ND improvement to prevent Man-in-the-middle attack
draft-vasilenko-6man-nd-mitm-protection-00
Document Type: Active Internet-Draft (individual)
Authors: Eduard V, XiPeng Xiao
Last updated: 2020-09-24
Stream: (None)
Intended RFC status: (None)
Formats: plain text, pdf, htmlized, bibtex
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: I-D Exists
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)
IPv6 Maintenance (6man) Working Group                       E. Vasilenko
Internet Draft                                                   X. Xiao
Updates: 4861, 4862 (if approved)                    Huawei Technologies
Intended status: Standards Track                      September 24, 2020
Expires: March 2021
ND improvement to prevent Man-in-the-middle attack
draft-vasilenko-6man-nd-mitm-protection-00
Abstract
Privacy protection is a growing concern of many governments and of
the public in general. ND has a few still-open man-in-the-middle
attack vectors. MITM is considered among the most dangerous attack
types because of the information leakage it causes. This document
proposes minimal modifications to ND to protect IPv6 nodes against
these still-open MITM attacks. The modifications can be implemented
gradually on any node, with the biggest benefit coming from support
on routers.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
This Internet-Draft will expire in March 2021.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Vasilenko Expires March 24, 2021 [Page 1]
Internet-Draft ND-MITM-protection September 2020
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
Table of Contents
1. Terminology and pre-requisite..................................2
2. Introduction...................................................3
3. Security vulnerabilities.......................................4
3.1. Rewrite by unsolicited NA.................................4
3.2. Be the first and suppress DAD.............................5
3.3. Win the race just after DAD...............................6
3.4. Implications for off-link nodes...........................6
3.5. Speed up by [Gratuitous ND]...............................6
4. Solution - Security DAD........................................7
4.1. Standards modifications...................................8
4.1.1. Modifications to [ND]................................8
4.1.2. Modifications to [SLAAC]............................11
4.2. Interoperability analysis................................11
5. Applicability analysis........................................13
5.1. Performance analysis.....................................13
5.2. Usability analysis.......................................15
5.3. DoS level analysis.......................................16
6. Security Considerations.......................................16
7. IANA Considerations...........................................16
8. References....................................................17
8.1. Normative References.....................................17
8.2. Informative References...................................18
9. Acknowledgments...............................................18
1. Terminology and pre-requisite
Good knowledge of [ND] is assumed, and it is referenced frequently.
Many terms are inherited from [ND]. Additional terms are introduced:
Security DAD: Duplicate Address Detection performed as a security
check at the time a Link Layer Address is written or rewritten
Intruder: The node under the control of a malicious third party
Intercepted Victim: The node that could lose the privacy of
communication
Poisoned Victim: The node that could suffer an unauthorized
modification of a Neighbor Cache entry; depending on the
scenario, it could additionally lose the privacy of