New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
smf/upf allow uplink forwarding of IPv6 packets with wrong global source IPv6 address outside allocated 64 prefix #1354
Comments
I think this is actually security related, as the current behavior seems to permit source address spoofing. There is no legitimate use case of one subscriber sending packets from an address outside from their allocated prefeix/address. Does the same also apply to IPv4? Or does the SMF/UPF check the source IP address in the IPv4 case? |
I bet it's the case for IPv4 too, since I don't recall seeing any check in gtp-path.c in upfd/smfd. It only checks for PFCP rules to forward packets over GTP UPFD->SMFD, and if it doesn't match, it just forwards any packet to the tunnel. |
I confirm I see the bug in IPv4 too (TTCN3 test TC_pdp46_act_deact_gtpu_access) |
I have a few questions, I don't know much about network security, so I hope you understand what I'm saying. In relation to this problem, would there be any problem if I restrict the source address to IPv6 64bit prefix? Is it ok even if UPF drops packets that use a different 64-bit prefix? For IPv4, can you figure out that the source address has been faked with? I was wondering how can we block the source address with UPF? I hope open5gs can also prevent source address spoofing if possible. Thanks a lot! |
I would consider the "reasonable" approach to be:
This should be a sane default configuration. I'm not sure 3GPP makes any requirement about it. |
Hi @acetcom I run the TTCN3 tests again with the patch applied (current main + my gtpv1c patches to be able to run GGSN_Tests testsuite) and the situation is now indeed better. There's still one scenario where osmo-upfd is forwarding packets with wrong address: This is happening because your patch only validates source IP address on the path sending the packet through the tun device to towards the Internet, but not the path fowarding packets through GTP to the SMF. |
Hi @pespin Oops! That's my mistake. I've updated it. Thanks a lot! |
Hi @acetcom , all related tests seem to be passing now, thanks for looking at it! |
This situation is tested by TTCN3 test GGSN_Tests.TC_pdp6_act_deact_gtpu_access, which can be found here:
https://git.osmocom.org/osmo-ttcn3-hacks/tree/ggsn_tests/GGSN_Tests.ttcn#n983
The test triggers the situation using GTPv1C setup from my currently WIP branch, but I suspect the same is happening when the already supported GTPv2C is in use, since this affects the user plane path.
In that test, a subscriber is emulated creating an IPv6 session towards open5gs-smf/upf. It then sends a few stuff over the userplane to test several situations.
This part is showing an issue with open5gs implementation:
So it first sends a ping request using the proper IPv6 source IP address, which consists of the first 64 bit prefix obtained through RouterSolicitation and RouterAdvertisement, and whatever value it wishes on the last 64 bits. This one is properly forwarded, and the ping response comes back OK.
Then, it builds up a new IPv6 address containing a 64 bit prefix different than the one which was allocated for the subscriber, and it sends a ping request with it. It can be seen with wireshark that the ping request is actually forwarded outside of the GTP tunnel, and the peer answers back with pong response, and only then the response packet is dropped, since there's no routing for that address.
However, the ping request went through and was forwarded to the Internet side, which seems to be wrong.
The UPF should check the source IP address of uplink IPv6 packets and only allow:
Packets coming from the GTP tunnel containing other source IP addresses should be dropped.
The text was updated successfully, but these errors were encountered: