IPv6 Security Considerations:
Future Challenges
Prof. Sukumar Nandi
Dept of Computer Sc. & Engg.
Indian Institute of Technology Guwahati
Agenda Outline
Motivation for IPv6
Brief comparison between IPv6 and IPv4
IPv6 Addressing Architecture
IPv6 Header Fields
IPv6 Extension Headers
IPv6 Options
Internet Control Message Protocol version 6 (ICMPv6)
Neighbor Discovery for IPv6
Address Resolution
Stateless Address Auto-configuration (SLAAC)
If you use IPv4?
I’m Running IPv4…Does This Affect Me?
Your network may be IPv4…
…but your devices may be another story!
What about all These?
IPv4 vs IPv6

                     IPv4                         IPv6
Addressing           32 bits                      128 bits
Address resolution   ARP                          ICMPv6 NS/NA (+ MLD)
Auto-configuration   DHCP & ICMP RS/RA            ICMPv6 RS/RA & DHCPv6 (optional) (+MLD)
Fault Isolation      ICMPv4                       ICMPv6
IPsec support        Optional                     Mandatory (to "optional")
Fragmentation        Both in hosts and routers    Only in hosts
Protocol Format
Brief comparison of IPv4 and IPv6 (II)
Header formats:
IPv6 header
Fixed-length (40-bytes) header
The Big IPv6 Security Question
Built-In IPSec Offers Better Security… Right?
IPSec is a mandatory part of the IPv6 Protocol
First and foremost issue!
Unfamiliarity Causes Misconfigurations
Many network administrators and IT practitioners are still relatively unfamiliar with all of IPv6’s “ins and outs”
Common issues:
• Not realizing IPv6 is already in their network
• Ignorance of Tunneling Mechanisms
• Lack of ACL policy for IPv6 multi-homing
• Unawareness of potential privacy issues
• Over-permissiveness, just to get it to work
What is IPSec?
Among other things, IPSec consists of:
• Authentication Headers (AH) – Provides data origin authentication and integrity (protects against replay attacks)
• Encapsulating Security Payloads (ESP) – Adds encryption to the mix to provide confidentiality
Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, anti-replay, and encryption (confidentiality) to IP packets, thus providing secure and private communications.
What are IPv6 Extension Headers?
Remember IPv6 header simplification?

IPv4 Header (20 bytes):
Version | IHL | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options | Padding

IPv6 Header (40 bytes):
Version | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address

[Figure legend: "Dropped" marks the IPv4 fields that have no counterpart in the IPv6 header]
Dropped options need to go somewhere…
IPv6 Header | Payload
IPv6 Header | Extension Header | Payload
IPv6 Header | Extension Header | Extension Header | Payload
Ext. headers may include:
• Hop-by-hop options
• Destination Options
• Routing
• Fragmentation
• AH Header
• ESP Header
• Etc…
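The chaining shown above is what a firewall or IDS has to follow before it can see the upper-layer protocol. The sketch below is an added example (not part of the original slides) that walks the Next Header chain of a packet built inline; the sample packet and its 2001:db8:: addresses are constructed for illustration.

```python
import ipaddress
import struct

# IANA protocol numbers for the extension headers named on the slide
EXT = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
       50: "ESP", 51: "AH", 60: "Destination Options"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}

def walk_chain(packet: bytes, max_ext: int = 8):
    """Follow Next Header fields; return (header names, upper-layer offset)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = packet[6], 40, ["IPv6"]
    while next_hdr in EXT:
        if len(chain) > max_ext:
            raise ValueError("extension header chain too long")
        chain.append(EXT[next_hdr])
        if next_hdr == 50:            # ESP: the rest is encrypted, stop here
            return chain, offset
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length = packet[offset], packet[offset + 1]
        if next_hdr == 44:            # Fragment header is always 8 bytes
            size = 8
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return chain, offset + 8   # non-first fragment: no upper header
        elif next_hdr == 51:          # AH length is in 4-byte units, minus 2
            size = (length + 2) * 4
        else:                         # others: 8-byte units, first 8 not counted
            size = (length + 1) * 8
        offset += size
        if offset > len(packet):
            raise ValueError("extension header overruns packet")
        next_hdr = following
    chain.append(UPPER.get(next_hdr, f"protocol {next_hdr}"))
    return chain, offset

def build_sample() -> bytes:
    """Constructed packet: IPv6 / Hop-by-Hop / Destination Options / ICMPv6."""
    pad = bytes([1, 4, 0, 0, 0, 0])                  # PadN option filling 6 bytes
    hbh = bytes([60, 0]) + pad                       # next = Destination Options
    dst = bytes([58, 0]) + pad                       # next = ICMPv6
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1])         # echo request, checksum unset
    body = hbh + dst + icmp
    base = struct.pack("!IHBB", 6 << 28, len(body), 0, 64)
    base += ipaddress.IPv6Address("2001:db8::1").packed
    base += ipaddress.IPv6Address("2001:db8::2").packed
    return base + body

if __name__ == "__main__":
    print(walk_chain(build_sample()))
```

A filter that only inspects the Next Header byte of the fixed header would classify this packet as "Hop-by-Hop Options" and never reach the ICMPv6 payload.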
Built-In IPSec Offers Better Security… Right?
IPSec is a mandatory part of the IPv6 Protocol
What does this really mean?
• Part of IPv6 protocol stack, not an optional add-on
• Implemented with AH and ESP Extension Headers
• Follows one standard (fewer interop issues)
• Every IPv6 device can do IPSec
• However, IPSec usage is still OPTIONAL!
• Manual configuration of Security Associations (SAs) can be a tedious or impractical task considering the volume.
• Even if SAs were established, it is not possible to verify the ownership of dynamically generated IP addresses.
• SAs can be created only through the Internet Key Exchange (IKE), but IKE requires a functional IP stack in order to function, and this results in a bootstrapping problem.
Wait! Doesn’t IPv4 Offer IPSec too?
Some truths about IPv6’s additional IPSec Security:
• IPv4 has it too (though, not “natively”)
• You don’t have to use it, and most don’t
• Still complex
• May require PKI Infrastructure
So is this really a security benefit?
• Short term – probably no measurable advantage over IPv4 IPSec
• Long term – More applications will leverage it now that it’s mandatory!
A Look Back at IPv4 ARP Poisoning
[Figure: ARP exchange on a LAN. Caption: No authentication or security]
Speech bubbles in the figure:
• "Who has 192.168.20.34?"
• "I Do. Here’s my MAC"
• "I Do. Send traffic to me"
• "Hey Everyone. I have 192.168.20.34, And 192.168.20.2, And ….."
• "I also have 192.168.20.1"
Neighbor Discovery Suffers from Similar Issues
[Figure: ND Spoofing. Caption: No authentication or security]
• Neighbor Solicitation: "Who has 2001::3/64?"
• Neighbor Advertisement: "I Do. Here’s my Layer 2 address"
Many Other Neighbor and Router Discovery Issues
Solution: SEcure Neighbor Discovery (SEND) – RFC 3971
• Essentially adds IPSec to ND communications
• Requires PKI Infrastructure
• Not available in all OSs yet.
• 802.1X also an option
Other ND related attacks:
• Duplicate Address Detection (DAD) DoS attack
• ND spoofing attack for router (allows for MitM)
• Neighbor Unreachability Detection (NUD) DoS attack
• Last Hop Router spoofing (malicious router advertisements)
• And many more… (http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html)
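Because Neighbor Advertisements carry no authentication, monitoring for changed address-to-MAC bindings is a practical way to spot the ND spoofing described above. The following is an added example, not from the original slides; the log format, addresses and MACs are constructed, and the `takeover_limit` threshold is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed observations of Neighbor Advertisements, one per line:
# <seconds> <target IPv6 address> <advertised link-layer address>
SAMPLE = """\
10.0 2001:db8::3 00:11:22:33:44:55
12.5 2001:db8::1 00:aa:bb:cc:dd:01
20.1 2001:DB8:0:0::3 de:ad:be:ef:00:66
20.2 2001:db8::1 de:ad:be:ef:00:66
20.3 2001:db8::2 de:ad:be:ef:00:66
"""

def detect(log: str, takeover_limit: int = 2):
    """Return alerts as (time, kind, subject, detail) tuples."""
    binding = {}                    # IPv6 address -> last advertised MAC
    taken = defaultdict(set)        # MAC -> addresses it took from another MAC
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, addr, mac = line.split()
        ts, mac = float(ts), mac.lower()
        ip = ipaddress.IPv6Address(addr)   # normalises different spellings
        old = binding.get(ip)
        if old is not None and old != mac:
            # Can be legitimate (NIC swap, failover) but is what spoofing looks like
            alerts.append((ts, "rebind", str(ip), f"{old} -> {mac}"))
            taken[mac].add(ip)
            if len(taken[mac]) == takeover_limit:
                alerts.append((ts, "takeover", mac,
                               f"claimed {takeover_limit} addresses held by others"))
        binding[ip] = mac
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A host that simply owns several addresses raises nothing here; only an address that moves from one MAC to another is counted, which keeps ordinary multi-address IPv6 hosts out of the alerts.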
New Multicast Protocol Helps with Reconnaissance
IPv6 multicast addresses:
IPv6 multicast includes a ton of reserved addresses. Here’s a few:

Multicast Address    Reservation
FF02::1              All Host Address
FF02::2              All Router Address (LL)
FF02::9              RIP Routers
FF02::A              EIGRP Routers
FF02::B              Mobile-Agents
FF02::1:2            All DHCP Agents
FF05::2              All Router Address (SL)
FF05::1:3            All DHCP Servers
FF05::1:4            All DHCP Relays
FF0X::101            NTP
FF0X::106            Name Service Server

Attackers can use these multicast addresses to enumerate your network.
IPv6 Security Controls Lagging
Hacking Arsenal/Tools
Attackers already have many IPv6-capable tools:
THC-IPv6 Attack Suite
Alive6
Parasite6
Redir6
Fake_Router6
Detect-New-IPv6
DoS-New-IPv6
Smurf6
rSmurf6
TooBig6
Fake_MIPv6
Fake_mld6
Fake_Advertiser6
SendPees6
DNSDict6
Trace6
Flood_Router6
Flood_Advertise6
Fuzz_IP6
etc…
Unfortunately, IPv6 security controls and products seem to be a bit behind.
THC-IPv6 Attack Suite
Nmap
Wireshark
Multi-Generator (MGEN)
IPv6 Security Scanner (vscan6)
Halfscan6
Strobe
Netcat6
Imps6-tools
Relay6
6tunnel
NT6tunnel
VoodooNet
Scapy6
Metasploit (etc.)
Web Browsers (XSS & SQLi)
TCPDump
COLD
Spak6
Isic6
Hyenae
SendIP
Packit
4to6ddos
6tunneldos
Typical IPv6 Devices Have Multiple Addresses
At least a Link-Local Address (FE80::/10)
Likely a Unique Global Address (2000::/3)
Possibly a Site-Local Address (FC00::/7)
You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization
Extra Security Can Cause Insecurity
Firewalls (and Admins) Must Learn New Tricks
How to filter ICMPv6?
Handling new extension headers
Filtering Multicast and Anycast
Hosts w/multiple addresses
EXTRA: The Same
There are some security issues that IPv6 has little effect on:
Application-layer attacks
Sniffing
Rogue Devices
Man-in-the-Middle Attacks
Flooding/DoS Attacks
THANK YOU