IPv6 maintenance Working Group (6man)                            F. Gont
Internet-Draft                                    SI6 Networks / UTN-FRH
Updates: 4861 (if approved)                                    R. Bonica
Intended status: Standards Track                        Juniper Networks
Expires: August 18, 2014                                          W. Liu
                                                     Huawei Technologies
                                                       February 14, 2014


 Validation of Neighbor Discovery Source Link-Layer Address (SLLA) and
                Target Link-layer Address (TLLA) options
                 draft-gont-6man-lla-opt-validation-00

Abstract

   This memo documents two scenarios in which an on-link attacker emits
   a crafted IPv6 Neighbor Discovery (ND) packet that poisons its
   victim's neighbor cache.  In the first scenario, the attacker causes
   a victim to map a local IPv6 address to a local router's own link-
   layer address.  In the second scenario, the attacker causes the
   victim to map a unicast IP address to a link layer broadcast address.
   In both scenarios, the attacker can exploit the poisoned neighbor
   cache to perform a subsequent forwording-loop attack, thus
   potentially causing a Denial of Service.

   Finally, this memo specifies simple validations that the recipient of
   an ND message can execute in order to protect itself against the
   above-mentioned threats.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 18, 2014.






Gont, et al.             Expires August 18, 2014                [Page 1]


Internet-Draft       Validation of SLLA/TLLA options       February 2014


Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  ND-based Forwarding-Loop Attacks  . . . . . . . . . . . . . .   3
     3.1.  Mapping an IPv6 Address to a Local Router's Own Link-
           layer Address . . . . . . . . . . . . . . . . . . . . . .   3
     3.2.  Mapping a Unicast IPv6 Address to A Broadcast Link-Layer
           Address . . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Implications of Malicious Link-layer Address Options  . . . .   6
   5.  Validation Checks for the Source Link-Layer Address Option  .   7
   6.  Validation Checks for the Target Link-Layer Address Option  .   8
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     10.1.  Normative References . . . . . . . . . . . . . . . . . .   9
     10.2.  Informative References . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   IPv6 [RFC2460] nodes use a Neighbor Discovery (ND) [RFC4861]
   mechanism to discover on-link neighbors and learn their link layer
   addresses.  Having discovered an on-link neighbor and learned its
   link layer address, an IPv6 node stores that information in a local
   data structure, called the "neighbor cache".

   ND defines the following ICMPv6 [RFC4443] messages:

   o  Router Solicitation (RS)

   o  Router Advertisement (RA)



Gont, et al.             Expires August 18, 2014                [Page 2]


Internet-Draft       Validation of SLLA/TLLA options       February 2014


   o  Neighbor Solicitation (NS)

   o  Neighbor Advertisement (NA)

   o  Redirect

   ND also defines a Source Link-Layer Address (SLLA) option and a
   Target Link-Layer Address (TLLA) option.  The RS, RA, and NS messages
   all typically contain the SLLA option, that contains the link layer
   address of the node sending the message.  The NA and Redirect
   messages contain the TLLA option, that maps a target IPv6 address
   that is contained by the NA or Redirect message to a link layer
   address.

   This memo documents two scenarios in which an on-link attacker emits
   a crafted ND packet that poisons its victim's neighbor cache.  In the
   first scenario, the attacker causes a victim to map an IPv6 address
   to a the victim router's own link-layer address.  In the second
   scenario, the attacker causes the victim to map a unicast IP address
   to the link layer broadcast or multicast address.  In both scenarios,
   the attacker can subsequently exploit the poisoned neighbor cache to
   perform a forwording-loop attack, thus potentially causing a Denial
   of Service (DoS).

   Finally, this memo specifies simple validations that the recipient of
   an ND message can execute in order to protect itself against the
   above-mentioned threats.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  ND-based Forwarding-Loop Attacks

3.1.  Mapping an IPv6 Address to a Local Router's Own Link-layer Address














Gont, et al.             Expires August 18, 2014                [Page 3]


Internet-Draft       Validation of SLLA/TLLA options       February 2014


                         +----------+      +--------+
                    ...==| Router A |      | Host C |
                         +----------+      +--------+
                              ||               ||
                         =============================
                                  ||
                                  ||          Network 1
                             +----------+
                             | Attacker |
                             +----------+

                     Figure 1: Unicast Forwarding Loop

   In Figure 1, the Attacker sends Router A a crafted ND message.  The
   aforementioned ND message contains the Target Addres set to Host C's
   IPv6 address, and a TLLA option set to Router A's link-layer address.
   The ND message causes Router A to map Host C's IPv6 address to the
   link layer address of Router A's interface to Network 1.  This sets
   up the scenario for a subsequent attack.

   A packet is sent to Router A with the IPv6 Destination Address set to
   that of Host C. Router A forwards the packet on Network 1, specifying
   its own Network 1 interface as the link layer destination.  Because
   Router A specified itself as the link layer destination, Router A
   receives the packet and forwards it again.  This process repeats
   until the IPv6 Hop Limit is decremented to 0 (and hence the packet is
   discarded).  In this scenario, the amplification factor is equal to
   the Hop Limit minus one.

   An attacker can realize this attack by sending either of the
   following:

   o  An ND message whose SLLA maps an IPv6 address to the link layer
      address of the victim router's (Router A's in our case) interface
      to the local network (Network 1 in our case)

   o  An ND message whose TLLA maps an IPv6 address to the link layer
      address of the victim router's (Router A's in our case) interface
      to the local network (Network 1 in our case)

3.2.  Mapping a Unicast IPv6 Address to A Broadcast Link-Layer Address










Gont, et al.             Expires August 18, 2014                [Page 4]


Internet-Draft       Validation of SLLA/TLLA options       February 2014


             +----------+      +--------+         +----------+
             | Router A |      | Host C |         | Router B |
             +----------+      +--------+         +----------+
                  ||               ||                  ||
              =================================================
                                ||
                                ||
                           +----------+
                           | Attacker |
                           +----------+

                    Figure 2: Broadcast Forwarding Loop

   In Figure 2, the Attacker sends one crafted ND message to Router A,
   and one crafted ND message to Router B. Each crafted ND message
   contains the Target Addres set to Host C's IPv6 address, and a TLLA
   option set to the Ethernet broadcast address (ff:ff:ff:ff:ff:ff).
   These ND messages causes each router to map Host C's IPv6 address to
   the Ethernet broadcast address.  This sets up the scenario for a
   subsequent attack.

   Subsequently, the Attacker sends a packet to the Ethernet broadcast
   address (ff:ff:ff:ff:ff:ff), with an IPv6 Destination Address equal
   to the IPv6 address of Host C. Upon receipt, both Router A and Router
   C decrement the Hop Limit of the packet, and resend it to the
   Ethernet broadcast address.  As a result, both Router A and Router B
   receive two copies of the same packet (one sent by Router A, and
   another sent by Router B).  This would result in a "chain reaction"
   that would only disappear once the Hop Limit of each of the packets
   is decremented to 0.  The equation in Figure 3 describes the
   amplification factor for this scenario :

                                   HopLimit-1
                                      ---
                                      \          x
                         Packets =    /   Routers
                                      ---
                                      x=0

                  Figure 3: Maximum amplification factor

   This equation does not take into account ICMPv6 Redirect messages
   that each of the Routers could send, nor the possible ICMPv6 "time
   exceeded in transit" error messages that each of the routers could
   send to the Source Address of the packet when each of the "copies" of
   the original packet is discarded as a result of their Hop Limit being
   decremented to 0.




Gont, et al.             Expires August 18, 2014                [Page 5]


Internet-Draft       Validation of SLLA/TLLA options       February 2014


   An attacker can realize this attack by sending either of the
   following:

   o  An ND message whose SLLA maps an IPv6 address not belonging to the
      victim routers to the broadcast link-layer address

   o  An ND message whose TLLA maps an IPv6 address not belonging to the
      victim routers to the broadcast link-layer address

      NOTE: the IPv6 Destination Address of the attack packet should not
      belong to any of the victim routers, such that they forward the
      packet rather than "consume" it.

   An additional mitigation would be for routers to not forward IPv6
   packets on the same interface if the link-layer destination address
   of the received packet was a broadcast or multicast address.

4.  Implications of Malicious Link-layer Address Options

   If SLLA or TLLA options are allowed to contain broadcast (e.g., the
   IEEE 802 "ff:ff:ff:ff:ff:ff") or multicast (e.g., the IEEE 802
   "33:33:00:00:00:01") addresses, traffic directed to the corresponding
   IPv6 address would be sent to the broadcast or multicast address
   specified in the SLLA or TLLA option.  This could have multiple
   implications:

   o  It would have a negative impact on the performance of the nodes
      attached to the network and on the network itself, as packets sent
      to these addresses would need to be delivered to multiple nodes
      (and processed by them) unnecessarily.

   o  An attacker could easily capture traffic on a switched network,
      without the need to forward packets to their intended
      destinations, as the corresponding packets would be delivered to
      all (in the case of broadcast) or multiple (in the case of
      multicast) nodes.

   o  Packets could result in forwarding loops at routers, as a router
      forwarding a packet to the corresponding address would receive
      itself a copy of the forwarded packet.  The loop would end only
      when the Hop Limit is eventually decremented to 0.  The problem
      would be exacerbated if multiple routers are present on the same
      link.  Section 3 of this document contains further analysis of
      this vulnerability.

   Additionally, if SLLA or TLLA options are allowed to contain the
   receiving router's own link-layer address, the victim router would




Gont, et al.             Expires August 18, 2014                [Page 6]


Internet-Draft       Validation of SLLA/TLLA options       February 2014


   receive a copy of the very same packets it means to forward to other
   destinations.  This could have the following implications:

   o  It would have a negative impact on the performance of the victim
      router and of the network itself, as a single packet would be sent
      multiple times (up to 255) on the local network, thus serving as
      an amplification vector.

5.  Validation Checks for the Source Link-Layer Address Option

   The Source link-layer address option contains the link-layer address
   of the sender of the packet.  It is used by Neighbor Solicitation,
   Router Solicitation, and Router Advertisement messages.

   The following figure illustrates the syntax of the source link-layer
   address:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |    Length     |    Link-Layer Address ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

               Figure 4: ND Source link-layer address option

   The Type field is set to 1.  The Length field specifies the length of
   the option (including the Type and Length octets) in units of 8
   octets.  A node that receives an ICMPv6 message with this option MUST
   verify that the Length field is valid for the underlying link layer.
   For example, for IEEE 802 addresses the Length field MUST be 1
   [RFC2464].  If the packet does not pass this check, it MUST be
   silently dropped.

      NOTE: The Link-Layer Address field contains the link-layer
      address.  The length, contents, and format of this field varies
      from one link layer to another, and is specified in specific
      documents that describes how IPv6 operates over different link
      layers.

   Additionally, the SLLA option MUST NOT not contain a broadcast or
   multicast address.  If the option does not pass this check, the
   Neighbor Discovery message carrying the option MUST be discarded.
   Finally, nodes MUST NOT allow the SLLA option to contain one of the
   receiving node's link-layer addresses.  If the option does not pass
   this check, the Neighbor Discovery message carrying the option MUST
   discarded.





Gont, et al.             Expires August 18, 2014                [Page 7]


Internet-Draft       Validation of SLLA/TLLA options       February 2014


6.  Validation Checks for the Target Link-Layer Address Option

   The Target link-layer address option contains the link-layer address
   of the Target of the packet.  It is used by Neighbor Advertisement
   and Redirect messages.

   The following figure illustrates the syntax of the Target link-layer
   address:

      0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |     Type      |    Length     |    Link-Layer Address ...
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

           Figure 5: ND Target link-layer address option format

   The Type field is set to 2.  The Length field specifies the length of
   the option (including the Type and Length octets) in units of 8
   octets.  A node that receives a ND message with this option MUST
   verify that the Length field is valid for the underlying link-layer.
   For example, for IEEE 802 addresses the Length field MUST be 1
   [RFC2464].  If the packet does not pass this check, it MUST be
   silently dropped.

   A node that receives a ND message with this option MUST verify that
   the Length field is valid for the underlying link layer.  For
   example, for IEEE 802 addresses the Length field MUST be 1 [RFC2464].
   If the packet does not pass this check, it MUST be silently dropped.

   The TLLA option MUST NOT not contain a broadcast or multicast
   address.  If the option does not pass this check, the Neighbor
   Discovery message carrying the option MUST be discarded.  Finally,
   nodes MUST NOT allow the source link-layer address to contain one of
   the receiving node's link-layer addresses.  If the option does not
   pass this check, the Neighbor Discovery message carrying the option
   MUST discarded.

7.  IANA Considerations

   There are no IANA registries within this document.  The RFC-Editor
   can remove this section before publication of this document as an
   RFC.








Gont, et al.             Expires August 18, 2014                [Page 8]


Internet-Draft       Validation of SLLA/TLLA options       February 2014


8.  Security Considerations

   This document discusses how the Neighbor DIscovery SLLA and TLLA
   options can be leveraged to perform a number of attacks, and
   specifies sanity checks to be enforced by Neighbor Discovery
   implementations, such that these vulnerabilities are eliminated.

9.  Acknowledgements

   This document is based on the technical report "Security Assessment
   of the Internet Protocol version 6 (IPv6)" [CPNI-IPv6] authored by
   Fernando Gont on behalf of the UK Centre for the Protection of
   National Infrastructure (CPNI).

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2464]  Crawford, M., "Transmission of IPv6 Packets over Ethernet
              Networks", RFC 2464, December 1998.

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
              September 2007.

   [RFC4443]  Conta, A., Deering, S., and M. Gupta, "Internet Control
              Message Protocol (ICMPv6) for the Internet Protocol
              Version 6 (IPv6) Specification", RFC 4443, March 2006.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

10.2.  Informative References

   [CPNI-IPv6]
              Gont, F., "Security Assessment of the Internet Protocol
              version 6 (IPv6)", UK Centre for the Protection of
              National Infrastructure, (available on request).

Authors' Addresses








Gont, et al.             Expires August 18, 2014                [Page 9]


Internet-Draft       Validation of SLLA/TLLA options       February 2014


   Fernando Gont
   SI6 Networks / UTN-FRH
   Evaristo Carriego 2644
   Haedo, Provincia de Buenos Aires  1706
   Argentina

   Phone: +54 11 4650 8472
   Email: fgont@si6networks.com
   URI:   http://www.si6networks.com


   Ronald P. Bonica
   Juniper Networks
   2251 Corporate Park Drive
   Herndon, VA  20171
   US

   Phone: 571 250 5819
   Email: rbonica@juniper.net


   Will (Shucheng) Liu
   Huawei Technologies
   Bantian, Longgang District
   Shenzhen  518129
   P.R. China

   Email: liushucheng@huawei.com























Gont, et al.             Expires August 18, 2014               [Page 10]