A replay attack on the SEND protocol (Une attaque par rejeu sur le protocole SEND) - PowerPoint PPT Presentation


  1. A replay attack on the SEND protocol (Une attaque par rejeu sur le protocole SEND)
  Tony Cheneau, mail: tony.cheneau@it-sudparis.eu (Télécom SudParis) & Jean-Michel Combes, mail: jeanmichel.combes@orange-ftgroup.com (FT R&D)
  October 17, 2008, SAR-SSI'2008

  2. Summary
  ● Quick IPv6 Introduction
  ● Neighbor Discovery Protocol
  ● Attacks on the Neighbor Discovery Protocol
  ● Cryptographically Generated Addresses
  ● Secure Neighbor Discovery Protocol
  ● The attack on the SEND protocol
  ● Solutions to mitigate/avoid the attack
  ● Conclusion
  October 19, 2008 Tony Cheneau & Jean-Michel Combes 2

  3. Quick IPv6 introduction (1/3)
  Facts everyone knows:
  ● 2^128 addresses available
  ● Less work on routers
  ● Stateless Address Autoconfiguration

  4. Quick IPv6 introduction (2/3)
  How to compute an IPv6 address?

  5. Quick IPv6 introduction (3/3)

  6. Neighbor Discovery Protocol (1/4)
  ● NDP offers:
    – Router Discovery
    – Prefix Discovery
    – Parameter Discovery
    – Stateless Address Autoconfiguration
    – Address Resolution (similar to ARP in IPv4)
    – Next Hop Determination
    – Neighbor Unreachability Detection
    – Duplicate Address Detection (useful for Stateless Autoconfiguration, also called DAD)
    – Redirection (equivalent to ICMPv4 redirect)

  7. Neighbor Discovery Protocol (2/4)
  ● 5 types of messages:
    – Neighbor Solicitation (NS)
    – Neighbor Advertisement (NA)
    – Router Solicitation
    – Router Advertisement
    – Redirect

  8. Neighbor Discovery Protocol (3/4)
  Address Resolution

  9. Neighbor Discovery Protocol (4/4)
  Duplicate Address Detection
  Failure when:
  ● a node already possesses the address
  ● another node is trying to obtain the same address
  Success when:
  ● no node currently owns the address

  10. Attacks on the Neighbor Discovery Protocol
  3 kinds of attacks:
  ● routing related
  ● not routing related
    – Neighbor Solicitation/Advertisement Spoofing
    – Neighbor Unreachability Detection Failure
    – Duplicate Address Detection DoS Attack
  ● replay attacks (not really useful) or attacks from outside the network (much more interesting)

  11. Cryptographically Generated Addresses (1/3)
  ● Main principles:
    – bind a public key to an IPv6 address with a hash algorithm (but anyone can do this)
    – the public key can be generated on connection
    – and so can the CGA (it allows autoconfiguration)
  ● Details:
    – a whole set of parameters is bound to the address

  12. Cryptographically Generated Addresses (2/3)
  CGA parameter structure:
  ● a part of the hash of this structure will form the interface identifier
  ● this structure will also be used in SEND

  13. Cryptographically Generated Addresses (3/3)
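The three CGA slides describe the binding but not the computation. The following is an added example (not code from the talk or from the authors) that generates and verifies a CGA as specified in RFC 3972, using only the Python standard library. The public key is a constructed stand-in byte string rather than a real DER-encoded RSA key, and the prefix and modifier values are constructed; the `after_collision` helper is an assumed name for the collision-count step that DAD triggers. Note that `verify_cga` is stateless: the same parameters verify again every time, which is exactly why a replayed NS carries a "correct" CGA option.

```python
# CGA generation and verification (RFC 3972) with only the standard library.
import hashlib
import secrets
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Optional, Tuple


@dataclass(frozen=True)
class CGAParams:
    """The CGA Parameters structure that is hashed into the interface identifier."""
    modifier: bytes        # 16 random bytes, adjusted until the Hash2 condition holds
    subnet_prefix: bytes   # the 8-byte /64 prefix the address lives in
    collision_count: int   # 0, 1 or 2; incremented after a DAD collision
    public_key: bytes      # DER SubjectPublicKeyInfo in RFC 3972; a constructed stand-in here


def _hash1(p: CGAParams) -> bytes:
    # Hash1: leftmost 64 bits of SHA-1 over the whole parameter structure
    data = p.modifier + p.subnet_prefix + bytes([p.collision_count]) + p.public_key
    return hashlib.sha1(data).digest()[:8]


def _hash2_ok(modifier: bytes, public_key: bytes, sec: int) -> bool:
    # Hash2: leftmost 112 bits of SHA-1(modifier || 9 zero bytes || public key);
    # the hash extension requires it to begin with 16*Sec zero bits
    h2 = hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def _interface_id(p: CGAParams, sec: int) -> bytes:
    iid = bytearray(_hash1(p))
    # bits 0-2 carry Sec; bits 6-7 (the u/g bits of modified EUI-64) are forced to zero
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def generate_cga(subnet_prefix: bytes, public_key: bytes, sec: int,
                 modifier: Optional[bytes] = None) -> Tuple[IPv6Address, CGAParams]:
    """Return (address, params). Sec trades generation work for brute-force resistance."""
    if not 0 <= sec <= 7 or len(subnet_prefix) != 8:
        raise ValueError("sec must be 0..7 and the prefix 8 bytes")
    if modifier is None:
        modifier = secrets.token_bytes(16)
    # search modifier values until Hash2 has the required zero prefix (instant for sec=0)
    while not _hash2_ok(modifier, public_key, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    params = CGAParams(modifier, subnet_prefix, 0, public_key)
    return IPv6Address(subnet_prefix + _interface_id(params, sec)), params


def after_collision(p: CGAParams, sec: int) -> Tuple[IPv6Address, CGAParams]:
    """DAD reported a duplicate: bump the collision count (at most twice) and re-derive."""
    if p.collision_count >= 2:
        raise RuntimeError("three collisions: RFC 3972 says to give up on this key/modifier")
    new = CGAParams(p.modifier, p.subnet_prefix, p.collision_count + 1, p.public_key)
    return IPv6Address(p.subnet_prefix + _interface_id(new, sec)), new


def verify_cga(address: IPv6Address, p: CGAParams) -> bool:
    """Stateless check that the address was derived from these parameters."""
    packed = address.packed
    if len(p.modifier) != 16 or p.collision_count > 2 or packed[:8] != p.subnet_prefix:
        return False
    sec = packed[8] >> 5                      # Sec is read back from the address itself
    if not _hash2_ok(p.modifier, p.public_key, sec):
        return False
    expected, actual = bytearray(_hash1(p)), bytearray(packed[8:])
    expected[0] &= 0x1C                       # ignore Sec and u/g bits on both sides
    actual[0] &= 0x1C
    return expected == actual


if __name__ == "__main__":
    prefix = IPv6Address("2001:db8::").packed[:8]          # constructed prefix
    key = secrets.token_bytes(140)                         # constructed stand-in for a DER key
    addr, params = generate_cga(prefix, key, sec=1)
    print(addr, verify_cga(addr, params))
    print("verifies again (stateless):", verify_cga(addr, params))
    print("wrong key rejected:", verify_cga(addr, CGAParams(params.modifier, prefix, 0, key + b"x")))
```

With sec=1 the modifier search costs about 2^16 SHA-1 evaluations, which is what makes forging a CGA for someone else's address expensive while leaving verification cheap.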

  14. Secure Neighbor Discovery Protocol (1/2)
  ● Relies heavily on CGA
  ● Secures the ICMPv6 messages used in NDP
  ● Protects against address spoofing
  ● Introduces options:
    – Timestamp (prevents replay attacks)
    – Nonce (supposedly prevents replay attacks)
    – CGA option
    – RSA signature option (actually proves the ownership of the address)

  15. Secure Neighbor Discovery Protocol (2/2)

  16. The attack on SEND (1/3)
  ● Attacker: sends back the NS it receives during the victim's DAD process.
  ● Effect of the attack: the victim node can't get an address

  17. The attack on SEND (2/3)
  ● Requirement on the link:
    – can listen to the DAD procedure of other nodes:
      ● hub
      ● non-protected wireless interface
      ● ...
  ● Requirement on the timing of the replay attack:
    – packet is replayed within 1 second

  18. The attack on SEND (3/3)
  Why does it work?
  ● signature option/CGA are correct (it is only a replay)
  ● unspecified address as source of the packet
  ● the timestamp is valid, since the victim compares it with its own clock
  ● the nonce option has no semantics in this case...

  19. Proof of Concept
  Using scapy6 [1]:

    # assumed import for scapy6 (not shown on the slide)
    from scapy6 import *
    # network interface on which we will listen for packets
    conf.iface = 'eth0'
    # listen to an interface
    sniff(store=0, filter="ip6",
          # listen only to NS used for DAD
          lfilter=lambda x: x.haslayer(ICMPv6ND_NS) and x.getlayer(IPv6).src == "::",
          # replay the packet
          prn=lambda x: sendp(x), count=0)

  Speaker's note on the slide: "I would be pleased to know if anyone in this room has a complete implementation of SEND to test this code."
  [1] http://namabiiru.hongo.wide.ad.jp/scapy6/

  20. Solutions to mitigate/avoid the attack
  ● Disable the DAD procedure:
    – fairly easy
    – not backward compatible and not recommended
  ● Try 3 different address generations and ignore the last NS:
    – three collisions with the same node have low probability
    – backward compatible
  ● Give semantics to the Nonce option:
    – in an NS received during a DAD process, the Nonce value has to be different from our own.
    – backward compatible
    – no (known) side effect
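Slides 16 to 18 explain why a replayed DAD probe passes every SEND check, and the third solution above gives the Nonce option the semantics that closes the gap. The following is an added example (not code from the talk or from the authors) that simulates the DAD state machine of a SEND node with and without that nonce check. The message type is a constructed, simplified NS carrying only the fields the check needs; it assumes the CGA option, RSA signature and timestamp have already been verified by the SEND layer, exactly the situation the talk describes. `run_dad`, `replaying_link` and `competing_link` are assumed names for the simulation harness.

```python
# Simulated DAD on a SEND-enabled node, with the "nonce semantics" mitigation from the talk.
import secrets
from dataclasses import dataclass
from typing import Callable, List

UNSPECIFIED = "::"


@dataclass(frozen=True)
class NeighborSolicitation:
    """Only the fields the mitigation needs; the CGA option, RSA signature and timestamp
    are assumed already verified by the SEND layer before this code sees the message."""
    src: str      # "::" while the sender is in DAD (RFC 4862)
    target: str   # tentative address being probed
    nonce: bytes  # SEND Nonce option payload (RFC 3971)


class DadNode:
    def __init__(self, tentative: str, check_nonce: bool = True):
        self.tentative = tentative
        self.check_nonce = check_nonce
        self.state = "idle"
        self.sent_nonce = b""

    def start_dad(self) -> NeighborSolicitation:
        """Emit the DAD probe and remember the nonce it carried."""
        self.sent_nonce = secrets.token_bytes(6)
        self.state = "tentative"
        return NeighborSolicitation(UNSPECIFIED, self.tentative, self.sent_nonce)

    def receive_ns(self, ns: NeighborSolicitation) -> str:
        """Classify an incoming NS while our address is tentative."""
        if self.state != "tentative" or ns.target != self.tentative or ns.src != UNSPECIFIED:
            return "ignored"
        if self.check_nonce and ns.nonce == self.sent_nonce:
            # plain RFC 4862 treats any NS from :: for our target as a competing DAD probe;
            # with nonce semantics, a copy carrying our own nonce is our own packet replayed
            return "replay"
        self.state = "duplicate"
        return "collision"

    def finish_dad(self) -> str:
        """DAD window elapsed: the address is ours unless a real collision was seen."""
        if self.state == "tentative":
            self.state = "assigned"
        return self.state


def run_dad(tentative: str,
            link_delivers: Callable[[NeighborSolicitation], List[NeighborSolicitation]],
            check_nonce: bool = True) -> str:
    """link_delivers(probe) returns the NS messages the node hears back within the DAD window."""
    node = DadNode(tentative, check_nonce)
    probe = node.start_dad()
    for ns in link_delivers(probe):
        node.receive_ns(ns)
    return node.finish_dad()


def replaying_link(probe: NeighborSolicitation) -> List[NeighborSolicitation]:
    # constructed scenario from the talk: the probe comes straight back, unchanged
    return [probe]


def competing_link(probe: NeighborSolicitation) -> List[NeighborSolicitation]:
    # constructed scenario: another node really is probing the same address, with its own nonce
    return [NeighborSolicitation(UNSPECIFIED, probe.target, secrets.token_bytes(6))]


if __name__ == "__main__":
    for name, link in (("replay", replaying_link), ("competing", competing_link)):
        print(name,
              "without check:", run_dad("2001:db8::1", link, check_nonce=False),
              "with check:", run_dad("2001:db8::1", link, check_nonce=True))
```

The nonce check only discards a probe whose nonce equals the one this node just sent, so a genuine competing DAD probe (different nonce) still produces a collision, which is why the slide lists the mitigation as backward compatible with no known side effect.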

  21. Conclusion
  ● National Institute of Standards and Technology (NIST) to advise the use of SEND in IPv6 deployments
  ● New working group forming in the IETF (CSI); we will advise them to correct the flaw in the next specification
  Any questions?

  22. SEND daemon
  Details on the NTT Docomo implementation:

  23. SEND Deployment

  24. Certification Path in SEND
