Operational Security Capabilities for IP Network Infrastructure (opsec) Tec nolo!

ies Internet"#raft %&' &(%& Inten)e) status* +,pires* -une %.' &(%/

F. Gont Huawei #ece$ber Infor$ational

Virtual Private Network (VPN) traffic leakages in dual-stack hosts/networks draft-ietf-opsec-vpn-leakages-00 Abstract T e subtle way in w ic t e IP01 an) IP02 protocols co"e,ist in typical networks' to!et er wit t e lack of proper IP01 support in popular 3irtual Pri0ate Network (3PN) pro)ucts' $ay ina)0ertently result in 3PN traffic leaks. T at is' traffic $eant to be transferre) o0er a 3PN connection $ay leak out of suc connection an) be transferre) in t e clear on t e local network. T is )ocu$ent )iscusses so$e scenarios in w ic suc 3PN leaka!es $ay occur' eit er as a si)e effect of enablin! IP01 on a local network' or as a result of a )eliberate attack fro$ a local attacker. 4))itionally' it )iscusses possible $iti!ations for t e afore$entione) issue. Status of this e!o

T is Internet"#raft is sub$itte) in full confor$ance wit t e pro0isions of 5CP 67 an) 5CP 68. Internet"#rafts are workin! )ocu$ents of t e Internet +n!ineerin! Task Force (I+TF). Note t at ot er !roups $ay also )istribute workin! )ocu$ents as Internet"#rafts. T e list of current Internet"#rafts is at ttp*99)atatracker.ietf.or!9)rafts9current9. Internet"#rafts are )raft )ocu$ents 0ali) for a $a,i$u$ of si, $ont s an) $ay be up)ate)' replace)' or obsolete) by ot er )ocu$ents at any ti$e. It is inappropriate to use Internet"#rafts as reference $aterial or to cite t e$ ot er t an as :work in pro!ress.: T is Internet"#raft will e,pire on -une %.' &(%/. "op#right Notice

Copyri! t (c) &(%& I+TF Trust an) t e persons i)entifie) as t e )ocu$ent aut ors. 4ll ri! ts reser0e). T is )ocu$ent is sub;ect to 5CP 67 an) t e I+TF Trust<s =e!al Pro0isions >elatin! to I+TF #ocu$ents. ( ttp*99trustee.ietf.or!9license"info) in effect on t e )ate of publication of t is )ocu$ent? Please re0iew t ese )ocu$ents carefully' as t ey )escribe your ri! ts an) restrictions wit respect to t is )ocu$ent. Co)e Co$ponents e,tracte) fro$ t is )ocu$ent $ust inclu)e Si$plifie) 5S# =icense te,t as )escribe) in Section 2.e of t e Trust =e!al Pro0isions an) are pro0i)e) wit out warranty as )escribe) in t e Si$plifie) 5S# =icense. $able of "ontents %& 'ntroduction (& 'Pv) and 'Pv* co-e+istence ,& Virtual Private Networks in 'Pv)/'Pv* dual-stack hosts/networks )& VPN traffic-leakages in legiti!ate scenarios -& VPN traffic-leakage attacks *& itigations to VPN traffic-leakage vulnerabilities .& 'ANA "onsiderations /& Securit# "onsiderations 0& Acknowledge!ents %0& 1eferences %0&%& Nor!ative 1eferences %0&(& 'nfor!ative 1eferences Author2s Address %& 'ntroduction It is a 0ery co$$on practice for e$ployees workin! at re$ote locations to establis a 3PN connection wit t eir office or o$e office. T is is typically )one to !ain access to so$e resources only a0ailable wit in t e co$pany<s network' but also to secure t e ost<s traffic a!ainst attackers t at $i! t be connecte) to t e sa$e re$ote location. In so$e scenarios' it is e0en assu$e) t at e$ployin! a 3PN connection $akes t e use of insecure protocols (e.!. t at transfer sensiti0e infor$ation in t e clear) acceptable' as t e 3PN pro0i)es security ser0ices (suc as confi)entiality) for all co$$unications $a)e o0er t e 3PN. @any 3PN pro)ucts t at are typically e$ploye) for t e afore$entione) 3PN connections only support t e IP02 protocol* t at is' t ey perfor$ t e necessary actions suc t at IP02 traffic is sent o0er t e 3PN connection' but t ey )o not in! to secure IP01 traffic ori!inate)

fro$ (or bein! recei0e) at) t e ost e$ployin! t e 3PN client. Howe0er' t e osts t e$sel0es are typically )ual"stacke)* t ey support (an) enable by )efault) bot IP02 an) IP01 (e0en if suc IP01 connecti0ity is si$ply :)or$ant: w en t ey connect to IP02"only networks). A en t e IP01 connecti0ity of suc osts is enable)' t ey $ay en) up e$ployin! an IP01"unaware 3PN client in a )ual"stack network. T is $ay a0e :une,pecte): conseBuences' as e,plaine) below. T e subtle way in w ic t e IP02 an) IP01 protocols interact an) co" e,ist in )ual"stacke) networks $i! t' eit er ina)0ertently or as a result of a )eliberate attack' result in 3PN traffic leaka!es "" t at is' traffic $eant to be transferre) o0er a 3PN connection coul) leak out of t e 3PN connection an) be trans$itte) in t e clear on t e local network' wit out e$ployin! t e 3PN ser0ices at all. Section & pro0i)es so$e back!roun) about IP01 an) IP02 co"e,istence' su$$ariCin! ow IP02 an) IP02 interact on a typical )ual"stacke) network. Section / )escribes t e un)erlyin! proble$ t at lea)s to t e afore$entione) 3PN traffic leaka!es. Section 2 )escribes le!iti$ate scenarios in w ic suc traffic leaka!es $i! t occur' w ile Section . )escribes ow 3PN traffic leaka!es can be tri!!ere) by )eliberate attacks. (& 'Pv) and 'Pv* co-e+istence T e co"e,istence of t e IP02 an) IP01 protocols as a nu$ber of Interestin! an) subtle aspects t at $ay a0e :surprisin!: ConseBuences. A ile IP01 is not backwar)s"co$patible wit IP02' t e Two protocols are :!lue): to!et er by t e #o$ain Na$e Syste$ (#NS). For e,a$ple' consi)er a site (say' www.e,a$ple.co$) t at as bot IP02 an) IP01 support. T e correspon)in! )o$ain na$e (www.e,a$ple.co$' in our case) will contain bot 4 an) 4444 #NS resource recor)s (>>s). +ac 4 recor) will contain one IP02 a))ress' w ile eac 4444 recor) will contain one IP01 a))ress "" an) t ere $i! t be $ore t an one instance of eac of t ese recor) types. T us' w en a )ual"stacke) client application $eans to co$$unicate wit t e afore$entione) site' it can reBuest bot 4 an) 4444 recor)s' an) use any of t e a0ailable a))resses. T e preferre) a))ress fa$ily (IP02 or IP01) an) t e specific a))ress t at will be use) (assu$in! $ore t an one a))ress of eac fa$ily is a0ailable) 0aries fro$ one protocol i$ple$entation to anot er' wit $any ost i$ple$entations preferrin! IP01 a))resses o0er IP02 a))resses. D>FC16&2E specifies an al!orit $ for selectin! a )estination

a))ress fro$ a list of IP01 an) IP02 a))resses. D>FC1...E )iscusses t e c allen!e of selectin! t e $ost appropriate )estination a))ress' alon! wit a propose) i$ple$entation approac t at $iti!ates connection"establis $ent )elays. T is :co"e,istence: between IP01 an) IP02 $eans t at' w en a )ual" stacke) client $eans to co$$unicate wit so$e ot er syste$' t e a0ailability of 4 an) 4444 #NS resource recor)s will typically affect w ic protocol is e$ploye) to co$$unicate wit t at syste$. ,& Virtual Private Networks in 'Pv)/'Pv* dual-stack hosts/networks @any 3irtual Pri0ate Network (3PN) i$ple$entations )o not support t e IP01 protocol "" or' w at is worse' t ey co$pletely i!nore IP01. T is typically $eans t at' w en establis in! a 3PN connection' t e 3PN software takes care of t e IP02 connecti0ity by' e.!. insertin! an IP02 )efault route t at causes all IP02 traffic to be sent o0er t e 3PN connection (as oppose) to sen)in! t e traffic in t e clear' e$ployin! t e local router). Howe0er' if IP01 is not supporte) (or co$pletely i!nore))' any packets )estine) to an IP01 a))ress will be sent in t e clear usin! t e local IP01 router. T at is' t e 3PN software will )o not in! about t e IP01 traffic. T e un)erlyin! proble$ ere is t at w ile IP02 an) IP01 are two )ifferent protocols inco$patible wit eac ot er' t e two protocols are !lue) to!et er by t e #o$ain Na$e Syste$. T erefore' for )ual" stacke) syste$s' it is not possible to secure secure t e co$$unication wit anot er syste$ wit out securin! bot protocols (IP01 an) IP02). )& VPN traffic-leakages in legiti!ate scenarios Consi)er a )ual"stacke) ost t at e$ploys IP02"only 3PN software to establis a 3PN connection wit a 3PN ser0er' an) t at t e ost now attac es to a )ual"stacke) network (t at pro0i)es bot IP01 an) IP02 connecti0ity). If so$e application on t e client nee)s to co$$unicate wit a )ual"stacke) )estination' t e client will typically Buery bot 4 an) 4444 #NS resource recor)s. Since t e ost will a0e bot IP02 an) IP01 connecti0ity' an) t e inten)e) )estination will a0e bot 4 an) 4444 #NS resource recor)s' one of t e possible outco$es is t at t e ost will e$ploy IP01 to co$$unicate wit t e afore$entione) syste$. Since t e 3PN software )oes not support IP01' t e IP01 traffic will not e$ploy t e 3PN connection' an) will be sent in t e clear on t e local network. T is coul) ina)0ertently e,pose sensiti0e traffic t at was assu$e) to

be secure) by t e 3PN software. In t is particular scenario' t e resultin! 3PN traffic leaka!e is a si)e"effect of e$ployin! IP01" unaware software in a )ual"stacke) ost9network. -& VPN traffic-leakage attacks 4 local attacker coul) )eliberately tri!!er IP01 connecti0ity on t e 0icti$ ost by sen)in! for!e) IC@P01 >outer 4)0ertise$ent $essa!es D>FC271%E. Suc packets coul) be sent by e$ployin! stan)ar) software suc as rta)0) D>T4#3#E' or by e$ployin! packet"craftin! tools suc as t e DSI1"ToolkitE or THC"IP01 DTHC"IP01E. Once IP01 connecti0ity as been enable)' co$$unications wit )ual"stacke) syste$s coul) result in 3PN traffic leaka!es' as pre0iously $entione). A ile t is attack $ay be useful enou! ()ue to t e increasin! nu$ber of IP01"enable) sites)' it will only lea) to traffic leaka!es w en t e )estination syste$ is )ual"stacke). Howe0er' it is usually tri0ial for an attacker to tri!!er suc 3PN leaka!es for any )estination syste$s* an attacker coul) si$ply a)0ertise i$self as t e local recursi0e #NS ser0er by sen)in! for!e) >outer 4)0ertise$ent $essa!es D>FC271%E t at inclu)e t e correspon)in! >#NSS option D>FC1%(1E' an) t en perfor$ a #NS spoofin! attack suc t at e can beco$e a :@an in t e @i))le: an) intercept t e correspon)in! traffic. 4s wit t e pre0ious attack scenario' packet"craftin! tools suc as DSI1"ToolkitE an) DTHC"IP01E can rea)ily perfor$ t is attack. So$e syste$s are known to prefer IP01"base) recursi0e #NS ser0ers o0er IP02"base) ones' an) ence t e :$alicious: recursi0e #NS ser0ers woul) be preferre) o0er t e le!iti$ate ones a)0ertise) by t e 3PN ser0er. *& itigations to VPN traffic-leakage vulnerabilities

T ere are a nu$ber of possible $iti!ations for t e 3PN traffic" leaka!e 0ulnerability )iscusse) in t is )ocu$ent. If t e 3PN client is confi!ure) by a)$inistrati0e )ecision to re)irect all traffic for IP02 to t e 3PN' it s oul)* %. If IP01 is not supporte)' )isable IP01 support in all network interfaces For IP01"unaware 3PN clients' t e $ost si$ple $iti!ation (alt ou! not necessarily t e $ost )esirable one) woul) be to )isable IP01 support in all network interface car)s w en a 3PN connection is $eant to be e$ploye). T us' applications on t e ost runnin! t e 3PN client software will a0e no ot er option

t an to e$ploy IP02' an) ence t ey will si$ply not e0en try to sen)9process IP01 traffic. &. If IP01 is supporte)' ensure t at all IP01 traffic is also sent 0ia t e 3PN If t e 3PN client is confi!ure) to only sen) a subset of IP02 networks to t e 3PN tunnel (split"tunnel $o)e)' an) t e 3PN client )oes not support IP01' it s oul) )isable IP01 as well. If it supports IP01' it is t e a)$inistrators responsibility to ensure t at t e correct correspon)in! sets of IP02 an) IP01 networks !et route) into t e 3PN tunnel. 4))itionally' 3PN clients t at support IP01 s oul) $iti!ate all N#" base) attacks t at $ay intro)uce new entries in t e routin! table' suc attacks base) on for!e) >4 $essa!es containin! $ore specific routes D>FC2%8%E' for!e) IC@P01 >e)irect $essa!es' etc. 4 network $ay pre0ent local attackers fro$ successfully perfor$in! t e afore$entione) attacks a!ainst ot er local osts by i$ple$entin! First"Hop Security solutions suc as >outer 4)0ertise$ent Guar) (>4" Guar)) D>FC1%(.E an) #HCP01"S iel) DI"#.!ont"opsec") cp01"s iel)E. Howe0er' for ob0ious reasons' a ost cannot an) s oul) not rely on t is type of $iti!ations w en connectin! to an open network (cybercafe' etc.). 5esi)es' popular i$ple$entations of >4"Guar) are known to be 0ulnerable to e0asion attacks DI"#.ietf"01ops"ra"!uar)"i$ple$entationE. .& 'ANA "onsiderations T is )ocu$ent as no actions for I4N4. /& Securit# "onsiderations T is )ocu$ent )iscusses ow traffic $eant to be transferre) o0er a 3PN connection can leak out of t e 3PN' an) ence appear in t e clear on t e local network. T is is t e result of e$ployin! IP01"unaware 3PN client software on )ual"stacke) osts. Possible ways to $iti!ate t is proble$ inclu)e fi,in! t e 3PN client software' or )isablin! IP01 connecti0ity on all network interfaces w en t e pre0ious option is not feasible. 0& Acknowledge!ents T e aut or woul) like to t ank (in alp abetical or)er) Gert #oerin! an) Tor Hou! ton' w o pro0i)in! co$$ents on earlier 0ersions of t is

)ocu$ent. T is )ocu$ents as benefite) fro$ t e input of Ca$eron 5yrne' Gert #oerin!' Set Hall' Tor Hou! ton' 4lastair -o nson' Henrik =un) Fra$s o;' an) -i$ S$all' w ile )iscussin! t is topic on t e ip01 ackers $ailin!"list DIP01"HackersE. It as also benefite) fro$ )iscussions wit 4n)rew Gourtc enko on t e opsec w! $ailin!"list DOPS+C"=ISTE. %0& 1eferences %0&%& Nor!ative 1eferences D>FC2%8%E #ra0es' >. an) #. T aler' :#efault >outer Preferences an) @ore"Specific >outes:' >FC 2%8%' No0e$ber &((.. D>FC271%E Narten' T.' Nor)$ark' +.' Si$pson' A.' an) H. Soli$an' :Nei! bor #isco0ery for IP 0ersion 1 (IP01):' >FC 271%' Septe$ber &((6. D>FC1%(1E -eon!' -.' Park' S.' 5eloeil' =.' an) S. @a)anapalli' :IP01 >outer 4)0ertise$ent Options for #NS Confi!uration:' >FC 1%(1' No0e$ber &(%(. D>FC16&2E T aler' #.' #ra0es' >.' @atsu$oto' 4.' an) T. C own' :#efault 4))ress Selection for Internet Protocol 3ersion 1 (IP01):' >FC 16&2' Septe$ber &(%&. D>FC1...E Ain!' #. an) 4. Gourtc enko' :Happy +yeballs* Success wit #ual"Stack Hosts:' >FC 1...' 4pril &(%&. %0&(& 'nfor!ative 1eferences D>FC1%(.E =e0y"4be!noli' +.' 3an )e 3el)e' G.' Popo0iciu' C.' an) -. @o acsi' :IP01 >outer 4)0ertise$ent Guar):' >FC 1%(.' February &(%%. DI"#.ietf"01ops"ra"!uar)"i$ple$entationE Gont' F.' :I$ple$entation 4)0ice for IP01 >outer 4)0ertise$ent Guar) (>4"Guar)):' )raft"ietf"01ops"ra"!uar)"i$ple$entation"(6 (work in pro!ress)' No0e$ber &(%&. DI"#.!ont"opsec") cp01"s iel)E Gont' F. an) A. =iu' :#HCP01"S iel)* Protectin! 4!ainst >o!ue #HCP01 Ser0ers:' )raft"!ont"opsec") cp01"s iel)"(%

(work in pro!ress)' October &(%&. DIP01"HackersE :IP01 Hackers $ailin!"list:' ttp*99lists.si1networks.co$9listinfo9ip01 ackers9. DOPS+C"=ISTE :OPS+C AG $ailin!"list:' ttps*99www.ietf.or!9$ail$an9listinfo9opsec. DSI1"ToolkitE :SI1 Networks< IP01 toolkit:' H ttp*99www.si1networks.co$9tools9ip01toolkitI. DTHC"IP01E :T e Hacker<s C oice IP01 4ttack Toolkit:' H ttp*99www.t c.or!9t c"ip019I. D>T4#3#E :rta)0)(7) $anual pa!e:' H ttp*99www.freebs).or!9c!i9 $an.c!iJBueryKrta)0)LsektionK7I. 4ut or<s 4))ress Fernan)o Gont Huawei Tec nolo!ies +0aristo Carrie!o &122 Hae)o' Pro0incia )e 5uenos 4ires %6(1 4r!entina P one* M.2 %% 21.( 726& +$ail* f!ontNsi1networks.co$ O>I* ttp*99www.si1networks.co$