged_above=-999 required=5 tests=[AWL=0.325, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bNCBXMhXIgz5; Wed, 30 Jun 2010 14:33:31 -0700 (PDT)
Received: from jazz.viagenie.ca (unknown [IPv6:2620:0:230:8000:226:55ff:fe57:14db]) by core3.amsl.com (Postfix) with ESMTP id 281433A6873; Wed, 30 Jun 2010 14:33:31 -0700 (PDT)
Received: from balaise.nomis80.org (modemcable245.152-21-96.mc.videotron.ca [96.21.152.245]) by jazz.viagenie.ca (Postfix) with ESMTPSA id D428920D1B; Wed, 30 Jun 2010 17:33:41 -0400 (EDT)
Message-ID: <4C2BB835.5070601@viagenie.ca>
Date: Wed, 30 Jun 2010 17:33:41 -0400
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100430 Fedora/3.0.4-3.fc13 Thunderbird/3.0.4
MIME-Version: 1.0
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <188D3671-05E9-40A2-9498-24BAE91B269E@bbn.com> <4BBBD185.7090606@viagenie.ca> <47C35048-FF47-4E92-821B-6EB21343B9B1@bbn.com>
In-Reply-To: <47C35048-FF47-4E92-821B-6EB21343B9B1@bbn.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Thu, 01 Jul 2010 06:04:23 -0700
Cc: draft-ietf-behave-turn-ipv6@tools.ietf.org, "behave@ietf.org" <behave@ietf.org>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-behave-turn-ipv6-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2010 21:33:33 -0000
On 06/25/2010 02:49 PM, Richard L. Barnes wrote: > I think it makes sense to describe the attack here, because it's not the > same as the Usenix attack. Here's how it works. Consider the following > setup: > > +--------------------------------+ > | | > | 2001:DB8::1 2001:DB8::2 | > +-----------------+ +------------+ > | Tunnel Endpoint | | TURN Relay | > +-----------------+ +------------+ > | 192.0.2.1 192.0.2.2 | > | | > +--------------------------------+ > > Suppose an attacker knows that a tunnel endpoint will forward > encapsulated packets from a given IPv6 address (this doesn't necessarily > need to be the tunnel endpoint's address). Suppose he then spoofs two > packets from this address: > 1. An allocate request asking for a v4 address, and > 2. A ChannelBind request establishing a channel to the IPv4 address of > the tunnel endpoint > > Then he has set up an amplification attack: > -- The TURN relay will re-encapsulate IPv6 UDP data in v4 and send it to > the tunnel endpoint > -- The tunnel endpoint will decapsulate packets from the v4 interface > and send them to v6 > So if the attacker sends a packet of the following form... > > IPv6: src=2001:DB9::1 dst=2001:DB8::2 > UDP: <ports> > TURN: <channel id> > IPv6: src=2001:DB9::1 dst=2001:DB8::2 > UDP: <ports> > TURN: <channel id> > IPv6: src=2001:DB9::1 dst=2001:DB8::2 > UDP: <ports> > TURN: <channel id> > ... > > Then the TURN relay and the tunnel endpoint will send it back and forth > until the last TURN header is consumed, at which point the TURN relay > will send an empty packet, which the tunnel endpoint will drop. > > The amplification potential here is limited by the MTU, so it's not > huge: IPv6+UDP+TURN takes 334 bytes, so you could get a four-to-one > amplification out of a 1500-byte packet. But the attacker could still > increase traffic volume by sending multiple packets or by establishing > multiple channels spoofed from different addresses behind the same > tunnel endpoint. > > This attack is kind of like the TURN loop attack in RFC 5766 (which > definitely still applies here!), but nicer for the attacker, since the > attacker never needs to see the response to a spoofed packet, since he > doesn't care about the relayed-transport address. Thanks, I understand now. I'll include a summary of the attack in the text. > I think the moral here is that TURN relays shouldn't be involved in > tunnels -- no need for two v4/v6 compatibility measures at once. So I > would suggest the document say something like: > " > It is RECOMMENDED that TURN relays not accept allocation or channel > binding requests from addresses known to be tunneled, and that they not > forward data to such addresses. In particular, a TURN relay MUST NOT > accept Teredo or 6to4 addresses in these requests. > " Agreed. Thanks, Simon -- NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca vCard 4.0 --> http://www.vcarddav.org
- [secdir] secdir review of draft-ietf-behave-turn-… Richard Barnes
- Re: [secdir] secdir review of draft-ietf-behave-t… Simon Perreault
- Re: [secdir] secdir review of draft-ietf-behave-t… Richard L. Barnes
- Re: [secdir] secdir review of draft-ietf-behave-t… Simon Perreault
- [secdir] secdir review of draft-ietf-isis-ieee-aq… Richard L. Barnes