summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7123.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc7123.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc7123.txt')
-rw-r--r--doc/rfc/rfc7123.txt1067
1 files changed, 1067 insertions, 0 deletions
diff --git a/doc/rfc/rfc7123.txt b/doc/rfc/rfc7123.txt
new file mode 100644
index 0000000..530d83f
--- /dev/null
+++ b/doc/rfc/rfc7123.txt
@@ -0,0 +1,1067 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) F. Gont
+Request for Comments: 7123 SI6 Networks/UTN-FRH
+Category: Informational W. Liu
+ISSN: 2070-1721 Huawei Technologies
+ February 2014
+
+
+ Security Implications of IPv6 on IPv4 Networks
+
+Abstract
+
+ This document discusses the security implications of native IPv6
+ support and IPv6 transition/coexistence technologies on "IPv4-only"
+ networks and describes possible mitigations for the aforementioned
+ issues.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7123.
+
+Copyright Notice
+
+ Copyright (c) 2014 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+Gont & Liu Informational [Page 1]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. Security Implications of Native IPv6 Support . . . . . . . . 4
+ 2.1. Filtering Native IPv6 Traffic . . . . . . . . . . . . . . 4
+ 3. Security Implications of Tunneling Mechanisms . . . . . . . . 5
+ 3.1. Filtering 6in4 . . . . . . . . . . . . . . . . . . . . . 6
+ 3.2. Filtering 6over4 . . . . . . . . . . . . . . . . . . . . 7
+ 3.3. Filtering 6rd . . . . . . . . . . . . . . . . . . . . . . 7
+ 3.4. Filtering 6to4 . . . . . . . . . . . . . . . . . . . . . 8
+ 3.5. Filtering ISATAP . . . . . . . . . . . . . . . . . . . . 9
+ 3.6. Filtering Teredo . . . . . . . . . . . . . . . . . . . . 9
+ 3.7. Filtering Tunnel Broker with Tunnel Setup Protocol (TSP) 11
+ 3.8. Filtering AYIYA . . . . . . . . . . . . . . . . . . . . . 11
+ 4. Additional Considerations when Filtering IPv6 Traffic . . . . 12
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13
+ 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
+ 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 7.1. Normative References . . . . . . . . . . . . . . . . . . 13
+ 7.2. Informative References . . . . . . . . . . . . . . . . . 14
+ Appendix A. Summary of Filtering Rules . . . . . . . . . . . . . 18
+
+1. Introduction
+
+ Most general-purpose operating systems implement and enable native
+ IPv6 [RFC2460] support and a number of transition/coexistence
+ technologies by default. Support of IPv6 by all nodes is intended to
+ become best current practice [RFC6540]. Some enterprise networks
+ might, however, choose to delay active use of IPv6.
+
+ This document describes operational practices to prevent security
+ exposure in enterprise networks resulting from unplanned use of IPv6
+ on such networks. This document is only applicable to enterprise
+ networks: networks where the network operator is not providing a
+ general-purpose internet, but rather a business-specific network.
+ The solutions proposed here are not practical for home networks, nor
+ are they appropriate for provider networks such as ISPs, mobile
+ providers, WiFi hotspot providers, or any other public internet
+ service.
+
+ In scenarios in which IPv6-enabled devices are deployed on enterprise
+ networks that are intended to be IPv4-only, native IPv6 support and/
+ or IPv6 transition/coexistence technologies could be leveraged by
+ local or remote attackers for a number of (illegitimate) purposes.
+ For example,
+
+
+
+
+
+
+Gont & Liu Informational [Page 2]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ o A Network Intrusion Detection System (NIDS) might be prepared to
+ detect attack patterns for IPv4 traffic, but might be unable to
+ detect the same attack patterns when a transition/coexistence
+ technology is leveraged for that purpose.
+
+ o An IPv4 firewall might enforce a specific security policy in IPv4,
+ but might be unable to enforce the same policy in IPv6.
+
+ o A NIDS or firewall might support both IPv4 and IPv6, but might not
+ be configured to enforce on IPv6 traffic the same controls/
+ policies it enforces on IPv4 traffic.
+
+ o Some transition/coexistence mechanisms could cause an internal
+ host with otherwise limited IPv4 connectivity to become globally
+ reachable over IPv6, therefore resulting in increased (and
+ possibly unexpected) host exposure.
+
+ NOTE: Some transition/coexistence mechanisms (notably Teredo)
+ are designed to traverse Network Address Port Translation
+ (NAPT) [RFC2663] devices, allowing incoming IPv6 connections
+ from the Internet to hosts behind the organizational firewall
+ or NAPT (which in many deployments provides a minimum level of
+ protection by only allowing those instances of communication
+ that have been initiated from the internal network).
+
+ o IPv6 support could, either inadvertently or as a result of a
+ deliberate attack, result in Virtual Private Network (VPN) traffic
+ leaks if IPv6-unaware VPN software is employed by dual-stacked
+ hosts [VPN-LEAKS].
+
+ In general, most of the aforementioned security implications can be
+ mitigated by enforcing security controls on native IPv6 traffic and
+ on IPv4-tunneled IPv6 traffic. Among such controls, is the
+ enforcement of filtering policies to block undesirable traffic.
+ While IPv6 widespread/global IPv6 deployment has been slower than
+ expected, it is nevertheless happening; and thus, filtering IPv6
+ traffic (whether native or transition/coexistence) to mitigate IPv6
+ security implications on IPv4 networks should (generally) only be
+ considered as a temporary measure until IPv6 is deployed.
+
+ NOTE: The aforementioned security controls should contemplate not
+ only network-based solutions, but also host-based solutions (such
+ as, e.g., personal firewalls).
+
+
+
+
+
+
+
+
+Gont & Liu Informational [Page 3]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+2. Security Implications of Native IPv6 Support
+
+ Most popular operating systems include IPv6 support that is enabled
+ by default. This means that even if a network is expected to be
+ IPv4-only, much of its infrastructure is nevertheless likely to be
+ IPv6-enabled. For example, hosts are likely to have at least link-
+ local IPv6 connectivity, which might be exploited by attackers with
+ access to the local network.
+
+ Additionally, unless appropriate measures are taken, an attacker with
+ access to an "IPv4-only" local network could impersonate a local
+ router and cause local hosts to enable their 'non-link-local' IPv6
+ connectivity (e.g., by sending Router Advertisement messages),
+ possibly circumventing security controls that were enforced only on
+ IPv4 communications.
+
+ NOTE: [THC-IPV6] and [IPv6-Toolkit] include tools that implement
+ this attack vector (along with many others). [Waters2011]
+ provides an example of how this could be achieved using publicly
+ available tools.
+
+ Native IPv6 support could also possibly lead to VPN-traffic leakages
+ when hosts employ VPN software that, not only does not support IPv6,
+ but does nothing about IPv6 traffic. [VPN-LEAKS] describes this
+ issue, along with possible mitigations.
+
+ In general, networks should enforce on native IPv6 traffic the same
+ security policies currently enforced on IPv4 traffic. However, in
+ those networks in which IPv6 has not yet been deployed and enforcing
+ the aforementioned policies is deemed as infeasible, a network
+ administrator might mitigate IPv6-based attack vectors by means of
+ appropriate packet filtering.
+
+2.1. Filtering Native IPv6 Traffic
+
+ Some layer-2 devices might have the ability to selectively filter
+ packets based on the type of layer-2 payload. When such
+ functionality is available, IPv6 traffic could be blocked at those
+ layer-2 devices by blocking, for example, Ethernet frames with the
+ Protocol Type field set to 0x86dd [IANA-ETHER]. We note, however,
+ that blocking IPv6 at layer-2 might create problems that are
+ difficult to diagnose, inclusive of intentional or incidental use of
+ link-local addressing (as in Multicast DNS/DNS-based Service
+ Discovery [RFC6762] [RFC6763]); sites that enforce such a filtering
+ policy should keep that possibility in mind when debugging the
+ network.
+
+
+
+
+
+Gont & Liu Informational [Page 4]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ Attacks based on Stateless Address Autoconfiguration (SLAAC)
+ [RFC3756] can be mitigated with technologies such as Router
+ Advertisement Guard (RA-Guard) [RFC6105] [RA-GRD-IMP]. In a similar
+ way, DHCPv6-based attacks can be mitigated with technologies such as
+ DHCPv6-Shield [SHIELD]. However, both RA-Guard and DHCPv6-Shield are
+ incapable of mitigating attack vectors that employ IPv6 link-local
+ addresses, since configuration of such addresses does not rely on
+ Router Advertisement messages or DHCPv6-server messages.
+
+ Administrators considering the filtering of native IPv6 traffic at
+ layer-3 devices are urged to pay attention to the general
+ considerations for IPv6 traffic filtering discussed in Section 4.
+
+ NOTE: If native IPv6 traffic is filtered at layer-2, local IPv6
+ nodes would only get to configure IPv6 link-local addresses.
+
+ In order to mitigate attacks based on native IPv6 traffic, IPv6
+ security controls should be enforced on both IPv4 and IPv6 networks.
+ The aforementioned controls might include: deploying IPv6-enabled
+ NIDS, implementing IPv6 firewalling, etc.
+
+ NOTE: In some very specific scenarios (e.g., military operations
+ networks) in which only IPv4 service might be desired, a network
+ administrator might want to disable IPv6 support in all the
+ communicating devices.
+
+3. Security Implications of Tunneling Mechanisms
+
+ Unless properly managed, tunneling mechanisms might result in
+ negative security implications. For example, they might increase
+ host exposure, might be leveraged to evade security controls, might
+ contain protocol-based vulnerabilities, and/or the corresponding code
+ might contain bugs with security implications.
+
+ NOTE: [RFC6169] describes the security implications of tunneling
+ mechanisms in detail. Of the plethora of tunneling mechanisms
+ that have so far been standardized and widely implemented, the so-
+ called "automatic tunneling" mechanisms (such as Teredo, Intra-
+ Site Automatic Tunnel Addressing Protocol (ISATAP), and 6to4) are
+ of particular interest from a security standpoint, since they
+ might be employed without prior consent or action of the user or
+ network administrator.
+
+ Tunneling mechanisms should be a concern not only to network
+ administrators that have consciously deployed them, but also to those
+ who have not deployed them, as these mechanisms might be leveraged to
+ bypass their security policies.
+
+
+
+
+Gont & Liu Informational [Page 5]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ NOTE: [CERT2009] contains some examples of how tunnels can be
+ leveraged to bypass firewall rules.
+
+ The aforementioned issues could be mitigated by applying the common
+ security practice of only allowing traffic deemed as "necessary"
+ (i.e., the so-called "default deny" policy). Thus, when such policy
+ is enforced, IPv6 transition/coexistence traffic would be blocked by
+ default and would only be allowed as a result of an explicit
+ decision.
+
+ NOTE: It should be noted that this type of policy is usually
+ enforced on a network that is the target of such traffic (such as
+ an enterprise network). IPv6 transition traffic should generally
+ never be filtered, e.g., by an ISP when it is transit traffic.
+
+ In those scenarios in which transition/coexistence traffic is meant
+ to be blocked, it is highly recommended that, in addition to the
+ enforcement of filtering policies at the organizational perimeter,
+ the corresponding transition/coexistence mechanisms be disabled on
+ each node connected to the organizational network. This would not
+ only prevent security breaches resulting from accidental use of these
+ mechanisms, but would also disable this functionality altogether,
+ possibly mitigating vulnerabilities that might be present in the host
+ implementation of these transition/coexistence mechanisms.
+
+ IPv6-in-IPv4 tunneling mechanisms (such as 6to4 or configured
+ tunnels) can generally be blocked by dropping IPv4 packets that
+ contain a Protocol field set to 41. Security devices such as NIDS
+ might also include signatures that detect such transition/coexistence
+ traffic.
+
+ Administrators considering the filtering of transition/coexistence
+ traffic are urged to pay attention to the general considerations for
+ IPv6 traffic filtering discussed in Section 4.
+
+ We note that this document only covers standardized IPv6 tunneling
+ mechanisms; it does not aim to cover non-standard tunneling
+ mechanisms or tunneling based on IPsec [RFC4301] or on SSL/TLS
+ [RFC5246] [RFC6101].
+
+3.1. Filtering 6in4
+
+ Probably the most basic type of tunnel employed for connecting IPv6
+ "islands" is the so-called "6in4", in which IPv6 packets are
+ encapsulated within IPv4 packets. These tunnels typically result
+ from manual configuration at the two tunnel endpoints.
+
+
+
+
+
+Gont & Liu Informational [Page 6]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ 6in4 tunnels can be blocked by blocking IPv4 packets with a Protocol
+ field of 41.
+
+3.2. Filtering 6over4
+
+ [RFC2529] specifies a mechanism known as 6over4 or 'IPv6 over IPv4'
+ (or colloquially as 'virtual Ethernet'), which comprises a set of
+ mechanisms and policies to allow isolated IPv6 hosts located on
+ physical links with no directly connected IPv6 router to become fully
+ functional IPv6 hosts by using an IPv4 domain that supports IPv4
+ multicast as their virtual local link.
+
+ NOTE: This transition technology has never been widely deployed
+ because of the low level of deployment of multicast in most
+ networks.
+
+ 6over4 encapsulates IPv6 packets in IPv4 packets with their Protocol
+ field set to 41. As a result, simply filtering all IPv4 packets that
+ have a Protocol field equal to 41 will filter 6over4 (along with many
+ other transition technologies).
+
+ A more selective filtering could be enforced such that 6over4 traffic
+ is filtered while other transition traffic is still allowed. Such a
+ filtering policy would block all IPv4 packets that have their
+ Protocol field set to 41, and that have a Destination Address that
+ belongs to the prefix 239.0.0.0/8.
+
+ This filtering policy basically blocks 6over4 Neighbor Discovery
+ traffic directed to multicast addresses, thus preventing SLAAC,
+ address resolution, etc. Additionally, it would prevent the 6over4
+ multicast addresses from being leveraged for the purpose of network
+ reconnaissance.
+
+3.3. Filtering 6rd
+
+ 6rd builds upon the mechanisms of 6to4 to enable the rapid deployment
+ of IPv6 on IPv4 infrastructures, while avoiding some downsides of
+ 6to4. Usage of 6rd was originally documented in [RFC5569], and the
+ mechanism was generalized to other access technologies and formally
+ standardized in [RFC5969].
+
+ 6rd can be blocked by blocking IPv4 packets with the Protocol field
+ set to 41.
+
+
+
+
+
+
+
+
+Gont & Liu Informational [Page 7]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+3.4. Filtering 6to4
+
+ 6to4 [RFC3056] is an address assignment and router-to-router, host-
+ to-router, and router-to-host automatic tunneling mechanism that is
+ meant to provide IPv6 connectivity between IPv6 sites and hosts
+ across the IPv4 Internet.
+
+ NOTE: The security considerations for 6to4 are discussed in detail
+ in [RFC3964]. [RFC6343] provides advice to network operators
+ about 6to4 (some of which relates to security mitigations).
+
+ As discussed in Section 3, all IPv6-in-IPv4 traffic, including 6to4,
+ could be easily blocked by filtering IPv4 packets that contain their
+ Protocol field set to 41. This is the most effective way of
+ filtering such traffic.
+
+ If 6to4 traffic is meant to be filtered while other IPv6-in-IPv4
+ traffic is allowed, then more finer-grained filtering rules could be
+ applied. For example, 6to4 traffic could be filtered by applying
+ filtering rules such as:
+
+ o Filter outgoing IPv4 packets that have the Destination Address set
+ to an address that belongs to the prefix 192.88.99.0/24.
+
+ o Filter incoming IPv4 packets that have the Source Address set to
+ an address that belongs to the prefix 192.88.99.0/24.
+
+ NOTE: These rules assume that the corresponding nodes employ
+ the "Anycast Prefix for 6to4 Relay Routers" [RFC3068]. It has
+ been suggested that 6to4 relays send their packets with their
+ IPv4 Source Address set to 192.88.99.1.
+
+ o Filter outgoing IPv4 packets that have the Destination Address set
+ to the IPv4 address of well-known 6to4 relays.
+
+ o Filter incoming IPv4 packets that have the Source Address set to
+ the IPv4 address of well-known 6to4 relays.
+
+ These last two filtering policies will generally be unnecessary,
+ and possibly infeasible to enforce (given the number of potential
+ 6to4 relays, and the fact that many relays might remain unknown to
+ the network administrator). If anything, they should be applied
+ with the additional requirement that such IPv4 packets have their
+ Protocol field set to 41 to avoid the case where other services
+ available at the same IPv4 address as a 6to4 relay are mistakenly
+ made inaccessible.
+
+
+
+
+
+Gont & Liu Informational [Page 8]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ If the filtering device has capabilities to inspect the payload of
+ IPv4 packets, then the following filtering rules could be enforced:
+
+ o Filter outgoing IPv4 packets that have their Protocol field set to
+ 41, and that have an IPv6 Source Address (embedded in the IPv4
+ payload) that belongs to the prefix 2002::/16.
+
+ o Filter incoming IPv4 packets that have their Protocol field set to
+ 41, and that have an IPv6 Destination address (embedded in the
+ IPv4 payload) that belongs to the prefix 2002::/16.
+
+3.5. Filtering ISATAP
+
+ ISATAP [RFC5214] is an Intra-site tunneling protocol, and thus it is
+ generally expected that such traffic will not traverse the
+ organizational firewall of an IPv4-only network. Nevertheless,
+ ISATAP can be easily blocked by blocking IPv4 packets with a Protocol
+ field of 41.
+
+ The most popular operating system that includes an implementation of
+ ISATAP in the default installation is Microsoft Windows. Microsoft
+ Windows obtains the ISATAP router address by resolving the domain
+ name isatap.<localdomain> to DNS A resource records. Additionally,
+ it tries to learn the ISATAP router address by employing Link-Local
+ Multicast Name Resolution (LLMNR) [RFC4795] to resolve the name
+ "isatap". As a result, blocking ISATAP by preventing hosts from
+ successfully performing name resolution for the aforementioned names
+ and/or by filtering packets with specific IPv4 destination addresses
+ is both difficult and undesirable.
+
+3.6. Filtering Teredo
+
+ Teredo [RFC4380] is an address assignment and automatic tunneling
+ technology that provides IPv6 connectivity to dual-stack nodes that
+ are behind one or more Network Address Port Translation (NAPT)
+ [RFC2663] devices, by encapsulating IPv6 packets in IPv4-based UDP
+ datagrams. Teredo is meant to be a 'last-resort' IPv6 connectivity
+ technology, to be used only when other technologies such as 6to4
+ cannot be deployed (e.g., because the edge device has not been
+ assigned a public IPv4 address).
+
+ As noted in [RFC4380], in order for a Teredo client to configure its
+ Teredo IPv6 address, it must contact a Teredo server through the
+ Teredo service port (UDP port number 3544).
+
+ To prevent the Teredo initialization process from succeeding, and
+ hence prevent the use of Teredo, an organizational firewall could
+ filter outgoing UDP packets with a Destination Port of 3544.
+
+
+
+Gont & Liu Informational [Page 9]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ NOTE: It is clear that such a filtering policy does not prevent an
+ attacker from running its own Teredo server in the public
+ Internet, using a non-standard UDP port for the Teredo service
+ port (i.e., a port number other than 3544).
+
+ If the filtering device has capabilities to inspect the payload of
+ IPv4 packets, the following (additional) filtering policy could be
+ enforced:
+
+ o Filter outgoing IPv4/UDP packets that embed an IPv6 packet with
+ the "Version" field set to 6, and an IPv6 Source Address that
+ belongs to the prefix 2001::/32.
+
+ o Filter incoming IPv4/UDP packets that embed an IPv6 packet with
+ the "Version" field set to 6, and an IPv6 Destination Address that
+ belongs to the prefix 2001::/32.
+
+ NOTE: These two filtering rules could, at least in theory, result
+ in false positives. Additionally, they would generally require
+ the filtering device to reassemble fragments prior to enforcing
+ filtering rules, since the information required to enforce them
+ might be missing in the received fragments (which should be
+ expected if Teredo is being employed for malicious purposes).
+
+ The most popular operating system that includes an implementation of
+ Teredo in the default installation is Microsoft Windows. Microsoft
+ Windows obtains the Teredo server addresses (primary and secondary)
+ by resolving the domain name teredo.ipv6.microsoft.com into DNS A
+ records. A network administrator might want to prevent Microsoft
+ Windows hosts from obtaining Teredo service by filtering, at the
+ organizational firewall, outgoing UDP datagrams (i.e., IPv4 packets
+ with the Protocol field set to 17) that contain in the IPv4
+ Destination Address any of the IPv4 addresses that the domain name
+ teredo.ipv6.microsoft.com maps to (or the IPv4 address of any well-
+ known Teredo server). Additionally, the firewall would filter
+ incoming UDP datagrams from any of the IPv4 addresses to which the
+ domain names of well-known Teredo servers (such as
+ teredo.ipv6.microsoft.com) resolve.
+
+ NOTE: As these IPv4 addresses might change over time, an
+ administrator should obtain these addresses when implementing the
+ filtering policy, and should also be prepared to keep this list up
+ to date. The corresponding addresses can be easily obtained from
+ a UNIX host by issuing the command 'dig teredo.ipv6.microsoft.com
+ a' (without quotes), where dig(1) is a free-software tool (part of
+ the "dnsutils" package) produced by the Internet Software
+ Consortium (ISC).
+
+
+
+
+Gont & Liu Informational [Page 10]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ It should be noted that even with all these filtering policies in
+ place, a node in the internal network might still be able to
+ communicate with some Teredo clients. That is, it could configure an
+ IPv6 address itself (without even contacting a Teredo server), and it
+ might send Teredo traffic to those peers for which intervention of
+ the host's Teredo server is not required (e.g., Teredo clients behind
+ a cone NAT).
+
+3.7. Filtering Tunnel Broker with Tunnel Setup Protocol (TSP)
+
+ The tunnel broker model enables dynamic configuration of tunnels
+ between a tunnel client and a tunnel server. The tunnel broker
+ provides a control channel for creating, deleting, or updating a
+ tunnel between the tunnel client and the tunnel server.
+ Additionally, the tunnel broker may register the user's IPv6 address
+ and name in the DNS. Once the tunnel is configured, data can flow
+ between the tunnel client and the tunnel server. [RFC3053] describes
+ the tunnel broker model, while [RFC5572] specifies the Tunnel Setup
+ Protocol (TSP), which can be used by clients to communicate with the
+ Tunnel Broker.
+
+ TSP can use either TCP or UDP as the transport protocol. In both
+ cases, TSP uses port number 3653, which has been assigned by the IANA
+ for this purpose. As a result, TSP (the Tunnel Broker control
+ channel) can be blocked by blocking TCP and UDP packets originating
+ from the local network and destined to UDP port 3653 or TCP port
+ 3653. Additionally, the data channel can be blocked by blocking UDP
+ packets originated from the local network and destined to UDP port
+ 3653, and IPv4 packets with a Protocol field set to 41.
+
+3.8. Filtering AYIYA
+
+ AYIYA ("Anything In Anything") [AYIYA] allows the tunneling of
+ packets across Network Address Port Translation (NAPT) [RFC2663]
+ devices. While the specification of this tunneling mechanism was
+ never published as an RFC, it is nevertheless widely deployed
+ [SixXS-stats].
+
+ AYIYA can be blocked by blocking TCP and UDP packets originating from
+ the local network and destined to UDP port 5072 or TCP port 5072.
+
+
+
+
+
+
+
+
+
+
+
+Gont & Liu Informational [Page 11]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+4. Additional Considerations when Filtering IPv6 Traffic
+
+ IPv6 deployments in the Internet are continually increasing, and some
+ hosts default to preferring IPv6 connectivity whenever it is
+ available. This is likely to cause IPv6-capable hosts to attempt to
+ reach an ever-increasing number of popular destinations via IPv6,
+ even if this IPv6 connectivity relies on a transition technology over
+ an "IPv4-only" network.
+
+ A large source of IPv6 brokenness today comes from nodes that believe
+ that they have functional IPv6 connectivity, but the path to their
+ destination fails somewhere upstream [Anderson2010] [Anderson2011]
+ [Huston2010b] [Huston2012]. Upstream filtering of transition
+ technologies or situations where a misconfigured node attempts to
+ "provide" native IPv6 service on a given network without proper
+ upstream IPv6 connectivity may result in hosts attempting to reach
+ remote nodes via IPv6, and depending on the absence or presence and
+ specific implementation details of "Happy Eyeballs" [RFC6555], there
+ might be a non-trivial timeout period before the host falls back to
+ IPv4 [Huston2010a] [Huston2012].
+
+ For this reason, networks attempting to prevent IPv6 traffic from
+ traversing their devices should consider configuring their local
+ recursive DNS servers to respond to queries for AAAA DNS records with
+ a DNS RCODE of 0 (NOERROR) [RFC1035] or to silently ignore such
+ queries, and should even consider filtering AAAA records at the
+ network ingress point to prevent the internal hosts from attempting
+ their own DNS resolution. This will ensure that hosts that are on an
+ "IPv4-only" network will only receive DNS A records, and they will be
+ unlikely to attempt to use (likely broken) IPv6 connectivity to reach
+ their desired destinations.
+
+ We note that in scenarios where DNSSEC [RFC4033] is deployed,
+ stripping AAAA records from DNS responses would lead to DNS responses
+ elicited by queries with the DO and CD bits set [RFC4035] to be
+ considered invalid, and hence discarded. This situation is similar
+ to that of DNS64 [RFC6147] in the presence of DNSSEC and should be
+ considered a drawback associated with this approach.
+
+ Additionally, it should be noted that when filtering IPv6 traffic, it
+ is good practice to signal the packet drop to the source node, such
+ that it is able to react to the packet drop in a more appropriate and
+ timely way. For example, a firewall could signal the packet drop by
+ means of an ICMPv6 error message (or TCP [RFC0793] RST segment if
+ appropriate), such that the source node can, e.g., quickly react as
+ described in [RFC5461]. For obvious reasons, if the traffic being
+
+
+
+
+
+Gont & Liu Informational [Page 12]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ filtered is IPv6 transition/coexistence traffic, the signaling packet
+ should be sent by means of the corresponding IPv6 transition/
+ coexistence technology.
+
+5. Security Considerations
+
+ This document discusses the security implications of IPv6 on IPv4
+ networks and describes a number of techniques to mitigate the
+ aforementioned issues. In general, the possible mitigations boil
+ down to enforcing on native IPv6 and IPv6 transition/coexistence
+ traffic the same security policies currently enforced for IPv4
+ traffic and/or blocking the aforementioned traffic when it is deemed
+ as undesirable.
+
+6. Acknowledgements
+
+ The authors would like to thank Wes George, who contributed most of
+ the text that comprises Section 4 of this document.
+
+ The authors would like to thank (in alphabetical order) Ran Atkinson,
+ Brian Carpenter, Stephen Farrell, Guillermo Gont, Joel Jaeggli, Panos
+ Kampanakis, Warren Kumari, Ted Lemon, David Malone, Joseph Salowey,
+ Arturo Servin, Donald Smith, Tina Tsou, and Eric Vyncke for providing
+ valuable comments on earlier versions of this document.
+
+ This document is based on the results of the project "Security
+ Assessment of the Internet Protocol version 6 (IPv6)" [CPNI-IPv6],
+ carried out by Fernando Gont on behalf of the UK Centre for the
+ Protection of National Infrastructure (CPNI). Fernando Gont would
+ like to thank the UK CPNI for their continued support.
+
+7. References
+
+7.1. Normative References
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
+ (IPv6) Specification", RFC 2460, December 1998.
+
+ [RFC2529] Carpenter, B. and C. Jung, "Transmission of IPv6 over IPv4
+ Domains without Explicit Tunnels", RFC 2529, March 1999.
+
+ [RFC3053] Durand, A., Fasano, P., Guardini, I., and D. Lento, "IPv6
+ Tunnel Broker", RFC 3053, January 2001.
+
+
+
+
+
+Gont & Liu Informational [Page 13]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
+ via IPv4 Clouds", RFC 3056, February 2001.
+
+ [RFC3068] Huitema, C., "An Anycast Prefix for 6to4 Relay Routers",
+ RFC 3068, June 2001.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements", RFC
+ 4033, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through
+ Network Address Translations (NATs)", RFC 4380, February
+ 2006.
+
+ [RFC4795] Aboba, B., Thaler, D., and L. Esibov, "Link-local
+ Multicast Name Resolution (LLMNR)", RFC 4795, January
+ 2007.
+
+ [RFC5214] Templin, F., Gleeson, T., and D. Thaler, "Intra-Site
+ Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214,
+ March 2008.
+
+ [RFC5569] Despres, R., "IPv6 Rapid Deployment on IPv4
+ Infrastructures (6rd)", RFC 5569, January 2010.
+
+ [RFC5969] Townsley, W. and O. Troan, "IPv6 Rapid Deployment on IPv4
+ Infrastructures (6rd) -- Protocol Specification", RFC
+ 5969, August 2010.
+
+ [RFC5572] Blanchet, M. and F. Parent, "IPv6 Tunnel Broker with the
+ Tunnel Setup Protocol (TSP)", RFC 5572, February 2010.
+
+ [RFC6147] Bagnulo, M., Sullivan, A., Matthews, P., and I. van
+ Beijnum, "DNS64: DNS Extensions for Network Address
+ Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
+ April 2011.
+
+7.2. Informative References
+
+ [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC
+ 793, September 1981.
+
+
+
+
+
+
+Gont & Liu Informational [Page 14]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
+ Translator (NAT) Terminology and Considerations", RFC
+ 2663, August 1999.
+
+ [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor
+ Discovery (ND) Trust Models and Threats", RFC 3756, May
+ 2004.
+
+ [RFC3964] Savola, P. and C. Patel, "Security Considerations for
+ 6to4", RFC 3964, December 2004.
+
+ [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
+ Internet Protocol", RFC 4301, December 2005.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.2", RFC 5246, August 2008.
+
+ [RFC5461] Gont, F., "TCP's Reaction to Soft Errors", RFC 5461,
+ February 2009.
+
+ [RFC6101] Freier, A., Karlton, P., and P. Kocher, "The Secure
+ Sockets Layer (SSL) Protocol Version 3.0", RFC 6101,
+ August 2011.
+
+ [RFC6105] Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
+ Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
+ February 2011.
+
+ [RFC6169] Krishnan, S., Thaler, D., and J. Hoagland, "Security
+ Concerns with IP Tunneling", RFC 6169, April 2011.
+
+ [RFC6343] Carpenter, B., "Advisory Guidelines for 6to4 Deployment",
+ RFC 6343, August 2011.
+
+ [RFC6540] George, W., Donley, C., Liljenstolpe, C., and L. Howard,
+ "IPv6 Support Required for All IP-Capable Nodes", BCP 177,
+ RFC 6540, April 2012.
+
+ [RFC6555] Wing, D. and A. Yourtchenko, "Happy Eyeballs: Success with
+ Dual-Stack Hosts", RFC 6555, April 2012.
+
+ [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
+ February 2013.
+
+ [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
+ Discovery", RFC 6763, February 2013.
+
+
+
+
+
+Gont & Liu Informational [Page 15]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ [RA-GRD-IMP]
+ Gont, F., "Implementation Advice for IPv6 Router
+ Advertisement Guard (RA-Guard)", Work in Progress,
+ November 2012.
+
+ [VPN-LEAKS]
+ Gont, F., "Virtual Private Network (VPN) traffic leakages
+ in dual-stack hosts/ networks", Work in Progress, August
+ 2013.
+
+ [SHIELD] Gont, F., Liu, W., and G. Van de Velde, "DHCPv6-Shield:
+ Protecting Against Rogue DHCPv6 Servers", Work in
+ Progress, October 2013.
+
+ [AYIYA] Massar, J., "AYIYA: Anything In Anything", Work in
+ Progress, July 2004.
+
+ [IANA-ETHER]
+ IANA, "Ethernet Numbers",
+ <http://www.iana.org/assignments/ethernet-numbers>.
+
+ [CERT2009] Giobbi, R., "Bypassing Firewalls with IPv6 Tunnels", CERT/
+ CC Blog, April 2009, <http://www.cert.org/blogs/vuls/2009/
+ 04/bypassing_firewalls_with_ipv6.html>.
+
+ [Huston2010a]
+ Huston, G., "IPv6 Measurements", 2010,
+ <http://www.potaroo.net/stats/1x1/>.
+
+ [Huston2010b]
+ Huston, G., "Flailing IPv6", The ISP Column: A monthly
+ column on things Internet, December 2010,
+ <http://www.potaroo.net/ispcol/2010-12/6to4fail.pdf>.
+
+ [Huston2012]
+ Huston, G., "Bemused Eyeballs: Tailoring Dual Stack
+ Applications in a CGN Environment", The ISP Column: A
+ monthly column on things Internet, May 2012,
+ <http://www.potaroo.net/ispcol/2012-05/notquite.pdf>.
+
+ [Anderson2010]
+ Anderson, T., "Measuring and combating IPv6 brokenness",
+ RIPE 61, Roma, November 2010,
+ <http://ripe61.ripe.net/presentations/162-ripe61.pdf>.
+
+ [Anderson2011]
+ Anderson, T., "IPv6 dual-stack client loss in Norway",
+ 2011, <http://www.fud.no/ipv6/>.
+
+
+
+Gont & Liu Informational [Page 16]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+ [CPNI-IPv6]
+ Gont, F., "Security Assessment of the Internet Protocol
+ version 6 (IPv6)", UK Centre for the Protection of
+ National Infrastructure, (available on request), .
+
+ [IPv6-Toolkit]
+ SI6 Networks, "SI6 Networks' IPv6 Toolkit",
+ <http://www.si6networks.com/tools/ipv6toolkit>.
+
+ [THC-IPV6] The Hacker's Choice, "THC-IPV6 - attacking the IPV6
+ protocol suite", December 2013,
+ <http://www.thc.org/thc-ipv6/>.
+
+ [Waters2011]
+ Waters, A., "The SLAAC Attack - using IPv6 as a weapon
+ against IPv4", April 2011,
+ <http://wirewatcher.wordpress.com/2011/04/04/
+ the-slaac-attack-using-ipv6-as-a-weapon-against-ipv4/>.
+
+ [SixXS-stats]
+ SixXS, , "SixXS - IPv6 Deployment & Tunnel Broker ::
+ Statistics", 2013, <http://www.sixxs.net/misc/usage/>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gont & Liu Informational [Page 17]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+Appendix A. Summary of Filtering Rules
+
+ +-------------+-----------------------------------------------------+
+ | Technology | Filtering rules |
+ +-------------+-----------------------------------------------------+
+ | Native IPv6 | EtherType 0x86DD |
+ +-------------+-----------------------------------------------------+
+ | 6in4 | IP proto 41 |
+ +-------------+-----------------------------------------------------+
+ | 6over4 | IP proto 41 |
+ +-------------+-----------------------------------------------------+
+ | 6rd | IP proto 41 |
+ +-------------+-----------------------------------------------------+
+ | 6to4 | IP proto 41 |
+ +-------------+-----------------------------------------------------+
+ | ISATAP | IP proto 41 |
+ +-------------+-----------------------------------------------------+
+ | Teredo | UDP Dest Port 3544 |
+ +-------------+-----------------------------------------------------+
+ | TB with TSP | (IP proto 41) || (UDP Dest Port 3653 || TCP Dest |
+ | | Port 3653) |
+ +-------------+-----------------------------------------------------+
+ | AYIYA | UDP Dest Port 5072 || TCP Dest Port 5072 |
+ +-------------+-----------------------------------------------------+
+
+ Table 1: Summary of filtering rules
+
+ NOTE: the table above describes general and simple filtering rules
+ for blocking the corresponding traffic. More finer-grained rules
+ might be available in each of the corresponding sections of this
+ document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gont & Liu Informational [Page 18]
+
+RFC 7123 Sec. Impl. of IPv6 on IPv4 Networks February 2014
+
+
+Authors' Addresses
+
+ Fernando Gont
+ SI6 Networks / UTN-FRH
+ Evaristo Carriego 2644
+ Haedo, Provincia de Buenos Aires 1706
+ Argentina
+
+ Phone: +54 11 4650 8472
+ EMail: fgont@si6networks.com
+ URI: http://www.si6networks.com
+
+
+ Will (Shucheng) Liu
+ Huawei Technologies
+ Bantian, Longgang District
+ Shenzhen 518129
+ P.R. China
+
+ EMail: liushucheng@huawei.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gont & Liu Informational [Page 19]
+