Internet Engineering Task Force (IETF) G. Nakibly
Request for Comments: 6324 NEWRSC
Category: Informational F. Templin
ISSN: 2070-1721 Boeing Research & Technology
August 2011
Internet Engineering Task Force (IETF) G. Nakibly
Request for Comments: 6324 NEWRSC
Category: Informational F. Templin
ISSN: 2070-1721 Boeing Research & Technology
August 2011
Routing Loop Attack Using IPv6 Automatic Tunnels: Problem Statement and Proposed Mitigations
使用IPv6自动隧道的路由环路攻击:问题陈述和建议的缓解措施
Abstract
摘要
This document is concerned with security vulnerabilities in IPv6-in-IPv4 automatic tunnels. These vulnerabilities allow an attacker to take advantage of inconsistencies between the IPv4 routing state and the IPv6 routing state. The attack forms a routing loop that can be abused as a vehicle for traffic amplification to facilitate denial-of-service (DoS) attacks. The first aim of this document is to inform on this attack and its root causes. The second aim is to present some possible mitigation measures. It should be noted that at the time of this writing there are no known reports of malicious attacks exploiting these vulnerabilities. Nonetheless, these vulnerabilities can be activated by accidental misconfiguration.
本文档涉及IPv6-in-IPv4自动隧道中的安全漏洞。这些漏洞允许攻击者利用IPv4路由状态和IPv6路由状态之间的不一致性。该攻击形成一个路由环路,可被滥用为流量放大的载体,以促进拒绝服务(DoS)攻击。本文件的第一个目的是通报这次攻击及其根源。第二个目的是提出一些可能的缓解措施。应该注意的是,在撰写本文时,还没有已知的关于利用这些漏洞进行恶意攻击的报告。尽管如此,这些漏洞可能会因意外的错误配置而激活。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6324.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6324.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................2
2. A Detailed Description of the Attack ............................4
3. Proposed Mitigation Measures ....................................6
3.1. Verification of Endpoint Existence .........................6
3.1.1. Neighbor Cache Check ................................6
3.1.2. Known IPv4 Address Check ............................7
3.2. Operational Measures .......................................7
3.2.1. Avoiding a Shared IPv4 Link .........................7
3.2.2. A Single Border Router ..............................8
3.2.3. A Comprehensive List of Tunnel Routers ..............9
3.2.4. Avoidance of On-Link Prefixes .......................9
3.3. Destination and Source Address Checks .....................15
3.3.1. Known IPv6 Prefix Check ............................16
4. Recommendations ................................................17
5. Security Considerations ........................................17
6. Acknowledgments ................................................18
7. References .....................................................18
7.1. Normative References ......................................18
7.2. Informative References ....................................19
1. Introduction ....................................................2
2. A Detailed Description of the Attack ............................4
3. Proposed Mitigation Measures ....................................6
3.1. Verification of Endpoint Existence .........................6
3.1.1. Neighbor Cache Check ................................6
3.1.2. Known IPv4 Address Check ............................7
3.2. Operational Measures .......................................7
3.2.1. Avoiding a Shared IPv4 Link .........................7
3.2.2. A Single Border Router ..............................8
3.2.3. A Comprehensive List of Tunnel Routers ..............9
3.2.4. Avoidance of On-Link Prefixes .......................9
3.3. Destination and Source Address Checks .....................15
3.3.1. Known IPv6 Prefix Check ............................16
4. Recommendations ................................................17
5. Security Considerations ........................................17
6. Acknowledgments ................................................18
7. References .....................................................18
7.1. Normative References ......................................18
7.2. Informative References ....................................19
IPv6-in-IPv4 tunnels are an essential part of many migration plans for IPv6. They allow two IPv6 nodes to communicate over an IPv4-only network. Automatic tunnels that assign IPv6 prefixes with stateless address mapping properties (hereafter called "automatic tunnels") are a category of tunnels in which a tunneled packet's egress IPv4 address is embedded within the destination IPv6 address of the packet. An automatic tunnel's router is a router that respectively encapsulates and decapsulates the IPv6 packets into and out of the tunnel.
IPv4隧道中的IPv6是许多IPv6迁移计划的重要组成部分。它们允许两个IPv6节点通过仅IPv4的网络进行通信。分配具有无状态地址映射属性的IPv6前缀的自动隧道(以下称为“自动隧道”)是一类隧道,其中隧道数据包的出口IPv4地址嵌入到数据包的目标IPv6地址中。自动隧道路由器是一种路由器,它分别将IPv6数据包封装和解封到隧道内外。
Reference [USENIX09] pointed out the existence of a vulnerability in the design of IPv6 automatic tunnels. Tunnel routers operate on the implicit assumption that the destination address of an incoming IPv6 packet is always an address of a valid node that can be reached via the tunnel. The assumption of path validity can introduce routing loops as the inconsistency between the IPv4 routing state and the IPv6 routing state allows a routing loop to be formed. Although those loops will not trap normal data, they will catch traffic targeted at addresses that have become unavailable, and misconfigured traffic can enter the loop.
参考文献[Usenix 09]指出IPv6自动隧道设计中存在漏洞。隧道路由器在隐式假设下运行,即传入IPv6数据包的目标地址始终是可通过隧道到达的有效节点的地址。路径有效性的假设可能会引入路由循环,因为IPv4路由状态和IPv6路由状态之间的不一致允许形成路由循环。尽管这些循环不会捕获正常数据,但它们会捕获针对已不可用地址的流量,并且配置错误的流量可能会进入循环。
The looping vulnerability can be triggered accidentally, or exploited maliciously by an attacker crafting a packet that is routed over a tunnel to a node that is not associated with the packet's destination. This node may forward the packet out of the tunnel to the native IPv6 network. There, the packet is routed back to the ingress point, which forwards it back into the tunnel. Consequently, the packet loops in and out of the tunnel. The loop terminates only when the Hop Limit field in the IPv6 header of the packet is decremented to zero. This vulnerability can be abused as a vehicle for traffic amplification to facilitate DoS attacks [RFC4732].
该循环漏洞可能会意外触发,或被攻击者恶意利用,攻击者通过隧道将数据包路由到与数据包目的地无关的节点。该节点可以将数据包从隧道转发到本机IPv6网络。在那里,数据包被路由回入口点,入口点将数据包转发回隧道。因此,数据包循环进出隧道。只有当数据包的IPv6报头中的跃点限制字段减少到零时,循环才会终止。此漏洞可被滥用为流量放大工具,以促进DoS攻击[RFC4732]。
Without compensating security measures in place, all IPv6 automatic tunnels that are based on protocol-41 encapsulation [RFC4213] are vulnerable to such an attack, including the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) [RFC5214], 6to4 [RFC3056], and 6rd (IPv6 Rapid Deployment on IPv4 Infrastructures) [RFC5969]. It should be noted that this document does not consider non-protocol-41 encapsulation attacks. In particular, we do not address the Teredo [RFC4380] attacks described in [USENIX09]. These attacks are considered in [TEREDO-LOOPS].
如果没有适当的补偿安全措施,所有基于协议41封装[RFC4213]的IPv6自动隧道都容易受到此类攻击,包括站点内自动隧道寻址协议(ISATAP)[RFC5214]、6to4[RFC3056]和6rd(IPv4基础设施上的IPv6快速部署)[RFC5969]。应该注意的是,该文档不考虑非协议-41封装攻击。特别是,我们不处理[Usenix 09]中描述的Teredo[RFC4380]攻击。这些攻击在[TEREDO-LOOPS]中考虑。
The aim of this document is to shed light on the routing loop attack and describe possible mitigation measures that should be considered by operators of current IPv6 automatic tunnels and by designers of future ones. We note that tunnels may be deployed in various operational environments, e.g., service provider networks, enterprise networks, etc. Specific issues related to the attack that are derived from the operational environment are not considered in this document.
本文档旨在阐明路由环路攻击,并描述当前IPv6自动隧道运营商和未来自动隧道设计师应考虑的可能缓解措施。我们注意到,隧道可以部署在各种操作环境中,例如,服务提供商网络、企业网络等。本文档不考虑与来自操作环境的攻击相关的特定问题。
Routing loops pose a risk to the stability of a network. Furthermore, they provide an opening for denial-of-service attacks that exploit the existence of the loop to increase the traffic load in the network. Section 3 of this document discusses a number of mitigation measures. The most desirable mitigation, however, is to operate the network in such a way that routing loops cannot take place (see Section 3.2).
路由环路对网络的稳定性构成风险。此外,它们还为拒绝服务攻击提供了机会,这些攻击利用环路的存在来增加网络中的流量负载。本文件第3节讨论了一些缓解措施。然而,最理想的缓解措施是以不会发生路由环路的方式运行网络(见第3.2节)。
In this section, we shall denote an IPv6 address of a node by an IPv6 prefix assigned to the tunnel and an IPv4 address of the tunnel endpoint, i.e., Addr(Prefix, IPv4). Note that the IPv4 address may or may not be part of the prefix (depending on the specification of the tunnel's protocol). The IPv6 address may be dependent on additional bits in the interface ID; however, for our discussion their exact value is not important.
在本节中,我们将通过分配给隧道的IPv6前缀和隧道端点的IPv4地址来表示节点的IPv6地址,即Addr(前缀,IPv4)。请注意,IPv4地址可能是前缀的一部分,也可能不是前缀的一部分(取决于隧道协议的规范)。IPv6地址可能依赖于接口ID中的附加位;然而,对于我们的讨论,它们的确切价值并不重要。
The two victims of this attack are routers -- R1 and R2 -- that service two different tunnel prefixes -- Prf1 and Prf2. Both routers have the capability to forward IPv6 packets in and out of their respective tunnels. The two tunnels need not be based on the same tunnel protocol. The only condition is that the two tunnel protocols be based on protocol-41 encapsulation. The IPv4 address of R1 is IP1, while the prefix of its tunnel is Prf1. IP2 and Prf2 are the respective values for R2. We assume that IP1 and IP2 belong to the same address realm, i.e., they are either both public, or both private and belong to the same internal network. The following network diagram depicts the locations of the two routers. The numbers indicate the packets of the attack and the path they traverse, as described below.
这次攻击的两个受害者是路由器R1和R2,它们为两个不同的隧道前缀Prf1和Prf2提供服务。这两个路由器都能够在各自的隧道内外转发IPv6数据包。这两个隧道不需要基于相同的隧道协议。唯一的条件是这两个隧道协议基于协议-41封装。R1的IPv4地址为IP1,而其隧道的前缀为Prf1。IP2和Prf2分别是R2的值。我们假设IP1和IP2属于同一个地址域,即它们要么都是公共的,要么都是私有的,并且属于同一个内部网络。下面的网络图描述了两个路由器的位置。这些数字表示攻击的数据包及其经过的路径,如下所述。
[ Packet 1 ]
v6src = Addr(Prf1, IP2) [ Packet 2 ]
v6dst = Addr(Prf2, IP1) v6src = Addr(Prf1, IP2)
v4src = IP2; v4dst = IP1 +----------+ v6dst = Addr(Prf2, IP1)
//===========>| Router |-----------------\
|| | R1 | |
|| +----------+ v
.-. .-.
,-( _)-. ,-( _)-.
.-(_ IPv4 )-. .-(_ IPv6 )-.
(__ Network ) (__ Network )
`-(______)-' `-(______)-'
^^ |
|| +----------+ |
\\============| Router |<----------------/
[ Packet 1 ] | R2 | [ Packets 0 and 2 ]
v6src = Addr(Prf1, IP2) +----------+ v6src = Addr(Prf1, IP2)
v6dst = Addr(Prf2, IP1) v6dst = Addr(Prf2, IP1)
v4src = IP2; v4dst = IP1
[ Packet 1 ]
v6src = Addr(Prf1, IP2) [ Packet 2 ]
v6dst = Addr(Prf2, IP1) v6src = Addr(Prf1, IP2)
v4src = IP2; v4dst = IP1 +----------+ v6dst = Addr(Prf2, IP1)
//===========>| Router |-----------------\
|| | R1 | |
|| +----------+ v
.-. .-.
,-( _)-. ,-( _)-.
.-(_ IPv4 )-. .-(_ IPv6 )-.
(__ Network ) (__ Network )
`-(______)-' `-(______)-'
^^ |
|| +----------+ |
\\============| Router |<----------------/
[ Packet 1 ] | R2 | [ Packets 0 and 2 ]
v6src = Addr(Prf1, IP2) +----------+ v6src = Addr(Prf1, IP2)
v6dst = Addr(Prf2, IP1) v6dst = Addr(Prf2, IP1)
v4src = IP2; v4dst = IP1
Legend: ====> - tunneled IPv6, ---> - native IPv6
Legend: ====> - tunneled IPv6, ---> - native IPv6
Figure 1: The Network Setting of the Attack
图1:攻击的网络设置
The attack is initiated by an accidentally or maliciously produced IPv6 packet (packet 0 in Figure 1) destined to a fictitious endpoint that appears to be reached via Prf2 and has IP1 as its IPv4 address, i.e., Addr(Prf2, IP1). The source address of the packet is an address with Prf1 as the prefix and IP2 as the embedded IPv4 address, i.e., Addr(Prf1, IP2). As the prefix of the destination address is Prf2, the packet will be routed over the IPv6 network to R2.
该攻击是由意外或恶意生成的IPv6数据包(图1中的数据包0)发起的,该数据包指向一个虚构的端点,该端点似乎通过Prf2到达,并将IP1作为其IPv4地址,即Addr(Prf2,IP1)。数据包的源地址是以Prf1为前缀,IP2为嵌入IPv4地址的地址,即Addr(Prf1,IP2)。由于目标地址的前缀为Prf2,数据包将通过IPv6网络路由到R2。
R2 receives the packet through its IPv6 interface and forwards it into the tunnel with an IPv4 header having a destination address derived from the IPv6 destination, i.e., IP1. The source address is the address of R2, i.e., IP2. The packet (packet 1 in Figure 1) is routed over the IPv4 network to R1, which receives the packet on its IPv4 interface. It processes the packet as a packet that originates from one of the end nodes of Prf1.
R2通过其IPv6接口接收数据包,并使用IPv4报头将其转发到隧道中,该报头具有从IPv6目的地派生的目的地地址,即IP1。源地址是R2的地址,即IP2。数据包(图1中的数据包1)通过IPv4网络路由到R1,R1通过其IPv4接口接收数据包。它将数据包作为源自Prf1的一个终端节点的数据包进行处理。
Since the IPv4 source address corresponds to the IPv6 source address, R1 will decapsulate the packet. Since the packet's IPv6 destination is outside of Prf1, R1 will forward the packet onto a native IPv6 interface. The forwarded packet (packet 2 in Figure 1) is identical to the original attack packet. Hence, it is routed back to R2, in which the loop starts again. Note that the packet may not necessarily be transported from R1 over the native IPv6 network. R1 may be connected to the IPv6 network through another tunnel.
由于IPv4源地址与IPv6源地址相对应,R1将解除数据包的封装。由于数据包的IPv6目标位于Prf1之外,R1将数据包转发到本机IPv6接口。转发的数据包(图1中的数据包2)与原始攻击数据包相同。因此,它被路由回R2,在R2中循环再次开始。注意,数据包不一定是通过本机IPv6网络从R1传输的。R1可以通过另一个隧道连接到IPv6网络。
The crux of the attack is as follows. The attacker exploits the fact that R2 does not know that R1 does not configure addresses from Prf2 and that R1 does not know that R2 does not configure addresses from Prf1. The IPv4 network acts as a shared link layer for the two tunnels. Hence, the packet is repeatedly forwarded by both routers. It is noted that the attack will fail when the IPv4 network cannot transport packets between the tunnels, for example, when the two routers belong to different IPv4 address realms or when ingress/ egress filtering is exercised between the routers.
攻击的关键如下。攻击者利用以下事实进行攻击:R2不知道R1不从Prf2配置地址,R1不知道R2不从Prf1配置地址。IPv4网络充当两个隧道的共享链路层。因此,包由两个路由器重复转发。请注意,当IPv4网络无法在隧道之间传输数据包时,例如,当两个路由器属于不同的IPv4地址域时,或者当在路由器之间执行入口/出口过滤时,攻击将失败。
The loop will stop when the Hop Limit field of the packet reaches zero. After a single loop, the Hop Limit field is decreased by the number of IPv6 routers on the path from R1 to R2. Therefore, the number of loops is inversely proportional to the number of IPv6 hops between R1 and R2.
当数据包的跃点限制字段达到零时,循环将停止。在单循环之后,跃点限制字段将减少R1到R2路径上IPv6路由器的数量。因此,循环的数量与R1和R2之间的IPv6跳数成反比。
The tunnels used by R1 and R2 may be any combination of automatic tunnel types, e.g., ISATAP, 6to4, and 6rd. This has the exception that both tunnels cannot be of type 6to4, since two 6to4 routers share the same IPv6 prefix, i.e., there is only one 6to4 prefix (2002::/16) in the Internet. For example, if the attack were to be
R1和R2使用的隧道可以是自动隧道类型的任意组合,例如ISATAP、6to4和6rd。这有一个例外,即两个隧道不能都是6to4类型,因为两个6to4路由器共享相同的IPv6前缀,即Internet中只有一个6to4前缀(2002::/16)。例如,如果攻击是
launched on an ISATAP router (R1) and 6to4 relay (R2), then the destination and source addresses of the attack packet would be 2002:IP1:* and Prf1::0200:5efe:IP2, respectively.
在ISATAP路由器(R1)和6to4中继(R2)上启动,则攻击数据包的目标地址和源地址分别为2002:IP1:*和Prf1::0200:5efe:IP2。
This section presents some possible mitigation measures for the attack described above. We shall discuss the advantages and disadvantages of each measure.
本节介绍了上述攻击的一些可能缓解措施。我们将讨论每种措施的优缺点。
The proposed measures fall under the following three categories:
拟议措施分为以下三类:
o Verification of endpoint existence
o 端点存在性的验证
o Operational measures
o 操作措施
o Destination and source address checks
o 目标和源地址检查
The routing loop attack relies on the fact that a router does not know whether there is an endpoint that can be reached via its tunnel that has the source or destination address of the packet. This category includes mitigation measures that aim to verify that there is a node that participates in the tunnel and that its address corresponds to the packet's destination or source addresses, as appropriate.
路由循环攻击依赖于这样一个事实,即路由器不知道是否存在可以通过其隧道到达的端点,该端点具有数据包的源地址或目标地址。此类包括旨在验证是否存在参与隧道的节点以及其地址是否对应于数据包的目的地或源地址(视情况而定)的缓解措施。
One way that the router can verify that an end host exists and can be reached via the tunnel is by checking whether a valid entry exists for it in the neighbor cache of the corresponding tunnel interface. The neighbor cache entry can be populated through, e.g., an initial reachability check, receipt of neighbor discovery messages, administrative configuration, etc.
路由器验证终端主机是否存在以及是否可以通过隧道访问的一种方法是,检查相应隧道接口的邻居缓存中是否存在有效条目。邻居缓存条目可以通过(例如)初始可达性检查、邻居发现消息的接收、管理配置等来填充。
When the router has a packet to send to a potential tunnel host for which there is no neighbor cache entry, it can perform an initial reachability check on the packet's destination address, e.g., as specified in the second paragraph of Section 8.4 of [RFC5214]. (The router can similarly perform a "reverse reachability" check on the packet's source address when it receives a packet from a potential tunnel host for which there is no neighbor cache entry.) This reachability check parallels the address resolution specifications in Section 7.2 of [RFC4861], i.e., the router maintains a small queue of packets waiting for reachability confirmation to complete. If confirmation succeeds, the router discovers that a legitimate tunnel
当路由器有一个数据包要发送到没有邻居缓存条目的潜在隧道主机时,它可以对该数据包的目的地址执行初始可达性检查,例如,如[RFC5214]第8.4节第二段所述。(当路由器从没有邻居缓存条目的潜在隧道主机接收数据包时,同样可以对数据包的源地址执行“反向可达性”检查。)此可达性检查与[RFC4861]第7.2节中的地址解析规范平行,即。,路由器维护一小队等待可达性确认完成的数据包。如果确认成功,路由器会发现一个合法的隧道
host responds to the address. Otherwise, the router discards subsequent packets and returns ICMP destination unreachable indications as specified in Section 7.2.2 of [RFC4861].
主机响应地址。否则,路由器将丢弃后续数据包并返回[RFC4861]第7.2.2节中规定的ICMP目的地不可到达指示。
Note that this approach assumes that the neighbor cache will remain coherent and not be subject to malicious attack, which must be confirmed based on specific deployment scenarios. One possible way for an attacker to subvert the neighbor cache is to send false neighbor discovery messages with a spoofed source address.
请注意,此方法假定邻居缓存将保持一致,并且不会受到恶意攻击,这必须根据特定部署场景进行确认。攻击者破坏邻居缓存的一种可能方式是使用伪造的源地址发送虚假的邻居发现消息。
Another approach that enables a router to verify that an end host exists and can be reached via the tunnel is simply by pre-configuring the router with the set of IPv4 addresses and prefixes that are authorized to use the tunnel. Upon this configuration, the router can perform the following simple checks:
另一种使路由器能够验证终端主机是否存在以及是否可以通过隧道访问的方法是,只需使用授权使用隧道的一组IPv4地址和前缀对路由器进行预配置。根据此配置,路由器可以执行以下简单检查:
o When the router forwards an IPv6 packet into the tunnel interface with a destination address that matches an on-link prefix and that embeds the IPv4 address IP1, it discards the packet if IP1 does not belong to the configured list of IPv4 addresses.
o 当路由器将IPv6数据包转发到隧道接口中时,其目标地址与链路前缀匹配并嵌入IPv4地址IP1,如果IP1不属于已配置的IPv4地址列表,路由器将丢弃该数据包。
o When the router receives an IPv6 packet on the tunnel's interface with a source address that matches an on-link prefix and that embeds the IPv4 address IP2, it discards the packet if IP2 does not belong to the configured list of IPv4 addresses.
o 当路由器在隧道接口上接收到一个IPv6数据包,该数据包的源地址与链路前缀匹配,并且嵌入了IPv4地址IP2时,如果IP2不属于已配置的IPv4地址列表,路由器将丢弃该数据包。
The following measures can be taken by the network operator. Their aim is to configure the network in such a way that the attacks cannot take place.
网络运营商可采取以下措施。他们的目标是以一种不会发生攻击的方式配置网络。
As noted above, the attack relies on having an IPv4 network as a shared link layer between more than one tunnel. From this, the following two mitigation measures arise:
如上所述,攻击依赖于将IPv4网络作为多个隧道之间的共享链路层。由此产生以下两种缓解措施:
In this measure, a tunnel router may drop all IPv4 protocol-41 packets received or sent over interfaces that are attached to an untrusted IPv4 network. This will cut off any IPv4 network as a shared link. This measure has the advantage of simplicity. However, such a measure may not always be suitable for scenarios where IPv4 connectivity is essential on all interfaces. Most notably, filtering
在此措施中,隧道路由器可以丢弃通过连接到不受信任的IPv4网络的接口接收或发送的所有IPv4协议-41数据包。这将切断作为共享链路的任何IPv4网络。这一措施的优点是简单。但是,这样的措施可能并不总是适用于IPv4连接对所有接口都至关重要的情况。最显著的是过滤
of IPv4 protocol-41 packets that belong to a 6to4 tunnel can have adverse effects on unsuspecting users [RFC6343].
属于6to4隧道的IPv4协议-41数据包可能会对不知情的用户产生不利影响[RFC6343]。
This measure mitigates the attack by simply allowing for a single IPv6 tunnel to operate in a bounded IPv4 network. For example, the attack cannot take place in broadband home networks. In such cases, there is a small home network having a single residential gateway that serves as a tunnel router. A tunnel router is vulnerable to the attack only if it has at least two interfaces with a path to the Internet: a tunnel interface and a native IPv6 interface (as depicted in Figure 1). However, a residential gateway usually has only a single interface to the Internet; therefore, the attack cannot take place. Moreover, if there are only one or a few tunnel routers in the IPv4 network and all participate in the same tunnel, then there is no opportunity for perpetuating the loop.
此措施仅允许单个IPv6隧道在有界IPv4网络中运行,从而减轻了攻击。例如,攻击不能发生在宽带家庭网络中。在这种情况下,有一个小型家庭网络,它有一个作为隧道路由器的单一住宅网关。只有当隧道路由器至少有两个接口与Internet路径相连时,它才容易受到攻击:隧道接口和本机IPv6接口(如图1所示)。然而,住宅网关通常只有一个单一的互联网接口;因此,攻击无法发生。此外,如果IPv4网络中只有一个或几个隧道路由器,并且所有路由器都参与同一个隧道,那么就没有机会使循环永久化。
This approach has the advantage that it avoids the attack profile altogether without need for explicit mitigations. However, it requires careful configuration management, which may not be tenable in large and/or unbounded IPv4 networks.
这种方法的优点是,它完全避免了攻击模式,而不需要明确的缓解措施。但是,它需要仔细的配置管理,这在大型和/或无界IPv4网络中可能无法成立。
It is reasonable to assume that a tunnel router shall accept or forward tunneled packets only over its tunnel interface. It is also reasonable to assume that a tunnel router shall accept or forward IPv6 packets only over its IPv6 interface. If these two interfaces are physically different, then the network operator can mitigate the attack by ensuring that the following condition holds: there is no path between these two interfaces that does not go through the tunnel router.
可以合理地假设隧道路由器只能通过其隧道接口接受或转发隧道包。还可以合理地假设隧道路由器只能通过其IPv6接口接受或转发IPv6数据包。如果这两个接口在物理上不同,则网络运营商可以通过确保以下条件成立来减轻攻击:这两个接口之间没有不通过隧道路由器的路径。
The above condition ensures that an encapsulated packet that is transmitted over the tunnel interface will not get to another tunnel router and from there to the IPv6 interface of the first router. The condition also ensures the reverse direction, i.e., an IPv6 packet that is transmitted over the IPv6 interface will not get to another tunnel router and from there to the tunnel interface of the first router. This condition is essentially translated to a scenario in which the tunnel router is the only border router between the IPv6 network and the IPv4 network to which it is attached (as in the broadband home network scenario mentioned above).
上述条件确保通过隧道接口传输的封装数据包不会到达另一个隧道路由器,也不会从那里到达第一个路由器的IPv6接口。该条件还确保反向,即通过IPv6接口传输的IPv6数据包不会到达另一个隧道路由器,也不会从那里到达第一个路由器的隧道接口。这种情况本质上被转化为这样一种情况,即隧道路由器是IPv6网络与其所连接的IPv4网络之间的唯一边界路由器(如上文提到的宽带家庭网络情况)。
If a tunnel router can be configured with a comprehensive list of IPv4 addresses of all other tunnel routers in the network, then the router can use the list as a filter to discard any tunneled packets coming from or destined to other routers. For example, a tunnel router can use the network's ISATAP Potential Router List (PRL) [RFC5214] as a filter as long as there is operational assurance that all ISATAP routers are listed and that no other types of tunnel routers are present in the network.
如果可以使用网络中所有其他隧道路由器的IPv4地址的综合列表来配置隧道路由器,那么路由器可以使用该列表作为过滤器来丢弃来自或目的地为其他路由器的任何隧道包。例如,隧道路由器可以使用网络的ISATAP潜在路由器列表(PRL)[RFC5214]作为过滤器,只要操作保证列出了所有ISATAP路由器,并且网络中不存在其他类型的隧道路由器。
This measure parallels the one proposed for 6rd in [RFC5969] where the 6rd Border Relay filters all known relay addresses of other tunnels inside the ISP's network.
该措施与[RFC5969]中第六条建议的措施类似,第六条边界中继过滤ISP网络内其他隧道的所有已知中继地址。
This measure is especially useful for intra-site tunneling mechanisms, such as ISATAP and 6rd, since filtering can be exercised on well-defined site borders. A specific ISATAP operational scenario for which this mitigation applies is described in Section 3 of [ISATAP-OPS].
此度量对于站点内隧道机制(如ISATAP和6rd)特别有用,因为可以在定义良好的站点边界上执行过滤。[ISATAP-OPS]第3节描述了本缓解措施适用的特定ISATAP运行场景。
The looping attack exploits the fact that a router is permitted to assign non-link-local IPv6 prefixes on its tunnel interfaces, which could cause it to send tunneled packets to other routers that do not configure an address from the prefix. Therefore, if the router does not assign non-link-local IPv6 prefixes on its tunnel interfaces, there is no opportunity for it to initiate the loop. If the router further ensures that the routing state is consistent for the packets it receives on its tunnel interfaces, there is no opportunity for it to propagate a loop initiated by a different router.
循环攻击利用允许路由器在其隧道接口上分配非链路本地IPv6前缀这一事实,这可能导致路由器将隧道数据包发送到其他未配置前缀地址的路由器。因此,如果路由器没有在其隧道接口上分配非链路本地IPv6前缀,那么它就没有机会启动循环。如果路由器进一步确保其在其隧道接口上接收的包的路由状态是一致的,则它没有机会传播由不同路由器发起的循环。
This mitigation measure is available only to ISATAP routers, since the ISATAP stateless address mapping operates only on the Interface Identifier portion of the IPv6 address, and not on the IPv6 prefix. This measure is also only applicable on ISATAP links on which IPv4 source address spoofing is disabled. Finally, the measure is only applicable on ISATAP links on which nodes support the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) [RFC3315]. The following sections discuss the operational configurations necessary to implement the measure.
此缓解措施仅适用于ISATAP路由器,因为ISATAP无状态地址映射仅在IPv6地址的接口标识符部分操作,而不在IPv6前缀上操作。此措施也仅适用于禁用IPv4源地址欺骗的ISATAP链路。最后,该措施仅适用于节点支持IPv6动态主机配置协议(DHCPv6)[RFC3315]的ISATAP链路。以下各节讨论了实施该措施所需的操作配置。
ISATAP provides a Potential Router List (PRL) to further ensure a loop-free topology. Routers that are members of the PRL for the site configure their site-facing ISATAP interfaces as advertising router
ISATAP提供了一个潜在的路由器列表(PRL),以进一步确保无环路拓扑。作为站点PRL成员的路由器将其面向站点的ISATAP接口配置为广告路由器
interfaces (see [RFC4861], Section 6.2.2), and therefore may send Router Advertisement (RA) messages that include non-zero Router Lifetimes. Routers that are not members of the PRL for the site configure their site-facing ISATAP interfaces as non-advertising router interfaces.
接口(参见[RFC4861],第6.2.2节),因此可能会发送包括非零路由器寿命的路由器公告(RA)消息。不是站点PRL成员的路由器将其面向站点的ISATAP接口配置为非广告路由器接口。
ISATAP nodes employ the source address verification checks specified in Section 7.3 of [RFC5214] as a prerequisite for decapsulation of packets received on an ISATAP interface. To enable the on-link prefix avoidance procedures outlined in this section, ISATAP nodes must employ an additional source address verification check; namely, the node also considers the outer IPv4 source address correct for the inner IPv6 source address if:
ISATAP节点采用[RFC5214]第7.3节中规定的源地址验证检查作为ISATAP接口上接收的数据包解除封装的先决条件。为了启用本节中概述的链路上前缀避免程序,ISATAP节点必须采用额外的源地址验证检查;即,在以下情况下,节点还认为外部IPv4源地址与内部IPv6源地址正确:
o a forwarding table entry exists that lists the packet's IPv4 source address as the link-layer address corresponding to the inner IPv6 source address via the ISATAP interface.
o 存在一个转发表条目,该条目通过ISATAP接口将数据包的IPv4源地址列为与内部IPv6源地址相对应的链路层地址。
ISATAP hosts send Router Solicitation (RS) messages to obtain RA messages from an advertising ISATAP router as specified in [RFC4861] and [RFC5214]. When stateful address autoconfiguration services are available, the host can acquire IPv6 addresses using DHCPv6 [RFC3315].
ISATAP主机发送路由器请求(RS)消息,以从[RFC4861]和[RFC5214]中指定的广告ISATAP路由器获取RA消息。当有状态地址自动配置服务可用时,主机可以使用DHCPv6[RFC3315]获取IPv6地址。
To acquire addresses, the host performs standard DHCPv6 exchanges while mapping the IPv6 "All_DHCP_Relay_Agents_and_Servers" link-scoped multicast address to the IPv4 address of the advertising router. The host should also use DHCPv6 Authentication in environments where authentication of the DHCPv6 exchanges is required.
为了获取地址,主机执行标准DHCPv6交换,同时将IPv6“所有DHCP_中继_代理_和_服务器”链接范围的多播地址映射到播发路由器的IPv4地址。在需要对DHCPv6交换进行身份验证的环境中,主机还应使用DHCPv6身份验证。
After the host receives IPv6 addresses, it assigns them to its ISATAP interface and forwards any of its outbound IPv6 packets via the advertising router as a default router. The advertising router in turn maintains IPv6 forwarding table entries that list the IPv4 address of the host as the link-layer address of the delegated IPv6 addresses.
主机接收到IPv6地址后,会将其分配给其ISATAP接口,并将其任何出站IPv6数据包作为默认路由器通过播发路由器转发。广告路由器依次维护IPv6转发表条目,这些条目将主机的IPv4地址列为代理IPv6地址的链路层地址。
In many use case scenarios (e.g., enterprise networks, Mobile Ad Hoc Networks (MANETs), etc.), advertising and non-advertising ISATAP routers can engage in a proactive dynamic IPv6 routing protocol (e.g., OSPFv3, the Routing Information Protocol Next Generation
在许多用例场景(例如,企业网络、移动自组织网络(MANET)等)中,广告和非广告ISATAP路由器可以采用主动式动态IPv6路由协议(例如,OSPFv3,下一代路由信息协议)
(RIPng), etc.) over their ISATAP interfaces so that IPv6 routing/ forwarding tables can be populated and standard IPv6 forwarding between ISATAP routers can be used. In other scenarios (e.g., large enterprise networks, etc.), this might be impractical due to scaling issues. When a proactive dynamic routing protocol cannot be used, non-advertising ISATAP routers send RS messages to obtain RA messages from an advertising ISATAP router; i.e., they act as "hosts" on their non-advertising ISATAP interfaces.
(RIPng)等),以便可以填充IPv6路由/转发表,并且可以使用ISATAP路由器之间的标准IPv6转发。在其他场景中(例如,大型企业网络等),由于扩展问题,这可能是不切实际的。当不能使用主动动态路由协议时,非广告ISATAP路由器发送RS消息以从广告ISATAP路由器获取RA消息;i、 例如,它们在其非广告ISATAP接口上充当“主机”。
Non-advertising ISATAP routers can also acquire IPv6 prefixes, e.g., through the use of DHCPv6 Prefix Delegation [RFC3633] via an advertising router in the same fashion as described above for host-based DHCPv6 stateful address autoconfiguration. The advertising router in turn maintains IPv6 forwarding table entries that list the IPv4 address of the non-advertising router as the link-layer address of the next hop toward the delegated IPv6 prefixes.
非广告ISATAP路由器还可以获取IPv6前缀,例如,通过广告路由器使用DHCPv6前缀委派[RFC3633],方式与上述基于主机的DHCPv6有状态地址自动配置相同。广告路由器依次维护IPv6转发表条目,这些条目将非广告路由器的IPv4地址列为下一跳到委派IPv6前缀的链路层地址。
After the non-advertising router acquires IPv6 prefixes, it can sub-delegate them to routers and links within its attached IPv6 edge networks, then can forward any outbound IPv6 packets coming from its edge networks via other ISATAP nodes on the link.
在非广告路由器获取IPv6前缀后,它可以将它们再委托给其连接的IPv6边缘网络内的路由器和链路,然后可以通过链路上的其他ISATAP节点转发来自其边缘网络的任何出站IPv6数据包。
Figure 2 depicts a reference ISATAP network topology for operational avoidance of on-link non-link-local IPv6 prefixes. The scenario shows two advertising ISATAP routers ('A', 'B'), two non-advertising ISATAP routers ('C', 'E'), an ISATAP host ('G'), and three ordinary IPv6 hosts ('D', 'F', 'H') in a typical deployment configuration:
图2描述了一个参考ISATAP网络拓扑,用于避免在链路上使用非链路本地IPv6前缀。该场景显示了典型部署配置中的两个广告ISATAP路由器('A','B')、两个非广告ISATAP路由器('C','E')、一个ISATAP主机('G')和三个普通IPv6主机('D','F','H'):
.-(::::::::) 2001:db8:3::1
.-(::: IPv6 :::)-. +-------------+
(:::: Internet ::::) | IPv6 Host H |
`-(::::::::::::)-' +-------------+
`-(::::::)-'
,~~~~~~~~~~~~~~~~~,
,----|companion gateway|--.
/ '~~~~~~~~~~~~~~~~~' :
/ |.
,-' `.
; +------------+ +------------+ )
: | Router A | | Router B | / fe80::*192.0.2.5
: | (ISATAP) | | (ISATAP) | ; 2001:db8:2::1
+ +------------+ +------------+ \ +--------------+
; fe80::*192.0.2.1 fe80::*192.0.2.2 : | (ISATAP) |
| ; | Host G |
: IPv4 Site -+-' +--------------+
`-. (PRL: 192.0.2.1, 192.0.2.2) .)
\ _)
`-----+--------)----+'----'
fe80::*192.0.2.3 fe80::*192.0.2.4 .-.
+--------------+ +--------------+ ,-( _)-.
| (ISATAP) | | (ISATAP) | .-(_ IPv6 )-.
| Router C | | Router E |--(__Edge Network )
+--------------+ +--------------+ `-(______)-'
2001:db8:0::/48 2001:db8:1::/48 |
| 2001:db8:1::1
.-. +-------------+
,-( _)-. 2001:db8:0::1 | IPv6 Host F |
.-(_ IPv6 )-. +-------------+ +-------------+
(__Edge Network )--| IPv6 Host D |
`-(______)-' +-------------+
.-(::::::::) 2001:db8:3::1
.-(::: IPv6 :::)-. +-------------+
(:::: Internet ::::) | IPv6 Host H |
`-(::::::::::::)-' +-------------+
`-(::::::)-'
,~~~~~~~~~~~~~~~~~,
,----|companion gateway|--.
/ '~~~~~~~~~~~~~~~~~' :
/ |.
,-' `.
; +------------+ +------------+ )
: | Router A | | Router B | / fe80::*192.0.2.5
: | (ISATAP) | | (ISATAP) | ; 2001:db8:2::1
+ +------------+ +------------+ \ +--------------+
; fe80::*192.0.2.1 fe80::*192.0.2.2 : | (ISATAP) |
| ; | Host G |
: IPv4 Site -+-' +--------------+
`-. (PRL: 192.0.2.1, 192.0.2.2) .)
\ _)
`-----+--------)----+'----'
fe80::*192.0.2.3 fe80::*192.0.2.4 .-.
+--------------+ +--------------+ ,-( _)-.
| (ISATAP) | | (ISATAP) | .-(_ IPv6 )-.
| Router C | | Router E |--(__Edge Network )
+--------------+ +--------------+ `-(______)-'
2001:db8:0::/48 2001:db8:1::/48 |
| 2001:db8:1::1
.-. +-------------+
,-( _)-. 2001:db8:0::1 | IPv6 Host F |
.-(_ IPv6 )-. +-------------+ +-------------+
(__Edge Network )--| IPv6 Host D |
`-(______)-' +-------------+
(* == "5efe:")
(* == "5efe:")
Figure 2: Reference ISATAP Network Topology
图2:参考ISATAP网络拓扑
In Figure 2, advertising ISATAP routers 'A' and 'B' within the IPv4 site connect to the IPv6 Internet, either directly or via a companion gateway. 'A' configures a provider network IPv4 interface with address 192.0.2.1 and arranges to add the address to the provider network PRL. 'A' next configures an advertising ISATAP router interface with link-local IPv6 address fe80::5efe:192.0.2.1 over the IPv4 interface. In the same fashion, 'B' configures the IPv4 interface address 192.0.2.2, adds the address to the PRL, then configures the IPv6 ISATAP interface link-local address fe80::5efe:192.0.2.2.
在图2中,IPv4站点内的路由器“A”和“B”直接或通过伴随网关连接到IPv6 Internet“配置地址为192.0.2.1的提供商网络IPv4接口,并安排将该地址添加到提供商网络PRL。”A'next通过IPv4接口配置一个带有链路本地IPv6地址fe80::5efe:192.0.2.1的ISATAP路由器接口。以相同的方式,“B”配置IPv4接口地址192.0.2.2,将地址添加到PRL,然后配置IPv6 ISATAP接口链路本地地址fe80::5efe:192.0.2.2。
Non-advertising ISATAP router 'C' connects to one or more IPv6 edge networks and also connects to the site via an IPv4 interface with address 192.0.2.3, but it does not add the IPv4 address to the site's PRL. 'C' next configures a non-advertising ISATAP router interface with link-local address fe80::5efe:192.0.2.3, then receives the IPv6 prefix 2001:db8:0::/48 through a DHCPv6 prefix delegation exchange via one of 'A' or 'B'. 'C' then engages in an IPv6 routing protocol over its ISATAP interface and announces the delegated IPv6 prefix. 'C' finally sub-delegates the prefix to its attached edge networks, where IPv6 host 'D' autoconfigures the address 2001:db8:0::1.
非广告ISATAP路由器“C”连接到一个或多个IPv6边缘网络,还通过地址为192.0.2.3的IPv4接口连接到站点,但它不会将IPv4地址添加到站点的PRLC'接下来使用链路本地地址fe80::5efe:192.0.2.3配置非广告ISATAP路由器接口,然后通过DHCPv6前缀委派交换通过'a'或'B'之一接收IPv6前缀2001:db8:0::/48'C'然后通过其ISATAP接口参与IPv6路由协议,并宣布委派的IPv6前缀。'C'最后将前缀再委托给其连接的边缘网络,其中IPv6主机'D'自动配置地址2001:db8:0::1。
Non-advertising ISATAP router 'E' connects to the site, configures its ISATAP interface, receives a DHCPv6 prefix delegation, and engages in the IPv6 routing protocol the same as for router 'C'. In particular, 'E' configures the IPv4 address 192.0.2.4, the ISATAP link-local address fe80::5efe:192.0.2.4, and the delegated IPv6 prefix 2001:db8:1::/48. 'E' finally sub-delegates the prefix to its attached edge networks, where IPv6 host 'F' autoconfigures IPv6 address 2001:db8:1::1.
非广告ISATAP路由器“E”连接到站点,配置其ISATAP接口,接收DHCPv6前缀委派,并使用与路由器“C”相同的IPv6路由协议。特别是,“E”配置IPv4地址192.0.2.4、ISATAP链路本地地址fe80::5efe:192.0.2.4和委派的IPv6前缀2001:db8:1::/48最后,E'将前缀再委托给其连接的边缘网络,其中IPv6主机“F”自动配置IPv6地址2001:db8:1::1。
ISATAP host 'G' connects to the site via an IPv4 interface with address 192.0.2.5, and also configures an ISATAP host interface with link-local address fe80::5efe:192.0.2.5 over the IPv4 interface. 'G' next configures a default IPv6 route with next-hop address fe80::5efe:192.0.2.2 via the ISATAP interface, then receives the IPv6 address 2001:db8:2::1 from a DHCPv6 address configuration exchange via 'B'. When 'G' receives the IPv6 address, it assigns the address to the ISATAP interface but does not assign a non-link-local IPv6 prefix to the interface.
ISATAP主机“G”通过地址为192.0.2.5的IPv4接口连接到站点,并通过IPv4接口配置链接本地地址为fe80::5efe:192.0.2.5的ISATAP主机接口。”G'next通过ISATAP接口使用下一跳地址fe80::5efe:192.0.2.2配置默认IPv6路由,然后通过'B'从DHCPv6地址配置交换接收IPv6地址2001:db8:2::1。当“G”收到IPv6地址时,它会将地址分配给ISATAP接口,但不会将非链路本地IPv6前缀分配给接口。
Finally, IPv6 host 'H' connects to an IPv6 network outside of the ISATAP domain. 'H' configures its IPv6 interface in a manner specific to its attached IPv6 link, and autoconfigures the IPv6 address 2001:db8:3::1.
最后,IPv6主机“H”连接到ISATAP域之外的IPv6网络H'以特定于其连接的IPv6链路的方式配置其IPv6接口,并自动配置IPv6地址2001:db8:3::1。
Following this autoconfiguration, when host 'D' has an IPv6 packet to send to host 'F', it prepares the packet with source address 2001:db8:0::1 and destination address 2001:db8:1::1, then sends the packet into the edge network where it will eventually be forwarded to router 'C'. 'C' then uses ISATAP encapsulation to forward the packet to router 'E', since it has discovered a route to 2001:db8:1::/48 with next hop 'E' via dynamic routing over the ISATAP interface. Router 'E' finally forwards the packet to host 'F'.
按照此自动配置,当主机“D”有一个IPv6数据包要发送到主机“F”时,它准备具有源地址2001:db8:0::1和目标地址2001:db8:1::1的数据包,然后将该数据包发送到边缘网络,在那里它将最终转发到路由器“C”然后,C'使用ISATAP封装将数据包转发到路由器“E”,因为它通过ISATAP接口上的动态路由发现了到下一跳“E”的2001:db8:1::/48的路由。路由器“E”最终将数据包转发给主机“F”。
In a second scenario, when 'D' has a packet to send to ISATAP host
'G', it prepares the packet with source address 2001:db8:0::1 and
destination address 2001:db8:2::1, then sends the packet into the
edge network where it will eventually be forwarded to router 'C' the
In a second scenario, when 'D' has a packet to send to ISATAP host
'G', it prepares the packet with source address 2001:db8:0::1 and
destination address 2001:db8:2::1, then sends the packet into the
edge network where it will eventually be forwarded to router 'C' the
same as above. 'C' then uses ISATAP encapsulation to forward the packet to router 'A' (i.e., a router that advertises "default"), which in turn forwards the packet to 'G'. Note that this operation entails two hops across the ISATAP link (i.e., one from 'C' to 'A', and a second from 'A' to 'G'). If 'G' also participates in the dynamic IPv6 routing protocol, however, 'C' could instead forward the packet directly to 'G' without involving 'A'.
同上。”然后,C'使用ISATAP封装将数据包转发给路由器'A'(即,播发“默认值”的路由器),路由器又将数据包转发给'G'。请注意,此操作需要跨越ISATAP链路的两个跃点(即,一个从“C”跳到“A”,另一个从“A”跳到“G”)。但是,如果“G”也参与了动态IPv6路由协议,则“C”可以直接将数据包转发给“G”,而不涉及“A”。
In a third scenario, when 'D' has a packet to send to host 'H' in the IPv6 Internet, the packet is forwarded to 'C' the same as above. 'C' then forwards the packet to 'A', which forwards the packet into the IPv6 Internet.
在第三种情况下,当“D”有一个数据包要发送到IPv6 Internet中的主机“H”时,该数据包被转发到“C”,如上所述然后,C'将数据包转发给A',A将数据包转发到IPv6 Internet。
In a final scenario, when 'G' has a packet to send to host 'H' in the IPv6 Internet, the packet is forwarded directly to 'B', which forwards the packet into the IPv6 Internet.
在最后一个场景中,当“G”有一个数据包要发送到IPv6 Internet中的主机“H”时,该数据包直接转发到“B”,后者将数据包转发到IPv6 Internet。
Figure 2 depicts an ISATAP network topology with only two advertising ISATAP routers within the provider network. In order to support larger numbers of non-advertising ISATAP routers and ISATAP hosts, the provider network can deploy more advertising ISATAP routers to support load balancing and generally shortest-path routing.
图2描述了一个ISATAP网络拓扑,在提供商网络中只有两个ISATAP路由器。为了支持更多的非广告ISATAP路由器和ISATAP主机,提供商网络可以部署更多广告ISATAP路由器以支持负载平衡和通常最短路径路由。
Such an arrangement requires that the advertising ISATAP routers participate in an IPv6 routing protocol instance so that IPv6 address/prefix delegations can be mapped to the correct router. The routing protocol instance can be configured as either a full mesh topology involving all advertising ISATAP routers, or as a partial mesh topology with each advertising ISATAP router associating with one or more companion gateways. Each such companion gateway would in turn participate in a full mesh between all companion gateways.
这种安排要求路由器参与IPv6路由协议实例,以便IPv6地址/前缀委托可以映射到正确的路由器。路由协议实例可以配置为涉及所有广告ISATAP路由器的全网状拓扑,或者配置为每个广告ISATAP路由器与一个或多个伙伴网关关联的部分网状拓扑。每个这样的伙伴网关将依次参与所有伙伴网关之间的完整网格。
With respect to the reference operational scenario depicted in Figure 2, there will be many use cases in which a proactive dynamic IPv6 routing protocol cannot be used. For example, in large enterprise network deployments it would be impractical for all routers to engage in a common routing protocol instance, due to scaling considerations.
关于图2中描述的参考操作场景,将有许多无法使用主动式动态IPv6路由协议的用例。例如,在大型企业网络部署中,由于可伸缩性的考虑,所有路由器都不可能参与公共路由协议实例。
In those cases, an on-demand routing capability can be enabled in which ISATAP nodes send initial packets via an advertising ISATAP router and receive redirection messages back. For example, when a non-advertising ISATAP router 'B' has a packet to send to a host located behind non-advertising ISATAP router 'D', it can send the
在这些情况下,可以启用按需路由功能,其中ISATAP节点通过广告ISATAP路由器发送初始数据包,并接收回重定向消息。例如,当非广告ISATAP路由器“B”有一个数据包要发送到位于非广告ISATAP路由器“D”后面的主机时,它可以发送
initial packets via advertising router 'A', which will return redirection messages to inform 'B' that 'D' is a better first hop. Protocol details for this ISATAP redirection are specified in [AERO].
通过广告路由器“A”发送初始数据包,该路由器将返回重定向消息,通知“B”D是更好的第一跳。[AERO]中指定了此ISATAP重定向的协议详细信息。
Tunnel routers can use a source address check mitigation measure when they forward an IPv6 packet into a tunnel interface with an IPv6 source address that embeds one of the router's configured IPv4 addresses. Similarly, tunnel routers can use a destination address check mitigation measure when they receive an IPv6 packet on a tunnel interface with an IPv6 destination address that embeds one of the router's configured IPv4 addresses. These checks should correspond to both tunnels' IPv6 address formats, regardless of the type of tunnel the router employs.
隧道路由器在将IPv6数据包转发到具有嵌入路由器配置的IPv4地址之一的IPv6源地址的隧道接口时,可以使用源地址检查缓解措施。类似地,当隧道路由器在隧道接口上接收到IPv6数据包时,可以使用目标地址检查缓解措施,其中IPv6目标地址嵌入了路由器配置的IPv4地址之一。这些检查应该对应于两个隧道的IPv6地址格式,而不管路由器使用的隧道类型如何。
For example, if tunnel router R1 (of any tunnel protocol) forwards a packet into a tunnel interface with an IPv6 source address that matches the 6to4 prefix 2002:IP1::/48, the router discards the packet if IP1 is one of its own IPv4 addresses. In a second example, if tunnel router R2 receives an IPv6 packet on a tunnel interface with an IPv6 destination address with an off-link prefix but with an interface identifier that matches the ISATAP address suffix ::0200:5efe:IP2, the router discards the packet if IP2 is one of its own IPv4 addresses.
例如,如果隧道路由器R1(任何隧道协议的)将数据包转发到具有与6to4前缀2002:IP1::/48匹配的IPv6源地址的隧道接口中,则如果IP1是其自己的IPv4地址之一,路由器将丢弃该数据包。在第二个示例中,如果隧道路由器R2在隧道接口上接收到IPv6数据包,该数据包的IPv6目标地址具有断开链接前缀,但接口标识符与ISATAP地址后缀::0200:5efe:IP2匹配,则如果IP2是路由器自己的IPv4地址之一,则路由器将丢弃该数据包。
Hence, a tunnel router can avoid the attack by performing the following checks:
因此,隧道路由器可以通过执行以下检查来避免攻击:
o When the router forwards an IPv6 packet into a tunnel interface, it discards the packet if the IPv6 source address has an off-link prefix but embeds one of the router's configured IPv4 addresses.
o 当路由器将IPv6数据包转发到隧道接口时,如果IPv6源地址具有断开链接前缀,但嵌入了路由器配置的IPv4地址之一,则路由器将丢弃该数据包。
o When the router receives an IPv6 packet on a tunnel interface, it discards the packet if the IPv6 destination address has an off-link prefix but embeds one of the router's configured IPv4 addresses.
o 当路由器在隧道接口上接收到IPv6数据包时,如果IPv6目标地址具有断开链接前缀,但嵌入了路由器配置的IPv4地址之一,则路由器将丢弃该数据包。
This approach has the advantage that no ancillary state is required, since checking is through static lookup in the lists of IPv4 and IPv6 addresses belonging to the router. However, this approach has some inherent limitations:
这种方法的优点是不需要辅助状态,因为检查是通过静态查找属于路由器的IPv4和IPv6地址列表。然而,这种方法有一些固有的局限性:
o The checks incur an overhead that is proportional to the number of IPv4 addresses assigned to the router. If a router is assigned many addresses, the additional processing overhead for each packet may be considerable. Note that an unmitigated attack packet would be repetitively processed by the router until the Hop Limit
o 这些检查产生的开销与分配给路由器的IPv4地址数量成正比。如果一个路由器被分配了许多地址,那么每个包的额外处理开销可能相当大。请注意,未缓解的攻击数据包将由路由器重复处理,直到达到跳数限制
expires, which may require as many as 255 iterations. Hence, an unmitigated attack will consume far more aggregate processing overhead than per-packet address checks even if the router assigns a large number of addresses.
过期,这可能需要多达255次迭代。因此,即使路由器分配了大量地址,未缓解的攻击也会比每包地址检查消耗更多的聚合处理开销。
o The checks should be performed for the IPv6 address formats of every existing automatic IPv6 tunnel protocol (that uses protocol-41 encapsulation). Hence, the checks must be updated as new protocols are defined.
o 应检查每个现有自动IPv6隧道协议(使用协议-41封装)的IPv6地址格式。因此,必须在定义新协议时更新检查。
o Before the checks can be performed, the format of the address must be recognized. There is no guarantee that this can be generally done. For example, one cannot determine if an IPv6 address is a 6rd one; hence, the router would need to be configured with a list of all applicable 6rd prefixes (which may be prohibitively large) in order to unambiguously apply the checks.
o 在执行检查之前,必须识别地址的格式。不能保证这一点可以普遍做到。例如,无法确定IPv6地址是否为第6个地址;因此,路由器需要配置所有适用的第6个前缀的列表(可能非常大),以便明确地应用检查。
o The checks cannot be performed if the embedded IPv4 address is a private one [RFC1918], since it is ambiguous in scope. Namely, the private address may be legitimately allocated to another node in another routing region.
o 如果嵌入的IPv4地址是私有地址[RFC1918],则无法执行检查,因为它的作用域不明确。即,私有地址可以合法地分配给另一路由区域中的另一节点。
The last limitation may be relieved if the router has some information that allows it to unambiguously determine the scope of the address. The check in the following subsection is one example for this.
最后一个限制可能会被解除,如果路由器有一些信息,允许它明确地确定地址的范围。下面小节中的检查就是一个例子。
A router may be configured with the full list of IPv6 subnet prefixes assigned to the tunnels attached to its current IPv4 routing region. In such a case, it can use the list to determine when static destination and source address checks are possible. By keeping track of the list of IPv6 prefixes assigned to the tunnels in the IPv4 routing region, a router can perform the following checks on an address that embeds a private IPv4 address:
路由器可以配置为具有分配给连接到其当前IPv4路由区域的隧道的IPv6子网前缀的完整列表。在这种情况下,它可以使用列表来确定何时可以进行静态目标地址和源地址检查。通过跟踪分配给IPv4路由区域中隧道的IPv6前缀列表,路由器可以对嵌入专用IPv4地址的地址执行以下检查:
o When the router forwards an IPv6 packet into its tunnel with a source address that embeds a private IPv4 address and matches an IPv6 prefix in the prefix list, it determines whether the packet should be discarded or forwarded by performing the source address check specified in Section 3.3.
o 当路由器将带有嵌入专用IPv4地址并与前缀列表中的IPv6前缀匹配的源地址的IPv6数据包转发到其隧道中时,它通过执行第3.3节中指定的源地址检查来确定是否应丢弃或转发该数据包。
o When the router receives an IPv6 packet on its tunnel interface with a destination address that embeds a private IPv4 address and matches an IPv6 prefix in the prefix list, it determines whether the packet should be discarded or forwarded by performing the destination address check specified in Section 3.3.
o 当路由器在其隧道接口上接收到IPv6数据包时,其目标地址嵌入了专用IPv4地址并与前缀列表中的IPv6前缀相匹配,路由器通过执行第3.3节中指定的目标地址检查来确定是否应丢弃或转发该数据包。
The disadvantage of this approach is that the administrative overhead for maintaining the list of IPv6 subnet prefixes associated with an IPv4 routing region may become unwieldy should that list be long and/or frequently updated.
这种方法的缺点是,如果与IPv4路由区域相关联的IPv6子网前缀列表很长和/或经常更新,则维护该列表的管理开销可能会变得很难处理。
In light of the mitigation measures proposed above, we make the following recommendations in decreasing order of importance:
根据上述建议的缓解措施,我们按重要性递减顺序提出以下建议:
1. When possible, it is recommended that the attacks be operationally eliminated (as per the measures proposed in Section 3.2).
1. 如果可能,建议在操作上消除攻击(根据第3.2节中提出的措施)。
2. For tunnel routers that keep a coherent and trusted neighbor cache that includes all legitimate endpoints of the tunnel, we recommend exercising the neighbor cache check.
2. 对于保持一致且可信的邻居缓存(包括隧道的所有合法端点)的隧道路由器,我们建议执行邻居缓存检查。
3. For tunnel routers that can implement the Neighbor Reachability Check, we recommend exercising it.
3. 对于能够实现邻居可达性检查的隧道路由器,我们建议使用它。
4. For tunnels having a small and static list of endpoints, we recommend exercising the known IPv4 address check.
4. 对于具有小型静态端点列表的隧道,我们建议执行已知IPv4地址检查。
5. We generally do not recommend using the destination and source address checks, since they cannot mitigate routing loops with 6rd routers. Therefore, these checks should not be used alone unless there is operational assurance that other measures are exercised to prevent routing loops with 6rd routers.
5. 我们通常不建议使用目的地和源地址检查,因为它们不能缓解第六路由器的路由循环。因此,这些检查不应单独使用,除非有运行保证,即采取其他措施防止第六路由器的路由循环。
As noted earlier, tunnels may be deployed in various operational environments. There is a possibility that other mitigation measures may be feasible in specific deployment scenarios. The above recommendations are general and do not attempt to cover such scenarios.
如前所述,隧道可部署在各种操作环境中。其他缓解措施可能在特定部署场景中可行。上述建议是一般性的,并不试图涵盖此类情况。
This document aims at presenting possible solutions to the routing loop attack that involves automatic tunnels' routers. It contains various checks that aim to recognize and drop specific packets that have strong potential to cause a routing loop. These checks do not introduce new security threats.
本文档旨在介绍涉及自动隧道路由器的路由环路攻击的可能解决方案。它包含各种检查,旨在识别和丢弃可能导致路由循环的特定数据包。这些检查不会带来新的安全威胁。
This work has benefited from discussions on the V6OPS, 6MAN, and SECDIR mailing lists. The document has further benefited from comments received from members of the IESG during their review. Dmitry Anipko, Fred Baker, Stewart Bryant, Remi Despres, Adrian Farrell, Fernando Gont, Christian Huitema, Joel Jaeggli, and Dave Thaler are acknowledged for their contributions.
这项工作得益于对V6OPS、6MAN和SECDIR邮件列表的讨论。该文件还得益于IESG成员在审查期间提出的意见。德米特里·阿尼普科、弗雷德·贝克、斯图尔特·布莱恩特、雷米·德斯普雷斯、阿德里安·法雷尔、费尔南多·冈特、克里斯蒂安·惠特马、乔尔·贾格利和戴夫·泰勒都对他们的贡献表示感谢。
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996.
[RFC1918]Rekhter,Y.,Moskowitz,B.,Karrenberg,D.,de Groot,G.,和E.Lear,“私人互联网地址分配”,BCP 5,RFC 1918,1996年2月。
[RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4 Clouds", RFC 3056, February 2001.
[RFC3056]Carpenter,B.和K.Moore,“通过IPv4云连接IPv6域”,RFC 3056,2001年2月。
[RFC3315] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3315]Droms,R.,Ed.,Bound,J.,Volz,B.,Lemon,T.,Perkins,C.,和M.Carney,“IPv6的动态主机配置协议(DHCPv6)”,RFC3315,2003年7月。
[RFC3633] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6", RFC 3633, December 2003.
[RFC3633]Troan,O.和R.Droms,“动态主机配置协议(DHCP)版本6的IPv6前缀选项”,RFC 3633,2003年12月。
[RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms for IPv6 Hosts and Routers", RFC 4213, October 2005.
[RFC4213]Nordmark,E.和R.Gilligan,“IPv6主机和路由器的基本转换机制”,RFC 4213,2005年10月。
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, September 2007.
[RFC4861]Narten,T.,Nordmark,E.,Simpson,W.,和H.Soliman,“IP版本6(IPv6)的邻居发现”,RFC 48612007年9月。
[RFC5214] Templin, F., Gleeson, T., and D. Thaler, "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214, March 2008.
[RFC5214]Templin,F.,Gleeson,T.,和D.Thaler,“站点内自动隧道寻址协议(ISATAP)”,RFC 52142008年3月。
[RFC5969] Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4 Infrastructures (6rd) -- Protocol Specification", RFC 5969, August 2010.
[RFC5969]Townsley,W.和O.Troan,“IPv4基础设施上的IPv6快速部署(第6条)——协议规范”,RFC 5969,2010年8月。
[AERO] Templin, F., Ed., "Asymmetric Extended Route Optimization (AERO)", Work in Progress, June 2011.
[AERO]Templin,F.,Ed.,“非对称扩展路线优化(AERO)”,正在进行的工作,2011年6月。
[ISATAP-OPS] Templin, F., "Operational Guidance for IPv6 Deployment in IPv4 Sites using ISATAP", Work in Progress, July 2011.
[ISATAP-OPS]Templin,F.,“使用ISATAP在IPv4站点部署IPv6的操作指南”,正在进行的工作,2011年7月。
[RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)", RFC 4380, February 2006.
[RFC4380]Huitema,C.,“Teredo:通过网络地址转换(NAT)通过UDP传输IPv6”,RFC 43802006年2月。
[RFC4732] Handley, M., Ed., Rescorla, E., Ed., and IAB, "Internet Denial-of-Service Considerations", RFC 4732, December 2006.
[RFC4732]Handley,M.,Ed.,Rescorla,E.,Ed.,和IAB,“互联网拒绝服务注意事项”,RFC 47322006年12月。
[RFC6343] Carpenter, B., "Advisory Guidelines for 6to4 Deployment", RFC 6343, August 2011.
[RFC6343]Carpenter,B.,“6to4部署咨询指南”,RFC 63432011年8月。
[TEREDO-LOOPS] Gont, F., "Mitigating Teredo Rooting Loop Attacks", Work in Progress, September 2010.
[TEREDO-LOOPS]Gont,F.,“缓解TEREDO根循环攻击”,正在进行的工作,2010年9月。
[USENIX09] Nakibly, G. and M. Arov, "Routing Loop Attacks using IPv6 Tunnels", USENIX WOOT, August 2009.
[USENIX 09]Nakbly,G.和M.Arov,“使用IPv6隧道路由循环攻击”,USENIX WOOT,2009年8月。
Authors' Addresses
作者地址
Gabi Nakibly National EW Research & Simulation Center Rafael - Advanced Defense Systems P.O. Box 2250 (630) Haifa 31021 Israel
以色列海法31021 Gabi Nakibly国家电子战研究与仿真中心Rafael-高级防御系统邮政信箱2250(630)
EMail: gnakibly@yahoo.com
EMail: gnakibly@yahoo.com
Fred L. Templin Boeing Research & Technology P.O. Box 3707 MC 7L-49 Seattle, WA 98124 USA
Fred L.Templin波音研究与技术公司美国华盛顿州西雅图3707 MC 7L-49邮政信箱98124
EMail: fltemplin@acm.org
EMail: fltemplin@acm.org