Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Vasilenko Eduard <vasilenko.eduard@huawei.com> Thu, 21 October 2021 17:41 UTC

Return-Path: <vasilenko.eduard@huawei.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DB603A090F for <v6ops@ietfa.amsl.com>; Thu, 21 Oct 2021 10:41:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xw_7NZWMBH68 for <v6ops@ietfa.amsl.com>; Thu, 21 Oct 2021 10:41:03 -0700 (PDT)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F14E3A0901 for <v6ops@ietf.org>; Thu, 21 Oct 2021 10:41:03 -0700 (PDT)
Received: from fraeml711-chm.china.huawei.com (unknown [172.18.147.206]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4HZvmV69BMz67gYP for <v6ops@ietf.org>; Fri, 22 Oct 2021 01:36:42 +0800 (CST)
Received: from mscpeml500001.china.huawei.com (7.188.26.142) by fraeml711-chm.china.huawei.com (10.206.15.60) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.15; Thu, 21 Oct 2021 19:41:00 +0200
Received: from mscpeml500001.china.huawei.com (7.188.26.142) by mscpeml500001.china.huawei.com (7.188.26.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.15; Thu, 21 Oct 2021 20:40:59 +0300
Received: from mscpeml500001.china.huawei.com ([7.188.26.142]) by mscpeml500001.china.huawei.com ([7.188.26.142]) with mapi id 15.01.2308.015; Thu, 21 Oct 2021 20:40:59 +0300
From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: Andrew Alston <Andrew.Alston@liquidtelecom.com>, Andrew Alston <Andrew.Alston=40liquidtelecom.com@dmarc.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Thread-Topic: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
Thread-Index: AQHXxqFSX3AgIXBZj0K+NG8z7LIwR6vdtgSg
Date: Thu, 21 Oct 2021 17:40:59 +0000
Message-ID: <79c8fbb5ab9e4f04a6ff85929fd3d128@huawei.com>
References: <C4D64963-B881-422A-B01D-6AE634A0050F@liquidtelecom.com>
In-Reply-To: <C4D64963-B881-422A-B01D-6AE634A0050F@liquidtelecom.com>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.81.209.125]
Content-Type: multipart/alternative; boundary="_000_79c8fbb5ab9e4f04a6ff85929fd3d128huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/2KUQebK73vvhksF6EhJtMxtBtII>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Oct 2021 17:41:09 -0000

Ordinary router does not have thousands of interfaces. BNG and Packet Core have.
I did deep design for a few BNG implementations. It was the case (on the vendor that you could not guess looking to my email) when 173 filters was the maximum in particular situation that was possible for every subscriber (marketing department was too active on the “multi-play” promotion).
1 additional entry from 173 is 0.6% of BNG resources wasted.
Is it what you are worried about?
PS: it was many years ago, situation could be better now.
Eduard
From: Andrew Alston [mailto:Andrew.Alston@liquidtelecom.com]
Sent: Thursday, October 21, 2021 8:30 PM
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>om>; Andrew Alston <Andrew.Alston=40liquidtelecom.com@dmarc.ietf.org>rg>; v6ops@ietf.org
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Ok,

Lets ask the question about when this is applied in the absence of an SRH – applied in IPv6oIPv6 – similar scenario applies does it not?

And – please see note about applying filters on thousands of interfaces – for example – let’s look at the case of pseudowire headend devices – or – cloud VM’s.

A large portion of SRv6 and NP was about extending this down to the host level – how do you plan to filter this to shared cloud systems?

Andrew


From: v6ops <v6ops-bounces@ietf.org<mailto:v6ops-bounces@ietf.org>> on behalf of Vasilenko Eduard <vasilenko.eduard@huawei.com<mailto:vasilenko.eduard@huawei.com>>
Date: Thursday, 21 October 2021 at 20:24
To: Andrew Alston <Andrew.Alston=40liquidtelecom.com@dmarc.ietf.org<mailto:Andrew.Alston=40liquidtelecom.com@dmarc.ietf.org>>, "v6ops@ietf.org<mailto:v6ops@ietf.org>" <v6ops@ietf.org<mailto:v6ops@ietf.org>>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

All router’s ports should have RH type 4 (SRH) filtered out by default.
Network Admin should activate RH#4 support only for NNI ports.
Problem solved.
Ed/
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Andrew Alston
Sent: Thursday, October 21, 2021 8:08 PM
To: v6ops@ietf.org<mailto:v6ops@ietf.org>
Subject: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Hi V6Ops,

I thought I would raise the issues that follow here – and perhaps we can look and if these issues are real – and if so – what the solutions are.

During a close review of the compression proposals for SRv6 (CRH/G-Srv6/USID etc etc) I noticed some potential very real vulnerabilities in SRv6 itself – which by extensions would affect srv6, srv6 network programming and all the compression flavors – including CRH on which I am a co-author.  Having raised these issues with my CRH co-authors it was agreed that I raise these issues here so we could discuss them.

So a little background – SRrv6 is typically considered as something that should run in the confines of a  “limited-domain” – the question I started with is – can we actually define and maintain the boundaries of a limited-domain – and if so – how.  The conclusion I came to was that the concept of limited-domain in regards to SRv6 was an extremely fuzzy thing.

Now to understand this – we need first to look at the typical methods of protecting things

-          In the case of MPLS – we have what I will loosely refer to as a “fail-closed” scenario – that is to say – unless MPLS is enabled explicitly on an interface – ingress packets will not be processed – this works because of a separate ether-type
-          In the case of SR-MPLS – an identical situation occurs
-          In the case of dodgy IGP traffic – again, we have a fail-closed scenario
-          In the case of standard IPv6 – we have the option of utilizing BCP38 and ingress filtering – and the same thing in regards to IPv4.

Now – lets examine SRv6 for a second.

In a scenario of Host A (A linux box) with address 2001:db8:1:1::10/64   utilizing a gateway of 2001:db8:1:1::fefe – packets from 2001:db8:1:1::10 flowing towards that gateway would pass ingress filter checks based on BCP38 since the source address was legitimate, unless we explicitly filtered out where that packet could be destined for based on its DA (More on this in a bit)

Now, lets imagine for a second that Host A gets compromised – and an attack encapsulates a packet that has an entirely different source address – and whatever random DA address inside an SRH.  That SRH has a SID list in it – be it via a direct SID or via compression mechanisms, and a DA towards the SID itself.  The packet then routes – passing the ingress checks – and landing up at the router with the first SID.  Since this was the only SID in the list – the packet outer SRH is removed – and the inner packet is forwarded to the FIB – and you just bypassed BCP38.

In a similar mechanism, if the SRH states that the next protocol header is an IPv4 packet – when the de-encapsulation happens at last SID – the payload (the inner v4 packet) will then be forwarded via the FIB – and off you go.

Now, normally to protect against this as stated – an access list would be placed on the networks borders to prevent encapsulated packets and packets containing SID destinations from entering the network.  However – if we consider the above scenario where the attack is coming from a compromised server inside the traditional borders – we have a problem.  The application of access lists to every port containing a server is also potentially unrealistic and unmaintainable (not to mention could potentially on certain devices overload the TCAMs)

We also have an even more potentially deadly issue – and this is entirely theoretical at this point since I haven’t had time to really investigate and test it with real code.  Let us presume in the above that the same host A is compromised.  It encapsulates a packet with an SRH – the internal packet is an Ipv4 packet – and its destined at a broadcast address of an IP subnet that is bound to the same network as the de-encapsulating router.  The source of the internal v4 packet is spoofed – we’ve now managed to – through a use of the tunneling mechanism, effectively created a version of an old tool called smurf – in a manner that is going to be pretty hard to trace.

Another potential scenario – would be for an attacker in host A to jit some ebpf code – that matches – modifies and re-encapsulates incoming return packets and retransmits then. Each time applying the same SRH.  The inner packet could be pretty much anything – so long as the internal DA is set back to host A that is sending the packet.  The packet would then flow out as an SRH encapsulated packet, the outer header would get popped, the inner packet would flow back towards the original compromised host, which would match it modify it re-encapsulate it and start the loop again.  Doing this with ebpf and a kernel jit – would be pretty difficult to spot if you didn’t know what you are doing because you wouldn’t potentially see any obvious userland code.

As a final thought – consider a hypervisor based system – that has multiple VM’s on it – and the filtering implications of all of the above – and the filtering becomes even more difficult to maintain and more complex.

Again – the filtering per every port that may contains a server or a desktop – that may not be realistic – especially when we could be running multiple ports that are handing out source addresses via RA – so – how do we solve this – or is this a major flaw in srv6 itself – that needs some other solution (give srv6 its own protocol code and acknowledge that it isn’t ipv6 at all, allowing for a “fail-closed” scenario maybe?)

As an operator that runs extensive IPv6 – I’d really like to hear thoughts and comments and potentially we can find a way to address these issues.

Thanks

Andrew