summaryrefslogtreecommitdiffstats
path: root/src/plugins
diff options
context:
space:
mode:
authorJon Loeliger <jdl@netgate.com>2020-01-28 07:30:28 -0600
committerOle Trøan <otroan@employees.org>2020-01-30 11:05:35 +0000
commit65866f03d96bd41b99b1c823ea6f38cd77fac58c (patch)
treea1c63ac21b3549ba0160e313ecee6bc275ec71c0 /src/plugins
parent56817e2c486a26167783676774b0dea9c103b200 (diff)
map: Prevent IPv4 prefix spoofing during IPv6 -> IPv4
Prevent malicious packets with spoofed embedded IPv4 addresses by limiting the IPv6 ingress packets to known MAP-T domains. Drop spoofed packets. Add several tests that ensure spoofing isn't allowed. Type: fix Fixes: fc7344f9be Change-Id: I80a5dd10d5fe7492e3a1b04de389d649a78065e2 Signed-off-by: Jon Loeliger <jdl@netgate.com>
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/map/ip6_map_t.c16
-rw-r--r--src/plugins/map/test/test_map_br.py265
2 files changed, 279 insertions, 2 deletions
diff --git a/src/plugins/map/ip6_map_t.c b/src/plugins/map/ip6_map_t.c
index 95104dc78f4..e205c60e29a 100644
--- a/src/plugins/map/ip6_map_t.c
+++ b/src/plugins/map/ip6_map_t.c
@@ -66,7 +66,7 @@ ip6_to_ip4_set_icmp_cb (ip6_header_t * ip6, ip4_header_t * ip4, void *arg)
// Security check
// Note that this prevents an intermediate IPv6 router from answering
// the request.
- ip4_sadr = map_get_ip4 (&ip6->src_address, ctx->d->flags);
+ ip4_sadr = map_get_ip4 (&ip6->src_address, ctx->d->ip6_src_len);
if (ip6->src_address.as_u64[0] !=
map_get_pfx_net (ctx->d, ip4_sadr, ctx->sender_port)
|| ip6->src_address.as_u64[1] != map_get_sfx_net (ctx->d, ip4_sadr,
@@ -88,7 +88,7 @@ ip6_to_ip4_set_inner_icmp_cb (ip6_header_t * ip6, ip4_header_t * ip4,
u32 inner_ip4_dadr;
//Security check of inner packet
- inner_ip4_dadr = map_get_ip4 (&ip6->dst_address, ctx->d->flags);
+ inner_ip4_dadr = map_get_ip4 (&ip6->dst_address, ctx->d->ip6_src_len);
if (ip6->dst_address.as_u64[0] !=
map_get_pfx_net (ctx->d, inner_ip4_dadr, ctx->sender_port)
|| ip6->dst_address.as_u64[1] != map_get_sfx_net (ctx->d,
@@ -305,6 +305,8 @@ ip6_map_t_fragmented (vlib_main_t * vm,
/*
* Translate IPv6 UDP/TCP packet to IPv4.
+ * Returns 0 on success.
+ * Returns a non-zero error code on error.
*/
always_inline int
map_ip6_to_ip4_tcp_udp (vlib_main_t * vm, vlib_buffer_t * p,
@@ -370,6 +372,16 @@ map_ip6_to_ip4_tcp_udp (vlib_main_t * vm, vlib_buffer_t * p,
ip4->dst_address.as_u32 = vnet_buffer (p)->map_t.v6.daddr;
ip4->src_address.as_u32 = vnet_buffer (p)->map_t.v6.saddr;
+ /*
+ * Drop spoofed packets that from a known domain source.
+ */
+ u32 map_domain_index = -1;
+ u8 error = 0;
+
+ ip4_map_get_domain (&ip4->src_address, &map_domain_index, &error);
+ if (error)
+ return error;
+
ip4->ip_version_and_header_length =
IP4_VERSION_AND_HEADER_LENGTH_NO_OPTIONS;
ip4->tos = ip6_translate_tos (ip6->ip_version_traffic_class_and_flow_label);
diff --git a/src/plugins/map/test/test_map_br.py b/src/plugins/map/test/test_map_br.py
new file mode 100644
index 00000000000..7869e5f24f1
--- /dev/null
+++ b/src/plugins/map/test/test_map_br.py
@@ -0,0 +1,265 @@
+#!/usr/bin/env python3
+
+import ipaddress
+import unittest
+
+from framework import VppTestCase, VppTestRunner
+from vpp_ip import DpoProto
+from vpp_ip_route import VppIpRoute, VppRoutePath
+from util import fragment_rfc791, fragment_rfc8200
+
+import scapy.compat
+from scapy.layers.l2 import Ether
+from scapy.packet import Raw
+from scapy.layers.inet import IP, UDP, ICMP, TCP
+from scapy.layers.inet6 import IPv6, ICMPv6TimeExceeded, IPv6ExtHdrFragment
+from scapy.layers.inet6 import ICMPv6EchoRequest, ICMPv6EchoReply
+
+
+class TestMAPBR(VppTestCase):
+ """ MAP-T Test Cases """
+
+ @classmethod
+ def setUpClass(cls):
+ super(TestMAPBR, cls).setUpClass()
+
+ @classmethod
+ def tearDownClass(cls):
+ super(TestMAPBR, cls).tearDownClass()
+
+ def setUp(self):
+ super(TestMAPBR, self).setUp()
+
+ #
+ # Create 2 pg interfaces.
+ # pg0 is IPv4
+ # pg1 is IPv6
+ #
+ self.create_pg_interfaces(range(2))
+
+ self.pg0.admin_up()
+ self.pg0.config_ip4()
+ self.pg1.generate_remote_hosts(20)
+ self.pg1.configure_ipv4_neighbors()
+ self.pg0.resolve_arp()
+
+ self.pg1.admin_up()
+ self.pg1.config_ip6()
+ self.pg1.generate_remote_hosts(20)
+ self.pg1.configure_ipv6_neighbors()
+
+ #
+ # BR configuration parameters used for all test.
+ #
+ self.ip4_prefix = '198.18.0.0/24'
+ self.ip6_prefix = '2001:db8:f0::/48'
+ self.ip6_src = '2001:db8:ffff:ff00::/64'
+ self.ea_bits_len = 12
+ self.psid_offset = 6
+ self.psid_length = 4
+ self.mtu = 1500
+ self.tag = 'MAP-T BR'
+
+ self.ipv4_internet_address = self.pg0.remote_ip4
+ self.ipv4_map_address = "198.18.0.12"
+ self.ipv4_udp_or_tcp_internet_port = 65000
+ self.ipv4_udp_or_tcp_map_port = 16606
+
+ self.ipv6_cpe_address = "2001:db8:f0:c30:0:c612:c:3" # 198.18.0.12
+ self.ipv6_spoof_address = "2001:db8:f0:c30:0:c612:1c:3" # 198.18.0.28
+ self.ipv6_spoof_prefix = "2001:db8:f0:c30:0:a00:c:3" # 10.0.0.12
+ self.ipv6_spoof_psid = "2001:db8:f0:c30:0:c612:c:4" # 4
+ self.ipv6_spoof_subnet = "2001:db8:f1:c30:0:c612:c:3" # f1
+
+ self.ipv6_udp_or_tcp_internet_port = 65000
+ self.ipv6_udp_or_tcp_map_port = 16606
+ self.ipv6_udp_or_tcp_spoof_port = 16862
+
+ self.ipv6_map_address = (
+ "2001:db8:ffff:ff00:ac:1001:200:0") # 176.16.1.2
+ self.ipv6_map_same_rule_diff_addr = (
+ "2001:db8:ffff:ff00:c6:1200:10:0") # 198.18.0.16
+
+ self.map_br_prefix = "2001:db8:f0::"
+ self.map_br_prefix_len = 48
+ self.psid_number = 3
+
+ #
+ # Add an IPv6 route to the MAP-BR.
+ #
+ map_route = VppIpRoute(self,
+ self.map_br_prefix,
+ self.map_br_prefix_len,
+ [VppRoutePath(self.pg1.remote_ip6,
+ self.pg1.sw_if_index)])
+ map_route.add_vpp_config()
+
+ ip4_map_route = VppIpRoute(self,
+ "198.18.0.0",
+ 24,
+ [VppRoutePath(self.pg1.remote_ip4,
+ self.pg1.sw_if_index)])
+ ip4_map_route.add_vpp_config()
+
+ #
+ # Add a MAP BR domain that maps from pg0 to pg1.
+ #
+ self.vapi.map_add_domain(ip4_prefix=self.ip4_prefix,
+ ip6_prefix=self.ip6_prefix,
+ ip6_src=self.ip6_src,
+ ea_bits_len=self.ea_bits_len,
+ psid_offset=self.psid_offset,
+ psid_length=self.psid_length,
+ mtu=self.mtu,
+ tag=self.tag)
+
+ #
+ # Set BR parameters.
+ #
+ self.vapi.map_param_set_fragmentation(inner=1, ignore_df=0)
+ self.vapi.map_param_set_fragmentation(inner=0, ignore_df=0)
+ self.vapi.map_param_set_icmp(ip4_err_relay_src=self.pg0.local_ip4)
+ self.vapi.map_param_set_traffic_class(copy=1)
+
+ #
+ # Enable MAP-T on interfaces.
+ #
+ self.vapi.map_if_enable_disable(is_enable=1,
+ sw_if_index=self.pg0.sw_if_index,
+ is_translation=1)
+
+ self.vapi.map_if_enable_disable(is_enable=1,
+ sw_if_index=self.pg1.sw_if_index,
+ is_translation=1)
+
+ self.vapi.map_if_enable_disable(is_enable=1,
+ sw_if_index=self.pg1.sw_if_index,
+ is_translation=1)
+
+ def tearDown(self):
+ super(TestMAPBR, self).tearDown()
+ for i in self.pg_interfaces:
+ i.unconfig_ip4()
+ i.unconfig_ip6()
+ i.admin_down()
+
+ #
+ # Spoofed IPv4 Source Address v6 -> v4 direction
+ # Send a packet with a wrong IPv4 address embedded in bits 72-103.
+ # The BR should either drop the packet, or rewrite the spoofed
+ # source IPv4 as the actual source IPv4 address.
+ # The BR really should drop the packet.
+ #
+
+ def test_map_t_spoof_ipv4_src_addr_ip6_to_ip4(self):
+ """ MAP-T spoof ipv4 src addr IPv6 -> IPv4 """
+
+ eth = Ether(src=self.pg1.remote_mac,
+ dst=self.pg1.local_mac)
+ ip = IPv6(src=self.ipv6_spoof_address,
+ dst=self.ipv6_map_address)
+ udp = UDP(sport=self.ipv6_udp_or_tcp_map_port,
+ dport=self.ipv6_udp_or_tcp_internet_port)
+ payload = "a" * 82
+ tx_pkt = eth / ip / udp / payload
+
+ self.pg_send(self.pg1, tx_pkt * 1)
+
+ self.pg0.get_capture(0, timeout=1)
+ self.pg0.assert_nothing_captured("Should drop IPv4 spoof address")
+
+ #
+ # Spoofed IPv4 Source Prefix v6 -> v4 direction
+ # Send a packet with a wrong IPv4 prefix embedded in bits 72-103.
+ # The BR should either drop the packet, or rewrite the source IPv4
+ # to the prefix that matches the source IPv4 address.
+ #
+
+ def test_map_t_spoof_ipv4_src_prefix_ip6_to_ip4(self):
+ """ MAP-T spoof ipv4 src prefix IPv6 -> IPv4 """
+
+ eth = Ether(src=self.pg1.remote_mac,
+ dst=self.pg1.local_mac)
+ ip = IPv6(src=self.ipv6_spoof_prefix,
+ dst=self.ipv6_map_address)
+ udp = UDP(sport=self.ipv6_udp_or_tcp_map_port,
+ dport=self.ipv6_udp_or_tcp_internet_port)
+ payload = "a" * 82
+ tx_pkt = eth / ip / udp / payload
+
+ self.pg_send(self.pg1, tx_pkt * 1)
+
+ self.pg0.get_capture(0, timeout=1)
+ self.pg0.assert_nothing_captured("Should drop IPv4 spoof prefix")
+
+ #
+ # Spoofed IPv6 PSID v6 -> v4 direction
+ # Send a packet with a wrong IPv6 port PSID
+ # The BR should drop the packet.
+ #
+
+ def test_map_t_spoof_psid_ip6_to_ip4(self):
+ """ MAP-T spoof psid IPv6 -> IPv4 """
+
+ eth = Ether(src=self.pg1.remote_mac,
+ dst=self.pg1.local_mac)
+ ip = IPv6(src=self.ipv6_spoof_psid,
+ dst=self.ipv6_map_address)
+ udp = UDP(sport=self.ipv6_udp_or_tcp_map_port,
+ dport=self.ipv6_udp_or_tcp_internet_port)
+ payload = "a" * 82
+ tx_pkt = eth / ip / udp / payload
+
+ self.pg_send(self.pg1, tx_pkt * 1)
+
+ self.pg0.get_capture(0, timeout=1)
+ self.pg0.assert_nothing_captured("Should drop IPv6 spoof PSID")
+
+ #
+ # Spoofed IPv6 subnet field v6 -> v4 direction
+ # Send a packet with a wrong IPv6 subnet as "2001:db8:f1"
+ # The BR should drop the packet.
+ #
+
+ def test_map_t_spoof_subnet_ip6_to_ip4(self):
+ """ MAP-T spoof subnet IPv6 -> IPv4 """
+
+ eth = Ether(src=self.pg1.remote_mac,
+ dst=self.pg1.local_mac)
+ ip = IPv6(src=self.ipv6_spoof_subnet,
+ dst=self.ipv6_map_address)
+ udp = UDP(sport=self.ipv6_udp_or_tcp_map_port,
+ dport=self.ipv6_udp_or_tcp_internet_port)
+ payload = "a" * 82
+ tx_pkt = eth / ip / udp / payload
+
+ self.pg_send(self.pg1, tx_pkt * 1)
+
+ self.pg0.get_capture(0, timeout=1)
+ self.pg0.assert_nothing_captured("Should drop IPv6 spoof subnet")
+
+ #
+ # Spoofed IPv6 port PSID v6 -> v4 direction
+ # Send a packet with a wrong IPv6 port PSID
+ # The BR should drop the packet.
+ #
+
+ def test_map_t_spoof_port_psid_ip6_to_ip4(self):
+ """ MAP-T spoof port psid IPv6 -> IPv4 """
+
+ eth = Ether(src=self.pg1.remote_mac,
+ dst=self.pg1.local_mac)
+ ip = IPv6(src=self.ipv6_cpe_address,
+ dst=self.ipv6_map_address)
+ udp = UDP(sport=self.ipv6_udp_or_tcp_spoof_port,
+ dport=self.ipv6_udp_or_tcp_internet_port)
+ payload = "a" * 82
+ tx_pkt = eth / ip / udp / payload
+
+ self.pg_send(self.pg1, tx_pkt * 1)
+
+ self.pg0.get_capture(0, timeout=1)
+ self.pg0.assert_nothing_captured("Should drop IPv6 spoof port PSID")
+
+if __name__ == '__main__':
+ unittest.main(testRunner=VppTestRunner)