Post on 09-Nov-2018
Cisco Confidential 1© 2010 Cisco and/or its affiliates. All rights reserved.
IPv6 Routing and Security
Janne Östling, Systems Engineer
janoz@cisco.com
• Routing in IPv6
• Enforcing a Security Policy in IPv6
Firewalls and First Hop Security (FHS)
• Conclusion
Routing in IPv6
• As in IPv4, IPv6 has 2 families of routing protocols: IGP and EGP, and still uses the longest-prefix match routing algorithm
• IGP
RIPng (RFC 2080)
IPv6 address family on Cisco EIGRP
OSPFv3 (RFC 2740)
IPv6 address family on IS-IS (draft-ietf-isis-ipv6-02) and Multi-Topology IS-IS
• EGP : IPv6 address family (Unicast and Multicast) on MP-BGP4 (RFC 2858 and RFC 2545)
• Cisco IOS supports all of them
Pick one meeting your objectives
• RIPng is RIP for IPv6 (RFC 2080)
• Based on RIP for IPv4, with enhancements
• Distributes IPv6 prefixes
• Runs directly over IPv6
• Uses the all-RIP-routers multicast group address FF02::9
• OSPFv3 is OSPF for IPv6 (RFC 2740)
• Based on OSPFv2, with enhancements
• Distributes IPv6 prefixes
• Runs directly over IPv6
• Ships-in-the-night with OSPFv2
• Uses multicast addresses FF02::5 and FF02::6
• Two Type/Length/Value (TLV) entries were added to introduce IPv6 routing
• IPv6 Reachability TLV (0xEC)
External bit
Equivalent to the IP Internal/External Reachability TLVs
• IPv6 Interface Address TLV (0xE8)
For Hello PDUs, must contain the Link-Local address
For LSP, must only contain the non-Link Local address
• IPv6 NLPID (0x8E) is advertised by IPv6 enabled routers
• IPv6 specific extensions:
Scoped addresses: Next-hop contains a global IPv6 address and/or potentially a link-local address
NEXT_HOP and NLRI are expressed as IPv6 addresses and prefix.
Address Family Information (AFI) = 2 (IPv6)
Sub-AFI = 1 (NLRI is used for unicast)
Sub-AFI = 2 (NLRI is used for multicast RPF check)
Sub-AFI = 3 (NLRI is used for both unicast and multicast RPF check)
Sub-AFI = 4 (label)
Figure: Router1 (AS 65001, 3ffe:b00:c18:2:1::F) peers over IPv6 with Router2 (AS 65002, 3ffe:b00:c18:2:1::1).
Router1#
interface Ethernet0
 ipv6 address 3FFE:B00:C18:2:1::F/64
!
router bgp 65001
 bgp router-id 10.10.10.1
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 address-family ipv6
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
 exit-address-family
Protocol comparison:
RIP: RIPv2 for IPv4, RIPng for IPv6. Distinct but similar protocols, with RIPng taking advantage of IPv6 specificities.
OSPF: OSPFv2 for IPv4, OSPFv3 for IPv6. Distinct but similar protocols, with OSPFv3 being a cleaner implementation that takes advantage of IPv6 specificities.
IS-IS: Extended to support IPv6. Natural fit to some of the IPv6 foundational concepts. Supports Single and Multi Topology operation.
EIGRP: Extended to support IPv6 (IPv6_REQUEST_TYPE, IPv6_METRIC_TYPE, IPv6_EXTERIOR_TYPE). Some changes reflecting IPv6 characteristics.
BGP: New MP_REACH_NLRI, MP_UNREACH_NLRI, AFI=2 with SAFI for Unicast/Multicast/Label/VPN. Peering over IPv6 or IPv4 (route maps).
For all intents and purposes, IPv6 IGPs are similar to their IPv4 counterparts
IPv6 IGPs have additional features that could lead to new designs
Routing Protocols Coexistence & Convergence
Almost
• Most likely the IPv6 IGP will not be deployed in a brand new network and just by itself
• Most likely the IPv4 services are more important at first since they are generating most of the revenue
• Redefine “better”
• What is the impact on the convergence of IPv4?
• Are the resources optimally shared?
• Are the topologies going to be congruent?
• Etc.
• What IGPs coexist better?
• What IPv6 IGP impacts IPv4 the least (hopefully not at all)?
At First, the IPv6 IGP Convergence Might Be Less Important than the Impact of IPv6 on the Convergence of the Existent IPv4 Infrastructure
• Resources will be shared between the two IGPs and they will compete for processor cycles in a way that reflects their relative configuration
• This has implications on:
Expected convergence behavior
Single process/topology vs Multi process/topology selection
Resources (Memory, CPU) planning
• With the exception of ISIS single topology, the IPv4 and IPv6 routing processes claim their own memory and processing resources for maintaining adjacencies, databases and related calculations
• It is important to define the IPv6 network design in order to understand the new resource requirements (memory) and the new operational parameters (max CPU) for the network devices
The IGPs Will Compete over Processor Cycles Based on Their Relative Tuning
If you configure the IPv4 and IPv6 IGPs the same way (aggressively tuned for fast convergence), naturally expect their convergence time to double compared with stand-alone operation
If the IPv6 IGP is operating under default settings, the convergence time for the optimally tuned IPv4 IGP is not significantly affected
In Theory:
• The similarity between the IPv6 and IPv4 routing protocols leads to similar behavior and expectations
• To select the IPv6 IGP, start by using the IPv4 IGP rules of thumb
• In Practice:
The IPv6 IGP implementations might not be fully optimized yet so there is a bit more uncertainty
Not all knobs for Fast Convergence might be available
No significant operational experience with large scale IPv6 networks
• Same topology considerations as for IPv4
• Convergence time
There are HW and SW dependencies
The average convergence time is 100% larger than IPv4, as IPv6 converges after IPv4
Not all knobs are available. Ex: Fast Hellos for OSPFv3 -> Bidirectional Forwarding Detection (BFD) instead in the future.
Test tools still need to improve
IPv4 Vulnerabilities IPv6 Vulnerabilities
Public servers will still need to be DNS reachable
More information collected by Google...
Increased deployment/reliance on dynamic DNS
More information will be in DNS
Using peer-to-peer clients gives IPv6 addresses of peers
Administrators may adopt easy-to-remember addresses (::10,::20,::BAD:F00D, ::C5C0 or simply IPv4 last octet for dual stack)
By compromising hosts in a network, an attacker can learn new addresses to scan
Transition techniques (see further) derive the IPv6 address from the IPv4 address, so the attacker can scan again
Figure: uRPF loose mode: a spoofed IPv6 source address enters from the access layer toward the IPv6 intranet/Internet; there is no route to the source address prefix => drop. uRPF strict mode: there is no route to the source address prefix out the packet's inbound interface => drop.
uRPF Remains the Primary Tool for Protecting Against L3 Spoofing
Strict mode: ipv6 verify unicast source reachable-via rx
Loose mode: ipv6 verify unicast source reachable-via any
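As an added illustration (not part of the original deck or of Cisco IOS), the following Python models the longest-prefix match lookup from the routing section and the two uRPF modes above over a constructed forwarding table. The prefixes, interface names and packets are made up for the example; the handling of the default route mirrors the IOS allow-default keyword, which is off unless configured.

```python
import ipaddress

# Constructed forwarding table: (prefix, egress interface). The default
# route is present, as it would be on an edge router.
FIB = [
    ("2001:db8:1::/48", "Gi0/1"),       # access layer, one customer block
    ("2001:db8:1:100::/64", "Gi0/2"),   # more specific subnet on another port
    ("2001:db8:2::/48", "Gi0/3"),       # another customer block
    ("::/0", "Gi0/0"),                  # default toward the Internet
]


def lookup(addr, fib=FIB):
    """Longest-prefix match: the most specific prefix containing addr wins.
    Returns (network, egress_iface) or None when nothing covers the address."""
    ip = ipaddress.IPv6Address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_loose(src, fib=FIB, allow_default=False):
    """Loose mode (reachable-via any): pass if any route covers the source.
    The default route only counts when allow_default is set (IOS allow-default)."""
    hit = lookup(src, fib)
    if hit is None:
        return False
    if hit[0].prefixlen == 0 and not allow_default:
        return False
    return True


def urpf_strict(src, in_iface, fib=FIB, allow_default=False):
    """Strict mode (reachable-via rx): pass only if the best route back to the
    source leaves through the interface the packet arrived on."""
    hit = lookup(src, fib)
    if hit is None or (hit[0].prefixlen == 0 and not allow_default):
        return False
    return hit[1] == in_iface


def filter_packets(packets, mode, fib=FIB):
    """Run one uRPF mode over constructed (src, in_iface) pairs; return the drops."""
    drops = []
    for src, iface in packets:
        passed = urpf_loose(src, fib) if mode == "loose" else urpf_strict(src, iface, fib)
        if not passed:
            drops.append((src, iface))
    return drops


# Constructed packets, all arriving on the access-layer port Gi0/1.
SAMPLE = [
    ("2001:db8:1::10", "Gi0/1"),        # legitimate: route points back out Gi0/1
    ("2001:db8:1:100::10", "Gi0/1"),    # spoofed inside the /48: only strict catches it
    ("2001:db8:2::10", "Gi0/1"),        # spoofed other customer: only strict catches it
    ("2001:db8:ffff::1", "Gi0/1"),      # unrouted prefix: both modes drop it
]

if __name__ == "__main__":
    for mode in ("loose", "strict"):
        print(mode, "drops:", filter_packets(SAMPLE, mode))
```

The sample shows why the deck calls strict mode the stronger check: loose mode only rejects sources no route covers, so a spoofed address from another customer block passes unless the source is unrouted (or covered only by the default route, which the check ignores by default).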
• Potential router CPU attacks if aggressive scanning
Router will do Neighbor Discovery... And waste CPU and memory
Built-in rate limiter but no option to tune it
• Using a /64 on point-to-point links => a lot of addresses to scan!
• Using infrastructure ACL prevents this scanning
iACL: edge ACL denying packets addressed to your routers
Easy with IPv6 because a new addressing scheme can be defined
• Operations contained within the link boundaries, necessary for a node to communicate with its neighbors and to learn the link exit points. They encompass:
– Address configuration parameters
– Address initialization
– Address resolution
– Default gateway discovery
– Local network configuration
– Neighbor reachability tracking
Figure: First Hop Security components: Binding table; Policy table (dynamic rules, static rules); NDP glean; DHCP glean; MLD glean; Data glean; Device tracking; Address ownership; Mobility; RA guard; DHCP guard; Source guard; NDP monitoring; NDP inspection; Port ACL; Router table; NDP multicast suppress; RA throttler.
• BGP, ISIS, EIGRP no change:
An MD5 authentication of the routing update
• OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport mode IPSec
• RIPng, PIM also rely on IPSec
• IPv6 routing attack best practices
Use traditional authentication mechanisms on BGP and IS-IS
Use IPSec to secure protocols such as OSPFv3 and RIPng
• Sniffing
IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
• Application layer attacks
The majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do nothing to prevent
• Rogue devices
Rogue devices will be as easy to insert into an IPv6 network as in IPv4
• Man-in-the-Middle Attacks (MITM)
Without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
• Flooding
Flooding attacks are identical between IPv4 and IPv6
IPv6 mandates the implementation of IPsec
IPv6 does not require the use of IPsec
Some organizations believe that IPsec should be used to secure all flows...
Interesting scalability issue (n² issue with IPsec)
Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
IOS 12.4(20)T can parse the AH
Network telemetry is blinded: NetFlow of little use
Network services hindered: what about QoS?
Recommendation: do not use IPsec end to end within an administrative domain.
Suggestion: Reserve IPsec for residential or hostile environments or high profile targets.
The Content Owner
The Application Developer
The Billing Engine
The Vendor
The Enterprise
The ISP
The CIO
The Operations Group
The Transit Provider
We’re all waiting for something…
The RIR
Enforcing a Security Policy
• Can match on
Upper layers: TCP, UDP, SCTP port numbers
TCP flags SYN, ACK, FIN, PUSH, URG, RST
ICMPv6 code and type
Traffic class (only six of the eight bits) = DSCP
Flow label (0-0xFFFFF)
• IPv6 extension header
routing matches any RH, routing-type matches specific RH
mobility matches any MH, mobility-type matches specific MH
dest-option matches any, dest-option-type matches specific destination options
auth matches AH
Can skip AH (but not ESP) since IOS 12.4(20)T
• fragments keyword matches
Non-initial fragments (same as IPv4)
And the first fragment if the L4 protocol cannot be determined
• undetermined-transport keyword matches (only for deny)
Any packet whose L4 protocol cannot be determined: fragmented or unknown extension header
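The following Python is an added example, not code from the deck or from Cisco IOS: it walks the IPv6 extension-header chain of constructed packets the way an ACL engine must, and then evaluates the routing-type, auth, fragments and undetermined-transport semantics listed above. The packet builders, the documentation-prefix addresses and the dictionary form of an access-list entry are assumptions made for the illustration.

```python
import struct

# IPv6 next-header values used by the walk (IANA protocol numbers).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
TCP, UDP, ICMPV6, SCTP = 6, 17, 58, 132
KNOWN_L4 = {TCP, UDP, ICMPV6, SCTP}

# Constructed addresses from the documentation prefix (not from the deck).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def build_ipv6(next_header, payload):
    """Fixed 40-byte IPv6 header: version 6, payload length, next header, hop limit 64."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload


def ext_routing(nh, rtype):
    """8-byte routing header: next header, ext len 0, routing type, segments left 0."""
    return struct.pack("!BBBB", nh, 0, rtype, 0) + b"\0" * 4


def ext_fragment(nh, offset, more):
    """8-byte fragment header; offset in 8-octet units, more = M flag, fixed identification."""
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, 0x12345678)


def ext_ah(nh):
    """AH with payload-len field 1, i.e. (1 + 2) * 4 = 12 bytes; SPI and sequence left zero."""
    return struct.pack("!BBH", nh, 1, 0) + b"\0" * 8


# Minimal 20-byte TCP SYN: ports, seq, ack, data offset 5, flags, window, checksum, urgent.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def classify(pkt):
    """Follow the next-header chain and record what the ACL keywords key on:
    routing type, fragment state, AH presence, and whether L4 could be determined."""
    info = {"ext": [], "routing_type": None, "fragment": False,
            "first_fragment": False, "l4": None}
    nh, off = pkt[6], 40
    while off + 2 <= len(pkt):
        if nh in KNOWN_L4:
            info["l4"] = nh
            break
        if nh == FRAGMENT:
            if off + 8 > len(pkt):
                break
            fnh, _, offflags, _ = struct.unpack_from("!BBHI", pkt, off)
            info["fragment"] = True
            info["first_fragment"] = (offflags >> 3) == 0
            info["ext"].append(FRAGMENT)
            if not info["first_fragment"]:
                break                      # the L4 header only exists in the first fragment
            nh, off = fnh, off + 8
        elif nh in (HOP_BY_HOP, ROUTING, DEST_OPTS, MOBILITY):
            if nh == ROUTING and off + 3 <= len(pkt):
                info["routing_type"] = pkt[off + 2]
            info["ext"].append(nh)
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == AH:
            info["ext"].append(AH)         # AH can be stepped over (IOS 12.4(20)T and later)
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:
            info["ext"].append(nh)         # ESP or an unknown header: cannot look further
            break
    info["undetermined_transport"] = info["l4"] is None
    return info


def ace_matches(ace, info):
    """Evaluate the deck's keywords, given as a constructed dict such as
    {"routing-type": 0}, {"auth": True}, {"fragments": True} or
    {"undetermined-transport": True}, against the output of classify()."""
    if "routing" in ace and ROUTING not in info["ext"]:
        return False
    if "routing-type" in ace and info["routing_type"] != ace["routing-type"]:
        return False
    if "auth" in ace and AH not in info["ext"]:
        return False
    if "fragments" in ace:
        # non-initial fragments, plus the first fragment when L4 cannot be determined
        if not info["fragment"] or (info["first_fragment"] and info["l4"] is not None):
            return False
    if "undetermined-transport" in ace and not info["undetermined_transport"]:
        return False
    return True


# Constructed sample packets covering each keyword.
SAMPLES = {
    "tcp": build_ipv6(TCP, TCP_SYN),
    "rh0": build_ipv6(ROUTING, ext_routing(TCP, 0) + TCP_SYN),
    "frag_first": build_ipv6(FRAGMENT, ext_fragment(TCP, 0, 1) + TCP_SYN),
    "frag_later": build_ipv6(FRAGMENT, ext_fragment(TCP, 100, 0) + b"\0" * 16),
    "ah": build_ipv6(AH, ext_ah(TCP) + TCP_SYN),
    "esp": build_ipv6(ESP, b"\0" * 16),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

Two details the walk makes concrete: a first fragment that still carries its TCP header is not matched by fragments, while a non-initial fragment is matched by both fragments and undetermined-transport; and AH is walked through to reach the transport header, whereas ESP stops the walk, which is why the deck notes that AH, but not ESP, can be skipped.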
• Stateful protocol inspection (anomaly detection) of IPv6 fragmented packets, TCP, UDP, ICMP and FTP traffic
• IOS 12.3(7)T (released 2005)
• Stateful inspection of IPv4/IPv6 packets
• IPv6 DoS attack mitigation
• Recognizes IPv6 extension headers
Figure: IPv6 Site 1, Site 2 and Site 3, each behind an IPv6 Router with Cisco IOS Firewall, interconnected across the Internet (IPv4) via a Dual Stack Router.
• Since version 7.0 (April 2005)
• Dual-stack, IPv6 only, IPv4 only
• Extended IP ACL with stateful inspection
• Application awareness
HTTP, FTP, telnet, SMTP, TCP, SSH, UDP
• uRPF and v6 Frag guard
• IPv6 header security checks
Always block routing-header (type 0 and 2)
• Management access via IPv6
Telnet, SSH, HTTPS
• ASDM support (ASA 8.2)
• Routed & transparent mode (ASA 8.2)
• Fail-over support (ASA 8.2.2)
Conclusion
• Your host: IPv4 is protected by your favorite personal firewall...
IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...)
• Your network: Does not run IPv6
• Your assumption: I’m safe
• Reality: You are not safe
Attacker sends Router Advertisements
Your host configures silently to IPv6
You are now under IPv6 attack
• => Probably time to think about IPv6 in your network
• Easy to check!
• Look inside NetFlow records
Protocol 41: IPv6 over IPv4 or 6to4 tunnels
IPv4 address: 192.88.99.1 (6to4 anycast server)
UDP 3544, the public part of Teredo, yet another tunnel
• Look into DNS server log for resolution of ISATAP
• Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW
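An added example, not from the deck: a small Python scanner that applies the three NetFlow indicators and the ISATAP DNS check above to constructed flow records and resolver log lines. The CSV layout of the flow export and the BIND-style query lines are assumptions; a real collector or resolver will need its own parsing, but the indicator logic is the same.

```python
import csv
import io
import re

# Indicators from the deck: protocol 41 (IPv6 over IPv4 / 6to4), the 6to4
# anycast relay address, and the public UDP port of Teredo.
PROTO_IPV6_IN_IPV4 = 41
SIXTO4_ANYCAST = "192.88.99.1"
TEREDO_PORT = 3544
UDP = 17

# Constructed NetFlow-style export (not real telemetry), flattened to CSV
# with the fields a collector would give for each flow.
FLOWS = """\
src,dst,proto,sport,dport,bytes
10.1.1.20,203.0.113.7,41,0,0,52000
10.1.1.21,192.88.99.1,41,0,0,1300
10.1.1.22,198.51.100.9,17,54321,3544,4400
10.1.1.23,198.51.100.53,17,50000,53,120
10.1.1.24,203.0.113.80,6,49152,443,91000
"""

# Constructed BIND-style query log lines (not from the deck).
DNS_LOG = """\
09-Nov-2018 10:00:01.000 client 10.1.1.25#5353: query: isatap.example.com IN A + (10.1.1.1)
09-Nov-2018 10:00:02.000 client 10.1.1.26#5353: query: www.example.com IN A + (10.1.1.1)
09-Nov-2018 10:00:03.000 client 10.1.1.27#5353: query: ISATAP.corp.example IN AAAA + (10.1.1.1)
"""


def flow_indicators(rec):
    """Return the tunnel indicators a single flow record triggers (possibly several)."""
    hits = []
    proto = int(rec["proto"])
    if proto == PROTO_IPV6_IN_IPV4:
        hits.append("proto-41")
    if SIXTO4_ANYCAST in (rec["src"], rec["dst"]):
        hits.append("6to4-anycast")
    if proto == UDP and TEREDO_PORT in (int(rec["sport"]), int(rec["dport"])):
        hits.append("teredo")
    return hits


def scan_flows(csv_text):
    """Map each source that shows tunnelled IPv6 to the indicators it triggered."""
    findings = {}
    for rec in csv.DictReader(io.StringIO(csv_text)):
        hits = flow_indicators(rec)
        if hits:
            findings.setdefault(rec["src"], []).extend(hits)
    return findings


# "client <ip>#<port>: query: isatap.<domain>", case-insensitive on the name.
ISATAP_QUERY = re.compile(r"client (\S+?)#\d+: query: (isatap\.\S+)", re.IGNORECASE)


def scan_dns(log_text):
    """Return (client, name) pairs for hosts that tried to resolve an ISATAP router."""
    return [m.groups() for line in log_text.splitlines()
            if (m := ISATAP_QUERY.search(line))]


if __name__ == "__main__":
    for src, hits in scan_flows(FLOWS).items():
        print(src, hits)
    for client, name in scan_dns(DNS_LOG):
        print(client, "looked up", name)
```

Plain DNS and HTTPS flows produce no finding, the 6to4 flow to the anycast relay is reported under both its protocol and its destination, and the ISATAP match is case-insensitive because hosts emit the name as configured.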
Main IPv6 page
http://cisco.com/go/ipv6
IPv6 Configuration Guide, Cisco IOS Release 15.0S
http://www.cisco.com/en/US/partner/docs/ios/ipv6/configuration/guide/15_0s/ipv6_15_0s_book.html
First Hop Security white paper
http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-602135.html
First Hop Security documentation
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
So, nothing really new in IPv6
Lack of operational experience may hinder security for a while: training is required
Security enforcement is possible
Control your IPv6 traffic as you do for IPv4
Leverage IPsec to secure IPv6 when suitable
Thank you.