Rogue IPv6 Router Advertisement Problem Statement
Tim Chown
Stig Venaas
IETF 72, 27 July – 1 August 2008
Dublin
draft-chown-v6ops-rogue-ra-01
Structure of the -01 draft
The issue
Scenarios
Administrator misconfiguration
User misconfiguration
Malicious activity
Methods to mitigate
Additional ‘bad’ RAs causing problems
Varying degrees of complexity/practicality
Other considerations
Discussion
Some possible solutions
(In no particular order)
Manually configure the default router
Use SeND
Not always available
Implement RA ‘snooping’ in switches
Perceived as complex; might not be deployable in all scenarios; limited implementations
Use manually configured ACLs on switches
Liable to introduce mistakes and management complexity
RA Guard solution proposed; may not always be available
Use router preference option (RFC4191)
Optional feature, can be used by attacker anyway
… solutions continued
Use L2 admission control (e.g. 802.1x)
Denies attacker access to IP layer
Use host-based packet filters
Needs to be configured; possible issue with updates
Use some auto-deprecate tool
e.g. rafixd… automatically if problem can be detected
Limit changes in hosts
e.g. 2 hour timer before new observed RA acted upon
Change DHCPv6 to add default router support
Radical change; DHCP vulnerable without authentication
Where we’re at…
Issues presented since at least IETF69
Various potential solutions proposed
Problem still there today
SeND
RA Guard
+ some others, e.g. switch ACLs
No clear solution for all scenarios
Switches may be too dumb, or hosts limited in some way
More input on observed causes and mitigations from the field would be useful
Changes since -00
Added between -00 and -01:
RA Guard text, noted it may complement SeND
Note on Rogue RAs compared to Rogue DHCP servers
Windows ICS and host firewall note
ACL note
Note on possible rogue RA impact on an otherwise ‘IPv4-only’ network
2 hour limit on changes suggestion
Input has all been of the form of additions or clarifications; no objections to content as such
Moving forward
Things to check/test?
Agree recommendations?
Rogue RA detection by management/monitoring tools
Rapid correction of rogue RA effect in an enterprise
Concerns of possible impact on IPv4-only network?
Is SeND + RA Guard enough for all scenarios?
Or will there always be problem corner cases?
The problem certainly still exists today in enterprises
Possible WG adoption of problem draft
Or just leave it as a discussion point
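
An added example (not from the slides or the draft) for the "rogue RA detection by management/monitoring tools" item: it parses an observed ICMPv6 Router Advertisement and compares the sender, link-layer address, prefixes and RFC 4191 preference against an allowlist of known routers. The allowlist layout, function names and sample packets are assumptions constructed for illustration.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

PRF = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}  # RFC 4191 Prf bits

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134) and the options we care about."""
    if len(icmp6) < 16 or icmp6[0] != 134 or icmp6[1] != 0:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", icmp6, 5)
    ra = {"lifetime": lifetime, "prf": PRF[(flags >> 3) & 0b11], "sll": None, "prefixes": []}
    off = 16
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8  # option length is in 8-octet units
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off + 2:off + olen]
        if otype == 1 and olen == 8:        # Source Link-Layer Address
            ra["sll"] = body.hex(":")
        elif otype == 3 and olen == 32:     # Prefix Information
            ra["prefixes"].append(IPv6Network((body[14:30], body[0]), strict=False))
        off += olen
    return ra

def check_ra(src: str, icmp6: bytes, authorised: dict) -> list:
    """Return findings for one observed RA; an empty list means it matches the allowlist."""
    ra, findings = parse_ra(icmp6), []
    known = authorised.get(IPv6Address(src))
    if known is None:
        findings.append(f"RA from unauthorised source {src} (MAC {ra['sll']})")
        if ra["prf"] == "high" and ra["lifetime"] > 0:
            findings.append("unauthorised RA claims high router preference")
        return findings
    if ra["sll"] not in (None, known["mac"]):
        findings.append(f"link-layer address mismatch: {ra['sll']}")
    findings += [f"unexpected prefix {p}" for p in ra["prefixes"] if p not in known["prefixes"]]
    return findings

# Constructed sample data (documentation address ranges; ICMPv6 checksum zeroed, not verified).
AUTHORISED = {IPv6Address("fe80::1"): {"mac": "00:00:5e:00:53:fe",
                                       "prefixes": {IPv6Network("2001:db8:1::/64")}}}
GOOD_RA = bytes.fromhex("86000000 4000 0708 00000000 00000000  0101 00005e0053fe"
                        "0304 40c0 00278d00 00093a80 00000000 20010db8 00010000 00000000 00000000")
ROGUE_RA = bytes.fromhex("86000000 4008 0708 00000000 00000000  0101 00005e005301"
                         "0304 40c0 00278d00 00093a80 00000000 20010db8 0bad0000 00000000 00000000")

if __name__ == "__main__":
    print(check_ra("fe80::1", GOOD_RA, AUTHORISED))
    print(check_ra("fe80::bad", ROGUE_RA, AUTHORISED))
```

A source-address allowlist alone does not catch an RA that spoofs the authorised router's address, which is why the link-layer address and advertised prefixes are compared as well.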