Re: [secdir] secdir review of draft-ietf-behave-turn-ipv6-09

Simon Perreault <simon.perreault@viagenie.ca> Wed, 30 June 2010 21:33 UTC

Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4EAE13A696B; Wed, 30 Jun 2010 14:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.274
X-Spam-Level:
X-Spam-Status: No, score=-2.274 tagged_above=-999 required=5 tests=[AWL=0.325, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bNCBXMhXIgz5; Wed, 30 Jun 2010 14:33:31 -0700 (PDT)
Received: from jazz.viagenie.ca (unknown [IPv6:2620:0:230:8000:226:55ff:fe57:14db]) by core3.amsl.com (Postfix) with ESMTP id 281433A6873; Wed, 30 Jun 2010 14:33:31 -0700 (PDT)
Received: from balaise.nomis80.org (modemcable245.152-21-96.mc.videotron.ca [96.21.152.245]) by jazz.viagenie.ca (Postfix) with ESMTPSA id D428920D1B; Wed, 30 Jun 2010 17:33:41 -0400 (EDT)
Message-ID: <4C2BB835.5070601@viagenie.ca>
Date: Wed, 30 Jun 2010 17:33:41 -0400
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.9) Gecko/20100430 Fedora/3.0.4-3.fc13 Thunderbird/3.0.4
MIME-Version: 1.0
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <188D3671-05E9-40A2-9498-24BAE91B269E@bbn.com> <4BBBD185.7090606@viagenie.ca> <47C35048-FF47-4E92-821B-6EB21343B9B1@bbn.com>
In-Reply-To: <47C35048-FF47-4E92-821B-6EB21343B9B1@bbn.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Thu, 01 Jul 2010 06:04:23 -0700
Cc: draft-ietf-behave-turn-ipv6@tools.ietf.org, "behave@ietf.org" <behave@ietf.org>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-behave-turn-ipv6-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jun 2010 21:33:33 -0000

On 06/25/2010 02:49 PM, Richard L. Barnes wrote:
> I think it makes sense to describe the attack here, because it's not the
> same as the Usenix attack.  Here's how it works.  Consider the following
> setup:
> 
>               +--------------------------------+
>               |                                |
>               | 2001:DB8::1        2001:DB8::2 |
> +-----------------+                        +------------+
> | Tunnel Endpoint |                        | TURN Relay |
> +-----------------+                        +------------+
>               | 192.0.2.1            192.0.2.2 |
>               |                                |
>               +--------------------------------+
> 
> Suppose an attacker knows that a tunnel endpoint will forward
> encapsulated packets from a given IPv6 address (this doesn't necessarily
> need to be the tunnel endpoint's address).  Suppose he then spoofs two
> packets from this address:
> 1. An allocate request asking for a v4 address, and
> 2. A ChannelBind request establishing a channel to the IPv4 address of
> the tunnel endpoint
> 
> Then he has set up an amplification attack:
> -- The TURN relay will re-encapsulate IPv6 UDP data in v4 and send it to
> the tunnel endpoint
> -- The tunnel endpoint will decapsulate packets from the v4 interface
> and send them to v6
> So if the attacker sends a packet of the following form...
> 
> IPv6: src=2001:DB9::1 dst=2001:DB8::2
> UDP:  <ports>
> TURN: <channel id>
> IPv6: src=2001:DB9::1 dst=2001:DB8::2
> UDP:  <ports>
> TURN: <channel id>
> IPv6: src=2001:DB9::1 dst=2001:DB8::2
> UDP:  <ports>
> TURN: <channel id>
> ...
> 
> Then the TURN relay and the tunnel endpoint will send it back and forth
> until the last TURN header is consumed, at which point the TURN relay
> will send an empty packet, which the tunnel endpoint will drop.
> 
> The amplification potential here is limited by the MTU, so it's not
> huge: IPv6+UDP+TURN takes 334 bytes, so you could get a four-to-one
> amplification out of a 1500-byte packet.  But the attacker could still
> increase traffic volume by sending multiple packets or by establishing
> multiple channels spoofed from different addresses behind the same
> tunnel endpoint.
> 
> This attack is kind of like the TURN loop attack in RFC 5766 (which
> definitely still applies here!), but nicer for the attacker, since the
> attacker never needs to see the response to a spoofed packet, since he
> doesn't care about the relayed-transport address.

Thanks, I understand now. I'll include a summary of the attack in the text.

> I think the moral here is that TURN relays shouldn't be involved in
> tunnels -- no need for two v4/v6 compatibility measures at once.  So I
> would suggest the document say something like:
> "
> It is RECOMMENDED that TURN relays not accept allocation or channel
> binding requests from addresses known to be tunneled, and that they not
> forward data to such addresses.  In particular, a TURN relay MUST NOT
> accept Teredo or 6to4 addresses in these requests.
> "

Agreed.

Thanks,
Simon
-- 
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server        --> http://numb.viagenie.ca
vCard 4.0               --> http://www.vcarddav.org