Internet DRAFT - draft-gont-v6ops-slaac-issues-with-duplicate-macs
draft-gont-v6ops-slaac-issues-with-duplicate-macs
IPv6 Operations Working Group (v6ops) F. Gont
Internet-Draft Huawei Technologies
Intended status: Informational October 15, 2012
Expires: April 18, 2013
Interoperability Problems of StateLess Address Auto-Configuration
(SLAAC) Arising from Duplicate Link-layer Addresses
draft-gont-v6ops-slaac-issues-with-duplicate-macs-00
Abstract
Traditional Stateless Address Auto-Configuration (SLAAC) typically
involves producing a Modified-EU64 format identifier to be employed
as the Interface-ID of the resulting address. In the case of
Ethernet network interface cards, such identifier derived from the
corresponding IEEE 802 address. IEEE 802 addresses are generally
expected to be globally unique, thus resulting in non-duplicate
addresses. However, in many real-world scenarios, these identifiers
fail to be unique, thus resulting in duplicate IPv6 addresses. This
document discusses the interoperability problems arising from
duplicate IEEE 802 addresses with IPv6 Stateless Address Auto-
Configuration (SLAAC), and how some popular implementations react
when the such problems arise. Finally, it discusses possible
mitigations for the aforementioned issue.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. This document may not be modified,
and derivative works of it may not be created, and it may not be
published except as an Internet-Draft.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 18, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
Gont Expires April 18, 2013 [Page 1]
Internet-Draft VPN traffic leakages October 2012
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Duplicate IEEE 802 addresses in the real world . . . . . . . . 4
3. IEEE-derived Modified EUI-64 format identifiers . . . . . . . 5
4. Duplicate Address Detection (DAD) implementations . . . . . . 6
5. Mitigations to the problem of SLAAC failures due to
duplicate IEEE 802 addresses . . . . . . . . . . . . . . . . . 7
5.1. Implementing some DAD-failure recovery algorithm . . . . . 7
5.2. Replacing Modified EUI-64 format identifiers based on
IEEE 802 addresses . . . . . . . . . . . . . . . . . . . . 7
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 9
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
9.1. Normative References . . . . . . . . . . . . . . . . . . . 11
9.2. Informative References . . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
Gont Expires April 18, 2013 [Page 2]
Internet-Draft VPN traffic leakages October 2012
1. Introduction
IPv6 Stateless Address Auto-Configuration (SLAAC) [RFC4862] for
Ethernet network interface cards typically involves generating a
Modified EUI64 format identifier derived from the IEEE 802 address of
the underlying in network interface card. Such Modified EUI-64
format identifier is then employed as the Interface-ID part of the
resulting IPv6 address. Since the IEEE 802 addresses are generally
expected to be globally-unique, the aforementioned algorithm is
expected to result in unique addresses.
In any case, in order to prevent two systems from configuring the
same address on the same network segment, [RFC4862] specifies a
mechanism called "Duplicate Address Detection" (DAD), which employs
Neighbor Solicitation and Neighbor Advertisement messages to detect
whether a candidate IPv6 address is already in use on the local
network. DAD is meant only to *detect* an address conflict: it is up
to the implementation what to do if/once such a conflict is detected
-- and the current SLAAC specification [RFC4862] essentially leaves
possible algorithms to resolve the aforementioned DAD failure
unspecified.
In practice, virtually all implementation do not employ any algorithm
for resolving duplicate address conflicts, and therefore such event
leads to a failure of IPv6 stateless address configuration.
Section 2 discusses the occurrence of duplicate IEEE 802 addresses in
some detail. Section 3 analyzes the pros and cons of generating
Modified EUI-64 format identifiers by essentially embedding a IEEE
802 address in the aforementioned identifier. Section 4 provides
some details regarding how different implementations behave in the
presence of DAD failures. Finally, Section 5 discusses possible
mitigations for the aforementioned issue.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Gont Expires April 18, 2013 [Page 3]
Internet-Draft VPN traffic leakages October 2012
2. Duplicate IEEE 802 addresses in the real world
IEEE 802 addresses are, in principle, not necessarily unique: the U/L
bit the in the IEEE Organizational Unique Identifier (OUI) implies,
when clear, a globally-unique IEEE 802 address, but indicates a non-
unique ("local") address when set. However, most products ship with
IEEE 802 addresses that have the U/L bit set, thus implying globally-
unique IEEE 802 addresses.
However, in practice, even if when the U/L bit is clear, the
corresponding IEEE 802 address might be non-unique. There are a
number of reasons for which duplicate IEEE 802 addresses might exist
in a given network:
o Some vendors have been found to simply "reuse" IEEE 802 addreses
o Virtualization technologies, such as VirtualBox, essentially
select IEEE 802 addresses randomly, from a specific IEEE OUI
[VirtualBox]. This means that it is possible for two virtual
machines to end up employing the same IEEE 802 address for their
respective virtual interfaces.
Besides any assessment of whether duplicate IEEE 802 addresses are
the product of poor engineering choices or not, truth is that
deployed systems might already be employing duplicate addresses, and
hence it is desirable that such scenarios are gracefully handled.
Gont Expires April 18, 2013 [Page 4]
Internet-Draft VPN traffic leakages October 2012
3. IEEE-derived Modified EUI-64 format identifiers
One might argue that the only motivation for producing Modified
EUI-64 format identifiers as specified in [RFC2464] are:
o In theory, it is a simple algorithm to produce globally-unique
Modified EUI-64 format identifiers.
o Until recently, it was the only algorithm to produce stable
Interface-IDs that had so far been standardized.
The privacy extensions specified in [RFC4941] are meant to be
employed *in addition* to traditional SLAAC addresses, while
[I-D.ietf-6man-stable-privacy-addresses] is a recent
standardization effort.
Given that IEEE 802 addresses have been found to fail the uniqueness
criteria assumed above, IEEE-derived Modified EUI-64 format
identifiers will also fail the same uniqueness criteria.
Additionally, IEEE-derived identifiers have been found to result in
addresses that are trivial to scan
[I-D.gont-opsec-ipv6-host-scanning], and that negatively affect the
privacy of users [I-D.ietf-6man-stable-privacy-addresses] [RFC4941].
While it is true producing modified EUI64 format identifiers is the
only scheme that has so far been fully standardized, there is ongoing
work at the 6man wg to standardize an alternative scheme for
producing stable modified EUI-64 format identifiers, which does not
suffer from any of the drawbacks of modified EUI-64 format
identifiers based on IEEE-identifiers.
At lest discussions in IETF circles seem to indicate that the
drawbacks of modified EUI-64 format identifiers based on IEEE-
identifiers are well-understood, and that there seems to be agreement
that "they should be replaced with some alternative scheme".
Gont Expires April 18, 2013 [Page 5]
Internet-Draft VPN traffic leakages October 2012
4. Duplicate Address Detection (DAD) implementations
Different IPv6 stacks differ in some DAD implementations details,
and, most importantly, on how they handle DAD failures. For example,
different IPv6 stacks may send a different number of DAD probes
before DAD is considered to have succeeded. Additionally, they
typically differ on how they handle DAD failures. For example, in
the Linux IPv6 stack, if DAD fails for a link-local address, it
results in a "permanent" SLAAC failure that requires the admin to
reboot the system in order for SLAAC to be re-attempted. On the
other hand, DAD failure for non-link-local addresses is more of a
"soft failure", and hence SLAAC might succeed some time later when a
new Router Advertisement message that triggers SLAAC is received.
Gont Expires April 18, 2013 [Page 6]
Internet-Draft VPN traffic leakages October 2012
5. Mitigations to the problem of SLAAC failures due to duplicate IEEE
802 addresses
5.1. Implementing some DAD-failure recovery algorithm
One simple algorithm to resolve DAD failures could be such that, in
the event of such failures, simply generates a new IPv6 tentative
address by incrementing the Interface-ID of the tentative IPv6
address that previously failed DAD.
5.2. Replacing Modified EUI-64 format identifiers based on IEEE 802
addresses
A different approach to solve the problems arising from DAD failures
would be to realize that there are a number of factors that make
modified EUI64 format identifiers based on IEEE 802 addresses
undesirable, and hence recommend the implementation of
[I-D.ietf-6man-stable-privacy-addresses] in replacement of the IEEE-
derived modified EUI-64 format identifiers.
Gont Expires April 18, 2013 [Page 7]
Internet-Draft VPN traffic leakages October 2012
6. IANA Considerations
This document has no actions for IANA.
Gont Expires April 18, 2013 [Page 8]
Internet-Draft VPN traffic leakages October 2012
7. Security Considerations
This document discusses an interoperability problem that may arise as
a result of employing duplicate IEEE 802 addresses in the same
network segment. Failure to gracefully handle DAD failures may allow
an attacker to perform a Denial of Service attack against the victim
implementation.
Such attacks could be readily performed with packet-crafting tools
such as [SI6-Toolkit] and [THC-IPv6].
A more resilient approach might be to perform DAD for some maximum
number of tentative IPv6 addresses, and to not perform DAD at all for
the last of those address.
Obviously, this might lead to undesirable results if such "last"
address was a real duplicate of an address currently in use at the
local network.
In any case, as noted earlier in this document, IEEE-derived modified
EUI64 format identifiers have undesirable properties in the areas of
host tracking and host privacy, and hence the interoperability
problem discussed in this document could be considered as yet another
reason to replace such identifiers with some alternative scheme, such
as that specified in [I-D.ietf-6man-stable-privacy-addresses]
Gont Expires April 18, 2013 [Page 9]
Internet-Draft VPN traffic leakages October 2012
8. Acknowledgements
This documents has benefited from the input of a number of people in
a discussion of this topic on the v6ops wg mailing-list [V6OPS-LIST].
Gont Expires April 18, 2013 [Page 10]
Internet-Draft VPN traffic leakages October 2012
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2464] Crawford, M., "Transmission of IPv6 Packets over Ethernet
Networks", RFC 2464, December 1998.
[RFC4862] Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
Address Autoconfiguration", RFC 4862, September 2007.
[RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy
Extensions for Stateless Address Autoconfiguration in
IPv6", RFC 4941, September 2007.
9.2. Informative References
[I-D.ietf-6man-stable-privacy-addresses]
Gont, F., "A method for Generating Stable Privacy-Enhanced
Addresses with IPv6 Stateless Address Autoconfiguration
(SLAAC)", draft-ietf-6man-stable-privacy-addresses-01
(work in progress), October 2012.
[I-D.gont-opsec-ipv6-host-scanning]
Gont, F., "Network Reconnaissance in IPv6 Networks",
draft-gont-opsec-ipv6-host-scanning-01 (work in progress),
July 2012.
[VirtualBox]
VirtualBox, "Oracle VM VirtualBox User Manual, version
4.1.2", August 2011, <http://www.virtualbox.org>.
[V6OPS-LIST]
"V6OPS WG mailing-list",
https://www.ietf.org/mailman/listinfo/v6ops.
[SI6-Toolkit]
"SI6 Networks' IPv6 toolkit",
<http://www.si6networks.com/tools/ipv6toolkit>.
[THC-IPv6]
"The Hacker's Choice IPv6 Attack Toolkit",
<http://www.thc.org/thc-ipv6/>.
Gont Expires April 18, 2013 [Page 11]
Internet-Draft VPN traffic leakages October 2012
Author's Address
Fernando Gont
Huawei Technologies
Evaristo Carriego 2644
Haedo, Provincia de Buenos Aires 1706
Argentina
Phone: +54 11 4650 8472
Email: fgont@si6networks.com
URI: http://www.si6networks.com
Gont Expires April 18, 2013 [Page 12]