Page 1: Securely Deploying IPv6

James Leinweber
State Laboratory of Hygiene
School of Medicine & Public Health

UW–Madison, Lockdown 2017

Page 2: v4 & v6 BGP connectivity - CAIDA 2009 (figure)


Page 4: State of IPv6 rollout – pessimists view

(figure; labels: countries with <1% IPv6; DMZ of the Alexa 1000; ISP backbone)

Page 5: State of IPv6 rollout – optimists view

(figure; labels: datacenter – Facebook; CDN – Akamai, Limelight, ...; DMZ – Verizon Wireless; ISP backbone – dual-stack; last mile – broadband, 4G/LTE, IoT; Belgium traffic; world population in high-IPv6 countries)

Page 6: If a v6 client wants a v4 server …

(figure: two paths from v6 to v4 – NAT64 + DNS64, and 464xlat with a v6 app and a v4 app)

Page 7: TCP/IP layers (v4, v6)

● 5 layer model
  ● each layer has a header or structured data
  ● OS layer APIs too: socket, protocol, device driver, ...
● IPv4 and IPv6 are at layer 3: WAN addressing and routing
● helper protocols find addresses:
  ● 7 → 3 (name → IP): DNS
    – v4: A; v6: AAAA
  ● 3 → 2 (IP → ethernet):
    – v4: ARP; v6: ND

Page 8: packet headers: IPv4 versus IPv6

(figure: the two headers side by side, fields colour-coded kept / gone / similar / new)
IPv4 header fields: ver, L, TOS, Total length, Frag ID, flag, Offset, TTL, proto, Header checksum, Source address, Destination Address, Options, Pad
IPv6 header fields: ver, Traffic Class, Flow Label, Payload length, Next Header, Hop Limit, Source address, Destination Address

Page 9: About those 128-bit IPv6 addresses

2607:f388:1084:2050:0000:0000:0053:000b

● written as 8 colon-separated 16-bit parcels of 4 hex characters
● two abbreviations:
  ● 1+ contiguous all-zero parcels → ::
  ● drop leading zeros
  – e.g. the loopback address compresses to ::1
● routing prefix: ISP /13-/32; customers /48 (business) - /60 (home)

(figure: the 128 bits allocated as 3 + 9 + 20 + 16 + 16 + 64 bits – IETF → IANA → RIR → ISP → end site → subnets → host / VLAN – annotated on the example address 2607:f388:1084:2050::53:b with its /60 site part)

Page 10: IPv6: what's similar to IPv4? WAN

● packet switched, next hop routing based on variable length prefixes, best effort delivery
  ● ... the threat model is basically the same
● used with the same upper & lower layer protocols
● similar speed
  ● LAN max throughput 4% less (1500 bytes)
    – so use jumbo frames
  ● WAN speed up to 15% faster (Facebook);
    – v4 delayed by carrier NAT?

Page 11: IPv6: The LAN behavior is very different

(figure: host start-up sequence on the LAN)
1: fe80 DAD, listen on ff02::1
2: multicast RS (ff02::2)
3: RA
4: multicast to DHCPv6 agents (ff02::1:2)
5: DHCPv6 negotiation
6: multicast NS (ff02::1:ffxx:xxxx)
7: NA response

Page 12: v4 versus v6 – network parameters

parameter       | IPv4         | IPv6
gateway         | DHCP option  | ICMPv6 RA sender (link-local; can be 100% fe80::1)
address         | DHCP lease   | SLAAC (privacy, EUI-64, ...) or DHCPv6 lease
DNS             | DHCP options | DHCPv6 options or ICMPv6 RA DNS options (or fallback to v4 DHCP)
other options   | DHCP         | DHCPv6 (static DHCPv6?)
layer 2 address | ARP          | ICMPv6 neighbor discovery (NS/NA)

Page 13: address scopes: node, link, site, global (of 7)

scope                                          | prefix                                | v4 analog      | usage
global – internet                              | 2000::/3                              |                | external / all uses
link local – lan                               | fe80::/64                             | 169.254.0.0/16 | DHCP, ND, RS, ...
site / org / autonomous system – unique local  | fd + 40 random + 16 subnet + 64 host  | rfc-1918       | internal private cross-vlan client-server
node – host loopback                           | ::1                                   | 127.0.0.1/8    |

Page 14: an IPv6 host has at least 5 addresses ...

scope  | kind      | usage                              | IPv6 address
node   | unicast   | loopback                           | ::1 (v4: 127.0.0.1)
link   | multicast | all-nodes (RA, MLD destination)    | ff02::1 (v4: 224.0.0.1)
link   | unicast   | RS/RA, ND, DHCP source             | fe80::214:5eff:fea4:7386
link   | multicast | NS destination                     | ff02::1:ffa4:7386
global | unicast   | public destination, ND, MLD source | 2607:f388:1084:2050::53:b
link   | multicast | NS destination                     | ff02::1:ff53:b
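How the table's addresses relate to each other, as an added example (not the presenter's code): the link-local address is the modified EUI-64 form of the interface MAC, and each solicited-node multicast group is ff02::1:ff00:0/104 plus the low 24 bits of the unicast address. The MAC 00:14:5e:a4:73:86 is an assumption read back from the slide's fe80::214:5eff:fea4:7386; the reverse function is the forensic check from slide 18 (a sender's EUI-64 address leaks its MAC, a privacy address does not).

```python
import ipaddress

# Added example, not code from the slides. The MAC below is an assumption
# recovered from the slide's link-local address; the two other addresses
# are the slide's own.
LINK_LOCAL_PREFIX = bytes.fromhex("fe80") + bytes(6)                             # fe80::/64
SOLICITED_NODE_PREFIX = bytes.fromhex("ff02") + bytes(9) + bytes.fromhex("01ff")  # ff02::1:ff00:0/104


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 link-local address (RFC 4291): flip the U/L bit of the
    first octet and splice ff:fe into the middle of the 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + iid)


def mac_from_eui64(addr: str):
    """Recover the MAC from an EUI-64 interface identifier, or None when the
    address is not EUI-64 (a privacy address, or a static host part like ::53:b)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group: ff02::1:ff00:0/104 plus the low 24 bits of
    the unicast address; this is where NS for DAD and neighbor discovery is sent."""
    packed = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX + packed[13:])


def host_address_set(mac: str, global_addr: str) -> dict:
    """The six addresses one host answers to, keyed like the rows of the table."""
    link_local = eui64_link_local(mac)
    glob = ipaddress.IPv6Address(global_addr)
    return {
        "loopback": ipaddress.IPv6Address("::1"),
        "all_nodes": ipaddress.IPv6Address("ff02::1"),
        "link_local": link_local,
        "link_local_snm": solicited_node(str(link_local)),
        "global": glob,
        "global_snm": solicited_node(str(glob)),
    }


if __name__ == "__main__":
    table = host_address_set("00:14:5e:a4:73:86", "2607:f388:1084:2050::53:b")
    for kind, address in table.items():
        print(f"{kind:15} {address}")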

Page 15: Getting IPv6 address space – ask your ISP

● Big org – ask ARIN for /32 or /48
  ● AS backbone routing prefixes /13../48
● UW departments – open a Cherwell ticket
  ● ask DoIT for /48 (+/-4)
● Wiscnet customers – ask
● Business ISP – should be available
  ● getting static v4 could be hard, v6 easy
● Home ISP – Real Soon Now
  ● homework: ask when
  ● initially probably /64, eventually /60

Page 16: Design a routing and subnet architecture

● Think big – a /48 is like being MIT
  ● subnets and addresses are not scarce
    – all subnets /64 at the vlan
● Think long term – adapt to 20 years of changes
  ● new or renumbered vlans, new or split subnets, new locations, routing topology changes, ...
  ● renumbering hosts is much easier in v6, but ...
● Think easy
  ● easy to document, easy to implement

Page 17: WSLH IPv6 architecture (3rd try)

● route /52 (wan), firewall /60 (security), subnet /64 (vlan)
● 4-bit alignment, start in the middle, reserve growth gaps, use meaningful semantics, avoid vlan tags & v4 subnets

(figure: campus backbone feeding two /52 sites, 465 Henry Mall and 2810 Walton Commons LN)
2607:f388:1084:1000::/52
  lan  2607:f388:1084:1010::/64
  dmz  2607:f388:1084:1050::/64
  mgmt 2607:f388:1084:10a0::/64
2607:f388:1084:2000::/52
  lan1 2607:f388:1084:2010::/64
  lan2 2607:f388:1084:2018::/64
  dmz  2607:f388:1084:2050::/64
  mgmt 2607:f388:1084:20a0::/64

Page 18: IPv6 network forensics: snoop the port/host

● host interfaces will have multiple active v6 addresses
  ● link-local (fe80::/64) & global (2000::/3) scopes
  ● might have multiple global scope addresses
● v6 host parts may change
  ● windows default is new privacy addresses daily
● dual-stack clients use both v4 and v6 protocols
  ● IPv6 sites are IPv6-mostly, rarely IPv6-only
● destinations will be both unicast & multicast
  ● senders are always unicast & have a host MAC

Page 19: Dual-stack network monitoring

● SIEM / log analysis - multiple IP text formats
  ● v4 dotted quad (DNS A)
  ● v6 native (DNS AAAA)
  ● v4 mapped as v6: ::ffff:p.q.r.s
● if you use SNMP to poll ARP tables, add v6 ND
● antimalware tools – need v6 support
  ● AV, reputation blacklists, URL filtering, snort, …
● network & scanning tools – learn the v6 options
  ● ping, traceroute, wireshark, nmap, nessus, ...
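The SIEM point above in working form, as an added example (not the presenter's code): a normaliser that recognises all three spellings from the slide, plus the bracketed [v6]:port and fe80::...%zone forms that web and sshd logs produce, and collapses them to one key per host so a v4-mapped hit and a dotted-quad hit count against the same address. The log lines are constructed for the example.

```python
import ipaddress
import re

# Added example, not from the slides. The log lines are constructed: the same v4 host
# appears as a dotted quad and as a v4-mapped v6 address, and the same v6 host appears
# in expanded, compressed and bracketed-with-port spellings.
SAMPLE_LOG = """\
2017-07-20T10:01:02 sshd[1]: Accepted publickey for ops from 10.1.2.3 port 5001
2017-07-20T10:01:09 sshd[1]: Failed password for root from ::ffff:10.1.2.3 port 5002
2017-07-20T10:01:15 nginx: 2607:f388:1084:2050:0:0:53:b - - "GET / HTTP/1.1" 200
2017-07-20T10:01:20 nginx: upstream [2607:f388:1084:2050::53:b]:443 timed out
2017-07-20T10:01:25 sshd[1]: Failed password for root from fe80::214:5eff:fea4:7386%eth0 port 5003
"""

BRACKETED = re.compile(r"\[([^\]]+)\](?::\d+)?")              # [v6]:port
V4_WITH_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+")     # a.b.c.d:port


def canonical_ip(token: str):
    """Return ("v4" | "v6", canonical text) if the token is an IP address in any of
    the spellings the slide lists, else None. v4-mapped v6 collapses to plain v4."""
    t = token.strip("\"',;()")
    m = BRACKETED.fullmatch(t) or V4_WITH_PORT.fullmatch(t)
    if m:
        t = m.group(1)
    t = t.split("%", 1)[0]                  # drop the zone id on link-local addresses
    try:
        addr = ipaddress.ip_address(t)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return "v4", str(addr.ipv4_mapped)
    return f"v{addr.version}", str(addr)   # str() gives the RFC 5952 compressed form


def events_per_host(log_text: str) -> dict:
    """Count lines per host after normalisation, so one host is one SIEM key
    regardless of how the producing daemon spelled its address."""
    counts = {}
    for line in log_text.splitlines():
        hosts = {hit for hit in map(canonical_ip, line.split()) if hit}
        for host in hosts:
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for (family, host), n in sorted(events_per_host(SAMPLE_LOG).items()):
        print(f"{family} {host:28} {n}")
```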

Page 20: switches – layer 2 defenses

● layer 3 switches can use ACLs to block unwanted DHCP, ICMP
  ● probably separate v4 and v6 rules
  ● block client ICMP redirect
  ● block client ICMPv6 RA
● also block too many MACs
  ● v4: ARP poisoning; v6: ICMPv6 ND poisoning
● use whatever subset of features makes sense
  ● ACL, mac lock, port security, DHCP snooping, RA guard, ...

Page 21: v4 & v6 Cisco switch ACL example (partial)

  ! IPv4: on a client port, drop rogue DHCP server replies (server port 67 to
  ! client port 68, mirroring the DHCPv6 rule below), ICMP router advertisement
  ! (type 9) and ICMP redirect (type 5); everything else passes
  ip access-list extended list4
   deny udp any eq 67 any eq 68
   deny icmp any any 9
   deny icmp any any 5
   permit ip any any

  ! reserve TCAM for both address families (takes effect after a reload)
  sdm prefer dual-ipv4-and-ipv6 default

  ! IPv6: drop rogue DHCPv6 server replies (server port 547 to client port 546),
  ! ICMPv6 router advertisement (134) and ICMPv6 redirect (137); the IPv6 ACL
  ! final permit uses the ipv6 keyword
  ipv6 access-list list6
   deny udp any eq 547 any eq 546
   deny icmp any any 134
   deny icmp any any 137
   permit ipv6 any any

  ! apply both lists inbound on the access port, with port security limiting MACs
  interface Gi1/0/3
   switchport port-security
   switchport port-security aging-time 1440
   ip access-group list4 in
   ipv6 traffic-filter list6 in

Page 22: firewalls

● for v6, mimic v4 application / port filtering
  ● e.g. no egress for 445/tcp
● Cisco ASA
  ● 8.x: make separate ipv6 access-lists
    – use two access-group statements per interface
  ● 9.x: unified access-lists, new address wildcards any4, any6
    – plain any becomes dual-protocol

Page 23: firewalls – filter on ICMPv6 type codes

● transparent: allow RS/RA, NS/NA (133-136)
  ● only routers should do redirect (137)
● allow errors (1-4)
  ● 1=unreachable, 2=too big, 3=ttl, 4=param
    – routers don't fragment v6, so PMTU discovery is needed
    – v6 minimum is 1280 bytes … servers, be kind.
● echo request/reply: match v4 policy (128-129)
● block the rest to start with
  ● unless you are using multicast, mobility, …
  ● no accidental router renumbering! (138)

Page 24: firewalls - block tunnels (or protocols)

● automatic tunnels turned out to be bad ideas
  ● unreliable, latency, jitter, no security inspection
  ● only 3 of some dozen proposed got deployed: ISATAP, 6to4 (2002::/16), Teredo (2001:0::/32)
  ● windows: netsh interface XXX set state disabled
● block IPv6 over IPv4 automatic tunnels by:
  ● deny protocol 41 (v4 header, v6 payload)
  ● deny port 3544/udp (teredo server)
● for v4 only, block IPv6 ethertype 0x86dd
● for v6 only, block IPv4 ethertypes 0x0800, 0x0806

Page 25: routing – 3 methods

● static routes: both v4 and v6
● dynamic routes:
  ● the usual protocols (BGP, IS-IS, RIP, OSPF, EIGRP) are all extended to handle IPv6
  ● v4 and v6 will use separate peering sessions
● DHCPv6 prefix delegation
  ● popular for ISP provider-aggregated space
    – up to /48 available for business use
  ● especially likely for home broadband
    – probably /64 for now, /60 likely in future

Page 26: DNS

● forward IPv6: AAAA records & v6 address
  ● IN AAAA 2607:f388:1084:2050::53:b
● reverse IPv6: PTR under ip6.arpa
  ● b.0.0.0.3.5.0.0.0.0.0.0.0.0.0.0.0.5.0.2.4.8.0.1.8.8.3.f.7.0.6.2.ip6.arpa.
● zone delegation: similar to IPv4
  ● don't forget to ask for IPv6 prefix delegation
  ● add the v6 addresses to your nameservers
● dynamic DNS is your friend
  ● for BIND zone files, so is $ORIGIN
● use tools (ipv6calc, arpaname, web, ...)
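The reverse-name construction above, as an added example (not the presenter's code): it expands the address to all 32 nibbles, reverses them under ip6.arpa, and derives the $ORIGIN of a nibble-aligned reverse zone so the PTR owner names in the zone file stay short. The hostname ns1.example.net and the /64 reverse zone are assumptions; the addresses are the slide's.

```python
import ipaddress

# Added example, not from the slides: builds the ip6.arpa PTR owner names shown
# above and emits matching AAAA/PTR lines. The hostname ns1.example.net and the
# /64 reverse zone are assumptions; the addresses are the slide's.


def ip6_arpa(addr: str) -> str:
    """PTR owner name: every nibble of the fully expanded address, reversed, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_origin(prefix: str) -> str:
    """$ORIGIN of the reverse zone for a nibble-aligned prefix (/48, /52, /64, ...)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: reverse zones need a prefix length that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def zone_records(zone_prefix: str, hosts: dict) -> tuple:
    """Forward AAAA lines and a reverse-zone fragment (with $ORIGIN so the PTR owner
    names are relative) for {fqdn: address}. Raises if an address is outside the zone."""
    origin = reverse_zone_origin(zone_prefix)
    forward, reverse = [], [f"$ORIGIN {origin}"]
    for fqdn, addr in hosts.items():
        owner = ip6_arpa(addr)
        if not owner.endswith("." + origin):
            raise ValueError(f"{addr} is not inside {zone_prefix}")
        relative = owner[: -(len(origin) + 1)]          # strip ".<origin>"
        forward.append(f"{fqdn}. IN AAAA {ipaddress.IPv6Address(addr)}")
        reverse.append(f"{relative} IN PTR {fqdn}.")
    return forward, reverse


if __name__ == "__main__":
    fwd, rev = zone_records("2607:f388:1084:2050::/64",
                            {"ns1.example.net": "2607:f388:1084:2050::53:b"})
    print("\n".join(fwd + rev))
```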

Page 27: IPv6 Application pain: compare Y2K

● big challenge: web applications and logging
  ● recent OS, e-mail, web, and DB services support IPv6
  ● … but stored IP addresses change format and get much bigger
● IPv6 rework is easier than similar Y2K rework
  ● IP addresses are less pervasive and less manipulated
  ● no hard deadline
  ● your entire backend doesn't have to be v6 yet
    – just front end, stored addresses, log analysis (security, web stats)
● application code switches to new dual-stack library APIs
  ● getaddrinfo() returns a prioritized list of v6 and v4 addresses to try for a DNS hostname
  ● an IPv6 socket with the IPV6_V6ONLY option = 0 can also do mapped v4 ::ffff:p.q.r.s

Page 28: deployment priorities

where       | priority | why                                       | issues
lan         | low?     | ? needed if a v6-only service is popular | easy (7 weeks?); not much breaks
dmz - dns   | high     | needed early                              |
dmz - https | medium   | mobile clients                            | 3rd party libraries, analytics, cookies
dmz - smtp  | low      | ?                                         | spam - IPv6 reputation lists lag v4
datacenter  | low      | out of v4?                                | going v6-only could take 7 years (HVAC monitoring, 3rd party vendors)

Page 29: Questions?

Slide & Handout URL: http://go.wisc.edu/svv199

● start small: "don't try to boil an ocean in a day"
● test before deploying to production
  ● all large deployments found vendor glitches

Page 30: Extra Slides

Page 31: wireshark packet trace: native IPv6

● Duplicate address detection – NS to self

● MLD leave to ff02::16 – turn off multicast traffic

● ICMPv6 solicit & advertise, for routers & neighbors

● uses both link-local & global address scopes

● uses both unicast & multicast destinations

● DNS and HTTP behave similarly over v6 & v4

● Web browsers typically use a mix of v4 and v6

Page 32: IPv6 security: longstanding paranoia (figure)

Page 33: IPv6 is not inherently secure, but ...

● IPSEC fantasies notwithstanding
  ● end point security, protocol stack quality, and feature parity are all problematic
● the industry record of inadequate security design extends far beyond IPv6
  ● Wifi WEP, DVD CSS, Mifare stored value cards, cell phone GSM, ...
  ● similar security disasters in progress today deploying over IPv6: power industry smartgrid, FAA next generation air traffic control
● Reality: IPv4 security and IPv6 security are very similar
  ● same internet architecture → same threat model → same security measures
  ● only 3 variations: extension header + fragmentation resource exhaustion DoS, RA spoofing, many addresses

Page 34: A few well known IPv6 prefixes

prefix         | usage
::             | unspecified; link source only, never a destination
::ffff:p.q.r.s | mapped IPv4; used in dual-stacked APIs
2000::/3       | IANA global unicast (v4: non-[rfc-6890])
2001:0000::/32 | deprecated Teredo tunnel prefix
2001:db8::/32  | documentation examples (v4: 192.0.2.0/24, ...)
2002::/16      | deprecated 6to4 tunnel prefix
fd00::/7       | Unique Local Addresses (v4: [rfc-1918] private)
fe80::/10      | link scope addresses [rfc-4862]; replaces IPv4 zeroconf; autoconfigured & required
ff02::/8       | multicast – required (v4: 224.0.0.0/4)

Page 35: IPv6 Multicast: ff + flags + scope + group

Scopes (y): 1=node, 2=link, ... 5=site, … e=global

address   | scope     | group                            | v4 analog
ff02::1   | link      | all hosts                        | 224.0.0.1
ff02::2   | link      | all routers                      | 224.0.0.2
ff02::16  | link      | all MLDv2 routers                |
ff02::1:2 | link      | DHCP relay agents                | 224.0.0.12
ff05::1:3 | site      | DHCP servers (from relay agents) |
ff0y::101 | any scope | NTP                              | 224.0.1.1
ff0y::130 | any scope | UPnP                             |
ff0y::fb  | any scope | mDNSv6                           | 224.0.0.251
ff0y::c   | any scope | SSDP                             | 239.255.255.250

Page 36: address preference pain

● multiple interfaces & addresses – pick which?
  ● complicated; ~18 rules just in [rfc-6724], plus [rfc-5220], policy table, ...
    – local or global scope, lifetime temporary or permanent, valid or invalid, preferred or deprecated, mobility home or care-of, ...
● simple case: one v4 address, one active global v6 address
  1) match destination protocol family, either v4 or v6
  2) prefer native source to tunneled
     ● update: [rfc-1918] private now preferred to 6to4 & Teredo
  3) prefer v6 source to v4
● default getaddrinfo() policy can be changed by vendor or admin
  ● linux: edit /etc/gai.conf
  ● windows: netsh interface ipv6 set prefixpolicies
  ● per-connection override: specify protocol and "zone" (interface)
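Where the three simple-case rules above come from, as an added example (not the presenter's code): the default policy table of [rfc-6724], the same table /etc/gai.conf and netsh prefixpolicies let you edit, applied with only rule 5 (prefer a label matching one of our own addresses) and rule 6 (higher precedence) of the ~18. The raised precedence of ::ffff:0:0/96 is the "[rfc-1918] private now preferred to 6to4 & Teredo" update; running the same candidates against a v4-only host shows rule 1.

```python
import ipaddress

# Added example, not from the slides: the RFC 6724 section 2.1 default policy table
# and a destination ordering that applies only rules 5 and 6. The candidate
# destinations in __main__ are constructed (documentation / tunnel / private ranges).
DEFAULT_POLICY = [  # (prefix, precedence, label)
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),   # v4-mapped: raised above 6to4/Teredo by RFC 6724
    ("2002::/16", 30, 2),       # 6to4
    ("2001::/32", 5, 5),        # Teredo
    ("fc00::/7", 3, 13),        # unique local
    ("::/96", 1, 3),            # v4-compatible (deprecated)
    ("fec0::/10", 1, 11),       # site local (deprecated)
    ("3ffe::/16", 1, 12),       # 6bone (deprecated)
]
POLICY = [(ipaddress.IPv6Network(p), prec, label) for p, prec, label in DEFAULT_POLICY]


def as_ipv6(addr: str) -> ipaddress.IPv6Address:
    """IPv4 addresses take part in the lookup as their ::ffff:p.q.r.s mapped form."""
    a = ipaddress.ip_address(addr)
    return a if a.version == 6 else ipaddress.IPv6Address(f"::ffff:{a}")


def lookup(addr: str) -> tuple:
    """Longest-prefix match in the policy table -> (precedence, label)."""
    a = as_ipv6(addr)
    best = None
    for net, prec, label in POLICY:
        if a in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]           # ::/0 guarantees a match


def order_destinations(destinations: list, source_addrs: list) -> list:
    """Sort candidates the way getaddrinfo() would under the default table:
    destinations whose label matches the label of one of our own addresses first
    (rule 5), then higher precedence first (rule 6). Stable for ties."""
    our_labels = {lookup(s)[1] for s in source_addrs}

    def rank(dst):
        prec, label = lookup(dst)
        return (0 if label in our_labels else 1, -prec)

    return sorted(destinations, key=rank)


if __name__ == "__main__":
    candidates = ["2002:c000:204::1", "2001::1", "10.99.0.1", "2001:db8::10"]
    print(order_destinations(candidates, ["2607:f388:1084:2050::53:b", "10.1.2.3"]))
    print(order_destinations(candidates, ["10.1.2.3"]))   # v4-only host: rule 1 in effect
```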

Page 37: IPv6 and "happy eyeballs" (rfc-6555)

● waiting for DNS or connection timeouts on mono-stack sites annoys users
● start v6 (AAAA) and v4 (A) DNS queries in parallel
● start TCP connections to destinations as DNS answers arrive
  ● v6 usually gets a 300 ms head start
● use the first connection to complete
  ● reset the other one if necessary
● implemented: Google Chrome, Firefox, Mac OS X, ...
  ● Windows 10 checks for native IPv6 & adjusts the v4/v6 policy table preference
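The race the slide describes, as an added example (not the presenter's code): v6 is started first, v4 only once the 300 ms head start has passed without a v6 success, and the first completed attempt wins while the other is cancelled. The connects are simulated by timed coroutines so the block runs offline; the delays are assumptions. Python's own asyncio.open_connection does the same against real sockets via its happy_eyeballs_delay parameter.

```python
import asyncio

# Added example, not from the slides. fake_connect stands in for a real TCP connect
# (delay and failure are constructed); HEAD_START is the slide's ~300 ms.
HEAD_START = 0.3


async def fake_connect(family: str, delay: float, fail: bool = False) -> str:
    """Pretend to connect: take `delay` seconds, then succeed or raise."""
    await asyncio.sleep(delay)
    if fail:
        raise ConnectionError(f"{family} connect failed")
    return family


async def happy_eyeballs(v6_attempt, v4_attempt, head_start: float = HEAD_START) -> str:
    """Start the v6 attempt first; start v4 only if v6 has not succeeded within
    head_start; use the first to complete and cancel ("reset") the other."""
    v6 = asyncio.ensure_future(v6_attempt)
    done, _ = await asyncio.wait({v6}, timeout=head_start)
    if v6 in done and v6.exception() is None:
        v4_attempt.close()              # never needed: avoid an un-awaited coroutine warning
        return v6.result()
    v4 = asyncio.ensure_future(v4_attempt)   # v6 slow or already failed: try v4 too
    pending = {v6, v4}
    while pending:
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for loser in pending:
                    loser.cancel()
                return task.result()
    raise ConnectionError("neither address family connected")


def race(v6_delay: float, v4_delay: float, v6_fails: bool = False, v4_fails: bool = False) -> str:
    """Run one race to completion and return the winning family."""
    return asyncio.run(happy_eyeballs(fake_connect("v6", v6_delay, v6_fails),
                                      fake_connect("v4", v4_delay, v4_fails)))


if __name__ == "__main__":
    print(race(0.1, 0.01))                  # v6 answers inside the head start
    print(race(2.0, 0.05))                  # v6 stalls: v4 starts at 300 ms and wins
    print(race(0.05, 0.05, v6_fails=True))  # v6 fails fast: v4 is tried at once
```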

Page 38: RFC pain: IPv6 is a moving target

● deprecated addresses & names
  ● 5f00::/8, 3ffe::/16 (6bone) … use 2000::/3 globals
  ● ::/96 (v4 embedded) … use ::ffff:p.q.r.s
  ● fec0::/10 (site local) … use fd::/7 unique local
  ● ip6.int (DNS PTR) … use ip6.arpa
● deprecated protocols
  ● A6, DNAME (DNS) … use AAAA, PTR
  ● automatic tunnels (6over4, 6to4, Teredo, ISATAP) … use 6in4, 6rd, 6pe
  ● NAT-PT (a nat46 try) … use dual-stack

Page 39: e-mail spam risk: lots of addresses

● can send each message from a different IPv6 host address
  ● a /48 from a shady registrar / hosting provider has 65k networks
  ● … but fewer than 200k real SMTP hosts worldwide, all with v4

Countermeasures:
● wait a few more years before turning on v6 for SMTP
● switch to a reputation whitelist instead of a blacklist
● use v6 reputation lists based on v6 prefixes, not hosts
  ● using prefixes increases collateral damage

Page 40: NAT translation considered harmful

● NAT46 breaks lots of stuff [rfc-4966]
  ● multichannel protocols with embedded ports or addresses
    – multimedia, VoIP, FTP, ...
  ● signed packets: IPSEC, DNSSEC, ...
  ● multicast, geolocation, inbound connections (gaming), …
● fixup requires protocol-specific application gateways
  ● fixup fails if there are multiple NAT layers, e.g. NAT444
    – (Donley): streaming stutters; breaks v6 tunnels, P2P, FTP
  ● can't cover many protocols, nor scale to many clients

Page 41: NAT translation: addresses, maybe protocols

● NAT46: IPv4 → IPv6 is intractable
  ● e.g. NAT-PT can't reliably fake DNS A for AAAA
● NAT64: IPv6 → IPv4 is possible (but inferior)
  ● at least for simple TCP connections
● NAT44: IPv4 → IPv4 is possible at CPE or ISP
  ● remember NAT444 at both CPE and ISP is bad
● NAT66: IPv6 → IPv6 doesn't exist
  ● and IAB really wants to prevent it: [rfc-5902]

Page 42: meep ... there's no NAT66

● NAT44 is not what provides IP security
  ● site-scope addresses → application proxies → stateful firewalls
  ● PCI-DSS is OK with firewalling global scope v6
● private / site-scope IP addresses don't block reconnaissance
  ● speed bump, yes
    – browser javascript enumeration exploits, DNS queries, ARP or ND poisoning, multicast probes, ...
● NAT is evil because it prevents protocol innovation
  ● evading future congestion collapses needs innovation

Page 43: IPv6 and the SLAAC attack … an IPv4 MITM

Suppose a v4-only network with good v4 defenses but no v6 monitoring has dual-capable hosts ...

● attack station multicasts RAs with a global unicast prefix, naming itself as router, DHCPv6, and DNS server
● dual-stack hosts autoconfigure v6 & prefer it
  ● so potential v4 traffic tries the attacker on v6 first
● attacker proxies evil outside v4 to inside v6 via NAT-PT
  ● especially DNS

Page 44: (accidental?) WiFi hijacking

● suppose a windows 7 laptop with internet connection sharing and tunneled v6 shows up on a v4 wifi network
● how many nearby dual-stack devices will believe its RAs and switch to v6 routed through a really bad tunnel?
● miscreants already show up in public spaces with rogue v4 access points
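A detector for the rogue-RA scenarios of slides 43 and 44 (the "block client ICMPv6 RA" item of slide 20 in monitoring form), as an added example that is not the presenter's code: it parses raw IPv6/ICMPv6 frames from a span port or capture, keeps Router Advertisements, and alerts on any RA that is not from the planned router, names a prefix outside the plan, pushes DNS servers via RDNSS, or steers hosts to DHCPv6. The trusted router fe80::1 (slide 12's "can be 100% fe80::1"), the expected dmz /64 from slide 17, and the two in-memory sample frames are assumptions.

```python
import ipaddress
import struct

# Added example, not the presenter's code. Assumptions: the planned router is fe80::1
# (slide 12), the planned prefix is the dmz /64 from slide 17, and the frames are built
# in memory only as parser input (checksum left zero, nothing is sent).
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2607:f388:1084:2050::/64")}
ICMPV6, ROUTER_ADVERTISEMENT, OPT_PREFIX_INFO, OPT_RDNSS = 58, 134, 3, 25


def build_ra(src, prefix, dns=(), managed=False):
    """IPv6 header + ICMPv6 RA carrying a Prefix Information option (RFC 4861) and,
    if dns is given, an RDNSS option (RFC 8106). Sample input for the parser only."""
    net = ipaddress.IPv6Network(prefix)
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0x80 if managed else 0, 1800, 0, 0)
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    icmp += net.network_address.packed
    if dns:
        icmp += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 1800)
        icmp += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
    return ip6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp


def parse_ra(frame):
    """Decode an RA into {src, managed, prefixes, dns}; None if the frame is not an RA."""
    if len(frame) < 56 or frame[0] >> 4 != 6 or frame[6] != ICMPV6:
        return None
    icmp = frame[40:40 + struct.unpack("!H", frame[4:6])[0]]
    if len(icmp) < 16 or icmp[0] != ROUTER_ADVERTISEMENT:
        return None
    ra = {"src": ipaddress.IPv6Address(frame[8:24]), "managed": bool(icmp[5] & 0x80),
          "prefixes": [], "dns": []}
    pos = 16
    while pos + 2 <= len(icmp):                    # walk the TLV options
        otype, olen = icmp[pos], icmp[pos + 1] * 8
        if olen == 0 or pos + olen > len(icmp):
            break                                  # malformed option: stop, don't spin
        body = icmp[pos + 2:pos + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            ra["prefixes"].append(ipaddress.IPv6Network((body[14:30], body[0])))
        elif otype == OPT_RDNSS:
            ra["dns"] += [ipaddress.IPv6Address(body[i:i + 16]) for i in range(6, len(body) - 15, 16)]
        pos += olen
    return ra


def findings(ra):
    """Why this RA deserves an alert; an empty list means it matches the network plan."""
    out = []
    trusted = ra["src"] in TRUSTED_ROUTERS
    if not trusted:
        out.append(f"RA from unplanned router {ra['src']}")
    if not ra["src"].is_link_local:
        out.append("RA source is not link-local (RFC 4861 requires fe80::/10)")
    out += [f"advertises unplanned prefix {p}" for p in ra["prefixes"] if p not in EXPECTED_PREFIXES]
    if ra["dns"] and not trusted:
        out.append("pushes DNS servers via RDNSS: " + ", ".join(map(str, ra["dns"])))
    if ra["managed"] and not trusted:
        out.append("sets the M flag, steering hosts to its DHCPv6")
    return out


def scan(frames):
    """Run the detector over captured frames; returns one alert string per finding."""
    alerts = []
    for frame in frames:
        ra = parse_ra(frame)
        if ra:
            alerts += [f"{ra['src']}: {why}" for why in findings(ra)]
    return alerts


if __name__ == "__main__":
    good = build_ra("fe80::1", "2607:f388:1084:2050::/64")
    rogue = build_ra("fe80::5a7:ca8c", "2001:db8:bad::/64", dns=["2001:db8:bad::53"], managed=True)
    print("\n".join(scan([good, rogue])) or "no alerts")
```

On a real capture the frames come from the IPv6 payload of each ethernet frame with ethertype 0x86dd; the same source-allow-list is what an RA guard enforces in hardware.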

