Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
RFC 7113
Document | Type |
RFC - Informational
(February 2014; No errata)
Updates RFC 6105
|
|
---|---|---|---|
Author | Fernando Gont | ||
Last updated | 2015-10-14 | ||
Replaces | draft-gont-v6ops-ra-guard-implementation | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized bibtex | ||
Reviews | |||
Stream | WG state | WG Document | |
Document shepherd | Fred Baker | ||
IESG | IESG state | RFC 7113 (Informational) | |
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Ron Bonica | ||
IESG note | Joel Jaeggli (joelja@bogus.com) is the document shepherd. | ||
Send notices to | (None) |
Internet Engineering Task Force (IETF) F. Gont Request for Comments: 7113 Huawei Technologies Updates: 6105 February 2014 Category: Informational ISSN: 2070-1721 Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard) Abstract The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly employed to mitigate attack vectors based on forged ICMPv6 Router Advertisement messages. Many existing IPv6 deployments rely on RA-Guard as the first line of defense against the aforementioned attack vectors. However, some implementations of RA-Guard have been found to be prone to circumvention by employing IPv6 Extension Headers. This document describes the evasion techniques that affect the aforementioned implementations and formally updates RFC 6105, such that the aforementioned RA-Guard evasion vectors are eliminated. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7113. Gont Informational [Page 1] RFC 7113 RA-Guard Implementation Advice February 2014 Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Evasion Techniques for Some RA-Guard Implementations . . . . . 3 2.1. Attack Vector Based on IPv6 Extension Headers . . . . . . 3 2.2. Attack Vector Based on IPv6 Fragmentation . . . . . . . . 4 3. RA-Guard Implementation Advice . . . . . . . . . . . . . . . . 6 4. Other Implications . . . . . . . . . . . . . . . . . . . . . . 9 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 7.2. Informative References . . . . . . . . . . . . . . . . . . 11 Appendix A. Assessment Tools . . . . . . . . . . . . . . . . . . 12 1. Introduction IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique for attack vectors based on ICMPv6 Router Advertisement [RFC4861] messages. [RFC6104] describes the problem statement of "Rogue IPv6 Router Advertisements", and [RFC6105] specifies the "IPv6 Router Advertisement Guard" functionality. The concept behind RA-Guard is that a Layer-2 (L2) device filters ICMPv6 Router Advertisement messages, according to a number of different criteria. The most basic filtering criterion is that Router Advertisement messages are discarded by the L2 device unless they are received on a specified port of the L2 device. Clearly, the effectiveness of RA-Guard relies on the ability of the L2 device to identify ICMPv6 Router Advertisement messages. Some popular RA-Guard implementations have been found to be easy to circumvent by employing IPv6 Extension Headers [CPNI-IPv6]. This Gont Informational [Page 2] RFC 7113 RA-Guard Implementation Advice February 2014 document describes such evasion techniques and provides advice to RA-Guard implementers such that the aforementioned evasion vectors can be eliminated. It should be noted that the previously mentioned techniques could also be exploited to evade network monitoring tools such as NDPMon [NDPMon], ramond [ramond], and rafixd [rafixd], and could probably be exploited to perform stealth DHCPv6 [RFC3315] attacks. 2. Evasion Techniques for Some RA-Guard ImplementationsShow full document text