Friday, May 13, 2011 Alaa Al-Din Al-Radhi 1
IPv6 Promised Role in Mitigating Cyber Attacks: Really it’s Time!
Alaa Al-Din Al-Radhi
IPv6 & Cyber Security: Consultant Engineer, Practitioner, Networker & Trainer
IPv6 Forum Jordan Chapter President
[email protected] , [email protected]
Friday 13th May 2011, 11:30 - 12:15
Agenda:
• IPv6 Security Basic Issues
• Common IPv4 & IPv6 Security Concerns
• IPv6 Transition Threats
• IPv6 Security Techies
• IPv6 Security Road-Map & How-To Wrap-Up
Current ISP (Internet Service Provider) Challenges
• IPv4 addresses finished: "Sorry, we are closed!!"
• NAT layers for IP shortages
• Mobility convergence
• Congestion & delay
• Too many security attacks
IPv6 Security Basic Issues
The ONLY real security a person can have in this world = a reserve of knowledge, intent, experience, ability & action.
There is NO fixed answer; ONLY possible solutions!
IPv6 will restore the CIA model (Confidentiality, Integrity, Availability).

Security Characteristics & Process (figure): packet filtering (filters on IPs, ports, flags, etc.), anti-spoofing, learning & statistical analysis (layers 3-7), HTTP analysis & authentication, higher-level protocols (anomaly behavior, etc.), output (TCP, others).
Objective: Sieving Malicious Traffic (the security cycle)
• Secure resources: firewall, encryption, authentication, audit
• Monitor & respond: intrusion detection, work the incident
• Test, practice, drill: vulnerability scanning
• Manage & improve: post mortem, analyze the incident, modify the plan / procedures
Security Policy
Security incidents are a normal part of an ISP's operations.
(figure: NOC, ISP's backbone, remote staff, office staff, penetration, AAA)
Identify & Evaluate Risk Assessments: Security Breaches Likelihood
Complete Security Life Cycle
8 Security Dimensions for Network Vulnerabilities:

What | Goal | How
Access Control | Ensures access by authorized personnel & devices only; protects against unauthorized use | Simple log-in / password, ACL, IDS
Authentication | Confirms the identity of communicating entities (e.g., end-users, network elements); provides assurance of who an entity is | Digital certificates, digital signatures, SSL
Non-Repudiation | Prevents an entity from denying its actions; ensures evidence is available that an action has taken place | Logs, access control, digital signatures
Data Confidentiality | Protects against unauthorized data access; ensures data content can NOT be read or manipulated by an unauthenticated entity | Encryption (3DES, AES), access control lists, file permissions
Communication Security | Ensures authorized information flow; ensures information is not intercepted | VPNs (IPSec, L2TP), MPLS tunnels
Data Integrity | Ensures information accuracy; provides evidence of event occurrence | IPSec, anti-virus software
Availability | Network availability | Disaster recovery solutions, FW, IDS / IPS, backup & business continuity
Privacy | Information protection | Encryption of IP headers (IPSec tunnel mode)
ISP Security Breakdowns Checklist

Network segment | Controls
Backbone / Core | Device integrity + route authentication
Aggregation & Distribution | Device integrity + route authentication + stateful / stateless firewall + crypto + L3 filtering + L3 DDoS mitigation + L3 spoof mitigation
CPE Access / Perimeter | L3 filtering, L3 DDoS mitigation, L2 security (firewall, AAA, device integrity) + URL filtering + IDS (host / network based)
Endpoints | Device integrity + device and user AAA + host firewall (e.g. BlackICE) + OS patches + AV + hardening + file system encryption + vulnerability scanning
What is Needed: IPv6 End-to-End Secure Communications

(figure) IPv4 Internet: private address segments at Branch A, Branch B and the partner company sit behind NAT; global address segments only between the routers; only site-to-site secure communications between the NAT routers; low interoperability between different vendors; low security in the LAN segments.
(figure) IPv6 Internet: global address segments end to end, IPsec node to IPsec node through the routers; end-to-end secure communications; easy to set up a new connection.
Motivations for "IP Layer" Security
1. The Internet community has developed some application-specific security mechanisms:
– Kerberos for client / server authentication
– PGP, PEM or S/MIME for e-mail security
– SSL for secure web access
2. So, we need to provide security at the IP layer: IPSec, with the following benefits:
– Implemented at the IP layer, so all traffic can be secured, no matter what application.
– IPSec in a firewall can NOT be bypassed if the firewall is the only connection between intranet & extranet.
– Transparent to applications: NO changes to upper-layer software.
– Provides routing security.
IPv6: Header Structure
• Simple header with a fixed length of 40 bytes
• 6 optional extension headers, present only when needed:
1. Hop-by-Hop Options header
2. Routing header
3. Fragment header
4. Destination Options header
5. Authentication Header (AH)
6. Encapsulating Security Payload (ESP) header
• Each extension header is identified by the Next Header field of the preceding header.
(figure) Base header of 40 bytes followed by an upper-layer PDU of up to 65,535 bytes; with the Jumbo Payload hop-by-hop option the upper-layer PDU may exceed 65,535 bytes.
IPv6: Header Structure, Next Header values
Hop-by-Hop Options = 0; TCP = 6; UDP = 17; IPv6 encapsulation (6in4 / 6in6 tunnels) = 41; Routing = 43; Fragment = 44; RSVP = 46; ESP = 50; AH = 51; ICMPv6 = 58; No Next Header = 59; Destination Options = 60; OSPFv3 = 89.
IPv6: Header Structure Benefits
• The checksum has been removed, because error checking is already performed by the link-layer and transport-layer protocols.
• Fragmentation has been relegated to an extension header, the minimum MTU has been raised to 1280 bytes, and fragmentation and reassembly are performed only by the endpoints, never by routers.
• Routers have to examine more than the 40-byte header only when the Next Header (NH) field is zero (Hop-by-Hop Options).
• The design pays careful attention to alignment for 64-bit processors; for example, the addresses are aligned on 64-bit boundaries.
• The constant size of the IPv6 header makes the header-length field of IPv4 unnecessary. Routers & intermediate nodes handling the packets are NOT required to accommodate variable header lengths, which expedites packet handling.
IPv6: Some Quick Security Facts
• Hop limit & GTSM (Generalized TTL Security Mechanism): still valid security mechanisms against DoS attacks on local links
• Amplification attack (congestion & DoS): can be caused by a packet with a Routing Header containing multiple instances of the same address. It is crucial to perform ingress filtering that prohibits the forwarding of packets with a Type 0 Routing Header (RH0).
• NH functionality in IPv6 provides the foundation for enhanced services such as IPv6 security & mobility.
• Packets containing Hop-by-Hop extension headers must be analyzed at every node along the forwarding path.
• Extension headers bring additional complexity (and performance degradation) for traffic filtering.
• Block Mobility headers if IPv6 mobility is NOT being used by the organization.
• Extension headers can also be used as a covert channel to hide communications between two systems, e.g., in Destination Options.
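The Next Header chain described on the header-structure slides, walked in code. This is an added example and not code from the original talk: it parses the fixed 40-byte header, follows the extension header chain using each header's own length rule (Fragment is fixed at 8 bytes, AH counts 32-bit words, the rest count 8-byte units), and raises the policy flags the facts above call for: RH0 to drop, Hop-by-Hop that every forwarding node must examine, a Fragment header to reassemble before filtering. The packet builder and the sample packets are constructed for the demo; the ICMPv6 checksum is left at zero because nothing is transmitted.

```python
import struct
from ipaddress import IPv6Address

# Next Header values (IANA protocol numbers): the slide's list plus Routing (43) and Fragment (44).
NH_HOPOPT, NH_TCP, NH_UDP, NH_IPV6, NH_ROUTING, NH_FRAG = 0, 6, 17, 41, 43, 44
NH_ESP, NH_AH, NH_ICMPV6, NH_NONE, NH_DSTOPTS = 50, 51, 58, 59, 60
# Extension headers that can be walked (ESP cannot: everything after it is encrypted).
EXT_HEADERS = {NH_HOPOPT: "hop-by-hop", NH_ROUTING: "routing", NH_FRAG: "fragment",
               NH_AH: "ah", NH_DSTOPTS: "dst-opts"}
UPPER_LAYER = {NH_TCP, NH_UDP, NH_ICMPV6, NH_ESP, NH_NONE, NH_IPV6}

def parse_ipv6(pkt: bytes) -> dict:
    """Parse the fixed header, walk the extension header chain and collect policy flags."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, nh, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src, dst = IPv6Address(pkt[8:24]), IPv6Address(pkt[24:40])
    chain, flags, off = [], [], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):                # every extension header is at least 8 bytes
            flags.append("truncated extension header")
            break
        next_nh, hdr_ext_len = pkt[off], pkt[off + 1]
        if nh == NH_FRAG:
            length = 8                        # Fragment header is always 8 bytes
            flags.append("fragment header present: reassemble before filtering")
        elif nh == NH_AH:
            length = (hdr_ext_len + 2) * 4    # AH length is in 32-bit words minus 2
        else:
            length = (hdr_ext_len + 1) * 8    # other headers: 8-byte units, first unit not counted
        if nh == NH_HOPOPT:
            flags.append("hop-by-hop options: examined by every forwarding node")
        if nh == NH_ROUTING:
            rtype, segs_left = pkt[off + 2], pkt[off + 3]
            if rtype == 0:
                flags.append(f"RH0 with {segs_left} segments left: drop (RFC 5095)")
            elif rtype == 2:
                flags.append("RH2 (Mobile IPv6): drop unless MIPv6 is in use")
        chain.append(EXT_HEADERS[nh])
        off += length
        nh = next_nh
    if nh not in UPPER_LAYER:
        flags.append(f"unexpected upper-layer protocol {nh}")
    return {"src": str(src), "dst": str(dst), "hop_limit": hop_limit,
            "payload_len": payload_len, "chain": chain, "upper": nh, "flags": flags}

def build_ipv6(src: str, dst: str, nh: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Build a minimal IPv6 packet (constructed test input, not captured traffic)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nh, hop_limit)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload

def rh0_sample() -> bytes:
    """Constructed packet: IPv6 -> Routing Header type 0 (two waypoints) -> ICMPv6 echo."""
    via = IPv6Address("2001:db8::10").packed + IPv6Address("2001:db8::20").packed
    # Routing header: next=ICMPv6, hdr_ext_len=4 (32 bytes of addresses), type=0, segments left=2
    rh = bytes([NH_ICMPV6, 4, 0, 2]) + b"\x00" * 4 + via
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1])   # echo request; checksum left zero, nothing is sent
    return build_ipv6("2001:db8::1", "2001:db8::2", NH_ROUTING, rh + icmp)
```

parse_ipv6(rh0_sample()) returns the chain ["routing"], the upper-layer protocol 58 and an "RH0 with 2 segments left" flag; a plain TCP packet built with build_ipv6 returns an empty chain and no flags. The walker stops at ESP on purpose: a filter that needs to see past ESP must be an IPsec endpoint.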
IPv6 Defenses: What's New?
• IPSec: authentication & encryption (RFC 2401, RFC 2402, RFC 2406, RFC 2408)
• SEND: Secure Neighbor Discovery
• CGA: Cryptographically Generated Addresses
• ULA: Unique Local Addresses
• Firewall model change
What is Needed: Secure Site-to-Site IPv6 Traffic over IPv4 & IPv6 Networks with IPSec
IPSec Components
IPSec = 3 main protocols combined into a cohesive security framework (RFC 2401, RFC 2402, RFC 2406, RFC 2408, RFC 2409; these IKEv1-era documents have since been obsoleted by RFC 4301, RFC 4302, RFC 4303 and, for IKE, RFC 7296):
• AH (Authentication Header), IP protocol 51: provides a framework for authenticating and securing data
• ESP (Encapsulating Security Payload), IP protocol 50: provides a framework for encrypting, authenticating and securing data
• IKE (Internet Key Exchange), UDP port 500 (UDP 4500 with NAT traversal): provides a framework for the negotiation of security parameters & the establishment of authenticated keys:
– Negotiation of SA characteristics
– Automatic key generation
– Automatic key refresh
– Manageable manual configuration
IPSec Modes = Tunnel + Transport
• Transport mode (for end-to-end sessions): the ESP or AH header is inserted behind the IP header; the IP header can be authenticated but NOT encrypted.
• Tunnel mode (for everything else): a new IP header is created in front of the original packet; this allows encryption of the entire original packet, including its IP header.
IPSec Services

Service | AH | ESP (encryption only) | ESP (encryption + authentication)
Access control | yes | yes | yes
Connectionless integrity | yes | no | yes
Data origin authentication | yes | no | yes
Reject replayed packets | yes | yes | yes
Payload confidentiality | no | yes | yes
Traffic flow confidentiality | no | limited | limited
(traffic flow confidentiality is limited because of the limited amount of payload padding)
SA (Security Association)
• Agreement between 2 entities on the method to communicate securely
• An IPSec SA is unidirectional: 2-way communication consists of 2 SAs
• Example SA: destination address 192.168.2.1; Security Parameters Index (SPI) 7A390BC1; IPSec transform AH, HMAC-MD5; key 7572CA49F7632946; additional SA attributes (e.g., lifetime) 1 day or 100 MB
Each SA is identified by:
• Security Parameters Index (SPI): a 32-bit integer assigned by the receiving system and carried in the AH / ESP header, so the receiver can select the required SA.
• Destination address: only unicast IP addresses are allowed in RFC 2401 (RFC 4301 later added multicast SAs).
• Security protocol identifier: AH or ESP.
This information appears in the IP packet, so the receiver knows how to behave.
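The SA selection described above and the anti-replay service from the IPSec services table, modelled in code. This is an added example, not code from the talk or from any IPsec implementation: the receiver looks the SA up by the (destination, SPI, protocol) triple carried in the packet, then runs the RFC 4303 sliding-window replay check on the AH / ESP sequence number. The SA values are the slide's example SA; the packet sequence fed through it is constructed to exercise in-order, late-but-in-window, duplicate and too-old cases. A real SA would also carry the direction, lifetime counters and the cipher / MAC keys in use.

```python
from dataclasses import dataclass

@dataclass
class SecurityAssociation:
    """One direction of IPsec traffic, selected by (destination, SPI, protocol)."""
    dst: str
    spi: int                 # 32-bit value assigned by the receiver
    protocol: str            # "AH" or "ESP"
    transform: str           # e.g. "AH, HMAC-MD5" as in the slide's example SA
    key: bytes
    lifetime_s: int = 86400  # the slide's "1 day"
    window: int = 64         # RFC 4303 minimum anti-replay window size
    highest_seq: int = 0     # highest sequence number accepted so far
    bitmap: int = 0          # bit i set => sequence (highest_seq - i) already received

    def check_replay(self, seq: int) -> bool:
        """RFC 4303 appendix A sliding window. Returns True if the packet is accepted."""
        if seq == 0:
            return False                      # sequence numbers start at 1
        if seq > self.highest_seq:            # newer than anything seen: slide the window
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.window else 1
            self.bitmap &= (1 << self.window) - 1
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window:
            return False                      # older than the window: treated as a replay
        if self.bitmap & (1 << diff):
            return False                      # already received: a replay
        self.bitmap |= 1 << diff              # late but inside the window: accept once
        return True

class SADatabase:
    """Security Association Database keyed on the triple carried in the packet."""
    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.dst, sa.spi, sa.protocol)] = sa

    def lookup(self, dst: str, spi: int, protocol: str):
        return self._sas.get((dst, spi, protocol))

def process_inbound(sad: SADatabase, dst: str, spi: int, protocol: str, seq: int) -> str:
    """Receiver side: select the SA from the packet's triple, then run the replay check."""
    sa = sad.lookup(dst, spi, protocol)
    if sa is None:
        return "no-sa"                        # unknown SA: discard (and log) per RFC 4301
    return "accept" if sa.check_replay(seq) else "replay"

def demo() -> list:
    """Feed a constructed sequence of AH packets through the slide's example SA."""
    sad = SADatabase()
    sad.add(SecurityAssociation("192.168.2.1", 0x7A390BC1, "AH", "AH, HMAC-MD5",
                                bytes.fromhex("7572CA49F7632946")))
    # in order, in order, gap, late-but-in-window, duplicate, big jump, too old, last in window
    return [process_inbound(sad, "192.168.2.1", 0x7A390BC1, "AH", s)
            for s in (1, 2, 5, 3, 3, 100, 30, 37)]
```

demo() returns accept, accept, accept, accept, replay, accept, replay, accept: sequence 3 is accepted once after the jump to 5, its duplicate is rejected, and after the jump to 100 anything below 37 falls outside the 64-packet window and is dropped, which is why a large window matters on paths that reorder heavily. Since an SA is unidirectional, the reverse direction needs its own entry with its own SPI.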
IPSec Modes in an SA

Protocol | Transport mode SA | Tunnel mode SA
AH | Authenticates the IP payload & selected parts of the IP header & IPv6 extension headers | Authenticates the entire inner IP packet & selected parts of the outer IP header & outer IPv6 extension headers
ESP (encryption only) | Encrypts the IP payload + any IPv6 extension headers after the ESP header | Encrypts the inner IP packet
ESP (encryption + authentication) | Encrypts the IP payload + any IPv6 extension headers after the ESP header; authenticates the IP payload | Encrypts & authenticates the inner IP packet
IPSec AH & ESP
• AH (Authentication Header): authentication & integrity of the payload and of the immutable parts of the IP header
• ESP (Encapsulating Security Payload):
– Data confidentiality (encryption)
– Limited traffic flow confidentiality
– Data integrity
– Optional data origin authentication
– Anti-replay protection
– Does NOT protect the outer IP header
IPSec AH: Authentication, IPv4 vs. IPv6 (figure: header layout in transport and tunnel mode)
IPSec ESP: IPv4 vs. IPv6 (figure: header layout in transport and tunnel mode)
IKE (Internet Key Exchange), RFC 2409 = hybrid protocol (the ISAKMP framework combined with the Oakley and SKEME key exchange techniques)
IKE is a 2-phase protocol:
• Phase 1: the peers negotiate a secure, authenticated channel with which to communicate ('Main Mode' or 'Aggressive Mode') and accomplish a Phase 1 exchange, establishing the IKE SA. Caveat: Aggressive Mode with pre-shared keys sends the identity hash unprotected, exposing the PSK to offline dictionary attacks; prefer Main Mode or IKEv2.
• Phase 2: security associations are negotiated on behalf of IPSec services; 'Quick Mode' accomplishes a Phase 2 exchange, establishing the IPSec SAs.
How Does IKE Work? (figure)
1. IKE Phase 1 between the IPSec peers
2. Secure communication channel (the IKE SA)
3. IKE Phase 2 over that channel
4. IPSec tunnel: secured traffic exchange
IKEv2 (RFC 7296) replaces the two phases with the IKE_SA_INIT / IKE_AUTH exchanges and CREATE_CHILD_SA.
IPSec Terminology
• Data integrity: secure hashing (HMAC) is used to ensure NO data alteration in transit
• Data confidentiality: encryption is used to ensure data can NOT be read by a 3rd party that intercepts it
• Data origin authentication: authentication of the SA peer
• Anti-replay: sequence numbers are used to detect & discard duplicate packets
• Hash Message Authentication Code (HMAC): a hash of the data & a secret key, used to provide message authenticity
• Diffie-Hellman exchange: a shared secret key is established over an insecure path using public and private values
IPSec Transforms
• An IPSec transform specifies either an AH or an ESP protocol and its corresponding algorithms and mode.
IPSec Transform Set
• A transform set is a combination of IPSec transforms that enact a security policy for traffic.
• Up to 3 transforms can be in a set.
• Sets are limited to up to 1 AH and up to 2 ESP transforms (one for encryption, one for authentication).
5 Steps of IPSec
1. Interesting traffic: access lists determine the traffic to encrypt. Permit: the traffic must be encrypted. Deny: the traffic is sent unencrypted.
2. IKE Phase One: authenticates the IPSec peers; negotiates how to protect the IKE exchange; exchanges keys; establishes the IKE SA.
3. IKE Phase Two: negotiates the IPSec SA, protected by the existing IKE SA; establishes the IPSec SA; periodically renegotiates IPSec SAs to ensure security.
4. IPSec encrypted tunnel: information is exchanged via the IPSec tunnel; packets are encrypted & decrypted using the encryption specified in the IPSec SA.
5. Tunnel termination: the tunnel is terminated when the SA lifetime times out or the packet / byte counter is exceeded (the SA is not tied to individual TCP sessions); the IPSec SA is then removed.
Cryptographically Generated Addresses (CGA), RFC 3972
• Each device has an RSA key pair (NO certification authority needed)
• Ultra-light check for validity
• Prevents spoofing of a valid CGA address
Secure Neighbor Discovery (SEND), RFC 3971: the standard that mitigates ND attacks, based on CGA
• Certification paths: anchored on trusted parties, expected to certify the authority of the routers over some prefixes
• Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifiers are cryptographically generated from the node's public key
• RSA Signature option: protects all messages relating to neighbor & router discovery
• Timestamp and Nonce options: prevent replay attacks
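The CGA generation and the "ultra-light" verification from the two slides above, written out per RFC 3972. This is an added example, not code from the talk: generate_cga brute-forces a modifier until Hash2 has 16*Sec leading zero bits, derives the interface identifier from Hash1 over modifier | prefix | collision count | public key, and encodes Sec in the top three bits while clearing the u/g bits; verify_cga re-runs the two hashes on the received parameters. The public key is a constructed placeholder for the DER-encoded SubjectPublicKeyInfo an implementation would use, so the example needs no crypto library; SHA-1 is the hash the RFC specifies. The RSA signature that SEND puts over the ND message is not shown.

```python
import hashlib
import ipaddress
import os

# Constructed stand-in for the DER-encoded SubjectPublicKeyInfo of the node's RSA key.
PUBKEY = b"constructed-placeholder-for-DER-SubjectPublicKeyInfo"

def _hash1(modifier: bytes, prefix: bytes, collision: int, pubkey: bytes) -> bytes:
    # RFC 3972 section 4, step 4: SHA-1 over modifier | subnet prefix | collision count | key
    return hashlib.sha1(modifier + prefix + bytes([collision]) + pubkey).digest()[:8]

def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # RFC 3972 step 2: SHA-1 over modifier | 9 zero bytes | key, leftmost 112 bits
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]

def _hash2_ok(h2: bytes, sec: int) -> bool:
    # The leftmost 16*Sec bits of Hash2 must be zero (always true for Sec = 0)
    return sec == 0 or int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0

def generate_cga(prefix: str, pubkey: bytes, sec: int = 1, modifier: bytes = None,
                 collision: int = 0) -> tuple:
    """Return (address, CGA parameters) for a /64 prefix and security parameter Sec."""
    prefix_bytes = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    m = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    while True:                               # brute-force the modifier until Hash2 qualifies
        mb = m.to_bytes(16, "big")
        if _hash2_ok(_hash2(mb, pubkey), sec):
            break
        m = (m + 1) % (1 << 128)
    iid = bytearray(_hash1(mb, prefix_bytes, collision, pubkey))
    iid[0] = (iid[0] & 0x1F) | (sec << 5)     # bits 0-2 of the interface ID encode Sec
    iid[0] &= 0xFC                            # bits 6-7 (u and g) are cleared
    address = ipaddress.IPv6Address(prefix_bytes + bytes(iid))
    params = {"modifier": mb, "prefix": prefix_bytes, "collision": collision, "pubkey": pubkey}
    return str(address), params

def verify_cga(address: str, params: dict) -> bool:
    """RFC 3972 section 5: the ultra-light check a SEND node runs on a received address."""
    packed = ipaddress.IPv6Address(address).packed
    if params["collision"] > 2 or params["prefix"] != packed[:8]:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5
    h1 = _hash1(params["modifier"], params["prefix"], params["collision"], params["pubkey"])
    # Compare Hash1 with the interface ID, ignoring the Sec bits (0-2) and u/g bits (6-7)
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    return _hash2_ok(_hash2(params["modifier"], params["pubkey"]), sec)
```

An attacker who substitutes their own key in the parameters fails Hash1, and one who wants to claim someone else's Sec=1 address must find a Hash1 preimage, which is what prevents spoofing a valid CGA without its private key. Verification is cheap (two SHA-1 computations); the cost of generation grows by 2^16 per step of Sec, which is the knob that trades generation time for resistance to brute force.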
Firewall Model Change
• Old: ONE point for routing & security policy
• New: distributed firewalls
Common IPv4 & IPv6 Security Concerns
DDoS Vulnerabilities, Threats and Targets (figure)
Lower Levels Affect Higher Levels
• OSI was built to allow different layers to work without knowledge of each other.
• Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem.
• Security is only as strong as the weakest link.
• In networking, layer 2 can be a very weak link.
Attack Surfaces & Layers: Common IPv4 & IPv6 Security Issues
• Denial of Service attacks (DoS): an attempt to make a computer resource unavailable to its intended users. One common method involves flooding the target host with requests, thus preventing valid network traffic from reaching the host.
• Viruses & worms distribution: malicious code / programs propagate themselves from one infected or compromised host to another. In IPv4 this distribution is aided by the small address space, which makes scanning for victims easy.
• Man-in-the-middle attacks (MITM): without strong mutual authentication, any attack utilizing MITM has the same likelihood in IPv6 as in IPv4.
• Sniffing: IPv6 is NO less likely to fall victim to a sniffing attack than IPv4.
• Fragmentation attacks: the attack uses many small fragmented ICMP packets which, when reassembled at the destination, exceed the maximum allowable size for an IP datagram, which can cause the victim host to crash, hang or even reboot.
• Application layer attacks: the majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do NOTHING to prevent.
Misc. Daily Probes & Attacks
• Layer 1: wiretapping, console access, rogue devices
• Layer 2: VLAN "hopping"; MAC, DHCP, ARP spoofing
• Layer 3: IP spoofing, DDoS, routing, smurf, tunneling, transition
• Layers 4-7: viruses, worms, application, rogue software, MITM
• Multiple layers: reconnaissance, sniffing, unauthorized access
Threats Overview: Top TCP & UDP Attacks (figure)
IPv6 Transition Threats
IPv4 to IPv6 Transition Landscape Challenges: 16+ transition methods (dual stack, tunnels), possibly in combination
• Consider security for both protocols
• Resiliency (shared resources)
• Applications can be subject to attack on both IPv6 & IPv4
• Host security controls should block & inspect traffic from both
• Tunnels bypass the firewall (protocol 41 or UDP)
• Tunnels can cause asymmetric traffic (hence breaking stateful firewalls)
Example: L3-L4 Spoofing in IPv6 When Using IPv6 over IPv4 Tunnels
• Most IPv4 / IPv6 transition mechanisms have NO authentication built in
• => an IPv4 attacker can inject traffic into the tunnel by spoofing both the IPv4 & IPv6 source addresses
Example: ISATAP / 6to4 Tunnels Bypass ACLs (figure)
Example: Transition Threats, e.g. ISATAP
• Unauthorized tunnels: firewall bypass (protocol 41)
• The IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise. This has implications for network segmentation & network discovery.
• NO authentication in ISATAP, so rogue routers are possible
• IPv6 addresses can be guessed from the IPv4 prefix (the ISATAP interface identifier embeds the host's IPv4 address)
Example: Teredo Tunnels (figures)
1. Without Teredo: controls are in place
2. With Teredo: no more outbound control
3. With Teredo: no more inbound control
L3 Spoofing in IPv6
uRPF (Unicast Reverse Path Forwarding) remains the primary tool for protecting against L3 spoofing (e.g. DoS)
• Dual stack: preferred, BUT running dual stack gives you at least twice the number of vulnerabilities
• Tunnels (6to4, etc.) can bypass firewall / security
• Tunneling mechanisms are susceptible to packet forgery and DDoS attacks
•Manual tunnels: preferred:
– Filter on tunnel source / destination and use IPSec
– If the source is spoofed, return traffic is not sent to the attacker
• Dynamic tunnels:
– 6to4 relay routers are "open relays"
– ISATAP: potential MITM attacks
– Attackers can spoof source / destination IPv4 / IPv6 addresses
• Deny packets for transition techniques NOT in use:
– Deny IPv4 protocol 41 forwarding unless 6to4 or configured tunneling is exactly what is intended
– Deny UDP 3544 forwarding unless you are using Teredo tunneling
Transition Mechanism Threats Summary
1) Dual stack = vulnerabilities of v4 + v6.
2) If a FW is NOT configured to apply the same level of screening to IPv6 packets as to IPv4 packets, the FW may let IPv6 pass through to dual-stack hosts.
The 3 main potential problems with 6to4 are:
1. 6to4 routers not being able to identify whether relays are legitimate
2. Wrong or partially implemented 6to4 router or relay security checks
3. The 6to4 architecture used to participate in DoS or reflected DoS, making attacks harder to trace
Transition Threats Comparison: dual stack vs. tunneling (figure)
L3-L4 Spoofing in IPv6 with 6to4 Tunneling (figure)
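The "deny what is not in use" policy and the 6to4 spoofing problem from the transition slides, as an added example that is not code from the talk. classify_ipv4 spots tunneled IPv6 inside an IPv4 packet (protocol 41 for 6in4 / 6to4 / ISATAP, UDP port 3544 for Teredo); embedded_ipv4 recovers the IPv4 endpoint that a 6to4, Teredo or ISATAP address embeds; check_tunnel drops transition traffic unless it is explicitly allowed and, for 6to4, applies the RFC 3964 consistency check that the embedded IPv4 address must match the outer source. The sample packets are constructed, with checksums left at zero, and the Teredo address is the documented example form whose client is 192.0.2.45.

```python
import struct
from ipaddress import IPv4Address, IPv6Address, IPv6Network

PROTO_UDP, PROTO_IPV6 = 17, 41        # IPv4 protocol numbers
TEREDO_PORT = 3544
ISATAP_IIDS = (bytes.fromhex("00005efe"), bytes.fromhex("02005efe"))   # ::[0|200]:5efe:w.x.y.z

def embedded_ipv4(addr: str) -> tuple:
    """Recover the IPv4 endpoint that a 6to4, Teredo or ISATAP address embeds."""
    a = IPv6Address(addr)
    p = a.packed
    if a in IPv6Network("2002::/16"):          # 6to4: 2002:WWXX:YYZZ::/48
        return "6to4", str(IPv4Address(p[2:6]))
    if a in IPv6Network("2001::/32"):          # Teredo: client IPv4 is the last 32 bits XOR 0xFFFFFFFF
        return "teredo", str(IPv4Address(bytes(b ^ 0xFF for b in p[12:16])))
    if p[8:12] in ISATAP_IIDS:                 # ISATAP: IPv4 in the low 32 bits of the IID
        return "isatap", str(IPv4Address(p[12:16]))
    return None, None

def inner_ipv6(ipv6: bytes) -> tuple:
    """(source, destination) of an encapsulated IPv6 packet."""
    if len(ipv6) < 40 or ipv6[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return str(IPv6Address(ipv6[8:24])), str(IPv6Address(ipv6[24:40]))

def classify_ipv4(pkt: bytes) -> dict:
    """Spot transition traffic inside an IPv4 packet: protocol 41 or UDP port 3544."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    result = {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
              "tunnel": None, "inner": None}
    if proto == PROTO_IPV6:
        result["tunnel"], result["inner"] = "proto-41", inner_ipv6(pkt[ihl:])
    elif proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            result["tunnel"], result["inner"] = "teredo", inner_ipv6(pkt[ihl + 8:])
    return result

def check_tunnel(pkt: bytes, allowed=frozenset()) -> tuple:
    """Border policy: deny transition traffic unless it is in use, and check 6to4 consistency."""
    c = classify_ipv4(pkt)
    if c["tunnel"] is None:
        return "accept", "native IPv4"
    if c["tunnel"] not in allowed:
        return "drop", f"{c['tunnel']} not in use here (deny protocol 41 / UDP 3544)"
    kind, embedded = embedded_ipv4(c["inner"][0])
    # RFC 3964 check: a 6to4 source must embed the IPv4 address the packet actually came from
    if kind == "6to4" and embedded != c["src"]:
        return "drop", f"6to4 source embeds {embedded} but outer IPv4 source is {c['src']} (spoofed)"
    return "accept", f"{c['tunnel']} tunnel from {c['src']}"

def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Constructed IPv4 header; checksum left zero because nothing is transmitted
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + IPv4Address(src).packed + IPv4Address(dst).packed + payload

def _ipv6(src: str, dst: str) -> bytes:
    # Constructed IPv6 header with No Next Header (59) and an empty payload
    return struct.pack("!IHBB", 6 << 28, 0, 59, 64) + IPv6Address(src).packed + IPv6Address(dst).packed

# Constructed samples: 192.0.2.1 is c000:0201, i.e. the 6to4 prefix 2002:c000:201::/48
SAMPLES = {
    "plain": _ipv4("192.0.2.1", "198.51.100.9", 6, bytes(20)),
    "6to4": _ipv4("192.0.2.1", "192.88.99.1", 41, _ipv6("2002:c000:201::1", "2001:db8::1")),
    "6to4-spoof": _ipv4("198.51.100.7", "192.88.99.1", 41, _ipv6("2002:c000:201::1", "2001:db8::1")),
    "teredo": _ipv4("203.0.113.5", "65.54.227.120", 17, struct.pack("!HHHH", 3544, 3544, 48, 0)
                    + _ipv6("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::1")),
}
```

With the default empty allow-list every tunnel is dropped, which is the slide's recommendation; allowing "proto-41" still drops the spoofed 6to4 sample because its inner source embeds 192.0.2.1 while the packet arrived from 198.51.100.7. The same decoding is what lets a defender map a tunneled IPv6 address back to the IPv4 host to chase during incident response.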
IPv6 Security Techies
IPv6 Security Building Blocks
• Endpoint protection
• Admission control
• Infection containment
• Intelligent correlation & incident response
• IPS & anomaly detection
• Application security & defense
Protection Techniques
• Perimeter protections from the Internet and external entities
• Secure remote-site connectivity with Virtual Private Network (VPN) technologies
• Infrastructure protection measures to ensure a secure network foundation
• Server security to protect the critical IT assets and data
• Client security measures to mitigate the insider threat
IPv6 Security Plan (1)
• Equipment configuration
• Perimeter defense (FW, ACL, IDPS)
• Content filtering
• Mail filtering
• Patch management
• Vulnerability management (scanning)
• Certification & accreditation of the new systems
• AAA (Authentication, Authorization & Accounting)
• Rogue detection
• Infrastructure protocol security: IPSec
Firewall Security World (2)
• Old model: core routers individually secured; every router accessible from outside
• New model: core routers secured individually; routers generally NOT accessible from outside
Enforcing a Security Policy. Example: Cisco IOS IPv6 ACL (figure)
Example: Basic IPv6 Packet Filtering (figure)
Example: IPv6 Firewall Feature Set (figure)
Router Security World (3)
• Old model: policy enforced at process level (SNMP ACL, etc.); some early features such as ingress ACLs used when possible
• New model: central policy enforcement, prior to process level; granular protection schemes; on high-end platforms, hardware implementations
IPv6 Routing Header
• An extension header, processed by the listed intermediate routers
• 2 types:
– Type 0: similar to IPv4 source routing (multiple intermediate routers)
– Type 2: used for Mobile IPv6
Preventing Routing Header Attacks
• Use IPSec to secure routing protocols such as OSPFv3 & RIPng
• Apply the same policy for IPv6 as for IPv4: prevent processing at the intermediate nodes
• At the edge: with an ACL blocking the routing header
• RFC 5095: RH0 is deprecated. By default Cisco routers changed in IOS release 12.4(15)T to ignore and drop RH0
• Block Routing Header type 0 on the router itself: no ipv6 source-route
ICMPv6 & Other Related Security Implications (4)
ICMPv6 is essential to IPv6 & dual-stack network functioning: it reports errors if packets can NOT be processed properly & sends informational messages about the status of the network.
ICMPv4 vs. ICMPv6 => the ICMP policy on the FW needs to change
Generic ICMPv4 border FW policy and the equivalent ICMPv6 policy (figure)
Potential additional ICMPv6 messages to permit (figure)
ICMPv6 Neighbor Discovery
• If A needs the MAC of B, it sends an ICMPv6 Neighbor Solicitation (NS) to the solicited-node multicast address derived from B's address (Router Advertisements, by contrast, go to the All-Nodes multicast address)
• B sees the request and responds to A with an ICMPv6 Neighbor Advertisement (NA) carrying its MAC address
• => Like ARP, but anybody on the link can respond to the request
ICMPv6 Duplicate Address Detection (DAD)
• If A sets a new IP address, it performs the Duplicate Address Detection (DAD) check to see whether anybody already uses the address
• Anybody can respond to the DAD checks...
• => dos-new-ip6 (thc-ipv6) prevents new systems from joining the LAN
ICMPv6 Stateless Auto-Configuration
• Routers send periodic (& solicited) Router Advertisements (RA) to the All-Nodes multicast address
• Clients configure their routing tables and network prefix from the advertisements => like a DHCP-light in IPv4
• Anyone can send Router Advertisements!
ICMPv6 Threats: DHCPv6
• Rogue devices on the network giving misleading information or consuming resources (DoS)
– Rogue DHCPv6 clients and servers on the link-local multicast address (FF02::1:2): same threat as in IPv4
– Rogue DHCPv6 servers on the site-local multicast address (FF05::1:3): new threat in IPv6
• Scanning is possible if leased addresses are consecutive
ICMPv6 Threats Mitigation
• Rogue clients & servers can be mitigated by using the authentication option in DHCPv6
• A port ACL can block DHCPv6 server traffic from client ports: deny udp any eq 547 any eq 546
• Cisco Network Registrar (DHCPv6 server): leased addresses are random => scanning is difficult; it can also lease temporary addresses (like privacy extensions)
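Detection logic for the "anyone can send Router Advertisements" problem above, as an added example that is not code from the talk. parse_ra decodes an ICMPv6 Router Advertisement (RFC 4861) with its Source Link-Layer Address and Prefix Information options; check_ra applies the policy a switch-side RA Guard or a monitoring sensor would encode: the RA must arrive with hop limit 255 (the GTSM check from the quick facts, since a packet that crossed a router cannot have it), it must come from a known router's link-local address, and that router may only announce its assigned prefixes. A lifetime of 0 from a trusted router is reported too, because that is how an attacker kills the default route. The trusted-router table and the RA packets are constructed for the demo; checksums are left at zero since nothing is sent.

```python
import struct
from ipaddress import IPv6Network

ND_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO = 1, 3

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861 section 4.2) and its ND options."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _cur_hlim, flags, lifetime, _reach, _retrans = struct.unpack("!BBHII", icmp[4:16])
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "source_mac": None}
    off = 16
    while off + 2 <= len(icmp):              # options are TLVs, length in 8-byte units
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed ND option")
        body = icmp[off + 2: off + olen]
        if otype == OPT_SOURCE_LLADDR:
            ra["source_mac"] = body.hex(":")
        elif otype == OPT_PREFIX_INFO:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix = IPv6Network((body[14:30], plen), strict=False)
            ra["prefixes"].append({"prefix": str(prefix), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40), "valid": valid,
                                   "preferred": preferred})
        off += olen
    return ra

def check_ra(src: str, hop_limit: int, icmp: bytes, trusted: dict) -> list:
    """Policy findings for one RA; an empty list means it looks legitimate.

    trusted maps a router's link-local source address to the set of prefixes it may announce.
    """
    ra = parse_ra(icmp)
    findings = []
    if hop_limit != 255:
        findings.append("hop limit != 255: RA did not originate on-link (RFC 4861)")
    if src not in trusted:
        findings.append(f"RA from untrusted source {src}: rogue router")
        return findings
    for p in ra["prefixes"]:
        if p["prefix"] not in trusted[src]:
            findings.append(f"unexpected prefix {p['prefix']} from {src}")
    if ra["router_lifetime"] == 0:
        findings.append(f"{src} withdrawing itself as default router (lifetime 0)")
    return findings

def build_ra(prefixes, lifetime=1800, managed=False, mac=b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Constructed RA for the demo: header, Source Link-Layer Address, one Prefix Info per prefix."""
    flags = 0x80 if managed else 0
    msg = bytes([ND_ROUTER_ADVERTISEMENT, 0, 0, 0, 64, flags]) + struct.pack("!HII", lifetime, 0, 0)
    msg += bytes([OPT_SOURCE_LLADDR, 1]) + mac
    for pfx in prefixes:
        net = IPv6Network(pfx)
        # L and A flags set, valid 30 days, preferred 7 days, reserved, then the prefix
        msg += bytes([OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0]) + struct.pack("!III", 2592000, 604800, 0)
        msg += net.network_address.packed
    return msg

# Constructed trust table: the legitimate router and the prefix it is allowed to announce
TRUSTED = {"fe80::1": {"2001:db8:1::/64"}}
```

check_ra("fe80::1", 255, build_ra(["2001:db8:1::/64"]), TRUSTED) returns no findings; the same RA from fe80::dead is reported as a rogue router, and a trusted router announcing 2001:db8:bad::/64 is reported for the prefix. On the wire the source address and hop limit come from the IPv6 header, which the sensor must take from the same packet rather than from the RA options.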
5 MUST: Good IPSec Policy
Host-to-host (H2H) scenarios A and B, gateway-to-gateway (G2G) scenarios C and D, and the host-to-gateway / gateway-to-host (H2G + G2H) scenario E all use the same policy:
• IKE Phase 1 (ISAKMP):
– 3DES
– Lifetime
– SHA-1
– DH Group 2 (MODP)
• IKE Phase 2 (IPSec):
– 3DES
– Lifetime
– SHA-1
– PFS
– DH Group 2 (MODP)
Caveat: this was a 2011 baseline. 3DES, SHA-1 and the 1024-bit DH group 2 are no longer considered adequate; current guidance (RFC 8247 for IKEv2, RFC 8221 for ESP / AH) is AES (ideally AES-GCM), SHA-2 and DH group 14 or larger, or the ECDH groups 19 / 20.
Some IPv6 Security Tools (6)
• Sniffers / packet capture: Snort, Sun Solaris snoop, COLD, Wireshark, Analyzer, Windump, WinPcap, TCPdump
• Scanners: IPv6 security scanner, Halfscan6, Nmap, Strobe, Netcat
• Packet forgers: Scapy6, Packit, Spak6, SendIP
• DoS tools: 6tunneldos, 4to6ddos, Imps6-tools
• THC-IPv6 attack toolkit: http://www.thc.org/thc-ipv6
Some IPv6 Security Tools: THC-IPv6 (http://www.thc.org/thc-ipv6)

Tool | Usage
alive6 | Find all local IPv6 systems, check aliveness of remote systems
parasite6 | ICMPv6 Neighbor Solicitation / Advertisement spoofer for man-in-the-middle attacks
redir6 | Redirect traffic to your system on a LAN
fake_router6 | Fake a router, implant routes, become the default router, ...
detect-new-ip6 | Detect new IPv6 systems on the LAN, automatically launch a script
dos-new-ip6 | Deny any new IPv6 system access to the LAN (DAD spoofing)
smurf6 | Local smurf tool (attack your own LAN)
rsmurf6 | Remote smurf tool (attack a remote LAN)
toobig6 | Reduce the MTU of a target
fake_mld6 | Play around with Multicast Listener Discovery reports
fake_mipv6 | Reroute Mobile IPv6 nodes where you want them if no IPSec is required
sendpees6 | Neighbor Solicitations with lots of CGAs (makes a SEND node burn CPU verifying them)
Protocol tester | Various tests
TCPdump | Dumps traffic on IPv6 networks
Some IPv6 Security Tools (continued)

Tool | Usage
IPTrap | Listens on several TCP ports to simulate fake services (X11, NetBIOS, DNS, etc.). When a remote client connects to one of these ports, its IP gets immediately firewalled & an alert is logged. It runs with iptables and ipchains, but any external script can also be launched. IPv6 is supported.
AESOP | A TCP proxy that supports many advanced and powerful features. Aesop uses strong cryptography for all its data transmission up to the end link. Aesop proxies can be transparently stacked into a secure chain. Aesop supports IPv6 and can be used as a secure IPv4-to-IPv6 tunnel for TCP connections. Aesop is implemented using multiplexing and is therefore fast and lightweight.
Netstat | Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IPv4 routing table, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols), the IPv6 routing table & IPv6 statistics (for IPv6, ICMPv6, TCP over IPv6 & UDP over IPv6).
SendIP | For sending arbitrary IP packets
COLD | A network monitoring & protocol analyzing tool which allows you to study, maintain & troubleshoot networks by extracting flowing data & printing out its contents & structure.
Some IPv6 Security Tools (continued)

Tool | Usage
Nmap | The command syntax is the same as for IPv4 except that you also add the -6 option. In order to perform an IPv6 scan, both the source (your host) & the target of the scan must be configured for IPv6: each must have an IPv6 address & routing information. One must use IPv6 syntax if specifying an address rather than a hostname. An address might look like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are recommended. If your ISP (like most of them) does not allocate IPv6 addresses, free tunnel brokers are widely available and work fine with Nmap, for example the free IPv6 tunnel broker service at http://www.tunnelbroker.net; 6to4 tunnels are another popular, free approach. The scan output looks the same as with IPv4, the IPv6 address on the "interesting ports" line being the only giveaway.
CH Scanner | An ARP, IPv4 & IPv6 network scanner with 31 scan methods: it scans for open ports, protocols, NetBIOS information & Windows shares, SNMP information & WMI (WBEM) information. It also has the ability to turn on (using Wake-On-LAN) & to shut down or reboot a remote Windows host. Features an automatic (scriptable) working mode, a hunt mode, a passive mode & a normal scanning mode.
Hyenae | Allows you to reproduce low-level Ethernet attack scenarios (such as MITM & DDoS) to reveal potential security vulnerabilities in a network.

THC-IPv6 alive6 (http://www.thc.org/thc-ipv6)
• Finds all local IPv6 systems & checks aliveness of remote systems
• Works for local / remote unicast targets & local multicast addresses
• Sends three different types of packets:
– ICMPv6 Echo Request
– IPv6 packet with an unknown header
– IPv6 packet with an unknown hop-by-hop option
Routing header attack (like IPv4 source routing): use alive6 to check whether routing headers are allowed to reach a target
1. Check if your ISP does ingress filtering: send a packet from yourself to yourself via a remote system:
alive6 eth0 YOUR-IP VICTIM-IP
2. Find all servers in the world behind an anycast address: send packets to the anycast address via several remote systems:
alive6 eth0 AnyCastAddr VICTIM-IP1
alive6 eth0 AnyCastAddr VICTIM-IP2
... etc.
redir6: redirect traffic to your system on a LAN (route implanting with ICMPv6 Redirects)
1. (A)ttacker sends an Echo Request with source (T)arget and destination (V)ictim
2. (V)ictim receives the Echo Request and sends a Reply to (T)
3. (A)ttacker crafts a Redirect with source (R)outer and destination (V)ictim, redirecting all traffic for (T) to (A)
smurf6: local smurf tool (attack your own LAN)
• Source is the target, destination is a local multicast address
• Generates lots of local traffic that is sent to the source
rsmurf6: remote smurf tool (attack a remote LAN)
• Source is the local All-Nodes multicast address, destination is our target
• If the target has a mis-implemented IPv6 stack, it responds with an Echo Reply to the All-Nodes multicast address
fake_mipv6: reroute Mobile IPv6 nodes where you want them if no IPSec is required
• The protocol specification is secure because IPSec is mandatory
• All implementations have the option to disable the IPSec requirement
• If this is done, use fake_mipv6 to redirect traffic for any Mobile IPv6 node to a destination of your choice
Some IPSec Tools (7)

Tool | Usage | Publisher
IPSec Diagnostic Tool 1.0 | Assists network administrators with troubleshooting network-related failures; applicable on Windows XP, Windows Server 2003, Windows Vista & Windows Server 2008 | www.microsoft.com
IPSecuritas 3.3 | A client for Mac OS X. It supports virtually every available IPSec-compliant firewall, allowing you to connect safely to your office or home network from any location | www.lobotomo.com
IPSecScan 1.1 | Scans either a single IP address or a range of IP addresses looking for systems that are IPSec enabled | www.ntsecurity.nu
IPSec VPN Client 4.70.001 | Compliant with most popular VPN gateways, allowing fast integration in existing networks. Full IPSec standards, full IKE NAT traversal, IP address emulation, strong encryption (X.509, AES...), strong authentication mechanisms, high performance, no system overhead, DNS and WINS resolution supported, operates as a service allowing use on unattended servers, accepts incoming IPSec tunnels, optional 'IPSec only' traffic filtering | www.thegreenbow.com
IPSec-Tools 0.8.0 | A port of KAME's IPSec utilities to the Linux 2.6 IPSec implementation. It supports NetBSD and FreeBSD as well | www.sourceforge.net
IPv6 Security Road-Map & How-To: Wrap-up
• Close the IPv6 security-perspectives knowledge gap: Training!
• Have an understood & enforced IPv6 Security Plan
• Configure Security Parameters (i.e. do NOT stop at merely implementing security features)
• Allow for full IPSec + use IPSec to secure OSPFv3 & RIPng
• Ingress / Egress IPv6 filtering at the perimeter
• Use manual tunnels instead of dynamic tunnels
• Program routers / switches to disable IPv6 tunnels
• Filter internal-use IPv6 at the enterprise border routers
• Filter ICMP & determine which ICMPv6 messages are required
• Use IPv6 network protection tools & enable IPv6 IDS / IPS
• Drop all fragments with less than 1280 octets
• Use cryptographic protections where critical
• Use static neighbor entries for critical systems
• Use IPv6 hop limits to protect network devices
• Separate Routing Registry for IPv4 and IPv6
IPv6 is NO more secure than IPv4 if we do NOT:
IPv6 Security Issues To Be Kept In Mind!
OSI Layers & IPv6 Security Issues
IPv6 Security Issues To Be Kept In Mind!
IPv6 Defenses
Defense: SEND (Secure Neighbor Discovery)
Used For: A security extension of the Neighbor Discovery Protocol (NDP) in IPv6. NDP replaces IPv4 ARP and is responsible for discovering other nodes on the link, determining the link-layer addresses of other nodes, finding available routers, and maintaining reachability information about the paths to other active neighbor nodes.
Defense: CGA (Cryptographically Generated Address)
Used For: A method for binding a public signature key to an IPv6 address in the Secure Neighbor Discovery Protocol (SEND).
Defense: ULAs (Unique Local Addresses)
Used For: An IPv6 address in the block fc00::/7 defined in RFC 4193. They are intended for systems that are NOT connected to the Internet.
Defense: IPSec
Used For: IPSec with Authentication Header (AH) & Encapsulating Security Payload (ESP) can protect IPv6 hosts from all kinds of DoS attacks & has the ability to recognize the spoofed source address (or original identity) of the malicious packets received. IPSec is also able to protect IPv6 hosts from DDoS attacks with spoofed addresses.
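As an added example that is not part of the slides, the CGA binding described in the table above, written out as a compact RFC 3972 generator and verifier in Python. The public key bytes are a constructed placeholder standing in for the DER-encoded key a real node would hash, and the sec=1 search is the "hash extension" that makes brute-forcing a matching key costlier.

```python
import hashlib
import ipaddress
import os

# Added example, not code from the slides: an RFC 3972 CGA generator and verifier.
# The public key is a constructed placeholder; a real CGA hashes the DER-encoded
# SubjectPublicKeyInfo of the node's RSA key.

def _hash1(modifier, prefix, collisions, pubkey):
    # Hash1 = leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | key)
    return hashlib.sha1(modifier + prefix + bytes([collisions]) + pubkey).digest()[:8]

def _hash2_ok(modifier, pubkey, sec):
    # Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero bytes | key); the sec
    # parameter requires its leftmost 16*sec bits to be zero (hash extension)
    h = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return sec == 0 or (h >> (112 - 16 * sec)) == 0

def cga_generate(prefix, pubkey, sec, modifier=None, collisions=0):
    """Return (address, modifier) for a CGA inside the given /64 prefix."""
    prefix_bytes = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    modifier = modifier or os.urandom(16)
    # Brute-force search for a modifier satisfying the Hash2 condition (cost ~2^(16*sec))
    while not _hash2_ok(modifier, pubkey, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix_bytes, collisions, pubkey))
    # Leftmost 3 bits carry sec; the 'u' and 'g' bits (bits 6 and 7) are cleared
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return ipaddress.IPv6Address(prefix_bytes + bytes(iid)), modifier

def cga_verify(address, pubkey, modifier, collisions=0):
    """RFC 3972 section 5: does this address really bind this key?"""
    if collisions > 2:
        return False
    packed = ipaddress.IPv6Address(address).packed
    prefix_bytes, iid = packed[:8], packed[8:]
    sec = iid[0] >> 5                       # sec is read from the address itself
    expected = bytearray(_hash1(modifier, prefix_bytes, collisions, pubkey))
    expected[0] = (sec << 5) | (expected[0] & 0x1C)
    # Both the Hash1 match and the Hash2 zero-bit condition must hold
    return bytes(expected) == iid and _hash2_ok(modifier, pubkey, sec)

if __name__ == "__main__":
    key = b"constructed-placeholder-public-key"
    addr, mod = cga_generate("2001:db8:1::/64", key, sec=1, modifier=bytes(16))
    print(addr, cga_verify(addr, key, mod), cga_verify(addr, b"other-key", mod))
```

A SEND receiver runs cga_verify on the CGA parameters carried in the Neighbor Discovery message before it even checks the RSA signature, so a spoofed address that was not derived from the signer's key is rejected cheaply.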
A MUST: Avoid IPv6 Tunneling
• 6to4 does NOT support source address filtering
• Teredo = holes into the NAT device
• Any tunneling mechanism may be prone to spoofing
• With any tunneling mechanism you trust the relay servers
A MUST: IPv6 FW Policies
• Do NOT just use your IPv4 FW for IPv6 rules
• Do NOT just allow IPSec or IPv4 protocol 41 through the FW
• On networks that are IPv4-only, block all IPv6 traffic
• Procure a FW for IPv6 policy
• Look for vendor support of Extension Headers
• The FW should have granular filtering of ICMPv6 & multicast
• Layer-2 FWs are trickier with IPv6 because of ICMPv6 ND / NS / RA / RS messages
Some IPv6 Security Recommendations (1)
If NOT deploying IPv6 completely:
1. Block all IPv6 traffic, native & tunneled, at the organization's FW. Both incoming & outgoing traffic should be blocked.
2. Disable all IPv6-compatible ports, protocols & services on all software and hardware.
3. Begin to acquire familiarity and expertise with IPv6, through laboratory experimentation &/or limited pilot deployments.
4. Make organization web servers, located outside of the organizational FW, accessible via IPv6 connections. This will enable IPv6-only users to access the servers & aid the organization in acquiring familiarity with some aspects of IPv6 deployment.
Some IPv6 Security Recommendations (2)
If deploying IPv6:
• Apply an appropriate mix of different types of IPv6 addressing (privacy addressing, ULA, etc.) to limit access to & knowledge of IPv6-addressed environments. Leverage IPSec to secure IPv6 when suitable.
• Use automated address management tools to avoid manual entry of IPv6 addresses, which is prone to error because of their length.
• Develop an ICMPv6 filtering policy. Ensure that ICMPv6 messages that are essential to IPv6 operation are allowed, but others are blocked.
• Use IPSec to authenticate & provide confidentiality to critical assets.
• Enable controls that might not have been used in IPv4 due to a lower threat level during initial deployment (implementing default-deny access control policies, implementing routing protocol security, etc.).
• Pay close attention to the security aspects of transition (tunneling, etc.).
• Ensure that IPv6 routers, packet filters, firewalls, and tunnel endpoints enforce multicast scope boundaries and make sure that Multicast Listener Discovery (MLD) packets are not inappropriately routable.
Some IPv6 Simple Best Security Practices
• Always null-route unused address space within your network: if you have prefixes you know are unused, route them towards null0 on your routers.
• Enable port security & limit the number of MACs on customer ports
• Always filter ingress traffic from customers with uRPF or ACLs
• Authenticate ALL of your network protocols
• ALWAYS ENCRYPT YOUR MANAGEMENT TRAFFIC!
• Filter BGP sessions ingress and egress
• Set maximum-prefix / prefix-limit on BGP sessions (including customers, transits, and peers)
• Give high priority to network control traffic
• Ideally, have an out-of-band management path to all POPs
• Restrict DHCP & Router Advertisements on customer ports
• Separate customers into separate VLANs if you can
• Monitor critical network element resources, e.g. memory, bandwidth, etc.
• Keep patching up-to-date
• Have a security plan that includes incident management processes: identify who, what, and how; practice and test the plan; make sure you know how to reach your peers and transit providers, and how their security plans work!
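As an added example that is not from the slides, the ICMPv6 filtering policy, the border filter for internal-use (ULA) addresses, the multicast scope boundary and the fragment rule recommended above, expressed as one Python decision function run over constructed sample packets. The packet field names are my own assumptions, not any firewall's API; the essential ICMPv6 set follows RFC 4890.

```python
import ipaddress

# Added example, not code from the slides: one decision function encoding the border
# policy recommended in the deck (essential ICMPv6 only, no link-scoped NDP/MLD or ULA
# traffic across the perimeter, multicast scope enforced, undersized fragments dropped).
# Packets are constructed dicts, not captured traffic.

ULA = ipaddress.IPv6Network("fc00::/7")        # RFC 4193 internal-use space
# ICMPv6 types a perimeter must pass or IPv6 breaks (RFC 4890 section 4.3.1)
ESSENTIAL = {1: "destination unreachable", 2: "packet too big", 3: "time exceeded",
             4: "parameter problem", 128: "echo request", 129: "echo reply"}
# Link-scoped MLD/NDP types (RA 134, NS/NA 135/136, Redirect 137 as used by REDIR6)
# that never legitimately transit a router
LINK_ONLY = {130, 131, 132, 133, 134, 135, 136, 137, 143}
MIN_FRAG = 1280                                # IPv6 minimum link MTU

def border_decision(pkt):
    """Return ("allow"|"drop", reason) for one packet seen at the enterprise border."""
    src, dst = ipaddress.IPv6Address(pkt["src"]), ipaddress.IPv6Address(pkt["dst"])
    if src in ULA or dst in ULA:
        return "drop", "unique local address must not cross the border (RFC 4193)"
    if src.is_link_local or dst.is_link_local:
        return "drop", "link-local address is meaningless beyond one link"
    # Multicast scope lives in the low nibble of the second byte (ff0X::); only
    # global scope (e) may leave the organisation, so ff02::1 (All-Nodes) never does
    if dst.is_multicast and (dst.packed[1] & 0x0F) < 0x0E:
        return "drop", "non-global multicast scope must not cross the border"
    if pkt.get("more_fragments") and pkt.get("length", MIN_FRAG) < MIN_FRAG:
        return "drop", "non-final fragment shorter than 1280 octets"
    if pkt.get("next_header") != 58:           # not ICMPv6: leave to the L4 rule set
        return "allow", "non-ICMPv6 traffic"
    t = pkt["icmp_type"]
    if t in LINK_ONLY:
        return "drop", "ICMPv6 type %d is link-local scope only" % t
    if t in ESSENTIAL:
        return "allow", "essential ICMPv6: " + ESSENTIAL[t]
    return "drop", "ICMPv6 type %d not in policy (default deny)" % t

# Constructed sample packets: packet-too-big, a Redirect, a ULA source, a tiny fragment
SAMPLES = [
    {"src": "2001:db8:1::10", "dst": "2001:db8:2::20", "next_header": 58, "icmp_type": 2},
    {"src": "2001:db8:1::10", "dst": "2001:db8:2::20", "next_header": 58, "icmp_type": 137},
    {"src": "fd00::1", "dst": "2001:db8:2::20", "next_header": 6},
    {"src": "2001:db8:1::10", "dst": "2001:db8:2::20", "next_header": 6,
     "more_fragments": True, "length": 512},
]

def audit(packets):
    """Decision per packet, in order."""
    return [border_decision(p)[0] for p in packets]
```

Running audit(SAMPLES) allows only the Packet Too Big message; the Redirect, the ULA-sourced packet and the undersized fragment are all dropped, which is the behaviour the ICMPv6 and border-filter recommendations ask for.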
IPv6 Compliance: Mandatory Support
Check IPv6-Ready Compliance Requirements 1: Network Security (Firewalls, IDS, IPS, etc.)
Standard (RFC):
• IPv6 Basic specification: RFC 2460
• IPv6 Addressing Architecture: RFC 4291
• Default Address Selection: RFC 3484
• ICMPv6: RFC 4443
• SLAAC: RFC 4862
• Router-Alert option: RFC 2711
• Path MTU Discovery: RFC 1981
• Neighbor Discovery: RFC 4861
• BGP4 protocol: RFC 4760
• OSPF-v3: RFC 4552
• RIPng: RFC 2080
• IS-IS: RFC 5308
• Support for QoS: RFC 3140
• Basic Transition Mechanisms for IPv6 Hosts and Routers: RFC 4213
• Using IPsec to Secure IPv6-in-IPv4 Tunnels: RFC 4891
IPv6 Compliance: Mandatory Support
Check IPv6-Ready Compliance Requirements 2: Router / Layer 3 Switch
Standard (RFC):
• IPv6 Basic specification: RFC 2460
• IPv6 Addressing Architecture: RFC 4291
• Default Address Selection: RFC 3484
• ICMPv6: RFC 4443
• SLAAC: RFC 4862
• MLDv2 snooping: RFC 4541
• Router-Alert option: RFC 2711
• Path MTU Discovery: RFC 1981
• Neighbor Discovery: RFC 4861
• Classless Inter-domain Routing: RFC 4632
• Dynamic Interior Gateway Protocol (IGP), RIPng: RFC 2080
• OSPF-v3: RFC 5340
• IS-IS: RFC 5308
• BGP4: RFC 2545
• Support for QoS: RFC 3140
• Basic Transition Mechanisms for IPv6 Hosts and Routers: RFC 4213
• Using IPsec to Secure IPv6-in-IPv4 tunnels: RFC 4891
• Generic Packet Tunneling and IPv6: RFC 2473
• Mobile IPv6 (MIPv6): RFC 4877
• MPLS functionality: RFC 4798
• Layer-3 VPN functionality: RFC 4659
• MPLS Traffic Engineering: RFC 5120
IPv6 Compliance: Mandatory Support
Check IPv6-Ready Compliance Requirements 3: Host (Client / Server)
Standard (RFC):
• IPv6 Basic specification: RFC 2460
• IPv6 Addressing Architecture: RFC 4291
• Default Address Selection: RFC 3484
• ICMPv6: RFC 4443
• DHCPv6 client: RFC 3315
• SLAAC: RFC 4862
• Path MTU Discovery: RFC 1981
• Neighbor Discovery: RFC 4861
• Basic Transition Mechanisms for IPv6 Hosts and Routers: RFC 4213
• IPsec-v2: RFC 2406
• IKE version 2 (IKEv2): RFC 4718
• Mobile IPv6 (MIPv6): RFC 4877
• DNS protocol extensions for incorporating IPv6 DNS resource records: RFC 3596
• DNS message extension mechanism: RFC 2671
• DNS message size requirements: RFC 3226
IPv6 Compliance: Mandatory Support
Check IPv6-Ready Compliance Requirements 4: Layer 2 Switch
Standard (RFC):
• MLDv2 snooping: RFC 4541
• DHCPv6 snooping: RFC 3315
• Router Advertisement (RA) filtering: RFC 5006
• Dynamic IPv6 NA / NS inspection: RFC 4861
• Neighbor Unreachability Detection (NUD): RFC 4861
• Duplicate Address Detection: RFC 4429
IPv6 support in software:
All software must support IPv4 and IPv6 and be able to communicate over both types of networks. If software includes network parameters in its local or remote server settings, it should also support configuration of IPv6 parameters. Functionality must not differ significantly between IPv4 and IPv6: the user should not experience any significant difference when software is communicating over IPv4 or IPv6.
So: Is IPv6 more secure? Yes & No!
Yes:
• IPSec (Authentication + Encryption)
• Secure Neighbor Discovery (SEND)
• Cryptographically Generated Address (CGA)
• Unique Local Addresses (ULAs)
• Privacy Addresses
No:
• Automated Tunneling
• Neighbor Discovery & Auto-Configuration
• End-To-End Model
• Newness & Complexity
• Lack of Guidance, Policy & Training
• Tools in Use
IPv6 Security Issues Are Evolving & In Continuous Progress…
Stay Tuned!