📄 rfc2187.txt
字号:
9.1. Inserting Bogus ICP Queries
Processing an ICP_OP_QUERY message has no known security
implications, so long as the requesting address is granted access to
the cache.
9.2. Inserting Bogus ICP Replies
Here we are concerned with a third party generating ICP reply
messages which are returned to the querying cache before the real
reply arrives, or before any replies arrive. The third party may
insert bogus ICP replies which appear to come from legitimate
neighbors. There are three vulnerabilities:
o Preventing a certain neighbor from being used
If a third-party could send an ICP_OP_MISS_NOFETCH reply back
before the real reply arrived, the (falsified) neighbor would
not be used.
A third-party could blast a cache with ICP_OP_DENIED messages
until the threshold described in section 5.3.1 is reached,
thereby causing the neighbor relationship to be temporarily
terminated.
o Forcing a certain neighbor to be used
If a third-party could send an ICP_OP_HIT reply back before the
real reply arrived, the (falsified) neighbor would be used.
This may violate the terms of a sibling relationship; ICP_OP_HIT
replies mean a subsequent HTTP request will also be a hit.
Similarly, if bogus ICP_OP_SECHO messages can be generated, the
cache would retrieve requests directly from the origin server.
o Cache poisoning
The ICP_OP_HIT_OBJ message is especially sensitive to security
issues since it contains actual object data. In combination
with IP address spoofing, this option opens up the likely
possibility of having the cache polluted with invalid objects.
Wessels & Claffy Informational [Page 19]
RFC 2187 ICP September 1997
9.3. Eavesdropping
Multicasting ICP queries provides a very simple method for others to
"snoop" on ICP messages. If enabling multicast, cache administrators
should configure the application to use the minimum required
multicast TTL, using a tool such as mtrace[6]. Note that the IP
Encapsulating Security Payload [7,9] mechanism can be used to provide
protection against eavesdropping of ICP messages.
Eavesdropping on ICP traffic can provide third parties with a list of
URLs being browsed by cache users. Because the Requestor Host
Address is zero-filled by Squid and Harvest, the URLs cannot be
mapped back to individual host systems.
By default, Squid and Harvest do not send ICP messages for URLs
containing `cgi-bin' or `?'. These URLs sometimes contain sensitive
information as argument parameters. Cache administrators need to be
aware that altering the configuration to make ICP queries for such
URLs may expose sensitive information to outsiders, especially when
multicast is used.
9.4. Blocking ICP Messages
Intentionally blocked (or discarded) ICP queries or replies will
appear to reflect link failure or congestion, and will prevent the
use of a neighbor as well as lead to timeouts (see section 5.1.4).
If all messages are blocked, the cache will assume the neighbor is
down and remove it from the selection algorithm. However, if, for
example, every other query is blocked, the neighbor will remain
"alive," but every other request will suffer the ICP timeout.
9.5. Delaying ICP Messages
The neighbor selection algorithm normally waits for all ICP MISS
replies to arrive. Delaying queries or replies, so that they arrive
later than they normally would, will cause additional delay for the
subsequent HTTP request. Of course, if messages are delayed so that
they arrive after the timeout, the behavior is the same as "blocking"
above.
9.6. Denial of Service
A denial-of-service attack, where the ICP port is flooded with a
continuous stream of bogus messages has three vulnerabilities:
o The application may log every bogus ICP message and eventually
fill up a disk partition.
Wessels & Claffy Informational [Page 20]
RFC 2187 ICP September 1997
o The socket receive queue may fill up, causing legitimate
messages to be dropped.
o The host may waste some CPU cycles receiving the bogus messages.
9.7. Altering ICP Fields
Here we assume a third party is able to change one or more of the ICP
reply message fields.
Opcode
Changing the opcode field is much like inserting bogus messages
described above. Changing a hit to a miss would prevent the peer
from being used. Changing a miss to a hit would force the peer to
be used.
Version
Altering the ICP version field may have unpredictable consequences
if the new version number is recognized and supported. The
receiving application should ignore messages with invalid version
numbers. At the time of this writing, both version numbers 2 and
3 are in use. These two versions use some fields (e.g. Options)
in a slightly different manner.
Message Length
An incorrect message length should be detected by the receiving
application as an invalid ICP message.
Request Number
The request number is often used as a part of the cache key.
Harvest does not use the request number. Squid uses the request
number in conjunction with the URL to create a cache key.
Altering the request number will cause a lookup of the cache key
to fail. This is similar to blocking the ICP reply altogether.
Wessels & Claffy Informational [Page 21]
RFC 2187 ICP September 1997
There is no requirement that a cache use both the URL and the
request number to locate HTTP requests with outstanding ICP
queries (however both Squid and Harvest do). The request number
must always be the same in the query and the reply. However, if
the querying cache uses only the request number to locate pending
requests, there is some possibility that a replying cache might
increment the request number in the reply to give the false
impression that the two caches are closer than they really are.
In other words, assuming that there are a few ICP requests "in
flight" at any given time, incrementing the reply request number
trick the querying cache into seeing a smaller round-trip time
than really exists.
Options
There is little risk in having the Options bitfields altered. Any
option bit must only be set in a reply if it was also set in a
query. Changing a bit from clear to set is detectable by the
querying cache, and such a message must be ignored. Changing a
bit from set to clear is allowed and has no negative side effects.
Option Data
ICP_FLAG_SRC_RTT is the only option which uses the Option Data
field. Altering the RTT values returned here can affect the
neighbor selection algorithm, either forcing or preventing the use
of a neighbor.
URL
The URL and Request Number are used to generate the cache key.
Altering the URL will cause a lookup of the cache key to fail, and
the ICP reply to be entirely ignored. This is similar to blocking
the ICP reply altogether.
9.8. Summary
o ICP_OP_HIT_OBJ is particularly vulnerable to security problems
because it includes object data. For this, and other reasons,
its use is discouraged.
o Falsifying, altering, inserting, or blocking ICP messages can
cause an HTTP request to fail only in two situations:
- If the cache is behind a firewall and cannot directly
connect to the origin server.
Wessels & Claffy Informational [Page 22]
RFC 2187 ICP September 1997
- If a false ICP_OP_HIT reply causes the HTTP request to be
forwarded to a sibling, where the request is a cache miss
and the sibling refuses to continue forwarding the request
on behalf of the originating cache.
o Falsifying, altering, inserting, or blocking ICP messages can
easily cause HTTP requests to be forwarded (or not forwarded) to
certain neighbors. If the neighbor cache has also been
compromised, then it could serve bogus content and pollute a
cache hierarchy.
o Blocking or delaying ICP messages can cause HTTP request to be
further delayed, but still satisfied.
10. References
[1] Fielding, R., et. al, "Hypertext Transfer Protocol -- HTTP/1.1",
RFC 2068, UC Irvine, January 1997.
[2] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform Resource
Locators (URL)", RFC 1738, CERN, Xerox PARC, University of Minnesota,
December 1994.
[3] Bowman M., Danzig P., Hardy D., Manber U., Schwartz M., and
Wessels D., "The Harvest Information Discovery and Access System",
Internet Research Task Force - Resource Discovery,
http://harvest.transarc.com/.
[4] Wessels D., Claffy K., "ICP and the Squid Web Cache", National
Laboratory for Applied Network Research,
http://www.nlanr.net/~wessels/Papers/icp-squid.ps.gz.
[5] Wessels D., "The Squid Internet Object Cache", National
Laboratory for Applied Network Research,
http://squid.nlanr.net/Squid/
[6] mtrace, Xerox PARC, ftp://ftp.parc.xerox.com/pub/net-
research/ipmulti/.
[7] Atkinson, R., "Security Architecture for the Internet Protocol",
RFC 1825, NRL, August 1995.
[8] Atkinson, R., "IP Authentication Header", RFC 1826, NRL, August
1995.
[9] Atkinson, R., "IP Encapsulating Security Payload (ESP)", RFC
1827, NRL, August 1995.
Wessels & Claffy Informational [Page 23]
RFC 2187 ICP September 1997
11. Acknowledgments
The authors wish to thank Paul A Vixie <paul@vix.com> for providing
excellent feedback on this document, Martin Hamilton
<martin@mrrl.lut.ac.uk> for pushing the development of multicast ICP,
Eric Rescorla <ekr@terisa.com> and Randall Atkinson <rja@home.net>
for assisting with security issues, and especially Allyn Romanow for
keeping us on the right track.
12. Authors' Addresses
Duane Wessels
National Laboratory for Applied Network Research
10100 Hopkins Drive
La Jolla, CA 92093
EMail: wessels@nlanr.net
K. Claffy
National Laboratory for Applied Network Research
10100 Hopkins Drive
La Jolla, CA 92093
EMail: kc@nlanr.net
Wessels & Claffy Informational [Page 24]
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -