RE: draft-jiang-v6ops-nc-protection-01.txt
Sheng Jiang <shengjiang@huawei.com> Fri, 09 April 2010 06:30 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2947B3A67EB for <ietfarch-v6ops-archive@core3.amsl.com>; Thu, 8 Apr 2010 23:30:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.435
X-Spam-Level:
X-Spam-Status: No, score=0.435 tagged_above=-999 required=5 tests=[AWL=-0.929, BAYES_20=-0.74, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ww3Gg74ssqqE for <ietfarch-v6ops-archive@core3.amsl.com>; Thu, 8 Apr 2010 23:30:06 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 34FF63A67EC for <v6ops-archive@lists.ietf.org>; Thu, 8 Apr 2010 23:30:05 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1O07c9-0006iI-Hy for v6ops-data0@psg.com; Fri, 09 Apr 2010 06:22:49 +0000
Received: from [119.145.14.67] (helo=szxga04-in.huawei.com) by psg.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <shengjiang@huawei.com>) id 1O07c5-0006hJ-SX for v6ops@ops.ietf.org; Fri, 09 Apr 2010 06:22:47 +0000
Received: from huawei.com (szxga04-in [172.24.2.12]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0L0L00JNCJ1BZW@szxga04-in.huawei.com> for v6ops@ops.ietf.org; Fri, 09 Apr 2010 14:22:23 +0800 (CST)
Received: from huawei.com ([172.24.2.119]) by szxga04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0L0L00A7EJ1A5T@szxga04-in.huawei.com> for v6ops@ops.ietf.org; Fri, 09 Apr 2010 14:22:22 +0800 (CST)
Received: from j66104a ([10.111.12.115]) by szxml04-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0L0L00GH2J1ATA@szxml04-in.huawei.com> for v6ops@ops.ietf.org; Fri, 09 Apr 2010 14:22:22 +0800 (CST)
Date: Fri, 09 Apr 2010 14:22:22 +0800
From: Sheng Jiang <shengjiang@huawei.com>
Subject: RE: draft-jiang-v6ops-nc-protection-01.txt
In-reply-to: <20100408071454.40517170@opy.nosense.org>
To: 'Mark Smith' <ipng@69706e6720323030352d30312d31340a.nosense.org>, "'Hemant Singh (shemant)'" <shemant@cisco.com>
Cc: 'IPv6 Operations' <v6ops@ops.ietf.org>
Message-id: <00eb01cad7ad$041b6a20$730c6f0a@china.huawei.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Mailer: Microsoft Office Outlook 11
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7bit
Thread-index: AcrWnSJ49iTgsMjtS8iJSfpGJNIgYABD06sg
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
> -----Original Message----- > From: owner-v6ops@ops.ietf.org > [mailto:owner-v6ops@ops.ietf.org] On Behalf Of Mark Smith > Sent: Thursday, April 08, 2010 5:45 AM > To: Hemant Singh (shemant) > Cc: IPv6 Operations > Subject: Re: draft-jiang-v6ops-nc-protection-01.txt > > On Fri, 26 Mar 2010 12:24:38 -0500 > "Hemant Singh (shemant)" <shemant@cisco.com> wrote: > > > The problem this document is trying to solve and any other > ND related > > security problem can be solved by use of SEND. > > It seems to me that SEND is protecting against illegitimate > ND traffic. > The specific problem as I see it is that SEND won't protect > against illegitimate _non-ND_ traffic i.e. offlink traffic to > non-existent onlink destinations (i.e. enters router on > interface A (Internet), exits on interface B (LAN /64), > triggers ND on subnet attached to interface B), that then > triggers legitimate ND traffic. So SEND will ensure the > router's NS is a legitimate one, but SEND doesn't verify that > the destination address in the NS exists, without creating > state in the router to allow the SEND ND transaction to > complete. The attack is about remotely being able to utilise > outstanding NS state in the router to trigger the DoS. > > > If SEND is not used, as > > I said on the mike, read section 5.3 of the RFC 4861 which > will purge > > bogus entries due to NUD timeout. This document is of no > use at all. > > > > I've had a look at that section of 4861, and I don't think what is > stated there will prevent this issue. > > Firstly it says that there is no need for active garbage collection > under normal circumstances, as NUD will purge entries that become > stale. However, the specific issue occurs before NUD kicks in - NUD > fundamentally detects a neighbor disappearing, after it has existed. > > This attack is taking advantage of a neighbor never existing in the > first place. The vulnerability is in the state that is kept while the > initial ND NS is outstanding, for an address that doesn't exist. > > Secondly, it says that if there is a need to limit the size of the > Neighbor Cache, then a least recently used policy should be used to > purge entries, with a period of use up to 10 minutes. > > So it seems to me that there are potentially three types of entries in > the Neighbor Cache: > > (1) Valid entries i.e. NS/NA has completed, and NUD will detect if > and when the neighbor disappears. > > (2) Incomplete entries for valid addresses. NS has been issued, > waiting for a corresponding NA to arrive. > > (3) Incomplete entries for non-existent addresses. NS has been issued, > waiting for an NA that will never arrive. This is the attacker's > traffic, generated by incrementing through the /64 (LAN or P2P link) > > > If the attacker fills up the neighbor cache with (3) entries, then > presumably the LRU garbage collection routine will kick in straight > away. If it's as simple as that described in RFC4861, then I > think it's > probable that it'll start purging (1) and (2) entries, because the > attacker is both creating and therefore keeping the (3) entries most > recently used. By removing (1) and (2) entries, it creates a DoS for > existing nodes for which the router has already completed the NS/NA > transaction, and for existing nodes for with the router has an > outstanding NS. The neighbor cache can end up with no completed > entries, only (2)s and (3)s, resulting in a complete DoS for > legitimate > offlink sources trying to access the link. > > If the garbage routine is more selective that what is specified in > RFC4861, and restricts it's LRU purging to Incomplete NS/NA > transactions, then it still causes a DoS for existing nodes that > haven't completed their NS/NA transaction. This is certainly > significantly better than the simple garbage collection routine, > however it still facilitates a remotely triggered DoS for nodes that > may have recently become available. > > If the draft you are commenting on provides a mechanism that closes > this vulnerability, or there are other effective methods that prevent > remote attackers being able to create traffic triggered state in > routers, I think they're well worth pursing. That's exactly what we are aiming to. We admit that our mechanism may not be able to solve this vulnerability totally. But it reduces the rish very largely. Quantitatively, it reduces the attack frequency to a level less that 1% before. Regards, Sheng > Regards, > Mark. > > > >
- draft-jiang-v6ops-nc-protection-01.txt Hemant Singh (shemant)
- Re: draft-jiang-v6ops-nc-protection-01.txt Mark Smith
- RE: draft-jiang-v6ops-nc-protection-01.txt Sheng Jiang
- Re: draft-jiang-v6ops-nc-protection-01.txt Ole Troan