On Tue, 20 Nov 2001, James Kempf wrote:
> I submitted draft-kempf-ipng-netaccess-threats-00.txt last week on Tues.
> but got email from odin.isi.edu on Wed. that the mail had been delayed,
> so I am not sure whether it got in on time. The actual email from the
> Internet Drafts saying it was received arrived on Thurs. I have not seen
> an announcement of the draft yet.
> 
> In any event, I put the draft on my Geocities web site. Here is the URL:
> 
> http://www.geocities.com/kempf42/draft-kempf-ipng-netaccess-threats-00.txt
> 
> I still hope we can get some discussion prior to the meeting.

I believe this is a very important document.

As with IPv4 and ARP (e.g. gratuitous ARP), it may be that most
issues cannot be solved, at least without resorting to IPSEC.  But that is
perhaps not necessary -- in my book, it's good to identify problems even
though no proper "solution" can be found.

Comment on 3.3 Neighbor Solicitation/Advertisement Spoofing:
--8<--
   An attacking node can cause packets for legitimate nodes, both hosts 
   and routers, to be sent to some other link-layer address.  This can 
   be done by either sending a Neighbor Solicitation with a different 
   source link-layer address option, or sending a Neighbor 
   Advertisement with a different target link-layer address option. 
   If the spoofed link-layer address is a valid one, as long as the 
   attacker responds to the unicast Neighbor Solicitation messages sent 
   as part of the Neighbor Unreachability Detection, packets will 
   continue to be redirected. This is a redirect attack. 
[...]
--8<--
Here, it could be elaborated that NS messages with a different link-local
source address should overwrite the cached one [RFC2461 7.2.3]; the
mechanism by which this attack works may not be self-evident.

Comment on 3.5 Bogus On-Link Prefix:
--8<--
   An attacking node can send a Router Advertisement message specifying 
   that some prefix of arbitrary length is on-link. If a sending host 
   thinks the prefix is on-link, it will never send a packet for that 
   prefix to the router. Instead, the host will try to perform address 
   resolution by sending Neighbor Solicitations, but the Neighbor 
   Solicitations will not result in a response, denying service to the 
   attacked host. This is a DoS attack. 
    
   The attacker can use an arbitrary lifetime on the bogus prefix 
   advertisement. If the lifetime is infinity, the sending host will be 
   denied service until it loses the state in its prefix list e.g. by 
   rebooting, or the same prefix is advertised with a zero lifetime. 
   The attack could also be perpetrated selectively for packets 
   destined to a particular prefix by using 128 bit prefixes, i.e. full 
   addresses. 
    
   This threat involves Router Advertisement messages. 
--8<--

It appears to me this is more than DoS.  This could be extremely evil --
what prevents the attacker from listening to all on-link traffic and
responding positively to Neighbour Solicitations?  That way, it could act
as a man-in-the-middle attacker for all destinations.  Scary..

Possible additional threat:

 - attacker assigns the subnet-router anycast address to itself.  With
various methods (like 3.3) it could capture the traffic meant for that
address.  The impact depends on whether the anycast address is used for,
e.g., selecting the exit router, or for being contacted by outside parties
wishing to talk to the router of the subnet.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
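As an added illustration of the 3.5 threat (this is not code from the draft or from the original message), the following parses the RFC 2461 Prefix Information options of a Router Advertisement and flags on-link prefixes that are not among the link's known prefixes, noting the /128 and infinite-lifetime variants the draft describes.  The sample RA bytes are constructed inline with a zero checksum; they are not captured traffic.

```python
import struct
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 2461 4.2
OPT_PREFIX_INFORMATION = 3          # RFC 2461 4.6.2
INFINITE_LIFETIME = 0xFFFFFFFF

def parse_prefix_options(ra: bytes):
    """Yield (prefix, on_link_flag, valid_lifetime) for each Prefix Information option."""
    if len(ra) < 16 or ra[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    off = 16  # fixed RA header: type, code, checksum, hop limit, M/O flags, lifetime, reachable, retrans
    while off + 2 <= len(ra):
        opt_type, opt_len8 = ra[off], ra[off + 1]
        opt_len = opt_len8 * 8
        if opt_len8 == 0 or off + opt_len > len(ra):
            raise ValueError("malformed option length")  # RFC 2461 6.1.2: discard the packet
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 32:
            plen, flags, valid, _preferred, _reserved = struct.unpack_from("!BBIII", ra, off + 2)
            prefix = ipaddress.IPv6Network((ra[off + 16:off + 32], plen), strict=False)
            yield prefix, bool(flags & 0x80), valid   # 0x80 is the L (on-link) flag
        off += opt_len

def audit_ra(ra: bytes, expected_prefixes):
    """Return [(prefix, reasons)] for on-link prefixes that are not the link's known prefixes."""
    expected = {ipaddress.IPv6Network(p) for p in expected_prefixes}
    findings = []
    for prefix, on_link, valid in parse_prefix_options(ra):
        if not on_link or prefix in expected:
            continue
        reasons = ["unexpected on-link prefix"]
        if prefix.prefixlen == 128:
            reasons.append("/128 host prefix: selective DoS against one destination")
        if valid == INFINITE_LIFETIME:
            reasons.append("infinite valid lifetime: persists until reboot or zero-lifetime RA")
        findings.append((str(prefix), reasons))
    return findings

def build_ra(prefixes):
    """Construct a sample RA for testing (checksum left zero; constructed data, not captured)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    opts = b""
    for net, on_link, valid in prefixes:
        net = ipaddress.IPv6Network(net)
        flags = 0x80 if on_link else 0
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, flags, valid, valid, 0)
        opts += net.network_address.packed
    return hdr + opts

# Constructed sample: the legitimate /64, a bogus /128 with infinite lifetime, and an off-link prefix.
SAMPLE_RA = build_ra([("2001:db8:1::/64", True, 2592000),
                      ("2001:db8:ffff::1/128", True, INFINITE_LIFETIME),
                      ("2001:db8:2::/64", False, 3600)])
```

Only on-link (L flag) prefixes are examined, since the threat in 3.5 is that the host stops sending to the router for those prefixes; off-link prefixes are passed over.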


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
