Defeating Attacks which employ Forged ICMPv4/ICMPv6 Error Messages
draft-gont-opsec-icmp-ingress-filtering-03

Document Type: Active Internet-Draft (individual)
Last updated: 2017-07-03
IESG state: I-D Exists
opsec                                                            F. Gont
Internet-Draft                                    UTN-FRH / SI6 Networks
Intended status: Best Current Practice                         R. Hunter
Expires: January 4, 2018                            Globis Consulting BV
                                                               J. Massar
                                                       Massar Networking
                                                                  W. Liu
                                                     Huawei Technologies
                                                            July 3, 2017

   Defeating Attacks which employ Forged ICMPv4/ICMPv6 Error Messages
             draft-gont-opsec-icmp-ingress-filtering-03.txt

Abstract

   Over the years, a number of attack vectors that employ forged ICMPv4/
   ICMPv6 error messages have been disclosed and exploited in the wild.
   The aforementioned attack vectors do not require that the source
   address of the packets be forged, but do require that the addresses
   of the IPv4/IPv6 packet embedded in the ICMPv4/ICMPv6 payload be
   forged.  This document discusses a simple, effective, and
   straightforward method for using ingress traffic filtering to
   mitigate attacks that use forged addresses in the IPv4/IPv6 packet
   embedded in an ICMPv4/ICMPv6 payload.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 4, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Gont, et al.             Expires January 4, 2018                [Page 1]
Internet-Draft           ICMP Ingress Filtering                July 2017

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Applicability Statement . . . . . . . . . . . . . . . . . . .   3
   4.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     4.1.  Generation of ICMP Error Messages in Legitimate Scenarios   4
     4.2.  Attack Scenario . . . . . . . . . . . . . . . . . . . . .   5
   5.  ICMPv4/ICMPv6 Network Ingress Filtering . . . . . . . . . . .   7
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   8
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   Over the years, a number of attack vectors that employ forged ICMPv4/
   ICMPv6 error messages have been disclosed and exploited in the wild.
   The effects of these attack vectors have ranged from Denial of
   Service (DoS) to performance degradation [US-CERT] [RFC5927]
   [I-D.gont-v6ops-ipv6-ehs-packet-drops].

   The aforementioned attack vectors do not require that the Source
   Address of the ICMP [RFC0792] or ICMPv6 [RFC4443] attack packets be
   forged, but do require that the Destination Address of the IPv4
   [RFC0791] (in the case of ICMPv4) or IPv6 (in the case of ICMPv6)
   packet embedded in the ICMPv4/ICMPv6 payload be forged.  Thus,
   performing ingress filtering (a la BCP38 [RFC2827]) on the Destination
   Address of the embedded IPv4/IPv6 packet results in a simple,