
IPv6 Security - GBV

Date post: 28-Mar-2022
IPv6 Security
Scott Hogg, CCIE No. 5133
Eric Vyncke
Cisco Press
800 East 96th Street, Indianapolis, IN 46240 USA
Contents
Introduction xix
Reintroduction to IPv6 3
Summary 12
Chapter 2 IPv6 Protocol Security Vulnerabilities 15
The IPv6 Protocol Header 16 ICMPv6 17
ICMPv6 Functions and Message Types 18 ICMPv6 Attacks and Mitigation Techniques 20
Multicast Security 22
Extension Header Threats 24 Extension Header Overview 24 Extension Header Vulnerabilities 28 Hop-by-Hop Options Header and Destination Options Header 29
IPv6 Extension Header Fuzzing 33 Router Alert Attack 33
Routing Headers 36 RH0 Attack 36 Preventing RH0 Attacks 40 Additional Router Header Attack Mitigation Techniques 42
Fragmentation Header 43 Overview of Packet Fragmentation Issues 43 Fragmentation Attacks 45 Preventing Fragmentation Attacks 47 Virtual Fragment Reassembly 49
Unknown Option Headers 52 Upper-Layer Headers 55
Reconnaissance on IPv6 Networks 55 Scanning and Assessing the Target 56
Registry Checking 56 Automated Reconnaissance 56
Speeding Up the Scanning Process 58 Leveraging Multicast for Reconnaissance 59 Automated Reconnaissance Tools 61 Sniffing to Find Nodes 61 Neighbor Cache 62 Node Information Queries 62
Protecting Against Reconnaissance Attacks 63
Layer 3 and Layer 4 Spoofing 65
Summary 69
References 70
Large-Scale Internet Threats 74 Packet Flooding 74 Internet Worms 77
Worm Propagation 78 Speeding Worm Propagation in IPv6 78 Current IPv6 Worms 79 Preventing IPv6 Worms 80
Distributed Denial of Service and Botnets 80 DDoS on IPv6 Networks 81 Attack Filtering 81 Attacker Traceback 82 Black Holes and Dark Nets 84
Ingress/Egress Filtering 85 Filtering IPv6 Traffic 85 Filtering on Allocated Addresses 85 Bogon Filtering 87 Bogon Filtering Challenges and Automation 90
Securing BGP Sessions 90 Explicitly Configured BGP Peers 92 Using BGP Session Shared Secrets 92 Leveraging an IPsec Tunnel 93 Using Loopback Addresses on BGP Peers 93 Controlling the Time-to-Live (TTL) on BGP Packets 94 Filtering on the Peering Interface 97 Using Link-Local Peering 97
Link-Local Addresses and the BGP Next-Hop Address 99 Drawbacks of Using Link-Local Addresses 101
Preventing Long AS Paths 102 Limiting the Number of Prefixes Received 103 Preventing BGP Updates Containing Private AS Numbers 103
Maximizing BGP Peer Availability 103 Disabling Route-Flap Dampening 104 Disabling Fast External Fallover 104 Enabling Graceful Restart and Route Refresh or Soft Reconfiguration 104 BGP Connection Resets 105
Logging BGP Neighbor Activity 106 Securing IGP 106 Extreme Measures for Securing Communications Between BGP Peers 106
IPv6 over MPLS Security 107 Using Static IPv6 over IPv4 Tunnels Between PE Routers 108 Using 6PE 109 Using 6VPE to Create IPv6-Aware VRFs 109
Customer Premises Equipment 110
Multihoming Issues 119
IPv6 Firewalls 128 Filtering IPv6 Unallocated Addresses 128 Additional Filtering Considerations 133
Firewalls and IPv6 Headers 133 Inspecting Tunneled Traffic 134 Layer 2 Firewalls 135 Firewalls Generate ICMP Unreachables 136 Logging and Performance 136
Firewalls and NAT 136
Cisco IOS Router ACLs 138 Implicit IPv6 ACL Rules 142 Internet ACL Example 143 IPv6 Reflexive ACLs 147
Cisco IOS Firewall 149 Configuring IOS Firewall 150 IOS Firewall Example 153 IOS Firewall Port-to-Application Mapping for IPv6 157
Cisco PIX/ASA/FWSM Firewalls 158
Configuring Firewall Interfaces 159 Management Access 161 Configuring Routes 162 Security Policy Configuration 164 Object Group Policy Configuration 168 Fragmentation Protection 172 Checking Traffic Statistics 173 Neighbor Discovery Protocol Protections 174
Summary 177
References 177
Chapter 5 Local Network Security 181
Why Layer 2 Is Important 181
ICMPv6 Layer 2 Vulnerabilities for IPv6 182 Stateless Address Autoconfiguration Issues 183 Neighbor Discovery Issues 187 Duplicate Address Detection Issues 190 Redirect Issues 193
ICMPv6 Protocol Protection 195 Secure Neighbor Discovery 196 Implementing CGA Addresses in Cisco IOS 198 Understanding the Challenges with SEND 199
Network Detection of ICMPv6 Attacks 199 Detecting Rogue RA Messages 199 Detecting NDP Attacks 201
Network Mitigation Against ICMPv6 Attacks 201 Rafixd 202 Reducing the Target Scope 203 IETF Work 203 Extending IPv4 Switch Security to IPv6 204
Privacy Extension Addresses for the Better and the Worse 205
DHCPv6 Threats and Mitigation 208 Threats Against DHCPv6 210 Mitigating DHCPv6 Attacks 211
Mitigating the Starvation Attack 211 Mitigating the DoS Attack 211 Mitigating the Scanning 213 Mitigating the Rogue DHCPv6 Server 213
Point-to-Point Link 213
Endpoint Security 215
Threats Against Network Devices 220
Cisco IOS Versions 220
Disabling Unnecessary Network Services 222 Interface Hardening 223
Limiting Router Access 224 Physical Access Security 224 Securing Console Access 225 Securing Passwords 225 VTY Port Access Controls 226 AAA for Routers 229 HTTP Access 230
IPv6 Device Management 233 Loopback and Null Interfaces 233 Management Interfaces 234 Securing SNMP Communications 235
Threats Against Interior Routing Protocol 239 RIPng Security 241 EIGRPv6 Security 242 IS-IS Security 244 OSPF Version 3 Security 247
First-Hop Redundancy Protocol Security 255 Neighbor Unreachability Detection 255 HSRPv6 257 GLBPv6 260
Controlling Resources 262 Infrastructure ACLs 263 Receive ACLs 265 Control Plane Policing 265
QoS Threats 269
IPv6 Host Security 281 Host Processing of ICMPv6 282
Services Listening on Ports 284 Microsoft Windows 284 Linux 284 BSD 285 Sun Solaris 285
Checking the Neighbor Cache 285 Microsoft Windows 286 Linux 286 BSD 287 Sun Solaris 287
Detecting Unwanted Tunnels 287 Microsoft Windows 287 Linux 290 BSD 291 Sun Solaris 292
IPv6 Forwarding 292 Microsoft Windows 293 Linux 293 BSD 294 Sun Solaris 294
Address Selection Issues 295 Microsoft Windows 296 Linux 297 BSD 297 Sun Solaris 297
Host Firewalls 297 Microsoft Windows Firewall 298 Linux Firewalls 301 BSD Firewalls 303
OpenBSD Packet Filter 304 ipfirewall 306 IPFilter 310
Sun Solaris 312
Summary 316
References 317
Chapter 8 IPsec and SSL Virtual Private Networks 319
IP Security with IPv6 320 IPsec Extension Headers 320 IPsec Modes of Operation 322
IPsec with Network Address Translation 324 IPv6 and IPsec 325
Host-to-Host IPsec 326
Site-to-Site IPsec Configuration 328 IPv6 IPsec over IPv4 Example 329
Configuring IPv6 IPsec over IPv4 329 Verifying the IPsec State 332 Adding Some Extra Security 337 Dynamic Crypto Maps for Multiple Sites 338
IPv6 IPsec Example 339 Configuring IPsec over IPv6 340 Checking the IPsec Status 343
Dynamic Multipoint VPN 349 Configuring DMVPN for IPv6 351 Verifying the DMVPN at the Hub 353 Verifying the DMVPN at the Spoke 359
Remote Access with IPsec 361
SSL VPNs 368
Mobile IPv6 Operation 378
MIPv6 Messages 379 Indirect Mode 381 Home Agent Address Determination 381 Direct Mode 382
Threats Linked to MIPv6 385 Protecting the Mobile Device Software 386 Rogue Home Agent 386 Mobile Media Security 386 Man-in-the-Middle Threats 387 Connection Interception 388 Spoofing MN-to-CN Bindings 389 DoS Attacks 390
Using IPsec with MIPv6 390
Filtering for MIPv6 392 Filters at the CN 395 Filters at the MN/Foreign Link 398 Filters at the HA 402
Other IPv6 Mobility Protocols 406 Additional IETF Mobile IPv6 Protocols 407 Network Mobility (NEMO) 409 IEEE 802.16e 411 Mobile Ad-hoc Networks 411
Summary 413
References 413
Understanding IPv4-to-IPv6 Transition Techniques 417 Dual-Stack 417 Tunnels 419
Configured Tunnels 420 6to4 Tunnels 423 ISATAP Tunnels 428 Teredo Tunnels 430 6VPE 434
Protocol Translation 437
Implementing Dual-Stack Security 439 Exploiting Dual-Stack Environment 440 Protecting Dual-Stack Hosts 443
Hacking the Tunnels 444 Securing Static Tunnels 447 Securing Dynamic Tunnels 449
6to4 450 ISATAP 453 Teredo 455
Securing 6VPE 459
Attacking NAT-PT 459
Summary 462
References 463
Managing and Monitoring IPv6 Networks 467 Router Interface Performance 468
Device Performance Monitoring 469 SNMP MIBs for Managing IPv6 Networks 469 IPv6-Capable SNMP Management Tools 471 NetFlow Analysis 472
Router Syslog Messages 478 Benefits of Accurate Time 481
Managing IPv6 Tunnels 482
Using Forensics 483
Using Intrusion Detection and Prevention Systems 485 Cisco IPS Version 6.1 486 Testing the IPS Signatures 487
Managing Security Information with CS-MARS 489
Managing the Security Configuration 493
Summary 495
References 496
Chapter 12 IPv6 Security Conclusions 499
Comparing IPv4 and IPv6 Security 499 Similarities Between IPv4 and IPv6 499 Differences Between IPv4 and IPv6 501
Changing Security Perimeter 501
Creating an IPv6 Security Policy 503 Network Perimeter 504 Extension Headers 504 LAN Threats 505 Host and Device Hardening 505 Transition Mechanisms 506 IPsec 506 Security Management 506
On the Horizon 506
Summary 511
References 511
Index 512
