Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
draft-ietf-v6ops-ra-guard-implementation-04

Document Type Active Internet-Draft (v6ops WG)
Last updated 2012-10-26 (latest revision 2012-05-22)
Replaces draft-gont-v6ops-ra-guard-implementation
Stream IETF
Intended RFC status Best Current Practice
Stream WG state WG Document
Document shepherd None
IESG state In Last Call (ends 2012-11-09)
Consensus Boilerplate Unknown
Responsible AD Ron Bonica
IESG note Joel Jaeggli (joelja@bogus.com) is the document shepherd.
Send notices to v6ops-chairs@tools.ietf.org, draft-ietf-v6ops-ra-guard-implementation@tools.ietf.org
IPv6 Operations Working Group (v6ops)                            F. Gont
Internet-Draft                                                   UK CPNI
Updates: 6105 (if approved)                                 May 22, 2012
Intended status: BCP
Expires: November 23, 2012

  Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)
              draft-ietf-v6ops-ra-guard-implementation-04

Abstract

   The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly
   employed to mitigate attack vectors based on forged ICMPv6 Router
   Advertisement messages.  Many existing IPv6 deployments rely on RA-
   Guard as the first line of defense against these attack vectors.
   However, some implementations of RA-Guard have been found to be
   prone to circumvention by employing IPv6 Extension Headers.  This
   document describes the evasion techniques that affect those
   implementations, and formally updates RFC 6105 such that these
   RA-Guard evasion vectors are eliminated.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 23, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

Gont                    Expires November 23, 2012               [Page 1]
Internet-Draft       RA-Guard Implementation Advice             May 2012

   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Evasion techniques for some Router Advertisement Guard (RA
       Guard) implementations . . . . . . . . . . . . . . . . . . . .  4
     2.1.  Attack Vector based on IPv6 Extension Headers  . . . . . .  4
     2.2.  Attack vector based on IPv6 fragmentation  . . . . . . . .  4
   3.  RA-Guard implementation advice . . . . . . . . . . . . . . . .  8
   4.  Other Implications . . . . . . . . . . . . . . . . . . . . . . 11
   5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 15
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 15
   Appendix A.  Assessment tools  . . . . . . . . . . . . . . . . . . 17
   Appendix B.  Advice and guidance to vendors  . . . . . . . . . . . 18
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 19


1.  Introduction

   IPv6 Router Advertisement Guard (RA-Guard) is a mitigation technique
   for attack vectors based on ICMPv6 Router Advertisement messages.
   [RFC6104] describes the problem statement of "Rogue IPv6 Router
   Advertisements", and [RFC6105] specifies the "IPv6 Router
   Advertisement Guard" functionality.

   The concept behind RA-Guard is that a layer-2 device filters ICMPv6
   Router Advertisement messages, according to a number of different
   criteria.  The most basic filtering criterion is that Router
   Advertisement messages are discarded by the layer-2 device unless
   they are received on a specified port of the layer-2 device.
   Clearly, the effectiveness of the RA-Guard mitigation relies on the
   ability of the layer-2 device to identify ICMPv6 Router Advertisement
   messages.
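   The identification step is where the extension-header problem described
   in the Abstract bites: a filter that decides from the Next Header field
   of the fixed IPv6 header alone never sees an RA that sits behind a
   Destination Options or similar header.  The following is an added
   example (not code from this document or from any RA-Guard vendor) that
   contrasts such a naive check with a classifier that walks the whole
   header chain; the packets are constructed samples, and the choice to
   drop packets whose upper-layer header cannot be determined (non-first
   fragments, truncated chains) is an assumption of the example, left as
   a parameter for the operator.

```python
import struct

ICMPV6, ROUTER_ADVERTISEMENT, FRAGMENT = 58, 134, 44
EXT_HEADERS = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options (8-octet-unit length)

def naive_is_ra(pkt: bytes) -> bool:
    """Filter that only inspects the fixed IPv6 header: an RA placed behind
    any extension header is missed."""
    return pkt[6] == ICMPV6 and len(pkt) > 40 and pkt[40] == ROUTER_ADVERTISEMENT

def classify(pkt: bytes) -> str:
    """Walk the entire header chain. Returns 'ra', 'not-ra', or 'undetermined'
    when the upper-layer header is not in this packet. AH/ESP not handled."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "not-ra"
    nxt, off = pkt[6], 40
    while True:
        if nxt != ICMPV6 and nxt != FRAGMENT and nxt not in EXT_HEADERS:
            return "not-ra"  # TCP, UDP, ...: not a Router Advertisement
        need = 1 if nxt == ICMPV6 else 8 if nxt == FRAGMENT else 2
        if off + need > len(pkt):
            return "undetermined"  # header chain runs past the end of the packet
        if nxt == ICMPV6:
            return "ra" if pkt[off] == ROUTER_ADVERTISEMENT else "not-ra"
        if nxt == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return "undetermined"  # non-first fragment: upper layer is in fragment 0
            nxt, off = pkt[off], off + 8
        else:
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8

def should_forward(pkt: bytes, on_router_port: bool, drop_undetermined: bool = True) -> bool:
    """Port policy: RAs pass only on the designated router port. Dropping
    'undetermined' packets is the conservative default assumed here."""
    verdict = classify(pkt)
    if verdict == "ra":
        return on_router_port
    return verdict == "not-ra" or not drop_undetermined

def ipv6(nxt: int, payload: bytes) -> bytes:
    """Fixed IPv6 header for the constructed samples (fe80::1 -> ff02::1, hop limit 255)."""
    src, dst = bytes.fromhex("fe80" + "00" * 13 + "01"), bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 0x60000000, len(payload), nxt, 255) + src + dst + payload

# Constructed sample packets (ICMPv6 checksum left zero; it plays no role here).
RA_ICMP = bytes([ROUTER_ADVERTISEMENT, 0, 0, 0]) + bytes(12)
PLAIN_RA = ipv6(ICMPV6, RA_ICMP)
DSTOPT_RA = ipv6(60, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA_ICMP)  # PadN option, then RA
SECOND_FRAG = ipv6(FRAGMENT, bytes([ICMPV6, 0, 0x00, 0x40]) + bytes(4) + bytes(16))
```

   Running naive_is_ra against DSTOPT_RA returns False while classify
   returns "ra", which is exactly the gap the following sections describe.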

   Some popular RA-Guard implementations have been found to be easy to
   circumvent by employing IPv6 extension headers [CPNI-IPv6].  This
   document describes such evasion techniques, and provides advice to