Re: [v6ops] [OPSEC] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops
Jeroen Massar <jeroen@massar.ch> Tue, 19 August 2014 16:48 UTC
Message-ID: <53F37FE6.6080306@massar.ch>
Date: Tue, 19 Aug 2014 18:48:38 +0200
From: Jeroen Massar <jeroen@massar.ch>
Organization: Massar
MIME-Version: 1.0
To: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>
References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> <53F37C72.6040406@si6networks.com>
In-Reply-To: <53F37C72.6040406@si6networks.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/yP_WppkUAgGvAA-OmvpC_tuYYfs
Cc: "'opsec@ietf.org'" <opsec@ietf.org>
Subject: Re: [v6ops] [OPSEC] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops
[merging two different replies back into one]

On 2014-08-19 18:33, Fernando Gont wrote:
> Hello, Jeroen,
>
> On 08/19/2014 10:18 AM, Jeroen Massar wrote:
>> Hence we should formulate text a bit like:
>>
>> 8<------------------------
>> When forwarding or receiving an ICMP error packet:
>> - The IP destination of the packet MUST match the source address
>>   represented in the ICMP error packet.
>>
>> - The ICMP error packet's destination address must qualify uRPF rules
>>   for the same interface as the source address.[1]
>>
>> As the verified packets are ICMP errors, when the verification fails the
>> packet MUST be dropped, logging is recommended.
>>
>> Due to the checking inside the ICMP portion of a packet:
>> Access-routers, firewalls and hosts MUST perform these checks.
>> Core-routers SHOULD perform these checks
>>
>> [1] When ICMP-dst address matches IP-src the check should already have
>> been performed by the standard uRPF check.
>> ------------------------>8
>
> Should we include something along these lines to the countermeasures
> listed in draft-gont-v6ops-ipv6-ehs-in-real-world, or were you thinking
> about something else?

While it kind-of has a place there, (ipv6-ehs-in-real-world) is a "current state of the Internet" regarding this problem, it thus introduces the problem.

Hence, a short, separate document which updates ICMPv4 + ICMPv6 referencing that draft would be more appropriate IMHO. Especially as then it is quicker for implementers to see what they need to get done to solve the issue.

Hence, a short intro with "this is the problem: ....; for more detail see draft-X + RFC5927" + "do this in your ICMPv4/v6 stacks" would be a good start. Then we might be able to get it quickly into at least Linux and BSD kernels which is what most access-router/firewalls are being built upon.

On 2014-08-19 18:25, Fernando Gont wrote:
> On 08/19/2014 01:17 PM, Jeroen Massar wrote:
>>
>> While that specific fragmented attack won't work, one can still spoof
>> return ICMPs and give wrong answers.
>>
>> Anyone remember Rotorouter[1] ? :)
>>
>> Hence, why it is a good idea to do the same checks for IPv4 too
>> and why I avoid mentioning what kind of attack it was solving.
>> It is just good hygiene to check validity of things.
>
> FWIW, I had posted this thingy a while ago:
> <http://www.gont.com.ar/papers/filtering-of-icmp-error-messages.pdf>
> -- essentially BCP38 on the ICMPv4 payload..

aka RFC 5927, though only informational even though it went through WG review it seems.

That indeed touches upon the subject quite a bit too, and would be a good thing to reference from a draft dubbed: "ICMPv4 + ICMPv6 Address Verification"

Greets,
 Jeroen
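The two address checks quoted in the proposed text above, worked through as an added example; this is not code from the thread, from Jeroen, or from any Linux/BSD stack. It takes the first check literally (outer IP destination must equal the source address of the packet embedded in the ICMP error) and reads the second check, following footnote [1], as "the embedded packet's destination address must pass uRPF on the interface the error arrived on", which is an interpretation and not spelled out in the proposal. Further assumptions: uRPF is stood in for by a static per-interface prefix table instead of a FIB lookup, IPv6 extension headers between the IPv6 header and ICMPv6 are not walked, checksums are neither computed nor verified, and all addresses and packets are constructed from documentation ranges. The same function is applied to an ICMPv4 error, since the message argues the checks belong in both stacks.

```python
import ipaddress
import struct

# ICMP types whose body is an 8-byte ICMP header followed by the invoking packet.
ICMPV6_ERROR_TYPES = {1, 2, 3, 4}       # Dest Unreach, Packet Too Big, Time Exceeded, Param Problem
ICMPV4_ERROR_TYPES = {3, 4, 5, 11, 12}  # Dest Unreach, Source Quench, Redirect, Time Exceeded, Param Problem
IPPROTO_ICMP, IPPROTO_ICMPV6 = 1, 58

def parse_ip(buf):
    """Return (src, dst, l4_proto, payload) from a raw IPv4 or IPv6 packet.
    IPv6 extension headers are not walked: an EH ahead of ICMPv6 shows up as
    l4_proto, and verify_icmp_error then treats the packet as non-ICMP."""
    version = buf[0] >> 4 if buf else 0
    if version == 6:
        if len(buf) < 40:
            raise ValueError("truncated IPv6 header")
        return (ipaddress.IPv6Address(buf[8:24]), ipaddress.IPv6Address(buf[24:40]), buf[6], buf[40:])
    if version == 4:
        ihl = (buf[0] & 0x0F) * 4
        if ihl < 20 or len(buf) < ihl:
            raise ValueError("truncated IPv4 header")
        return (ipaddress.IPv4Address(buf[12:16]), ipaddress.IPv4Address(buf[16:20]), buf[9], buf[ihl:])
    raise ValueError("unknown IP version")

def passes_urpf(addr, iface, urpf_table):
    """Stand-in for strict uRPF (assumption: a static {iface: [prefixes]} table
    rather than a FIB lookup): addr is acceptable on iface iff it lies inside
    a prefix reachable through iface."""
    return any(addr in net for net in urpf_table.get(iface, ()))

def verify_icmp_error(raw, ingress_if, urpf_table):
    """Apply the proposed address checks to one packet received on ingress_if.
    Returns (accept, reason); packets that are not ICMP errors pass through."""
    try:
        outer_src, outer_dst, proto, l4 = parse_ip(raw)
    except ValueError as e:
        return False, f"drop: {e}"
    # Ordinary uRPF on the outer source, which the proposal assumes is already in place.
    if not passes_urpf(outer_src, ingress_if, urpf_table):
        return False, f"drop: outer source {outer_src} fails uRPF on {ingress_if}"
    is_v6 = isinstance(outer_src, ipaddress.IPv6Address)
    if proto != (IPPROTO_ICMPV6 if is_v6 else IPPROTO_ICMP):
        return True, "pass: not ICMP"
    if len(l4) < 8:
        return False, "drop: truncated ICMP header"
    if l4[0] not in (ICMPV6_ERROR_TYPES if is_v6 else ICMPV4_ERROR_TYPES):
        return True, "pass: ICMP, but not an error message"
    try:
        inner_src, inner_dst, _, _ = parse_ip(l4[8:])
    except ValueError as e:
        return False, f"drop: invoking packet {e}"
    # Check 1: the error must be addressed to whoever sent the invoking packet.
    if outer_dst != inner_src:
        return False, f"drop: ICMP dst {outer_dst} != invoking src {inner_src}"
    # Check 2 (as read here): the invoking packet's destination must pass uRPF on the
    # interface the error arrived on. Per footnote [1], when it equals the outer source
    # the uRPF check above has already covered it.
    if inner_dst != outer_src and not passes_urpf(inner_dst, ingress_if, urpf_table):
        return False, f"drop: invoking dst {inner_dst} fails uRPF on {ingress_if}"
    return True, "pass: ICMP error address checks OK"

# Constructed packets below; IP and ICMP checksums are left zero and not validated here.
def build_ipv6(src, dst, next_header, payload):
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload

def build_ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def build_icmp_error(icmp_type, invoking, code=0, extra=0):
    """8-byte ICMP/ICMPv6 error header (type, code, checksum, MTU/pointer/unused) + invoking packet."""
    return struct.pack("!BBHI", icmp_type, code, 0, extra) + invoking

# Constructed topology: customer prefixes behind "lan", everything else via "wan".
URPF = {
    "lan": [ipaddress.ip_network("2001:db8:1::/48"), ipaddress.ip_network("192.0.2.0/24")],
    "wan": [ipaddress.ip_network("2000::/3"), ipaddress.ip_network("0.0.0.0/0")],
}
STUB = b"\x00" * 20  # stand-in for the leading bytes of the invoking packet's transport header

# Legitimate Packet Too Big from customer router 2001:db8:1::1 about 2001:db8:2::10 -> 2001:db8:1::50.
GOOD_V6 = build_ipv6("2001:db8:1::1", "2001:db8:2::10", IPPROTO_ICMPV6,
                     build_icmp_error(2, build_ipv6("2001:db8:2::10", "2001:db8:1::50", 6, STUB), extra=1280))
# Same outer addresses, but the embedded packet names a different sender: fails check 1.
BAD_SRC_V6 = build_ipv6("2001:db8:1::1", "2001:db8:2::10", IPPROTO_ICMPV6,
                        build_icmp_error(2, build_ipv6("2001:db8:9::9", "2001:db8:1::50", 6, STUB), extra=1280))
# Embedded destination is not behind the ingress interface: fails check 2.
BAD_DST_V6 = build_ipv6("2001:db8:1::1", "2001:db8:2::10", IPPROTO_ICMPV6,
                        build_icmp_error(1, build_ipv6("2001:db8:2::10", "2001:db8:7::1", 6, STUB)))
# The same checks on an ICMPv4 Fragmentation Needed (type 3, code 4) message.
GOOD_V4 = build_ipv4("192.0.2.1", "198.51.100.10", IPPROTO_ICMP,
                     build_icmp_error(3, build_ipv4("198.51.100.10", "192.0.2.50", 6, STUB), code=4, extra=1400))

if __name__ == "__main__":
    for name, pkt in [("good-v6", GOOD_V6), ("bad-src-v6", BAD_SRC_V6), ("bad-dst-v6", BAD_DST_V6), ("good-v4", GOOD_V4)]:
        print(name, verify_icmp_error(pkt, "lan", URPF))
```

Each verdict carries a reason string so that a drop can be logged, as the proposed text recommends. A real implementation would replace passes_urpf with the forwarding table's reverse-path lookup and would walk IPv6 extension headers before looking for the ICMPv6 header.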