RFC 3964Security Considerations for 6to4

Speaker: Chungyi Wang

Adviser: Quincy Wu

Date: 2007.6.25

Outline

Abstract Introduction 6to4 Router & Relay Router

6to4 Router 6to4 Relay Router

Threat Analysis Attacks with Neighbor Discovery (ND) Messages Spoofing traffic to 6to4 nodes Reflecting traffic from 6to4 nodes Local IPv4 broadcast attack

Reference

Abstract

The IPv6 interim mechanism 6to4 (RFC3056) uses automatic IPv6-over-IPv4 tunneling to interconnect IPv6 networks

This characteristic enables a number of security threats, mainly Denial of Service

It also makes it easier for nodes to spoof IPv6 addresses

This document discusses these issues in more detail and suggests enhancements to alleviate the problems.

Introduction (1/3)

Introduction (2/3)

All 6to4 routers must accept and decapsulate IPv4 packets from every other 6to4 router, and from 6to4 relays.

6to4 relay routers must accept traffic from any native IPv6 node.

The IPv4 and IPv6 headers may be spoofed => Denial of Service attacks

Introduction (3/3)

2001:db8::1

9.0.0.2 Spoofed Address

Who!?

6to4 Router & Relay Router (1/2)

6to4 Router The 6to4 routers act as the border routers of a 6to

4 domain 6to4 Relay Router

The 6to4 relay router acts as a relay between all 6to4 domains and native IPv6 networks

6to4 Router & Relay Router (2/2)

6to4 relay router 6to4 router

6to4 Router (1/6) Provide IPv6 connectivity to local clients and routers. Forward packets sent to locally configured 6to4 address

es to the 6to4 network. Tunnel packets sent to foreign 6to4 addresses to the des

tination 6to4 router using IPv4. Tunnel packets sent to non-6to4 addresses to the config

ured/ closest-by-anycast 6to4 relay router.

6to4 addresses

6to4 router

6to4 relay router

6to4 Router (2/6)

Decapsulate directly received IPv4 packets from foreign 6to4 addresses.

Decapsulate IPv4 packets received via the relay closest to the native IPv6 sources.

Note that it is not easily distinguishable whether the packet was received from a 6to4 relay router or from a spoofing third party.

Foreign

Relay

6to4 Router (3/6)Security Checks

Disallow traffic: The private, broadcast, reserved IPv4 addresses From 6to4 routers in which IPv4 tunnel source

does not match the 6to4 prefix The destination (IPv6) is not a global address Other 6to4 domains through 6to4 relay router or

via some third party 6to4 router

6to4 Router (4/6)Security Checks

IPv4 0.0.0.0/8(the system has no address assigned yet) 10.0.0.0/8 (private) 127.0.0.0/8 (loopback) 172.16.0.0/12 (private) 192.168.0.0/16 (private) 169.254.0.0/16 (IANA Assigned DHCP link-local) o

224.0.0.0/4 (multicast) 240.0.0.0/4 (reserved and broadcast)

6to4 Router (5/6)Security Checks

IPv6 0::/16(compatible, mapped addresses, loopback,

unspecified, ...) fe80::/10 (link-local) fec0::/10 (site-local) ff00::/8 (any multicast)

6to4 Router (6/6)Security Checks

Discard traffic received: From other 6to4 domain via a 6to4 relay router For other prefixes other than one’s own 6to4

prefix.

6to4 Relay Router (1/2)

Decapsulates and forwards packets received from 6to4 addresses through tunneling, by using normal IPv6 routing (IPv6) [Relay Router] (6to4 address)

Tunnels packets received through normal IPv6 routing from native addresses (IPn6) [Relay Router] (6to4 address)

6to4 Relay Router (2/2)Security Checks

Disallow traffic: The private, broadcast, reserved IPv4 addresses From 6to4 routers in which IPv4 tunnel source do

es not match the 6to4 prefix The destination (IPv6) is not a global address

Discard traffic received: From from 6to4 routers with the destination as a 6

to4 prefix (IPv6) [Relay Router] [6to4 Router]

Threat Analysis (1/2)

Types of threats Denial-of-Service (DoS)

A malicious node prevents communication between the node under attack and other nodes

Reflection Dos A malicious node reflects the traffic off unsuspecting n

odes to a particular node (node under attack) Service theft

A malicious node/site/operator may make unauthorized use of service

Threat Analysis (2/2)

Type of attacks based on target Attacks on 6to4 networks. Attacks on IPv6 networks. Attacks on IPv4 networks.

Attacks on the 6to4 nodes Attacks with Neighbor Discovery (ND) Messages Spoofing traffic to 6to4 nodes Reflecting traffic from 6to4 nodes Local IPv4 broadcast attack

Spoofing traffic to 6to4 nodes (1/3)

The attacker - a malicious IPv4 or IPv6 node can send packets that are difficult to trace to a 6to4 node

2001:db8::1

9.0.0.2 Spoofed Address

Who!?

8.0.0.1

Spoofing traffic to 6to4 nodes (2/3)

EXTENSIONS - Reflection DoS

9.0.0.2

2001:db8::1

Spoofed Address

8.0.0.1

2001:db8::2

2001:db8::1

TCP SYN ACK, TCP RST, ICMPv6 Echo Reply, input sent to UDP echo service, ICMPv6 Destination Unreachable …

Spoofing traffic to 6to4 nodes (3/3)

MITIGATION METHODS Ingress filtering in the native IPv6 networks to

prevent packets with spoofed IPv6 sources from being transmitted Unfortunately, it would depend on significant (or even

complete) ingress filtering everywhere in other networks

Security checks in the 6to4 relay This has very little cost

Reflecting Traffic to 6to4 nodes (1/3)

Reflection DoS Spoof source Traffic off target node Relay router seem to be a attacker

Reflecting Traffic to 6to4 nodes (2/3)

EXTENSIONS - distributed Reflection DoS A large number of nodes are involved in sending

spoofed traffic with the same src_v6

Spoofing traffic to 6to4 nodes (3/3)

MITIGATION METHODS Implementation of ingress filtering by the IPv4 service provi

ders Distributed Reflection DoS Legitimate user to be a illegitimate user Many IPv4 service providers don’t implement

Implementation of ingress filtering by all IPv6 Expecting this to happen may not be practical

Security Checks It would eliminate an attack launched from an IPv4 node, ex

cept when the IPv4 source address was also spoofed Rate limiting traffic at the 6to4 relays

Local IPv4 broadcast attack (1/5)First kind of attack

2002:0900:00ff::bbbb

If 9.0.0.255 is the router’s broadcast address

Local IPv4 broadcast attack (2/5)First kind of attack

Broadcast!

Response!

Local IPv4 broadcast attack (3/5)Second kind of attack

2002:0900:00ff::bbbb

Local IPv4 broadcast attack (4/5)Second kind of attack

Broadcast!

Local IPv4 broadcast attack (5/5)Second kind of attack

The attack is based on the premise that the 6to4 router has to send a packet that embeds an invalid IPv4 address to an IPv6 address

Such an attack is easily thwarted by ensuring that the 6to4 router does not transmit packets to invalid IPv4 addresses.

Specifically, traffic should not be sent to broadcast or multicast IPv4 addresses

Reference

RFC 3056 DoS

http://en.wikipedia.org/wiki/Denial_of_service DRDos

http://en.wikipedia.org/wiki/Distributed_Reflection_Denial_of_Service