Une attaque par rejeu sur le protocole SEND

Transcription

1 Une attaque par rejeu sur le protocole SEND Tony Cheneau mail: (Télécom SudParis) & Jean-Michel Combes mail: (FT R&D) October 17, 2008 SAR-SSI'2008

2 Summary Quick IPv6 Introduction Neighbor Discovery Protocol Attacks on the Neighbor Discovery Protocol Crytographically Generated Addresses Secure Neighbor Discovery Protocol The attack on the SEND protocol Solutions to mitigate/avoid the attack Conclusion 2

3 Quick IPv6 introduction (1/3) Facts everyone knows: 2128 addresses available Less work on routers Stateless Address Autoconfiguration 3

4 Quick IPv6 introduction (2/3) How to compute a IPv6 address? 4

5 Quick IPv6 introduction (3/3) 5

6 Neighbor Discovery Protocol (1/4) NDP offers: Router Discovery Prefix Discovery Parameter Discovery Stateless Address Autoconfiguration Address Resolution (similar to ARP in IPv4) Next Hop Determination Neighbor Unreachability Detection Duplicate Address Detection (useful for Stateless Autoconfiguration, also called DAD) Redirection (equivalent to ICMPv4 redirect) 6

7 Neighbor Discovery Protocol (2/4) 5 types of messages: Neighbour Solicitation (NS) Neighbour Advertisement (NA) Router Solicitation Router Advertisement Redirect 7

8 Neighbor Discovery Protocol (3/4) Address Resolution 8

9 Neighbor Discovery Protocol (4/4) Duplicate Address Detection Failure when: a node already posses the address a node is willing to obtain the same address Success when: no node currently owns the address 9

10 Attacks on the Neighbor Discovery Protocol 3 kind of attacks: routing related not routing related Neighbor Solicitation/Advertisement Spoofing Neighbor Unreachability Detection Failure Duplicate Address Detection DoS Attack replay attacks (not really useful) or attacks outside a network (much more interesting) 10

11 Cryptographically Generated Addresses (1/3) Main principles: bind a public key to an IPv6 address with an hash algorithm (but this everybody can do it) the public key can be generated on connection and so does the CGA (it allows autoconfiguration) Details: a whole set of parameters is bound to the address 11

12 Cryptographically Generated Addresses (2/3) CGA parameter structure: a part of the Hash of this structure will form the interface identifier this structure will also be used in SEND 12

13 Cryptographically Generated Addresses (3/3) 13

14 Secure Neighbor Discovery Protocol (1/2) Rely heavily on CGA Secure ICMPv6 message used in the NDP Protect against address spoofing Introduce option: Timestamp (prevent replay attacks) Nonce (supposedly prevent replay attacks) CGA option RSA signature option (actually proves the ownership of the address) 14

15 Secure Neighbor Discovery Protocol (2/2) 15

16 The attack on SEND (1/3) Attacker: send back the NS it receives during victim's DAD process. Effect of the attack: victim's node can't get an address 16

17 The attack on SEND (2/3) Requirement on the link: can listen to the DAD procedure of other nodes: hub non protected Wireless interface... Requirement on the timing of the replay attack: packet is replayed within 1 second 17

18 The attack on SEND (3/3) Why does it work? signature option/cga are correct (only a replay) unspecified address as source of the packet timestamp is valid, victim compare its own clock nonce option has no semantic in this case... 18

19 Proof of Concept Using scapy61: # network interface on which we will listen packets conf.iface = 'eth0' # listen to an interface I would be pleased to know sniff (store=0, filter ="ip6", if anyone this room has a # listen onlyin to NS used for DAD lfilter = lambda x : x.haslayer(icmpv6nd_ns) \ complete implementation of and x.getlayer(ipv6).src== " : : ", SEND topacket test this code. # replay the prn = lambda x : sendp ( x ), count =0) 1 : 19

20 Solutions to mitigate/avoid the attack Disable the DAD procedure: fairly easy not backward compatible and not recommended Try 3 different address generation and ignore last NS: three collision with the same node has low probability backward compatible Give semantic to Nonce option: in received NS during a DAD process, Nonce value has to be different. backward compatible no (known) side effect 20

21 Conclusion National Institute of Standards and Technology (NIST) to advise the use of SEND in IPv6 deployment New working group reforming in IETF (CSI), we will advise them to correct the flaw in the next specification Any questions? 21

22 SEND daemon Details on NTT Docomo implementation: 22

23 SEND Deployment 23

24 Certification Path in SEND 24