Session Hijack in Neighbor Discovery
Cisco Systems
Santa Barbara, California 93117
USA
fred@cisco.com

Internet Area
IPv6 Maintenance Working Group

This memo points out a security issue in IPv6 Neighbor Discovery.

This memo, which augments , points out a security issue in IPv6
Neighbor Discovery and Secure Neighbor Discovery: an address whose use a
host has lost can be re-acquired, in full conformance with the protocol,
by another host on the same link, and the sessions bound to that address
follow it to the new host.

The attack is as follows. Imagine a LAN (wired or wireless, switched
or direct) like or .

Host 1 properly allocates an address by whatever means, including
manual configuration, DHCPv6, SeND, or ND, and uses the address to open
a session with Host 2. The fact that it has allocated the address is
observed by Host 3, perhaps by receipt of a Neighbor Solicitation during
Duplicate Address Detection.

Host 1 now experiences a link-down event, losing the use of the
address. This might be because the switch rebooted, Host 1's
connectivity to the LAN was temporarily lost, or because Host 1 itself
failed.

Host 3 now issues a Neighbor Solicitation for Host 1's address, as it
would during Duplicate Address Detection. Because Host 1 has lost its
memory of the address or is unavailable at the time the solicitation
goes out, no Neighbor Advertisement comes back, and Host 3 has
therefore, by the rules of the protocol, correctly allocated the address
to itself.

In this case, it would appear that the session between Host 1 and
Host 2 is transferred, so that it is now between Host 2 and Host 3:
Host 2's Neighbor Cache entry for the address is rewritten to Host 3's
link-layer address as soon as Host 3 sends it a Neighbor Solicitation or
Neighbor Advertisement carrying that address, and the packets of the
session go to Host 3 from then on.

First, one should note that in a cloud computing environment this may
be an intended behavior. If it is unintended, it constitutes an
attack.

There are a number of possible mitigations:

o  Obviously, if the hosts have any form of session security,
including IPsec AH, IPsec ESP, TLS, etc., the applications will be
prevented from communicating, since Host 3 holds none of the session
keys. Host 3 will still, however, be aware that the sessions existed.

o  Neighbor Discovery could be augmented to prevent movement of the
IPv6 address from one MAC address to another without an
application-obvious hiccup.

o  If a SAVI switch is in use, the SAVI behavior could similarly be
extended to prevent the movement of the address from Host 1 to Host
3 without an application-obvious hiccup.

This memo asks the IANA for no new parameters.

Note to RFC Editor: This section will have served its purpose if it
correctly tells IANA that no new assignments or registries are required,
or if those assignments or registries are created during the RFC
publication process. From the author's perspective, it may therefore be
removed upon publication as an RFC at the RFC Editor's discretion.

This note augments , and constitutes a security consideration.

The observation came out of a discussion regarding threats in a SAVI
environment, among the author, Jun Bi, Guang Yao, and Eric
Levy-Abegnoli.
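The attack sequence described above, together with the SAVI-based mitigation, as an added example that is not part of this memo: a small Python model of Neighbor Discovery on one link, written for this page. The three hosts, their addresses, their MAC addresses and the integer tick clock are constructed. Duplicate Address Detection and Neighbor Cache updates follow RFC 4861 in simplified form. The hold-down under which the switch answers a DAD solicitation on the silent host's behalf, and drops solicitations whose source address is not bound to the sending MAC, is an assumed way of extending SAVI chosen to illustrate the memo's suggestion; it is not behavior that RFC 6620 or any other SAVI specification requires. Session security (IPsec, TLS) is not modelled.

```python
"""Toy model of IPv6 Neighbor Discovery on one LAN, replaying the memo's
scenario and a SAVI-style binding hold-down.  Constructed example: addresses,
MACs and the tick clock are made up; the hold-down is an assumed SAVI
extension, not the behaviour specified in RFC 6620."""
from dataclasses import dataclass

UNSPEC = "::"   # unspecified source address used by Duplicate Address Detection

@dataclass
class NS:               # Neighbor Solicitation; src_ip is "::" for a DAD probe
    src_ip: str
    src_mac: str        # Source Link-Layer Address option
    target: str         # address being tested (DAD) or resolved

@dataclass
class NA:               # Neighbor Advertisement with Target Link-Layer Address
    target: str
    tlla: str

class Host:
    def __init__(self, mac):
        self.mac, self.addr, self.up = mac, None, True
        self.cache = {}         # Neighbor Cache: IPv6 address -> MAC
        self.seen_dad = set()   # addresses whose DAD probes this host observed

    def receive(self, msg):
        """Simplified RFC 4861 receive rules; returns a reply NA or None."""
        if not self.up:
            return None
        if isinstance(msg, NA):
            self.cache[msg.target] = msg.tlla
            return None
        if msg.src_ip == UNSPEC:        # DAD probe: never updates the cache
            self.seen_dad.add(msg.target)
        else:                           # 7.2.3: a different MAC overwrites the entry
            self.cache[msg.src_ip] = msg.src_mac
        return NA(self.addr, self.mac) if msg.target == self.addr else None

    def dad(self, link, addr):
        """Claim addr; succeeds unless somebody answers the DAD solicitation."""
        if link.send(self, NS(UNSPEC, self.mac, addr)):
            return False
        self.addr = addr
        return True

    def resolve(self, link, dst_ip):
        """Address resolution for dst_ip; returns the MAC now in the cache."""
        if dst_ip not in self.cache:
            link.send(self, NS(self.addr, self.mac, dst_ip))
        return self.cache.get(dst_ip)

class Link:
    """Shared segment.  With savi_holddown > 0 the switch keeps first-come
    first-served bindings and defends them until they expire (assumed)."""
    def __init__(self, hosts, savi_holddown=0):
        self.hosts, self.holddown, self.now = hosts, savi_holddown, 0
        self.bindings = {}      # address -> (mac, expiry tick)

    def _savi(self, mac, ns):
        """Returns an NA the switch answers with, 'drop', or 'forward'."""
        addr = ns.target if ns.src_ip == UNSPEC else ns.src_ip
        bound = self.bindings.get(addr)
        if ns.src_ip == UNSPEC:
            if bound and bound[0] != mac and bound[1] > self.now:
                return NA(addr, bound[0])   # defend the address for its owner
        elif bound is None or bound[0] != mac:
            return "drop"                   # source address not bound to sender
        self.bindings[addr] = (mac, self.now + self.holddown)  # create/refresh
        return "forward"

    def send(self, sender, ns):
        """Deliver an NS to every other host; returns the replies the sender saw."""
        if self.holddown:
            verdict = self._savi(sender.mac, ns)
            if verdict == "drop":
                return []
            if isinstance(verdict, NA):
                sender.receive(verdict)
                return [verdict]
        replies = [r for h in self.hosts if h is not sender and (r := h.receive(ns))]
        for r in replies:
            sender.receive(r)
        return replies

def run_scenario(savi_holddown=0, wait_ticks=1):
    """Replay the attack; returns (Host 3 claimed?, MAC Host 2 uses for Host 1's address)."""
    h1, h2, h3 = (Host(f"02:00:00:00:00:0{i}") for i in (1, 2, 3))
    link = Link([h1, h2, h3], savi_holddown)
    a1, a2 = "2001:db8::1", "2001:db8::2"           # constructed addresses
    assert h2.dad(link, a2) and h1.dad(link, a1) and a1 in h3.seen_dad
    # Host 1 opens a session with Host 2; each cache now holds the other's MAC.
    assert h1.resolve(link, a2) == h2.mac and h2.resolve(link, a1) == h1.mac
    h1.up = False                 # link-down event: Host 1 goes silent
    link.now += wait_ticks
    claimed = h3.dad(link, a1)    # nobody answers unless the switch defends a1
    if claimed:
        h3.resolve(link, a2)      # Host 3's NS rewrites Host 2's entry for a1
    return claimed, h2.resolve(link, a1)
```

run_scenario() returns (True, Host 3's MAC): Host 3's DAD goes unanswered, it takes the address, and its first solicitation to Host 2 overwrites the Neighbor Cache entry that the session depends on, exactly the silent transfer the memo describes. With run_scenario(savi_holddown=10) the switch answers the DAD probe on Host 1's behalf, Host 3's DAD fails, and the entry stays on Host 1's MAC. Once the hold-down lapses (wait_ticks=11) the address can be claimed again; that expiry is the point at which the memo wants the move to produce an application-visible hiccup rather than happen silently, which this model does not attempt to design.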