IPv6 Security Talk 2012


  • 8/13/2019 IPv6 Security Talk 2012

    1/112

    Cisco Confidential 2010 Cisco and/or its affiliates. All rights reserved. 1

IPv6 Introduction and Implications on Network Security

Keith O'Brien
Cisco Distinguished Engineer
[email protected]

Keith O'Brien, Distinguished Engineer, Cisco
[email protected]

Specializes in large scale IP routing, network security and incident response within ISP and enterprise networks.
Working with major US based ISPs on their transition to an IPv6 network.
Adjunct professor of Computer Science at NYU's Polytechnic Institute (Graduate Studies).
Visiting Professor of Electrical and Computer Engineering at the United States Coast Guard Academy.
BSEE Lafayette College, MS Stevens Institute of Technology.
CCIE, CISSP, SANS GIAC.
http://keithobrien.org
Twitter: @keitheobrien

IPv6: Why Now?
Technology Intro
Comparison to IPv4
Addressing
ICMPv6 and Neighbor Discovery
DHCPv6 and DNS
IPv4/IPv6 Transition and Coexistence
IPv6 Security


Source: Cisco Visual Networking Index (VNI) Global IP Traffic Forecast, 2010-2015

Key growth factors:
More devices: nearly 15 billion connections
More Internet users: 3 billion Internet users
Faster broadband speeds: 4-fold speed increase
More rich media content: 1 million video minutes per second

The IETF IPv6 working group began in the early 90s to solve address growth issues, but CIDR and NAT were developed in the meantime and bought time.
IPv4's 32-bit address space allows about 4 billion hosts.
IANA recently issued its last /8 blocks to the regional registries (February 2011).
IP is everywhere: data, voice, audio and video integration is a reality.
Main compelling reason: more IP addresses.

http://www.bgpexpert.com/ianaglobalpool2.php
Chart: probability of when each RIR reaches its last /8 threshold (image not reproduced).

Service segments: Mobile / Enterprise / Wireline

When do you run out of IPv4 addresses?
  Mobile: Now. Devices are already being actively deployed with IPv6 addresses.
  Enterprise: Varies. NAT is already being used at peering points where run-out has occurred.
  Wireline: Now. A combination of NAT and IPv6-enabled CPE is being deployed.

When is most of the content available on the IPv6 network?
  Mobile: Growing rapidly.
  Enterprise: Slower ramp, due to enterprise-specific applications and longer development cycles.
  Wireline: Growing rapidly.

What is the device/CPE refresh frequency?
  Mobile: Short refresh cycle.
  Enterprise: Longer refresh cycle.
  Wireline: Longer refresh cycle.

World IPv6 Launch, June 6, 2012: network equipment vendors, ISPs and content providers are coming together on June 6 to permanently enable IPv6 on the Internet.
Last year's World IPv6 Day (8 June 2011) was a 24-hour soak period; this time IPv6 stays on.
Current players: Akamai, Comcast, AT&T, Cisco, D-Link, Facebook, Free Telecom, Google, Internode, KDDI, Limelight, Bing, Time Warner Cable, Yahoo, Netflix, AOL, NASA, Sprint.
http://www.worldipv6launch.org/


Service             IPv4                               IPv6
Addressing range    32-bit, Network Address            128-bit, multiple scopes
                    Translation
IP provisioning     DHCP                               SLAAC, renumbering, DHCP
Security            IPsec                              IPsec mandated, works end-to-end
Mobility            Mobile IP                          Mobile IP with direct routing
Quality of Service  Differentiated Service,            Differentiated Service,
                    Integrated Service                 Integrated Service
Multicast           IGMP/PIM/MBGP                      MLD/PIM/MBGP, scope identifier

Caveat on the security row: "IPsec mandated" refers to the original node requirements (RFC 4294), which RFC 6434 relaxed to a SHOULD. Support in the stack does not mean traffic is protected; IPsec has to be configured and keyed in IPv6 exactly as in IPv4, and NAT-free end-to-end reachability also means end-to-end exposure unless a firewall policy is in place.

IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding.

IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address.

Legend (IPv4 to IPv6):
Field names kept from IPv4: Version, Source Address, Destination Address.
Name and position changed in IPv6: Type of Service -> Traffic Class, Total Length -> Payload Length, Protocol -> Next Header, Time to Live -> Hop Limit.
Fields not kept in IPv6: IHL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding (fragmentation and options move to extension headers; the base header is a fixed 40 bytes with no checksum).
New field in IPv6: Flow Label.

Extension Headers Are Daisy Chained

Each header carries a Next Header value naming the header that follows it:

IPv6 header (V=6, Class, Flow, Len, Next Header = 6, Hop, Source, Destination) -> TCP header -> payload

IPv6 header (Next Header = 43) -> Routing header (Next Header = 17) -> UDP header -> payload

IPv6 header (Next Header = 43) -> Routing header (Next Header = 60) -> Destination Options (Next Header = 6) -> TCP header -> payload

A firewall or IDS only finds the transport header by walking this chain; the chain can be long, and the TCP/UDP header need not be in the first fragment.

Recommended extension header order and Next Header codes:

Order  Header type                              Next Header code
1      Basic IPv6 header                        -
2      Hop-by-Hop Options                       0
3      Destination Options (for routing hops)   60
4      Routing header                           43
5      Fragment header                          44
6      Authentication Header                    51
7      Encapsulating Security Payload           50
8      Destination Options                      60
9      Mobility header                          135
-      No Next Header                           59
-      Upper layer: TCP                         6
-      Upper layer: UDP                         17
-      Upper layer: ICMPv6                      58
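The chain-walking that the two slides above imply is what every IPv6 firewall, ACL engine and IDS has to do before it can match a TCP or UDP port. The following is an added example, not code from the talk: a standalone walker over raw IPv6 bytes that follows the Next Header codes from the table, stops where the transport header genuinely cannot be found (ESP, a non-first fragment, a chain longer than a chosen limit) and flags the Routing Header type 0 that RFC 5095 deprecated. The packets at the bottom are constructed for the example (the addresses, the PadN option and the one-hop RH0 are all made up), using the exact header sequence of the third chain on the slide.

```python
import struct
from ipaddress import IPv6Address

# Next Header codes from the table above
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 59, 60, 135
TCP, UDP, ICMPV6 = 6, 17, 58
# Headers that carry a Next Header field and can be walked past (ESP hides what follows it)
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY}


def walk_ipv6(pkt: bytes, max_headers: int = 8):
    """Walk the Next Header chain of a raw IPv6 packet.

    Returns (upper_layer, chain, notes): upper_layer is the Next Header code of the
    transport header (6, 17, 58, ...) or None when it cannot be located in this
    packet (ESP, a non-first fragment, or a chain longer than max_headers);
    chain lists (header_code, offset) for each extension header seen.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    off, nh = 40, pkt[6]
    chain, notes = [], []
    while nh in EXT_HEADERS:
        if len(chain) >= max_headers:
            notes.append("more than %d extension headers: treat as an evasion attempt" % max_headers)
            return None, chain, notes
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        chain.append((nh, off))
        nxt = pkt[off]                       # every extension header starts with Next Header
        if nh == FRAGMENT:                   # fixed 8 bytes: nh, reserved, offset<<3|M, identification
            frag_off = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            if frag_off != 0:
                notes.append("non-first fragment: transport header is in another packet")
                return None, chain, notes
            off += 8
        elif nh == AH:                       # length in 4-byte units, excluding the first 2 units
            off += (pkt[off + 1] + 2) * 4
        else:                                # hop-by-hop, routing, dest opts, mobility: (len + 1) * 8 bytes
            if nh == ROUTING and pkt[off + 2] == 0:
                notes.append("Routing Header type 0 (deprecated by RFC 5095): drop")
            if nh == HOP_BY_HOP and off != 40:
                notes.append("Hop-by-Hop header not first: RFC 8200 violation")
            off += (pkt[off + 1] + 1) * 8
        nh = nxt
    if nh == ESP:
        notes.append("ESP: transport header is encrypted")
        return None, chain, notes
    if off > len(pkt):
        notes.append("chain runs past the end of the packet")
        return None, chain, notes
    return nh, chain, notes


# --- constructed sample packets for this example (not captures from the talk) -----------
def ipv6_packet(next_header: int, *parts: bytes) -> bytes:
    body = b"".join(parts)
    hdr = struct.pack("!IHBB", 0x60000000, len(body), next_header, 64)
    return hdr + IPv6Address("2001:db8::1").packed + IPv6Address("2001:db8::2").packed + body


def ext_header(next_header: int, body: bytes) -> bytes:
    """Generic extension header in 8-byte units; Hdr Ext Len = total/8 - 1."""
    total = 2 + len(body)
    assert total % 8 == 0, "extension header must be a multiple of 8 bytes"
    return struct.pack("!BB", next_header, total // 8 - 1) + body


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)   # 20-byte SYN
PLAIN = ipv6_packet(TCP, TCP_SYN)
# IPv6 -> Routing (type 0, one hop) -> Destination Options (PadN) -> TCP, as on the slide
CHAINED = ipv6_packet(
    ROUTING,
    ext_header(DEST_OPTS, bytes([0, 1]) + b"\x00" * 4 + IPv6Address("2001:db8::bad").packed),
    ext_header(TCP, bytes([1, 4, 0, 0, 0, 0])),
    TCP_SYN,
)
# Second fragment of a larger packet: fragment offset 185 (in 8-byte units), M flag set
LATER_FRAG = ipv6_packet(FRAGMENT, struct.pack("!BBHI", TCP, 0, (185 << 3) | 1, 0xDEADBEEF), b"A" * 64)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("chained", CHAINED), ("later fragment", LATER_FRAG)):
        print(name, walk_ipv6(pkt))
```

The design point is the three `None` returns: a filter that treats "transport header not found" as "allow" is the classic IPv6 evasion, so the caller should log and drop those cases rather than fall through to a default-permit rule.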


IPv4: 32 bits. 2^32 = 4,294,967,296 addresses.
IPv6: 128 bits. 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.
2^128 = 2^32 * 2^96, and 2^96 = 79,228,162,514,264,337,593,543,950,336, so IPv6 has about 7.9 x 10^28 (79 thousand trillion trillion) times the number of possible IPv4 addresses.

IPv6 addresses are 128 bits long.
Written as 8 groups of four hex characters (hextets), separated by colons (:).
Default split is 50/50: the first 64 bits identify the network (a global routing prefix of n bits plus the subnet ID), the last 64 bits are the interface ID.
The network portion is allocated by the Internet registries; each /64 has 2^64 (1.8 x 10^19) possible interface IDs.

Hex digits are not case sensitive, and abbreviations are possible:
Leading zeros within a hextet may be dropped, and one contiguous run of all-zero hextets may be replaced by a double colon (::):
2001:0db8:0000:130F:0000:0000:087C:140B
2001:db8:0:130F::87C:140B
The double colon can appear only once in an address.
IPv6 uses CIDR representation. An IPv4 prefix looks like 98.10.0.0/16; an IPv6 prefix is written the same way, 2001:db8:12::/48.
Only leading zeros are omitted; trailing zeros cannot be omitted:
2001:0db8:0012::/48 = 2001:db8:12::/48
2001:db80:1200::/48 is not 2001:db8:12::/48
RFC 5952 defines the canonical text form (lowercase hex, longest zero run compressed); normalize addresses before comparing them in ACLs, log searches or allow-lists, since 2001:DB8::1, 2001:db8:0:0::1 and 2001:db8::1 are the same address.

Loopback address: 0:0:0:0:0:0:0:1 == ::1
Same role as 127.0.0.1 in IPv4; identifies self.
Unspecified address: 0:0:0:0:0:0:0:0 == ::
Used as a placeholder when no address is available (initial DHCP request, Duplicate Address Detection), NOT the default route.
Default route: ::/0

Allocation hierarchy:
IANA holds the global unicast space 2000::/3.
Regional registries (APNIC, AfriNIC, ARIN, LACNIC, RIPE NCC) receive blocks from /12 to /23.
ISPs receive a /32 from their RIR.
Sites receive a /48 from their ISP.

Partition of Allocated IPv6 Address Space

Partition of Allocated IPv6 Address Space (Cont.)

The lowest-order 64-bit field of a unicast address (the interface ID) may be assigned in several ways:
Auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g. an Ethernet address)
Auto-generated pseudo-random number (to address privacy concerns)
Assigned via DHCP
Manually configured

The modified EUI-64 format expands the 48-bit MAC address to 64 bits by inserting FF FE into the middle 16 bits.
The universal/local (U/L) bit, the bit marked U in 000000U0 (0x02 of the first byte), is then inverted: a 1 in the result means the interface ID came from a globally unique (manufacturer-assigned) MAC, a 0 means it is locally administered.

MAC address:          00 90 27 17 FC 0F
Insert FF FE:         00 90 27 FF FE 17 FC 0F
Invert the U/L bit:   02 90 27 FF FE 17 FC 0F

Interface ID: 0290:27FF:FE17:FC0F. The MAC (and so the hardware vendor) is recoverable from any address built this way, and the interface ID follows the host across networks; this is why privacy extensions (RFC 4941) generate random interface IDs instead.

Addresses are assigned to interfaces, a change from the IPv4 model:
An interface is expected to have multiple addresses.
Addresses have scope: link-local, unique local, global.
Addresses have lifetimes: a valid lifetime and a preferred lifetime.

Three types of unicast address scope, plus multicast:

Link-local: not routable, exists on a single layer 2 domain (FE80::/10, in practice FE80::/64)
  FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
Unique-local: routable within an administrative domain (FC00::/7)
  FCgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  FDgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Global: routable across the Internet (2000::/3)
  2ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  3ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Multicast (FF00::/8): flags (f) in the 3rd nibble, scope (s) in the 4th nibble
  FFfs:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

(g = global ID / routing prefix bits, s = subnet ID, x = interface ID or group ID.)

Unicast: address of a single interface; one-to-one delivery to a single interface.
Multicast: address of a set of interfaces; one-to-many delivery to all interfaces in the set.
Anycast: address of a set of interfaces; one-to-one-of-many delivery to the single interface in the set that is closest.
No more broadcast addresses.

An interface can have many addresses allocated to it:

Address type              Requirement  Comment
Link Local                Required     Required on all interfaces
Unique Local              Optional     Valid only within an administrative domain
Global Unicast            Optional     Globally routed prefix
Auto-Config 6to4          Optional     Used for 2002::/16 6to4 tunnelling
Solicited Node Multicast  Required     Neighbour Discovery and Duplicate Address Detection (DAD)
All Nodes Multicast       Required     For ICMPv6 messages

Well-known multicast addresses:

Address            Scope        Meaning
FF01::1            Node-local   All nodes
FF01::2            Node-local   All routers
FF02::1            Link-local   All nodes
FF02::2            Link-local   All routers
FF02::5            Link-local   OSPFv3 routers
FF02::6            Link-local   OSPFv3 DR routers
FF02::1:FFXX:XXXX  Link-local   Solicited-node
http://www.iana.org/assignments/ipv6-multicast-addresses

R1#show ipv6 interface e0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  No global unicast address is configured
  Joined group address(es):
    FF02::1            <- all nodes
    FF02::2            <- all routers
    FF02::1:FF3A:8B18  <- solicited-node multicast address
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
R1#


Function             IPv4                     IPv6
Address assignment   DHCPv4                   DHCPv6, SLAAC, reconfiguration
Address resolution   ARP, RARP                NS, NA (Neighbor Solicitation / Advertisement)
Router discovery     ICMP Router Discovery    RS, RA (Router Solicitation / Advertisement)
Name resolution      DNS (A records)          DNS (AAAA records)

Internet Control Message Protocol version 6 (ICMPv6)
RFC 2463 (since obsoleted by RFC 4443)
A modification of ICMP for IPv4; message types are similar, but with different type/code values:
Destination unreachable (type 1)
Packet too big (type 2)
Time exceeded (type 3)
Parameter problem (type 4)
Echo request / reply (types 128 and 129)
Unlike IPv4, ICMPv6 cannot be blocked wholesale: Packet Too Big is required for path MTU discovery (routers do not fragment in IPv6) and Neighbor Discovery (types 133-137) is carried in ICMPv6, so filters must be selective (RFC 4890).

Neighbor Discovery (ND, RFC 4861):
Replaces ARP and the ICMP redirect and router discovery functions
Tracks reachability of neighbors
Hosts use it to discover routers and to autoconfigure addresses
Duplicate Address Detection (DAD)

Neighbor Discovery uses ICMPv6 messages originated by a node on the link, sent from a link-local address with a hop limit of 255. A receiver must discard ND messages whose hop limit is not 255: that proves the packet was not forwarded by a router, though it cannot prove the on-link sender is honest.
A message consists of the IPv6 header, the ICMPv6 header, the neighbor discovery header and neighbor discovery options.
Five neighbor discovery messages:
Router Solicitation (ICMPv6 type 133)
Router Advertisement (ICMPv6 type 134)
Neighbor Solicitation (ICMPv6 type 135)
Neighbor Advertisement (ICMPv6 type 136)
Redirect (ICMPv6 type 137)

Address resolution between A and B:

Neighbour Solicitation (NS), ICMP type 135
  IPv6 source: A (unicast)
  IPv6 destination: solicited-node multicast address of B
  Data: link-local (FE80::) address of A
  Query: what is B's link-layer address?

Neighbour Advertisement (NA), ICMP type 136
  IPv6 source: B (unicast)
  IPv6 destination: A (unicast)
  Data: link-local (FE80::) address of B, MAC address

Router Solicitations (RS) are sent by booting nodes to request RAs for configuring their interfaces.
Routers send periodic Router Advertisements (RA) to the all-nodes multicast address.

Router Solicitation (RS), ICMP type 133
  IPv6 source: host A link-local (FE80::1)
  IPv6 destination: all-routers multicast (FF02::2)
  Query: please send an RA

Router Advertisement (RA), ICMP type 134
  IPv6 source: router link-local (FE80::2)
  IPv6 destination: all-nodes multicast (FF02::1)
  Data: options, subnet prefix, lifetime, autoconfig flag

Autoconfiguration assigns an address to a host automatically (plug and play):
Generating a link-local address
Generating global addresses via stateless address autoconfiguration
Duplicate Address Detection to verify the uniqueness of the addresses on a link
The host's autoconfigured address is the received prefix plus an interface ID derived from its link-layer address, if the DAD check passes.

Example (host A, MAC 00:2c:04:00:fe:56; router R1 advertising 2001:db8:face::/64):
1. RS: host A asks for router advertisements
2. RA from R1: prefix information 2001:db8:face::/64, default router R1
3. DAD: A probes 2001:db8:face::22c:4ff:fe00:fe56 and, hearing no conflict, uses it
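The address arithmetic that the last several slides walk through by hand (RFC 5952 compression, scope classification, the modified EUI-64 expansion of 00:90:27:17:FC:0F, the solicited-node group FF02::1:FF3A:8B18 joined by the router, and host A's SLAAC address 2001:db8:face::22c:4ff:fe00:fe56) is collected here in one added example. This is editor-written code, not code from the talk; it uses only the Python standard library `ipaddress` module. The values it is exercised on are the ones printed on the slides.

```python
from ipaddress import IPv6Address, IPv6Network


def canonical(addr: str) -> str:
    """RFC 5952 text form: lowercase hex, leading zeros dropped, longest zero run as '::'."""
    return str(IPv6Address(addr))


MCAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def scope(addr: str) -> str:
    """Classify an address by the prefixes on the slides (fe80::/10, fc00::/7, 2000::/3, ff00::/8)."""
    a = IPv6Address(addr)
    if a == IPv6Address("::"):
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:                       # scope is the low nibble of the second byte
        return "multicast (%s scope)" % MCAST_SCOPES.get(a.packed[1] & 0x0F, "reserved")
    if a in IPv6Network("fe80::/10"):
        return "link-local"
    if a in IPv6Network("fc00::/7"):
        return "unique-local"
    if a in IPv6Network("2000::/3"):
        return "global"
    return "other/reserved"


def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64 interface ID: insert ff:fe in the middle, invert the U/L bit (0x02 of byte 0)."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("need a 48-bit MAC")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host forms from a /64 in a Router Advertisement and its MAC (no privacy extensions)."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(IPv6Address(net.network_address.packed[:8] + mac_to_iid(mac)))


def iid_to_mac(addr: str):
    """Recover the MAC from an EUI-64 derived address, or None if the IID is not in that form."""
    iid = IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                          # random/privacy, DHCPv6 or manual interface ID
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in m)


def solicited_node(addr: str) -> str:
    """ff02::1:ffXX:XXXX, built from the low 24 bits of the unicast address (used by NS and DAD)."""
    low24 = IPv6Address(addr).packed[13:]
    return str(IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


if __name__ == "__main__":
    # Values from the slides: R1's link-local address, host A's SLAAC address, a manual address
    for a in ("fe80::200:cff:fe3a:8b18", "2001:db8:face::22c:4ff:fe00:fe56", "2001:db8::1"):
        print(canonical(a), scope(a), solicited_node(a), iid_to_mac(a))
    print(slaac_address("2001:db8:face::/64", "00:2c:04:00:fe:56"))
    print(mac_to_iid("00:90:27:17:FC:0F").hex())
```

Two things worth noticing when running it: `iid_to_mac` returns the Cisco OUI 00:00:0c for R1's link-local address, which is exactly the information leak privacy extensions exist to stop; and `canonical` writes host A's address as `2001:db8:face:0:22c:4ff:fe00:fe56`, because RFC 5952 forbids `::` for a single zero hextet, so string comparison against the slide's spelling would fail even though the addresses are identical.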


DNS records, IPv4 vs IPv6:

Hostname to IP address
  IPv4, A record:     www.abc.test.  A     192.168.30.1
  IPv6, AAAA record:  www.abc.test.  AAAA  2001:db8:c18:1::2

IP address to hostname
  IPv4, PTR record:   1.30.168.192.in-addr.arpa.  PTR  www.abc.test.
  IPv6, PTR record:   2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa.  PTR  www.abc.test.
(the ip6.arpa name is every nibble of the fully expanded address, in reverse order)

Dual-stack name resolution. DNS server zone data for www.example.org:
  www  IN  A     192.168.0.3
  www  IN  AAAA  2001:db8:1::1
In the dual-stack case an application that is IPv4- and IPv6-enabled can query the DNS for A and/or AAAA records, then chooses one address and, for example, connects to the IPv6 address (2001:db8:1::1) rather than the IPv4 one (192.168.0.3).

Packet captures of dual-stack lookups:

mSecs  Source           Destination      Prot  Info
0.000  64.104.197.141   64.104.200.248   DNS   Standard query A ipv6.google.com
0.158  64.104.200.248   64.104.197.141   DNS   Standard query response CNAME ipv6.l.google.com
0.000  64.104.197.141   64.104.200.248   DNS   Standard query AAAA ipv6.google.com
0.135  64.104.200.248   64.104.197.141   DNS   Standard query response CNAME ipv6.l.google.com AAAA 2404:6800:8004::68

Domain name with an IPv6 address only:
Initial query over IPv4 for the IPv4 A record
DNS response refers to an alias (canonical name) with no A record
Host immediately sends a request for the AAAA record (original FQDN)
IPv6 address of the canonical name is returned

mSecs  Source                 Destination            Prot    Info
0.000  64.104.197.141         64.104.200.248         DNS     Standard query A www.apnic.net
0.017  64.104.200.248         64.104.197.141         DNS     Standard query response A 202.12.29.211
0.000  64.104.197.141         64.104.200.248         DNS     Standard query AAAA www.apnic.net
0.017  64.104.200.248         64.104.197.141         DNS     Standard query response AAAA 2001:dc0:2001:11::211
0.001  2001:420:1:fff::2      2001:dc0:2001:11::211  ICMPv6  Echo request
0.023  2001:dc0:2001:11::211  2001:420:1:fff::2      ICMPv6  Echo reply

Domain name with both addresses:
Initial query over IPv4 for the IPv4 A record; IPv4 address returned
Host immediately sends a request for the AAAA record; IPv6 address of the FQDN returned
Host prefers the IPv6 address (configurable)
Note that the DNS transport (IPv4 here) is independent of the record type requested: a host whose resolver path is IPv4-only still ends up talking IPv6 to the server, so IPv6 traffic appears on networks that never "deployed" IPv6.

Address assignment methods:
Manual assignment: statically configured by a human operator
Stateless Address Autoconfiguration (SLAAC, RFC 4862): auto assignment of an address through Router Advertisements
Stateful DHCPv6 (RFC 3315): DHCPv6 allocates an IPv6 address plus other configuration parameters (DNS, NTP etc.)
DHCPv6-PD (RFC 3633): DHCPv6 allocates entire subnets (prefix delegation) to a router/CPE device for further allocation
Stateless DHCPv6 (RFC 3736): SLAAC for host address allocation combined with DHCPv6 for additional parameters such as DNS servers and NTP

DHCPv6 is the updated version of DHCP for IPv4: it supports the new addressing and can be used for renumbering.
The DHCP process is the same as in IPv4, but:
The client first detects the presence of routers on the link.
If found, it examines the router advertisements to determine whether DHCP can be used (the M and O flags).
If no router is found, or if DHCP can be used, a DHCP Solicit message is sent to the All-DHCP-Agents multicast address, using the link-local address as the source address.
Multicast addresses used:
FF02::1:2 = All DHCP agents (servers or relays, link-local scope)
FF05::1:3 = All DHCP servers (site-local scope)
DHCP messages: clients listen on UDP port 546; servers and relay agents listen on UDP port 547.
Because the client trusts the RA to tell it whether to use DHCPv6, and then trusts whichever server answers on FF02::1:2, a rogue router or rogue DHCPv6 server on the link controls the client's addressing and DNS; the DHCPv6 exchange itself is unauthenticated in practice.

RA flags indicate the address allocation combination (A, M and O bits): use SLAAC only, use stateful DHCPv6, or use SLAAC plus DHCPv6 for other options.

Stateful DHCPv6 example (Router 1 as DHCPv6 relay, subnet 2001:db8:face::/64):
Router Advertisement (RA) from Router 1:
  A bit (address config flag) set to 0: do not use SLAAC for host address config
  M bit (managed address configuration flag) set to 1: use DHCPv6 for the host IPv6 address
  O bit (other configuration flag) set to 1: use DHCPv6 for additional info (DNS, NTP)
1. RA received by host A
2. Host A sends DHCP Solicit to FF02::1:2 (all DHCP relay agents and servers); Router 1 relays it to the DHCP server
3. The server returns 2001:db8:face::1/64, DNS1, DNS2 and NTP

Stateless DHCPv6 example (Router 1 as DHCPv6 relay, on-link prefix 2001:db8:face::/64):
Router Advertisement (RA) from Router 1:
  A bit (address config flag) set to 1: use SLAAC for host address config
  On-link prefix 2001:db8:face::/64
  M bit (managed address configuration flag) set to 0: do not use DHCPv6 for the IPv6 address
  O bit (other configuration flag) set to 1: use DHCPv6 for additional info (DNS, NTP)
1. RA received by host A
2. Host A forms 2001:db8:face::22c:4ff:fe00:fe56 by SLAAC
3. Host A sends a DHCPv6 Information-Request (shown on the slide as a Solicit) to FF02::1:2 for options only; Router 1 relays it to the DHCP server
4. The server returns DNS1, DNS2 and NTP
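The RA exchanges on the Neighbor Discovery slides and the A/M/O flag combinations on the two DHCPv6 slides are shown below as bytes on the wire, in an added example that is editor-written rather than taken from the talk. It builds a Router Advertisement with one Prefix Information option (ICMPv6 checksum over the pseudo-header included), then validates it the way RFC 4861 section 6.1.2 requires a host to (hop limit 255, link-local source, checksum, no zero-length options) and maps the flags to the configuration mode the slides describe. The link-local source fe80::2 and the prefix 2001:db8:face::/64 are the slide's values; the lifetimes and timers are assumed.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

ICMPV6 = 58
RA = 134
ALL_NODES = "ff02::1"
LINK_LOCAL = IPv6Network("fe80::/10")


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """RFC 4443 checksum: ones-complement sum over the IPv6 pseudo-header and the message."""
    pseudo = IPv6Address(src).packed + IPv6Address(dst).packed + struct.pack("!IxxxB", len(msg), ICMPV6)
    data = pseudo + msg + (b"\x00" if len(msg) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src: str, prefix: str, *, managed: bool, other: bool, autonomous: bool,
             onlink: bool = True, router_lifetime: int = 1800, dst: str = ALL_NODES) -> bytes:
    """Router Advertisement with one Prefix Information option, checksum filled in."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)          # M and O bits
    hdr = struct.pack("!BBHBBHII", RA, 0, 0, 64, flags, router_lifetime, 30000, 0)
    net = IPv6Network(prefix)
    pflags = (0x80 if onlink else 0) | (0x40 if autonomous else 0)      # L and A bits
    # option type 3, length 4 (x8 bytes), prefix length, flags, valid, preferred, reserved, prefix
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, pflags, 2592000, 604800, 0) + net.network_address.packed
    msg = hdr + pio
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def parse_ra(src: str, hop_limit: int, msg: bytes, dst: str = ALL_NODES) -> dict:
    """Host-side validation (RFC 4861 section 6.1.2) and extraction of the flags a host acts on."""
    if hop_limit != 255:
        return {"reject": "hop limit %d is not 255: message was forwarded, not sent on-link" % hop_limit}
    if IPv6Address(src) not in LINK_LOCAL:
        return {"reject": "RA source %s is not link-local" % src}
    if len(msg) < 16 or msg[0] != RA or msg[1] != 0:
        return {"reject": "not a Router Advertisement"}
    if icmpv6_checksum(src, dst, msg) != 0:                             # a valid message sums to zero
        return {"reject": "bad ICMPv6 checksum"}
    flags = msg[5]
    out = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
           "router_lifetime": struct.unpack_from("!H", msg, 6)[0], "prefixes": []}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            return {"reject": "zero-length option"}                     # RFC 4861 4.6: discard the packet
        if otype == 3 and olen == 4 and off + 32 <= len(msg):
            out["prefixes"].append({
                "prefix": "%s/%d" % (IPv6Address(msg[off + 16:off + 32]), msg[off + 2]),
                "onlink": bool(msg[off + 3] & 0x80), "autonomous": bool(msg[off + 3] & 0x40)})
        off += olen * 8                                                 # unknown options are skipped
    return out


def address_config_mode(ra: dict) -> str:
    """The A/M/O combinations on the slides, as the host interprets them."""
    slaac = any(p["autonomous"] for p in ra.get("prefixes", []))
    if ra.get("managed"):
        return "stateful DHCPv6 for address and options" + (" (plus SLAAC)" if slaac else "")
    if slaac and ra.get("other"):
        return "SLAAC for address, stateless DHCPv6 for DNS/NTP"
    if slaac:
        return "SLAAC only"
    return "no address autoconfiguration"


if __name__ == "__main__":
    ra = build_ra("fe80::2", "2001:db8:face::/64", managed=False, other=True, autonomous=True)
    print(parse_ra("fe80::2", 255, ra))
    print(address_config_mode(parse_ra("fe80::2", 255, ra)))
    print(parse_ra("fe80::2", 254, ra))          # forwarded from another link: rejected
```

The hop-limit and link-local checks stop an RA injected from off-link, but they pass every RA a host on the same segment sends, which is exactly what fake_router6 does; the host has no way to distinguish the real router from the attacker, so the defence belongs in the switch (RA Guard) rather than in the host's validation.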


A wide range of transition techniques have been identified and implemented, basically falling into three categories:
Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
Tunneling techniques, to avoid order dependencies when upgrading hosts, routers or regions
Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
Expect all of these to be used, in combination.

Dual-stack core:
All P and PE routers are capable of IPv4+IPv6 support
Two IGPs, supporting IPv4 and IPv6
Memory considerations for larger routing tables
Native IPv6 multicast support
All IPv6 traffic routed in the global space
Good for content distribution and global services (Internet)

Topology: CE (IPv4 / IPv6) -- PE -- P -- P -- PE -- CE. Some or all interfaces in the core are dual configured: IPv6 + IPv4 core, IPv4 + IPv6 edge, IPv4 and/or IPv6 edge, dual-stack application.

Dual-stack configuration on a PE/CE interface (Cisco IOS):

ipv6 unicast-routing
interface Ethernet0
 ip address 192.168.99.1 255.255.255.0
 ipv6 address 2001:db8:213:1::1/64

Once this is applied the router starts sending Router Advertisements on the segment and forwards IPv6, while any IPv4 access list on the interface says nothing about IPv6: an IPv6 ACL has to be written and applied separately (ipv6 traffic-filter) or the interface is open for the new protocol.

A dual-stack node means both the IPv4 and IPv6 stacks are enabled:
Applications can talk to both
The choice of IP version is based on name lookup and application preference

  IPv6-enabled application
  TCP / UDP
  IPv4        IPv6
  Data link (Ethernet)
Frame protocol ID: 0x0800 (IPv4), 0x86dd (IPv6)

This is the preferred method on application servers.

Tunnelling options: GRE, manual (IPv6-in-IPv4), 6to4, DMVPN, ISATAP, MPLS (manual), MPLS 6PE.

GRE tunnel between two dual-stack routers across an IPv4 network:
Router1: IPv4 192.168.99.1, IPv6 2001:db8:800:1::3
Router2: IPv4 192.168.30.1, IPv6 2001:db8:800:1::2

router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/128
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode gre ip

router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/128
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode gre ip

(The slide showed "tunnel mode gre ipv6", which selects an IPv6 delivery header and does not match the IPv4 tunnel endpoints above; "gre ip" is the IOS default for GRE over IPv4 and may be omitted.)

Manually configured IPv6-in-IPv4 tunnel (IP protocol 41) between the same routers:

router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/127
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode ipv6ip

router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/127
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode ipv6ip

Neither GRE nor protocol-41 encapsulation authenticates the outer packet: anyone who can spoof the tunnel source address can inject IPv6 packets into the far end. Filter protocol 41 and GRE at the network edge so that only the configured peers can reach the tunnel endpoints.

6to4:
Automatic tunnel method using the 2002:IPv4::/48 IPv6 range
The IPv4 address is embedded in the IPv6 prefix, e.g. 2002:c80f:0f01:: = 200.15.15.1
No impact on the existing IPv4 or MPLS core (IPv6 unaware)
Tunnel endpoints have to be IPv6 and IPv4 aware (dual stack)
A transition technology, not for long-term use
No multicast support; static routing
Intrinsic linkage between the destination IPv6 subnet and the IPv4 gateway interface: IPv4 gateway = tunnel endpoint

Topology: IPv6 network 2002:c80f:0f01::/48 -- CE 200.15.15.1 (e0/0, 2002:c80f:0f01:100::1) -- PE -- P -- P -- PE (IPv4 backbone) -- CE 200.11.11.1 (e0/0, 2002:c80b:0b01:100::1) -- IPv6 network 2002:c80b:0b01::/48. Across the backbone the IPv6 packet travels inside an IPv4 header (6to4 tunnel) between the two CE addresses.

6to4 relay:
A 6to4 relay allows access to the global IPv6 network
Can use the tunnel anycast address 192.88.99.1; the 6to4 router finds the closest 6to4 relay router, and the return path can be asymmetric (a different relay, chosen by the remote side)
Default route to the IPv6 Internet
BGP can also be used to select a particular 6to4 relay based on prefix, allowing a more granular routing policy

Topology: IPv6 network 2002:c80f:0f01::/48 -- CE 200.15.15.1 (e0/0, 2002:c80f:0f01:100::1) -- IPv4 backbone -- 6to4 relay 192.88.99.1 (lo0, 2002:c058:6301::1) -- IPv6 Internet 2000::/3.

Since the talk, RFC 7526 (2015) has deprecated the anycast 6to4 relay service. Operators should not rely on relays they do not control, and 6to4 traffic arriving from an unknown relay is, in effect, IPv6 from an unauthenticated source.
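The "intrinsic linkage" between a 6to4 prefix and its IPv4 endpoint is also the only thing a 6to4 router can check when it decapsulates a packet. The following added example (editor-written, not from the talk) computes the 2002::/48 prefix for an IPv4 address, extracts the embedded endpoint, and applies the decapsulation consistency checks described in RFC 3964 section 5: the inner 6to4 source must embed the outer IPv4 source, the inner destination must belong to this router's own 6to4 prefix unless it is acting as a relay, and neither inner address may be link-local, multicast, loopback or unspecified. The addresses are the slide's (200.15.15.1, 200.11.11.1, the relay 192.88.99.1); the spoofing cases use documentation addresses and are constructed.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

SIXTO4 = IPv6Network("2002::/16")
RELAY_ANYCAST = IPv4Address("192.88.99.1")      # RFC 3068 anycast, deprecated by RFC 7526


def sixto4_prefix(ipv4: str) -> str:
    """2002:VVVV:VVVV::/48 for the IPv4 address V.V.V.V (200.15.15.1 -> 2002:c80f:f01::/48)."""
    return str(IPv6Address(b"\x20\x02" + IPv4Address(ipv4).packed + b"\x00" * 10)) + "/48"


def embedded_ipv4(ipv6: str):
    """IPv4 tunnel endpoint embedded in a 6to4 address, or None for native IPv6."""
    a = IPv6Address(ipv6)
    return IPv4Address(a.packed[2:6]) if a in SIXTO4 else None


def check_decapsulation(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
                        my_ipv4: str, relay: bool = False) -> list:
    """Consistency checks a 6to4 router applies to a protocol-41 packet before forwarding the
    inner IPv6 packet (after RFC 3964 section 5). Returns the reasons to drop; empty means accept."""
    reasons = []
    osrc, odst = IPv4Address(outer_src), IPv4Address(outer_dst)
    isrc, idst = IPv6Address(inner_src), IPv6Address(inner_dst)
    if odst != IPv4Address(my_ipv4):
        reasons.append("outer destination %s is not this router" % odst)
    for label, a in (("inner source", isrc), ("inner destination", idst)):
        if a.is_multicast or a.is_link_local or a.is_loopback or a.is_unspecified:
            reasons.append("%s %s must not cross a 6to4 tunnel" % (label, a))
    src_v4 = embedded_ipv4(inner_src)
    if src_v4 is not None:
        if src_v4 != osrc:
            reasons.append("inner source embeds %s but outer source is %s: spoofed" % (src_v4, osrc))
        if not src_v4.is_global:
            reasons.append("inner source embeds non-global IPv4 %s" % src_v4)
    dst_v4 = embedded_ipv4(inner_dst)
    if not relay:
        if dst_v4 is None:
            reasons.append("native IPv6 destination %s: this router is not a relay" % idst)
        elif dst_v4 != odst:
            reasons.append("inner destination embeds %s, not our 6to4 prefix" % dst_v4)
    return reasons


if __name__ == "__main__":
    print(sixto4_prefix("200.15.15.1"), embedded_ipv4("2002:c058:6301::1") == RELAY_ANYCAST)
    # Packet from the left CE to the right CE on the slide: consistent, accepted
    print(check_decapsulation("200.15.15.1", "200.11.11.1",
                              "2002:c80f:f01:100::1", "2002:c80b:b01:100::1", "200.11.11.1"))
    # Same inner packet, but the outer IPv4 source does not match the embedded endpoint
    print(check_decapsulation("198.51.100.7", "200.11.11.1",
                              "2002:c80f:f01:100::1", "2002:c80b:b01:100::1", "200.11.11.1"))
```

What the checks cannot do is the interesting part: a packet whose inner source is native IPv6 (it came back through a relay) has no embedded address to compare, so the router accepts it from whatever IPv4 source delivered it. That gap, together with the anycast relay's lack of any trust relationship, is why the relay model was deprecated.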


Additional and increased focus on IPv6 at security conferences such as Black Hat, CanSecWest and others.
Companies are putting additional effort into IPv6 vulnerability research: Stonesoft released 163 new Advanced Evasion Techniques, 12 of them IPv6-specific.
Private security researchers are also putting additional focus on IPv6: Chinese researchers, Marc Heuse, Fernando Gont, to name a few.
The UK's CPNI (Centre for the Protection of National Infrastructure) published a 220-page report, "Security Assessment of the Internet Protocol version 6 (IPv6)".

The Hacker's Choice THC-IPv6 toolkit, http://thc.org/thc-ipv6/
Over 30 tools, included in BackTrack; a private version is also available.
A sampling:
parasite6: ICMP neighbor solicitation/advertisement spoofer; puts you as man-in-the-middle, the same as ARP MITM (and parasite)
dnsdict6: parallelized DNS IPv6 dictionary brute-forcer
fake_router6: announce yourself as a router on the network, with the highest priority
flood_router6: flood a target with random router advertisements


Industry as a whole has far less experience with IPv6 than with IPv4

IPv6 implementations have not been proven over time

Security tools such as firewalls and IDS have varying levels of IPv6 support. Even when support is claimed, the level of support varies widely

IPv6 brings added complexity, which is the enemy of security

Network engineers and security operations staff are not fully trained on IPv6


Default subnets in IPv6 have 2^64 addresses

At 10 Mpps, a sweep takes more than 50 000 years

NMAP doesn't even support ping sweeps on IPv6 networks

World's population is approximately 6.5 billion

2^128 / 6.5 billion = 52 trillion trillion IPv6 addresses per person
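As an added example (not part of the deck), the arithmetic behind the figures above in runnable form, extended to the smaller address ranges the later slides recommend (a /120 for statically numbered servers, /127 on point-to-point links per RFC 6164) so that the effect of address-plan size on sweep time is visible. The 10 Mpps probe rate and the 6.5 billion population are the slide's figures; the other prefix lengths are added for comparison.

```python
"""Brute-force sweep time of an IPv6 prefix at a given probe rate.

Added example, not from the slide deck. The /64 at 10 Mpps is the slide's
case; /96, /112, /120 and /127 are added to show why keeping hosts in a
small, statically numbered range changes the picture for a scanner."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def addresses_in_prefix(prefix_len: int) -> int:
    """Number of addresses covered by an IPv6 prefix of the given length."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("IPv6 prefix length must be between 0 and 128")
    return 1 << (128 - prefix_len)


def sweep_years(prefix_len: int, probes_per_second: float) -> float:
    """Years needed to send one probe to every address in the prefix."""
    return addresses_in_prefix(prefix_len) / probes_per_second / SECONDS_PER_YEAR


def addresses_per_person(population: float) -> float:
    """Share of the whole 2^128 address space per person (the slide's division, unrounded)."""
    return addresses_in_prefix(0) / population


def sweep_table(probes_per_second: float = 10_000_000,
                prefix_lens=(64, 96, 112, 120, 127)) -> list:
    """Rows of (prefix length, address count, years to sweep) for comparison."""
    return [(p, addresses_in_prefix(p), sweep_years(p, probes_per_second))
            for p in prefix_lens]


if __name__ == "__main__":
    for p, n, years in sweep_table():
        print(f"/{p:<3} {n:>26,d} addresses  {years:.3g} years at 10 Mpps")
    print(f"{addresses_per_person(6.5e9):.3g} addresses per person")
```

The table makes the defender's side of the argument explicit: a /64 is unsweepable, but a /120 of servers is a few hundred probes, which is why the later slides pair the /120 numbering plan with an ingress ACL rather than relying on address-space size.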


Public servers will still need to be DNS reachable

Increased deployment of and reliance on Dynamic DNS: more info in DNS

Admins might adopt easy-to-remember addresses such as: ::20, ::F00D, ::CAFE, or the last IPv4 octet

Transition technologies derive the IPv6 address from IPv4 addresses

Brute-force IPv6 scanning assumes that the addresses are randomly distributed. This has been shown not to be the case*:

SLAAC: IP based on MAC

IPv4-based (2001:0db8::192.168.100.1)

Low number (2001:0db8:1:1::1)

(*) Malone, D. 2008. Observations of IPv6 Addresses. Passive and Active Measurement Conference (PAM 2008, LNCS 4979), 29-30 April 2008.


3 site-local multicast addresses: FF05::2 all routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers

Several link-local multicast addresses: FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, ...

Some deprecated (RFC 3879) site-local addresses are still used: FEC0:0:0:FFFF::1 DNS server

Not feasible from remote

[Figure: DHCP attack. A packet (Source, Destination, Payload) sent by the attacker to destination FF05::1:3 reaches every DHCP server in the site, here 2001:db8:2::50, 2001:db8:1::60 and 2001:db8:3::70.]

http://www.iana.org/assignments/ipv6-multicast-addresses/


BitTorrent will expose IPv6 peers

Look in web server log files for IPv6 addresses; convince the target to browse to the web server

Email headers from the target

Mailing list archives


    ICMPv6 echo/response

    Send invalid ICMPv6 options and nodes will be forced to reply

    Use Traceroute6

Look for well-known IPv4 addresses which are linked to IPv6 (e.g. Teredo)

Neighbor discovery cache of already compromised hosts:

    root@bt:~# alive6 -s 1 eth1
    Alive: 2001:470:67b9:1:234:36ff:fe9c:3132
    Alive: 2001:470:67b9:1:21d:29ff:fef9:bc06
    Alive: 2001:470:67b9:1:22f:29ff:fe61:1ea1
    Alive: 2001:470:67b9:1:259:29ff:fe40:e19a
    Alive: 2001:470:67b9:1:231:ebff:fef7:f140
    Alive: fe80::ebff:d4ff:fedd:c572
    Alive: 2001:470:67b9:1:b917:c2ff:fed9:6b1b
    Alive: 2001:470:67b9:1:993:cbff:fea3:1733
    Alive: 2001:470:67b9:1:675:dfff:fede:4875
    Alive: 2001:470:67b9:1:b67d:caff:fe1b:c7a7
    Alive: 2001:470:67b9:1:b78f:cbff:fee9:fd7f
    Found 11 systems alive

    root@bt:~# ip -6 neigh show
    2001:470:67b9:1:7273:cbff:fee9:ddf3 dev eth1 lladdr 70:73:cb:e9:dd:f3 DELAY
    2001:470:67b9:1:224:36ff:fe9c:ff56 dev eth1 lladdr 00:24:36:9c:ff:56 DELAY
    2001:470:67b9:1:216:cbff:fea3:dd44 dev eth1 lladdr 00:16:cb:a3:dd:44 DELAY
    2001:470:67b9:1:223:dfff:fede:1122 dev eth1 lladdr 00:23:df:de:11:22 DELAY
    fe80::223:ebff:fedd:1298 dev eth1 lladdr 00:23:eb:dd:12:98 DELAY
    2001:470:67b9:1:ba17:c2ff:fed9:11ed dev eth1 lladdr b8:17:c2:d9:11:ed DELAY
    2001:470:67b9:1:5a55:caff:fe1b:dfee dev eth1 lladdr 58:55:ca:1b:df:ee DELAY


Temporary addresses for IPv6 host client applications, e.g. web browser

Inhibit device/user tracking: random 64-bit interface ID, then run Duplicate Address Detection before using it

Rate of change based on local policy

Can have this address in addition to the EUI-64 address (based on MAC address) on an interface

[Figure: address layout 2001 | /23 | /32 | /48 | /64 | Interface ID, the random interface ID occupying the low 64 bits]

Recommendation: use Privacy Extensions for external communication but not for internal networks (troubleshooting and attack trace back)
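The address patterns listed two slides earlier (low numbers, memorable hex words, embedded IPv4, EUI-64 from the MAC) and the privacy-extension addresses described here can be told apart mechanically. The following is an added example, not from the deck: a small audit of an address inventory that flags the guessable patterns before a scanner finds them and recovers the MAC from EUI-64 addresses, which is exactly what the recommendation above relies on for internal trace-back. The sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
"""Classify IPv6 addresses by interface-identifier pattern (added example).

Patterns follow the slides: low number, memorable word, IPv4 embedded in the
low 32 bits, modified EUI-64 (ff:fe in the middle, u/l bit flipped), or a
random-looking IID as produced by RFC 4941 privacy extensions."""

import ipaddress
from typing import Optional

# Constructed sample inventory; the MAC comments are what the audit should recover.
SAMPLE_ADDRESSES = [
    "2001:db8:1:1::1",                    # low number
    "2001:db8:1:1::cafe",                 # "easy to remember" hex word
    "2001:db8:1:1::192.168.100.1",        # IPv4 address embedded in the low 32 bits
    "2001:db8:1:1:21d:29ff:fef9:bc06",    # EUI-64 from MAC 00:1d:29:f9:bc:06
    "2001:db8:1:1:b917:c2ff:fed9:6b1b",   # EUI-64 from MAC bb:17:c2:d9:6b:1b
    "2001:db8:1:1:8c3a:5e7d:41f0:9b2c",   # random IID (privacy extension)
]

MEMORABLE_WORDS = {0xCAFE, 0xF00D, 0xBEEF, 0xDEAD, 0xBABE, 0xFACE}


def interface_id(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits of the address: the interface identifier on a /64."""
    return int(addr) & ((1 << 64) - 1)


def mac_from_eui64(iid: int) -> Optional[str]:
    """Recover the MAC if the IID is a modified EUI-64 (octets 3-4 are ff:fe)."""
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    # Modified EUI-64 inverts the universal/local bit (0x02) of the first octet.
    octets = [b[0] ^ 0x02, b[1], b[2], b[5], b[6], b[7]]
    return ":".join(f"{o:02x}" for o in octets)


def classify(addr_text: str) -> dict:
    """Pattern family of one address plus the recovered MAC, if any."""
    addr = ipaddress.IPv6Address(addr_text)
    iid = interface_id(addr)
    mac = mac_from_eui64(iid)
    if mac is not None:
        kind = "eui64"
    elif iid < 0x10000 and iid in MEMORABLE_WORDS:
        kind = "memorable-word"
    elif iid < 0x10000:
        kind = "low-number"
    elif iid >> 32 == 0:
        kind = "ipv4-embedded"      # only the low 32 bits are set
    else:
        kind = "random-looking"
    guessable = kind != "random-looking"
    return {"address": addr.compressed, "kind": kind, "mac": mac, "guessable": guessable}


def audit(addresses=SAMPLE_ADDRESSES) -> list:
    """Classify a whole inventory."""
    return [classify(a) for a in addresses]


if __name__ == "__main__":
    for row in audit():
        print(f"{row['address']:<40} {row['kind']:<15} {row['mac'] or ''}")
```

Run against a real inventory (DHCPv6 leases, NDP cache dumps, DNS AAAA records), the "guessable" column is the list of hosts a scanner would find quickly; the "mac" column is what lets an internal EUI-64 address be tied back to a switch port during an investigation.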


Google: many sites use ipv6.example.com or ip6.example.com during the transition phase. Search for site:ipv6* or site:ip6*

Do an AXFR if DNS is misconfigured

If DNSSEC is being used, try an NSEC walk*. NSEC3 records make this more difficult.

Try a brute force: perform automated AAAA lookups based on a preconfigured dictionary (i.e. look up firewall.example.com, server1.example.com, mail.example.com)


Your host:

IPv4 is protected by your favorite personal firewall...

IPv6 is enabled by default (Vista, Linux, Mac OS X, ...)

Your network:

Does not run IPv6

Your assumption: I'm safe

Reality: you are not safe

Attacker sends Router Advertisements

Your host silently configures IPv6

You are now under IPv6 attack

=> Probably time to think about IPv6 in your network


Easy to check!

Look inside NetFlow records:

Protocol 41: IPv6 over IPv4 or 6to4 tunnels

IPv4 address 192.88.99.1 (6to4 anycast server)

UDP 3544, the public part of Teredo, yet another tunnel

Look into DNS server logs for resolution of ISATAP

Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW
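The check described above, as an added example that is not part of the deck: a script that runs the four indicators (protocol 41, the 6to4 anycast relay 192.88.99.1, UDP/3544 Teredo, ISATAP name lookups) over NetFlow-style records and DNS query-log lines and reports which internal hosts show signs of latent IPv6. The flow export format (CSV with src, dst, proto, sport, dport) and the BIND-style query-log lines are constructed samples; adapt the two parsers to your collector's export.

```python
"""Find hosts with latent IPv6 tunnels in flow and DNS logs (added example)."""

import csv
import io
import re

# Constructed flow export: src, dst, IP protocol, source port, destination port, packets.
FLOW_CSV = """src,dst,proto,sport,dport,packets
10.1.2.3,192.88.99.1,41,0,0,120
10.1.2.7,203.0.113.9,6,51234,443,40
10.1.2.8,198.51.100.4,17,54321,3544,15
10.1.2.9,203.0.113.20,41,0,0,8
10.1.2.10,198.51.100.53,17,50000,53,3
"""

# Constructed BIND-style query log lines.
DNS_LOG = """\
client 10.1.2.11#52314: query: isatap.example.com IN A + (10.1.2.53)
client 10.1.2.12#49170: query: www.example.com IN AAAA + (10.1.2.53)
client 10.1.2.13#61001: query: ISATAP.corp.example.com IN A + (10.1.2.53)
"""

SIX_TO_FOUR_ANYCAST = "192.88.99.1"   # 6to4 relay anycast address (RFC 3068)
TEREDO_PORT = 3544                    # Teredo server/relay UDP port
ISATAP_RE = re.compile(r"query: (isatap\.\S+) IN A\b", re.IGNORECASE)


def flow_indicators(flow_csv: str) -> list:
    """(src, reason) for every flow that matches a tunnel signature."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        proto, sport, dport = int(row["proto"]), int(row["sport"]), int(row["dport"])
        if proto == 41:
            kind = ("6to4 (anycast relay)" if row["dst"] == SIX_TO_FOUR_ANYCAST
                    else "IPv6-in-IPv4 (protocol 41)")
            hits.append((row["src"], kind))
        elif proto == 17 and TEREDO_PORT in (sport, dport):
            hits.append((row["src"], "Teredo (UDP/3544)"))
    return hits


def dns_indicators(dns_log: str) -> list:
    """(client, name) for every lookup of an ISATAP router name."""
    hits = []
    for line in dns_log.splitlines():
        m = ISATAP_RE.search(line)
        if m:
            client = line.split("client ", 1)[1].split("#", 1)[0]
            hits.append((client, m.group(1)))
    return hits


def hosts_with_latent_ipv6(flow_csv: str = FLOW_CSV, dns_log: str = DNS_LOG) -> dict:
    """Map each internal host to the tunnel indicators seen for it."""
    report = {}
    dns_hits = [(c, f"ISATAP lookup {n}") for c, n in dns_indicators(dns_log)]
    for host, reason in flow_indicators(flow_csv) + dns_hits:
        report.setdefault(host, []).append(reason)
    return report


if __name__ == "__main__":
    for host, reasons in sorted(hosts_with_latent_ipv6().items()):
        print(host, "->", "; ".join(reasons))
```

Each hit is a host that is already speaking IPv6 through a network that "does not run IPv6"; those are the hosts whose personal firewall and IDS coverage need to be verified for IPv6 first.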


1. RS: Data = Query: please send RA

2. RA: Data = options, prefix, lifetime, A+M+O flags

[Figure: the host sends 1. RS, the router answers with 2. RA; a second 2. RA from another node on the link leads to DoS or MITM]

RA without any authentication gives exactly the same level of security as DHCPv4 (none)

Router Advertisements contain:

- Prefix to be used by hosts
- Data-link layer address of the router
- Miscellaneous options: MTU, DHCPv6 use, ...


Devastating:

Denial of service: all traffic sent to a black hole

Man-in-the-middle attack: attacker can intercept, listen to and modify unprotected data

Also affects legacy IPv4-only networks with IPv6-enabled hosts

Most of the time from non-malicious users

Requires layer-2 adjacency (some relief)

The major blocking factor for enterprise IPv6 deployment


Where               What
Routers             Increase legal router preference
Hosts               Disable Stateless Address Autoconfiguration
Routers & Hosts     SeND Router Authorization
Switch (First Hop)  Host isolation
Switch (First Hop)  Port Access List (PACL)
Switch (First Hop)  RA Guard


RFC 3972 Cryptographically Generated Addresses (CGA)

IPv6 addresses whose interface identifiers are cryptographically generated from the node's public key

SeND adds a signature option to the Neighbor Discovery Protocol, using the node's private key

The node's public key is sent in the clear (and linked to the CGA)

Very powerful, if MAC spoofing is prevented

But not a lot of implementations: Cisco IOS, Linux, some H3C, third party for Windows


Each device has an RSA key pair (no need for a certificate)

Ultra-light check for validity

Prevents spoofing a valid CGA address

[Figure: CGA generation. The CGA Params (Modifier, Subnet Prefix, Public Key) are hashed with SHA-1 to produce the Interface Identifier; Subnet Prefix + Interface Identifier form the Cryptographically Generated Address. The RSA private key signs SeND messages; the public key carried in the CGA Params verifies the signature.]
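Added here as a worked example (not the deck's, not Cisco's and not any vendor's code): a minimal RFC 3972 CGA generator and verifier in Python. It makes the "ultra-light check" concrete: the verifier recomputes one SHA-1 over the CGA Parameters the sender supplies (modifier, subnet prefix, collision count, public key), masks out the Sec and u/g bits, and compares the result with the interface identifier of the claimed address; nothing beyond the sender's own parameters is needed, and no certificate is involved. The public key is a constructed placeholder byte string standing in for the DER-encoded key, and the prefix is the documentation prefix 2001:db8:1:1::/64; both are assumptions, while the hashing follows the RFC.

```python
"""RFC 3972 Cryptographically Generated Addresses: generate and verify (added example)."""

import hashlib
import ipaddress

# Constructed stand-in for the DER-encoded RSA SubjectPublicKeyInfo RFC 3972 hashes.
SAMPLE_PUBLIC_KEY = b"\x30\x22\x30\x0d" + bytes(range(0x20, 0x40))
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1:1::/64")  # documentation prefix

IID_MASK = (1 << 64) - 1
SEC_BITS = 0b111 << 61   # leftmost three bits of the interface identifier carry Sec
UG_BITS = 0b11 << 56     # bits 6 and 7 (u/g) are always cleared in a CGA


def cga_parameters(modifier: bytes, prefix: ipaddress.IPv6Network,
                   collisions: int, pubkey: bytes) -> bytes:
    """CGA Parameters data structure (RFC 3972 section 3), without extension fields."""
    return modifier + prefix.network_address.packed[:8] + bytes([collisions]) + pubkey


def hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(modifier | 9 zero octets | public key); leftmost 16*Sec bits must be zero."""
    if sec == 0:
        return True
    h2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return h2 >> (112 - 16 * sec) == 0


def hash1(params: bytes) -> int:
    """Hash1 = leftmost 64 bits of SHA-1 over the CGA Parameters."""
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")


def generate_cga(prefix, pubkey: bytes, sec: int = 0,
                 modifier: bytes = bytes(16), collisions: int = 0):
    """Return (address, parameters); the modifier is incremented until Hash2 satisfies Sec."""
    prefix = ipaddress.IPv6Network(prefix)
    if not 0 <= sec <= 7 or not 0 <= collisions <= 2:
        raise ValueError("sec must be 0..7 and collision count 0..2")
    m = int.from_bytes(modifier, "big")
    while not hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % (1 << 128)
    params = cga_parameters(m.to_bytes(16, "big"), prefix, collisions, pubkey)
    # Bits 0-2 carry Sec, bits 6-7 (u/g) are cleared, the remaining 59 bits are Hash1.
    iid = (hash1(params) & ~SEC_BITS & ~UG_BITS) | (sec << 61)
    return ipaddress.IPv6Address(int(prefix.network_address) | iid), params


def verify_cga(addr, params: bytes) -> bool:
    """The ultra-light check: one SHA-1 (two for Sec > 0) over data the sender supplied."""
    addr = ipaddress.IPv6Address(addr)
    if len(params) < 26 or params[24] > 2:
        return False  # malformed, or collision count out of range
    modifier, prefix8, pubkey = params[:16], params[16:24], params[25:]
    if prefix8 != addr.packed[:8]:
        return False  # parameters were built for a different subnet prefix
    iid = int(addr) & IID_MASK
    if (iid & ~SEC_BITS & ~UG_BITS) != (hash1(params) & ~SEC_BITS & ~UG_BITS):
        return False  # interface identifier does not belong to this public key
    return hash2_ok(modifier, pubkey, (iid & SEC_BITS) >> 61)


if __name__ == "__main__":
    address, parameters = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBLIC_KEY, sec=1)
    print(address, verify_cga(address, parameters))
```

Raising Sec makes generation cost on the order of 2^(16*Sec) hashes while verification stays at two; that asymmetry is what makes claiming someone else's CGA expensive for the attacker and cheap for the switch or router to check.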


Adding an X.509 certificate to the RA

Subject Name contains the list of authorized IPv6 prefixes

[Figure: a Trust Anchor issues the router's X.509 cert; the Router Advertisement has Source Addr = CGA, carries the CGA param block (incl. pub key) and the X.509 cert, and is signed]


[Figure: two PCs (public V6), each behind its CPE on its own PVLAN, reaching only the BNG that sends the RA]

Prevent node-to-node layer-2 communication by using:

1 VLAN per host (SP access network with Broadband Network Gateway)

Private VLANs (PVLAN) where a node can only contact the official router

Link-local scope multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm

Can also be used on wireless in AP isolation mode


Port ACL blocks all ICMPv6 Router Advertisements from hosts:

    ipv6 access-list ACCESS_PORT
     remark ACL body is not on the slide; this definition is assumed
     deny icmp any any router-advertisement
     permit ipv6 any any
    !
    interface FastEthernet3/13
     switchport mode access
     ipv6 traffic-filter ACCESS_PORT in
     access-group mode prefer port



[Figure: RA Guard. A node sends a Router Advertisement (Option: prefix(s), "I am the default gateway"); the switch verifies it (configuration-based, learning-based or challenge-based) and bridges the RA only if verification succeeded]

Switch selectively accepts or rejects RAs based on various criteria. Can be ACL-based, learning-based or challenge (SeND)-based. Hosts see only allowed RAs, and RAs with allowed content


    Pretty much like RA: no authentication

    Any node can steal the IP address of any other node

    Impersonation leading to denial of service or MITM

    Requires layer-2 adjacency


Where               What
Routers & Hosts     Configure static neighbor cache entries
Routers & Hosts     Use cryptographic addresses (SeND CGA)
Switch (First Hop)  Host isolation
Switch (First Hop)  Address watch: glean addresses in NDP and DHCP; establish and enforce rules for address ownership


Remote router CPU/memory DoS attack if aggressive scanning: the router will do Neighbor Discovery... and waste CPU and memory

Local router DoS with NS/RS/

[Figure: a remote scanner sends packets to 2001:db8::1, 2001:db8::2, 2001:db8::3 and so on inside 2001:db8::/64; for each one the router emits NS: 2001:db8::1, NS: 2001:db8::2, NS: 2001:db8::3 on the local link, over and over]


Mainly an implementation issue:

Rate limiter, global and per interface

Prioritize renewal (PROBE) rather than new resolution

Maximum neighbor cache entries per interface and per MAC address

Internet edge/presence: a target of choice. Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only

=> Allocate and configure a /64 but use addresses fitting in a /120 in order to have a simple ingress ACL


Built-in rate limiter but no option to tune it. Since 15.1(3)T: ipv6 nd cache interface-limit

Or IOS-XE 2.6: ipv6 nd resolution data limit

Destination Guard is coming with First Hop Security phase 3

Using a /64 on point-to-point links => a lot of addresses to scan! Using /127 could help (RFC 6164)

Internet edge/presence: a target of choice

Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only

Using an infrastructure ACL prevents this scanning

iACL: edge ACL denying packets addressed to your routers

Easy with IPv6 because a new addressing scheme can be done
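As an added configuration example (not from the deck; the server prefix 2001:db8:1:1::/64, the /120 numbering plan, the interface names and the cache-limit value are all assumptions), the combination the two slides above describe: an edge ingress ACL that only lets traffic through to the statically numbered server range, so the router never performs Neighbor Discovery for the remaining 2^64 - 2^8 addresses of the /64, plus the per-interface neighbor cache limit named on the slide as a backstop:

```cisco
ipv6 access-list EDGE_SERVERS_IN
 remark Servers are numbered inside 2001:db8:1:1::/120 of the /64 (assumed plan)
 permit tcp any 2001:db8:1:1::/120 eq 443
 permit tcp any 2001:db8:1:1::/120 eq 25
 permit icmp any 2001:db8:1:1::/120 echo-request
 remark Path MTU discovery toward the servers must keep working
 permit icmp any 2001:db8:1:1::/64 packet-too-big
 remark Everything else aimed at the /64 is dropped before ND is triggered
 deny ipv6 any 2001:db8:1:1::/64
 remark iACL part: nothing from outside may target the routers' own link addresses (assumed range)
 deny ipv6 any 2001:db8:ffff::/48
 permit ipv6 any any
!
interface GigabitEthernet0/0
 description Upstream / Internet-facing edge (assumed)
 ipv6 traffic-filter EDGE_SERVERS_IN in
!
interface GigabitEthernet0/1
 description Server LAN (assumed)
 ipv6 address 2001:db8:1:1::1/64
 ipv6 nd cache interface-limit 512
```

With this in place a remote sweep of the /64 produces at most 256 resolvable destinations on the server LAN, and the cache limit caps what a scan of those can cost the router even if the ACL is later loosened.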


RFC allows for multiple and repeating extension headers.

RFC 3128 is not applicable to IPv6; an extension header can be fragmented

Packets get increasingly complex to parse

Original Packet:  IPv6 hdr | Dest Option | Dest Option | TCP | data
First Fragment:   IPv6 hdr | Frag Header | Dest Option
Second Fragment:  IPv6 hdr | Frag Header | Dest Option | TCP | data


Unlimited size of header chain (spec-wise) can make filtering difficult

Potential DoS with poor IPv6 stack implementations

More boundary conditions to exploit

Can I overrun buffers with a lot of extension headers?

[Figure: sniffer decode of a packet that is "perfectly valid according to the sniffer" although a Destination Options header, which should be the last, appears early; a Destination Options header, which should occur at most twice, is repeated; and a header which should only appear once is repeated]

See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html


Use a stateful firewall which reassembles all of the fragments and then applies the filtering rules

This only has limited usefulness, as the attacker can keep adding headers and increasing the number of fragments to a point where the firewall can no longer reassemble

Filter out packets with specific combinations of Extension Headers or number of Extension Headers

Filter out packets that combine fragmentation with additional Extension Headers
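The extension-header filtering rules above, and the packet layouts from the earlier slide, as an added example that is not part of the deck: a small header-chain walker with a policy that limits the number of extension headers, rejects a misplaced Hop-by-Hop header, rejects Destination Options appearing more than twice, rejects fragments that also carry other extension headers, and rejects a first fragment that does not contain the upper-layer header. All packets are constructed inline from documentation addresses; the limit of three extension headers is an assumed policy value.

```python
"""IPv6 extension-header chain walker and filtering policy (added example)."""

import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
EXT_NAMES = {HOP_BY_HOP: "HopByHop", ROUTING: "Routing", FRAGMENT: "Fragment",
             ESP: "ESP", AH: "AH", DEST_OPTS: "DestOpts"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
MIN_UPPER_LEN = {"TCP": 20, "UDP": 8, "ICMPv6": 8}


def parse_chain(pkt: bytes) -> dict:
    """Walk the next-header chain; report the extension headers seen and where the payload starts."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return {"chain": [], "upper": None, "note": "not IPv6", "offset": 0}
    nh, off, chain = pkt[6], 40, []
    while True:
        if nh in UPPER:
            return {"chain": chain, "upper": UPPER[nh], "note": None, "offset": off}
        if nh == NO_NEXT:
            return {"chain": chain, "upper": None, "note": "no next header", "offset": off}
        if nh not in EXT_NAMES:
            return {"chain": chain, "upper": None, "note": f"unknown next header {nh}", "offset": off}
        if off + 8 > len(pkt):
            return {"chain": chain, "upper": None, "note": "truncated header chain", "offset": off}
        chain.append(EXT_NAMES[nh])
        if nh == ESP:  # everything after ESP is encrypted; the chain cannot be followed
            return {"chain": chain, "upper": None, "note": "ESP", "offset": off}
        if nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return {"chain": chain, "upper": None, "note": "non-first fragment", "offset": off + 8}
            nh, off = pkt[off], off + 8
        elif nh == AH:
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:  # Hop-by-Hop, Routing and Destination Options share the (len + 1) * 8 encoding
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8


def policy(pkt: bytes, max_ext: int = 3) -> str:
    """'permit' or 'deny: <reason>' following the filtering rules from the slides."""
    p = parse_chain(pkt)
    chain, note = p["chain"], p["note"]
    if note in ("not IPv6", "truncated header chain") or (note or "").startswith("unknown"):
        return f"deny: {note}"
    if len(chain) > max_ext:
        return f"deny: {len(chain)} extension headers (limit {max_ext})"
    if "HopByHop" in chain[1:]:
        return "deny: Hop-by-Hop Options not first"
    if chain.count("DestOpts") > 2:
        return "deny: Destination Options more than twice"
    if "Fragment" in chain and len(chain) > 1:
        return "deny: fragment combined with other extension headers"
    if p["upper"] and len(pkt) - p["offset"] < MIN_UPPER_LEN[p["upper"]]:
        return "deny: upper-layer header missing from first fragment or truncated"
    return "permit"


# Constructed sample packets (documentation addresses, no captured traffic).
def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000100010000000000000010")
    dst = bytes.fromhex("20010db8000100010000000000000020")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


def opts_header(next_header: int) -> bytes:
    """8-byte Hop-by-Hop or Destination Options header holding a single PadN option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header: int, offset: int, more: bool = True) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), 0x1234)


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20 bytes

SAMPLES = {
    "plain tcp": ipv6_packet(6, TCP_SYN),
    "two dest opts (original packet)": ipv6_packet(DEST_OPTS, opts_header(DEST_OPTS) + opts_header(6) + TCP_SYN),
    "first fragment with dest opts": ipv6_packet(FRAGMENT, fragment_header(DEST_OPTS, 0) + opts_header(6)),
    "five dest opts": ipv6_packet(DEST_OPTS, opts_header(DEST_OPTS) * 4 + opts_header(6) + TCP_SYN),
    "hop-by-hop in second place": ipv6_packet(DEST_OPTS, opts_header(HOP_BY_HOP) + opts_header(6) + TCP_SYN),
    "first fragment without tcp header": ipv6_packet(FRAGMENT, fragment_header(6, 0) + b"\x00" * 4),
    "non-first fragment": ipv6_packet(FRAGMENT, fragment_header(6, 1, False) + b"\x00" * 8),
}


def evaluate_samples(max_ext: int = 3) -> dict:
    return {name: policy(pkt, max_ext) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:<36} {verdict}")
```

The "first fragment with dest opts" sample is the slide's First Fragment layout; it is denied on the fragment-plus-extension-header rule before the walker even notices that the TCP header is missing, which is the cheap check a stateless device can make without reassembling anything. A non-first fragment alone is passed through here because only a reassembling firewall can judge it.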


IPv6 in IPv4 Tunnel

Most IPv4/IPv6 transition mechanisms have no authentication built in

=> an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses

[Figure: Server A in one IPv6 network and Server B in another, joined by tunnel termination points across the public IPv4 Internet; an injected packet with spoofed IPv4 and IPv6 addresses is accepted by the tunnel termination, which forwards the inner IPv6 packet, so IPv6 ACLs are ineffective since both IPv4 and IPv6 are spoofed]


Unauthorized tunnels: firewall bypass (protocol 41)

IPv4 infrastructure looks like a layer 2 network to ALL ISATAP hosts in the enterprise

This has implications on network segmentation and network discovery

No authentication in ISATAP: rogue routers are possible

Windows defaults to isatap.example.com

IPv6 addresses can be guessed based on the IPv4 prefix

[Figure: ISATAP router with ISATAP tunnels to hosts across the IPv4 network, which behaves like layer 2 for the IPv6 service: any host can talk to the router, and hosts communicate directly with each other]


[Figure: 6to4 routers on the IPv4 side and a 6to4 relay into the IPv6 Internet; the ACL at the hub is bypassed because direct tunneled traffic between 6to4 routers ignores the hub ACL]


Teredo navalis: a shipworm drilling holes in boat hulls

Teredo Microsoftis: IPv6 in IPv4 punching holes in NAT devices

Source: United States Geological Survey


All outbound traffic inspected: e.g., P2P is blocked

All inbound traffic blocked by firewall

[Figure: IPv4 Intranet behind an IPv4 Firewall facing the IPv4 Internet, which connects through a Teredo Relay to the IPv6 Internet]


Teredo threats: IPv6 over UDP (port 3544)

Internal users want to get P2P over IPv6

Configure the Teredo tunnel (already enabled by default!)

FW just sees IPv4 UDP traffic (may be on port 53)

No more outbound control by FW

[Figure: IPv4 Intranet, IPv4 Firewall, IPv4 Internet, Teredo Relay, IPv6 Internet: the Teredo tunnel from the intranet host crosses the firewall as plain UDP]


Once Teredo is configured:

Inbound connections are allowed

IPv4 firewall unable to control

IPv6 hackers can penetrate

Host security needs IPv6 support now

[Figure: same topology (IPv4 Intranet, IPv4 Firewall, IPv4 Internet, Teredo Relay, IPv6 Internet), now with inbound IPv6 connections reaching the intranet host through the tunnel]


Residential Broadband Service Case: CPE based

Scenarios 1 thru 5 and future (red: new or changed function in the network)


[Figure: IP NGN backbone running (1) 6PE/6vPE or (2) dual-stack, with the access scenarios side by side: IPv4-only access with IPv4 address sharing (CGN); IPv4-only access with IPv4 address sharing plus IPv6 Internet access through 6rd (6rd BR in the network, 6rd CE at the customer, CGN + 6rd); dual-stack access with IPv4 and IPv6 Internet access; dual-stack access with IPv4 address sharing (CGN) and IPv6 Internet access; IPv6-only access with IPv4 address sharing through stateful (DS-Lite) or stateless 4-6 translation and IPv6 Internet access. Customer side: 6rd CE, dual-stack or IPv6-only CPE. Address kinds shown: public IPv4, private IPv4, IPv6.]


Use of Carrier Grade NAT will require more information to be gathered in order to accurately identify a subscriber.

Currently a simple IPv4 address and a time frame are normally sufficient

With the advent of IPv6 and IPv4 address exhaustion you will need more.

The following should be gathered:

IPv4 address (source and destination)

IPv6 address if in use

TCP/UDP ports (source and destination)

Time


More likely scenario:

IPv6 being available all the way to the consumer

SP core and customer have to use IPv4 NAT due to v4 depletion

[Figure: subscriber network (IPv4 host, IPv4+IPv6 host, IPv6 host) behind the customer router; dual-stack SP network using RFC 1918 addresses; SP NAT sharing IPv4 address(es) toward the IPv4 Internet, native IPv6 toward the IPv6 Internet]


Every IPv4 address has a reputation

Either a blacklist or more sophisticated (senderbase.org)

Used to detect spam, botnet members, ...

It is fine as long as:

One IPv4 == one legal entity (subscriber)

What if

One IPv4 == 10,000 entities/subscribers through SP NAT?


The usual way to block a Denial of Service (DoS) against a server is to block the source IPv4 address(es)

Before SP NAT: OK because it blocks only the attacker

With SP NAT: will block the attacker but also 9,999 potential users/customers


Servers currently keep only the remote IPv4 address in their logs

Law Enforcement Agencies (LEA) can request any ISP to get the subscriber ID of this IPv4 address at a specific time

With SP NAT, there will be 10,000 subscribers using this IPv4 address


SP will have to keep all the translation logs (data retention)

AND the server will have to extend its log to include the TCP/UDP port

At 10:23:02, who was using the shared port 23944?
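The question the last three slides build up to, answered on constructed data as an added example (not from the deck): a CGN translation log and a server log line that records the source port are joined on shared address, port and time. The same lookup without the port is run alongside to show how many subscribers remain as candidates when the server logged only the address. The log layouts (CSV bindings with start/end time, a combined-log-style request line with "ip:port") and all subscriber IDs and addresses are constructed samples.

```python
"""Attribute a request behind an SP NAT to a subscriber (added example)."""

from datetime import datetime

# Constructed CGN translation log: start,end,subscriber,internal_ip,external_ip,external_port
CGN_LOG = """\
2012-05-03T10:22:50,2012-05-03T10:25:10,sub-0001,100.64.1.10,203.0.113.5,23944
2012-05-03T10:23:00,2012-05-03T10:23:01,sub-0002,100.64.1.11,203.0.113.5,23945
2012-05-03T10:20:00,2012-05-03T10:40:00,sub-0003,100.64.1.12,203.0.113.5,40001
2012-05-03T10:23:02,2012-05-03T10:23:02,sub-0004,100.64.1.13,203.0.113.5,23946
2012-05-03T09:00:00,2012-05-03T09:30:00,sub-0005,100.64.1.14,203.0.113.5,23944
"""

# Constructed server log line that includes the client source port, as the slide asks for.
SERVER_LOG_LINE = '203.0.113.5:23944 - - [03/May/2012:10:23:02 +0000] "GET /login HTTP/1.1" 200'


def parse_bindings(log: str) -> list:
    """One dict per NAT binding, with timestamps parsed for range comparison."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        start, end, sub, internal, external, port = line.split(",")
        rows.append({"start": datetime.fromisoformat(start), "end": datetime.fromisoformat(end),
                     "subscriber": sub, "internal_ip": internal,
                     "external_ip": external, "external_port": int(port)})
    return rows


def parse_server_line(line: str) -> tuple:
    """(external ip, source port, naive UTC timestamp) from the constructed log line."""
    addr, rest = line.split(" ", 1)
    ip, port = addr.rsplit(":", 1)
    ts = rest.split("[", 1)[1].split("]", 1)[0]
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return ip, int(port), when


def subscribers_for(bindings: list, external_ip: str, when: datetime, port=None) -> list:
    """Subscribers holding the shared address at that instant, optionally narrowed by port."""
    return sorted({b["subscriber"] for b in bindings
                   if b["external_ip"] == external_ip
                   and b["start"] <= when <= b["end"]
                   and (port is None or b["external_port"] == port)})


def attribute(server_line: str = SERVER_LOG_LINE, cgn_log: str = CGN_LOG) -> dict:
    """Run the lookup with and without the port to show the difference the port makes."""
    ip, port, when = parse_server_line(server_line)
    bindings = parse_bindings(cgn_log)
    return {"with_port": subscribers_for(bindings, ip, when, port),
            "without_port": subscribers_for(bindings, ip, when)}


if __name__ == "__main__":
    print(attribute())
```

Two practical consequences follow from the join: the CGN log must record binding end times, not just creation, or the time match cannot be made; and server and CGN clocks must agree to within the shortest binding lifetime, since a one-second skew already changes the answer for sub-0004 in the sample.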


Operator has an expanding customer base, but does not have enough IPv4 addresses to service new customers.

Business need is to be able to assign new users an IP address and give those new subscribers access to IPv4 Internet content as well as IPv6 Internet content.

Possible Scenarios:

1.1 IPv6 address to subscriber with Carrier Grade NAT

1.2 Carrier Grade NAT with private v4 address

1.3 Dual stack private v4 and public v6 at customer

1.4 Dual stack public v4 and public v6 at customer


    Thank you.