IPv6 Security

Interface 2011 – Denver, Colorado

October 20, 2011

Scott Hogg
GTRI - Director of Technology Solutions
CCIE #5133, CISSP #4610

Slides dated 9/26/2011. © 2011 Global Technology Resources, Inc. All Rights Reserved.


IPv6 Adoption

• IPv6 is the next generation computer network protocol for use on the Internet and within private networks.

• IPv6 is a standard defined by the Internet Engineering Task Force (IETF) and was first specified in the mid-90s.

• IPv6 is designed to replace IPv4, but it is a different protocol: the two do not interoperate directly, although they can coexist on the same hosts and links (dual stack).

• IPv6 has taken many years to mature and get ready for mass deployment and now IPv6 is deployed on the global Internet.

• IANA’s free pool of IPv4 addresses was exhausted in February 2011, and the shortage now limits expansion of the Internet.


IPv6 Address Allocations (figure not included in the transcript)


Number of IPv6 Prefixes and ASNs (figure not included in the transcript)


IPv6 – Coming to a Network Near You

• An IPv6-enabled Internet already exists.

• An IPv6 transition is already underway in the U.S. Federal Government and other parts of the world.

• IPv6 infrastructure and Host OSs are ready now!

• Much of the infrastructure you have already purchased is IPv6 capable (software upgrade); it’s just a matter of enabling it.

• Service providers have initial IPv6 services and are continuing to work on their deployments.

• Organizations that connect to the Internet now need to learn about IPv6 and prepare their systems to communicate using this protocol.

• You will be transitioning to IPv6 over the coming years and you want to consider the security implications of IPv6 before you deploy it throughout your network.


IPv6 Security – Latent Threat

• Even if you haven’t started using IPv6 yet, you probably have some IPv6 running on your networks already and didn’t know it

• Do you use Linux, Mac OS X, BSD, or Microsoft Vista/Windows 7 systems in your environment?

– They all come with IPv6 capability, some even have IPv6 enabled by default (IPv6 preferred)

– They may try to use IPv6 first and then fall back to IPv4

– Or they may create IPv6-in-IPv4 tunnels to Internet resources to reach IPv6 content

– Some of these techniques take place regardless of user input or configuration

• If you are not protecting your IPv6 nodes then you have just allowed a huge back-door to exist


IPv6 Security Threats

• There isn’t a large hacker community focusing on IPv6 today but it is starting to gain the attacker’s attention

• THC IPv6 Attack Toolkit, IPv6 port scan tools, IPv6 packet forgery tools and IPv6 DoS tools all exist and continue to evolve

• Many major vendors and open-source software have already published IPv6 bugs/vulnerabilities

• Attacks at the layers below and above the network layer are unaffected by the security of IPv6

– Buffer overflows, SQL Injection, cross-site scripting will all remain valid attacks on IPv6 servers

– E-mail/SPAM is still a problem in IPv6 nets


Reconnaissance

• Ping sweeps, port scans, application vulnerability scans are problematic with IPv6’s large address space - brute-force scanning a /64 (2^64 addresses) is not practical

• There are methods of speeding up reconnaissance

– ping6 -I eth0 ff02::1 (all-nodes link-local multicast: every node on the link answers)

– [root@hat ~]# ./alive6 eth0 ff02::1

– Node Information Queries (RFC 4620) in BSD

– Scanning for specific EUI-64 addresses using specific OUIs

– Scanning IPv4 and getting IPv6 info

– Metasploit Framework “ipv6_neighbor" auxiliary module can leverage IPv4 to find IPv6 hosts

– Scanning 6to4, ISATAP, Teredo addresses

– Attackers may find one node and leverage the neighbor cache to find other nodes

– DHCPv6 logs, DNS servers, server logs, NMSs, Google


IPv6 Privacy Addressing

• Privacy of addresses is an issue with IPv6

– EUI-64 addresses are derived from the host’s MAC

– That could be used to track a user’s activity and thus identity

• Temporary and Privacy IPv6 addresses (RFC 4941) are intended to protect the identity of the end-user

– MD5 hash of the EUI-64 concatenated with a random history value that changes over time

– Different implementations rotate the address at different frequencies – can be disabled

• Forensics and troubleshooting are difficult with privacy addresses – Who had what address when?

• Dynamic DNS and firewall state updates

• Difficulty creating granular firewall policy when IP addresses change often

• Better to use DHCPv6 with randomized IIDs
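The address derivations that the reconnaissance and privacy-addressing slides above depend on, as an added example that is not from the presentation. It uses only the Python standard library: a modified EUI-64 interface identifier from a MAC, recovery of the MAC from such an address (the tracking problem), enumeration of candidate EUI-64 addresses for one vendor OUI (the recon shortcut), and an RFC 4941 temporary identifier (MD5 of the history value concatenated with the EUI-64, leftmost 64 bits with the u/l bit cleared, rightmost 64 bits kept as the next history value). The prefix, MAC, OUI and the zero history seed are constructed values.

```python
"""Added example (not from the slides): EUI-64 and RFC 4941 temporary IIDs.
Standard library only; the prefix, MAC and OUI values below are constructed."""
import hashlib
import ipaddress

UL_BIT = 1 << 57  # universal/local bit: bit 6 of the 64-bit interface identifier


def mac_to_eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291 appendix A) from a 48-bit MAC:
    split the MAC, insert ff:fe in the middle and invert the u/l bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big") ^ UL_BIT


def eui64_address(prefix, mac):
    """Full SLAAC address for a /64 prefix and a MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))


def mac_from_address(addr):
    """Recover the MAC if the IID is a modified EUI-64 (ff:fe in the middle), else None.
    This is exactly what makes EUI-64 addresses trackable across prefixes."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def candidate_addresses(prefix, oui, nic_ids):
    """Recon shortcut: enumerate EUI-64 addresses for one vendor OUI instead of
    all 2^64 IIDs; nic_ids is an iterable of 24-bit NIC-specific values."""
    for nic in nic_ids:
        mac = f"{oui}:{(nic >> 16) & 0xff:02x}:{(nic >> 8) & 0xff:02x}:{nic & 0xff:02x}"
        yield eui64_address(prefix, mac)


def temporary_iid(history, mac):
    """RFC 4941 section 3.2.1: MD5(history || EUI-64 IID). Left 64 bits (u/l bit
    cleared) become the new IID, right 64 bits the next history value."""
    eui = mac_to_eui64_iid(mac).to_bytes(8, "big")
    digest = hashlib.md5(history + eui).digest()
    iid = int.from_bytes(digest[:8], "big") & ~UL_BIT
    return iid, digest[8:]


def temporary_address(prefix, history, mac):
    """Privacy address for the prefix; returns (address, next_history)."""
    net = ipaddress.IPv6Network(prefix)
    iid, next_history = temporary_iid(history, mac)
    return ipaddress.IPv6Address(int(net.network_address) | iid), next_history


if __name__ == "__main__":
    prefix, mac = "2001:db8:1:2::/64", "00:0c:29:ab:cd:ef"  # constructed
    slaac = eui64_address(prefix, mac)
    print("SLAAC  :", slaac, "-> MAC", mac_from_address(str(slaac)))
    history = bytes(8)  # RFC 4941 seeds this randomly; fixed here for a repeatable run
    for _ in range(3):
        temp, history = temporary_address(prefix, history, mac)
        print("privacy:", temp, "-> MAC", mac_from_address(str(temp)))
```

The EUI-64 address reveals the MAC (and therefore the vendor) to anyone who sees it; the temporary addresses do not, which is the forensic problem the slide raises: without DHCPv6 or NDP logging there is no record tying a temporary address back to a host.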


IPv6 Attack Tools

• THC IPv6 Attack Toolkit

– parasite6, alive6, fake_router6, redir6, toobig6, detect-new-ip6, dos-new-ip6, fake_mld6, fake_mipv6, fake_advertiser6, smurf6, rsmurf6

• Scanners

– Nmap, halfscan6, Scan6, CHScanner

• Packet forgery

– Scapy6, SendIP, Packit, Spak6

• DoS Tools

– 6tunneldos, 4to6ddos, Imps6-tools


LAN Threats

• IPv6 uses ICMPv6 for many LAN operations

– Stateless auto-configuration

– Neighbor Discovery Protocol (NDP)

– NDP is the IPv6 equivalent of IPv4 ARP and is open to the same attack types (spoofing, cache poisoning)

• Spoofed RAs can renumber hosts or launch a MITM attack

• Forged NA/NS messages to confuse NDP

• Redirects – same as ICMPv4 redirects

• Forcing nodes to believe all addresses are on-link

• These attacks presume the attacker is on-net or has compromised a local computer


Methods of Preventing Rogue RAs

• Prevent unauthorized LAN access

• Disable unused switch ports

• Network Access Control (NAC), Network Admission Control (NAC)

• IEEE 802.1AE (MACsec), Cisco TrustSec

• IEEE 802.1X

• RA Guard (RFC 6105)

• NDPMon

• Ramond

• Kame rafixd

• Port Security

• Cisco Port-based ACL (PACL)

(RA Guard diagram labels: “Allow Incoming RA Message” on the router-facing port, “Block Incoming RA Message” on host ports, “Allow Sending RAs” for the legitimate router)
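Where RA Guard is not available on the switch, tools such as NDPMon and Ramond detect rogue RAs by watching the wire. The following is an added example, not from the presentation or from any of the tools listed, of that detection logic in Python: it parses a raw IPv6/ICMPv6 Router Advertisement and alerts when the RA does not come from a link-local source with hop limit 255 (both required by RFC 4861), comes from a router not on an allow-list, or advertises a prefix not on an allow-list. It assumes no extension headers sit between the IPv6 header and ICMPv6, does not verify the ICMPv6 checksum, and the router address, prefixes and packets are constructed.

```python
"""Added example (not from the presentation or any tool it lists): an NDPMon-style
rogue Router Advertisement check over raw IPv6/ICMPv6 packets. Standard library
only. Assumes no extension headers between the IPv6 header and ICMPv6 and does
not verify the ICMPv6 checksum; router addresses and prefixes are constructed."""
import ipaddress
import struct

ICMPV6 = 58
ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Allow-lists (constructed): the legitimate router's link-local address and the
# prefixes it is expected to advertise on this segment.
TRUSTED_ROUTERS = {"fe80::1"}
TRUSTED_PREFIXES = {"2001:db8:1::/64"}


def parse_ra(packet):
    """Return (src, hop_limit, router_lifetime, [prefixes]) or None if not an RA."""
    if len(packet) < 56:
        return None
    _, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if next_header != ICMPV6:
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    icmp = packet[40:40 + payload_len]
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        return None
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes, pos = [], 16
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8
        if olen == 0 or pos + olen > len(icmp):  # RFC 4861: zero-length option is invalid
            break
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen = icmp[pos + 2]
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(ipaddress.IPv6Network(f"{prefix}/{plen}", strict=False))
        pos += olen
    return src, hop_limit, router_lifetime, prefixes


def check_ra(packet, trusted_routers=TRUSTED_ROUTERS, trusted_prefixes=TRUSTED_PREFIXES):
    """Policy: an RA must come from a link-local source with hop limit 255 (both
    required by RFC 4861), from a known router, and advertise only known prefixes.
    Returns a list of alert strings; an empty list means the RA looks legitimate."""
    parsed = parse_ra(packet)
    if parsed is None:
        return []
    src, hop_limit, lifetime, prefixes = parsed
    alerts = []
    if src not in LINK_LOCAL:
        alerts.append(f"RA from non-link-local source {src}")
    if hop_limit != 255:
        alerts.append(f"RA hop limit {hop_limit} != 255 (forwarded or forged)")
    if str(src) not in trusted_routers:
        alerts.append(f"RA from unknown router {src} (router lifetime {lifetime})")
    for prefix in prefixes:
        if str(prefix) not in trusted_prefixes:
            alerts.append(f"RA from {src} advertises unexpected prefix {prefix}")
    return alerts


def build_ra(src, prefix, hop_limit=255, router_lifetime=1800):
    """Constructed RA to ff02::1 with one Prefix Information option (checksum left 0)."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0) + opt
    fixed = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp


if __name__ == "__main__":
    for label, pkt in (("legit", build_ra("fe80::1", "2001:db8:1::/64")),
                       ("rogue", build_ra("fe80::bad", "2001:db8:dead::/64")),
                       ("relayed", build_ra("fe80::1", "2001:db8:1::/64", hop_limit=64))):
        print(label, check_ra(pkt) or ["ok"])
```

A real monitor feeds `check_ra` from a raw socket or a pcap tap on the segment; the allow-lists are the only configuration it needs, and an RA with router lifetime 0 from an unknown source (an attempt to withdraw the real router) is caught by the unknown-router rule.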


Extension Headers

• There are rules for the frequency and order of the various extension headers (RFC 2460 section 4.1)

– Hop-by-Hop Options must come first; Destination Options may appear twice

• Header manipulation – crafted packets

– Large chains of extension headers

– Separate payload into second fragment

– Consume resources – DoS

– Invalid extension headers – DoS

• Routing Header Type 0 – source routing (deprecated by RFC 5095)

– Routers can be configured to block RH0 – this is now the default on newer routers

– Firewalls, Windows, Linux and MacOS all block RH0 by default


Fragmentation

• In IPv6 routers do not fragment; only the sending host does

– Fragments destined for a network device itself should be dropped

• IPv6 links must have MTU >= 1280 bytes

– Fragments smaller than 1280 bytes should be dropped, with the exception of the last fragment

• It is left to the end-systems to perform Path MTU Discovery (PMTUD)

– ICMPv6 Type 2 – Packet Too Big (must be permitted through firewalls or PMTUD breaks)

• Fragmentation can hide attacks or be an attack itself on the upper layers

– Overlapping fragments, out-of-order fragments, tiny fragments

• Handling of Overlapping IPv6 Fragments – RFC 5722 (a node must discard the whole datagram when fragments overlap)
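An added example, not from the slides, of the checks a firewall or IPS applies to the patterns the Extension Headers and Fragmentation slides describe: a Python walker (standard library only) that follows the header chain, enforces the RFC 2460 ordering and frequency rules, flags Routing Header Type 0, flags non-final fragments shorter than 1280 bytes, stops at ESP because nothing after it can be inspected, and reports chains longer than a local policy limit. The chain limit and the packets are constructed, with zeroed source and destination addresses; overlap detection needs reassembly state across packets and is not covered here.

```python
"""Added example (not from the slides): walk an IPv6 extension-header chain and
flag the crafted-packet patterns from the Extension Headers and Fragmentation
slides. Standard library only; the packets below are constructed, with zeroed
source/destination addresses."""
import struct

HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONEXT, DSTOPTS = (
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60)
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS}
UPPER_LAYER = {TCP, UDP, ICMPV6, NONEXT}
# Recommended order, RFC 2460 section 4.1. Destination Options may appear twice
# (before Routing and again last); the second occurrence is ranked 6.
ORDER = {HOPOPT: 0, DSTOPTS: 1, ROUTING: 2, FRAGMENT: 3, AH: 4, ESP: 5}
MAX_CHAIN = 4        # local policy (assumption): longer chains are suspicious
MIN_FRAGMENT = 1280  # IPv6 minimum link MTU: smaller non-final fragments are suspect


def walk_chain(pkt):
    """Return (upper-layer protocol or None, list of findings) for one packet."""
    findings = []
    if len(pkt) < 40:
        return None, ["truncated IPv6 fixed header"]
    _, payload_len, nh, _ = struct.unpack("!IHBB", pkt[:8])
    total = 40 + payload_len
    if total > len(pkt):
        return None, ["payload length field exceeds captured bytes"]
    pos, last_rank, seen, dst_seen = 40, -1, [], 0
    while nh in EXT_HEADERS:
        if nh == ESP:  # everything after ESP is encrypted: inspection stops here
            return ESP, findings + ["ESP present: remainder not inspectable"]
        if pos + 8 > total:
            return None, findings + [f"truncated extension header {nh}"]
        next_nh, ext_len = pkt[pos], pkt[pos + 1]
        if nh == FRAGMENT:
            hdr_len = 8                   # fixed size; byte 1 is reserved
        elif nh == AH:
            hdr_len = (ext_len + 2) * 4   # AH length is in 4-byte units minus 2
        else:
            hdr_len = (ext_len + 1) * 8   # 8-byte units not counting the first
        if pos + hdr_len > total:
            return None, findings + [f"truncated extension header {nh}"]
        rank = ORDER[nh]
        if nh == DSTOPTS:
            dst_seen += 1
            if dst_seen == 2:
                rank = 6
        if nh == HOPOPT and pos != 40:
            findings.append("Hop-by-Hop Options not immediately after the IPv6 header")
        if rank < last_rank:
            findings.append(f"extension header {nh} out of recommended order")
        if nh in seen and (nh != DSTOPTS or dst_seen > 2):
            findings.append(f"duplicate extension header {nh}")
        if nh == ROUTING and pkt[pos + 2] == 0:
            findings.append("Routing Header Type 0 (source routing, deprecated by RFC 5095)")
        if nh == FRAGMENT:
            off_m = struct.unpack("!H", pkt[pos + 2:pos + 4])[0]
            offset, more = off_m >> 3, off_m & 1
            if more and total < MIN_FRAGMENT:
                findings.append(f"non-final fragment of only {total} bytes (< {MIN_FRAGMENT})")
            if offset:  # later fragment: the rest is an opaque slice of the upper layer
                return None, findings
        seen.append(nh)
        last_rank = max(last_rank, rank)
        pos += hdr_len
        nh = next_nh
    if len(seen) > MAX_CHAIN:
        findings.append(f"{len(seen)} extension headers (> {MAX_CHAIN})")
    if nh not in UPPER_LAYER:
        findings.append(f"unexpected next header {nh}")
    return nh, findings


# --- constructed packets for exercising the walker (not captured traffic) ------
def ipv6(chain, upper, payload=bytes(20)):
    """chain: list of (protocol, header body minus its leading Next Header byte)."""
    protos = [p for p, _ in chain] + [upper]
    data = b"".join(bytes([protos[i + 1]]) + body for i, (_, body) in enumerate(chain))
    data += payload
    fixed = struct.pack("!IHBB", 0x60000000, len(data), protos[0], 64) + bytes(32)
    return fixed + data


def options_body():
    """8-byte Hop-by-Hop / Destination Options header carrying a single PadN option."""
    return b"\x00" + b"\x01\x04" + bytes(4)


def fragment_body(offset, more, ident=0x1234):
    return b"\x00" + struct.pack("!HI", (offset << 3) | more, ident)


def rh0_body(hop):
    """Type 0 Routing Header with one 16-byte hop and Segments Left = 1."""
    return bytes([2, 0, 1]) + bytes(4) + hop


if __name__ == "__main__":
    print(walk_chain(ipv6([(HOPOPT, options_body()), (FRAGMENT, fragment_body(0, 1))], TCP)))
    print(walk_chain(ipv6([(ROUTING, rh0_body(bytes(16)))], TCP)))
    print(walk_chain(ipv6([(DSTOPTS, options_body())] * 5, TCP)))
```

A firewall that applies these rules can only make a per-packet decision; a later fragment (offset greater than zero) carries no upper-layer header at all, which is why the slide's advice is to require the first fragment to be large enough and to reassemble before inspecting.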


Layer-3/4 Spoofing

• Spoofing of IPv6 packets is possible

• IPv6 BOGON (Martians) Filtering is required

– Filter traffic from unallocated space and filter router

advertisements of bogus prefixes

– Permit Legitimate Global Unicast Addresses

– Don’t block FF00::/8 and FE80::/10 – these will block NDP

• Hierarchical addressing and ingress/egress filtering

can catch packets with forged source addresses

• Tracebacks may prove to be easier with IPv6

• You can use inbound Infrastructure ACLs (iACLs)

that deny packets sent to infrastructure IPv6

addresses
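The bogon and ingress-filter logic from this slide, as an added example in Python (standard library only) that is not from the presentation. `classify_source` is the perimeter bogon check; `ingress_check` is the RFC 2827 / strict-uRPF decision per interface, accepting only the interface's own prefixes on inside ports and rejecting both bogons and the site's own space on the outside port. The special-purpose ranges are the well-known ones; the site prefix, interface names and the rule that no other prefix is trusted are constructed. An operational bogon list also has to track still-unallocated space inside 2000::/3, which this example does not attempt.

```python
"""Added example (not from the slides): IPv6 bogon and ingress-filter checks using
only the Python standard library. Interface names and prefixes are constructed."""
import ipaddress

# Sources that must never arrive from the Internet. Special-purpose ranges only;
# an operational bogon list also tracks still-unallocated space inside 2000::/3.
BOGON_SOURCES = [ipaddress.IPv6Network(p) for p in (
    "::/128",          # unspecified
    "::1/128",         # loopback
    "::ffff:0:0/96",   # IPv4-mapped
    "100::/64",        # discard-only (RFC 6666)
    "2001:db8::/32",   # documentation
    "3ffe::/16",       # former 6bone space, returned to IANA
    "fc00::/7",        # unique local
    "fe80::/10",       # link-local: valid on the wire, never as a routed source
    "ff00::/8",        # multicast: never valid as a source
)]
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# Constructed site: a /48 with one /64 behind the inside interface.
SITE = ipaddress.IPv6Network("2001:db8:1::/48")
INSIDE = {"ge-0/0/1": [ipaddress.IPv6Network("2001:db8:1:100::/64")]}


def classify_source(src):
    """(permit, reason) for a source address seen at the perimeter. This is a
    perimeter check only: on the LAN, fe80::/10 and ff00::/8 must stay open or
    NDP breaks."""
    addr = ipaddress.IPv6Address(src)
    for bogon in BOGON_SOURCES:
        if addr in bogon:
            return False, f"bogon source {addr} in {bogon}"
    if addr not in GLOBAL_UNICAST:
        return False, f"source {addr} outside 2000::/3"
    return True, "global unicast"


def ingress_check(src, iface, inside=INSIDE, site=SITE):
    """RFC 2827 / strict-uRPF style decision for one packet: inside interfaces
    accept only their own prefixes; the outside interface rejects our own space
    (spoofed) and then the bogon list."""
    addr = ipaddress.IPv6Address(src)
    own = inside.get(iface)
    if own is not None:
        if any(addr in p for p in own):
            return True, "source matches interface prefix"
        return False, f"spoofed source {addr} on {iface}"
    if addr in site:
        return False, f"outside packet claims internal source {addr}"
    return classify_source(src)


if __name__ == "__main__":
    for src, iface in (("2001:db8:1:100::10", "ge-0/0/1"), ("2001:db8:1:200::10", "ge-0/0/1"),
                       ("2001:db8:1:100::10", "ge-0/0/0"), ("fe80::1", "ge-0/0/0"),
                       ("2600:1234::1", "ge-0/0/0")):
        print(iface, src, ingress_check(src, iface))
```

The same decision table is what a router's uRPF check and an iACL encode in hardware; keeping the two lists (site prefixes per interface, bogons on the outside) as data makes the policy reviewable and lets the multicast and link-local exceptions for NDP stay explicit.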


Transition Mechanism Threats

• Dual stack is the preferred transition method

• You are only as strong as the weakest of the two stacks

• Running dual stack will give you at least twice the number of vulnerabilities and require twice the work to secure


Threats Against Translation

• Manual tunnels

– Preferred over dynamic tunnels

– Filter tunnel source/destination and use IPsec

– If an attacker spoofs the tunnel source, return traffic is not sent to the attacker

• Dynamic tunnels

– 6to4 relay routers are “open relays”

– Attackers can guess 6to4 addresses easily (the /48 is derived from the public IPv4 address)

– ISATAP can have potential MITM attacks

– Attackers can spoof source/dest IPv4/v6 addresses

• Translation techniques are susceptible to DoS attacks

– NAT prevents IPsec, DNSSEC, Geolocation and other applications from working

– Consuming connection state (CPU resource consumption attack on ALG)

– Consuming public IPv4 pool and port numbers (pool depletion attack)
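Why dynamic-tunnel addresses are easy to guess and easy to spot, both for the attacker doing the 6to4/ISATAP/Teredo scanning mentioned on the reconnaissance slide and for the defender auditing logs for tunnel endpoints: the IPv4 information is embedded in the IPv6 address by fixed rules (RFC 3056 for 6to4, RFC 5214 for ISATAP, RFC 4380 for Teredo). The following is an added example, not from the slides, in Python with only the standard library; the sample addresses are documentation or constructed values except the Teredo one, which follows the RFC 4380 layout.

```python
"""Added example (not from the slides): decode the IPv4 information embedded in
6to4, ISATAP and Teredo addresses, and derive a 6to4 prefix from a public IPv4.
Standard library only; the sample addresses are documentation/constructed values."""
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")


def sixtofour_prefix(public_ipv4):
    """2002:WWXX:YYZZ::/48 for IPv4 W.X.Y.Z (RFC 3056): anyone who knows the
    public IPv4 address knows the 6to4 /48, and the host part is usually
    ::1 or the IPv4 address again."""
    v4 = ipaddress.IPv4Address(public_ipv4).packed
    return ipaddress.IPv6Network(str(ipaddress.IPv6Address(b"\x20\x02" + v4 + bytes(10))) + "/48")


def decode_transition_address(addr):
    """Return a dict describing the tunnel type and embedded IPv4 data, or None."""
    a = ipaddress.IPv6Address(addr)
    raw = a.packed
    if a in SIXTOFOUR:  # bytes 2..5 are the tunnel endpoint's IPv4 address
        return {"type": "6to4", "ipv4": str(ipaddress.IPv4Address(raw[2:6]))}
    if a in TEREDO:  # RFC 4380: server IPv4, flags, obfuscated client port and IPv4
        flags = int.from_bytes(raw[8:10], "big")
        return {
            "type": "Teredo",
            "server": str(ipaddress.IPv4Address(raw[4:8])),
            "cone_nat": bool(flags & 0x8000),
            "port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
            "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
        }
    iid = raw[8:16]
    # ISATAP (RFC 5214): IID is 0000:5efe:a.b.c.d, or 0200:5efe:a.b.c.d when the
    # embedded IPv4 address is globally unique (u/l bit set).
    if iid[0] in (0x00, 0x02) and iid[1:4] == b"\x00\x5e\xfe":
        return {
            "type": "ISATAP",
            "ipv4": str(ipaddress.IPv4Address(iid[4:8])),
            "global_ipv4": bool(iid[0] & 0x02),
        }
    return None


def find_tunnel_endpoints(addresses):
    """Defender's view: pick the tunnel addresses out of a list taken from logs/DNS."""
    found = {}
    for addr in addresses:
        info = decode_transition_address(addr)
        if info is not None:
            found[addr] = info
    return found


if __name__ == "__main__":
    sample = [  # constructed log extract
        "2002:c000:201::1",
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",
        "fe80::5efe:c0a8:101",
        "2600:1234::1",
    ]
    for addr, info in find_tunnel_endpoints(sample).items():
        print(addr, info)
    print("6to4 prefix for 192.0.2.1:", sixtofour_prefix("192.0.2.1"))
```

The Teredo decode exposes the client's NAT-mapped public IPv4 address and UDP port, which is the information an attacker needs to reach the client directly and the reason the firewall slide warns against letting transition traffic through unless the endpoints are known.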


Application Threats

• Applications for IPv4 and IPv6 are the same

• Buffer overflows, SQL Injection, cross-site scripting will all remain valid attacks on IPv6 servers

• Use of IPsec can prevent many of these attacks that exploit trust between servers

• Completely hierarchical addressing will make trace-back easier, but privacy addressing and forged MAC addresses won’t

• E-mail/SPAM is still a problem in IPv6 nets

• DNS servers will still be attacked


IPv6 Firewalls

• Don’t just use your IPv4 policy for your IPv6 policy

• Don’t blindly allow IPsec or IPv4 Protocol 41 (6in4 tunneled traffic) through the firewall unless you know the tunnel endpoints

• Firewalls have improved their IPv6 capabilities, IPv6 addresses in the GUI, some logs, ability to filter on Extension Headers, Fragmentation, PMTUD, and granular filtering of ICMPv6 and multicast

• IPv6 firewalls may not have all the same full features as IPv4 firewalls

– UTM/DPI/IPS/WAF/content filtering features may only work for IPv4


IPv6 Intrusion Prevention

• Few signatures exist for IPv6 packets or you have to build your own using cryptic regular expressions or byte-offset values

• IPSs should send out notifications when non-conforming IPv6 packets are observed: faulty parameters, bad extension headers, or a multicast source address

• Many IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite)

• IPv6 support varies greatly in modern IPS systems

• Talk with your vendor about what you need


Host-Based Firewalls and AV

• There are many IPv6-capable host-based firewalls available depending on the OS you prefer

– Linux: ip6tables (NetFilter), ipf

– Windows Firewall with Advanced Security

– BSD: pf, ipfw, ipf

– Mac: ipfw, ipf

– Solaris, HP-UX: ipf

• Few host-based IPS systems support IPv6

• Desktop AntiVirus software has gotten better at allowing ICMPv6 (RA/RS/NA/NS) packets through

• However, there are still a handful of popular AV suites that don’t support IPv6


Capturing and Monitoring IPv6


• SPAN ports add CPU overhead to switches and may not capture all the traffic you want

• Taps are by far a better method than hubs

• Packet Monitoring Matrix Switches can monitor ports and send traffic to tool ports

• They have a flexible admin interface and advanced filtering capabilities to help you reduce the monitored traffic and look more precisely at what you are interested in

• Flexible matching of packets based on rules

• Traffic can be collected from multiple sources and sent to a single tool port

• Traffic can be “forked” and sent to multiple tool ports


Packet Monitoring Matrix Switches (figure not included in the transcript)


Anue Net Tool Optimizer (screenshot not included in the transcript)


• IPv6 addresses can be specified in the filter criteria


IP Security (IPsec)

• IPsec was developed alongside IPv6 (originally a mandatory part of every IPv6 node) and then added to IPv4, where it became widely deployed

• IPsec is defined by the IETF as several complementary protocols

– Encapsulating Security Payload (ESP)

– Authentication Header (AH)

– Internet Key Exchange (IKE)

• IPsec can provide the following protections

– Data origin authentication

– Connectionless integrity

– Replay protection

– Confidentiality (encryption)

– Traffic flow confidentiality

– Access control


IPv6 Security Policies

• Many security standards don’t discuss IPv6. However, any guideline related to IP may apply to both versions – many policies are higher level

• NIST SP 800-119: Guidelines for the Secure Deployment of IPv6, December 2010

– http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf

• NIST Special Publication (SP) 500-267: A Profile for IPv6 in the U.S. Government – V1; USGv6-V2 comments were due June 10, 2011, results Sept. 2011

– USGv6 Profile tests for granular filtering of IPv6 and ICMPv6 messages

– http://www.antd.nist.gov/usgv6/cfp.html


Summary of BCPs

• Perform IPv6 filtering at the perimeter

• Use RFC 2827 (BCP 38) ingress filtering and Unicast RPF checks throughout the network

• Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used

• Use common access-network security measures (NAC/802.1X, disable unused switch ports, Ethernet port security, MACsec/TrustSec) because SEcure Neighbor Discovery (SEND, RFC 3971) won’t be available any time soon

• Strive to achieve equal protections for IPv6 as with IPv4

• Continue to let vendors know what you expect in terms of IPv6 security features


Yet another IPv6 Book

• IPv6 Security, by Scott Hogg and Eric Vyncke, Cisco Press, 2009.

– ISBN-10: 1-58705-594-5

– ISBN-13: 978-1-58705-594-2

