Unfortunate History of Transient Numeric IdentifiersSI6 NetworksSegurola y Habana4310 7mo pisoCiudad Autonoma de Buenos AiresArgentinafgont@si6networks.comhttps://www.si6networks.comQuarkslabSegurola y Habana4310 7mo pisoCiudad Autonoma de Buenos AiresArgentinaiarce@quarkslab.comhttps://www.quarkslab.comPrivacy Enhancements and Assessmentssecurityvulnerabilityalgorithmattackfingerprinting
This document analyzes the timeline of the specification and implementation of different types of "transient numeric identifiers" used in IETF protocols and how the security and privacy properties of such protocols have been affected as a result of it. It provides empirical evidence that advice in this area is warranted. This document is a product of the Privacy Enhancements and Assessments Research Group (PEARG) in the IRTF.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Research Task Force
(IRTF). The IRTF publishes the results of Internet-related
research and development activities. These results might not be
suitable for deployment. This RFC represents the consensus of the Privacy Enhancements and Assessments
Research Group of the Internet Research Task Force (IRTF).
Documents approved for publication by the IRSG are not
candidates for any level of Internet Standard; see Section 2 of RFC
7841.
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
() in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document.
Table of Contents
. Introduction
. Terminology
. Threat Model
. Issues with the Specification of Transient Numeric Identifiers
. IPv4/IPv6 Identification
. TCP Initial Sequence Numbers (ISNs)
. IPv6 Interface Identifiers (IIDs)
. NTP Reference IDs (REFIDs)
. Transport-Protocol Ephemeral Port Numbers
. DNS ID
. Conclusions
. IANA Considerations
. Security Considerations
. References
. Normative References
. Informative References
Acknowledgements
Authors' Addresses
Introduction
Networking protocols employ a variety of transient numeric identifiers for different protocol objects, such as IPv4 and IPv6 Identification values , IPv6 Interface Identifiers (IIDs) , transport-protocol ephemeral port numbers , TCP Initial Sequence Numbers (ISNs) , NTP Reference IDs (REFIDs) , and DNS IDs . These identifiers typically have specific requirements (e.g., uniqueness during a specified period of time) that must be satisfied such that they do not result in negative interoperability implications and an associated failure severity when such requirements are not met .For more than 30 years, a large number of implementations of IETF protocols have been subject to a variety of attacks, with effects ranging from Denial of Service (DoS) or data injection to information leakages that could be exploited for pervasive monitoring . The root cause of these issues has been, in many cases, the poor selection of transient numeric identifiers in such protocols, usually as a result of insufficient or misleading specifications. While it is generally trivial to identify an algorithm that can satisfy the interoperability requirements of a given transient numeric identifier, empirical evidence exists that doing so without negatively affecting the security and/or privacy properties of the aforementioned protocols is prone to error.For example, implementations have been subject to security and/or privacy issues resulting from:
predictable IPv4 or IPv6 Identification values (e.g., see , , and ),
predictable IPv6 IIDs (e.g., see , , and ),
predictable transport-protocol ephemeral port numbers (e.g., see and ),
predictable TCP Initial Sequence Numbers (ISNs) (e.g., see , , and ),
predictable initial timestamps in TCP timestamps options (e.g., see and ), and
predictable DNS IDs (see, e.g., and ).
Recent history indicates that, when new protocols are standardized or new protocol implementations are produced, the security and privacy properties of the associated transient numeric identifiers tend to be overlooked, and inappropriate algorithms to generate such identifiers are either suggested in the specifications or selected by implementers. As a result, advice in this area is warranted.
This document contains a non-exhaustive timeline of the specification and vulnerability disclosures related to some sample transient numeric identifiers, including other work that has led to advances in this area. This analysis indicates that:
vulnerabilities associated with the inappropriate generation of transient numeric identifiers have affected protocol implementations for an extremely long period of time,
such vulnerabilities, even when addressed for a given protocol version, were later reintroduced in new versions or new implementations of the same protocol, and
standardization efforts that discuss and provide advice in this area can have a positive effect on IETF specifications and their corresponding implementations.
While it is generally possible to identify an algorithm that can satisfy the interoperability requirements for a given transient numeric identifier, this document provides empirical evidence that doing so without negatively affecting the security and/or privacy properties of the corresponding protocols is nontrivial. Other related documents ( and ) provide guidance in this area, as motivated by the present document.This document represents the consensus of the Privacy Enhancements and Assessments Research Group (PEARG).Terminology
Transient Numeric Identifier:
A data object in a protocol specification that can be used to definitely distinguish a protocol object (a datagram, network interface, transport-protocol endpoint, session, etc.) from all other objects of the same type, in a given context. Transient numeric identifiers are usually defined as a series of bits and represented using integer values. These identifiers are typically dynamically selected, as opposed to statically assigned numeric identifiers (e.g., see ). We note that different transient numeric identifiers may have additional requirements or properties depending on their specific use in a protocol. We use the term "transient numeric identifier" (or simply "numeric identifier" or "identifier" as short forms) as a generic term to refer to any data object in a protocol specification that satisfies the identification property stated above.
The terms "constant IID", "stable IID", and "temporary IID" are to be
interpreted as defined in .
Threat ModelThroughout this document, we do not consider on-path attacks. That is, we assume the attacker does not have physical or logical access to the system(s) being attacked and that the attacker can only observe traffic explicitly directed to the attacker. Similarly, an attacker cannot observe traffic transferred between the sender and the receiver(s) of a target protocol but may be able to interact with any of these entities, including by, e.g., sending any traffic to them to sample transient numeric identifiers employed by the target hosts when communicating with the attacker.
For example, when analyzing vulnerabilities associated with TCP Initial Sequence Numbers (ISNs), we consider the attacker is unable to capture network traffic corresponding to a TCP connection between two other hosts. However, we consider the attacker is able to communicate with any of these hosts (e.g., establish a TCP connection with any of them) to, e.g., sample the TCP ISNs employed by these hosts when communicating with the attacker.Similarly, when considering host-tracking attacks based on IPv6 Interface Identifiers, we consider an attacker may learn the IPv6 address employed by a victim host if, e.g., the address becomes exposed as a result of the victim host communicating with an attacker-operated server. Subsequently, an attacker may perform host-tracking by probing a set of target addresses composed by a set of target prefixes and the IPv6 Interface Identifier originally learned by the attacker.
Alternatively, an attacker may perform host-tracking if, e.g., the victim host communicates with an attacker-operated server as it moves from one location to another, thereby exposing its configured addresses. We note that none of these scenarios require the attacker observe traffic not explicitly directed to the attacker.
Issues with the Specification of Transient Numeric IdentifiersWhile assessing IETF protocol specifications regarding the use of transient numeric identifiers, we have found that most of the issues discussed in this document arise as a result of one of the following conditions:
protocol specifications that under specify their transient numeric identifiers
protocol specifications that over specify their transient numeric identifiers
protocol implementations that simply fail to comply with the specified requirements
A number of IETF protocol specifications under specified their transient numeric identifiers, thus leading to implementations that were vulnerable to numerous off-path
attacks. Examples of them are the specification of TCP local ports in or the specification of the DNS ID in .On the other hand, there are a number of IETF protocol specifications that over specify some of their associated transient numeric identifiers. For example, essentially overloads the semantics of IPv6 Interface Identifiers (IIDs) by embedding link-layer addresses in the IPv6 IIDs when the interoperability requirement of uniqueness could be achieved in other ways that do not result in negative security and privacy implications . Similarly, suggests the use of a global counter for the generation of Identification values when the interoperability requirement of uniqueness per {IPv6 Source Address, IPv6 Destination Address} could be achieved with other algorithms that do not result in negative security and privacy implications .Finally, there are protocol implementations that simply fail to comply with existing protocol specifications. For example, some popular operating systems still fail to implement transport-protocol ephemeral port randomization, as recommended in , or TCP Initial Sequence Number randomization, as recommended in .The following subsections document the timelines for a number of sample transient numeric identifiers that illustrate how the problem discussed in this document has affected protocols from different layers over time. These sample transient numeric identifiers have different interoperability requirements and failure severities (see ), and thus are considered to be representative of the problem being analyzed in this document.IPv4/IPv6 IdentificationThis section presents the timeline of the Identification field employed by IPv4 (in the base header) and IPv6 (in Fragment Headers). The reason for presenting both cases in the same section is to make it evident that, while the Identification value serves the same purpose in both protocols, the work and research done for the IPv4 case did not influence IPv6 specifications or implementations.The IPv4 Identification is specified in , which specifies the interoperability requirements for the Identification field, i.e., the sender must choose the Identification field to be unique for a given {Source Address, Destination Address, Protocol} for the time the datagram (or any fragment of it) could be alive in the Internet. It suggests that a sending protocol module may keep "a table of Identifiers, one entry for each destination it has communicated with in the last maximum packet lifetime for the [I]nternet", and it also suggests that "since the Identifier field allows 65,536 different values, hosts may be able to simply use unique identifiers independent of destination". The above has been interpreted numerous times as a suggestion to employ per-destination or global counters for the generation of Identification values. While does not suggest any flawed algorithm for the generation of Identification values, the specification omits a discussion of the security and privacy implications of predictable Identification values. This resulted in many IPv4 implementations generating predictable Identification values by means of a global counter, at least at some point in time.
The IPv6 Identification was originally specified in . It serves the same purpose as its IPv4 counterpart, but rather than being part of the base header (as in the IPv4 case), it is part of the Fragment Header (which may or may not be present in an IPv6 packet). states that the Identification must be different than that of any other fragmented packet sent recently (within the maximum likely lifetime of a packet) with the same Source Address and Destination Address. Subsequently, it notes that this requirement can be met by means of a wrap-around 32-bit counter that is incremented each time a packet must be fragmented and that it is an implementation choice whether to use a global or a per-destination counter. Thus, the specification of the IPv6 Identification is similar to that of the IPv4 case, with the only difference that, in the IPv6 case, the suggestions to use simple counters is more explicit. is the first revision of the core IPv6 specification and maintains the same text for the specification of the IPv6 Identification field. , the second revision of the core IPv6 specification, removes the suggestion from to use a counter for the generation of IPv6 Identification values and points to for sample algorithms for their generation.
September 1981:
specifies the interoperability requirements for the IPv4 Identification but does not perform a vulnerability assessment of this transient numeric identifier.
December 1995:
, the first specification of the IPv6 protocol, is published. It suggests that a counter be used to generate the IPv6 Identification values and notes that it is an implementation choice whether to maintain a single counter for the node or multiple counters (e.g., one for each of the node's possible Source Addresses, or one for each active {Source Address, Destination Address} set).
December 1998:
finds that predictable IPv4 Identification values (as generated by most popular implementations) can be leveraged to count the number of packets sent by a target node. explains how to leverage the same vulnerability to implement a port-scanning technique known as "idle scan". A tool that implements this attack is publicly released.
December 1998:
, a revision of the IPv6 specification, is published, obsoleting . It maintains the same specification of the IPv6 Identification field as its predecessor .
December 1998:
OpenBSD implements randomization of the IPv4 Identification field .
November 1999:
discusses how to leverage predictable IPv4 Identification values to uncover the rules of a number of firewalls.
September 2002:
documents the implementation of the "idle scan" technique in the popular Network Mapper (nmap) tool.
November 2002:
explains how the IPv4 Identification field can be exploited to count the number of systems behind a NAT.
October 2003:
OpenBSD implements randomization of the IPv6 Identification field .
December 2003:
explains a technique to perform TCP data injection attacks based on predictable IPv4 Identification values, which requires less effort than TCP injection attacks performed with bare TCP packets.
January 2005:
discusses shortcomings in a number of techniques to mitigate predictable IPv4 Identification values.
October 2007:
describes a weakness in the pseudorandom number generator (PRNG) in use for the generation of IP Identification values by a number of operating systems.
June 2011:
describes how to perform idle scan attacks in IPv6.
November 2011:
Linux mitigates predictable IPv6 Identification values .
December 2011:
describes the security implications of predictable IPv6 Identification values and possible mitigations. This document has the intended status of "Standards Track", with the intention to formally update to introduce security and privacy requirements on the generation of IPv6 Identification values.
May 2012:
notes that some major IPv6 implementations still employ predictable IPv6 Identification values.
March 2013:
The 6man WG adopts but changes the track to "BCP" (while still formally updating ), posting the resulting document as .
June 2013:
A patch to incorporate support for IPv6-based idle scans in nmap is submitted .
December 2014:
The 6man WG changes the intended status of to "Informational" and posts it as . As a result, it no longer formally updates , and security and privacy requirements on the generation of IPv6 Identification values are eliminated.
June 2015:
notes that some popular host and router implementations still employ predictable IPv6 Identification values.
February 2016:
(based on ) analyzes the security and privacy implications of predictable IPv6 Identification values and provides guidance for selecting an algorithm to generate such values. However, being published as an "Informational" RFC, it does not formally update and does not introduce security and privacy requirements on the generation of IPv6 Identification values.
June 2016:
, a draft revision of , removes the suggestion from to use a counter for the generation of IPv6 Identification values but does not perform a vulnerability assessment of the generation of IPv6 Identification values and does not introduce security and privacy requirements on the generation of IPv6 Identification values.
July 2017:
is finally published as , obsoleting and pointing to for sample algorithms for the generation of IPv6 Identification values. However, it does not introduce security and privacy requirements on the generation of IPv6 Identification values.
October 2019:
notes that the IPv6 Identification generators of two popular operating systems are flawed.
TCP Initial Sequence Numbers (ISNs) suggests that the choice of the ISN of a connection is not arbitrary but aims to reduce the chances of a stale segment from being accepted by a new incarnation of a previous connection. suggests the use of a global 32-bit ISN generator that is incremented by 1 roughly every 4 microseconds. However, as a matter of fact, protection against stale segments from a previous incarnation of the connection is enforced by preventing the creation of a new incarnation of a previous connection before 2*MSL has passed since a segment corresponding to the old incarnation was last seen (where "MSL" is the "Maximum Segment Lifetime" ). This is accomplished by the TIME-WAIT state and TCP's "quiet time" concept (see ). Based on the assumption that ISNs are monotonically increasing across connections, many stacks (e.g., 4.2BSD-derived) use the ISN of an incoming SYN segment to perform "heuristics" that enable the creation of a new incarnation of a connection while the previous incarnation is still in the TIME-WAIT state (see p. 945 of ). This avoids an interoperability problem that may arise when a node establishes connections to a specific TCP end-point at a high rate .The interoperability requirements for TCP ISNs are probably not as clearly spelled out as one would expect. Furthermore, the suggestion of employing a global counter in negatively affects the security and privacy properties of the protocol.
September 1981:
suggests the use of a global 32-bit ISN
generator, whose lower bit is incremented roughly every 4 microseconds. However, such an ISN generator makes it trivial to predict the ISN that a TCP implementation will use for new connections, thus allowing a variety of attacks against TCP.
February 1985:
is the first to describe how to exploit predictable TCP ISNs for forging TCP connections that could then be leveraged for trust relationship exploitation.
April 1989:
discusses the security considerations for predictable ISNs (along with a range of other protocol-based vulnerabilities).
January 1995:
reports a real-world exploitation of the vulnerability described in ten years before (in 1985).
May 1996:
is the first IETF effort, authored by Steven Bellovin, to address predictable TCP ISNs. However, does not formally update . Note: The same concept specified in this document for TCP ISNs was later proposed for TCP ephemeral ports , TCP Timestamps, and eventually even IPv6 Interface Identifiers .
July 1996:
OpenBSD implements TCP ISN randomization based on random increments (please see ) .
December 2000:
OpenBSD implements TCP ISN randomization using simple randomization (please see ) .
March 2001:
provides a detailed analysis of statistical weaknesses in some TCP ISN generators and includes a survey of the algorithms in use by popular TCP implementations. Vulnerability advisories were released regarding statistical weaknesses in some TCP ISN generators, affecting popular TCP implementations. Other vulnerability advisories on the same vulnerability, such as , were published later on.
March 2002:
updates and complements . It concludes that "while some vendors [...] reacted promptly and tested their solutions properly, many still either ignored the issue and never evaluated their implementations, or implemented a flawed solution that apparently was not tested using a known approach" .
June 2007:
OpenBSD implements TCP ISN randomization based on the algorithm specified in (currently obsoleted and replaced by ) for the TCP endpoint that performs the active open while keeping the simple randomization scheme for the endpoint performing the passive open . This provides monotonically increasing ISNs for the "client side" (allowing the BSD heuristics to work as expected) while avoiding any patterns in the ISN generation for the "server side".
February 2012:
, published 27 years after Morris's original work , formally updates to mitigate predictable TCP ISNs.
August 2014:
The algorithm specified in becomes the recommended ("SHOULD") algorithm for TCP ISN generation in , an early revision of the core TCP specification .
August 2022:
, a revision of the core TCP specification, is published, adopting the algorithm specified in as the recommended ("SHOULD") algorithm for TCP ISN generation.
IPv6 Interface Identifiers (IIDs)IPv6 Interface Identifiers can be generated as a result of different mechanisms, including Stateless Address Autoconfiguration (SLAAC) , DHCPv6 , and manual configuration. This section focuses on Interface Identifiers resulting from SLAAC.The Interface Identifier of stable IPv6 addresses resulting from SLAAC originally resulted in the underlying link-layer address being embedded in the IID. At the time, employing the underlying link-layer address for the IID was seen as a convenient way to obtain a unique address. However, recent awareness about the security and privacy properties of this approach has led to the replacement of this flawed scheme with an alternative one that does not negatively affect the security and privacy properties of the protocol.
January 1997:
specifies the syntax of IPv6 global addresses (referred to as "An IPv6 Provider-Based Unicast Address Format" at the time), which is consistent with the IPv6 addressing architecture specified in .
Hosts are recommended to "generate addresses using link-specific addresses as Interface ID such as 48 bit IEEE-802 MAC addresses".
July 1998:
specifies "An IPv6 Aggregatable Global Unicast Address Format" (obsoleting ), changing the size of the IID to 64 bits, and specifies that IIDs must be constructed in IEEE 64-bit Extended Unique Identifier (EUI-64) format. How such identifiers are constructed is specified in the corresponding "IPv6 over <link>" specifications, such as "IPv6 over Ethernet".
January 2001:
recognizes the problem of IPv6 network activity correlation and specifies IPv6 temporary addresses. Temporary addresses are to be used along with stable addresses.
August 2003:
obsoletes , making the Top-Level Aggregator (TLA) / Next-Level
Aggregator (NLA) structure historic, though the syntax and recommendations for the stable IIDs remain unchanged.
February 2006:
is published as the latest "IP Version 6 Addressing Architecture", requiring the IIDs of "all unicast addresses, except those that start with the binary value 000" to employ the Modified EUI-64 format. The details of constructing such interface identifiers are defined in the corresponding "IPv6 over <link>" specifications.
March 2008:
provides hints regarding how patterns in IPv6 addresses could be leveraged for the purpose of address scanning.
December 2011:
notes that the original scheme for generating stable addresses allows for IPv6 address scanning and for active host tracking (even when IPv6 temporary addresses are employed). It also specifies an alternative algorithm meant to replace IIDs based on Modified EUI-64 format identifiers.
November 2012:
The 6man WG adopts as a working group item (as ). However, the document no longer formally updates ; therefore, the specified algorithm no longer formally replaces the Modified EUI-64 format identifiers.
February 2013:
An address-scanning tool (scan6 of ) that leverages IPv6 address patterns is released .
July 2013:
elaborates on the security and privacy properties of all known algorithms for generating IPv6 IIDs.
January 2014:
The 6man WG posts ("Recommendation on Stable IPv6 Interface Identifiers"), recommending for the generation of stable addresses.
April 2014:
(formerly ) is published, specifying "A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)" as an alternative to (but not replacement of) Modified EUI-64 format IIDs.
March 2016:
(formerly and later ), about "Network Reconnaissance in IPv6 Networks", is published.
March 2016:
(formerly and later ), about "Security and Privacy Considerations for IPv6 Address Generation Mechanisms", is published.
May 2016:
is posted, with the goal of specifying requirements for non-stable addresses and updating such that use of only temporary addresses is allowed.
May 2016:
is posted, providing an analysis of how different aspects on an address (from stability to usage mode) affect their corresponding security and privacy properties and meaning to eventually provide advice in this area.
February 2017:
, produced by the 6man WG, is published as ("Recommendation on Stable IPv6 Interface Identifiers"), with requirements for stable addresses and a recommendation to employ for the generation of stable addresses. It formally updates a large number of RFCs.
March 2018:
is posted (as suggested by the 6man WG) to address flaws in by revising it (as an alternative to the effort, posted in March 2016).
July 2018:
is adopted (as ) as a WG item of the 6man WG.
December 2020:
is approved by the IESG for publication as an RFC.
February 2021:
is finally published as .
NTP Reference IDs (REFIDs)The NTP Reference ID is a 32-bit code identifying the particular server or reference clock. Above stratum 1 (secondary servers and clients), this value can be employed to avoid degree-one timing loops, that is, scenarios where two NTP peers are (mutually) the time source of each other. If using the IPv4 address family, the identifier is the four-octet IPv4 address. If using the IPv6 address family, it is the first four octets of the MD5 hash of the IPv6 address.
June 2010:
("Network Time Protocol Version 4: Protocol and Algorithms Specification") is published. It specifies that, for NTP peers with stratum higher than 1, the REFID embeds the IPv4 address of the time source or the first four octets of the MD5 hash of the IPv6 address of the time source.
July 2016:
is posted, describing the information leakage produced via the NTP REFID. It proposes that NTP returns a special REFID when a packet employs an IP Source Address that is not believed to be a current NTP peer but otherwise generates and returns the common REFID. It is subsequently adopted by the NTP WG as .
April 2019:
notes that the proposed fix specified in is, at the very least, sub-optimal. As a result of a lack of WG support, the effort is eventually abandoned.
Transport-Protocol Ephemeral Port NumbersMost (if not all) transport protocols employ "port numbers" to demultiplex packets to the corresponding transport-protocol instances. "Ephemeral ports" refer to the local ports employed in active OPEN requests, that is, typically the local port numbers employed on the side initiating the communication.
August 1980:
notes that the UDP source port is optional and identifies the port of the sending process. It does not specify interoperability requirements for source port selection, nor does it suggest possible ways to select port numbers. Most popular implementations end up selecting source ports from a system-wide global counter.
September 1981:
(the TCP specification) essentially describes the use of port numbers and specifies that port numbers should result in a unique socket pair {local address, local port, remote address, remote port}. How ephemeral ports are selected and the port range from which they are selected are left unspecified.
July 1996:
OpenBSD implements ephemeral port randomization .
July 2008:
The CERT Coordination Center publishes details of what became known as the "Kaminsky Attack" on the DNS. The attack exploits the lack of ephemeral port randomization and DNS ID randomization in many major DNS implementations to perform cache poisoning in an effective and practical manner.
January 2009:
mandates the use of port randomization for DNS resolvers and mandates that implementations must randomize ports from the range of available ports (53 or 1024 and above) that is as large as possible and practicable. It does not recommend possible algorithms for port randomization, although the document specifically targets DNS resolvers, for which a simple port randomization suffices (e.g., Algorithm 1 of ). This document led to the implementation of port randomization in the DNS resolvers themselves, rather than in the underlying transport protocols.
January 2011:
notes that many TCP and UDP implementations result in predictable ephemeral port numbers and also notes that many implementations select port numbers from a small portion of the whole port number space. It recommends the implementation and use of ephemeral port randomization, proposes a number of possible algorithms for port randomization, and also recommends to randomize port numbers over the range 1024-65535.
March 2016:
reports a non-normal distribution of the ephemeral port numbers employed by the NTP clients of an Internet Time Service.
April 2019:
notes that some NTP implementations employ the NTP service port (123) as the local port for nonsymmetric modes and aims to update the NTP specification to recommend port randomization in such cases, which is in line with . The proposal experiences some pushback in the relevant working group (NTP WG) but is finally adopted as a working group item as .
August 2021:
is finally published as .
DNS IDThe DNS ID can be employed to match DNS replies to outstanding DNS queries.
November 1987:
specifies that the DNS ID is a 16-bit identifier assigned by the program that
generates any kind of query and that this identifier is copied in the corresponding reply and can be used by the requester to match up replies to outstanding queries. It does not specify the interoperability requirements for this numeric identifier, nor does it suggest an algorithm for generating it.
August 1993:
describes DNS cache poisoning attacks that require the attacker to guess the DNS ID.
June 1995:
suggests that both the UDP source port and the DNS ID of query packets should be randomized, although that might not provide enough entropy to prevent an attacker from guessing these values.
April 1997:
finds that implementations employ predictable UDP source ports and predictable DNS IDs and argues that both should be randomized.
November 2002:
finds that, by spoofing multiple requests for the same domain name from different IP addresses, an attacker may guess the DNS ID employed for a victim with a high probability of success, thus allowing for DNS cache poisoning attacks.
March 2007:
finds that the Microsoft Windows DNS server generates predictable DNS ID values.
July 2007:
finds that a popular DNS server software (BIND 9) that randomizes the DNS ID is still subject to DNS cache poisoning attacks by forging a large number of queries and leveraging the birthday paradox.
October 2007:
finds that OpenBSD's DNS software (based on the BIND DNS server of the Internet Systems Consortium (ISC)) generates predictable DNS ID values.
January 2009:
is published, requiring resolvers to randomize the DNS ID of queries and to verify that the DNS ID of a reply matches that of the DNS query as part of the DNS reply validation process.
May 2010:
finds that the Windows SMTP Service implements its own DNS resolver that results in predictable DNS ID values. Additionally, it fails to validate that the DNS ID of a reply matches that of the DNS query that supposedly elicited it.
Conclusions
For more than 30 years, a large number of implementations of IETF protocols have been subject to a variety of attacks, with
effects ranging from Denial of Service (DoS) or data injection to
information leakages that could be exploited for pervasive monitoring
. The root cause of these issues has been, in many cases, the poor selection of transient numeric identifiers in such protocols, usually as a result of insufficient or misleading specifications.
While it is generally possible to identify an algorithm that can
satisfy the interoperability requirements for a given transient
numeric identifier, this document provides empirical evidence that
doing so without negatively affecting the security and/or privacy
properties of the aforementioned protocols is nontrivial. It is thus
evident that advice in this area is warranted.
aims at requiring future
IETF protocol specifications to contain analysis of the security and
privacy properties of any transient numeric identifiers specified by
the protocol and to recommend an algorithm for the generation
of such transient numeric identifiers. specifies a number of sample algorithms for generating
transient numeric identifiers with specific interoperability
requirements and failure severities.
IANA ConsiderationsThis document has no IANA actions.Security ConsiderationsThis document analyzes the timeline of the specification and implementation of the transient numeric identifiers of some sample IETF protocols and how the security and privacy properties of such protocols have been affected as a result of it. It provides concrete evidence that advice in this area is warranted. analyzes and categorizes transient numeric identifiers based on their interoperability requirements and their associated failure severities and recommends possible algorithms that can be employed to comply with those requirements without negatively affecting the security and privacy properties of the corresponding protocols. formally requires IETF protocol specifications to specify the interoperability requirements for their transient numeric identifiers, to do a warranted vulnerability assessment of such transient numeric identifiers, and to recommend possible algorithms for their generation, such that the interoperability requirements are complied with, while any negative security or privacy properties of these transient numeric identifiers are mitigated.ReferencesNormative ReferencesUser Datagram ProtocolInternet ProtocolTransmission Control ProtocolTCP Extensions for High PerformanceThis memo presents a set of TCP extensions to improve performance over large bandwidth*delay product paths and to provide reliable operation over very high-speed paths. It defines new TCP options for scaled windows and timestamps, which are designed to provide compatible interworking with TCP's that do not implement the extensions. [STANDARDS-TRACK]Internet Protocol, Version 6 (IPv6) SpecificationThis document specifies version 6 of the Internet Protocol (IPv6), also sometimes referred to as IP Next Generation or IPng. [STANDARDS-TRACK]IP Version 6 Addressing ArchitectureThis specification defines the addressing architecture of the IP Version 6 protocol [IPV6]. [STANDARDS-TRACK]An IPv6 Provider-Based Unicast Address FormatThis document defines an IPv6 provider-based unicast address format for use in the Internet. [STANDARDS-TRACK]An IPv6 Aggregatable Global Unicast Address FormatThis document defines an IPv6 aggregatable global unicast address format for use in the Internet. [STANDARDS-TRACK]Internet Protocol, Version 6 (IPv6) SpecificationThis document specifies version 6 of the Internet Protocol (IPv6), also sometimes referred to as IP Next Generation or IPng. [STANDARDS-TRACK]Privacy Extensions for Stateless Address Autoconfiguration in IPv6This document describes an extension to IPv6 stateless address autoconfiguration for interfaces whose interface identifier is derived from an IEEE identifier. [STANDARDS-TRACK]IPv6 Global Unicast Address FormatThis document obsoletes RFC 2374, "An IPv6 Aggregatable Global Unicast Address Format". It defined an IPv6 address allocation structure that includes Top Level Aggregator (TLA) and Next Level Aggregator (NLA). This document makes RFC 2374 and the TLA/NLA structure historic. This memo provides information for the Internet community.IP Version 6 Addressing ArchitectureThis specification defines the addressing architecture of the IP Version 6 (IPv6) protocol. The document includes the IPv6 addressing model, text representations of IPv6 addresses, definition of IPv6 unicast addresses, anycast addresses, and multicast addresses, and an IPv6 node's required addresses.This document obsoletes RFC 3513, "IP Version 6 Addressing Architecture". [STANDARDS-TRACK]IPv6 Stateless Address AutoconfigurationThis document specifies the steps a host takes in deciding how to autoconfigure its interfaces in IP version 6. The autoconfiguration process includes generating a link-local address, generating global addresses via stateless address autoconfiguration, and the Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link. [STANDARDS-TRACK]Privacy Extensions for Stateless Address Autoconfiguration in IPv6Nodes use IPv6 stateless address autoconfiguration to generate addresses using a combination of locally available information and information advertised by routers. Addresses are formed by combining network prefixes with an interface identifier. On an interface that contains an embedded IEEE Identifier, the interface identifier is typically derived from it. On other interface types, the interface identifier is generated through other means, for example, via random number generation. This document describes an extension to IPv6 stateless address autoconfiguration for interfaces whose interface identifier is derived from an IEEE identifier. Use of the extension causes nodes to generate global scope addresses from interface identifiers that change over time, even in cases where the interface contains an embedded IEEE identifier. Changing the interface identifier (and the global scope addresses generated from it) over time makes it more difficult for eavesdroppers and other information collectors to identify when different addresses used in different transactions actually correspond to the same node. [STANDARDS-TRACK]Measures for Making DNS More Resilient against Forged AnswersThe current Internet climate poses serious threats to the Domain Name System. In the interim period before the DNS protocol can be secured more fully, measures can already be taken to harden the DNS to make 'spoofing' a recursing nameserver many orders of magnitude harder.Even a cryptographically secured DNS benefits from having the ability to discard bogus responses quickly, as this potentially saves large amounts of computation.By describing certain behavior that has previously not been standardized, this document sets out how to make the DNS more resilient against accepting incorrect responses. This document updates RFC 2181. [STANDARDS-TRACK]Recommendations for Transport-Protocol Port RandomizationDuring the last few years, awareness has been raised about a number of "blind" attacks that can be performed against the Transmission Control Protocol (TCP) and similar protocols. The consequences of these attacks range from throughput reduction to broken connections or data corruption. These attacks rely on the attacker's ability to guess or know the five-tuple (Protocol, Source Address, Destination Address, Source Port, Destination Port) that identifies the transport protocol instance to be attacked. This document describes a number of simple and efficient methods for the selection of the client port number, such that the possibility of an attacker guessing the exact value is reduced. While this is not a replacement for cryptographic methods for protecting the transport-protocol instance, the aforementioned port selection algorithms provide improved security with very little effort and without any key management overhead. The algorithms described in this document are local policies that may be incrementally deployed and that do not violate the specifications of any of the transport protocols that may benefit from them, such as TCP, UDP, UDP-lite, Stream Control Transmission Protocol (SCTP), Datagram Congestion Control Protocol (DCCP), and RTP (provided that the RTP application explicitly signals the RTP and RTCP port numbers). This memo documents an Internet Best Current Practice.Defending against Sequence Number AttacksThis document specifies an algorithm for the generation of TCP Initial Sequence Numbers (ISNs), such that the chances of an off-path attacker guessing the sequence numbers in use by a target connection are reduced. This document revises (and formally obsoletes) RFC 1948, and takes the ISN generation algorithm originally proposed in that document to Standards Track, formally updating RFC 793. [STANDARDS-TRACK]A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)This document specifies a method for generating IPv6 Interface Identifiers to be used with IPv6 Stateless Address Autoconfiguration (SLAAC), such that an IPv6 address configured using this method is stable within each subnet, but the corresponding Interface Identifier changes when the host moves from one network to another. This method is meant to be an alternative to generating Interface Identifiers based on hardware addresses (e.g., IEEE LAN Media Access Control (MAC) addresses), such that the benefits of stable addresses can be achieved without sacrificing the security and privacy of users. The method specified in this document applies to all prefixes a host may be employing, including link-local, global, and unique-local prefixes (and their corresponding addresses).TCP Extensions for High PerformanceThis document specifies a set of TCP extensions to improve performance over paths with a large bandwidth * delay product and to provide reliable operation over very high-speed paths. It defines the TCP Window Scale (WS) option and the TCP Timestamps (TS) option and their semantics. The Window Scale option is used to support larger receive windows, while the Timestamps option can be used for at least two distinct mechanisms, Protection Against Wrapped Sequences (PAWS) and Round-Trip Time Measurement (RTTM), that are also described herein.This document obsoletes RFC 1323 and describes changes from it.Internet Protocol, Version 6 (IPv6) SpecificationThis document specifies version 6 of the Internet Protocol (IPv6). It obsoletes RFC 2460.Dynamic Host Configuration Protocol for IPv6 (DHCPv6)This document describes the Dynamic Host Configuration Protocol for IPv6 (DHCPv6): an extensible mechanism for configuring nodes with network configuration parameters, IP addresses, and prefixes. Parameters can be provided statelessly, or in combination with stateful assignment of one or more IPv6 addresses and/or IPv6 prefixes. DHCPv6 can operate either in place of or in addition to stateless address autoconfiguration (SLAAC).This document updates the text from RFC 3315 (the original DHCPv6 specification) and incorporates prefix delegation (RFC 3633), stateless DHCPv6 (RFC 3736), an option to specify an upper bound for how long a client should wait before refreshing information (RFC 4242), a mechanism for throttling DHCPv6 clients when DHCPv6 service is not available (RFC 7083), and relay agent handling of unknown messages (RFC 7283). In addition, this document clarifies the interactions between models of operation (RFC 7550). As such, this document obsoletes RFC 3315, RFC 3633, RFC 3736, RFC 4242, RFC 7083, RFC 7283, and RFC 7550.Transmission Control Protocol (TCP)This document specifies the Transmission Control Protocol (TCP). TCP is an important transport-layer protocol in the Internet protocol stack, and it has continuously evolved over decades of use and growth of the Internet. Over this time, a number of changes have been made to TCP as it was specified in RFC 793, though these have only been documented in a piecemeal fashion. This document collects and brings those changes together with the protocol specification from RFC 793. This document obsoletes RFC 793, as well as RFCs 879, 2873, 6093, 6429, 6528, and 6691 that updated parts of RFC 793. It updates RFCs 1011 and 1122, and it should be considered as a replacement for the portions of those documents dealing with TCP requirements. It also updates RFC 5961 by adding a small clarification in reset handling while in the SYN-RECEIVED state. The TCP header control bits from RFC 793 have also been updated based on RFC 3168.Informative ReferencesBIND Vulnerabilities and SolutionsCore Seguridad del InformacionCore Seguridad del InformacionSecurity Problems in the TCP/IP Protocol SuiteComputer Communications Review, vol. 19, no. 2, pp. 32-48A Technique for Counting NATted HostsIMW'02, Marseille, FranceCERT Advisory CA-2001-09: Statistical Weaknesses in TCP/IP Initial Sequence NumbersCERT/CCPrivacy Considerations for IPv6 Address Generation MechanismsWork in ProgressTransmission Control Protocol SpecificationWork in ProgressPrivacy Extensions for Stateless Address Autoconfiguration in IPv6Ericsson ResearchIBM CorporationMicrosoft ResearchWork in ProgressIPv6 Address Usage RecommendationsWork in ProgressRecommendation on Non-Stable IPv6 Interface IdentifiersWork in ProgressSecurity Implications of Predictable Fragment Identification ValuesWork in ProgressSecurity Implications of Predictable Fragment Identification ValuesWork in ProgressA method for Generating Stable Privacy-Enhanced Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC)Work in ProgressA method for Generating Stable Privacy-Enhanced Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC)Work in ProgressPort Randomization in the Network Time Protocol Version 4Work in ProgressNetwork Reconnaissance in IPv6 NetworksWork in ProgressSecurity and Privacy Implications of Numeric Identifiers Employed in Network ProtocolsQuarkslabWork in ProgressRecommendation on Stable IPv6 Interface IdentifiersWork in ProgressRecommendation on Stable IPv6 Interface IdentifiersCiscoMicrosoftHuawei TechnologiesWork in ProgressPrivacy Considerations for IPv6 Address Generation MechanismsWork in ProgressSecurity Implications of Predictable Fragment Identification ValuesWork in ProgressSecurity Implications of Predictable Fragment Identification ValuesWork in ProgressSecurity Implications of Predictable Fragment Identification ValuesWork in ProgressSecurity Implications of Predictable Fragment Identification ValuesWork in ProgressSecurity Implications of Predictable Fragment Identification ValuesWork in ProgressInternet Protocol, Version 6 (IPv6) SpecificationWork in Progressdraft-ietf-6man-rfc2460bis-13Work in ProgressPrivacy Extensions for Stateless Address Autoconfiguration in IPv6Ericsson ResearchIBM CorporationMicrosoft ResearchWork in ProgressTemporary Address Extensions for Stateless Address Autoconfiguration in IPv6SI6 NetworksKaloomMicrosoft ResearchWork in ProgressA method for Generating Stable Privacy-Enhanced Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC)Work in ProgressA Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)Work in ProgressPort Randomization in the Network Time Protocol Version 4Work in ProgressPort Randomization in the Network Time Protocol Version 4Work in ProgressNetwork Time Protocol REFID UpdatesWork in ProgressNetwork Reconnaissance in IPv6 NetworksWork in ProgressNetwork Time Protocol Not You REFIDBoston UniversityNetwork Time FoundationWork in ProgressWindows SMTP Service DNS query Id vulnerabilitiesAdvisory ID Internal CORE-2010-0427Idle scanning and related IP ID gamesFyodor[Ntp] Comments on draft-ietf-ntp-refid-updates-05message to the IETF NTP mailing listHacking IPv6 Networks (training course)Hack In Paris 2011 Conference, Paris, FranceRecent Advances in IPv6 SecurityBSDCan 2012 Conference, Ottawa, CanadaBeta release of the SI6 Network's IPv6 Toolkit (help wanted!)message to the IPv6 Hackers mailing listProtocol RegistriesIANAFrom IP ID to Device ID and KASLR Bypass (Extended Version)IPv6 ToolkitSI6 NetworksBlack Ops 2008: It's The End Of The Cache As We Know ItOpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID VulnerabilityBIND 9 DNS Cache PoisoningWindows DNS Server Cache Poisoning[PATCH] TCP Idle Scan in IPv6message to the nmap-dev mailing listA Weakness in the 4.2BSD UNIX TCP/IP SoftwareCSTR 117, AT&T Bell Laboratories, Murray Hill, NJUsage Analysis of the NIST Internet Time ServiceJournal of Research of the National Institute of Standards and Technology, Volume 121[Ntp] New rev of the NTP port randomization I-D (Fwd: New Version Notification for draft-gont-ntp-port-randomization-01.txt)message to the IETF NTP mailing listRandomization of the IPv4 Identification fieldOpenBSDRandomization of the IPv6 Identification fieldOpenBSDImplementation of port randomizationOpenBSDImplementation of RFC1948 for TCP ISN randomizationOpenBSDImplementation of TCP ISN randomization based on random incrementsOpenBSDImplementation of TCP ISN randomization based on simple randomizationOpenBSDRHSA-2011:1465-1 - Security AdvisoryRed HatDomain names - implementation and specificationThis RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication.Defending Against Sequence Number AttacksIP spoofing attacks based on sequence number spoofing have become a serious threat on the Internet (CERT Advisory CA-95:01). While ubiquitous crypgraphic authentication is the right answer, we propose a simple modification to TCP implementations that should be a very substantial block to the current wave of attacks. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind.IPv6 Implications for Network ScanningThe much larger default 64-bit subnet address space of IPv6 should in principle make traditional network (port) scanning techniques used by certain network worms or scanning tools less effective. While traditional network scanning probes (whether by individuals or automated via network worms) may become less common, administrators should be aware that attackers may use other techniques to discover IPv6 addresses on a target network, and thus they should also be aware of measures that are available to mitigate them. This informational document discusses approaches that administrators could take when planning their site address allocation and management strategies as part of a defence-in-depth approach to network security. This memo provides information for the Internet community.Network Time Protocol Version 4: Protocol and Algorithms SpecificationThe Network Time Protocol (NTP) is widely used to synchronize computer clocks in the Internet. This document describes NTP version 4 (NTPv4), which is backwards compatible with NTP version 3 (NTPv3), described in RFC 1305, as well as previous versions of the protocol. NTPv4 includes a modified protocol header to accommodate the Internet Protocol version 6 address family. NTPv4 includes fundamental improvements in the mitigation and discipline algorithms that extend the potential accuracy to the tens of microseconds with modern workstations and fast LANs. It includes a dynamic server discovery scheme, so that in many cases, specific server configuration is not required. It corrects certain errors in the NTPv3 design and implementation and includes an optional extension mechanism. [STANDARDS-TRACK]Security Assessment of the Internet Protocol Version 4This document contains a security assessment of the IETF specifications of the Internet Protocol version 4 and of a number of mechanisms and policies in use by popular IPv4 implementations. It is based on the results of a project carried out by the UK's Centre for the Protection of National Infrastructure (CPNI). This document is not an Internet Standards Track specification; it is published for informational purposes.Pervasive Monitoring Is an AttackPervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols, where possible.Network Reconnaissance in IPv6 NetworksIPv6 offers a much larger address space than that of its IPv4 counterpart. An IPv6 subnet of size /64 can (in theory) accommodate approximately 1.844 * 10^19 hosts, thus resulting in a much lower host density (#hosts/#addresses) than is typical in IPv4 networks, where a site typically has 65,000 or fewer unique addresses. As a result, it is widely assumed that it would take a tremendous effort to perform address-scanning attacks against IPv6 networks; therefore, IPv6 address-scanning attacks have been considered unfeasible. This document formally obsoletes RFC 5157, which first discussed this assumption, by providing further analysis on how traditional address-scanning techniques apply to IPv6 networks and exploring some additional techniques that can be employed for IPv6 network reconnaissance.Security and Privacy Considerations for IPv6 Address Generation MechanismsThis document discusses privacy and security considerations for several IPv6 address generation mechanisms, both standardized and non-standardized. It evaluates how different mechanisms mitigate different threats and the trade-offs that implementors, developers, and users face in choosing different addresses or address generation mechanisms.Security Implications of Predictable Fragment Identification ValuesIPv6 specifies the Fragment Header, which is employed for the fragmentation and reassembly mechanisms. The Fragment Header contains an "Identification" field that, together with the IPv6 Source Address and the IPv6 Destination Address of a packet, identifies fragments that correspond to the same original datagram, such that they can be reassembled together by the receiving host. The only requirement for setting the Identification field is that the corresponding value must be different than that employed for any other fragmented datagram sent recently with the same Source Address and Destination Address. Some implementations use a simple global counter for setting the Identification field, thus leading to predictable Identification values. This document analyzes the security implications of predictable Identification values, and provides implementation guidance for setting the Identification field of the Fragment Header, such that the aforementioned security implications are mitigated.Recommendation on Stable IPv6 Interface IdentifiersThis document changes the recommended default Interface Identifier (IID) generation scheme for cases where Stateless Address Autoconfiguration (SLAAC) is used to generate a stable IPv6 address. It recommends using the mechanism specified in RFC 7217 in such cases, and recommends against embedding stable link-layer addresses in IPv6 IIDs. It formally updates RFC 2464, RFC 2467, RFC 2470, RFC 2491, RFC 2492, RFC 2497, RFC 2590, RFC 3146, RFC 3572, RFC 4291, RFC 4338, RFC 4391, RFC 5072, and RFC 5121. This document does not change any existing recommendations concerning the use of temporary addresses as specified in RFC 4941.Temporary Address Extensions for Stateless Address Autoconfiguration in IPv6This document describes an extension to IPv6 Stateless Address Autoconfiguration that causes hosts to generate temporary addresses with randomized interface identifiers for each prefix advertised with autoconfiguration enabled. Changing addresses over time limits the window of time during which eavesdroppers and other information collectors may trivially perform address-based network-activity correlation when the same address is employed for multiple transactions by the same host. Additionally, it reduces the window of exposure of a host as being accessible via an address that becomes revealed as a result of active communication. This document obsoletes RFC 4941.Network Time Protocol Version 4: Port RandomizationThe Network Time Protocol (NTP) can operate in several modes. Some of these modes are based on the receipt of unsolicited packets and therefore require the use of a well-known port as the local port. However, in the case of NTP modes where the use of a well-known port is not required, employing such a well-known port unnecessarily facilitates the ability of attackers to perform blind/off-path attacks. This document formally updates RFC 5905, recommending the use of transport-protocol ephemeral port randomization for those modes where use of the NTP well-known port is not required.On the Generation of Transient Numeric IdentifiersSecurity Considerations for Transient Numeric Identifiers Employed in Network ProtocolsCAIS-ALERT: Vulnerability in the sending requests control of BINDmessage to the Bugtraq mailing listabout the ip header idmessage to the Bugtraq mailing listnew tcp scan methodmessage to the Bugtraq mailing listmore ip idmessage to the Bugtraq mailing listAddressing Weakness in the Domain Name System ProtocolTechnical details of the attack described by Markoff in NYTmessage to the USENET comp.security.misc newsgroupImproving TCP/IP security through randomization without sacrificing interoperabilityThe FreeBSD ProjectEuroBSDCon 2005 Conference[security-announce] SUSE Security Announcement: Linux kernel security update (SUSE-SA:2011:046)SUSEmessage to the openSUSE Security Announce mailing listTCP Timestamping - Obtaining System Uptime RemotelySecuriteammessage to the Bugtraq mailing listUSN-1253-1: Linux kernel vulnerabilitiesUbuntuMultiple TCP/IP implementations may use statistically predictable initial sequence numbersCERT CCVulnerability Note VU#498440DNS and BIND Security Issues5th Usenix Security SymposiumMultiple DNS implementations vulnerable to cache poisoningCERT/CCVulnerability Note VU#800113TCP/IP Illustrated, Volume 2: The ImplementationAddison-WesleyStrange Attractors and TCP/IP Sequence Number Analysis (2001)Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later (2002)A new TCP/IP blind data injection technique?AcknowledgementsThe authors would like to thank (in alphabetical order) , , , , , , , , , , , , and for providing valuable comments on earlier versions of this document.The authors would like to thank (in alphabetical order) , , , and for providing valuable comments on , on which this document is based. of this document borrows text from , authored by and .The authors would like to thank and for their guidance during the publication process of this document.The authors would like to thank for his magic and inspiration.Authors' AddressesSI6 NetworksSegurola y Habana4310 7mo pisoCiudad Autonoma de Buenos AiresArgentinafgont@si6networks.comhttps://www.si6networks.comQuarkslabSegurola y Habana4310 7mo pisoCiudad Autonoma de Buenos AiresArgentinaiarce@quarkslab.comhttps://www.quarkslab.com