PIM Working Group W. Atwood
Internet-Draft S. Islam
Expires: December 25, 2006 Concordia University/CSE
June 23, 2006
Security Issues in PIM-SM Link-local Messages
draft-atwood-pim-sm-linklocal-01
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 25, 2006.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document proposes some additions to the specification of the
Protocol Independent Multicast - Sparse Mode (PIM-SM) Protocol
regarding security issues of its link-local messages. Although the
new specifications for IPsec architecture (RFC 4301) and
Authorization Header (RFC 4302) permit the use of anti-replay, they
counsel against its use for multi-sender, multicast Security
Associations. This makes PIM-SM vulnerable to Denial of Service
(DoS) attack. In this document, a new proposal is presented to
Atwood & Islam Expires December 25, 2006 [Page 1]
Internet-Draft PIM-SM Link-local Security June 2006
protect PIM link-local messages while activating the anti-replay
mechanism as well. This proposal builds on the new Security
Association lookup method that has been specified in RFC 4301 and RFC
4302.
Atwood & Islam Expires December 25, 2006 [Page 2]
Internet-Draft PIM-SM Link-local Security June 2006
1. Introduction
All the PIM-SM [1] control messages have IP protocol number 103.
These messages are either unicast, or multicast with TTL = 1. The
source address used for unicast messages is a domain-wide reachable
address. For the multicast messages, a link-local address of the
interface on which the message is being sent is used as the source
address and a special multicast address, ALL_PIM_ROUTERS (224.0.0.13
in IPv4 and ff02::d in IPv6) is used as the destination address.
These messages are called link-local messages. Hello, Join/Prune and
Assert messages are included in this category. A forged link-local
message may be sent to the ALL_PIM_ROUTERS multicast address by an
attacker. This type of message affects the construction of the
distribution tree [1]. The effects of these forged messages are
outlined in section 6.1 of [1]. Some of the effects are very severe,
whereas some are minor.
PIM-SM version 2 was originally specified in RFC 2117, and revised in
RFC 2362. A PIM-SM Internet Draft [1] has been approved by the IESG
for publication as an RFC. It is intended to obsolete RFC 2362, and
to correct a number of deficiencies. The Security Considerations
section of the PIM-SM Internet Draft is based primarily on the new
Authentication Header (AH) specification described in RFC 4302 [2].
Securing the unicast messages can be achieved by the use of a normal
unicast IPsec Security Association between the two communicants.
Securing the user data exchanges is covered in RFC 3740 [4]. This
document focuses on the security issues of link-local messages. It
provides some guidelines to take advantage of the new permitted AH
functionality, and to bring the PIM-SM Internet Draft into alignment
with the new AH specification.
Atwood & Islam Expires December 25, 2006 [Page 3]
Internet-Draft PIM-SM Link-local Security June 2006
2. Terminology
In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" are to be interpreted as described in RFC 2119 and
indicate requirement levels for compliant PIM-SM implementations.
Atwood & Islam Expires December 25, 2006 [Page 4]
Internet-Draft PIM-SM Link-local Security June 2006
3. Authentication according to the PIM-SM Internet-Draft
In the PIM-SM Internet Draft, IP Security (IPsec) [[3] transport mode
using Authentication Header (AH) [2] is recommended to prevent
attacks generated by forged control messages. The Network
Administrator will configure the specific AH authentication algorithm
and parameters, including the choice of authentication algorithm and
the choice of keys. The PIM-SM Internet Draft does not specify
protocols for establishing Security Associations. The PIM-SM
Internet Draft assumes that manual configuration of Security
Associations will be performed, although it does not preclude the use
of a negotiation protocol such as the Internet Key Exchange (IKE) [2]
to establish Security Associations. Once the Security Associations
have been established, all the control messages should go through the
IPsec authentication process. A PIM-SM router should authenticate a
control message before processing it, and should reject any
unauthorized PIM protocol messages.
Given that IPsec [3] provides protection against replayed unicast and
multicast messages, the PIM-SM Internet Draft further states that the
IPsec anti-replay option SHOULD be enabled for these Security
Associations. Unfortunately, the AH specification notes as follows:
"If the key used to compute an ICV is manually distributed,
correct provision of the anti-replay service would require correct
maintenance of the counter state at the sender, until the key is
replaced, and there would likely be no automated recovery
provision if counter overflow were imminent. Thus, a compliant
implementation SHOULD NOT provide this service in conjunction with
SAs that are manually keyed."
All the link-local messages of the PIM-SM protocol are sent to the
destination address, ALL_PIM_ROUTERS, which is a multicast address.
The Security Policy Database (SPD) within IPsec (see section 4.4.2 of
RFC 4301 [3]) is not capable of representing a policy for a multicast
Security Association. RFC 4301 provides no specification for an
automated way to create SAD entries for a multicast, inbound SA.
Only manually configured SAD entries can be created to accomodate
inbound, multicast traffic. As a result, the anti-replay option must
be disabled while using the IPsec AH protocol for security of link-
local messages.
Atwood & Islam Expires December 25, 2006 [Page 5]
Internet-Draft PIM-SM Link-local Security June 2006
4. Proposed Authentication Technique
The authentication mechanism [6][7] for PIM link-local messages
presented in this document has following two criteria to achieve:
o The anti-replay mechanism of Authetication Header protocol will be
activated while sending/receiving any PIM link-local message.
o To attain more flexibility, a PIM router will be able to deploy a
different authentication method for each directly connected PIM
router if necessary. In that case, a PIM router will maintain a
separate Security Association per peer PIM router.
4.1. Security Association Lookup
For an SA that carries unicast traffic, three parameters (SPI,
destination address and security protocol type (AH or ESP)) are used
in the Security Association lookup process for inbound packets. The
SPI is sufficient to specify an SA. However, an implementation may
use the SPI in conjunction with the IPsec protocol type (AH or ESP)
for the SA lookup process. According to RFC 4301 [3] and the AH
specification [2], for multicast SAs, in conjunction with the SPI,
the destination address or the destination address plus the sender
address may also be used in the SA lookup. The security protocol
field is not employed for a multicast SA lookup.
The reason for the various prohibitions in the IPsec RFCs concerning
multisender multicast SAs lies in the difficulty of coordinating the
multiple senders. However, if the use of multicast for link-local
messages is examined, it may be seen that in fact the communication
need not be coordinated---from the prospective of a receiving router,
each peer router is an independent sender. In effect, link-local
communication is an SSM communication that happens to use an ASM
address (which is shared among all the routers). Two possibilities
may be envisaged:
1. The address ALL_PIM_ROUTERS can be specified to operate as a set
of SSM Security Associations, when IPsec is enabled;
2. Secure Link-local communication can be specified to occur on an
SSM address, instead of ALL_PIM_ROUTERS.
Given that the sender address of an incoming packet will be
(globally) unique for a specific sender and in conjunction with the
SPI it will be possible for a receiver to sort out the associated SA
for that sender from all the SAD entries (even if a single SAD is
maintained regardless of the number of interfaces), we propose that
the SPI and the sender address MUST be used in the SA lookup process.
Atwood & Islam Expires December 25, 2006 [Page 6]
Internet-Draft PIM-SM Link-local Security June 2006
4.2. Activating the Anti-replay Mechanism
Although link-level messages on a link constitute a multiple-sender,
multiple-receiver group, the use of the sender address for SA lookup
essentially resolves the communication into a separate SA for each
sender/destination pair. Therefore, the statement in the AH RFC
(section 2.5 of [2]) that "for a multi-sender SA, the anti-replay
features are not available" becomes irrelevant to PIM-SM link-local
message exchange.
To activate the anti-replay mechanism in a unicast communication, the
receiver uses the sliding window protocol and it maintains a sequence
number for this protocol. This sequence number starts from zero.
Each time the sender sends a new packet, it increments this number by
one. In a multi-sender multicast group communication, a single
sequence number for the entire group would not be enough.
The whole scenario is different for PIM link-local messages. These
messages are sent to local links with TTL = 1. A link-local message
never propagates through one router to another. Given that the
number of peer routers is small, and given that the use of the sender
address for SA lookup converts the relationship from a multiple-
sender group to multiple single-sender associations, the anti-replay
mechanism SHOULD be activated while sending PIM link-local messages,
and at that time a PIM router MUST maintain a different sliding
window for each directly connected sender.
4.3. Implementing a Security Association Database per Interface
According to RFC 2401 [5], there is nominally a different Security
Association Database (SAD) for each router interface. However, RFC
4301 explicitly removes this requirement. The PIM-SM Internet Draft,
however, notes the possible utility of this feature. The proposal
above to use the source address to resolve the SAs implies that the
use of an SAD per interface is not necessary.
4.4. Manual Key Configuration
To establish the SAs at PIM-SM routers, manual key configuration will
be feasible, since the number of peers will be small. The Network
Administrator will configure a router manually during its boot up
process. At that time, the authentication method and the keys per
sender basis for each peer router SHOULD be configured. The SAD
entry for each sender connected with this router will be created.
The Network Admin will also configure the Security Policy Database of
a router to ensure the use of the associated SA while sending a link-
local message.
Atwood & Islam Expires December 25, 2006 [Page 7]
Internet-Draft PIM-SM Link-local Security June 2006
The addition of a new router to the set visible from a particular
router will clearly require a re-configuration of that router.
A negotiation protocol such as the Internet Key Exchange [2] MAY also
be used to negotiate and establish a suitable authentication method
and keys for the SA between two routers. However, a PIM router is
not expected to join/leave very frequently, so it is doubtful that
the overhead of automatic key configuration will be justified. In
any case, it will still be necessary to manually configure the basic
information that will allow the router to trust its peers. For these
reasons, manual key configuration SHOULD be used to establish SAs.
Unfortunately, the use of manual keying is called out in RFC 4302 as
a specific reason why anit-replay should be prohibited. It will be
necessary to either
1. explicitly override RFC 4302, or
2. design a negotiation protocol to deal with the case of counter
overrun.
Once the WG decides that the present proposal is an acceptable
direction to follow, the authors are prepared to work on the
development of such a negotiation protocol.
4.5. Extended Sequence Number
In the [2], there is a provision for a 64-bit Extended Sequence
Number (ESN) as the counter of the sliding window used in the anti-
replay protocol. Both the sender and the receiver maintain a 64-bit
counter for the sequence number, although only the lower order 32
bits is sent in the transmission. In other words, it will not affect
the present header format of AH. If ESN is used, a sender router can
send 2^64 -1 packets without any intervention. This number is very
large, and from a PIM router's point of view, a PIM router can never
exceed this number in its lifetime. This makes it reasonable to
permit manual configuration, since the sequence number will never
roll over. For this reason, when manual configuration is used, ESN
SHOULD be deployed as the sequence number for the sliding window
protocol.
Atwood & Islam Expires December 25, 2006 [Page 8]
Internet-Draft PIM-SM Link-local Security June 2006
5. Security Considerations
The whole document considers the security issues of PIM link-local
messages and proposes a mechanism to protect them.
6. References
[1] Fenner, B., "Protocol Independent Multicast-Sparse Mode
(PIM-SM): Protocol Specification(Revised),
draft-ietf-pim-sm-v2-new-12.txt", March 2006.
[2] Kent, S., "IP Authentication Header", RFC 4302, December 2005.
[3] Kent, S. and K. Seo, "Security Architechture for the Internet
Protocol", RFC 4301, December 2005.
[4] Hardjono, T. and B. Weis, "The Multicast Group Security
Architecture", RFC 3740, March 2004.
[5] Kent, S. and R. Atkinson, "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[6] Islam, S., "Security Issues in PIM-SM Link-local Messages,
Master's Thesis, Concordia University", December 2003.
[7] Islam, S., "Security Issues in PIM-SM Link-local Messages,
Proceedings of LCN 2004", November 2004.
Atwood & Islam Expires December 25, 2006 [Page 9]
Internet-Draft PIM-SM Link-local Security June 2006
Authors' Addresses
J. William Atwood
Concordia University/CSE
1455 de Maisonneuve Blvd, West
Montreal, QC H3G 1M8
Canada
Phone: +1(514)848-2424 ext3046
Email: bill@cse.concordia.ca
URI: http://www.cs.concordia.ca/~bill
Salekul Islam
Concordia University/CSE
1455 de Maisonneuve Blvd, West
Montreal, QC H3G 1M8
Canada
Atwood & Islam Expires December 25, 2006 [Page 10]
Internet-Draft PIM-SM Link-local Security June 2006
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Atwood & Islam Expires December 25, 2006 [Page 11]