MIPv6 Internet Draft                                       Sachin Dutta
Document: draft-dutta-mip6-ra-00.txt                   Deshbandhu Sinha
Expires: January 2006                                      Suraj Shetty
                                                          Mao Shanxiang
                                                    Huawei Technologies
                                                              July 2005


                   Securing Home Agent List in MIP6


Status of this Memo

   This document is a submission by the MIP6 Working Group of the
   Internet Engineering Task Force (IETF).  Comments should be submitted
   to the mip6@ietf.org mailing list.

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she becomes aware will be disclosed, in accordance with
   Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document identifies one type of denial of service attack that
   is possible in Mobile IPv6 and proposes a solution for it.  In MIP6
   each Home Agent is required to maintain a Home Agent List.  This
   list is built from Router Advertisement (RA) messages received on
   the home link, and the addresses learned are returned to a Mobile
   Node when it performs Dynamic Home Agent Address Discovery.


Dutta, et al.             Expires - January 2006               [Page 1]

Internet Draft        Securing Home Agent List in MIP6        July 2005

   On learning this list the Mobile Node tries to register with the
   addresses in it one by one, in order of preference.  If the home
   link is flooded with spurious RA packets carrying a high preference
   value, the Home Agent List is populated with unreachable addresses
   and no Mobile Node of that home network is able to register.  This
   document proposes to confirm the reachability of each learned Home
   Agent before its entry in the Home Agent List is used.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [1].

Table of Contents

   1. Introduction
   2. Problem
   3. Solution
      3.1 Receiving RA messages
      3.2 Success of Neighbor reachability detection
      3.3 Failure of Neighbor reachability detection
      3.4 Receiving Dynamic Home Agent Discovery Request Message
      3.5 Interface ceases to act as a Home Agent Interface
   4. Changes required in MIP6
   5. Formal Syntax
   Security Considerations
   References
   Acknowledgments
   Author's Addresses

1. Introduction

   In Mobile IPv6 each Home Agent is required to maintain a Home Agent
   List, which contains all Home Agents on the home link along with
   their global addresses.  In the Dynamic Home Agent Address Discovery
   mechanism a Home Agent replies to a Home Agent discovery request
   with the addresses present in this Home Agent List.
   The Home Agent List is populated from RA messages received on the
   home link.  This document identifies the denial of service attack
   made possible by spurious RAs and proposes a solution for it.

2. Problem

   The on-link Home Agent List is maintained by each Home Agent from
   the information carried in RA messages.  If a malicious node floods
   RA messages on behalf of non-existent nodes, the Home Agent List is
   populated with incorrect entries, because the Home Agent performs no
   verification of an RA before updating its Home Agent List.  On
   receiving a spurious RA, the Home Agent List is updated with the
   advertised addresses.

   When a Mobile Node moves to a foreign network and starts the Dynamic
   Home Agent Address Discovery process, the Home Agent returns the
   list of addresses it has learned in this way.  The Mobile Node then
   attempts to register with each of these addresses in turn, waiting
   at least InitialBindackTimeoutFirstReg (1.5 seconds) for each
   attempt.  Since the spurious addresses do not belong to any node,
   they are not reachable.  If the first valid address in the list
   follows a number of invalid addresses, the Mobile Node obtains
   service only after a long delay; if there is no valid address in
   the list at all, the Mobile Node never obtains service.

3. Solution

   To keep spurious Home Agent addresses out of the list, the Home
   Agent deploys a mechanism that ensures that every address learned is
   reachable and belongs to an on-link Home Agent.  A state is
   associated with each entry in the Home Agent List; the state is
   either STALE or REACHABLE.  The transitions between these states are
   described in the following sub-sections.
3.1 Receiving RA messages

   Whenever an RA with the H bit set is received on a Home Agent
   interface, the Home Agent SHOULD do the following processing:

   o  If an entry already exists with the same link-local address and
      its state is REACHABLE, update the existing entry directly.

   o  If no entry is present in the Home Agent List, then:

      o  Add the entry to the Home Agent List with state STALE (as in
         Neighbor Discovery, where an entry created in the Neighbor
         Cache from an RA is added in the STALE state).

      o  After adding the entry, start Neighbor Unreachability
         Detection (NUD) as per RFC 2461 [2] for that link-local
         address.

   o  If the entry exists and its state is STALE, ignore this RA
      message.

   Apart from the existing checks specified in RFC 3775 [4], the
   following additional checks SHOULD be done:

   o  If the H bit is set in the RA but the RA does not contain any
      global address (i.e. the R flag is not set in any of the Prefix
      Information options received), this RA MUST be discarded.

   o  If the preference value in the received RA is out of the range
      specified by RFC 3775 [4], the received RA SHOULD be discarded.

3.2 Success of Neighbor reachability detection

   Processing NA messages: whenever an NA is received and Home Agent
   functionality is enabled, the Home Agent SHOULD do the following
   processing:

   o  On receiving the NA, after checking the Neighbor Cache, the Home
      Agent List is also queried.  If an entry exists in the Home Agent
      List for the sender and its state is STALE, its state is changed
      to REACHABLE.

3.3 Failure of Neighbor reachability detection

   If no reply is received to the Neighbor Solicitations for that
   link-local address and Neighbor Unreachability Detection fails, the
   corresponding STALE entry MUST be deleted from the Home Agent List.
3.4 Receiving Dynamic Home Agent Discovery Request Message

   Whenever a DHAAD Request message is received, the HA prepares the
   DHAAD Reply message adhering to the following rules:

   o  The HA SHOULD only send back the global addresses of entries in
      the Home Agent List whose state is REACHABLE.

   o  In case the DHAAD Reply message would become larger than the
      PMTU, the HA MUST include its own Home Agent address.  This
      ensures that the Mobile Node receives at least one valid,
      reachable Home Agent address.

3.5 Interface ceases to act as a Home Agent Interface

   Home Agent functionality is configurable.  If, by configuration or
   otherwise, an interface ceases to act as a Home Agent interface, the
   Home Agent SHOULD send a final RA message with the H bit set to 0,
   to indicate to the other Home Agents on the link that they should
   update their Home Agent Lists and delete the entry corresponding to
   this Home Agent.

4. Changes required in MIP6

   o  An additional flag is required in each Home Agent List entry to
      maintain the state of the entry.

5. Formal Syntax

   The following syntax specification uses the augmented Backus-Naur
   Form (BNF) as described in RFC 2234.

Security Considerations

   This draft enhances the security of RA processing by confirming the
   link-layer address of the sender.  Note that this check only
   verifies that some node on the link answers Neighbor Solicitations
   for the advertised link-local address.  An attacker that is itself
   on the home link and able to send the spurious RAs can also answer
   the Neighbor Solicitations for the link-local addresses it
   advertises; the mechanism therefore removes addresses that no node
   answers for, but does not by itself stop an active on-link attacker.

   A further improvement to this solution would be to carry out NUD for
   each of the global addresses received in the RA and to maintain a
   state for each of those global addresses.

References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery
        for IP Version 6 (IPv6)", RFC 2461, December 1998.

   [3]  Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6)
        Addressing Architecture", RFC 3513, April 2003.

   [4]  Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in
        IPv6", RFC 3775, June 2004.
   All references are normative.

Acknowledgments

   Our sincere thanks to Saurabh Rastogi for his constant encouragement
   and to Keshava A.K. for his guidance and review during the
   development of this specification.

Author's Addresses

   Sachin Dutta
   Huawei Technologies India Pvt. Ltd.
   Level-3, Leela Galleria
   The Leela Palace, Airport Road
   Bangalore, India
   Phone: +91-080-25217152
   Email: sachind@huawei.com

   Deshbandhu Sinha
   Huawei Technologies India Pvt. Ltd.
   Level-3, Leela Galleria
   The Leela Palace, Airport Road
   Bangalore, India
   Phone: +91-080-25217152
   Email: deshbandhus@huawei.com

   Suraj Shetty
   Huawei Technologies India Pvt. Ltd.
   Level-3, Leela Galleria
   The Leela Palace, Airport Road
   Bangalore, India
   Phone: +91-080-25217152
   Email: surajs@huawei.com

   Mao Shanxiang
   Huawei Technologies Co., Ltd.
   Shenzhen, China
   Email: maoshx@huawei.com

Disclaimer of Validity

   "This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."

Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

APPENDIX A: Home Agent State Machine

   State      Event                     Action                 New state
   ---------  ------------------------  ---------------------  ---------
   -          RA with H bit set         Create entry           STALE
   -          Any other message than    No action              -
              RA
   STALE      Reachability timeout      Delete the             -
                                        corresponding Home
                                        Agent entry
   STALE      RA with H bit set for     Discard RA             STALE
              that link-local address
   STALE      NA for that link-local    Update the state       REACHABLE
              address
   REACHABLE  RA with H bit set for     Update the global      REACHABLE
              that link-local address   addresses and timers
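The following Python program is an added example written for this page; it is not code from the draft or from any Mobile IPv6 implementation.  It models the on-link Home Agent List of one Home Agent under the rules of Sections 3.1 to 3.5 and the state machine of Appendix A, then replays the Section 2 attack: an attacker floods RAs with the H bit set and a high preference for addresses that no node owns, NUD fails for every spoofed entry, and the DHAAD Reply ends up carrying only the genuine Home Agent and the replying HA itself.  The NS/NA exchange of NUD is abstracted into nud_succeeded and nud_failed events; the class and method names, the sample addresses, and the fixed per-message overhead used in the PMTU check are assumptions of this example, not taken from the draft.

```python
"""Simulation of the draft's Home Agent List state machine (added example).

Not the draft's code.  Names, sample addresses and the 48-byte per-message
overhead assumed for the PMTU check are illustrative assumptions.
"""
from dataclasses import dataclass

STALE, REACHABLE = "STALE", "REACHABLE"


@dataclass
class HAEntry:
    link_local: str        # source address of the RA (key of the list)
    global_addrs: list     # global addresses from R-flagged prefixes
    preference: int        # Home Agent preference carried in the RA
    lifetime: int          # Home Agent lifetime carried in the RA
    state: str = STALE


class HomeAgentList:
    def __init__(self, self_ll, self_address, preference=0, pmtu=1280):
        self.self_address = self_address
        self.pmtu = pmtu
        # RFC 3775 keeps the HA itself in its own list; it is trivially
        # reachable, so its entry starts in REACHABLE.
        self.entries = {self_ll: HAEntry(self_ll, [self_address],
                                         preference, 1800, REACHABLE)}

    def receive_ra(self, src_ll, h_bit, global_addrs, preference=0,
                   lifetime=1800):
        """Sections 3.1 and 3.5: RA received on the home-agent interface."""
        if not h_bit:
            # Section 3.5: a final RA with H=0 withdraws the sender's entry.
            return "withdrawn" if self.entries.pop(src_ll, None) else "ignored"
        if not global_addrs:
            # H set but no Prefix Information option carries the R flag.
            return "discarded"
        entry = self.entries.get(src_ll)
        if entry is None:
            self.entries[src_ll] = HAEntry(src_ll, list(global_addrs),
                                           preference, lifetime)
            return "stale+nud"   # caller must now start NUD toward src_ll
        if entry.state == STALE:
            return "ignored"     # unverified entry: RA does not refresh it
        entry.global_addrs = list(global_addrs)
        entry.preference, entry.lifetime = preference, lifetime
        return "updated"

    def nud_succeeded(self, src_ll):
        """Section 3.2: a solicited NA arrived from src_ll."""
        entry = self.entries.get(src_ll)
        if entry is None or entry.state != STALE:
            return False
        entry.state = REACHABLE
        return True

    def nud_failed(self, src_ll):
        """Section 3.3: NUD timed out; the STALE entry is deleted."""
        entry = self.entries.get(src_ll)
        if entry is None or entry.state != STALE:
            return False
        del self.entries[src_ll]
        return True

    def dhaad_reply_addresses(self):
        """Section 3.4: addresses carried in the DHAAD Reply."""
        reachable = sorted((e for e in self.entries.values()
                            if e.state == REACHABLE),
                           key=lambda e: e.preference, reverse=True)
        addrs = [a for e in reachable for a in e.global_addrs]
        # Assumed overhead: 40-byte IPv6 header + 8-byte Mobility Header;
        # each Home Agent address is 16 bytes.
        fit = (self.pmtu - 48) // 16
        if len(addrs) > fit:
            # Reply would exceed the PMTU: truncate, but the HA's own
            # address MUST be present so the MN gets one reachable HA.
            addrs = addrs[:fit]
            if self.self_address not in addrs:
                addrs[-1] = self.self_address
        return addrs


def simulate_spurious_ra_flood(n_spurious=50):
    """Section 2 attack replayed against the state machine.

    Returns the list size before NUD resolves (what an unverified list
    would hand out) and the DHAAD Reply after NUD has resolved.
    """
    hal = HomeAgentList("fe80::1", "2001:db8:1::1")
    # Constructed traffic: fe80::bad:N / 2001:db8:1::bad:N are attacker-
    # chosen addresses that no node on the link owns.
    spoofed = [("fe80::bad:%x" % i, ["2001:db8:1::bad:%x" % i])
               for i in range(1, n_spurious + 1)]
    for ll, gaddrs in spoofed:
        hal.receive_ra(ll, True, gaddrs, preference=32767)
    hal.receive_ra("fe80::2", True, ["2001:db8:1::2"], preference=10)
    unverified = len(hal.entries)
    # Only the genuine Home Agent answers its Neighbor Solicitation.
    for ll, _ in spoofed:
        hal.nud_failed(ll)
    hal.nud_succeeded("fe80::2")
    return {"unverified": unverified, "reply": hal.dhaad_reply_addresses()}


if __name__ == "__main__":
    print(simulate_spurious_ra_flood())
```

With 50 spoofed RAs the unverified list holds 52 entries, all but one of them useless to a Mobile Node; after NUD the reply is just the genuine HA (preference 10) followed by the replying HA itself.  Passing a small pmtu to HomeAgentList exercises the truncation rule of Section 3.4: the reply is cut to what fits and the HA's own address replaces the last slot if it would otherwise be dropped.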