Skip to main content

5. Security Considerations

5.1. Authentication and Confidentiality of ICMP Messages

ICMP protocol packet exchanges can be authenticated using the IP Authentication Header [IPv6-AUTH] or IP Encapsulating Security Payload Header [IPv6-ESP]. Confidentiality for the ICMP protocol packet exchanges can be achieved using the IP Encapsulating Security Payload Header [IPv6-ESP].

[SEC-ARCH] describes the IPsec handling of ICMP traffic in detail.

5.2. ICMP Attacks

ICMP messages may be subject to various attacks. A complete discussion can be found in the IP Security Architecture [IPv6-SA]. A brief discussion of these attacks and their prevention follows:

  1. ICMP messages may be subject to actions intended to cause the receiver to believe the message came from a different source from that of the message originator. The protection against this attack can be achieved by applying the IPv6 Authentication mechanism [IPv6-AUTH] to the ICMP message.

  2. ICMP messages may be subject to actions intended to cause the message or the reply to it to go to a destination different from that of the message originator's intention. The protection against this attack can be achieved by using the Authentication Header [IPv6-AUTH] or the Encapsulating Security Payload Header [IPv6-ESP]. The Authentication Header provides the protection against change for the source and the destination address of the IP packet. The Encapsulating Security Payload Header does not provide this protection, but the ICMP checksum calculation includes the source and the destination addresses, and the Encapsulating Security Payload Header protects the checksum. Therefore, the combination of ICMP checksum and the Encapsulating Security Payload Header provides protection against this attack. The protection provided by the Encapsulating Security Payload Header will not be as strong as the protection provided by the Authentication Header.

  3. ICMP messages may be subject to changes in the message fields, or payload. The authentication [IPv6-AUTH] or encryption [IPv6-ESP] of the ICMP message protects against such actions.

  4. ICMP messages may be used to attempt denial-of-service attacks by sending back to back erroneous IP packets. An implementation that correctly followed Section 2.4, paragraph (f), of this specification, would be protected by the ICMP error rate limiting mechanism.

  5. The exception number 2 of rule e.3 in Section 2.4 gives a malicious node the opportunity to cause a denial-of-service attack to a multicast source. A malicious node can send a multicast packet with an unknown destination option marked as mandatory, with the IPv6 source address of a valid multicast source. A large number of destination nodes will send an ICMP Parameter Problem Message to the multicast source, causing a denial-of-service attack. The way multicast traffic is forwarded by the multicast routers requires that the malicious node be part of the correct multicast path, i.e., near to the multicast source. This attack can only be avoided by securing the multicast traffic. The multicast source should be careful while sending multicast traffic with the destination options marked as mandatory, because they can cause a denial-of-service attack to themselves if the destination option is unknown to a large number of destinations.

  6. As the ICMP messages are passed to the upper-layer processes, it is possible to perform attacks on the upper layer protocols (e.g., TCP) with ICMP [TCP-attack]. It is recommended that the upper layers perform some form of validation of ICMP messages (using the information contained in the payload of the ICMP message) before acting upon them. The actual validation checks are specific to the upper layers and are out of the scope of this specification. Protecting the upper layer with IPsec mitigates these attacks.

    ICMP error messages signal network error conditions that were encountered while processing an internet datagram. Depending on the particular scenario, the error conditions being reported might or might not get solved in the near term. Therefore, reaction to ICMP error messages may depend not only on the error type and code but also on other factors, such as the time at which the error messages are received, previous knowledge of the network error conditions being reported, and knowledge of the network scenario in which the receiving host is operating.

Last updated on