Hi Zied,

This is discussed in "IPv6 ND Trust Models and Threats [RFC3756]". Under
Section 4.2.4 it says: "This attack is not a concern if access to the link
is restricted to trusted nodes".
SEND [RFC3971] provides one possible mitigation in other cases.

Thanks - Fred

From: Zied Bouziri [mailto:[email protected]]
Sent: Wednesday, January 11, 2017 1:48 PM
To: Templin, Fred L <[email protected]>
Cc: Christian Huitema <[email protected]>; Brian E Carpenter 
<[email protected]>; 6man WG <[email protected]>; INT Area 
<[email protected]>
Subject: Re: [Int-area] Route Information Options in Redirect Messages

Hi Fred
In section 6:
"Namely, the protocol must take measures to secure IPv6 ND messages on links
where spoofing attacks are possible"
By reading this passage, I have the impression that there are links where
spoofing attacks are possible and others not!
How can we know if this attack is possible or not in a specified link?
Thank you
Zied

On 10 Jan. 2017 at 22:52, Templin, Fred L <[email protected]> wrote:

Hi Christian,


-----Original Message-----
From: Christian Huitema [mailto:[email protected]]
Sent: Tuesday, January 10, 2017 11:34 AM
To: Templin, Fred L <[email protected]>; 'Brian E Carpenter' <[email protected]>;
'6man WG' <[email protected]>; 'INT Area' <[email protected]>
Subject: RE: [Int-area] Route Information Options in Redirect Messages

On Tuesday, January 10, 2017 9:55 AM, Fred Templin wrote:

...
What is being proposed in the document I submitted is the inclusion of
RIOs in Redirect messages for a *prefix* that is not on-link, as opposed
to a singleton destination. So, the same SHOULD in the paragraph above
would seem to apply also to prefix redirection the same as for ordinary
destination redirection.

Fred, I am reading the security section of your draft. I think it needs a
bit more work.

Currently, the RIO are only expected in router advertisements. RA are
somewhat special, and there is often specific code in switches to check RA
and prevent RA spoofing -- e.g., RA-Guard. Allowing the option in Redirect
messages could very well bypass the RA specific checks. Doesn't that open
the path for new attacks? Should you not say something about that in the
security section? How about specific mitigations, such as sanity checks when
processing redirect messages?

Since IP will still operate correctly if transmission of Redirect messages is
somehow suppressed (i.e., denial of Redirect service), the more serious
threat to be considered is spoofing. Here is what currently appears under
Security Considerations:

  "Security considerations for Redirect messages that include RIOs are
  the same as for any IPv6 ND messages as specified in Section 11 of
  [RFC4861].  Namely, the protocol must take measures to secure IPv6 ND
  messages on links where spoofing attacks are possible.

  A spoofed Redirect message containing no RIOs could cause corruption
  in the host's destination cache while a spoofed Redirect message
  containing RIOs could corrupt the host's routing tables.  While the
  latter would seem to be a more onerous result, the possibility for
  corruption is unacceptable in either case."

So, from the first paragraph, we can see that the protocol must take
measures to secure IPv6 ND messages on links where spoofing attacks
are possible. The second paragraph then analyzes the consequences of
what could happen if a spoofing attack were successful and we see that
there are unacceptable negative consequences for both traditional
Redirects and Redirects that include RIOs.

The text stops short of saying that "no Redirects of any kind should be
used on links where spoofing attacks are possible". Would adding a
statement such as this address the concern?

Thanks - Fred
[email protected]

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

Best Regards, مع تحياتي
Zied BOUZIRI، زياد بوزيري
ISET Charguia, Tunisie
www.bouziri.tn

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
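The "sanity checks when processing redirect messages" raised in the thread already exist in RFC 4861 Section 8.1: a host must silently discard a Redirect unless the source is link-local, the hop limit is 255, the checksum and code are valid, the message is at least 40 octets, the source is the current first-hop router for the redirected destination, the destination is not multicast, the target is link-local or equals the destination, and every option has a non-zero length. The Python below is an added example, not code from this mailing-list thread or from the draft under discussion; it applies those checks and additionally parses any Route Information Option (RFC 4191, option type 24) the Redirect carries, so a receiver can see which prefix would enter its routing table before accepting it. The addresses, the prefix and the `current_first_hop` parameter (standing in for the host's destination cache lookup) are constructed assumptions.

```python
"""RFC 4861 8.1 validity checks for ICMPv6 Redirect (type 137) plus
Route Information Option (RFC 4191) parsing. Added example; addresses
and the current_first_hop parameter are constructed assumptions."""
import ipaddress
import struct

ICMPV6_REDIRECT = 137
OPT_ROUTE_INFO = 24  # RFC 4191 Route Information Option type


def icmpv6_checksum(src, dst, payload):
    """Internet checksum over the IPv6 pseudo-header (next header 58) + ICMPv6."""
    pseudo = src.packed + dst.packed + struct.pack("!I", len(payload)) + b"\x00\x00\x00\x3a"
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(buf):
    """ND options are TLVs; length is in 8-octet units and MUST be > 0."""
    opts, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated option header")
        otype, olen = buf[off], buf[off + 1]
        if olen == 0:
            raise ValueError("option with zero length")
        end = off + olen * 8
        if end > len(buf):
            raise ValueError("option runs past end of message")
        opts.append((otype, buf[off + 2:end]))
        off = end
    return opts


def parse_rio(body):
    """Body of a Route Information Option: prefix len, flags, lifetime, prefix."""
    prefix_len = body[0]
    prf = (body[1] >> 3) & 0x3               # 2-bit route preference (raw bits)
    lifetime = struct.unpack("!I", body[2:6])[0]
    prefix_bytes = body[6:].ljust(16, b"\x00")  # prefix field may be 0/8/16 octets
    prefix = ipaddress.IPv6Network((int.from_bytes(prefix_bytes, "big"), prefix_len), strict=False)
    return prefix, prf, lifetime


def validate_redirect(src, dst, hop_limit, payload, current_first_hop):
    """Return (ok, reason, options) per the RFC 4861 Section 8.1 checks."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if not src.is_link_local:
        return False, "source is not link-local", []
    if hop_limit != 255:
        return False, "hop limit is not 255", []
    if len(payload) < 40:
        return False, "ICMP length below 40 octets", []
    if icmpv6_checksum(src, dst, payload) != 0:  # valid message sums to zero
        return False, "bad checksum", []
    if payload[0] != ICMPV6_REDIRECT or payload[1] != 0:
        return False, "not a Redirect with code 0", []
    target = ipaddress.IPv6Address(payload[8:24])
    destination = ipaddress.IPv6Address(payload[24:40])
    if destination.is_multicast:
        return False, "destination is multicast", []
    if src != ipaddress.IPv6Address(current_first_hop):
        return False, "source is not the current first-hop router", []
    if not (target.is_link_local or target == destination):
        return False, "target neither link-local nor equal to destination", []
    try:
        opts = parse_options(payload[40:])
    except ValueError as exc:
        return False, str(exc), []
    return True, "ok", opts


def build_rio(prefix, prf=0, lifetime=3600):
    """Encode a 16-octet-prefix RIO (length 3 units = 24 octets)."""
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!BBBBI", OPT_ROUTE_INFO, 3, net.prefixlen, (prf & 3) << 3,
                       lifetime) + net.network_address.packed


def build_redirect(src, dst, target, destination, options=b""):
    """Build a Redirect with a correct checksum (used here to construct samples)."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    body = struct.pack("!BBHI", ICMPV6_REDIRECT, 0, 0, 0)
    body += ipaddress.IPv6Address(target).packed + ipaddress.IPv6Address(destination).packed
    body += options
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


if __name__ == "__main__":
    # Constructed sample: fe80::1 is the host's current first-hop router.
    router, host = "fe80::1", "fe80::abcd"
    msg = build_redirect(router, host, "fe80::2", "2001:db8:1::10", build_rio("2001:db8:1::/48"))
    ok, reason, opts = validate_redirect(router, host, 255, msg, current_first_hop=router)
    print(ok, reason, [parse_rio(b) for t, b in opts if t == OPT_ROUTE_INFO])
    spoof = build_redirect("fe80::bad", host, "fe80::2", "2001:db8:1::10", build_rio("2001:db8:1::/48"))
    print(validate_redirect("fe80::bad", host, 255, spoof, current_first_hop=router)[:2])
```

The first-hop check is what keeps a Redirect from an arbitrary link-local source from installing a route: only the router the host already uses for that destination may redirect it. That check is only as strong as the host's ability to trust who that router is, which is the point of Section 4.2.4 of RFC 3756 and of SEND cited in the thread.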
