Download presentation
Presentation is loading. Please wait.
Published byMelvyn Edwards Modified over 9 years ago
1
RFC 3964 Security Considerations for 6to4 Speaker: Chungyi Wang Adviser: Quincy Wu Date: 2007.6.25
2
Outline Abstract Introduction 6to4 Router & Relay Router 6to4 Router 6to4 Relay Router Threat Analysis Attacks with Neighbor Discovery (ND) Messages Spoofing traffic to 6to4 nodes Reflecting traffic from 6to4 nodes Local IPv4 broadcast attack Reference
3
Abstract The IPv6 interim mechanism 6to4 (RFC3056) uses automatic IPv6-over-IPv4 tunneling to interconnect IPv6 networks This characteristic enables a number of security threats, mainly Denial of Service It also makes it easier for nodes to spoof IPv6 addresses This document discusses these issues in more detail and suggests enhancements to alleviate the problems.
4
Introduction (1/3)
5
Introduction (2/3) All 6to4 routers must accept and decapsulate IPv4 packets from every other 6to4 router, and from 6to4 relays. 6to4 relay routers must accept traffic from any native IPv6 node. The IPv4 and IPv6 headers may be spoofed => Denial of Service attacks
6
Introduction (3/3) 2001:db8::1 9.0.0.2 Spoofed Address Who!?
7
6to4 Router & Relay Router (1/2) 6to4 Router The 6to4 routers act as the border routers of a 6to4 domain 6to4 Relay Router The 6to4 relay router acts as a relay between all 6to4 domains and native IPv6 networks
8
6to4 Router & Relay Router (2/2) 6to4 relay router 6to4 router
9
6to4 Router (1/6) Provide IPv6 connectivity to local clients and routers. Forward packets sent to locally configured 6to4 addresses to the 6to4 network. Tunnel packets sent to foreign 6to4 addresses to the destination 6to4 router using IPv4. Tunnel packets sent to non-6to4 addresses to the configured/ closest-by-anycast 6to4 relay router. 6to4 addresses 6to4 router 6to4 relay router
10
6to4 Router (2/6) Decapsulate directly received IPv4 packets from foreign 6to4 addresses. Decapsulate IPv4 packets received via the relay closest to the native IPv6 sources. Note that it is not easily distinguishable whether the packet was received from a 6to4 relay router or from a spoofing third party. Foreign Relay
11
6to4 Router (3/6) Security Checks Disallow traffic: The private, broadcast, reserved IPv4 addresses From 6to4 routers in which IPv4 tunnel source does not match the 6to4 prefix The destination (IPv6) is not a global address Other 6to4 domains through 6to4 relay router or via some third party 6to4 router
12
6to4 Router (4/6) Security Checks IPv4 0.0.0.0/8(the system has no address assigned yet) 10.0.0.0/8 (private) 127.0.0.0/8 (loopback) 172.16.0.0/12 (private) 192.168.0.0/16 (private) 169.254.0.0/16 (IANA Assigned DHCP link-local) o 224.0.0.0/4 (multicast) 240.0.0.0/4 (reserved and broadcast)
13
6to4 Router (5/6) Security Checks IPv6 0::/16(compatible, mapped addresses, loopback, unspecified,...) fe80::/10 (link-local) fec0::/10 (site-local) ff00::/8 (any multicast)
14
6to4 Router (6/6) Security Checks Discard traffic received: From other 6to4 domain via a 6to4 relay router For other prefixes other than one’s own 6to4 prefix.
15
6to4 Relay Router (1/2) Decapsulates and forwards packets received from 6to4 addresses through tunneling, by using normal IPv6 routing (IPv6) [Relay Router] (6to4 address) Tunnels packets received through normal IPv6 routing from native addresses (IPn6) [Relay Router] (6to4 address)
16
6to4 Relay Router (2/2) Security Checks Disallow traffic: The private, broadcast, reserved IPv4 addresses From 6to4 routers in which IPv4 tunnel source does not match the 6to4 prefix The destination (IPv6) is not a global address Discard traffic received: From from 6to4 routers with the destination as a 6to4 prefix (IPv6) [Relay Router] [6to4 Router]
17
Threat Analysis (1/2) Types of threats Denial-of-Service (DoS) A malicious node prevents communication between the node under attack and other nodes Reflection Dos A malicious node reflects the traffic off unsuspecting nodes to a particular node (node under attack) Service theft A malicious node/site/operator may make unauthorized use of service
18
Threat Analysis (2/2) Type of attacks based on target Attacks on 6to4 networks. Attacks on IPv6 networks. Attacks on IPv4 networks. Attacks on the 6to4 nodes Attacks with Neighbor Discovery (ND) Messages Spoofing traffic to 6to4 nodes Reflecting traffic from 6to4 nodes Local IPv4 broadcast attack
19
Attacks with Neighbor Discovery (ND) Messages (1/2) ND message Dst_6 (fe80::1)Src_6 (fe80::2) Dst_4 (9.0.0.2)Src_4 (8.0.0.1) forged address 6to4 pseudo-interface
20
Attacks with Neighbor Discovery (ND) Messages (2/2) MITIGATION METHODS The usage of ND messages could be prohibited It would prohibit any sort of ND message and thus close the doors on development and use of other ND options The 6to4 pseudo-interface could be insulated from the other interfaces using a separate neighbor cache If ND messages are needed either IPsec or an extension of SEND could be used to secure packet exchange using the link-local address
21
Spoofing traffic to 6to4 nodes (1/3) The attacker - a malicious IPv4 or IPv6 node can send packets that are difficult to trace to a 6to4 node 2001:db8::1 9.0.0.2 Spoofed Address Who!? 8.0.0.1
22
Spoofing traffic to 6to4 nodes (2/3) EXTENSIONS - Reflection DoS 9.0.0.2 2001:db8::1 Spoofed Address 8.0.0.1 2001:db8::2 2001:db8::1 TCP SYN ACK, TCP RST, ICMPv6 Echo Reply, input sent to UDP echo service, ICMPv6 Destination Unreachable …
23
Spoofing traffic to 6to4 nodes (3/3) MITIGATION METHODS Ingress filtering in the native IPv6 networks to prevent packets with spoofed IPv6 sources from being transmitted Unfortunately, it would depend on significant (or even complete) ingress filtering everywhere in other networks Security checks in the 6to4 relay This has very little cost
24
Reflecting Traffic to 6to4 nodes (1/3) Reflection DoS Spoof source Traffic off target node Relay router seem to be a attacker
25
Reflecting Traffic to 6to4 nodes (2/3) EXTENSIONS - distributed Reflection DoS A large number of nodes are involved in sending spoofed traffic with the same src_v6
26
Spoofing traffic to 6to4 nodes (3/3) MITIGATION METHODS Implementation of ingress filtering by the IPv4 service providers Distributed Reflection DoS Legitimate user to be a illegitimate user Many IPv4 service providers don’t implement Implementation of ingress filtering by all IPv6 Expecting this to happen may not be practical Security Checks It would eliminate an attack launched from an IPv4 node, except when the IPv4 source address was also spoofed Rate limiting traffic at the 6to4 relays
27
Local IPv4 broadcast attack (1/5) First kind of attack 2002:0900:00ff::bbbb If 9.0.0.255 is the router’s broadcast address
28
Local IPv4 broadcast attack (2/5) First kind of attack Broadcast!Response!
29
Local IPv4 broadcast attack (3/5) Second kind of attack 2002:0900:00ff::bbbb
30
Local IPv4 broadcast attack (4/5) Second kind of attack Broadcast!
31
Local IPv4 broadcast attack (5/5) Second kind of attack The attack is based on the premise that the 6to4 router has to send a packet that embeds an invalid IPv4 address to an IPv6 address Such an attack is easily thwarted by ensuring that the 6to4 router does not transmit packets to invalid IPv4 addresses. Specifically, traffic should not be sent to broadcast or multicast IPv4 addresses
32
Reference RFC 3056 DoS http://en.wikipedia.org/wiki/Denial_of_service DRDos http://en.wikipedia.org/wiki/Distributed_Reflection _Denial_of_Service http://en.wikipedia.org/wiki/Distributed_Reflection _Denial_of_Service
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.