Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
RFC 7113
Document Type RFC - Informational (February 2014; No errata)
Updates RFC 6105
Last updated 2015-10-14
Replaces draft-gont-v6ops-ra-guard-implementation
Stream IETF
Formats plain text pdf html bibtex
Reviews
GENART Telechat Review: On the Right Track
SECDIR Early Review: Ready
GENART Last Call Review: On the Right Track
GENART Last Call Review
Stream WG state WG Document
Document shepherd Fred Baker
IESG IESG state RFC 7113 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Ron Bonica
IESG note Joel Jaeggli (joelja@bogus.com) is the document shepherd.
Send notices to (None)
Email authors IPR References Referenced by Nits 
Internet Engineering Task Force (IETF)                           F. Gont
Request for Comments: 7113                           Huawei Technologies
Updates: 6105                                              February 2014
Category: Informational
ISSN: 2070-1721

  Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)

Abstract

   The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly
   employed to mitigate attack vectors based on forged ICMPv6 Router
   Advertisement messages.  Many existing IPv6 deployments rely on
   RA-Guard as the first line of defense against the aforementioned
   attack vectors.  However, some implementations of RA-Guard have been
   found to be prone to circumvention by employing IPv6 Extension
   Headers.  This document describes the evasion techniques that affect
   the aforementioned implementations and formally updates RFC 6105,
   such that the aforementioned RA-Guard evasion vectors are eliminated.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7113.

Gont                          Informational                     [Page 1]
RFC 7113             RA-Guard Implementation Advice        February 2014

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Evasion Techniques for Some RA-Guard Implementations . . . . .  3
     2.1.  Attack Vector Based on IPv6 Extension Headers  . . . . . .  3
     2.2.  Attack Vector Based on IPv6 Fragmentation  . . . . . . . .  4
   3.  RA-Guard Implementation Advice . . . . . . . . . . . . . . . .  6
   4.  Other Implications . . . . . . . . . . . . . . . . . . . . . .  9
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     7.1.  Normative References . . . . . . . . . . . . . . . . . . . 10
     7.2.  Informative References . . . . . . . . . . . . . . . . . . 11
   Appendix A.  Assessment Tools  . . . . . . . . . . . . . . . . . . 12

1.  Introduction

   IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique
   for attack vectors based on ICMPv6 Router Advertisement [RFC4861]
   messages.  [RFC6104] describes the problem statement of "Rogue IPv6
   Router Advertisements", and [RFC6105] specifies the "IPv6 Router
   Advertisement Guard" functionality.

   The concept behind RA-Guard is that a Layer-2 (L2) device filters
   ICMPv6 Router Advertisement messages, according to a number of
   different criteria.  The most basic filtering criterion is that
   Router Advertisement messages are discarded by the L2 device unless
   they are received on a specified port of the L2 device.  Clearly, the
   effectiveness of RA-Guard relies on the ability of the L2 device to
   identify ICMPv6 Router Advertisement messages.

   Some popular RA-Guard implementations have been found to be easy to
   circumvent by employing IPv6 Extension Headers [CPNI-IPv6].  This

Gont                          Informational                     [Page 2]
RFC 7113             RA-Guard Implementation Advice        February 2014

   document describes such evasion techniques and provides advice to
   RA-Guard implementers such that the aforementioned evasion vectors
   can be eliminated.

   It should be noted that the previously mentioned techniques could
   also be exploited to evade network monitoring tools such as NDPMon
   [NDPMon], ramond [ramond], and rafixd [rafixd], and could probably be
   exploited to perform stealth DHCPv6 [RFC3315] attacks.

2.  Evasion Techniques for Some RA-Guard Implementations
Show full document text
ISOC IETF Trust RFC Editor IRTF IESG IETF IAB IASA & IAOC IETF Tools IANA