Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Andrew Alston <Andrew.Alston@liquidtelecom.com> Thu, 21 October 2021 17:30 UTC

Return-Path: <andrew.alston@liquidtelecom.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D2F23A095F for <v6ops@ietfa.amsl.com>; Thu, 21 Oct 2021 10:30:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=liquidtelecom.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id naiXn6oe3eAO for <v6ops@ietfa.amsl.com>; Thu, 21 Oct 2021 10:30:28 -0700 (PDT)
Received: from eu-smtp-delivery-182.mimecast.com (eu-smtp-delivery-182.mimecast.com [185.58.85.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF57D3A08E3 for <v6ops@ietf.org>; Thu, 21 Oct 2021 10:30:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=liquidtelecom.com; s=mimecast20210406; t=1634837425; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=+XrRDafSiHBC2CUu/sQlKSeEr1jd4CpkAzcSAbCMp4w=; b=PLgDe82powYqwjEacbylx9NfLR2xCwrjFYpigyO23vXKZQp4PeeE/YHDKJzYQa+obnblaI eB+mhRmorwX+ty2z5nO2rRGv8rSN22VwL/ZGFRlG8fJHS0zxim9uNlG1h0pUdNVtl+8pdx rsTW/ueBYPG8Gh6PmuDmqBQf07MTH5s=
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-am5eur03lp2054.outbound.protection.outlook.com [104.47.8.54]) (Using TLS) by relay.mimecast.com with ESMTP id uk-mta-116-TmVc88MlMcehJ1foe_g8Gg-1; Thu, 21 Oct 2021 18:30:23 +0100
X-MC-Unique: TmVc88MlMcehJ1foe_g8Gg-1
Received: from AS8PR03MB7622.eurprd03.prod.outlook.com (2603:10a6:20b:346::6) by AS8PR03MB7921.eurprd03.prod.outlook.com (2603:10a6:20b:424::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4628.16; Thu, 21 Oct 2021 17:30:21 +0000
Received: from AS8PR03MB7622.eurprd03.prod.outlook.com ([fe80::90ec:90d5:59c4:fef9]) by AS8PR03MB7622.eurprd03.prod.outlook.com ([fe80::90ec:90d5:59c4:fef9%6]) with mapi id 15.20.4628.018; Thu, 21 Oct 2021 17:30:21 +0000
From: Andrew Alston <Andrew.Alston@liquidtelecom.com>
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>, Andrew Alston <Andrew.Alston=40liquidtelecom.com@dmarc.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Thread-Topic: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
Thread-Index: AQHXxqFSX3AgIXBZj0K+NG8z7LIwRw==
Date: Thu, 21 Oct 2021 17:30:21 +0000
Message-ID: <C4D64963-B881-422A-B01D-6AE634A0050F@liquidtelecom.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.53.21091200
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7b310943-2de8-4fe1-88d2-08d994b87558
x-ms-traffictypediagnostic: AS8PR03MB7921:
x-microsoft-antispam-prvs: <AS8PR03MB7921244148FC1964DB111147EEBF9@AS8PR03MB7921.eurprd03.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0
x-microsoft-antispam-message-info: boQzxp8iEyYS6kzhk484MDgbLB3Hy12Lm6S3MNKigsdl3s6bAbHLb9n8yztjaU4Fg4LGjInV2ihcggfD6g5oC3M6cilOSTdqgfygoGM5Qw163x7eqzDDgnzUncuLvYnT/kzDI2dfbWhMyyPSeKigimLx78tl8qSb2dbRcMogAgYfQL95646NHb2y7oNOXoS3Kr4AqI1B8YEXp2NHSoa6mRY45m8Le6NEyMtc5oOWe3Zqb1pwp9BwWW6GlBHhPv9a51WlyZEBBb81EHrboOZY3hJgGti/xTPxmfB5NrsAdIVgrIvzfdJpMW/EsAGoSfL0xKuzNYcyrAi58yzdTTKnsmhvZwqO/tbelhFMtoUS0hFc2gEJmQfa8glPu0fyvUoWQ+6Jk4uss1VB3F+KM9gFjt6qgvid5WaJ1964/lmKHN8rWLQ8Scuj+o0QBSCL7k+8Y4hnczQ1j46vsuWtLmrC+LaQy3jxHQ1f1C27K4kYrUHE3jNFvn8ELERtphsFYsW/Bas371UxLzpb6drvSgo6EZJsXuSGBFFmc4AGbqlw8PnrIVYJVgG4kYQXkTRU1kRxkYHpC95ffwPHlAhlpSBXqC6bNpW7pObR1bqejWVvjmmNM/GloBdJpF5aoYF1WXosJYiD85QkEOxbz3plERpywOSgk4+YwX4Ib8ErhW6HJrnhK2NQBD990s33hOLCmGZ8+cvtaiVjNzkdq80ZV15KRNebEJEMiRWZ4f6zVFGooclQqOg2BVgd1aNuPh4iL27u
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AS8PR03MB7622.eurprd03.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(33656002)(8936002)(508600001)(186003)(110136005)(5660300002)(2906002)(8676002)(83380400001)(66446008)(86362001)(64756008)(66556008)(2616005)(53546011)(66574015)(6506007)(316002)(66946007)(6486002)(6512007)(38100700002)(15650500001)(38070700005)(36756003)(122000001)(76116006)(91956017)(66476007)(71200400001)(45980500001); DIR:OUT; SFP:1102
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: oG6btY6vIuoS1+jfVPaUqLETIJpbAmLSUcTlyzLNJe1cx1sIju3jIxSiDb2R0Ej7+T2qtFcjEtohNn1TbiYlbfGDdLcneGCNgBXW6XwHYHoEhOkrO671z/H0LqEdxPQBaXp04AkbZQAb0JrHqXn3eGw8sAJ+2/egomU05RonBfQCp5CW9WmsloaM1Z9oXKb3WH8TyJCSTFppSRS2b3aoZv4Qh+5goQmWHgYZaLQ/NFCSWZV+ucBVkKANalmWTBfuagZ2svipr0O0mi4lnLc+D/ZjCpkLMLPy7cJi14SN7YJudC2y7Xa0kcsavr0bXZFQnabSlWgoHk9CVik9pp5Zgwb6N1wM4Spw6pmgTl0my52iFDA+5yuJ4aFEM00FEH7jBeitduv0Nr9+ovgvgC76GIslLR7M/SS5+nY6zwDA8fUWjDqdjlGpUXXcuSODEt7/4eSAc8S/ArkkzNgDXU+ZEeqXZmAjcj+YPPwY8C8vCvAtOgdDwb4LCEtrCJ7fiQ+TK1B+zCFyFm0wQOUx9+oDnVUy5ue+sxgGmYepQMxT4/ujeDEW4flxe/UHBbLDpNTc/m4Nc8lr1TimgLibkMj7Dk+RcPy56GQE1dMMQTVQGzbQmUB5ZKgjR2Q8flbRWer44nGq38kuTI2CxWQsOGiSBm1qgr7cwrmcP1hMScc+BhNXNY7BwlW1DL0bec9LIk+wg6AgkA3WvaAxXhHGJtas7z0UWf+VKbbZVHBPz5H9gq98yR3F0vH/jmGRFLP9+QWTMxZFl5yrn1Nmnc0t7tmnIJSD1QBy6Vb8yjc4dCYcrSEz3u4oKB+sou0+GDZbjrI8E/aNvtxgCGaKvzUpMAOPL63WAyDcQk3mlFx2DzHI1edRjacHXAcwHSurDSSjCZYZq7LpyjlNHWZJfFJHBm1cakU4lIRvJziD1Weg9Jv8T+vEk8BL5LbWzHBqqOn4bt+FR7gybtAE4SlJdB2VCbKtDuM+R6t+ytJCwv0sG4AXPdAxglLXC3imDEymYF11qAE85teeGpiW5x0mWvQrcF3I5yINsqcDexRULq6QF4dqDQWa+JS2gtE4vqzGcloEQ0k03300ZHJGhifMXJc5+fa38hhso3/g8LuuVhocb3hXsC3WBvB6xs5Rh2v1EKuLfELxW7hZgKhsbgRGd13C7nTghyfRbRpktxrgyTSLKQJxvC+Ox7+6FiViCbHbd7lcpvugaG7nt2ozdPdg88Ejfhl2/lXMf2ekI8uSEPlOWnW7aJy8n31zI4Oq/3F18kQiQJ15fGDPfsTIe7QWpeIIrjphasVuA+ry4SMNSa+oCWZbZu4DA4Sq3TVgIkNWxiHC8v+7dG83kfzXKXH0tjJozch7VYhLdxgIsTYRDYD2883ISNE4ROx6Lkm8uZO5NYXBU9sNGtj73soK6grijhy5W3nF1cvqND4zqhgzGCTn55EeQikQB1vBxDtHFz4NsE+4xNrgQ6nGfN98dsrY5knnM11eARblqSVpbpcSoZ0Y99u1kGnCXecSLQrFQmLS4h006G+g9gWxFdYV51zX/T2t5sEiDA==
MIME-Version: 1.0
X-OriginatorOrg: liquidtelecom.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS8PR03MB7622.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7b310943-2de8-4fe1-88d2-08d994b87558
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Oct 2021 17:30:21.2737 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 68792612-0f0e-46cb-b16a-fcb82fd80cb1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Andrew.Alston@liquidtelecom.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR03MB7921
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=C82A168 smtp.mailfrom=andrew.alston@liquidtelecom.com
X-Mimecast-Spam-Score: 1
X-Mimecast-Originator: liquidtelecom.com
Content-Language: en-GB
Content-Type: multipart/alternative; boundary="_000_C4D64963B881422AB01D6AE634A0050Fliquidtelecomcom_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/91qwFkEK7jHHpylrb1JyOP53rrU>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Oct 2021 17:30:49 -0000

Ok,

Lets ask the question about when this is applied in the absence of an SRH – applied in IPv6oIPv6 – similar scenario applies does it not?

And – please see note about applying filters on thousands of interfaces – for example – let’s look at the case of pseudowire headend devices – or – cloud VM’s.

A large portion of SRv6 and NP was about extending this down to the host level – how do you plan to filter this to shared cloud systems?

Andrew


From: v6ops <v6ops-bounces@ietf.org> on behalf of Vasilenko Eduard <vasilenko.eduard@huawei.com>
Date: Thursday, 21 October 2021 at 20:24
To: Andrew Alston <Andrew.Alston=40liquidtelecom.com@dmarc.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

All router’s ports should have RH type 4 (SRH) filtered out by default.
Network Admin should activate RH#4 support only for NNI ports.
Problem solved.
Ed/
From: v6ops [mailto:v6ops-bounces@ietf.org] On Behalf Of Andrew Alston
Sent: Thursday, October 21, 2021 8:08 PM
To: v6ops@ietf.org
Subject: [v6ops] Security issues in RFC8754 and related/subsequent drafts?

Hi V6Ops,

I thought I would raise the issues that follow here – and perhaps we can look and if these issues are real – and if so – what the solutions are.

During a close review of the compression proposals for SRv6 (CRH/G-Srv6/USID etc etc) I noticed some potential very real vulnerabilities in SRv6 itself – which by extensions would affect srv6, srv6 network programming and all the compression flavors – including CRH on which I am a co-author.  Having raised these issues with my CRH co-authors it was agreed that I raise these issues here so we could discuss them.

So a little background – SRrv6 is typically considered as something that should run in the confines of a  “limited-domain” – the question I started with is – can we actually define and maintain the boundaries of a limited-domain – and if so – how.  The conclusion I came to was that the concept of limited-domain in regards to SRv6 was an extremely fuzzy thing.

Now to understand this – we need first to look at the typical methods of protecting things


  *   In the case of MPLS – we have what I will loosely refer to as a “fail-closed” scenario – that is to say – unless MPLS is enabled explicitly on an interface – ingress packets will not be processed – this works because of a separate ether-type
  *   In the case of SR-MPLS – an identical situation occurs
  *   In the case of dodgy IGP traffic – again, we have a fail-closed scenario
  *   In the case of standard IPv6 – we have the option of utilizing BCP38 and ingress filtering – and the same thing in regards to IPv4.

Now – lets examine SRv6 for a second.

In a scenario of Host A (A linux box) with address 2001:db8:1:1::10/64   utilizing a gateway of 2001:db8:1:1::fefe – packets from 2001:db8:1:1::10 flowing towards that gateway would pass ingress filter checks based on BCP38 since the source address was legitimate, unless we explicitly filtered out where that packet could be destined for based on its DA (More on this in a bit)

Now, lets imagine for a second that Host A gets compromised – and an attack encapsulates a packet that has an entirely different source address – and whatever random DA address inside an SRH.  That SRH has a SID list in it – be it via a direct SID or via compression mechanisms, and a DA towards the SID itself.  The packet then routes – passing the ingress checks – and landing up at the router with the first SID.  Since this was the only SID in the list – the packet outer SRH is removed – and the inner packet is forwarded to the FIB – and you just bypassed BCP38.

In a similar mechanism, if the SRH states that the next protocol header is an IPv4 packet – when the de-encapsulation happens at last SID – the payload (the inner v4 packet) will then be forwarded via the FIB – and off you go.

Now, normally to protect against this as stated – an access list would be placed on the networks borders to prevent encapsulated packets and packets containing SID destinations from entering the network.  However – if we consider the above scenario where the attack is coming from a compromised server inside the traditional borders – we have a problem.  The application of access lists to every port containing a server is also potentially unrealistic and unmaintainable (not to mention could potentially on certain devices overload the TCAMs)

We also have an even more potentially deadly issue – and this is entirely theoretical at this point since I haven’t had time to really investigate and test it with real code.  Let us presume in the above that the same host A is compromised.  It encapsulates a packet with an SRH – the internal packet is an Ipv4 packet – and its destined at a broadcast address of an IP subnet that is bound to the same network as the de-encapsulating router.  The source of the internal v4 packet is spoofed – we’ve now managed to – through a use of the tunneling mechanism, effectively created a version of an old tool called smurf – in a manner that is going to be pretty hard to trace.

Another potential scenario – would be for an attacker in host A to jit some ebpf code – that matches – modifies and re-encapsulates incoming return packets and retransmits then. Each time applying the same SRH.  The inner packet could be pretty much anything – so long as the internal DA is set back to host A that is sending the packet.  The packet would then flow out as an SRH encapsulated packet, the outer header would get popped, the inner packet would flow back towards the original compromised host, which would match it modify it re-encapsulate it and start the loop again.  Doing this with ebpf and a kernel jit – would be pretty difficult to spot if you didn’t know what you are doing because you wouldn’t potentially see any obvious userland code.

As a final thought – consider a hypervisor based system – that has multiple VM’s on it – and the filtering implications of all of the above – and the filtering becomes even more difficult to maintain and more complex.

Again – the filtering per every port that may contains a server or a desktop – that may not be realistic – especially when we could be running multiple ports that are handing out source addresses via RA – so – how do we solve this – or is this a major flaw in srv6 itself – that needs some other solution (give srv6 its own protocol code and acknowledge that it isn’t ipv6 at all, allowing for a “fail-closed” scenario maybe?)

As an operator that runs extensive IPv6 – I’d really like to hear thoughts and comments and potentially we can find a way to address these issues.

Thanks

Andrew