Network Working Group                                            F. Gont
Internet-Draft                                    SI6 Networks / UTN-FRH
Intended status: Informational                                   I. Arce
Expires: January 9, 2017                               Fundacion Sadosky
                                                            July 8, 2016

          Unfortunate History of Transient Numeric Identifiers


   This document performs an analysis of the security and privacy
   implications of different types of "numeric identifiers" used in IETF
   protocols, and tries to categorize them based on their
   interoperability requirements and the associated failure severity
   when such requirements are not met.  It describes a number of
   algorithms that have been employed in real implementations to meet
   such requirements and analyzes their security and privacy properties.
   Additionally, it provides advice on possible algorithms that could be
   employed to satisfy the interoperability requirements of each
   identifier type, while minimizing the security and privacy
   implications, thus providing guidance to protocol designers and
   protocol implementers.  Finally, it provides recommendations for
   future protocol specifications regarding the specification of the
   aforementioned numeric identifiers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 9, 2017.

Gont & Arce              Expires January 9, 2017                [Page 1]

Internet-Draft           Predictable Numeric IDs               July 2016

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may not be modified, and derivative works of it may not
   be created, and it may not be published except as an Internet-Draft.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Threat Model  . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  IPv4/IPv6 Identification  . . . . . . . . . . . . . . . . . .   5
   5.  TCP Initial Sequence Numbers (ISNs) . . . . . . . . . . . . .   6
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

   Network protocols employ a variety of numeric identifiers for
   different protocol entities, ranging from DNS Transaction IDs (TxIDs)
   to transport protocol numbers (e.g.  TCP ports) or IPv6 Interface
   Identifiers (IIDs).  These identifiers usually have specific
   properties that must be satisfied such that they do not result in
   negative interoperability implications (e.g. uniqueness during a
   specified period of time), and associated failure severities when
   such properties are not met, ranging from soft to hard failures.

   For more than 30 years, a large number of implementations of the TCP/
   IP protocol suite have been subject to a variety of attacks, with
   effects ranging from Denial of Service (DoS) or data injection, to
   information leakage that could be exploited for pervasive monitoring

Gont & Arce              Expires January 9, 2017                [Page 2]

Internet-Draft           Predictable Numeric IDs               July 2016

   [RFC7528].  The root of these issues has been, in many cases, the
   poor selection of identifiers in such protocols, usually as a result
   of an insufficient or misleading specification.  While it is
   generally trivial to identify an algorithm that can satisfy the
   interoperability requirements for a given identifier, there exists
   practical evidence that doing so without negatively affecting the
   security and/or privacy properties of the aforementioned protocols is
   prone to error.

   For example, implementations have been subject to security and/or
   privacy issues resulting from:

   o  Predictable TCP Initial Sequence Numbers (ISNs) (see e.g.

   o  Predictable ephemeral transport protocol numbers (see e.g.
      [RFC6056] and [Silbersack2005])

   o  Predictable IPv4 or IPv6 Fragment Identifiers (see e.g.
      [RFC5722], [RFC6274], and [RFC7739])

   o  Predictable IPv6 IIDs (see e.g.  [RFC7721] and [RFC7707])

   o  Predictable DNS TxIDs

   Recent history indicate that when new protocols are standardized or
   new protocol implementations are produced, the security and privacy
   properties of the associated identifiers tend to be overlooked and
   inappropriate algorithms to generate identifier values are either
   suggested in the specification or selected by implementers.

   This document contains a non-exhaustive timeline of vulnerability
   disclosures related to some sample transient numeric identifiers and
   other work that has led to advances in this area, with the goal of
   illustrating that:

   o  Vulnerabilities related to how the values for some identifiers are
      generated and assigned have affected implementations for an
      extremely long period of time.

   o  Such vulnerabilities, even when addressed for a given protocol
      version, were later reintroduced in new versions or new
      implementations of the same protocol.

   o  Standardization efforts that discuss and provide advice in this
      area can have a positive effect on protocol specifications and
      protocol implementations.

Gont & Arce              Expires January 9, 2017                [Page 3]

Internet-Draft           Predictable Numeric IDs               July 2016

   Other related documents (such as
   [I-D.gont-numeric-ids-sec-considerations]) provide guidance in this

2.  Terminology

      A data object in a protocol specification that can be used to
      definitely distinguish a protocol object (a datagram, network
      interface, transport protocol endpoint, session, etc) from all
      other objects of the same type, in a given context.  Identifiers
      are usually defined as a series of bits and represented using
      integer values.  We note that different identifiers may have
      additional requirements or properties depending on their specific
      use in a protocol.  We use the term "identifier" as a generic term
      to refer to any data object in a protocol specification that
      satisfies the identification property stated above.

   Failure Severity:
      The consequences of a failure to comply with the interoperability
      requirements of a given identifier.  Severity considers the worst
      potential consequence of a failure, determined by the system
      damage and/or time lost to repair the failure.  In this document
      we define two types of failure severity: "soft" and "hard".

   Hard Failure:
      A hard failure is a non-recoverable condition in which a protocol
      does not operate in the prescribed manner or it operates with
      excessive degradation of service.  For example, an established TCP
      connection that is aborted due to an error condition constitutes,
      from the point of view of the transport protocol, a hard failure,
      since it enters a state from which normal operation cannot be

   Soft Failure:
      A soft failure is a recoverable condition in which a protocol does
      not operate in the prescribed manner but normal operation can be
      resumed automatically in a short period of time.  For example, a
      simple packet-loss event that is subsequently recovered with a
      retransmission can be considered a soft failure.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in RFC 2119 [RFC2119].

Gont & Arce              Expires January 9, 2017                [Page 4]

Internet-Draft           Predictable Numeric IDs               July 2016

3.  Threat Model

   Throughout this document, we assume an attacker does not have
   physical or logical device to the device(s) being attacked.  We
   assume the attacker can simply send any traffic to the target
   devices, to e.g. sample identifiers employed by such devices.

4.  IPv4/IPv6 Identification

   December 1998:
      [Sanfilippo1998a] finds that predictable IPv4 Identification
      values can be leveraged to count the number of packets sent by a
      target node.  [Sanfilippo1998b] explains how to leverage the same
      vulnerability to implement a port-scanning technique known as
      dumb/idle scan.  A tool that implements this attack is publicly

   November 1999:
      [Sanfilippo1999] discusses how to leverage predictable IPv4
      Identification to uncover the rules of a number of firewalls.

   November 1999:
      [Bellovin2002] explains how the IPv4 Identification field can be
      exploited to count the number of systems behind a NAT.

   December 2003:
      [Zalewski2003] explains a technique to perform TCP data injection
      attack based on predictable IPv4 identification values which
      requires less effort than TCP injection attacks performed with
      bare TCP packets.

   November 2005:
      [Silbersack2005] discusses shortcoming in a number of techniques
      to mitigate predictable IPv4 Identification values.

   October 2007:
      [Klein2007] describes a weakness in the pseudo random number
      generator (PRNG) in use for the generation of the IP
      Identification by a number of operating systems.

   June 2011:
      [Gont2011] describes how to perform idle scan attacks in IPv6.

   November 2011:
      Linux mitigates predictable IPv6 Identification values
      [RedHat2011] [SUSE2011] [Ubuntu2011].

   December 2011:

Gont & Arce              Expires January 9, 2017                [Page 5]

Internet-Draft           Predictable Numeric IDs               July 2016

      [I-D.ietf-6man-predictable-fragment-id-08] describes the security
      implications of predictable IPv6 Identification values, and
      possible mitigations.

   May 2012:
      [Gont2012] notes that some major IPv6 implementations still employ
      predictable IPv6 Identification values.

   June 2015:
      [I-D.ietf-6man-predictable-fragment-id-08] notes that some popular
      host and router implementations still employ predictable IPv6
      Identification values.

5.  TCP Initial Sequence Numbers (ISNs)

   September 1981:
      [RFC0793], suggests the use of a global 32-bit ISN generator,
      whose lower bit is incremented roughly every 4 microseconds.
      However, such an ISN generator makes it trivial to predict the ISN
      that a TCP will use for new connections, thus allowing a variety
      of attacks against TCP.

   February 1985:
      [Morris1985] was the first to describe how to exploit predictable
      TCP ISNs for forging TCP connections that could then be leveraged
      for trust relationship exploitation.

   April 1989:
      [Bellovin1989] discussed the security implications of predictable
      ISNs (along with a range of other protocol-based vulnerabilities).

   February 1995:
      [Shimomura1995] reported a real-world exploitation of the attack
      described in 1985 (ten years before) in [Morris1985].

   May 1996:
      [RFC1948] was the first IETF effort, authored by Steven Bellovin,
      to address predictable TCP ISNs.  The same concept specified in
      this document for TCP ISNs was later proposed for TCP ephemeral
      ports [RFC6056], TCP Timestamps, and eventually even IPv6
      Interface Identifiers [RFC7217].

   March 2001:
      [Zalewski2001] provides a detailed analysis of statistical
      weaknesses in some ISN generators, and includes a survey of the
      algorithms in use by popular TCP implementations.

   May 2001:

Gont & Arce              Expires January 9, 2017                [Page 6]

Internet-Draft           Predictable Numeric IDs               July 2016

      Vulnerability advisories [CERT2001] [USCERT2001] are released
      regarding statistical weaknesses in some ISN generators, affecting
      popular TCP/IP implementations.

   March 2002:
      [Zalewski2002] updates and complements [Zalewski2001].  It
      concludes that "while some vendors [...] reacted promptly and
      tested their solutions properly, many still either ignored the
      issue and never evaluated their implementations, or implemented a
      flawed solution that apparently was not tested using a known
      approach" [Zalewski2002].

   February 2012:
      [RFC6528], after 27 years of Morris' original work [Morris1985],
      formally updates [RFC0793] to mitigate predictable TCP ISNs.

   August 2014:
      [I-D.eddy-rfc793bis-04], the upcoming revision of the core TCP
      protocol specification, incorporates the algorithm specified in
      [RFC6528] as the recommended algorithm for TCP ISN generation.

6.  IANA Considerations

   There are no IANA registries within this document.  The RFC-Editor
   can remove this section before publication of this document as an

7.  Security Considerations

   The entire document is about the security and privacy implications of

8.  Acknowledgements

   The authors would like to thank (in alphabetical order) Steven
   Bellovin, Joseph Lorenzo Hall, Gre Norcie, and Martin Thomson, for
   providing valuable comments on [I-D.gont-predictable-numeric-ids], on
   which this document is based.

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

Gont & Arce              Expires January 9, 2017                [Page 7]

Internet-Draft           Predictable Numeric IDs               July 2016

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, DOI 10.17487/RFC0793, September 1981,

   [RFC6528]  Gont, F. and S. Bellovin, "Defending against Sequence
              Number Attacks", RFC 6528, DOI 10.17487/RFC6528, February
              2012, <>.

   [RFC4086]  Eastlake 3rd, D., Schiller, J., and S. Crocker,
              "Randomness Requirements for Security", BCP 106, RFC 4086,
              DOI 10.17487/RFC4086, June 2005,

   [RFC5722]  Krishnan, S., "Handling of Overlapping IPv6 Fragments",
              RFC 5722, DOI 10.17487/RFC5722, December 2009,

   [RFC6151]  Turner, S. and L. Chen, "Updated Security Considerations
              for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
              RFC 6151, DOI 10.17487/RFC6151, March 2011,

   [RFC7217]  Gont, F., "A Method for Generating Semantically Opaque
              Interface Identifiers with IPv6 Stateless Address
              Autoconfiguration (SLAAC)", RFC 7217,
              DOI 10.17487/RFC7217, April 2014,

9.2.  Informative References

   [RFC6274]  Gont, F., "Security Assessment of the Internet Protocol
              Version 4", RFC 6274, DOI 10.17487/RFC6274, July 2011,

   [RFC7528]  Higgs, P. and J. Piesing, "A Uniform Resource Name (URN)
              Namespace for the Hybrid Broadcast Broadband TV (HbbTV)
              Association", RFC 7528, DOI 10.17487/RFC7528, April 2015,

   [RFC1948]  Bellovin, S., "Defending Against Sequence Number Attacks",
              RFC 1948, DOI 10.17487/RFC1948, May 1996,

Gont & Arce              Expires January 9, 2017                [Page 8]

Internet-Draft           Predictable Numeric IDs               July 2016

              Gont, F., "Security Assessment of the Transmission Control
              Protocol (TCP)",  United Kingdom's Centre for the
              Protection of National Infrastructure (CPNI) Technical
              Report, 2009, <

              Zalewski, M., "Strange Attractors and TCP/IP Sequence
              Number Analysis", 2001,

              Zalewski, M., "Strange Attractors and TCP/IP Sequence
              Number Analysis - One Year Later", 2001,

              Bellovin, S., "Security Problems in the TCP/IP Protocol
              Suite", Computer Communications Review, vol. 19, no. 2,
              pp. 32-48, 1989, <

              Joncheray, L., "A Simple Active Attack Against TCP", Proc.
              Fifth Usenix UNIX Security Symposium, 1995.

              Morris, R., "A Weakness in the 4.2BSD UNIX TCP/IP
              Software", CSTR 117, AT&T Bell Laboratories, Murray Hill,
              NJ, 1985, <

              US-CERT, , "US-CERT Vulnerability Note VU#498440: Multiple
              TCP/IP implementations may use statistically predictable
              initial sequence numbers", 2001,

              CERT, , "CERT Advisory CA-2001-09: Statistical Weaknesses
              in TCP/IP Initial Sequence Numbers", 2001,

Gont & Arce              Expires January 9, 2017                [Page 9]

Internet-Draft           Predictable Numeric IDs               July 2016

              Shimomura, T., "Technical details of the attack described
              by Markoff in NYT", Message posted in USENET's
     newsgroup  Message-ID:
              <3g5gkl$>, 1995,

              Eddy, W., "Transmission Control Protocol Specification",
              draft-eddy-rfc793bis-04 (work in progress), August 2014.

   [RFC6056]  Larsen, M. and F. Gont, "Recommendations for Transport-
              Protocol Port Randomization", BCP 156, RFC 6056,
              DOI 10.17487/RFC6056, January 2011,

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987, <>.

   [RFC7739]  Gont, F., "Security Implications of Predictable Fragment
              Identification Values", RFC 7739, DOI 10.17487/RFC7739,
              February 2016, <>.

   [RFC4963]  Heffner, J., Mathis, M., and B. Chandler, "IPv4 Reassembly
              Errors at High Data Rates", RFC 4963,
              DOI 10.17487/RFC4963, July 2007,

              Bellovin, S., "A Technique for Counting NATted Hosts",
              IMW'02 Nov. 6-8, 2002, Marseille, France, 2002.

              Fyodor, , "Idle scanning and related IP ID games", 2004,

              Sanfilippo, S., "about the ip header id", Post to Bugtraq
              mailing-list, Mon Dec 14 1998,

              Sanfilippo, S., "Idle scan", Post to Bugtraq mailing-list,
              1998, <>.

Gont & Arce              Expires January 9, 2017               [Page 10]

Internet-Draft           Predictable Numeric IDs               July 2016

              Sanfilippo, S., "more ip id", Post to Bugtraq mailing-
              list, 1999,

              Silbersack, M., "Improving TCP/IP security through
              randomization without sacrificing interoperability",
              EuroBSDCon 2005 Conference, 2005,

              Zalewski, M., "A new TCP/IP blind data injection
              technique?", 2003,

              Klein, A., "OpenBSD DNS Cache Poisoning and Multiple O/S
              Predictable IP ID Vulnerability", 2007,

              Gont, F., "Hacking IPv6 Networks (training course)", Hack
              In Paris 2011 Conference Paris, France, June 2011.

              RedHat, , "RedHat Security Advisory RHSA-2011:1465-1:
              Important: kernel security and bug fix update", 2011,

              Ubuntu, , "Ubuntu: USN-1253-1: Linux kernel
              vulnerabilities", 2011,

              SUSE, , "SUSE Security Announcement: Linux kernel security
              update (SUSE-SA:2011:046)", 2011,

              Gont, F., "Recent Advances in IPv6 Security", BSDCan 2012
              Conference Ottawa, Canada. May 11-12, 2012, May 2012.

Gont & Arce              Expires January 9, 2017               [Page 11]

Internet-Draft           Predictable Numeric IDs               July 2016

              Gont, F., "Security Implications of Predictable Fragment
              Identification Values", draft-ietf-6man-predictable-
              fragment-id-08 (work in progress), June 2015.

              Gont, F., Cooper, A., Thaler, D., and S. (Will),
              "Recommendation on Stable IPv6 Interface Identifiers",
              draft-ietf-6man-default-iids-11 (work in progress), April

   [RFC7721]  Cooper, A., Gont, F., and D. Thaler, "Security and Privacy
              Considerations for IPv6 Address Generation Mechanisms",
              RFC 7721, DOI 10.17487/RFC7721, March 2016,

   [RFC7707]  Gont, F. and T. Chown, "Network Reconnaissance in IPv6
              Networks", RFC 7707, DOI 10.17487/RFC7707, March 2016,

              Gont, F. and I. Arce, "Security and Privacy Implications
              of Numeric Identifiers Employed in Network Protocols",
              draft-gont-predictable-numeric-ids-00 (work in progress),
              February 2016.

              Gont, F. and I. Arce, "Security Considerations for
              Transient Numeric Identifiers Employed in Network
              Protocols", draft-gont-numeric-ids-sec-considerations-00
              (work in progress), June 2016.

Authors' Addresses

   Fernando Gont
   SI6 Networks / UTN-FRH
   Evaristo Carriego 2644
   Haedo, Provincia de Buenos Aires  1706

   Phone: +54 11 4650 8472

Gont & Arce              Expires January 9, 2017               [Page 12]

Internet-Draft           Predictable Numeric IDs               July 2016

   Ivan Arce
   Fundacion Dr. Manuel Sadosky
   Av. Cordoba 744 Piso 5 Oficina I
   Ciudad Autonoma de Buenos Aires, Buenos Aires  C1054AAT

   Phone: +54 11 4328 5164

Gont & Arce              Expires January 9, 2017               [Page 13]