PowerPoint Presentation - IPv6 Benchmarking Methodology

Rogue IPv6 Router Advertisement Problem Statement
Tim Chown
Stig Venaas
IETF 72, 27 July – 1 August 2008
Dublin
draft-chown-v6ops-rogue-ra-01
Structure of the -01 draft

The issue
  Additional ‘bad’ RAs causing problems
Scenarios
  Administrator misconfiguration
  User misconfiguration
  Malicious activity
Methods to mitigate
  Varying degrees of complexity/practicality
Other considerations
Discussion
Some possible solutions

(In no particular order)
Manually configure the default router


Use SeND


Not always available
Implement RA ‘snooping’ in switches


Perceived as complex; might not be deployable in all scenarios; limited implementations
Use manually configured ACLs on switches


Liable to introduce mistakes and management complexity
RA Guard solution proposed; may not always be available
Use router preference option (RFC4191)

Optional feature, can be used by attacker anyway
… solutions continued

Use L2 admission control (e.g. 802.1x)


Use host-based packet filters


e.g. rafixd… automatically if problem can be detected
Limit changes in hosts


Needs to be configured; possible issue with updates
Use some auto-deprecate tool


Denies attacker access to IP layer
e.g. 2 hour timer before new observed RA acted upon
Change DHCPv6 to add default router support

Radical change; DHCP vulnerable without authentication
Where we’re at…

Issues presented since at least IETF69
Various potential solutions proposed
  SeND
  RA Guard
  + some others, e.g. switch ACLs
Problem still there today
  No clear solution for all scenarios
  Switches may be too dumb, or hosts limited in some way
More input on observed causes and mitigations from the field would be useful
Changes since -00

Added between -00 and -01:
  RA Guard text, noted it may complement SeND
  Note on rogue RAs compared to rogue DHCP servers
  Windows ICS and host firewall note
  ACL note
  Note on possible rogue RA impact on an otherwise ‘IPv4-only’ network
  2 hour limit on changes suggestion
Input has all been in the form of additions or clarifications; no objections to content as such
Moving forward

Things to check/test?




Agree recommendations?




Rogue RA detection by management/monitoring tools
Rapid correction of rogue RA effect in an enterprise
Concerns of possible impact on IPv4-only network?
Is SeND + RA Guard enough for all scenarios?
Or will there always be problem corner cases?
The problem certainly still exists today in enterprises
Possible WG adoption of problem draft

Or just leave it as a discussion point
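
Added example (not from the slides or the draft): one way a monitoring tool could do the rogue RA detection listed above, by parsing each observed Router Advertisement, including the RFC 4191 preference bits, and comparing it with an allowlist. The allowlist contents, the function names and the sample packets are assumptions constructed for illustration; capturing the RAs from the wire is out of scope.

```python
import ipaddress
import struct

PRF = {0b00: "medium", 0b01: "high", 0b11: "low", 0b10: "reserved"}  # RFC 4191

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861 layout, starting at the type byte)."""
    if len(icmp) < 16 or icmp[0] != 134 or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", icmp, 5)
    prefixes, off = [], 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length is in 8-octet units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            addr = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            net = ipaddress.IPv6Network(f"{addr}/{icmp[off + 2]}", strict=False)
            prefixes.append(str(net))
        off += opt_len
    return {"lifetime": lifetime, "prf": PRF[(flags >> 3) & 0b11], "prefixes": prefixes}

def check_ra(src: str, icmp: bytes, routers: set, prefixes: set) -> list:
    """Compare one observed RA with the allowlist; an empty list means it is expected."""
    ra, findings = parse_ra(icmp), []
    if ipaddress.IPv6Address(src) not in routers:
        findings.append("unknown-source")
        if ra["prf"] == "high":  # preference set high by a router nobody configured
            findings.append("high-preference-from-unknown-source")
    findings += [f"unexpected-prefix {p}" for p in ra["prefixes"] if p not in prefixes]
    return findings

def sample_ra(prf: int, lifetime: int, prefix: str, plen: int) -> bytes:
    """Constructed test input: RA header plus one Prefix Information option."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, prf << 3, lifetime, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

# Assumed allowlist and constructed observations (example addresses only).
ROUTERS = {ipaddress.IPv6Address("fe80::1")}
PREFIXES = {"2001:db8:1::/64"}
OBSERVED = [
    ("fe80::1", sample_ra(0b00, 1800, "2001:db8:1::", 64)),
    ("fe80::a00:27ff:fe12:3456", sample_ra(0b01, 1800, "2002:c000:204::", 64)),
]

if __name__ == "__main__":
    for src, pkt in OBSERVED:
        print(src, check_ra(src, pkt, ROUTERS, PREFIXES) or "ok")
```

The second constructed RA comes from an unlisted source, sets high preference and advertises a prefix the site does not use, so it produces three findings; the first produces none.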