Re: [v6ops] [OPSEC] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops

Jeroen Massar <jeroen@massar.ch> Tue, 19 August 2014 16:48 UTC

Message-ID: <53F37FE6.6080306@massar.ch>
Date: Tue, 19 Aug 2014 18:48:38 +0200
From: Jeroen Massar <jeroen@massar.ch>
Organization: Massar
MIME-Version: 1.0
To: Fernando Gont <fgont@si6networks.com>, IPv6 Operations <v6ops@ietf.org>
References: <53F33C4F.2070807@si6networks.com> <53F343A3.1070505@massar.ch> <53F34486.7010903@si6networks.com> <53F34EC0.30400@massar.ch> <53F37C72.6040406@si6networks.com>
In-Reply-To: <53F37C72.6040406@si6networks.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/v6ops/yP_WppkUAgGvAA-OmvpC_tuYYfs
Cc: "'opsec@ietf.org'" <opsec@ietf.org>
Subject: Re: [v6ops] [OPSEC] DoS attacks (ICMPv6-based) resulting from IPv6 EH drops

[merging two different replies back into one]

On 2014-08-19 18:33, Fernando Gont wrote:
> Hello, Jeroen,
> 
> On 08/19/2014 10:18 AM, Jeroen Massar wrote:
>> Hence we should formulate text a bit like:
>>
>> 8<------------------------
>> When forwarding or receiving an ICMP error packet:
>>  - The IP destination of the packet MUST match the source address
>>    represented in the ICMP error packet.
>>
>>  - The ICMP error packet's destination address must qualify uRPF rules
>>    for the same interface as the source address.[1]
>>
>> As the verified packets are ICMP errors, when the verification fails the
>> packet MUST be dropped, logging is recommended.
>>
>> Due to the checking inside the ICMP portion of a packet:
>>   Access-routers, firewalls and hosts MUST perform these checks.
>>   Core-routers SHOULD perform these checks
>>
>> [1] When ICMP-dst address matches IP-src the check should already have
>> been performed by the standard uRPF check.
>> ------------------------>8
> 
> Should we include something along these lines in the countermeasures
> listed in draft-gont-v6ops-ipv6-ehs-in-real-world, or were you thinking
> about something else?

While it kind of has a place there, (ipv6-ehs-in-real-world) is a
"current state of the Internet" document regarding this problem; it thus
introduces the problem.

Hence, a short, separate document which updates ICMPv4 + ICMPv6
referencing that draft would be more appropriate IMHO.

Especially as then it is quicker for implementers to see what they need
to get done to solve the issue. Hence, a short intro with "this is the
problem: ....; for more detail see draft-X + RFC5927" + "do this in your
ICMPv4/v6 stacks" would be a good start.

Then we might be able to get it quickly into at least Linux and BSD
kernels which is what most access-router/firewalls are being built upon.


On 2014-08-19 18:25, Fernando Gont wrote:
> On 08/19/2014 01:17 PM, Jeroen Massar wrote:
>>
>> While that specific fragmented attack won't work, one can still spoof
>> return ICMPs and give wrong answers.
>>
>> Anyone remember Rotorouter[1] ? :)
>>
>> Hence, why it is a good idea to do the same checks for IPv4 too
>> and why I avoid mentioning what kind of attack it was solving.
>> It is just good hygiene to check validity of things.
>
> FWIW, I had posted this thingy a while ago:
> <http://www.gont.com.ar/papers/filtering-of-icmp-error-messages.pdf>
> -- essentially BCP38 on the ICMPv4 payload..

aka RFC 5927, though only informational even though it went through WG
review it seems.

That indeed touches upon the subject quite a bit too, and would be a
good thing to reference from a draft dubbed:
 "ICMPv4 + ICMPv6 Address Verification"

Greets,
 Jeroen
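The address checks in the proposed text above, as an added worked example (not code from the thread or from any stack): the outer IP destination must equal the source embedded in the ICMPv6 error, and both the outer source and the embedded destination must pass strict uRPF on the interface the error arrived on (so the embedded-destination check collapses into plain uRPF when the error was sent by the original destination itself, as footnote [1] notes). The route table, interface names and packet bytes are constructed for the example, and the reading of the uRPF rule as "embedded destination vs. arrival interface" is an assumption.

```python
import ipaddress
import struct

# Constructed route table (assumption): prefix -> interface the prefix is reached through.
ROUTES = {
    ipaddress.ip_network("2001:db8:1::/48"): "inside",
    ipaddress.ip_network("2001:db8:2::/48"): "outside",
    ipaddress.ip_network("::/0"): "outside",
}

def urpf_ok(addr, iface):
    """Strict uRPF: the longest-matching route for addr must point back at iface."""
    a = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES if a in n), key=lambda n: n.prefixlen)
    return ROUTES[best] == iface

def parse_icmpv6_error(payload):
    """Return (embedded src, embedded dst) from an ICMPv6 error message, else None."""
    if len(payload) < 8 + 40:          # 8-byte ICMPv6 header + full embedded IPv6 header
        return None
    if payload[0] not in (1, 2, 3, 4):  # Dest Unreachable, Packet Too Big, Time Exceeded, Param Problem
        return None
    inner = payload[8:48]
    if inner[0] >> 4 != 6:             # embedded header must be IPv6
        return None
    return ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])

def validate_icmpv6_error(outer_src, outer_dst, iface, payload):
    """Apply the checks from the proposed text; returns (accept, reason)."""
    parsed = parse_icmpv6_error(payload)
    if parsed is None:
        return False, "not a parseable ICMPv6 error"
    inner_src, inner_dst = parsed
    if ipaddress.ip_address(outer_dst) != inner_src:
        return False, "outer dst != embedded src"
    if not urpf_ok(outer_src, iface):          # standard uRPF on the error's sender
        return False, "outer src fails uRPF"
    if not urpf_ok(inner_dst, iface):          # original destination must lie behind the same interface
        return False, "embedded dst fails uRPF"
    return True, "ok"

def build_error(inner_src, inner_dst, icmp_type=1, code=0):
    """Constructed ICMPv6 error carrying a 40-byte embedded IPv6 header (checksum left zero)."""
    inner = (struct.pack("!IHBB", 0x60000000, 0, 59, 64)   # ver 6, plen 0, nh 59 (none), hlim 64
             + ipaddress.IPv6Address(inner_src).packed
             + ipaddress.IPv6Address(inner_dst).packed)
    return bytes([icmp_type, code, 0, 0, 0, 0, 0, 0]) + inner
```

Logging the rejection reason on drop, as the proposed text recommends, is left to the caller.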