Re: draft-jiang-v6ops-nc-protection-01.txt
Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org> Wed, 07 April 2010 21:47 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5548F3A69A8 for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 7 Apr 2010 14:47:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.671
X-Spam-Level:
X-Spam-Status: No, score=-1.671 tagged_above=-999 required=5 tests=[AWL=-1.000, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_AU=0.377, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CjeTuuAPSv+L for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 7 Apr 2010 14:46:59 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id BC2F93A69C1 for <v6ops-archive@lists.ietf.org>; Wed, 7 Apr 2010 14:46:58 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1Nzd3b-0000DA-A7 for v6ops-data0@psg.com; Wed, 07 Apr 2010 21:45:07 +0000
Received: from [202.136.110.247] (helo=smtp4.adam.net.au) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.71 (FreeBSD)) (envelope-from <ipng@69706e6720323030352d30312d31340a.nosense.org>) id 1Nzd3W-0000CO-Di for v6ops@ops.ietf.org; Wed, 07 Apr 2010 21:45:02 +0000
Received: from 219-90-224-227.ip.adam.com.au ([219.90.224.227] helo=opy.nosense.org) by smtp4.adam.net.au with esmtp (Exim 4.63) (envelope-from <ipng@69706e6720323030352d30312d31340a.nosense.org>) id 1Nzd3P-0005Wu-MQ; Thu, 08 Apr 2010 07:14:55 +0930
Received: from opy.nosense.org (localhost.localdomain [IPv6:::1]) by opy.nosense.org (Postfix) with ESMTP id E328C4922C; Thu, 8 Apr 2010 07:14:54 +0930 (CST)
Date: Thu, 08 Apr 2010 07:14:54 +0930
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
To: "Hemant Singh (shemant)" <shemant@cisco.com>
Cc: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: draft-jiang-v6ops-nc-protection-01.txt
Message-ID: <20100408071454.40517170@opy.nosense.org>
In-Reply-To: <AF742F21C1FCEE4DAB7F4842ABDC511C012F4784@XMB-RCD-114.cisco.com>
References: <AF742F21C1FCEE4DAB7F4842ABDC511C012F4784@XMB-RCD-114.cisco.com>
X-Mailer: Claws Mail 3.7.5 (GTK+ 2.20.0; x86_64-unknown-linux-gnu)
X-Location: Lower Mitcham, South Australia, 5062
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
On Fri, 26 Mar 2010 12:24:38 -0500 "Hemant Singh (shemant)" <shemant@cisco.com> wrote: > The problem this document is trying to solve and any other ND related > security problem can be solved by use of SEND. It seems to me that SEND is protecting against illegitimate ND traffic. The specific problem as I see it is that SEND won't protect against illegitimate _non-ND_ traffic i.e. offlink traffic to non-existent onlink destinations (i.e. enters router on interface A (Internet), exits on interface B (LAN /64), triggers ND on subnet attached to interface B), that then triggers legitimate ND traffic. So SEND will ensure the router's NS is a legitimate one, but SEND doesn't verify that the destination address in the NS exists, without creating state in the router to allow the SEND ND transaction to complete. The attack is about remotely being able to utilise outstanding NS state in the router to trigger the DoS. > If SEND is not used, as > I said on the mike, read section 5.3 of the RFC 4861 which will purge > bogus entries due to NUD timeout. This document is of no use at all. > I've had a look at that section of 4861, and I don't think what is stated there will prevent this issue. Firstly it says that there is no need for active garbage collection under normal circumstances, as NUD will purge entries that become stale. However, the specific issue occurs before NUD kicks in - NUD fundamentally detects a neighbor disappearing, after it has existed. This attack is taking advantage of a neighbor never existing in the first place. The vulnerability is in the state that is kept while the initial ND NS is outstanding, for an address that doesn't exist. Secondly, it says that if there is a need to limit the size of the Neighbor Cache, then a least recently used policy should be used to purge entries, with a period of use up to 10 minutes. So it seems to me that there are potentially three types of entries in the Neighbor Cache: (1) Valid entries i.e. NS/NA has completed, and NUD will detect if and when the neighbor disappears. (2) Incomplete entries for valid addresses. NS has been issued, waiting for a corresponding NA to arrive. (3) Incomplete entries for non-existent addresses. NS has been issued, waiting for an NA that will never arrive. This is the attacker's traffic, generated by incrementing through the /64 (LAN or P2P link) If the attacker fills up the neighbor cache with (3) entries, then presumably the LRU garbage collection routine will kick in straight away. If it's as simple as that described in RFC4861, then I think it's probable that it'll start purging (1) and (2) entries, because the attacker is both creating and therefore keeping the (3) entries most recently used. By removing (1) and (2) entries, it creates a DoS for existing nodes for which the router has already completed the NS/NA transaction, and for existing nodes for with the router has an outstanding NS. The neighbor cache can end up with no completed entries, only (2)s and (3)s, resulting in a complete DoS for legitimate offlink sources trying to access the link. If the garbage routine is more selective that what is specified in RFC4861, and restricts it's LRU purging to Incomplete NS/NA transactions, then it still causes a DoS for existing nodes that haven't completed their NS/NA transaction. This is certainly significantly better than the simple garbage collection routine, however it still facilitates a remotely triggered DoS for nodes that may have recently become available. If the draft you are commenting on provides a mechanism that closes this vulnerability, or there are other effective methods that prevent remote attackers being able to create traffic triggered state in routers, I think they're well worth pursing. Regards, Mark.
- draft-jiang-v6ops-nc-protection-01.txt Hemant Singh (shemant)
- Re: draft-jiang-v6ops-nc-protection-01.txt Mark Smith
- RE: draft-jiang-v6ops-nc-protection-01.txt Sheng Jiang
- Re: draft-jiang-v6ops-nc-protection-01.txt Ole Troan