© 2013 Cisco and/or its affiliates. All rights reserved. BRKSEC-3003 Cisco Public
Advanced IPv6 Security: Securing Link Operations at the First Hop
ERIC LEVY-ABEGNOLI
BRKSEC-3003
Quick overview on the Layer 2 domain & IPv6
• Some definitions
‒ Layer 2 domain: same “broadcast domain = link = vlan”
‒ Nodes: hosts, routers, switches, access points
‒ Link operations: operations between nodes on the shared link
‒ Security perimeter: draw a line between trusted and untrusted devices
‒ First hop: first trusted device inside the security perimeter
• What is specific to IPv6 on a link? More addresses!
‒ More hosts allowed on the link (up to 2^64!). Results in much bigger links
‒ More state (neighbor cache, etc.) on hosts, routers and switches: creates new opportunities for DoS attacks
• And protocols… IPv6 link operations protocol is Neighbor Discovery
‒ More distributed and more autonomous operations
‒ Nodes discover their default router automatically
‒ Nodes auto-configure their addresses
‒ Nodes defend themselves (SeND)
Abstract summary and pre-requisites
• This session focuses on IPv6 security within the Layer 2 domain
• It focuses on 4 cases: Router theft, Address theft, Address spoofing and Remote address resolution cache exhaustion
• It discusses the role of the First Hop, more often than not a Layer 2/3 switch
• It introduces security features at the First Hop, such as RA Guard, Source Guard, Destination Guard, etc.
• Requirements: knowledge of IPv6 and IPv6 Neighbor Discovery
• Related recommended sessions:
‒ BRKSEC-2003 - IPv6 Security Threats and Mitigations
‒ TECSEC-2680 - IPv6 Security
‒ BRKRST-2301 - Enterprise IPv6 Deployment
Agenda
• IPv6 in the Layer 2 domain: high level considerations
• Use Case #1: Router theft
• Use Case #2: Address theft
• Use Case #3: Address spoofing
• Use Case #4: Remote address resolution cache exhaustion
Is Bigger better? More secure?
How about newer?
Sometimes, newer means better and more secure
Sometimes, experience IS better and safer!
Fundamentals On Neighbor Discovery
• Defined in:
‒ RFC 4861 Neighbor Discovery for IP Version 6 (IPv6)
‒ RFC 4862 IPv6 Stateless Address Auto-configuration
‒ RFC 3971 Secure Neighbor Discovery etc.
• Used for:
‒ Router discovery
‒ IPv6 Stateless Address Auto Configuration (SLAAC)
‒ IPv6 address resolution (replaces ARP)
‒ Neighbor Unreachability Detection (NUD)
‒ Duplicate Address Detection (DAD)
‒ Redirection
• Operates above ICMPv6
‒ Relies heavily on (link-local scope) multicast, combined with Layer 2 Multicast
• Works with ICMP messages and message “options”
Agenda
• IPv6 in the Layer 2 domain: high level considerations
• Use Case #1: Router theft
‒ Target deployment model
‒ Vulnerability scope
‒ Protocols: operations and vulnerabilities
‒ Mitigation solutions
‒ Remaining vulnerabilities
• Use Case #2: Address ownership
• Use Case #3: Address spoofing
• Use Case #4: Remote address resolution cache exhaustion
Router Theft - Target deployment model
• Attacker goal is to become the link’s primary default router
• Hosts, routers and attacker reside on a shared “Layer 2 domain”
• Hosts discover their IPv6 “default router” with IPv6 ND
• Attacker can be a plain PC, running simple (publicly available) attack tools. Or it can be a careless user
Router Theft – Vulnerability scope
Router Theft – Router Discovery protocol
• Discover default/first hop routers
• Discover on-link prefixes
Exchange between host A and router B:
‒ A → B: RS, ICMP Type = 133 (Router Solicitation), Src = Host link-local address, Dst = All-routers multicast address (FF02::2), Query = please send RA
‒ B → A: RA, ICMP Type = 134 (Router Advertisement), Src = Router link-local address, Dst = All-nodes multicast address (FF02::1), Data = router lifetime, preference=medium, …, Option = Prefix X,Y,Z, lifetime
‒ A: Use B as default gateway
Router Theft – Router Discovery protocol cont’d
Stateless Address Auto-Configuration, based on prefix information delivered in Router Advertisement
‒ A → B: RS, ICMP Type = 133 (Router Solicitation), Src = Host link-local address, Dst = All-routers multicast address (FF02::2), Query = please send RA
‒ B → A: RA, ICMP Type = 134 (Router Advertisement), Src = Router link-local address, Dst = All-nodes multicast address (FF02::1), Data = router lifetime, preference=medium, Options = Prefix X,Y,Z, lifetime
‒ A: Computes X::x, Y::y, Z::z and DAD them (NS)
‒ A: Source traffic with X::x, Y::y, Z::z
Router Theft – Vulnerability #1
• Attacker tricks victim into accepting itself as default router
• Based on rogue Router Advertisements
• The most frequent threat by non-malicious user
• Many variants: preference, timing, final RA, etc.
Attacker C on the link with host A and router B:
‒ C → all nodes: RA, Src = C’s link-local address, Dst = All-nodes, Data = preference=high, Options = subnet prefix, slla
‒ Result: Node A sending off-link traffic to C
Router Theft – Vulnerability #2
• Attacker spoofs Router Advertisement with false on-link prefix
• Victim generates (topology-bogus) IP address with this prefix
• Access router drops outgoing packets from victim (ingress filtering)
• Or return path is broken
Attacker C on the link with host A and router B:
‒ C → all nodes: RA, Src = B’s link-local address, Dst = All-nodes, Options = prefix BAD
‒ A: Autoconf BAD::A and DAD it
‒ A: Node A sourcing off-link traffic via B with BAD::A
‒ B: B filters out BAD::A … OR NOT
Router Theft - Mitigations
Where               What
Routers             Increase “legal” router preference
Hosts               Disable Stateless Address Autoconfiguration
Routers & Hosts     SeND “Router Authorization”
Switch (First Hop)  Host isolation
Switch (First Hop)  Port Access Lists (PACL)
Switch (First Hop)  RA Guard
Router Theft – Mitigation: Router Authorization overview
• Objectives for (SeND) Router authorization:
‒ Secure default router election on hosts
‒ Authorize routers to advertise certain prefixes
• Protocol overview
‒ SeND is “just” an extension to Neighbor Discovery Protocol, NOT a new protocol
‒ SeND secures ND operations, not the “end-to-end” communication
‒ It provides Router Authorization and proof of Address Ownership
‒ SeND is specified in RFC 3971 & RFC 3972
‒ Router identity is the IPv6 source (cryptographic) address of RAs
‒ This address is certified in a certificate delivered by a Certificate Authority (CA)
Router Theft – Mitigation: Router Authorization overview cont’d
Actors: Certificate Authority CA0, Router R, host. CA0 provisions the host with its certificate C0 and provisions R with a router certificate.
1. R → CA0: Router certificate request
2. CA0 → R: Router certificate CR
3. R → host: ROUTER ADVERTISEMENT (SRC = R)
4. host → R: Certificate Path Solicit (CPS): I trust CA0, who are you R?
5. R → host: Certificate Path Advertise (CPA): I am R, this is my certificate CR signed by CA0
6. host: Verify CR against CA0
7. host: Insert R as default route
Router Theft – Mitigation: SeND Deployment Challenges
To benefit fully from SeND, nodes must be provisioned with CA certificate(s)
A chain of trust is “easy” to establish within the administrative boundaries, but very hard outside
It is a 2 player game! And very few IPv6 stacks can play the game today: Cisco IOS, Linux, some H3C, third party for Windows (from Hasso-Plattner-Institut in Germany!)
Diagram: two administrative boundaries, each with its own CA, Router and Host, plus a CA outside both boundaries
Router Theft Mitigation: Host Isolation
• Prevent Node-Node Layer-2 communication by using:
‒ Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port)
‒ WLAN in ‘AP Isolation Mode’
‒ one VLAN per host (SP access network with Broadband Network Gateway)
• Link-local multicast (RA, DHCP request, etc.) sent only to the local official router: no harm
‒ But Duplicate Address Detection does not work anymore...
Diagram: RAs sent from Isolated Ports only reach the Promiscuous Port, never the other isolated ports
Router Theft Mitigation: RA Guard (RFC 6105)
Diagram: RAs arriving on host ports (Device-role host) are dropped; only the port facing the router (Device-role router) delivers RAs to the vlan
• Port ACL: blocks all ICMPv6 RA from hosts
  interface FastEthernet0/2
   ipv6 traffic-filter ACCESS_PORT in
   access-group mode prefer port
• RA-guard lite: pre-programmed ACL
  interface FastEthernet0/2
   ipv6 nd raguard
   access-group mode prefer port
• RA-guard: deep RA packet inspection
  ipv6 nd raguard policy HOST
   device-role host
  ipv6 nd raguard policy ROUTER
   device-role router
  vlan configuration 100
   ipv6 nd raguard attach-policy HOST
  interface FastEthernet0/0
   ipv6 nd raguard attach-policy ROUTER
Router Theft – Mitigation: Security Perimeter & Device Role
Diagram: hosts sit on device-role=host ports, routers on device-role=router ports, and the uplink to another switch on a device-role=trusted switch port (trusted-port); RAs from host ports are dropped, RAs from router and trusted-switch ports are accepted
RA deep inspection: hop-limit, M & O flag, Router preference, Source, Prefix list, CGA credentials
General principles on FH command interface (For Your Reference)
• Each FH feature provides a configuration mode to create and populate policies (+ one implicit “default” policy)
  ipv6 nd raguard policy host
   device-role host
• Each FH feature provides commands to attach policies to targets: box, vlan, port
  vlan configuration 100
   ipv6 nd raguard attach-policy host
   ipv6 snooping
  interface e 0/0
   ipv6 nd raguard attach-policy router
• Packets are processed by the lowest-level matching policy for each feature
‒ Packets received on e0/0 are processed by policy ra-guard “router” AND policy snooping “default”
‒ Packets received on any other port of vlan 100 are processed by policy ra-guard “host” AND policy snooping “default”
Configuration examples (For Your Reference)
Step 1: Configure policies
  ipv6 nd raguard policy HOST
   device-role host
  ipv6 nd raguard policy ROUTER
   device-role router
  ipv6 snooping policy NODE
   tracking enable
   limit address-count 10
   security-level guard
  ipv6 snooping policy SERVER
   trusted-port
   tracking disable
   security-level glean
Step 2: Attach policies to target
  Vlan:
   vlan configuration 100-200
    ipv6 nd raguard attach-policy HOST
   vlan configuration 100,101
    ipv6 snooping attach-policy NODE
  Port:
   interface Ethernet0/0
    ipv6 nd raguard attach-policy ROUTER
   interface Ethernet1/0
    ipv6 snooping attach-policy SERVER
Router Theft – Demo: topology
Diagram: VILLAIN, DUMB and HOST on vlan 100 behind SWITCH; ROUTER, PEER and CAT complete the topology
Router Theft – Demo: Router Discovery, Theft & Mitigation
Regular operations
‒ ROUTER sends RAs
‒ HOST picks up ROUTER as default router and installs default route
‒ HOST goes via default route to reach PEER
Attack
‒ VILLAIN sends RA with higher preference, with prefix BAD::
‒ HOST (and DUMB) picks VILLAIN as default router
‒ HOST installs default route to VILLAIN and assigns addresses on BAD::
‒ HOST connects to CAT
Mitigation
‒ Increase preference on ROUTER: works but …
‒ Enable SeND on ROUTER: HOST safe, not DUMB
‒ (FH) RA-guard
Router Theft – Here comes fragmentation …
• Problem
‒ RA Guard works like a stateless ACL filtering ICMP type 134 (no reassembly)
‒ Attackers can exploit that to evade RA guard by “pushing” the ULP header (RA) into the second fragment
‒ They can even use overlapping fragments to “disguise” the RA as some other valid message
‒ RFC 3128 is not applicable to IPv6
‒ THC fake_router6 –FD implements this attack, which bypasses RA Guard
• Possible solutions
‒ block all fragments sent to ff02::1
‒ deny ipv6 any any undetermined-transport
‒ How about overlapping fragments? Forbidden by RFC 5722. Use a compliant host stack!
Fragment 1: IPv6 hdr | HopByHop | Routing | Destination …
Fragment 2: … Destination … | ICMP type=134
ICMP header is in 2nd fragment, RA Guard has no clue where to find it!
Agenda
• IPv6 in the Layer 2 domain: high level considerations
• Use Case #1: Router discovery
• Use Case #2: Address theft
‒ Target deployment model
‒ Vulnerability scope
‒ Protocols: operations and vulnerabilities
‒ Mitigation solutions
‒ Demo
‒ Remaining vulnerabilities
• Use Case #3: Address spoofing
• Use Case #4: Remote address resolution cache exhaustion
Address Theft - Target deployment model
• Hosts reside on a shared “Layer 2 domain” (same link)
• Host address assignment is performed using SLAAC, DHCP or static configuration
• Attacker is also on the link. Can be a plain desktop/laptop, running simple attack tools. Or it can be a careless user
• Attacker goal is to take over (steal) someone else’s address to either source (bogus) traffic or hijack sessions
• Attacker can also perform a DoS attack by pretending to own the entire address space
• Vulnerability scope: the link (same as for Router discovery)
Address Theft – Address Resolution protocol
• When needed, a node resolves the IP address into a MAC address
• Creates neighbor cache entry
• Maintains entry with NUD or upon receipt of any updated LLA
• Last Come, First Serve (LCFS): good for mobility, bad for security!
Exchange between nodes A and B (C is also on the link):
‒ A → B: NS, ICMP type = 135 (Neighbor Solicitation), Dst = Solicited-node multicast address of B, target = B, Query = what is B’s Link-Layer Address?
‒ B → A: NA, ICMP type = 136 (Neighbor Advertisement), Src = one of B’s I/F addresses, Dst = A, target = B, Option = Target link-layer address (MACB)
‒ A’s Neighbor cache: B → MAC B
Address Theft – Duplicate Address Resolution
• Verify address uniqueness before using it
• Required (MUST) by SLAAC, recommended (SHOULD) by DHCP
• Probe neighbors to verify nobody claims the address
‒ A → link: NS, ICMP type = 135 (Neighbor Solicitation), Src = UNSPEC = 0::0, Dst = Solicited-node multicast address of A, target = A, Query = Does anybody use A already?
‒ No answer from B or C: Node A can start using address A
Address Theft – Vulnerability #1
• Attacker can claim victim's IP address
Address resolution flow: after a normal resolution, A’s Neighbor cache holds B → MAC B
‒ C → all-nodes: (unsolicited) NA, Src = B, Target = B, Dst = all-nodes, Option = MACC
‒ A’s Neighbor cache now holds B → MAC C: A’s traffic for B goes to C
Attack Tool: Parasite6 – answers all NS, claiming to be all systems in the LAN...
Address Theft – Vulnerability #2
• Attacker answers any victim's DAD attempts
• Victim can't configure IP address and can't communicate
‒ A → link: NS, Src = UNSPEC, Dst = Solicited-node multicast address of A, target = A, Query = Does anybody use A already?
‒ C → A: NA “it’s mine!”, Src = any of C’s I/F addresses, Dst = A, target = A, Option = link-layer address of C
From RFC 4862 5.4: « If a duplicate @ is discovered… the address cannot be assigned to the interface »
What if: use the MAC@ of the node you want to DoS and claim its IPv6 @
Attack Tool: Dos-new-IPv6
Mitigation in IOS: configuring the IPv6 address as anycast disables DAD on the interface
Address theft mitigations
Where               What
Routers & Hosts     Configure static neighbor cache entries
Routers & Hosts     Use Cryptographic Addresses (SeND CGA)
Switch (First Hop)  Host isolation
Switch (First Hop)  Address watch:
                    • Glean addresses in NDP and DHCP
                    • Log bindings <address, port, MAC, vlan> for traceability
                    • Establish and enforce rules for address ownership
                    • Prevent address thefts
                    • Limit number of bindings accepted per user (define “user”)
Address Theft – Mitigation: Address ownership proof
• Objectives for Address ownership:
‒ Enable the ND message sender to provide proof of ownership of address and for the receiver to validate the proof
‒ Verify that the address is either the source of the ND message or the “target” for DAD messages (when source is UNSPEC)
‒ This is a SeND feature
• Protocol overview
‒ Hosts (and routers) generate a pair of RSA keys
‒ The public key is hashed to create a Cryptographic address (CGA)
‒ The CGA address is signed by the private key
‒ Both the public key and signature are provided in ND messages
‒ Receivers must verify the signature and address/key consistency (address = hash(key))
‒ No key distribution required!
Address Theft – Mitigation: Address ownership overview
Diagram: the sender computes Interface-id = hash(public key), forms Address = Prefix | Interface-id, SIGNs the ND message with the private key and sends it with Src = Address; the receiver recomputes the address from the key (“My address!”) and VERIFIES the signature
Address Theft – Mitigation: SeND cont’d – Extending the 62 bits crypto barrier
• 62 bits is not considered a good protection against brute force
• Need to inject “delay” in the computation
• Need to make the computation able to evolve
Basic CGA computation (left flowchart on the slide):
‒ Generate keys pub and priv
‒ hash’ = SHA-1(pub+pfx)
‒ hash’’ = hash’[0..61]
‒ done; an attacker looking for a key with hash’ = hash needs 2^62 attempts
Extended computation (right flowchart): the same steps, with a tunable delay added between SHA-1(pub+pfx) and hash’’ = hash’[0..61] (“Add tunable delay there!”)
Address Theft – Mitigation: SeND cont’d – The “real” thing (For Your Reference)
Inputs: key = public key in DER format; sec = security level; col = collision count, initially 0
1. Generate random 16 bytes: mod
2. Build message = mod || 0 || 0 || key; hash = SHA-1(message)
3. If bits 0..16*sec of hash ≠ 0: increment mod and go back to step 2 (the delay is here!)
4. message = mod || prefix || col || key; hash = SHA-1(message)
5. Compute address: bytes 0..7 = prefix; bytes 8..15 = hash bytes 0..7; bits 64..66 = sec; bits 70, 71 = 0 (“u” and “g”)
6. Do DAD: no response → start using address; duplicate → if col < 2, increment col and go back to step 4, else report error
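The flowchart above, carried through in code as an added example (not the deck's code and not any stack's SeND implementation): Hash2 with 16*sec leading zero bits supplies the tunable delay, Hash1 yields the interface identifier with sec in bits 64..66 and the u/g bits cleared, and the receiver recomputes address = hash(key). The public key bytes are a constructed stand-in for a DER key, and the RSA signature over the ND message is not covered.

```python
import hashlib
import ipaddress
import os

# Stand-in for the public key "in DER format" on the slide: constructed bytes, not a real key.
DEMO_PUBKEY = hashlib.sha256(b"constructed demo public key").digest()


def _hash2_ok(modifier, pubkey, sec):
    """Hash2 (RFC 3972): SHA-1(modifier || 9 zero bytes || key); its leftmost 16*sec bits must be 0."""
    if sec == 0:
        return True
    digest = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()
    return digest[:2 * sec] == b"\x00" * (2 * sec)


def _interface_id(modifier, prefix, collision, pubkey, sec):
    """Hash1 (RFC 3972): SHA-1(modifier || prefix || collision || key), leftmost 64 bits,
    then sec written into bits 64..66 and the u/g bits (70, 71) cleared, as on the slide."""
    h = bytearray(hashlib.sha1(modifier + prefix + bytes([collision]) + pubkey).digest()[:8])
    h[0] = (sec << 5) | (h[0] & 0x1C)
    return bytes(h)


def generate_cga(prefix, pubkey, sec, collision=0, modifier=None):
    """Returns (address, modifier). The modifier search is the tunable delay of the slide:
    each step of sec costs 16 more zero bits, i.e. about 2^(16*sec) SHA-1 evaluations."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    mod = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    while not _hash2_ok(mod.to_bytes(16, "big"), pubkey, sec):
        mod = (mod + 1) % (1 << 128)            # "increment mod" loop of the flowchart
    modifier = mod.to_bytes(16, "big")
    iid = _interface_id(modifier, pfx, collision, pubkey, sec)
    return ipaddress.IPv6Address(pfx + iid), modifier


def verify_cga(address, pubkey, modifier, collision=0):
    """Receiver-side check: the address must equal hash(key) for the CGA parameters carried
    in the ND message; sec is read back from the address itself."""
    packed = ipaddress.IPv6Address(address).packed
    if collision > 2:                           # the flowchart allows at most col = 2
        return False
    sec = packed[8] >> 5
    if not _hash2_ok(modifier, pubkey, sec):
        return False
    return packed[8:] == _interface_id(modifier, packed[:8], collision, pubkey, sec)
```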
Address Theft – Mitigation: Address Glean at the First Hop
Diagram: DHCP server and hosts H1, H2, H3 behind the first-hop switch; the switch gleans bindings from:
‒ H1: DAD NS [IP source=UNSPEC, target=A1, SMAC=MACH1]
‒ H2: DHCP REQUEST [XID, SMAC = MACH2] and REPLY [XID, IPA21, IPA22]
‒ H3: data [IP source=A3, SMAC=MACH3] or NA [IP source=A3, LLA=MACH3], confirmed with DAD NS [IP source=UNSPEC, target = A3] or DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY
Binding table
ADR   MAC    VLAN  IF   Preference
A1    MACH1  100   P1   X
A21   MACH2  100   P2   Y
A22   MACH2  100   P2   Y
A3    MACH3  100   P3   Z
Address Theft – Mitigation: Address Watch at the First Hop
Diagram: host → Address glean → Binding table → Valid? → bridge
Address glean
– Arbitrate collisions, check ownership
– Check against max allowed per box/vlan/port
– Record & report changes
• Preference is a function of: configuration, learning method, credential provided
• Upon collision, choose highest preference (for instance static, trusted, CGA, DHCP preferred over dynamic, not_trusted, not_CGA, SLAAC)
• For collision with same preference, choose First Come, First Serve
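The address watch logic above (glean, preference-based collision arbitration, first-come-first-serve ties, per-port limit, change log) as an added Python example; this is not the deck's code nor the IOS "ipv6 snooping" implementation. The preference ordering is the slide's; the numeric weights, the per-port limit and the replayed demo values are assumptions of this example.

```python
import itertools
from dataclasses import dataclass

# Ordering from the slide: static, trusted, CGA and DHCP beat dynamic, untrusted,
# non-CGA and SLAAC. The numeric weights below are assumed for this example.
METHOD_WEIGHT = {"static": 100, "dhcp": 10, "slaac": 1}


@dataclass
class Binding:
    address: str
    mac: str
    vlan: int
    port: str
    method: str            # "static" | "dhcp" (from DHCP) | "slaac" (from DAD NS / NA / data)
    trusted: bool = False  # learned on a trusted-port
    cga: bool = False      # sender carried valid SeND CGA credentials
    seq: int = 0           # arrival order, recorded for the log and for FCFS reasoning

    def preference(self):
        return METHOD_WEIGHT[self.method] + (50 if self.trusted else 0) + (20 if self.cga else 0)


class BindingTable:
    """First-hop address watch: glean, arbitrate collisions, enforce a per-port limit, log."""

    def __init__(self, max_per_port=10):          # the deck's 'limit address-count 10'
        self.entries = {}                          # (vlan, address) -> Binding
        self.log = []
        self.max_per_port = max_per_port
        self._seq = itertools.count(1)

    def glean(self, b):
        b.seq = next(self._seq)
        key = (b.vlan, b.address)
        cur = self.entries.get(key)
        if cur is None:
            if sum(e.port == b.port for e in self.entries.values()) >= self.max_per_port:
                return self._log("REJECT", b, f"address-count limit reached on {b.port}")
            self.entries[key] = b
            return self._log("ADD", b, f"learned via {b.method}")
        if (cur.mac, cur.port) == (b.mac, b.port):
            return self._log("REFRESH", b, "same owner")
        if b.preference() > cur.preference():
            self.entries[key] = b
            return self._log("REPLACE", b, f"pref {b.preference()} beats {cur.preference()} of {cur.mac}/{cur.port}")
        why = "first come, first serve" if b.preference() == cur.preference() else "lower preference"
        return self._log("REJECT", b, f"collision with {cur.mac}/{cur.port}: {why}")

    def _log(self, action, b, why):
        self.log.append(f"#{b.seq} {action} {b.address} mac={b.mac} vlan={b.vlan} port={b.port}: {why}")
        return action


def address_theft_demo():
    """Replays the deck's demo with constructed values: HOST owns 2001:100::1 via DHCP,
    VILLAIN tries to claim it from another port, then a trusted static entry overrides,
    and VILLAIN finally hits the per-port limit."""
    table = BindingTable(max_per_port=2)
    actions = [
        table.glean(Binding("2001:100::1", "MACH1", 100, "P1", "dhcp")),                 # ADD
        table.glean(Binding("2001:100::1", "MACC", 100, "P3", "slaac")),                 # REJECT (lower pref)
        table.glean(Binding("2001:100::1", "MACH1", 100, "P1", "slaac")),                # REFRESH (HOST's DAD NS)
        table.glean(Binding("2001:100::1", "MACR", 100, "P0", "static", trusted=True)),  # REPLACE (operator)
        table.glean(Binding("2001:100::2", "MACC", 100, "P3", "slaac")),                 # ADD
        table.glean(Binding("2001:100::3", "MACC", 100, "P3", "slaac")),                 # ADD
        table.glean(Binding("2001:100::4", "MACC", 100, "P3", "slaac")),                 # REJECT (limit on P3)
    ]
    return actions, table
```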
Address Theft – Mitigation: Security Perimeter & State Distribution
Diagram: two access switches (hosts H11 and H21) each run Address glean into their own Binding table; a switch above them aggregates both tables
Binding table on switch 1
ADR   MAC    IF
A11   MACH1  P1
A21   MACH2  P2
Binding table on switch 2
ADR   MAC    IF
A21   MACH1  P1
A22   MACH2  P2
Aggregated Binding table
ADR   MAC    IF
A11   MACH1  P1
A21   MACH2  P2
A21   MACH1  P1
A22   MACH2  P2
Address Theft – Demo: the topology
Diagram: VILLAIN, DUMB and HOST on vlan 100 behind SWITCH; ROUTER+DHCP server and a Provisioning system
Address Theft – Demo: Address theft & Mitigation
Regular operations
‒ Show ipv6 address: SLAAC, DHCP, static
‒ HOST connects to ROUTER
‒ Show neighbor cache
Attack
‒ HOST connects to ROUTER
‒ VILLAIN steals 2001:100::1 and connection breaks
‒ HOST re-connects and ends up at VILLAIN
Mitigation
‒ Configure static cache entry on HOST
‒ Configure CGA address on ROUTER. Helps HOST, not DUMB
‒ Enable “ipv6 snooping” on SWITCH
• Show binding table, preference values, etc.
• Helps for non-CGA, CGA, HOST and DUMB
• Show logging
Address Theft – Remaining Vulnerabilities
• Problems
‒ address ownership ≠ address authorization! Attacker can forge any address of its own and prove ownership
‒ CGA is not widely available
‒ First-come first-serve is NOT very secure for SLAAC
‒ First-come first-serve is hardly compatible with mobility
• Solutions
‒ Use FH address glean & watch (combine with CGA when available)
‒ Use non-default preferences whenever you can
‒ Use authoritative address assignment method (DHCP) when you can
‒ When FCFS must be used, use long lifetime to keep entries in the binding table as long as you can
‒ Use logging to trace problems after the fact
‒ To reduce issues with mobility, use 802.1X whenever possible
‒ For address authorization, see next use case …
Agenda
• IPv6 in the Layer 2 domain: high level considerations
• Use Case #1: Router theft
• Use Case #2: Address theft
• Use Case #3: Source Address spoofing
‒ Target deployment model
‒ Mitigation solutions
‒ Demo
‒ The standard
• Use Case #4: Remote address resolution cache exhaustion
Address Spoofing - Target deployment model
• Hosts (victims) are anywhere (on/off link)
• Attacker is on the link
• Attacker can be a plain PC, running simple attack tools
• Attacker goal is to launch single packet attacks or Flood-Based DoS attack without being identified or traceable
Address Spoofing – Vulnerability scope
• Blind attacks → Single packet attacks, Flood-Based DoS, Poisoning attack, Spoof-based Worm/Malware Propagation, Reflective Attacks, Accounting Subversion
• Non-blind attacks → Man in the Middle attacks, Third Party Recon
Address Spoofing - Mitigations
Where             What
Routers           Ingress filtering
Routers           Unicast Reverse Path Forwarding (uRPF)
Nodes             Address Provisioning Mechanisms
Layer 2 Switch    Port-based Address Binding (FH Source Guard): draft-ietf-savi-fcfs, draft-ietf-savi-dhcp, draft-ietf-savi-send, draft-ietf-savi-mix
Layer 2/3 Switch  Prefix Guard
Address Spoofing – Mitigation: Source Guard
Diagram: hosts H1, H2, H3 on ports P1, P2, P3 of the first-hop switch; Address glean feeds the Binding table
Binding table
IPv6  MAC     VLAN  IF
A1    MACA1   100   P1
A21   MACA21  100   P2
A22   MACA22  100   P2
A3    MACA3   100   P3
Source Guard
– Allow traffic sourced with known IP/SMAC
– Deny traffic sourced with unknown IP/SMAC and trigger the address glean process
‒ P1: data, src= A1, SMAC = MACA1 → known binding, allowed
‒ P2: data, src= A21, SMAC = MACA21 → known binding, allowed
‒ P3: data, src= A3, SMAC = MACA3 → not yet bound, denied; glean is triggered with DAD NS [IP source=UNSPEC, target = A3], NA [target = A3, LLA=MACA3] and DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY, after which P3 :: A3, MACA3 is added to the table
Address Spoofing – Mitigation: Prefix Guard
Diagram: home gateways G1, G2, G3 (each with its own Home Network) on ports p1, p2, p3 of a shared vlan; an L2 switch (FH security, DHCP tag), an L3 switch (FH security, DHCP relay) and a DHCP server
‒ DHCP-PD reply to G1: PREFIX=P1, gleaned on p1
‒ G1 sends RA [P1] into its home network; hosts use SLAAC and send traffic with src = P1::iid, which is allowed on p1
‒ Traffic with src = BAD::iid on p1 is dropped: the prefix is not bound to that port
Binding table
IPv6  MAC    VLAN  Port
P1    MACG1  100   p1
Address Spoofing – Demo (For Your Reference)
Diagram: VILLAIN and HOST on vlan 100 behind SWITCH; ROUTER+DHCP server; PEER
Agenda
• IPv6 in the Layer 2 domain: high level considerations
• Use Case #1: Router discovery
• Use Case #2: Address ownership
• Use Case #3: Source Address Validation
• Use Case #4: Remote address resolution cache exhaustion
‒ The target deployment model
‒ Protocol and vulnerabilities
‒ Mitigation solutions
‒ Demo
Remote address resolution cache exhaustion – Target deployment model
• Attacker is off link
• Attacker can be a PC, running simple attack tools
• Attacker goal is to launch Flood-Based DoS attack targeting the last-hop router, the link behind it, and all nodes on the link
• Attacker method is to “scan” the link prefix to force a high resolution attempt rate, exhaust the router resources, slow or deny valid resolutions, load the link with useless multicast packets
Remote address resolution cache exhaustion – Vulnerability scope
• Attacker is anywhere on the Internet
• His primary victim is the last-hop Layer 3 device (router)
• He can also harm the link and nodes behind it
Remote address resolution cache exhaustion – Protocol
Diagram: attacker X on the Internet scanning the 2^64 addresses of PFX::/64 behind the Gateway (ping PFX::a, PFX::b, … PFX::z); for each destination the Gateway multicasts an NS on the link and keeps an entry in its Neighbor cache (3 seconds history)
‒ Gateway → link: NS, Dst = Solicited-node multicast address of PFX::a, Query = what is PFX::a’s link-layer address?
‒ Gateway → link: NS, Dst = Solicited-node multicast address of PFX::b, Query = what is PFX::b’s link-layer address?
‒ …
‒ Gateway → link: NS, Dst = Solicited-node multicast address of PFX::z, Query = what is PFX::z’s link-layer address?
Remote address resolution cache exhaustion – Mitigation
Where           What
Routers         − Address Provisioning Mechanisms
                − Allocate addresses by blocks and filter at the edge
                − ND resolution algorithm: rate limiting of new resolutions; separate cache for confirmed reachable entries; circular buffer for new resolutions; cache boundaries
Layer 3 Switch  Destination Guard
DoS Attack on Address Resolution – Mitigation: Destination Guard
• Mitigate prefix-scanning attacks and protect ND cache
• Useful at last-hop router and L3 distribution switch
• Drops packets for destinations without a binding entry
Diagram: an attacker on the Internet scans {P/64} with packets for D1 … Dn; the L3 switch looks up each destination in the Binding table (fed by Address glean from the hosts): D1 is found and the packet is forwarded to host B, Dn is not found and the packet is dropped without touching the Neighbor cache
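The three first-hop data-plane checks of this part of the deck (Source Guard and Prefix Guard from Use Case #3, Destination Guard above) as one added Python example; this is not the deck's code nor Cisco's implementation. The binding table, prefix binding and neighbor cache limit are constructed for the example; the scan simulation shows why dropping unbound destinations before resolution keeps the cache small.

```python
import ipaddress

# Constructed binding table shaped like the deck's <IPv6, MAC, VLAN, IF> table (sample values).
BINDINGS = {
    ("2001:db8:100::a1", "macA1"): ("P1", 100),
    ("2001:db8:100::a21", "macA21"): ("P2", 100),
    ("2001:db8:100::a22", "macA22"): ("P2", 100),
    ("2001:db8:100::a3", "macA3"): ("P3", 100),
}
# Prefix Guard binding: a DHCP-PD delegated prefix tied to the port it was gleaned on (constructed).
PREFIX_BINDINGS = {"p1": ipaddress.IPv6Network("2001:db8:1::/48")}


def source_guard(src_ip, smac, port, bindings=BINDINGS):
    """Access-port ingress check: permit only a <src IP, SMAC> pair bound to this port.
    An unknown pair is dropped; on the slide that drop also triggers address glean."""
    src = str(ipaddress.IPv6Address(src_ip))
    entry = bindings.get((src, smac))
    if entry and entry[0] == port:
        return "permit"
    return "drop+glean" if entry is None else "drop"


def prefix_guard(src_ip, port, prefix_bindings=PREFIX_BINDINGS):
    """Aggregation-port check: the source must fall inside a prefix bound to the port."""
    src = ipaddress.IPv6Address(src_ip)
    bound = prefix_bindings.get(port)
    return "permit" if bound is not None and src in bound else "drop"


class L3Edge:
    """Last-hop L3 switch. With Destination Guard on, a packet is forwarded (and the
    neighbor cache consulted or populated) only if the destination has a binding entry."""

    def __init__(self, bindings=BINDINGS, destination_guard=True, cache_limit=1000):
        self.bound = {addr for addr, _ in bindings}
        self.destination_guard = destination_guard
        self.cache_limit = cache_limit            # assumed size bound of the neighbor cache
        self.neighbor_cache = {}                  # dst -> "INCOMPLETE" | "REACHABLE"
        self.dropped = 0

    def forward(self, dst_ip):
        dst = str(ipaddress.IPv6Address(dst_ip))
        if self.destination_guard and dst not in self.bound:
            self.dropped += 1
            return "drop"                         # no NS sent, no cache entry created
        if dst not in self.neighbor_cache:
            if len(self.neighbor_cache) >= self.cache_limit:
                self.dropped += 1
                return "drop:cache-full"          # legitimate resolutions now fail too
            # resolution starts: only hosts that exist (are bound) ever answer the NS
            self.neighbor_cache[dst] = "REACHABLE" if dst in self.bound else "INCOMPLETE"
        return "forward" if self.neighbor_cache[dst] == "REACHABLE" else "queue"


def prefix_scan(edge, prefix="2001:db8:100::/64", count=2000):
    """Simulate the off-link scan from the deck (ping PFX::1, PFX::2, ...) and return
    (neighbor cache size, number of dropped packets) afterwards."""
    net = ipaddress.IPv6Network(prefix)
    for i in range(1, count + 1):
        edge.forward(str(net.network_address + i))
    return len(edge.neighbor_cache), edge.dropped
```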
DoS Attack on Address Resolution – Demo
Diagram: VILLAIN and HOST on vlan 100 of the L2/L3 SWITCH; DHCP server; PEER
IPv6 First Hop Security Platform Support
Legend (colour-coded on the original slide): Available Now / Not Available / Roadmap; “-” marks a cell with no release listed
Feature/Platform       Catalyst 6500  Catalyst 4500  Catalyst 2K/3K  ASR1000 Router  7600 Router  Catalyst 3850  Wireless LAN Controller (Flex 7500, 5508, 2500, WISM-2)
RA Guard               15.0(1)SY      15.1(2)SG      15.0(2)SE       -               15.2(4)S     15.0(1)EX      7.2
IPv6 Snooping          15.0(1)SY1     15.1(2)SG      15.0(2)SE       XE 3.9.0S       15.2(4)S     15.0(1)EX      7.2
DHCPv6 Guard           15.2(1)SY      15.1(2)SG      15.0(2)SE       -               15.2(4)S     15.0(1)EX      7.2
Source/Prefix Guard    15.2(1)SY      15.2(1)E       15.0(2)SE2      XE 3.9.0S       15.3(1)S     -              7.2
Destination Guard      15.2(1)SY      15.1(2)SG      15.2(1)E        XE 3.9.0S       15.2(4)S     -              -
RA Throttler           15.2(1)SY      15.2(1)E       15.2(1)E        -               -            15.0(1)EX      7.2
ND Multicast Suppress  15.2(1)SY      15.1(2)SG      15.2(1)E        XE 3.9.0S       -            15.0(1)EX      7.2
Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped
Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release
Recommended Reading for BRKSEC-3003
Call to Action
• Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action
• Get hands-on experience attending one of the Walk-in Labs
• Schedule a face-to-face meeting with one of Cisco’s engineers at the Meet the Engineer center
• Discuss your project’s challenges at the Technical Solutions Clinics
Q & A