INTERNET-DRAFT                                                 N. Elkins
Intended Status: Informational                           Inside Products
                                                            M. Ackermann
                                                           BCBS Michigan
Expires: March 2015                                   September 18, 2014


       The Effect of Multicast on Virtual Nodes in the Same Subnet
              draft-elkins-v6ops-multicast-virtual-nodes-00


Abstract

   When network administrators in an end-user enterprise create subnets
   for Virtual Machines (VMs) in IPv6, they are not considering what
   will happen with IPv6 multicast.  We will describe how one node can
   impact its neighbors.  For example, multicast Ping Denial of Service
   (DoS) attacks and other mischief can easily be done.


Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html


Copyright and License Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.


Elkins                  Expires March 22, 2015                  [Page 1]

INTERNET DRAFT   elkins-v6ops-multicast-virtual-nodes-00   September 2014


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.


Table of Contents

   1  Introduction
      1.1  Terminology
   2  Who is a Neighbor and Why Does it Matter?
   3  Sample Real Situation
      3.1  Ping to FF02::1
      3.2  Our Test
      3.3  Other packets generated to multicast addresses
   4  Recommendations
      4.1  Best Practices for Subnet Configuration / Address Allocation
      4.2  Should nodes respond to Ping to FF0x::1
   5  IANA Considerations
   6  Security Considerations
   7  References
      7.1  Normative References
      7.2  Informative References
   8  Acknowledgments
   Authors' Addresses
   Appendix 1
      Neighbor Cache Before Ping
      Neighbor Cache After Ping


1  Introduction

   When network administrators in an end-user enterprise create subnets
   for Virtual Machines (VMs) in IPv6, they are not considering what
   will happen with IPv6 multicast.  "IPv4 thinking" may be applied, in
   that addresses are rationed.  We will describe how one node can
   impact its neighbors.
   For example, multicast Ping Denial of Service (DoS) attacks and other
   mischief can easily be done.

   How Neighbor Discovery may impact IPv6 subnets was covered in
   "Operational Neighbor Discovery Problems" [RFC6583].

   From [RFC6583]:

      "In IPv4, subnets are generally small, made just large enough to
      cover the actual number of machines on the subnet.  In contrast,
      the default IPv6 subnet size is a /64, a number so large it covers
      trillions of addresses, the overwhelming number of which will be
      unassigned.  Consequently, simplistic implementations of Neighbor
      Discovery (ND) can be vulnerable to deliberate or accidental
      denial of service (DoS), whereby they attempt to perform address
      resolution for large numbers of unassigned addresses.  Such
      denial-of-service attacks can be launched intentionally (by an
      attacker) or result from legitimate operational tools or accident
      conditions."

1.1  Terminology

   From "Neighbor Discovery for IP version 6 (IPv6)" [RFC4861], we have:

   neighbors  - nodes attached to the same link.

   interface  - a node's attachment to a link.

   link       - a communication facility or medium over which nodes can
                communicate at the link layer, i.e., the layer
                immediately below IP.  Examples are Ethernets (simple or
                bridged), PPP links, X.25, Frame Relay, or ATM networks
                as well as Internet-layer (or higher-layer)

2  Who is a Neighbor and Why Does it Matter?

   A neighbor is anyone that you can talk to with a link-local address.
   When you have a very large subnet, it can be a great many nodes,
   indeed.  IPv6 multicast packets are seen by nodes that are "on-link".
   Again, this may be a great many neighbors.

3  Sample Real Situation

   We got two IPv6 enabled virtual servers from a commercial hosting
   company.  One was a Windows server.  The other, a Linux server.
   The addresses we received for the Windows server were:

      nnnn:abcd:123::31da:4b3b
      nnnn:abcd:123::df8d:8198
      nnnn:abcd:123::797e:5ec
      nnnn:abcd:123::6512:b2c3
      nnnn:abcd:123::2563:4d17
      nnnn:abcd:123::30b2:7a05
      nnnn:abcd:123::9d90:8e24
      nnnn:abcd:123::9ada:3f3c
      nnnn:abcd:123::bf53:d3d3
      nnnn:abcd:123::4515:bc5e

   They told us that the gateway is nnnn:abcd:123::1.  The subnet is a
   /64.

   On the Linux machine, we received:

      nnnn:abcd:123::3fed:2e56
      nnnn:abcd:123::90bf:fb81
      nnnn:abcd:123::5d40:cb6e
      nnnn:abcd:123::bc8:512a
      nnnn:abcd:123::d93b:164c
      nnnn:abcd:123::f4fd:4c9c
      nnnn:abcd:123::91dc:f23
      nnnn:abcd:123::4c5d:6ac8
      nnnn:abcd:123::6170:ec48
      nnnn:abcd:123::bfd9:b68a

   Again, they told us that the gateway is nnnn:abcd:123::1.  The subnet
   is a /64.

   Clearly both sets of addresses were in the same IPv6 subnet, thus
   "neighbors" in a link-local sense.  The hosting company's policy for
   global unicast address allocation appears to be random.  At least,
   the allocations were not via an algorithm that was readily apparent
   to us.

   Clearly, also, these machines were virtual servers.  That is, not
   real physical nodes.

   We feel that this situation illustrates a scenario causing a number
   of problems that are likely to happen when IPv6 addresses start being
   allocated at end user enterprise sites.

3.1  Ping to FF02::1

   When we did a Ping to FF02::1 (multicast all nodes), we were able to
   impact an entirely separate virtual server.  By the way, we also
   impacted all the other clients of that hosting company.  (We only did
   this once or twice for proof of concept!)
3.2  Our Test

   The command we issued was:

      Ping FF02::1 -n 10

   The result was:

      Pinging ff02::1 with 32 bytes of data:
      Reply from ff02::1: time=6ms
      Reply from ff02::1: time=2ms
      Reply from ff02::1: time=3ms
      Reply from ff02::1: time=2ms
      Reply from ff02::1: time=4ms
      Reply from ff02::1: time=3ms
      Reply from ff02::1: time=2ms
      Reply from ff02::1: time=2ms
      Reply from ff02::1: time=2ms
      Reply from ff02::1: time=2ms

      Ping statistics for ff02::1:
          Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 2ms, Maximum = 6ms, Average = 2ms

   We took a Wireshark packet trace at the same time.  It showed that
   Echo Requests and Echo Replies were indeed exchanged, and that
   Neighbor Discovery packets were sent as well.  In fact, this is what
   we see:

      ICMP Type   Packet                         Number
      ------------------------------------------------
      128         Echo Request                       10
      129         Echo Reply                      2,840
      135         Neighbor Solicitation             578
      136         Neighbor Advertisement            568

   In a second test, when we sent 4 packets for the Ping request, we
   see:

      ICMP Type   Packet                         Number
      ------------------------------------------------
      128         Echo Request                        4
      129         Echo Reply                      1,140
      135         Neighbor Solicitation             574
      136         Neighbor Advertisement            570
      143         V2 Multicast Listener Report        4

   What was happening is that the Echo Replies were coming from all our
   neighbors.

   To confirm what we were seeing, we interrogated the neighbor cache
   before and after the commands.  The neighbor cache had 4 unicast
   addresses before the Ping.  After the Ping, the neighbor cache had
   grown to 127 unicast addresses.  This confirms what we see in the
   packet trace.  See Appendix 1 for the neighbor cache listings.

   So, it is clear that one virtual node on an IPv6 subnet can impact
   others.  Potentially, all nodes on a subnet can be impacted.
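   The two symptoms described in this section, a handful of Echo
   Requests to ff02::1 answered by hundreds of Echo Replies from distinct
   neighbors, and a neighbor cache that balloons afterwards, can be
   flagged automatically from a per-packet trace summary and two netsh
   snapshots.  The Python below is an added example, not part of the
   draft; the trace, the netsh text and the 2001:db8 addresses in it are
   constructed placeholders, and the 10:1 reply-to-request threshold is
   an assumed tuning value.

```python
# Added example, not part of the draft: flag the two symptoms of the ff02::1
# Echo experiment from a defender's vantage point (many distinct neighbors
# answering a few multicast Echo Requests; a neighbor cache that balloons).
# All input below is constructed; none of the values come from the draft.
import re

ECHO_REQUEST, ECHO_REPLY = 128, 129   # ICMPv6 Echo message types

def echo_amplification(packets, min_ratio=10):
    """Return (requests, replies, distinct_responders, flagged). Only Echo
    Requests sent to a multicast group (ff00::/8) count as requests; the
    pattern is flagged when replies outnumber them min_ratio to 1."""
    requests = sum(1 for t, _, dst in packets
                   if t == ECHO_REQUEST and dst.lower().startswith("ff"))
    reply_srcs = [src for t, src, _ in packets if t == ECHO_REPLY]
    ratio = len(reply_srcs) / requests if requests else 0.0
    return requests, len(reply_srcs), len(set(reply_srcs)), ratio >= min_ratio

# One `netsh int ipv6 show nei` row: address, MAC (xx-xx-xx-xx-xx-xx), state.
NEIGHBOR_ROW = re.compile(
    r"^\s*([0-9a-f:]+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\S+)", re.I)

def unicast_neighbors(netsh_output):
    """Unicast addresses in a netsh neighbor table. ff00::/8 rows are the
    node's own multicast group entries, not neighbors, and are skipped."""
    found = set()
    for line in netsh_output.splitlines():
        m = NEIGHBOR_ROW.match(line)
        if m and not m.group(1).lower().startswith("ff"):
            found.add(m.group(1).lower())
    return found

def cache_growth(before, after):
    """Return (count_before, count_after, newly_learned_addresses)."""
    b, a = unicast_neighbors(before), unicast_neighbors(after)
    return len(b), len(a), sorted(a - b)

# Constructed trace: 2 Echo Requests to all-nodes, each answered by 40 hosts.
SAMPLE_TRACE = [(ECHO_REQUEST, "fe80::1", "ff02::1")] * 2 + [
    (ECHO_REPLY, f"fe80::216:3eff:fe00:{i:x}", "fe80::1")
    for _ in range(2) for i in range(40)]

# Constructed netsh snapshots in the column layout of the draft's appendix
# (2001:db8::/32 is the documentation prefix, standing in for the real one).
BEFORE = """Internet Address               Physical Address   Type
-----------------------------  -----------------  -----------
2001:db8:123::1                00-1b-21-d4-45-ea  Stale (Router)
fe80::216:3eff:fe00:1          00-16-3e-00-00-01  Stale
ff02::1:2                      33-33-00-01-00-02  Permanent
"""
AFTER = BEFORE + "".join(
    f"fe80::216:3eff:fe00:{i:x}          00-16-3e-00-00-{i:02x}  Stale\n"
    for i in range(2, 6)) + "ff02::1      33-33-00-00-00-01  Permanent\n"
```

   Run against the draft's own figures (10 requests, 2,840 replies, a
   cache growing from 4 to 127 entries) both checks would trip; the same
   functions applied to a unicast ping produce no flag.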
3.3  Other packets generated to multicast addresses

   Clearly other packets can be generated to do Denial of Service
   attacks on virtual (and real) nodes, including MLD.  But, we consider
   this out of scope for this document.

4  Recommendations

4.1  Best Practices for Subnet Configuration / Address Allocation

   Guidance for how to allocate addresses and create subnets for Virtual
   Machines should be provided.

4.2  Should nodes respond to Ping to FF0x::1

   This question needs to be discussed.  Is there a need for this
   functionality?  Or should it be deprecated?

5  IANA Considerations

   There are no IANA considerations.

6  Security Considerations

   There are no security considerations.

7  References

7.1  Normative References

   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
              "Neighbor Discovery for IP Version 6 (IPv6)", RFC 4861,
              September 2007.

   [RFC6583]  Gashinsky, I., Jaeggli, J., and W. Kumari, "Operational
              Neighbor Discovery Problems", RFC 6583, March 2012.

   [RFC2460]  Deering, S. and R. Hinden, "Internet Protocol, Version 6
              (IPv6) Specification", RFC 2460, December 1998.

7.2  Informative References

8  Acknowledgments

   The authors would like to thank Rob Hamilton for his comments.

Authors' Addresses

   Nalini Elkins
   Inside Products, Inc.
   36A Upper Circle
   Carmel Valley, CA 93924
   United States

   Phone: +1 831 659 8360
   Email: nalini.elkins@insidethestack.com
   http://www.insidethestack.com

   Michael S. Ackermann
   Blue Cross Blue Shield of Michigan
   P.O. Box 2888
   Detroit, Michigan 48231
   United States

   Phone: +1 310 460 4080
   Email: mackermann@bcbsmi.com
   http://www.bcbsmi.com

Appendix 1

Neighbor Cache Before Ping

   C:\Users\Administrator>netsh int ipv6 show nei int=11

   Interface 11: Local Area Connection

   Internet Address               Physical Address   Type
   -----------------------------  -----------------  --------------
   nnnn:abcd:123::1               00-1b-21-d4-45-ea  Stale (Router)
   fe80::88e8:228f:f0de:d028      00-00-00-00-00-00  Unreachable
   fe80::a089:f460:ad2b:6723      00-16-3e-c6-d4-df  Stale
   fe80::b479:2679:b663:4470      00-16-3e-84-1b-1d  Stale
   fe80::cc18:c232:74cb:d08c      00-00-00-00-00-00  Unreachable
   ff02::1:2                      33-33-00-01-00-02  Permanent
   ff02::1:3                      33-33-00-01-00-03  Permanent

Neighbor Cache After Ping

   C:\Users\Administrator>netsh int ipv6 show nei int=11

   Interface 11: Local Area Connection

   Internet Address               Physical Address   Type
   -----------------------------  -----------------  --------------
   nnnn:abcd:123::1               00-1b-21-d4-45-ea  Stale (Router)
   fe80::216:3eff:fe03:498        00-16-3e-03-04-98  Stale
   fe80::216:3eff:fe03:dc6c       00-16-3e-03-dc-6c  Stale
   fe80::216:3eff:fe05:3f71       00-16-3e-05-3f-71  Stale
   fe80::216:3eff:fe05:f2af       00-16-3e-05-f2-af  Stale
   fe80::216:3eff:fe07:c08a       00-16-3e-07-c0-8a  Stale
   fe80::216:3eff:fe0c:f25        00-16-3e-0c-0f-25  Stale
   fe80::216:3eff:fe0d:3143       00-16-3e-0d-31-43  Stale
   fe80::216:3eff:fe0d:db6e       00-16-3e-0d-db-6e  Stale
   fe80::216:3eff:fe15:2029       00-16-3e-15-20-29  Stale
   fe80::216:3eff:fe16:3fe4       00-16-3e-16-3f-e4  Stale
   fe80::216:3eff:fe17:c9b7       00-16-3e-17-c9-b7  Stale
   fe80::216:3eff:fe17:ea46       00-16-3e-17-ea-46  Stale
   fe80::216:3eff:fe18:ceac       00-16-3e-18-ce-ac  Stale
   fe80::216:3eff:fe18:d6f5       00-16-3e-18-d6-f5  Stale
   fe80::216:3eff:fe1b:7297       00-16-3e-1b-72-97  Stale
   fe80::216:3eff:fe21:3a58       00-16-3e-21-3a-58  Stale
   fe80::216:3eff:fe2b:9fb0       00-16-3e-2b-9f-b0  Stale
   fe80::216:3eff:fe2c:1451       00-16-3e-2c-14-51  Stale
   fe80::216:3eff:fe2e:8ed7       00-16-3e-2e-8e-d7  Stale
   fe80::216:3eff:fe30:469c       00-16-3e-30-46-9c  Stale
   fe80::216:3eff:fe31:8972       00-16-3e-31-89-72  Stale
   fe80::216:3eff:fe34:689        00-16-3e-34-06-89  Stale
   fe80::216:3eff:fe34:6259       00-16-3e-34-62-59  Stale
   fe80::216:3eff:fe34:c4c1       00-16-3e-34-c4-c1  Stale
   fe80::216:3eff:fe37:3e86       00-16-3e-37-3e-86  Stale
   fe80::216:3eff:fe38:20b2       00-16-3e-38-20-b2  Stale
   fe80::216:3eff:fe38:4db4       00-16-3e-38-4d-b4  Stale
   fe80::216:3eff:fe38:9676       00-16-3e-38-96-76  Stale
   fe80::216:3eff:fe3a:475b       00-16-3e-3a-47-5b  Stale (Router)
   fe80::216:3eff:fe3a:8258       00-16-3e-3a-82-58  Stale
   fe80::216:3eff:fe3a:d904       00-16-3e-3a-d9-04  Stale
   fe80::216:3eff:fe41:c9d2       00-16-3e-41-c9-d2  Stale
   fe80::216:3eff:fe46:c18e       00-16-3e-46-c1-8e  Stale
   fe80::216:3eff:fe47:a56d       00-16-3e-48-d9-07  Stale
   fe80::216:3eff:fe4b:40f        00-16-3e-4b-04-0f  Stale
   fe80::216:3eff:fe4e:2b15       00-16-3e-4e-2b-15  Stale
   fe80::216:3eff:fe4e:3023       00-16-3e-4e-30-23  Stale
   fe80::216:3eff:fe51:f64f       00-16-3e-51-f6-4f  Stale
   fe80::216:3eff:fe53:5ae        00-16-3e-53-05-ae  Stale
   fe80::216:3eff:fe5a:12d1       00-16-3e-5a-12-d1  Stale
   fe80::216:3eff:fe60:ed08       00-16-3e-60-ed-08  Stale
   fe80::216:3eff:fe61:6d64       00-16-3e-61-6d-64  Stale
   fe80::216:3eff:fe64:6cb2       00-16-3e-64-6c-b2  Stale
   fe80::216:3eff:fe67:7fa3       00-16-3e-67-7f-a3  Stale
   fe80::216:3eff:fe6f:a61b       00-16-3e-6f-a6-1b  Stale
   fe80::216:3eff:fe70:2513       00-16-3e-70-25-13  Stale
   fe80::216:3eff:fe71:5c07       00-16-3e-71-5c-07  Stale
   fe80::216:3eff:fe72:21ed       00-16-3e-72-21-ed  Stale
   fe80::216:3eff:fe7e:5f13       00-16-3e-7e-5f-13  Stale
   fe80::216:3eff:fe7e:ea7a       00-16-3e-7e-ea-7a  Stale
   fe80::216:3eff:fe80:43cf       00-16-3e-80-43-cf  Stale
   fe80::216:3eff:fe81:18e2       00-16-3e-81-18-e2  Stale
   fe80::216:3eff:fe81:9024       00-16-3e-81-90-24  Stale
   fe80::216:3eff:fe82:abe        00-16-3e-82-0a-be  Stale
   fe80::216:3eff:fe82:a76d       00-16-3e-82-a7-6d  Stale
   fe80::216:3eff:fe85:db2b       00-16-3e-85-db-2b  Stale
   fe80::216:3eff:fe8a:26c        00-16-3e-8a-02-6c  Stale
   fe80::216:3eff:fe8c:ab98       00-16-3e-8c-ab-98  Stale
   fe80::216:3eff:fe8e:49e6       00-16-3e-8e-49-e6  Stale
   fe80::216:3eff:fe90:5b1        00-16-3e-90-05-b1  Stale
   fe80::216:3eff:fe94:68ab       00-16-3e-94-68-ab  Stale
   fe80::216:3eff:fe95:2bd8       00-16-3e-95-2b-d8  Stale
   fe80::216:3eff:fe95:e1dc       00-16-3e-95-e1-dc  Stale
   fe80::216:3eff:fe97:2b92       00-16-3e-97-2b-92  Stale
   fe80::216:3eff:fe97:601f       00-16-3e-97-60-1f  Stale
   fe80::216:3eff:fe98:afe2       00-16-3e-98-af-e2  Stale
   fe80::216:3eff:fe9c:bcf3       00-16-3e-9c-bc-f3  Stale
   fe80::216:3eff:fe9f:28ef       00-16-3e-9f-28-ef  Stale
   fe80::216:3eff:fea0:40e4       00-16-3e-a0-40-e4  Stale
   fe80::216:3eff:fea4:cbf1       00-16-3e-a4-cb-f1  Stale
   fe80::216:3eff:fea4:ed6b       00-16-3e-a4-ed-6b  Stale
   fe80::216:3eff:fea5:d79f       00-16-3e-a5-d7-9f  Stale
   fe80::216:3eff:fea6:81f7       00-16-3e-a6-81-f7  Stale
   fe80::216:3eff:fea7:8c7c       00-16-3e-a7-8c-7c  Stale
   fe80::216:3eff:fea7:a574       00-16-3e-a7-a5-74  Stale
   fe80::216:3eff:feac:de47       00-16-3e-ac-de-47  Stale
   fe80::216:3eff:feaf:8a0a       00-16-3e-af-8a-0a  Stale
   fe80::216:3eff:feb2:94e9       00-16-3e-b2-94-e9  Stale
   fe80::216:3eff:feb2:9636       00-16-3e-b2-96-36  Stale
   fe80::216:3eff:feb3:3fbf       00-16-3e-b3-3f-bf  Stale
   fe80::216:3eff:feb5:83e4       00-16-3e-b5-83-e4  Stale
   fe80::216:3eff:feb8:39d1       00-16-3e-b8-39-d1  Stale
   fe80::216:3eff:feba:897b       00-16-3e-ba-89-7b  Stale
   fe80::216:3eff:febc:37e1       00-16-3e-bc-37-e1  Stale
   fe80::216:3eff:febd:1a89       00-16-3e-bd-1a-89  Stale
   fe80::216:3eff:febd:2c86       00-16-3e-bd-2c-86  Stale
   fe80::216:3eff:febe:65b1       00-16-3e-be-65-b1  Stale
   fe80::216:3eff:febe:d7d8       00-16-3e-be-d7-d8  Stale
   fe80::216:3eff:fec0:bcad       00-16-3e-c0-bc-ad  Stale
   fe80::216:3eff:fec2:530        00-16-3e-c2-05-30  Stale
   fe80::216:3eff:fec2:79c3       00-16-3e-c2-79-c3  Stale
   fe80::216:3eff:fec3:5c89       00-16-3e-c3-5c-89  Stale
   fe80::216:3eff:fec5:4d6c       00-16-3e-c5-4d-6c  Stale
   fe80::216:3eff:fec5:69d0       00-16-3e-c5-69-d0  Stale
   fe80::216:3eff:fec7:31f8       00-16-3e-c7-31-f8  Stale
   fe80::216:3eff:fec8:6138       00-16-3e-c8-61-38  Stale
   fe80::216:3eff:fec8:b7ec       00-16-3e-c8-b7-ec  Stale
   fe80::216:3eff:feca:a1c6       00-16-3e-ca-a1-c6  Stale
   fe80::216:3eff:fed1:2a2a       00-16-3e-d1-2a-2a  Stale
   fe80::216:3eff:fed1:d33c       00-16-3e-d1-d3-3c  Stale
   fe80::216:3eff:fed2:802c       00-16-3e-d2-80-2c  Stale
   fe80::216:3eff:fed2:f770       00-16-3e-d2-f7-70  Stale
   fe80::216:3eff:fed6:211a       00-16-3e-d6-21-1a  Stale
   fe80::216:3eff:fed9:850        00-16-3e-d9-08-50  Stale
   fe80::216:3eff:fedb:5ec        00-16-3e-db-05-ec  Stale
   fe80::216:3eff:fedc:799f       00-16-3e-dc-79-9f  Stale
   fe80::216:3eff:fee4:40ed       00-16-3e-e4-40-ed  Stale
   fe80::216:3eff:fee6:4869       00-16-3e-e6-48-69  Stale
   fe80::216:3eff:fee9:53d5       00-16-3e-e9-53-d5  Stale
   fe80::216:3eff:feeb:de71       00-16-3e-eb-de-71  Stale
   fe80::216:3eff:fef2:273b       00-16-3e-f2-27-3b  Stale
   fe80::216:3eff:fef2:96c5       00-16-3e-f2-96-c5  Stale
   fe80::216:3eff:fef3:c0ac       00-16-3e-f3-c0-ac  Stale
   fe80::216:3eff:fef5:c548       00-16-3e-f5-c5-48  Stale
   fe80::216:3eff:fef6:d428       00-16-3e-f6-d4-28  Stale
   fe80::216:3eff:fef7:ec4e       00-16-3e-f7-ec-4e  Stale
   fe80::216:3eff:fef8:9be1       00-16-3e-f8-9b-e1  Stale
   fe80::216:3eff:fef9:46a4       00-16-3e-f9-46-a4  Stale
   fe80::216:3eff:fefa:c342       00-16-3e-fa-c3-42  Stale
   fe80::216:3eff:fefc:8f91       00-16-3e-fc-8f-91  Stale
   fe80::32ff:b90c:73b1:34a7      00-16-3e-e1-2f-5e  Stale
   fe80::5246:5dff:fee0:31b4      50-46-5d-e0-31-b4  Stale
   fe80::a089:f460:ad2b:6723      00-16-3e-c6-d4-df  Stale
   fe80::a5ff:73b8:3bc8:4c4       00-00-00-00-00-00  Unreachable
   fe80::b479:2679:b663:4470      00-16-3e-84-1b-1d  Stale
   fe80::cc18:c232:74cb:d08c      00-00-00-00-00-00  Unreachable
   ff02::1                        33-33-00-00-00-01  Permanent
   ff02::1:2                      33-33-00-01-00-02  Permanent
   ff02::1:3                      33-33-00-01-00-03  Permanent
   ff02::1:ffab:742e              33-33-ff-ab-74-2e  Permanent
   ff02::1:ffba:10eb              33-33-ff-ba-10-eb  Permanent