PIM Working Group W. Atwood Internet-Draft S. Islam Expires: December 25, 2006 Concordia University/CSE June 23, 2006 Security Issues in PIM-SM Link-local Messages draft-atwood-pim-sm-linklocal-01 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on December 25, 2006. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This document proposes some additions to the specification of the Protocol Independent Multicast - Sparse Mode (PIM-SM) Protocol regarding security issues of its link-local messages. Although the new specifications for IPsec architecture (RFC 4301) and Authorization Header (RFC 4302) permit the use of anti-replay, they counsel against its use for multi-sender, multicast Security Associations. This makes PIM-SM vulnerable to Denial of Service (DoS) attack. In this document, a new proposal is presented to Atwood & Islam Expires December 25, 2006 [Page 1] Internet-Draft PIM-SM Link-local Security June 2006 protect PIM link-local messages while activating the anti-replay mechanism as well. This proposal builds on the new Security Association lookup method that has been specified in RFC 4301 and RFC 4302. Atwood & Islam Expires December 25, 2006 [Page 2] Internet-Draft PIM-SM Link-local Security June 2006 1. Introduction All the PIM-SM [1] control messages have IP protocol number 103. These messages are either unicast, or multicast with TTL = 1. The source address used for unicast messages is a domain-wide reachable address. For the multicast messages, a link-local address of the interface on which the message is being sent is used as the source address and a special multicast address, ALL_PIM_ROUTERS (224.0.0.13 in IPv4 and ff02::d in IPv6) is used as the destination address. These messages are called link-local messages. Hello, Join/Prune and Assert messages are included in this category. A forged link-local message may be sent to the ALL_PIM_ROUTERS multicast address by an attacker. This type of message affects the construction of the distribution tree [1]. The effects of these forged messages are outlined in section 6.1 of [1]. Some of the effects are very severe, whereas some are minor. PIM-SM version 2 was originally specified in RFC 2117, and revised in RFC 2362. A PIM-SM Internet Draft [1] has been approved by the IESG for publication as an RFC. It is intended to obsolete RFC 2362, and to correct a number of deficiencies. The Security Considerations section of the PIM-SM Internet Draft is based primarily on the new Authentication Header (AH) specification described in RFC 4302 [2]. Securing the unicast messages can be achieved by the use of a normal unicast IPsec Security Association between the two communicants. Securing the user data exchanges is covered in RFC 3740 [4]. This document focuses on the security issues of link-local messages. It provides some guidelines to take advantage of the new permitted AH functionality, and to bring the PIM-SM Internet Draft into alignment with the new AH specification. Atwood & Islam Expires December 25, 2006 [Page 3] Internet-Draft PIM-SM Link-local Security June 2006 2. Terminology In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in RFC 2119 and indicate requirement levels for compliant PIM-SM implementations. Atwood & Islam Expires December 25, 2006 [Page 4] Internet-Draft PIM-SM Link-local Security June 2006 3. Authentication according to the PIM-SM Internet-Draft In the PIM-SM Internet Draft, IP Security (IPsec) [[3] transport mode using Authentication Header (AH) [2] is recommended to prevent attacks generated by forged control messages. The Network Administrator will configure the specific AH authentication algorithm and parameters, including the choice of authentication algorithm and the choice of keys. The PIM-SM Internet Draft does not specify protocols for establishing Security Associations. The PIM-SM Internet Draft assumes that manual configuration of Security Associations will be performed, although it does not preclude the use of a negotiation protocol such as the Internet Key Exchange (IKE) [2] to establish Security Associations. Once the Security Associations have been established, all the control messages should go through the IPsec authentication process. A PIM-SM router should authenticate a control message before processing it, and should reject any unauthorized PIM protocol messages. Given that IPsec [3] provides protection against replayed unicast and multicast messages, the PIM-SM Internet Draft further states that the IPsec anti-replay option SHOULD be enabled for these Security Associations. Unfortunately, the AH specification notes as follows: "If the key used to compute an ICV is manually distributed, correct provision of the anti-replay service would require correct maintenance of the counter state at the sender, until the key is replaced, and there would likely be no automated recovery provision if counter overflow were imminent. Thus, a compliant implementation SHOULD NOT provide this service in conjunction with SAs that are manually keyed." All the link-local messages of the PIM-SM protocol are sent to the destination address, ALL_PIM_ROUTERS, which is a multicast address. The Security Policy Database (SPD) within IPsec (see section 4.4.2 of RFC 4301 [3]) is not capable of representing a policy for a multicast Security Association. RFC 4301 provides no specification for an automated way to create SAD entries for a multicast, inbound SA. Only manually configured SAD entries can be created to accomodate inbound, multicast traffic. As a result, the anti-replay option must be disabled while using the IPsec AH protocol for security of link- local messages. Atwood & Islam Expires December 25, 2006 [Page 5] Internet-Draft PIM-SM Link-local Security June 2006 4. Proposed Authentication Technique The authentication mechanism [6][7] for PIM link-local messages presented in this document has following two criteria to achieve: o The anti-replay mechanism of Authetication Header protocol will be activated while sending/receiving any PIM link-local message. o To attain more flexibility, a PIM router will be able to deploy a different authentication method for each directly connected PIM router if necessary. In that case, a PIM router will maintain a separate Security Association per peer PIM router. 4.1. Security Association Lookup For an SA that carries unicast traffic, three parameters (SPI, destination address and security protocol type (AH or ESP)) are used in the Security Association lookup process for inbound packets. The SPI is sufficient to specify an SA. However, an implementation may use the SPI in conjunction with the IPsec protocol type (AH or ESP) for the SA lookup process. According to RFC 4301 [3] and the AH specification [2], for multicast SAs, in conjunction with the SPI, the destination address or the destination address plus the sender address may also be used in the SA lookup. The security protocol field is not employed for a multicast SA lookup. The reason for the various prohibitions in the IPsec RFCs concerning multisender multicast SAs lies in the difficulty of coordinating the multiple senders. However, if the use of multicast for link-local messages is examined, it may be seen that in fact the communication need not be coordinated---from the prospective of a receiving router, each peer router is an independent sender. In effect, link-local communication is an SSM communication that happens to use an ASM address (which is shared among all the routers). Two possibilities may be envisaged: 1. The address ALL_PIM_ROUTERS can be specified to operate as a set of SSM Security Associations, when IPsec is enabled; 2. Secure Link-local communication can be specified to occur on an SSM address, instead of ALL_PIM_ROUTERS. Given that the sender address of an incoming packet will be (globally) unique for a specific sender and in conjunction with the SPI it will be possible for a receiver to sort out the associated SA for that sender from all the SAD entries (even if a single SAD is maintained regardless of the number of interfaces), we propose that the SPI and the sender address MUST be used in the SA lookup process. Atwood & Islam Expires December 25, 2006 [Page 6] Internet-Draft PIM-SM Link-local Security June 2006 4.2. Activating the Anti-replay Mechanism Although link-level messages on a link constitute a multiple-sender, multiple-receiver group, the use of the sender address for SA lookup essentially resolves the communication into a separate SA for each sender/destination pair. Therefore, the statement in the AH RFC (section 2.5 of [2]) that "for a multi-sender SA, the anti-replay features are not available" becomes irrelevant to PIM-SM link-local message exchange. To activate the anti-replay mechanism in a unicast communication, the receiver uses the sliding window protocol and it maintains a sequence number for this protocol. This sequence number starts from zero. Each time the sender sends a new packet, it increments this number by one. In a multi-sender multicast group communication, a single sequence number for the entire group would not be enough. The whole scenario is different for PIM link-local messages. These messages are sent to local links with TTL = 1. A link-local message never propagates through one router to another. Given that the number of peer routers is small, and given that the use of the sender address for SA lookup converts the relationship from a multiple- sender group to multiple single-sender associations, the anti-replay mechanism SHOULD be activated while sending PIM link-local messages, and at that time a PIM router MUST maintain a different sliding window for each directly connected sender. 4.3. Implementing a Security Association Database per Interface According to RFC 2401 [5], there is nominally a different Security Association Database (SAD) for each router interface. However, RFC 4301 explicitly removes this requirement. The PIM-SM Internet Draft, however, notes the possible utility of this feature. The proposal above to use the source address to resolve the SAs implies that the use of an SAD per interface is not necessary. 4.4. Manual Key Configuration To establish the SAs at PIM-SM routers, manual key configuration will be feasible, since the number of peers will be small. The Network Administrator will configure a router manually during its boot up process. At that time, the authentication method and the keys per sender basis for each peer router SHOULD be configured. The SAD entry for each sender connected with this router will be created. The Network Admin will also configure the Security Policy Database of a router to ensure the use of the associated SA while sending a link- local message. Atwood & Islam Expires December 25, 2006 [Page 7] Internet-Draft PIM-SM Link-local Security June 2006 The addition of a new router to the set visible from a particular router will clearly require a re-configuration of that router. A negotiation protocol such as the Internet Key Exchange [2] MAY also be used to negotiate and establish a suitable authentication method and keys for the SA between two routers. However, a PIM router is not expected to join/leave very frequently, so it is doubtful that the overhead of automatic key configuration will be justified. In any case, it will still be necessary to manually configure the basic information that will allow the router to trust its peers. For these reasons, manual key configuration SHOULD be used to establish SAs. Unfortunately, the use of manual keying is called out in RFC 4302 as a specific reason why anit-replay should be prohibited. It will be necessary to either 1. explicitly override RFC 4302, or 2. design a negotiation protocol to deal with the case of counter overrun. Once the WG decides that the present proposal is an acceptable direction to follow, the authors are prepared to work on the development of such a negotiation protocol. 4.5. Extended Sequence Number In the [2], there is a provision for a 64-bit Extended Sequence Number (ESN) as the counter of the sliding window used in the anti- replay protocol. Both the sender and the receiver maintain a 64-bit counter for the sequence number, although only the lower order 32 bits is sent in the transmission. In other words, it will not affect the present header format of AH. If ESN is used, a sender router can send 2^64 -1 packets without any intervention. This number is very large, and from a PIM router's point of view, a PIM router can never exceed this number in its lifetime. This makes it reasonable to permit manual configuration, since the sequence number will never roll over. For this reason, when manual configuration is used, ESN SHOULD be deployed as the sequence number for the sliding window protocol. Atwood & Islam Expires December 25, 2006 [Page 8] Internet-Draft PIM-SM Link-local Security June 2006 5. Security Considerations The whole document considers the security issues of PIM link-local messages and proposes a mechanism to protect them. 6. References [1] Fenner, B., "Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification(Revised), draft-ietf-pim-sm-v2-new-12.txt", March 2006. [2] Kent, S., "IP Authentication Header", RFC 4302, December 2005. [3] Kent, S. and K. Seo, "Security Architechture for the Internet Protocol", RFC 4301, December 2005. [4] Hardjono, T. and B. Weis, "The Multicast Group Security Architecture", RFC 3740, March 2004. [5] Kent, S. and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998. [6] Islam, S., "Security Issues in PIM-SM Link-local Messages, Master's Thesis, Concordia University", December 2003. [7] Islam, S., "Security Issues in PIM-SM Link-local Messages, Proceedings of LCN 2004", November 2004. Atwood & Islam Expires December 25, 2006 [Page 9] Internet-Draft PIM-SM Link-local Security June 2006 Authors' Addresses J. William Atwood Concordia University/CSE 1455 de Maisonneuve Blvd, West Montreal, QC H3G 1M8 Canada Phone: +1(514)848-2424 ext3046 Email: bill@cse.concordia.ca URI: http://www.cs.concordia.ca/~bill Salekul Islam Concordia University/CSE 1455 de Maisonneuve Blvd, West Montreal, QC H3G 1M8 Canada Atwood & Islam Expires December 25, 2006 [Page 10] Internet-Draft PIM-SM Link-local Security June 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Atwood & Islam Expires December 25, 2006 [Page 11]