datatracker.ietf.org
Sign in
Version 5.3.0, 2014-04-12
Report a bug

Threats Relating to IPv6 Multihoming Solutions
RFC 4218

Document type: RFC - Informational (October 2005)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4218 (Informational)
Responsible AD: David Kessens
Send notices to: brc@zurich.ibm.com, kurtis@kurtis.pp.se

Network Working Group                                        E. Nordmark
Request for Comments: 4218                              Sun Microsystems
Category: Informational                                            T. Li
                                                            October 2005

             Threats Relating to IPv6 Multihoming Solutions

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document lists security threats related to IPv6 multihoming.
   Multihoming can introduce new opportunities to redirect packets to
   different, unintended IP addresses.

   The intent is to look at how IPv6 multihoming solutions might make
   the Internet less secure; we examine threats that are inherent to all
   IPv6 multihoming solutions rather than study any specific proposed
   solution.  The threats in this document build upon the threats
   discovered and discussed as part of the Mobile IPv6 work.

Table of Contents

   1. Introduction ....................................................2
      1.1. Assumptions ................................................3
      1.2. Authentication, Authorization, and Identifier Ownership ....4
   2. Terminology .....................................................5
   3. Today's Assumptions and Attacks .................................6
      3.1. Application Assumptions ....................................6
      3.2. Redirection Attacks Today ..................................8
      3.3. Packet Injection Attacks Today .............................9
      3.4. Flooding Attacks Today ....................................10
      3.5. Address Privacy Today .....................................11
   4. Potential New Attacks ..........................................13
      4.1. Cause Packets to Be Sent to the Attacker ..................13
           4.1.1. Once Packets Are Flowing ...........................13
           4.1.2. Time-Shifting Attack ...............................14
           4.1.3. Premeditated Redirection ...........................14
           4.1.4. Using Replay Attacks ...............................15

Nordmark & Li                Informational                      [Page 1]
RFC 4218         Threats to IPv6 Multihoming Solutions      October 2005

      4.2. Cause Packets to Be Sent to a Black Hole ..................15
      4.3. Third Party Denial-of-Service Attacks .....................16
           4.3.1. Basic Third Party DoS ..............................17
           4.3.2. Third Party DoS with On-Path Help ..................18
      4.4. Accepting Packets from Unknown Locators ...................19
      4.5. New Privacy Considerations ................................20
   5. Granularity of Redirection .....................................20
   6. Movement Implications? .........................................22
   7. Other Security Concerns ........................................23
   8. Security Considerations ........................................24
   9. Acknowledgements ...............................................24
   10. Informative References ........................................25
   Appendix A: Some Security Analysis ................................27

1.  Introduction

   The goal of the IPv6 multihoming work is to allow a site to take
   advantage of multiple attachments to the global Internet, without
   having a specific entry for the site visible in the global routing
   table.  Specifically, a solution should allow hosts to use multiple
   attachments in parallel, or to switch between these attachment points
   dynamically in the case of failures, without an impact on the
   transport and application layer protocols.

   At the highest level, the concerns about allowing such "rehoming" of
   packet flows can be called "redirection attacks"; the ability to
   cause packets to be sent to a place that isn't tied to the transport
   and/or application layer protocol's notion of the peer.  These
   attacks pose threats against confidentiality, integrity, and
   availability.  That is, an attacker might learn the contents of a
   particular flow by redirecting it to a location where the attacker
   has a packet recorder.  If, instead of a recorder, the attacker
   changes the packets and then forwards them to the ultimate
   destination, the integrity of the data stream would be compromised.
   Finally, the attacker can simply use the redirection of a flow as a
   denial of service attack.

   This document has been developed while considering multihoming
   solutions architected around a separation of network identity and

[include full document text]