Securely Deploying IPv6
James Leinweber
State Laboratory of Hygiene
School of Medicine & Public Health
Lockdown 2017 Securely Deploying IPv6 2
v4 & v6 BGP connectivity - CAIDA 2009
State of IPv6 rollout – pessimists view
(figure: countries with <1% IPv6; DMZs of the Alexa top 1000 sites; ISP backbones)
State of IPv6 rollout – optimists view
(figure: datacenters; CDNs such as Akamai and Limelight; DMZs such as Verizon Wireless; dual-stack ISP backbones; last mile broadband, 4G/LTE and IoT; Belgium leads in traffic share; share of world population living in high-IPv6 countries)
If a v6 client wants a v4 server …
● NAT64 + DNS64: a v6-only client reaches a v4 server; DNS64 synthesizes an AAAA answer and NAT64 translates the v6 flow to v4
● 464xlat: a v4-only application on a v6-only host reaches a v4 server; the host translates v4 to v6 and a NAT64 in the network translates back to v4
TCP/IP layers (v4, v6)
● 5 layer model
● each has header or structured data
● the OS exposes APIs at each layer too: socket, protocol, device driver, ...
● IPv4 and IPv6 are at layer 3
● WAN addressing and routing
● helper protocols find addresses:
● 7 → 3 (name → IP): DNS
– v4: A v6: AAAA
● 3 → 2 (IP → ethernet):
– v4: ARP v6: ND
packet headers: IPv4 versus IPv6
● kept: version, source address, destination address
● similar, renamed: total length → payload length, protocol → next header, TTL → hop limit, TOS → traffic class
● gone: header length, header checksum, fragment ID / flags / offset, options and padding
● new: flow label
About those 128-bit IPv6 addresses
2607:f388:1084:2050:0000:0000:0053:000b
● written as 8 colon-separated 16-bit parcels of 4 hex characters
● two abbreviations:
– drop leading zeros within each parcel
– one run of 1+ contiguous all-zero parcels → ::
– e.g. the loopback address compresses to ::1, the address above to 2607:f388:1084:2050::53:b
● routing prefix: ISP /13-/32; customers /48 (business) - /60 (home)
● prefix hierarchy, bits from the left (3 + 9 + 20 + 16 + 16 + 64 = 128):
– 3: IETF (001 = global unicast)
– 9: IANA to RIR
– 20: RIR to ISP
– 16: ISP to end site (the /48)
– 16: subnets (host / VLAN, each a /64)
– 64: host (interface identifier)
– the example splits as 260 | 7f388 | 1084 | 2050 | ::53:b
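The two abbreviation rules and the prefix carve-up above, as an added example (not from the slides): a hand-written RFC 5952 formatter (the longest zero run wins, the leftmost on a tie, a lone zero parcel is never collapsed to ::), cross-checked against Python's ipaddress module, and a helper that splits an address along the 3/9/20/16/16/64-bit boundaries in the diagram. The field names are the slide's; the /12, /32, /48 and /64 prefixes it reports follow from those widths.

```python
import ipaddress  # used only to cross-check the hand-written formatter


def expand(addr):
    """Expand an IPv6 text address into its 8 zero-padded 16-bit parcels."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head = head.split(":") if head else []
        tail = tail.split(":") if tail else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one parcel")
        parcels = head + ["0"] * missing + tail
    else:
        parcels = addr.split(":")
    if len(parcels) != 8 or not all(1 <= len(p) <= 4 for p in parcels):
        raise ValueError("malformed IPv6 address: %r" % addr)
    return ["%04x" % int(p, 16) for p in parcels]


def compress(addr):
    """Canonical RFC 5952 form: leading zeros dropped, the longest run of two
    or more all-zero parcels replaced by '::' (leftmost run on a tie)."""
    parcels = [p.lstrip("0") or "0" for p in expand(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if parcels[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and parcels[j] == "0":
            j += 1
        if j - i > best_len:          # strictly longer: keeps the leftmost on ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                  # a lone zero parcel is written as 0, not ::
        return ":".join(parcels)
    left = ":".join(parcels[:best_start])
    right = ":".join(parcels[best_start + best_len:])
    return left + "::" + right


# (name, width in bits) from the slide's diagram, most significant field first
FIELDS = [("ietf", 3), ("iana_to_rir", 9), ("rir_to_isp", 20),
          ("isp_to_site", 16), ("subnet", 16), ("interface_id", 64)]


def decompose(addr):
    """Split an address along the slide's field boundaries and name the
    prefixes those boundaries imply (/12, /32, /48, /64)."""
    value = int("".join(expand(addr)), 16)
    out, shift = {}, 128
    for name, width in FIELDS:
        shift -= width
        out[name] = (value >> shift) & ((1 << width) - 1)
    for label, plen in (("rir_block", 12), ("isp_prefix", 32),
                        ("site_prefix", 48), ("subnet_prefix", 64)):
        out[label] = str(ipaddress.IPv6Network("%s/%d" % (addr, plen), strict=False))
    return out
```

decompose("2607:f388:1084:2050::53:b") reports ietf == 1 (the 001 of 2000::/3), rir_block 2600::/12, isp_prefix 2607:f388::/32, site_prefix 2607:f388:1084::/48 and subnet_prefix 2607:f388:1084:2050::/64; the three RFC 5952 corner cases (single zero parcel, tie between runs, longest run not first) are what the hand-rolled formatter exists to get right.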
IPv6: what’s similar to IPv4? WAN
● packet switched, next hop routing based on variable length prefixes, best effort delivery
● ... so the threat model is basically the same
● used with the same upper & lower layer protocols
● similar speed
● LAN max throughput 4% less (1500 byte MTU; the v6 header is 20 bytes larger)
– so use jumbo frames
● WAN speed up to 15% faster (facebook);
– v4 delayed by carrier NAT?
IPv6: The LAN behavior is very different
1: host picks a fe80:: link-local address, runs DAD (duplicate address detection), and listens on ff02::1 (all nodes)
2: multicast router solicitation (RS) to ff02::2 (all routers)
3: router advertisement (RA): prefix, default router, flags
4: multicast to the DHCPv6 agents (ff02::1:2), if the RA flags say to
5: DHCPv6 negotiation
6: multicast neighbor solicitation (NS) to the solicited-node group ff02::1:ffxx:xxxx
7: unicast neighbor advertisement (NA) response
v4 versus v6 – network parameters

parameter        IPv4            IPv6
gateway          DHCP option     ICMPv6 RA sender (link-local; can be 100% fe80::1)
address          DHCP lease      SLAAC (privacy, EUI-64, ...) or DHCPv6 lease
DNS              DHCP options    DHCPv6 options or ICMPv6 RA DNS options (or fallback to v4 DHCP)
other options    DHCP            DHCPv6 (static DHCPv6 ?)
layer 2 address  ARP             ICMPv6 neighbor discovery (NS/NA)
address scopes: node, link, site, global (of 7)

scope                                           IPv6                                        v4 analog        usage
global – internet                               2000::/3                                    public           external / all uses
link local – lan                                fe80::/64                                   169.254.0.0/16   DHCP, ND, RS, ...
site / org / autonomous system – unique local   fd + 40 random bits + 16 subnet + 64 host   rfc-1918         internal private cross-vlan client-server
node – host loopback                            ::1                                         127.0.0.1/8      local only
an IPv6 host has at least 5 addresses ...

scope   kind       usage                                IPv6 address
node    unicast    loopback                             ::1 (v4: 127.0.0.1)
link    multicast  all-nodes (RA, MLD destination)      ff02::1 (v4: 224.0.0.1)
link    unicast    RS/RA, ND, DHCP source               fe80::214:5eff:fea4:7386
link    multicast  NS destination (solicited-node)      ff02::1:ffa4:7386
global  unicast    public destination; ND, MLD source   2607:f388:1084:2050::53:b
link    multicast  NS destination (solicited-node)      ff02::1:ff53:b
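How the link-local and solicited-node entries in that table follow from the MAC, as an added example (not from the slides): the modified EUI-64 interface ID, the link-local and global addresses built on it, the solicited-node multicast group a host joins for each unicast address (the NS destination), and a random RFC 4941 privacy interface ID of the kind the Windows default rotates daily. The MAC 00:14:5e:a4:73:86 is back-computed from the table's fe80 address; the /64 is the slide's DMZ subnet; both are assumptions for the example.

```python
import ipaddress
import secrets

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def mac_to_eui64(mac):
    """Modified EUI-64 interface ID: flip the U/L bit of the first octet and
    insert ff:fe in the middle of the 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC, got %r" % mac)
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def privacy_iid():
    """Random 64-bit interface ID (RFC 4941 style); the U/L bit is cleared so
    it cannot be mistaken for a globally unique EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def address_in(prefix, iid):
    """Combine a /64 prefix with an 8-byte interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64, got %s" % net)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def solicited_node(addr):
    """ff02::1:ffXX:XXXX, XX:XXXX being the low 24 bits of the unicast address.
    A host joins this group for every unicast address it holds."""
    low24 = int(ipaddress.IPv6Address(str(addr))) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def host_addresses(mac, global_prefix):
    """The slide's 'at least 5' addresses for one EUI-64 configured interface."""
    iid = mac_to_eui64(mac)
    link_local = address_in("fe80::/64", iid)
    global_addr = address_in(global_prefix, iid)
    return {
        "loopback": "::1",
        "all_nodes": "ff02::1",
        "link_local": str(link_local),
        "link_local_solicited": str(solicited_node(link_local)),
        "global": str(global_addr),
        "global_solicited": str(solicited_node(global_addr)),
    }
```

With an EUI-64 global address the two solicited-node groups coincide (same low 24 bits); the table shows two because the DNS server's global address ::53:b is static, which is why its NS destination is ff02::1:ff53:b. That low-24-bit rule is also what makes ND poisoning visible in a capture: the attacker must answer the same solicited-node group as the victim.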
Getting IPv6 address space – ask your ISP
● big org – ask ARIN for /32 or /48
● AS backbone routing prefixes /13../48
● UW departments – open a Cherwell ticket; ask DoIT for /48 (+/-4)
● Wiscnet customers – ask
● business ISP – should be available; getting static v4 could be hard, v6 easy
● home ISP – Real Soon Now; homework: ask when; initially probably /64, eventually /60
Design a routing and subnet architecture
● think big – a /48 is like being MIT
● subnets and addresses are not scarce
– all subnets /64 at the vlan
● think long term – adapt to 20 years of changes
● new or renumbered vlans, new or split subnets, new locations, routing topology changes, ...
● renumbering hosts is much easier in v6, but ...
● think easy
● easy to document, easy to implement
WSLH IPv6 architecture (3rd try)
● route /52 (wan), firewall /60 (security), subnet /64 (vlan)
● 4-bit alignment, start in the middle, reserve growth gaps, use meaningful semantics, avoid vlan tags & v4 subnets
● two sites off the campus backbone, 465 Henry Mall and 2810 Walton Commons Ln, each routed as a /52:
– 2607:f388:1084:1000::/52: lan 2607:f388:1084:1010::/64, dmz 2607:f388:1084:1050::/64, mgmt 2607:f388:1084:10a0::/64
– 2607:f388:1084:2000::/52: lan1 2607:f388:1084:2010::/64, lan2 2607:f388:1084:2018::/64, dmz 2607:f388:1084:2050::/64, mgmt 2607:f388:1084:20a0::/64
IPv6 network forensics: snoop the port/host
● host interfaces will have multiple active v6 addresses
● link-local (fe80::/64) & global (2000::/3) scopes; might have multiple global scope addresses
● v6 host parts may change: windows default is new privacy addresses daily
● dual-stack clients use both v4 and v6 protocols; IPv6 sites are IPv6-mostly, rarely IPv6-only
● destinations will be both unicast & multicast; senders are always unicast & have a host MAC
Dual-stack network monitoring
● SIEM / log analysis – multiple IP text formats
– v4 dotted quad (DNS A)
– v6 native (DNS AAAA)
– v4 mapped as v6 ::ffff:p.q.r.s
● if you use SNMP to poll ARP tables, add v6 ND
● antimalware tools – need v6 support: AV, reputation blacklists, URL filtering, snort, …
● network & scanning tools – learn v6 options: ping, traceroute, wireshark, nmap, nessus, ...
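A normalizer for the address text forms just listed, as an added example (not from the slides; the log lines are constructed for it): it pulls every IP literal out of a log line whatever its dressing (dotted quad, native v6, v4 mapped as v6, [v6]:port, fe80::…%zone), folds mapped v4 back to plain v4, and builds the key a SIEM should correlate on: the host for v4, but the /64 for global v6, since privacy addresses rotate daily and, as the spam slide later notes, a sender can use a fresh host address per message. The addresses are the slide's ranges plus documentation space.

```python
import ipaddress
from collections import Counter

# constructed sample log lines for this example (documentation and the slide's own ranges)
SAMPLE_LOG = """\
2017-07-20T10:01:02Z sshd[1]: Accepted publickey for alice from 198.51.100.7 port 51022
2017-07-20T10:01:05Z sshd[2]: Accepted publickey for bob from 2607:f388:1084:2050:a1b2:c3d4:e5f6:7890 port 51023
2017-07-20T10:02:11Z nginx: client ::ffff:198.51.100.7 "GET /index.html"
2017-07-20T10:02:19Z nginx: client [2607:f388:1084:2050::53:b]:48213 "GET /health"
2017-07-20T10:03:00Z dhcpd6: SOLICIT from fe80::214:5eff:fea4:7386%eth1
2017-07-20T10:03:40Z sshd[3]: Failed password for root from 2607:f388:1084:2050:9999:8888:7777:6666 port 41001
"""


def parse_literal(token):
    """Turn one whitespace-separated token into an ip_address, or None.
    Handles [v6]:port, v6%zone and ::ffff:v4 mapped forms."""
    if token.startswith("[") and "]" in token:
        token = token[1:token.index("]")]
    token = token.split("%", 1)[0]
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped       # a v4 client seen through a dual-stack socket
    return addr


def scope(addr):
    if addr.version == 4:
        return "v4"
    if addr.is_link_local:
        return "link-local"
    if addr in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    return "global"


def correlation_key(addr):
    """Key to count on: the host for v4 and link-local, the /64 for global v6."""
    if addr.version == 4 or addr.is_link_local:
        return str(addr)
    return str(ipaddress.IPv6Network("%s/64" % addr, strict=False))


def addresses_in(line):
    return [a for a in (parse_literal(t) for t in line.split()) if a is not None]


def summarize(log_text):
    """Count log events per correlation key and record each key's scope."""
    counts, scopes = Counter(), {}
    for line in log_text.splitlines():
        for addr in addresses_in(line):
            key = correlation_key(addr)
            counts[key] += 1
            scopes[key] = scope(addr)
    return counts, scopes
```

On the sample, alice's SSH login and the mapped nginx client collapse to one v4 host with two events, while bob's login, the DMZ health check and the failed root login all land on 2607:f388:1084:2050::/64, which is the view you want when the interface IDs behind a /64 are not stable.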
switches – layer 2 defenses
● layer 3 switches can use ACLs to block unwanted DHCP, ICMP
● probably separate v4 and v6 rules
– block client ICMP redirect
– block client ICMPv6 RA
● also block too many MACs
– v4: ARP poisoning; v6: ICMPv6 ND poisoning
● use whatever subset of features makes sense: ACL, mac lock, port security, DHCP snooping, RA guard, ...
v4 & v6 Cisco switch ACL example (partial)

! IPv4: block client-sourced DHCP server replies (68 → 67), ICMP router advertisement (9) and redirect (5)
ip access-list extended list4
 deny udp any eq 68 any eq 67
 deny icmp any any 9
 deny icmp any any 5
 permit ip any any

! carve the TCAM so the switch can hold both v4 and v6 ACLs (takes effect after a reload)
sdm prefer dual-ipv4-and-ipv6 default

! IPv6: block client-sourced DHCPv6 server replies (547 → 546), ICMPv6 RA (134) and redirect (137)
ipv6 access-list list6
 deny udp any eq 547 any eq 546
 deny icmp any any 134
 deny icmp any any 137
 permit ipv6 any any

interface Gi1/0/3
 switchport port-security
 switchport port-security aging-time 1440
 ip access-group list4 in
 ipv6 traffic-filter list6 in
firewalls
● for v6, mimic v4 application / port filtering, e.g. no egress for 445/tcp
● Cisco ASA
– 8.x: make separate ipv6 access-lists; use two access-group statements per interface
– 9.x: unified access-lists, new address wildcards any4, any6; plain any becomes dual-protocol
firewalls – filter on ICMPv6 type codes
● transparent: allow RS/RA, NS/NA (types 133-136)
● only routers should send redirect (137)
● allow errors (types 1-4): 1=unreachable, 2=packet too big, 3=time exceeded (hop limit), 4=parameter problem
– routers don't fragment v6, so hosts need path MTU discovery, which depends on type 2 getting through
– the v6 minimum MTU is 1280 bytes … servers, be kind.
● echo request/reply (128-129): match your v4 policy
● block the rest to start with, unless you are using multicast (MLD), mobility, …
● no accidental router renumbering! (138)
firewalls - block tunnels (or protocols)
● automatic tunnels turned out to be bad ideas: unreliable, latency, jitter, no security inspection
● only 3 of some dozen proposed got deployed: ISATAP, 6to4 (2002::/16), Teredo (2001:0::/32)
– windows: netsh interface {isatap|6to4|teredo} set state disabled
● block IPv6 over IPv4 automatic tunnels by:
– deny IP protocol 41 (v4 header, v6 payload)
– deny 3544/udp (Teredo server)
● for v4 only, block IPv6 ethertype 0x86dd
● for v6 only, block IPv4 ethertypes 0x0800 (IPv4) and 0x0806 (ARP)
routing – 3 methods
● static routes: both v4 and v6
● dynamic routes: the usual protocols (BGP, IS-IS, RIP, OSPF, EIGRP) are all extended to handle IPv6
– v4 and v6 will use separate peering sessions
● DHCPv6 prefix delegation: popular for ISP provider-aggregated space
– up to /48 available for business use
– especially likely for home broadband: probably /64 for now, /60 likely in future
DNS
● forward IPv6: AAAA records & v6 address, e.g. IN AAAA 2607:f388:1084:2050::53:b
● reverse IPv6: PTR under ip6.arpa, one nibble per label, least significant nibble first:
b.0.0.0.3.5.0.0.0.0.0.0.0.0.0.0.0.5.0.2.4.8.0.1.8.8.3.f.7.0.6.2.ip6.arpa.
● zone delegation: similar to IPv4; don't forget to ask for delegation of your prefix's ip6.arpa zone; add the v6 addresses to your nameservers
● dynamic DNS is your friend; for BIND zone files, so is $ORIGIN
● use tools (ipv6calc, arpaname, web, ...)
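The reverse-zone plumbing from the bullets above, as an added example (not from the slides): expanding an address to 32 nibbles and reversing them into its ip6.arpa name, the zone apex a delegated /48 or /64 gets (and the nibble-alignment caveat that makes a /62 awkward), and the $ORIGIN-relative PTR and matching AAAA records BIND would want for the DMZ subnet. The addresses are the slide's; the hostnames under example.net are placeholders made up for the example.

```python
import ipaddress


def ip6_arpa(addr):
    """Full PTR owner name: the 32 nibbles of the expanded address, reversed."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ip6_arpa_zone(prefix):
    """Zone apex for a delegated prefix. Only nibble-aligned lengths map to a
    single ip6.arpa zone (a /48, /52, /60 or /64 does; a /62 does not)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("%s is not nibble aligned" % net)
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix, hosts):
    """$ORIGIN line plus relative PTR records for every host in the prefix.
    hosts maps address -> FQDN (with trailing dot)."""
    net = ipaddress.IPv6Network(prefix)
    origin = ip6_arpa_zone(prefix)
    lines = ["$ORIGIN %s" % origin]
    for addr, name in sorted(hosts.items(), key=lambda kv: int(ipaddress.IPv6Address(kv[0]))):
        a = ipaddress.IPv6Address(addr)
        if a not in net:
            raise ValueError("%s is outside %s" % (a, net))
        full = ip6_arpa(addr)
        relative = full[: -len(origin) - 1]       # strip ".<origin>" -> relative owner
        lines.append("%s IN PTR %s" % (relative, name))
    return lines


def forward_records(hosts):
    """Matching AAAA records, relative to the forward zone's $ORIGIN."""
    return ["%s IN AAAA %s" % (name.split(".")[0], ipaddress.IPv6Address(addr).compressed)
            for addr, name in hosts.items()]


# constructed example: the slide's DMZ /64 with two made-up hostnames
DMZ_HOSTS = {
    "2607:f388:1084:2050::53:b": "ns1.example.net.",
    "2607:f388:1084:2050::80:1": "www.example.net.",
}
```

Without $ORIGIN each PTR owner in a /64 zone is 32 labels long; with it, only the 16 host nibbles are written, which is also the part a dynamic DNS update from the host would supply.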
IPv6 Application pain: compare Y2K
● big challenge: web applications and logging
● Recent OS, e-mail, web, and DB services support IPv6
● … but stored IP addresses change format and get much bigger
● IPv6 rework is easier than similar Y2K rework
● IP addresses are less pervasive and less manipulated
● no hard deadline
● your entire backend doesn't have to be v6 yet
● just front end, stored addresses, log analysis (security, web stats)
● application code switches to new dual-stack library APIs
● getaddrinfo() returns prioritized list of v6 and v4 addresses to try for a DNS hostname
● an AF_INET6 socket with IPV6_V6ONLY = 0 also accepts v4 clients, which show up as mapped addresses ::ffff:p.q.r.s
deployment priorities

where         priority   why             issues
lan           low?       ?               easy (7 weeks?); not much breaks; needed if a v6-only service is popular
dmz - dns     high       needed early
dmz - https   medium     mobile clients  3rd party libraries, analytics, cookies
dmz - smtp    low ?                      spam - IPv6 reputation lists lag v4
datacenter    low        out of v4?      going v6-only could take 7 years (HVAC monitoring, 3rd party vendors)
Questions ?
Slide & Handout URL
http://go.wisc.edu/svv199
● start small: “don’t try to boil an ocean in a day”
● test before deploying to production
● all large deployments found vendor glitches
Extra Slides
wireshark packet trace: native IPv6
● Duplicate address detection – NS to self
● MLD leave to ff02::16 – turn off multicast traffic
● ICMPv6 solicit & advertise, for routers & neighbors
● uses both link-local & global address scopes
● uses both unicast & multicast destinations
● DNS and HTTP behave similarly over v6 & v4
● Web browsers typically use a mix of v4 and v6
IPv6 security: longstanding paranoia
IPv6 is not inherently secure, but ...
● IPSEC fantasies notwithstanding
● end point security, protocol stack quality, and feature parity all problematic
● Industry record of inadequate security design extends far beyond IPv6
● Wifi WEP, DVD CSS, Mifare stored value cards, cell phone GSM, ...
● similar security disasters in progress today deploying over IPv6:
● Power industry smartgrid, FAA next generation air traffic control
● Reality: IPv4 security and IPv6 security are very similar
● same internet architecture → same threat model → same security measures
● only 3 variations: extension header + fragmentation resource exhaustion DOS, RA spoofing, many addresses
A few well known IPv6 prefixes

prefix            usage
::                unspecified; link source only (e.g. during DAD), never a destination
::ffff:p.q.r.s    mapped IPv4; used in dual-stacked APIs
2000::/3          IANA global unicast (v4: everything not in [rfc-6890])
2001:0000::/32    deprecated Teredo tunnel prefix
2001:db8::/32     documentation examples (v4: 192.0.2.0/24, ...)
2002::/16         deprecated 6to4 tunnel prefix
fc00::/7          unique local addresses, in practice fd00::/8 (v4: [rfc-1918] private)
fe80::/10         link scope addresses [rfc-4862]; replaces IPv4 zeroconf; autoconfigured & required
ff00::/8          multicast – required (v4: 224.0.0.0/4)
IPv6 Multicast: ff + flags + scope + group
scopes (y): 1=node, 2=link, ... 5=site, … e=global

address      scope        group
ff02::1      link         all nodes (v4: 224.0.0.1)
ff02::2      link         all routers (v4: 224.0.0.2)
ff02::16     link         all MLDv2-capable routers
ff02::1:2    link         all DHCPv6 relay agents and servers (v4: 224.0.0.12)
ff05::1:3    site         all DHCPv6 servers (from relay agents)
ff0y::101    any scope    NTP (v4: 224.0.1.1)
ff0y::130    any scope    UPnP
ff0y::fb     any scope    mDNSv6 (v4: 224.0.0.251)
ff0y::c      any scope    SSDP (v4: 239.255.255.250)
address preference pain
● multiple interfaces & addresses – pick which?
● complicated; ~18 rules just in [rfc-6724], plus [rfc-5220], policy table,...
– local or global scope, lifetime temporary or permanent, valid or invalid, preferred or deprecated, mobility home or care-of, ...
● Simple case: one v4 address, one active global v6 address
1) match destination protocol family, either v4 or v6
2) prefer native source to tunneled
● update: [rfc-1918] private now preferred to 6to4 & Teredo
3) prefer v6 source to v4
● default getaddrinfo() policy can be changed by vendor or admin
● linux: edit /etc/gai.conf
● windows: netsh interface ipv6 set prefixpolicies
● per-connection override: specify protocol and “zone” (interface)
IPv6 and “happy eyeballs” (rfc-6555)
● waiting for DNS or connection timeouts on mono-stack sites annoys users
● start v6 (AAAA) and v4 (A) DNS queries in parallel
● start TCP connections to destinations as DNS answers arrive
● v6 usually gets a 300 ms head start
● use the first connection to complete
● reset the other one if necessary
● implemented: Google Chrome, Firefox, Mac OS X, ...
● Windows 10 checks for native IPv6 & adjusts the v4/v6 policy table preference
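The race described above, and the getaddrinfo() ordering from the "IPv6 Application pain" slide that feeds it, as an added example (not from the slides): an asyncio implementation that starts the next candidate a head start (300 ms by default) after the previous one unless that one has already finished, keeps the first connection to complete, and cancels or closes the rest. The demo stands in for a dual-stack destination with a local v4 listener and an unreachable v6 candidate from the documentation prefix; a real client would take its candidate list, already sorted per RFC 6724, from socket.getaddrinfo().

```python
import asyncio


async def _attempt(addr, port, timeout):
    """One connection attempt that never raises: (addr, writer or None, error or None)."""
    try:
        _reader, writer = await asyncio.wait_for(asyncio.open_connection(addr, port), timeout)
        return addr, writer, None
    except (OSError, asyncio.TimeoutError) as exc:
        return addr, None, exc


async def happy_eyeballs(candidates, port, head_start=0.3, timeout=5.0):
    """Race the candidates in order (v6 first, as getaddrinfo sorts them).
    Each later candidate starts head_start seconds after the previous one unless
    that one has already finished; the first connection to complete wins and the
    rest are cancelled or closed. Returns (addr, writer); raises OSError if all fail."""
    remaining = list(candidates)
    pending, errors, winner = set(), {}, None
    while winner is None and (remaining or pending):
        wait = None
        if remaining:
            pending.add(asyncio.create_task(_attempt(remaining.pop(0), port, timeout)))
            wait = head_start
        done, pending = await asyncio.wait(pending, timeout=wait,
                                           return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            addr, writer, exc = task.result()
            if writer is None:
                errors[addr] = exc
            elif winner is None:
                winner = (addr, writer)
            else:
                writer.close()          # a second success we no longer need
    for task in pending:
        task.cancel()
    for result in await asyncio.gather(*pending, return_exceptions=True):
        if isinstance(result, tuple) and result[1] is not None:
            result[1].close()           # connected while being cancelled
    if winner is None:
        raise OSError("every candidate failed: %r" % errors)
    return winner


async def _demo():
    # Constructed stand-in for the destination: a local listener on v4 loopback.
    server = await asyncio.start_server(lambda r, w: w.close(), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    # A real client gets this list from socket.getaddrinfo(host, port, type=SOCK_STREAM);
    # here the v6 candidate is the documentation prefix, which is unreachable.
    candidates = ["2001:db8::1", "127.0.0.1"]
    addr, writer = await happy_eyeballs(candidates, port)
    writer.close()
    server.close()
    return addr


def run_demo():
    return asyncio.run(_demo())
```

Whether the v6 attempt fails at once (no IPv6 on the host), is refused, or hangs until the per-attempt timeout, run_demo() returns "127.0.0.1" within about the head start; that is the user-visible difference between this and trying the sorted list one address at a time.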
RFC pain: IPv6 is a moving target
● deprecated addresses & names
● 5f00::/8, 3ffe::/16 (6bone) … use 2000::/3 globals
● ::/96 (IPv4-compatible) … use ::ffff:p.q.r.s (IPv4-mapped)
● fec0::/10 (site local) … use fc00::/7 unique local (fd00::/8 in practice)
● ip6.int (DNS PTR) … use ip6.arpa
● deprecated protocols
● A6, DNAME (DNS) … use AAAA, PTR
● automatic tunnels … use 6in4, 6rd, 6pe
– 6over4, 6to4, Teredo, ISATAP
● NAT-PT (a nat46 try) … use dual-stack
e-mail spam risk: lots of addresses
● can send each message from a different IPv6 host address
● a /48 from a shady registrar / hosting provider has 65k networks
● … but fewer than 200k real SMTP hosts worldwide, all with v4
Countermeasures:
● wait a few more years before turning on v6 for SMTP
● switch to a reputation whitelist instead of a blacklist
● use v6 reputation lists based on v6 prefixes, not hosts
– using prefixes increases collateral damage
NAT translation considered harmful
● NAT46 breaks lots of stuff [rfc-4966]
● multichannel protocols with embedded ports or addresses
– multimedia, VoIP, FTP, ...
● signed packets: IPSEC, DNSSEC, ...
● multicast, geolocation, inbound connections (gaming), …
● fixup requires protocol-specific application gateways
● fixup fails if there are multiple NAT layers, e.g. NAT444
– (donley): streaming stutters; breaks v6 tunnels, P2P, FTP
● can't cover many protocols, nor scale to many clients
NAT translation: addresses, maybe protocols
● NAT46: IPv4 → IPv6 is intractable
– e.g. NAT-PT can't reliably fake DNS A for AAAA
● NAT64: IPv6 → IPv4 is possible (but inferior)
– at least for simple TCP connections
● NAT44: IPv4 → IPv4 is possible at CPE or ISP
– remember NAT444 at both CPE and ISP is bad
● NAT66: IPv6 → IPv6 doesn't exist
– and the IAB really wants to prevent it: [rfc-5902]
meep ... there's no NAT66
● NAT44 is not what provides IP security
● site-scope addresses → application proxies → stateful firewalls
● PCI-DSS is OK with firewalling global scope v6
● private / site-scope IP addresses don't block reconnaissance
● speed bump, yes
– browser javascript enumeration exploits, DNS queries, ARP or ND poisoning, multicast probes, ...
● NAT is evil because it prevents protocol innovation
● evading future congestion collapses needs innovation
IPv6 and the SLAAC attack … an IPv4 MITM
Suppose a v4-only network with good v4 defenses but no v6 monitoring has dual-capable hosts ...
● the attack station multicasts RAs with a global unicast prefix, naming itself as router, DHCPv6 server, and DNS server
● dual-stack hosts autoconfigure v6 & prefer it
● so would-be v4 traffic tries the attacker over v6 first
● the attacker proxies evil outside v4 to inside v6 via NAT-PT
● especially DNS
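A frame triage that would have caught the SLAAC attack above and the tunnel traffic the "block tunnels" firewall slide wants denied, as an added example (not from the slides; the frames are constructed in the code, with checksums left at zero): it parses the Ethernet header, the fixed IPv6 header and the first ICMPv6 byte, flags router-only ICMPv6 (RA 134, redirect 137, renumbering 138) when the source is not a known router, is not link-local, or arrives with a hop limit other than 255 (RFC 4861 requires 255, which proves the packet was not forwarded), and flags IPv6-in-IPv4 (protocol 41) and Teredo (udp/3544) inside IPv4 frames. The router MAC and the attacker MAC are made up for the example.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
# ICMPv6 types only a router may legitimately originate (RFC 4861, RFC 2894)
ROUTER_ONLY = {134: "router advertisement", 137: "redirect", 138: "router renumbering"}


def ipv6_packet(src, dst, next_header, hop_limit, payload):
    """Fixed 40-byte IPv6 header (version 6, traffic class/flow label 0) + payload."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def ipv4_packet(src, dst, protocol, payload):
    """Minimal 20-byte IPv4 header; checksum left 0 (the triage does not verify it)."""
    head = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0)
    return head + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload


def frame(src_mac, dst_mac, ethertype, packet):
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + packet


def triage(raw, trusted_router_macs):
    """Findings for one raw Ethernet frame: rogue router-only ICMPv6, or IPv6
    tunnelled inside IPv4 (protocol 41, Teredo on udp/3544)."""
    src_mac = ":".join("%02x" % b for b in raw[6:12])
    ethertype = struct.unpack("!H", raw[12:14])[0]
    pkt = raw[14:]
    findings = []
    if ethertype == ETH_IPV6:
        if len(pkt) < 40 or pkt[0] >> 4 != 6:
            return ["malformed IPv6 header from %s" % src_mac]
        next_header, hop_limit = pkt[6], pkt[7]
        src = ipaddress.IPv6Address(pkt[8:24])
        if next_header == 58 and len(pkt) >= 44 and pkt[40] in ROUTER_ONLY:
            problems = []
            if hop_limit != 255:          # ND messages must arrive with hop limit 255
                problems.append("hop limit %d != 255" % hop_limit)
            if not src.is_link_local:
                problems.append("source %s is not link-local" % src)
            if src_mac not in trusted_router_macs:
                problems.append("source MAC %s is not a known router" % src_mac)
            if problems:
                findings.append("rogue %s: %s" % (ROUTER_ONLY[pkt[40]], "; ".join(problems)))
    elif ethertype == ETH_IPV4:
        ihl = (pkt[0] & 0x0F) * 4
        protocol = pkt[9]
        src = ipaddress.IPv4Address(pkt[12:16])
        if protocol == 41:
            findings.append("IPv6-in-IPv4 tunnel (protocol 41) from %s" % src)
        elif protocol == 17 and len(pkt) >= ihl + 4:
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            if 3544 in (sport, dport):
                findings.append("Teredo (udp/3544) from %s" % src)
    return findings


# constructed sample frames (checksums are zero; the triage does not check them)
TRUSTED = {"00:00:5e:00:01:01"}
RA = bytes([134, 0, 0, 0]) + bytes(12)          # type 134, code 0, cksum, 12-byte RA body
LEGIT_RA = frame("00:00:5e:00:01:01", "33:33:00:00:00:01", ETH_IPV6,
                 ipv6_packet("fe80::1", "ff02::1", 58, 255, RA))
ROGUE_RA = frame("00:11:22:33:44:55", "33:33:00:00:00:01", ETH_IPV6,
                 ipv6_packet("fe80::bad", "ff02::1", 58, 64, RA))
SIX_IN_FOUR = frame("00:11:22:33:44:55", "00:00:5e:00:01:01", ETH_IPV4,
                    ipv4_packet("192.0.2.10", "192.0.2.20", 41, bytes(40)))
TEREDO = frame("00:11:22:33:44:55", "00:00:5e:00:01:01", ETH_IPV4,
               ipv4_packet("192.0.2.10", "192.0.2.30", 17, struct.pack("!HHHH", 40000, 3544, 8, 0)))
PLAIN_TCP = frame("00:14:5e:a4:73:86", "00:00:5e:00:01:01", ETH_IPV6,
                  ipv6_packet("2607:f388:1084:2050::53:b", "2001:db8::1", 6, 64, bytes(20)))
```

The known-router check is what a switch's RA guard enforces per port; the hop-limit and link-local checks are the cheap ones a host or sensor can make with no configuration at all, and they catch the Windows 7 internet-connection-sharing laptop on the next slide just as well as a deliberate attacker.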
(accidental?) WiFi hijacking
● suppose a windows 7 laptop with internet connection sharing and tunneled v6 shows up on a v4 wifi network
● how many nearby dual-stack devices will believe its RAs and switch to v6 routed through a really bad tunnel?
● miscreants already show up in public spaces with rogue v4 access points