ND improvement to prevent Man-in-the-middle attack
draft-vasilenko-6man-nd-mitm-protection-00

Document Type: Active Internet-Draft (individual)
Authors: Eduard Vasilenko, XiPeng Xiao
Last updated: 2020-09-24
Stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: I-D Exists
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)
IPv6 Maintenance (6man) Working Group                      E. Vasilenko
Internet Draft                                                  X. Xiao
Updates: 4861, 4862 (if approved)                   Huawei Technologies
Intended status: Standards Track                     September 24, 2020
Expires: March 2021

            ND improvement to prevent Man-in-the-middle attack
                draft-vasilenko-6man-nd-mitm-protection-00

Abstract

   Privacy protection is a growing concern of many governments and of
   the public in general. ND still has several open man-in-the-middle
   (MITM) attack vectors. MITM is considered among the most dangerous
   attack types because of the information leakage it causes. This
   document proposes minimal modifications to ND to protect IPv6 nodes
   against these still open MITM attacks. The modifications can be
   deployed gradually on any node, with the greatest benefit coming
   from support on routers.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire in March 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of

Vasilenko               Expires March 24, 2021                 [Page 1]
Internet-Draft            ND-MITM-protection             September 2020

   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents

   1. Terminology and pre-requisite..................................2
   2. Introduction...................................................3
   3. Security vulnerabilities.......................................4
      3.1. Rewrite by unsolicited NA.................................4
      3.2. Be the first and suppress DAD.............................5
      3.3. Win the race just after DAD...............................6
      3.4. Implications for off-link nodes...........................6
      3.5. Speed up by [Gratuitous ND]...............................6
   4. Solution - Security DAD........................................7
      4.1. Standards modifications...................................8
         4.1.1. Modifications to [ND]................................8
         4.1.2. Modifications to [SLAAC]............................11
      4.2. Interoperability analysis................................11
   5. Applicability analysis........................................13
      5.1. Performance analysis.....................................13
      5.2. Usability analysis.......................................15
      5.3. DoS level analysis.......................................16
   6. Security Considerations.......................................16
   7. IANA Considerations...........................................16
   8. References....................................................17
      8.1. Normative References.....................................17
      8.2. Informative References...................................18
   9. Acknowledgments...............................................18

1. Terminology and pre-requisite

   Good knowledge of [ND] is assumed, and [ND] is referenced
   frequently. Many terms are inherited from [ND]. The following
   additional terms are introduced:

  Security DAD: Duplicate Address Detection performed as a security
            check at the time a Link Layer Address is written or
            rewritten

  Intruder: A node under the control of a malicious third party


  Intercepted Victim: A node whose communication could lose its
            privacy

  Poisoned Victim: A node that could suffer an unauthorized
            modification of a Neighbor Cache entry; depending on the
            scenario, it could additionally lose the privacy of
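As an added illustration (not code from this draft or from [ND]), the following Python model applies the Neighbor Advertisement processing rules of [ND] section 7.2.5 to a victim's Neighbor Cache and shows the unauthorized Link Layer Address rewrite that the term "Poisoned Victim" refers to. The addresses, the class and function names, and the sequence of messages are constructed for this example. The Security DAD check proposed by the draft is deliberately not modelled, since its specification is in a section not reproduced here; only the behaviour of an unmodified [ND] node is shown, and Neighbor Unreachability Detection timers are omitted.

```python
"""Added illustration of Neighbor Cache update on receipt of a Neighbor
Advertisement (NA), following RFC 4861 [ND] section 7.2.5.  Not code from
the draft; the draft's Security DAD check is NOT modelled, so the rewrite
by an unsolicited NA goes through.  All addresses are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    INCOMPLETE = "INCOMPLETE"
    REACHABLE = "REACHABLE"
    STALE = "STALE"


@dataclass
class Entry:
    lladdr: Optional[str]
    state: State
    is_router: bool = False


@dataclass
class NA:
    target: str              # Target Address
    tlla: Optional[str]      # Target Link-Layer Address option, if any
    solicited: bool          # S flag
    override: bool           # O flag
    router: bool = False     # R flag


class NeighborCache:
    """Receive-side NA processing of an [ND] node (no NUD timers)."""

    def __init__(self) -> None:
        self.entries: dict = {}

    def receive_na(self, na: NA) -> str:
        e = self.entries.get(na.target)
        if e is None:
            return "discarded: no entry"        # 7.2.5: silently discard
        if e.state is State.INCOMPLETE:
            if na.tlla is None:
                return "discarded: INCOMPLETE and no TLLA"
            e.lladdr = na.tlla
            e.state = State.REACHABLE if na.solicited else State.STALE
            e.is_router = na.router
            return "resolved"
        differs = na.tlla is not None and na.tlla != e.lladdr
        if not na.override and differs:
            # O=0 with a different LLA: never overwrite, at most go STALE.
            if e.state is State.REACHABLE:
                e.state = State.STALE
            return "rejected: O=0 with different LLA"
        # O=1, same LLA, or no TLLA option: the advertisement is accepted.
        if differs:
            e.lladdr = na.tlla               # the unauthorized rewrite
        if na.solicited:
            e.state = State.REACHABLE
        elif differs:
            e.state = State.STALE
        e.is_router = na.router
        return "rewritten" if differs else "accepted"


# Constructed example addresses (not from the draft).
PEER_IP = "fe80::1"
PEER_MAC = "02:00:00:00:00:01"
INTRUDER_MAC = "02:00:00:00:00:bb"


def fresh_victim_cache() -> NeighborCache:
    """Victim that already resolved PEER_IP to the legitimate PEER_MAC."""
    c = NeighborCache()
    c.entries[PEER_IP] = Entry(PEER_MAC, State.REACHABLE)
    return c


def poison_with_override() -> list:
    """Intruder sends an unsolicited NA (S=0, O=1) for PEER_IP carrying its
    own MAC, then answers the victim's NUD probe with a solicited NA.
    Returns (result, lladdr, state) after each step."""
    victim = fresh_victim_cache()
    steps = []
    forged = NA(PEER_IP, INTRUDER_MAC, solicited=False, override=True)
    steps.append((victim.receive_na(forged), victim.entries[PEER_IP].lladdr,
                  victim.entries[PEER_IP].state))
    # The victim now sends traffic and its NUD probe to INTRUDER_MAC; the
    # intruder answers with a solicited NA and the entry becomes REACHABLE.
    reply = NA(PEER_IP, INTRUDER_MAC, solicited=True, override=True)
    steps.append((victim.receive_na(reply), victim.entries[PEER_IP].lladdr,
                  victim.entries[PEER_IP].state))
    return steps


def poison_without_override() -> tuple:
    """Same forged NA but with O=0: [ND] refuses the rewrite."""
    victim = fresh_victim_cache()
    r = victim.receive_na(NA(PEER_IP, INTRUDER_MAC, solicited=False, override=False))
    e = victim.entries[PEER_IP]
    return r, e.lladdr, e.state


def na_for_unknown_target() -> str:
    """An NA for an address the victim never resolved is discarded."""
    victim = fresh_victim_cache()
    return victim.receive_na(NA("fe80::2", INTRUDER_MAC, solicited=False, override=True))
```

The point of the model is the single assignment `e.lladdr = na.tlla`: an unmodified [ND] node performs it for any NA with the Override flag set, without checking whether the previous owner of the address is still present. The draft's Security DAD, by its definition above, is a check inserted at exactly that moment (when a Link Layer Address is written or rewritten); how it is performed is described in section 4 of the draft and is not shown here.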