Tunnel Loops and Its Detection
draft-ng-intarea-tunnel-loop-00.txt
Chan-Wah Ng chanwah.ng@sg.panasonic.com
Mohana Jeyatheran mohana.jeyatharan@sg.panasonic.com
Benjamin Lim benjamin.limck@sg.panasonic.com
IETF-73 Minneapolis
Tunnel Loops
• Tunnel packet:
  • Encapsulated by the Tunnel Entry Node
  • Decapsulated by the Tunnel Exit Node
• A tunnel loop is formed when
  • a tunnel packet is routed back to its tunnel entry node before reaching its tunnel exit node
• There can be multiple tunnel entry nodes in a tunnel loop
[Figure: Tunnel Entry Node and Tunnel Exit Node]
Problem of Tunnel Loops
• Each encapsulation increases the packet size
  • leads to fragmentation, which amplifies the problem
• Each encapsulation has a new hop count
  • the packet will be routed indefinitely
[Figure: loop between Tunnel Entry Node 1 and Tunnel Entry Node 2]
Example of Tunnel Loop Formation
[Figure: a nomadic MN reaches the Internet via an ePDG and the 3GPP EPC (PDNGW, HA, MSP). Steps: (1) binds MN.HoA to AR.Addr; (2) sets up Mobike mapping; (3) binds 3GPP.Addr to ePDG.Addr; (4) binds MN.HoA to 3GPP.Addr. Loop forms!]
Current Protection
• RFC 2473 specifies the Tunnel Encapsulation Limit (TEL) option for IPv6 packets
  • Adds a maximum number of encapsulations to the Destination Options header of the outer packet
  • All tunnel entry nodes must process this option
• RFC 1701 has a 3-bit Recursion Control field for IPv4 GRE-based tunneling
Inadequacies
• Both mechanisms only limit the number of times a packet will traverse a loop
• They do not allow a tunnel entry node to differentiate between
  • the case where a tunnel loop has occurred
  • the case where the initial TEL/Recursion value was set too low
Add Identifier
• We propose to add an identifier to the tunnel packet header
  • Can be an additional field in the TEL option
  • Can be coded using multiple TEL options
  • Can be an additional field in the GRE header
  • Can be coded using the Key field in the GRE header
• The type of identifier is for further analysis
Tunnel Entry Node Processing
[Flowchart]
• Receives a packet to be encapsulated
• Is there an identifier in the received packet?
  • no: encapsulate the packet and add an identifier
  • yes: does the identifier indicate a loop?
    • no: encapsulate the packet and copy the identifier
    • yes: loop detected!!!
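As an added illustration of the flowchart above (example code, not part of the draft or the slides): a small Python model of a tunnel entry node that applies the RFC 2473 TEL check together with the proposed identifier check, driven over a constructed two-node tunnel loop and over a legitimately nested path whose initial TEL is too low. The identifier format (entry node name plus a random nonce) and the rule "a loop is indicated when a node sees the identifier it attached itself" are assumptions, since the draft leaves the identifier type open.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    payload: str
    tel: Optional[int] = None                # RFC 2473 Tunnel Encapsulation Limit
    ident: Optional[Tuple[str, str]] = None  # proposed identifier (assumed format)

class TunnelEntryNode:
    def __init__(self, name: str, tel_initial: int = 4, use_ident: bool = True):
        self.name, self.tel_initial, self.use_ident = name, tel_initial, use_ident

    def encapsulate(self, pkt: Packet) -> str:
        """Return 'ok', 'tel_exhausted' (ambiguous) or 'loop' (unambiguous)."""
        if self.use_ident:
            if pkt.ident is None:
                # Assumed identifier format: (entry node name, random nonce).
                pkt.ident = (self.name, secrets.token_hex(4))
            elif pkt.ident[0] == self.name:
                # Our own identifier came back: the packet completed a tunnel loop.
                return "loop"
        # RFC 2473 TEL: zero refuses encapsulation, otherwise the new outer header
        # carries the decremented limit. Exhaustion alone cannot distinguish a
        # loop from an initial limit that was simply set too low.
        if pkt.tel is None:
            pkt.tel = self.tel_initial
        elif pkt.tel == 0:
            return "tel_exhausted"
        else:
            pkt.tel -= 1
        return "ok"

def forward(pkt: Packet, nodes: List[TunnelEntryNode], loop: bool,
            max_hops: int = 50) -> Tuple[str, int]:
    """Constructed topology: each node's tunnel leads to the next entry node.
    loop=True sends the last node's tunnel back to the first (a tunnel loop);
    loop=False lets the packet reach its exit after len(nodes) encapsulations."""
    hops = 0
    while hops < max_hops:
        if not loop and hops == len(nodes):
            return "delivered", hops
        result = nodes[hops % len(nodes)].encapsulate(pkt)
        hops += 1
        if result != "ok":
            return result, hops
    return "routed_indefinitely", hops
```

With the identifier, the two-node loop is reported as "loop" at the third encapsulation, while a three-level legitimate nesting with tel_initial=1 and a legacy (TEL-only) two-node loop both end in the same "tel_exhausted" verdict, which is exactly the ambiguity the slides describe.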
Comments So Far
• Any practical situation where the problem is encountered?
  • Issue #17 in the ongoing work on RFC 3775-bis
  • 3GPP CT1 has agreed that this is a realistic problem in TS 24.303
Comments So Far
• Better to avoid the loop entirely
  • Using control plane signaling (if present)
    • However, with possibly malicious mobile nodes dynamically setting up tunnels, this is not possible
  • Address check mechanism
    • HA checks the validity of the care-of address before accepting the BU
    • With Monami6, a malicious mobile can still set up the loop while passing any address check mechanism
• But it is not always possible
Comments So Far
• Rely on generic DoS defense
  • Most operators have defense mechanisms to drop packets when a DoS attack is launched
  • Problems:
    • Reactive: the network is already under attack before the defense is triggered
    • Does not know whether the DoS attack is due to a tunnel loop
    • Since DoS defense generally drops packets from the domain where the attack is suspected to have originated, a tunnel loop can be used to cause packets from an innocent domain to be dropped
• Avoid a loop > Detect a loop > Defense against DoS
Discussion Points
• Is this specific to Mobility?
  • The problem is generic
  • But all practical scenarios identified so far are mobility related
• Should we solve it?
• If so, where?