This memo recommends filtering configurations for firewalls designed
to minimize the security vulnerabilities that can arise in using the
many different sub-protocols of ICMPv6 in support of IPv6
communication.
A major concern is that it is generally not possible to use IPsec or
other means to authenticate the sender and validate the contents of
many ICMPv6 messages. To a large extent, this is because a site can
legitimately expect to receive certain error and other messages from
almost any location in the wider Internet, and these messages may
occur as a result of the first message sent to a destination.
Establishing security associations with all possible sources of
ICMPv6 messages is therefore impossible.
The inability to establish security associations to protect some
messages that are needed to establish and maintain communications
means that alternative means have to be used to reduce the
vulnerability of sites to ICMPv6-based attacks. The most common way
of doing this is to establish strict filtering policies in site
firewalls to limit the unauthenticated ICMPv6 messages that can pass
between the site and the wider Internet. This makes control of
ICMPv6 filtering a delicate balance between protecting the site by
dropping some of the ICMPv6 traffic passing through the firewall and
allowing enough of the traffic through to make sure that efficient
communication can be established.
SEND [RFC3971] has been specified as a means to improve the security
of local ICMPv6 communications. SEND sidesteps the security
association bootstrapping problems that would result if IPsec were
used. SEND affects only link-local messages and does not limit the
filtering that firewalls can apply, so its role in security is not
discussed further in this document.
Firewalls will normally be used to monitor ICMPv6 to control the
following security concerns:
3.1. Denial-of-Service Attacks
ICMPv6 can be used to cause a denial of service (DoS) in a number of
ways, including simply sending excessive numbers of ICMPv6 packets to
destinations in the site and sending error messages that disrupt
established communications by causing sessions to be dropped. Also,
if spurious communication establishment or maintenance messages can
be infiltrated onto a link, it might be possible to invalidate
legitimate addresses or disable interfaces.
3.2. Probing
A major security consideration is preventing attackers from probing
the site to determine its topology and identify hosts that might be
vulnerable to attack. Carefully crafted, and often deliberately
malformed, messages can be used to provoke ICMPv6 responses from
hosts, thereby informing attackers of potential targets for future
attacks.
However, the very large address space of IPv6 makes probing a less
effective weapon as compared with IPv4 provided that addresses are
not allocated in an easily guessable fashion. This subject is
explored in more depth in [SCAN-IMP].
3.3. Redirection Attacks
A redirection attack could be used by a malicious sender to perform
man-in-the-middle attacks or divert packets either to a malicious
monitor or to cause DoS by blackholing the packets. These attacks
would normally have to be carried out locally on a link using the
Redirect message. Administrators need to decide if the improvement
in efficiency from using Redirect messages is worth the risk of
malicious use. Factors to consider include the physical security of
the link and the complexity of addressing on the link. For example,
on an open wireless link, redirection would be a serious hazard due
to the lack of physical security. On the other hand, with a wired
link in a secure building with complex addressing and redundant
routers, the efficiency gains might well outweigh the small risk of a
rogue node being connected.
3.4. Renumbering Attacks
Spurious Renumbering messages can lead to the disruption of a site.
Although Renumbering messages are required to be authenticated with
IPsec, which makes such attacks difficult to carry out in practice,
they should still not be allowed through a site boundary firewall. On the
other hand, a site may employ multiple "layers" of firewalls. In
this case, Renumbering messages might be expected to be allowed to
transit interior firewalls but not pass across the outer boundary.
3.5. Problems Resulting from ICMPv6 Transparency
Because some ICMPv6 error packets need to be passed through a
firewall in both directions, malicious users can potentially use
these messages to communicate between inside and outside, bypassing
administrative inspection. For example, it might be possible to
carry out a covert conversation through the payload of ICMPv6 error
messages or tunnel inappropriate encapsulated IP packets in ICMPv6
error messages. This problem can be alleviated by filtering ICMPv6
errors using a deep packet inspection mechanism that examines the
offending packet carried in the error's payload (the original IPv6
header and the leading bytes of its transport header) and passes the
error only if that packet belongs to legitimate traffic to or from
the protected network.
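The following Python model is an added example, not part of this memo
or of any firewall product. It ties together the boundary policy of
the preceding sections: link-local messages (Redirect and the rest of
Neighbor Discovery) and Router Renumbering are dropped at the site
boundary (Sections 3.3 and 3.4), unlisted types are dropped by default
(the strict policy of the introduction), and the four ICMPv6 error
types are passed only when the packet embedded in the error matches a
flow the firewall already knows about (Section 3.5). Assumptions,
labelled in the code: packets carry no IPv6 extension headers, the
ICMPv6 checksum is not verified, echo is permitted as a matter of site
policy, the flow table is a set of 5-tuples for sessions that inside
hosts initiated, and all addresses and the sample packets are
constructed for the example.

```python
"""Model of a site-boundary ICMPv6 filter (added example, not from the memo)."""
import struct
from ipaddress import IPv6Address

# Well-known ICMPv6 type numbers (IANA assignments).
DEST_UNREACHABLE, PACKET_TOO_BIG, TIME_EXCEEDED, PARAMETER_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129
ROUTER_SOLICIT, ROUTER_ADVERT = 133, 134
NEIGHBOR_SOLICIT, NEIGHBOR_ADVERT, REDIRECT = 135, 136, 137
ROUTER_RENUMBERING = 138
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMPV6 = 6, 17, 58

ERROR_TYPES = {DEST_UNREACHABLE, PACKET_TOO_BIG, TIME_EXCEEDED, PARAMETER_PROBLEM}
# Link-local-only messages plus Router Renumbering: never cross the site boundary.
BOUNDARY_DROP_TYPES = {ROUTER_SOLICIT, ROUTER_ADVERT, NEIGHBOR_SOLICIT,
                       NEIGHBOR_ADVERT, REDIRECT, ROUTER_RENUMBERING}


def parse_ipv6(buf):
    """Return (next_header, hop_limit, src, dst, payload). Assumption: no extension headers."""
    if len(buf) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", buf[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    return nh, hlim, IPv6Address(buf[8:24]), IPv6Address(buf[24:40]), buf[40:40 + plen]


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def build_icmpv6(icmp_type, code, body):
    # Checksum left as zero: this model does not verify ICMPv6 checksums (assumption).
    return struct.pack("!BBH", icmp_type, code, 0) + body


def embedded_flow(icmp_body):
    """Recover the 5-tuple of the packet that triggered an error message.
    Error body = 4 bytes (unused / MTU / pointer) + the leading bytes of that packet."""
    nh, _, src, dst, payload = parse_ipv6(icmp_body[4:])
    if nh in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
    else:
        sport = dport = None
    return src, dst, nh, sport, dport


def filter_icmpv6(packet, direction, flows):
    """direction is 'in' (Internet -> site) or 'out' (site -> Internet).
    flows holds (local_addr, remote_addr, proto, local_port, remote_port) tuples."""
    nh, _, _, _, payload = parse_ipv6(packet)
    if nh != IPPROTO_ICMPV6:
        raise ValueError("not an ICMPv6 packet")
    icmp_type = payload[0]
    body = payload[4:]
    if icmp_type in BOUNDARY_DROP_TYPES:
        return "drop"              # NDP and Router Renumbering stay inside (3.3, 3.4)
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        return "allow"             # assumption: site policy permits echo
    if icmp_type in ERROR_TYPES:   # transparency check of 3.5
        try:
            isrc, idst, iproto, isport, idport = embedded_flow(body)
        except ValueError:
            return "drop"          # no parseable offending packet inside the error
        # An inbound error reports on a packet an inside host sent, so the embedded
        # packet's source is local; an outbound error reports on a packet sent to us.
        key = ((isrc, idst, iproto, isport, idport) if direction == "in"
               else (idst, isrc, iproto, idport, isport))
        return "allow" if key in flows else "drop"
    return "drop"                  # default deny for every type not listed above


# Constructed sample data: an inside host with one TCP session to a remote server.
LOCAL, REMOTE, ROUTER = "2001:db8:1::10", "2001:db8:9::5", "2001:db8:ffff::1"
FLOWS = {(IPv6Address(LOCAL), IPv6Address(REMOTE), IPPROTO_TCP, 51000, 443)}


def sample_error(inner_src, inner_dst, sport, dport, icmp_type=PACKET_TOO_BIG, outer_src=ROUTER):
    """Constructed error message embedding a TCP/IPv6 packet (inner_src -> inner_dst)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x10, 1024, 0, 0)
    original = build_ipv6(inner_src, inner_dst, IPPROTO_TCP, tcp)
    body = struct.pack("!I", 1280) + original      # MTU field for Packet Too Big
    return build_ipv6(outer_src, inner_src, IPPROTO_ICMPV6, build_icmpv6(icmp_type, 0, body))


def demo():
    legit = sample_error(LOCAL, REMOTE, 51000, 443)               # about our real session
    covert = sample_error(LOCAL, REMOTE, 40000, 9999)             # embedded flow we never sent
    redirect = build_ipv6(ROUTER, LOCAL, IPPROTO_ICMPV6, build_icmpv6(REDIRECT, 0, b"\0" * 36))
    outbound = sample_error(REMOTE, LOCAL, 443, 51000, outer_src=LOCAL)
    return {"legit": filter_icmpv6(legit, "in", FLOWS),
            "covert": filter_icmpv6(covert, "in", FLOWS),
            "redirect": filter_icmpv6(redirect, "in", FLOWS),
            "outbound": filter_icmpv6(outbound, "out", FLOWS)}


if __name__ == "__main__":
    print(demo())
```

The flow table stands in for the firewall's connection state; a real
implementation would also rate-limit the permitted error and echo
types to address the DoS concern of Section 3.1 and would verify the
ICMPv6 checksum before trusting the embedded packet.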