IPv6 Security: Why you should care
Stefan Avgoustakis - CSE
2 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID
Understand Why IPv6 Matters Now
IPv6 Security myths
Securing the transition mechanisms
IPv6 Protocol Security Vulnerabilities
Growth of Connected Devices – Internet of Things
Source: Forrester Research, Cisco IBSG
2007: 500 Million total, 1/10th of a device per person on Earth
2010: 35 Billion total, 5 devices per person on Earth
2013: 50 Billion total, 7 devices per person on Earth
2020: 1 Trillion total, 140 devices per person on Earth
5 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 5 © 2013 Cisco Systems, Inc. All rights reserved. IPv6 Security
IPv4 Pool Exhaustion: IANA Is Now Out
http://www.apnic.net/community/ipv4-exhaustion/ipv4-exhaustion-details
Introducing IPv6
IPv4: 4.3 Billion IP addresses
IPv6: 340,282,366,920,938,463,463,374,607,431,768,211,456 (2^128) IP addresses
Introducing IPv6
100 IP addresses for every atom on this Earth
1 IP address per water drop on this Earth… a trillion times
IPv4 equals an atom… IPv6 equals 80 tons
Other IPv6 adoption drivers
§ Mandated, e.g. Australia's AGIMO IPv6 strategy
§ Research environments, e.g. Australia's GrangeNet
§ End-to-end packet integrity: effective security and an enhanced application experience for peer-to-peer connections, e.g. telephony and video
IPv6 Adoption
IPv6 Adoption - Australia
Source: http://6lab.cisco.com/stats/index.php
Why you should care about IPv6 Security now
§ Most networks have already (partially) deployed IPv6
§ You will likely perform a deployment in the near term
§ You may communicate with IPv6 systems (via transition/co-existence technologies)
State of IPv6 Security
§ Less experience/knowledge with IPv6
§ IPv6 implementations are much less mature
§ Security products have less support for IPv6
§ Transition increases complexity:
• Dual Stack (IPv4 and IPv6)
• Increased use of NATs
• Increased use of tunnels
IPv4 and IPv6 Header Comparison
IPv4 header fields: Version, HL (header length), Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
Field's name kept from IPv4 to IPv6: Version, Source Address, Destination Address
Fields not kept in IPv6: HL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding
Name and position changed in IPv6: Type of Service -> Traffic Class, Total Length -> Payload Length, Protocol -> Next Header, Time to Live -> Hop Limit
New field in IPv6: Flow Label
IPv6 over Ethernet
§ IPv6 uses Ethernet Protocol ID 0x86DD
§ IPv4 uses Ethernet Protocol ID 0x0800
Frame layout: Dest MAC | Source MAC | 0x86DD | IPv6 Header and Payload
Frame layout: Dest MAC | Source MAC | 0x0800 | IPv4 Header and Payload
Extension Header – RFC 2460
§ Indicate transport-layer info or extend functionality; each header's Next Header (NH) field names the header that follows (NH=59 means "No Next Header")
Chain 1: L2 HEADER | IPv6 Header (NH=6) | TCP Header | DATA
Chain 2: L2 HEADER | IPv6 Header (NH=43) | Routing Header (NH=6) | TCP Header | DATA
Chain 3: L2 HEADER | IPv6 Header (NH=43) | Routing Header (NH=44) | Frag Header (NH=6) | TCP Header | DATA (fragment)
Extension Header – RFC 2460
§ Consists of an IPv6 header chain and an (optional) payload
§ Extension Headers are encoded as TLV (Type-Length-Value)
§ Any number of instances of any number of different headers are allowed
§ Each header can contain an arbitrary number of options
§ A large number of headers/options has a negative impact on inspection performance
§ It may be impossible to "identify" which "type" of packet a specific fragment belongs to
Extension Header – Routing Header type 0 Threat
§ RH0 provides functionality similar to IPv4 source routing
• Can be leveraged to make packets bounce between network addresses
• Higher impact because some hosts also forward them
§ Attacker creates a payload (A->B->A->B…) resulting in a packet loop between A and B
Extension Header – Routing Header type 0 Mitigation
§ Apply the same policy for IPv6 as for IPv4: block Routing Header type 0
§ Prevent processing at the intermediate nodes: no ipv6 source-route
§ Windows, Linux, Mac OS: default setting
§ RFC 5095 (Dec 2007): RH0 is deprecated
§ Caution required – enabled by default on implementations prior to 2007
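The two slides above describe the header chain and the RH0 problem in words; the Python below is an added example (not from the deck, not Cisco code) of what an inspection device has to do with that chain. It builds constructed packets with the RFC 2460 layouts (a fixed IPv6 header, a Routing Header, a Fragment Header), walks the Next Header chain, flags a Routing Header of type 0, and reports when a non-first fragment carries no upper-layer header at all, which is the "cannot identify the packet type from a fragment" case. The addresses, the TCP stub and the cap of eight extension headers are assumptions made for the example.

```python
import struct

# IANA protocol numbers used in this example
TCP, UDP, ROUTING, FRAGMENT, ICMPV6, NO_NEXT_HEADER = 6, 17, 43, 44, 58, 59
# Extension headers walked by the parser (Fragment has a fixed 8-byte layout, the others are TLV-style)
EXT_NAMES = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Destination Options"}
UPPER_NAMES = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}

def ipv6_header(next_header, payload_len, src, dst):
    """40-byte fixed IPv6 header: version 6, zero traffic class/flow label, hop limit 64."""
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64, src, dst)

def routing_header(next_header, rtype, segments_left, addresses):
    """RFC 2460 Routing Header; Hdr Ext Len counts 8-octet units after the first 8 octets (2 per address)."""
    return (struct.pack("!BBBB", next_header, 2 * len(addresses), rtype, segments_left)
            + b"\x00" * 4 + b"".join(addresses))

def fragment_header(next_header, offset, more_fragments, ident=0x1234):
    """RFC 2460 Fragment Header: offset is in 8-octet units, M flag is the low bit."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more_fragments), ident)

def parse_chain(pkt, max_ext_headers=8):
    """Walk the header chain; returns (chain, upper_layer_name_or_None, findings)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    end = min(len(pkt), 40 + struct.unpack("!H", pkt[4:6])[0])
    nh, off, chain, findings = pkt[6], 40, [], []
    while nh in EXT_NAMES:
        if len(chain) >= max_ext_headers:
            findings.append("more than %d extension headers; stop inspecting" % max_ext_headers)
            return chain, None, findings
        if off + 8 > end:
            findings.append("truncated extension header")
            return chain, None, findings
        next_nh = pkt[off]
        if nh == FRAGMENT:
            hdr_len = 8
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            offset, more = frag >> 3, frag & 1
            chain.append(("Fragment", {"offset": offset, "more": more}))
            if offset != 0:
                # Only the first fragment carries the upper-layer header; a filter sees nothing here
                findings.append("non-first fragment: upper-layer header is not in this packet")
                return chain, None, findings
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
            info = {}
            if nh == ROUTING:
                info = {"type": pkt[off + 2], "segments_left": pkt[off + 3]}
                if info["type"] == 0:
                    findings.append("Routing Header type 0 (deprecated by RFC 5095): drop")
            chain.append((EXT_NAMES[nh], info))
        off, nh = off + hdr_len, next_nh
    return chain, UPPER_NAMES.get(nh, "proto %d" % nh), findings

# Constructed sample addresses (RFC 3849 documentation prefix) and a placeholder TCP header
A = bytes.fromhex("20010db8000000000000000000000001")
B = bytes.fromhex("20010db8000000000000000000000002")
TCP_STUB = b"\x00" * 20

def sample_rh0_packet():
    """Constructed: IPv6 -> RH0 listing A, B, A -> TCP, the looping payload the deck describes."""
    rh = routing_header(TCP, 0, 3, [A, B, A])
    return ipv6_header(ROUTING, len(rh) + len(TCP_STUB), A, B) + rh + TCP_STUB

def sample_fragment_packet(offset):
    """Constructed: IPv6 -> Fragment (M=1) -> either the TCP header (offset 0) or opaque bytes."""
    frag = fragment_header(TCP, offset, True)
    body = TCP_STUB if offset == 0 else b"\x00" * 16
    return ipv6_header(FRAGMENT, len(frag) + len(body), A, B) + frag + body

if __name__ == "__main__":
    for pkt in (sample_rh0_packet(), sample_fragment_packet(0), sample_fragment_packet(100)):
        print(parse_chain(pkt))
```

The cap on chain length is the design choice worth noting: a device that keeps walking an arbitrarily long chain pays the inspection cost the slide warns about, so a bounded walk that reports "stopped" is preferable to one that silently allows whatever follows.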
IPv6 Extension Headers and Upper Layer Protocols INFO
IPv4 Protocol Stack - The relevant bits
Physical Layer
Link Layer
Internet Protocol v4 – 32 bits (with ARP alongside)
TCP, UDP, ICMP
DHCP, HTTP, TLS
IPv6 Protocol Stack – More than just 128 bits
Physical Layer
Link Layer
Internet Protocol v6 – 128 bits (ARP replaced; ICMPv6 now carries NDP, MLD and MRD)
TCP, UDP, ICMPv6
DHCP, HTTP, TLS
IPv6 Protocol Stack – New kids on the block
§ NDP: Neighbor Discovery Protocol
§ MLD: Multicast Listener Discovery protocol
§ MRD: Multicast Router Discovery
Neighbour Discovery (NDP) replaces ARP
§ Find the link-layer addresses of nodes on the local link - uses a mix of ICMPv6 messages and multicast addresses
§ Stateless Auto-Configuration - allows nodes on the local link to configure their IPv6 addresses by themselves, using a mix of ICMPv6 messages and multicast addresses
§ Five different packet types:
• Router Solicitation - Router Advertisement
• Neighbour Solicitation - Neighbour Advertisement
• Redirect message
Neighbor Discovery - Stateless Autoconfiguration
1. RS: Src = ::, Dst = All-Routers multicast address, ICMP Type = 133, Data = Query: please send RA
2. RA: Src = Router link-local address, Dst = All-nodes multicast address, ICMP Type = 134, Data = options, prefix, lifetime, autoconfig flag
Router Solicitations are sent by booting nodes to request Router Advertisements for stateless address auto-configuration
ARP Spoofing is now NDP Spoofing - Threat
§ ARP is replaced by Neighbor Discovery Protocol
• Nothing authenticated
• Static entries overwritten by dynamic ones
§ Stateless Address Autoconfiguration
• Rogue RA (malicious or not)
• All nodes badly configured
• DoS
• Traffic interception (Man-in-the-Middle attack)
ARP Spoofing is now NDP Spoofing – Mitigation (RFC 6104)
§ Manual configuration of host – discards RAs
§ RA Snooping aka RA Guard
§ Port ACL options – filter on RA packets (ICMP type 134)
§ Secure Neighbor Discovery: SEND = NDP + crypto
§ Host isolation:
• Private VLAN works with IPv6
• Port security works with IPv6
• 802.1X works with IPv6
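To make the RA Guard item concrete, here is an added example (not from the deck, not Cisco code) in Python that builds a constructed Router Advertisement (ICMPv6 type 134 in the RFC 4861 layout, with one Prefix Information option), parses it back, and accepts it only when both the link-local source and the advertised prefix are on an allow-list, which is the decision an RA-snooping switch port makes. The allow-list values and sample addresses are assumptions; the ICMPv6 checksum is left at zero because no pseudo-header is computed here.

```python
import struct
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 message type
OPT_PREFIX_INFORMATION = 3          # RFC 4861 option type
RA_HEADER = "!BBHBBHII"             # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans
PREFIX_OPT = "!BBBBIII16s"          # type, len, prefix len, flags, valid, preferred, reserved, prefix

def build_ra(prefix, router_lifetime=1800, autonomous=True):
    """Constructed RA with a single Prefix Information option (checksum left 0)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack(RA_HEADER, ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    flags = 0x80 | (0x40 if autonomous else 0)   # L (on-link) bit, A (autonomous/SLAAC) bit
    option = struct.pack(PREFIX_OPT, OPT_PREFIX_INFORMATION, 4, net.prefixlen, flags,
                         2592000, 604800, 0, net.network_address.packed)
    return header + option

def parse_ra(msg):
    """Decode the RA header and walk its TLV options; returns a dict with the advertised prefixes."""
    if len(msg) < 16 or msg[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack(RA_HEADER, msg[:16])
    prefixes, off = [], 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard such a packet
        if otype == OPT_PREFIX_INFORMATION and olen == 4 and off + 32 <= len(msg):
            plen, pflags = msg[off + 2], msg[off + 3]
            net = ipaddress.IPv6Network((msg[off + 16:off + 32], plen), strict=False)
            prefixes.append((str(net), bool(pflags & 0x40)))
        off += olen * 8   # option length is in 8-octet units
    return {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
            "router_lifetime": lifetime, "prefixes": prefixes}

def ra_guard(src_link_local, ra_bytes, allowed_routers, allowed_prefixes):
    """Software model of RA Guard: accept only RAs from known routers advertising expected prefixes."""
    ra = parse_ra(ra_bytes)
    reasons = []
    if src_link_local not in allowed_routers:
        reasons.append("RA from unexpected source %s" % src_link_local)
    for prefix, autonomous in ra["prefixes"]:
        if prefix not in allowed_prefixes:
            reasons.append("unexpected prefix %s (A=%d)" % (prefix, autonomous))
    return ("drop" if reasons else "accept"), reasons, ra

# Assumed policy for this example: the one legitimate router and the prefix it should announce
ALLOWED_ROUTERS = {"fe80::1"}
ALLOWED_PREFIXES = {"2001:db8:1::/64"}

def check_samples():
    """Run a legitimate RA and a rogue RA (both constructed) through the guard."""
    good = ra_guard("fe80::1", build_ra("2001:db8:1::/64"), ALLOWED_ROUTERS, ALLOWED_PREFIXES)
    rogue = ra_guard("fe80::dead", build_ra("2001:db8:bad::/64"), ALLOWED_ROUTERS, ALLOWED_PREFIXES)
    return good[0], rogue[0], rogue[1]

if __name__ == "__main__":
    print(check_samples())
```

The guard checks the prefix as well as the source because a rogue RA from a legitimate-looking link-local address still misconfigures every node on the link if it carries the wrong prefix with the A flag set.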
IPv6 Protocol Stack – ICMP
ICMP Message Type                  ICMPv4  ICMPv6
Connectivity Checks                X       X
Informational/Error Messaging      X       X
Fragmentation Needed Notification  X       X
Address Assignment                 -       X
Address Resolution                 -       X
Router Discovery                   -       X
Multicast Group Management         -       X
Mobile IPv6 Support                -       X
Filtering ICMPv6 Messages in Firewalls - RFC 4890
Action  Src  Dst  ICMPv6 Type  ICMPv6 Code  Name
Permit  Any  A    128          0            Echo Reply
Permit  Any  A    129          0            Echo Request
Permit  Any  A    1            All          No Route to Destination
Permit  Any  A    2            0            Packet Too Big
Permit  Any  A    3            0            Time Exceeded – TTL Exceeded
Permit  Any  A    4            1 & 2 only   Parameter Problem
ICMPv6 – Message Types and Codes INFO
IPv6 – General Addressing
§ IPv6 uses 128-bit addresses
§ Hex presentation
§ Addresses are aggregated into "prefixes" (for routing purposes)
§ Address types: Unicast, Anycast and Multicast
§ Address scopes: link-local, global, etc.
§ At any given time, several IPv6 addresses, of multiple types and scopes, are in use - examples:
• One or more unicast link-local address
• One or more global unicast address
• One or more link-local address
IPv6 – Address types
Address Type          IPv6 prefix
Unspecified           ::/128
Loopback              ::1/128
Multicast             FF00::/8
Link-local unicast    FE80::/10
Unique Local Unicast  FC00::/7
Global Unicast        everything else
The IPv6 Address Interface ID
§ The interface ID of a unicast address may be assigned in different ways:
§ Auto-configured from a 64-bit EUI-64 or expanded from a 48-bit MAC
§ Auto-generated pseudo-random number (to address privacy concerns)
§ Assigned via DHCP
§ Manually configured
§ EUI-64 format for stateless auto-configuration
§ Expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle
§ Ensures the chosen address derives from a unique Ethernet MAC address
§ The universal/local (U/L) bit is set to 1 for global scope and 0 for local scope
IPv6 – Security Myths: Absence of Reconnaissance
§ Default subnets in IPv6 have 2^64 addresses - at 10 Mpps a full sweep takes more than 50,000 years
Reconnaissance techniques get smarter:
§ IPv6 addresses embedding IEEE IDs (MAC-derived info)
§ Increased deployment/reliance on dynamic DNS
§ Human factor: easy-to-remember addresses (wordy, IPv4 last octet)
§ Multicast:
• 3 site-local multicast addresses (not enabled by default): FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers
• Several link-local multicast addresses (enabled by default): FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, …
IPv6 – Security Myths: Absence of Reconnaissance
EUI-64 interface ID layout: IEEE OUI (24 bits, known / guessable) | FF FE (16 bits, known) | lower 24 bits of MAC (24 bits, not known)
IPv6 – Security Myths: Absence of Reconnaissance
Interface ID – lower 24 bits:
§ MAC addresses can be consecutive in larger organizations and geographical areas
§ VMware ESX employs:
• Automatic MACs: OUI 00:05:59, and the next 16 bits copied from the low-order 16 bits of the host's IPv4 address (search space: 2^8)
• Manually configured MACs: OUI 00:50:56 and the rest in the range 0x000000-0x3fffff (search space: 2^22)
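The addressing slides and the three reconnaissance slides above are tied together by one mechanism: an EUI-64 interface ID embeds the MAC. The Python below is an added example (not from the deck, not Cisco code) that classifies an address using the deck's prefix table (FC00::/7 for Unique Local per RFC 4193), derives the SLAAC address a host would form from a /64 and its MAC, and does the reverse check a defender wants when auditing an address inventory: does this interface ID carry FF:FE and therefore expose the OUI and the rest of the MAC? The MAC and prefix values are constructed inputs.

```python
import ipaddress

# Address-type table from the deck, most specific first (FC00::/7 is the RFC 4193 Unique Local block)
TYPE_PREFIXES = [
    ("Unspecified", "::/128"),
    ("Loopback", "::1/128"),
    ("Multicast", "ff00::/8"),
    ("Link-local unicast", "fe80::/10"),
    ("Unique Local Unicast", "fc00::/7"),
]

def address_type(addr):
    """Classify an address by prefix; anything not matched is global unicast."""
    a = ipaddress.IPv6Address(addr)
    for name, prefix in TYPE_PREFIXES:
        if a in ipaddress.IPv6Network(prefix):
            return name
    return "Global Unicast"

def _mac_bytes(mac):
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    return octets

def eui64_interface_id(mac):
    """Modified EUI-64: split the MAC, insert FF:FE, and flip the U/L bit (0x02 of the first octet)."""
    m = _mac_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]

def slaac_address(prefix, mac):
    """Address a host self-configures from a /64 prefix with EUI-64 (no privacy extensions)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def embedded_mac(addr):
    """Inverse view: if the interface ID carries FF:FE in the middle, return the MAC it embeds, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in m)

def audit_address(addr):
    """Defender's summary of one address: its type and whether the interface ID leaks the OUI/MAC."""
    mac = embedded_mac(addr)
    report = {"address": addr, "type": address_type(addr), "eui64_derived": mac is not None}
    if mac is not None:
        report["mac"] = mac
        report["oui"] = mac[:8]
    return report

if __name__ == "__main__":
    # Constructed inputs: documentation prefix and an arbitrary MAC
    print(slaac_address("2001:db8::/64", "00:50:56:ab:cd:ef"))
    print(audit_address("fe80::250:56ff:feab:cdef"))
    print(audit_address("2001:db8::1"))
```

Run over an address inventory, the `eui64_derived` flag identifies the hosts whose addresses are guessable from a vendor OUI; the fix on those hosts is the pseudo-random interface ID (privacy extensions) listed on the interface-ID slide.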
IPv6 – Security Myths: IPsec will save the world
§ IPv6 originally mandated the implementation of IPsec - but not its use
§ RFC 6434: "IPsec SHOULD be supported by all IPv6 nodes"
§ IPsec comes with challenges:
• Interesting scalability issue (n^2 issue with IPsec)
• Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
• Network telemetry is blinded: NetFlow of little use
• Network services hindered: QoS?
IPv6 – Transition Mechanisms
§ Dual Stack: the recommended enterprise co-existence strategy (IPv4 and IPv6 side by side)
§ Tunneling Services: connect islands of IPv6 or IPv4 (IPv4 over IPv6, IPv6 over IPv4)
§ Translation Services: connect to the IPv6 community (IPv4 <-> IPv6) – business partners, Internet consumers, remote workers, international sites, government agencies
Dual Stack - intro
§ Each node's IP stack supports both IPv4 and IPv6
§ Domain names include both A and AAAA records
§ IPv4 or IPv6 is used as needed or preferred – e.g. Happy Eyeballs
§ Main operating systems include native IPv6 support enabled by default and prefer IPv6 over IPv4
§ Dual-stack is the recommended strategy for hosts
Dual Stack – Threats and mitigation
§ Lack of awareness that IPv6 is enabled – even on IPv4-only networks
§ Rogue IPv6 router uses RAs to configure the IPv6 stack
§ Host security mechanisms not IPv6 aware
§ IPv6 used to evade network security controls
Mitigation:
§ Disable the IPv6 stack on the host if not used
§ Create an IPv6 control policy – host and network
Tunnels - Intro
Transport IPv6 packets over IPv4
§ Configured: manual configuration
• 6in4
• Tunnel broker
§ Automatic: tunnel end-points derived from the IPv6 addresses
• ISATAP
• Teredo
• 6to4
• 6rd
Tunnels – Threats
ISATAP: Intra-Site Automatic Tunnel Addressing Protocol
§ Unauthorized tunnels – firewall bypass (protocol 41)
§ IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise
§ No authentication in ISATAP – rogue routers are possible
§ Windows defaults to resolving isatap.example.com
§ IPv6 addresses can be guessed based on the IPv4 prefix (scanning is back!)
Tunnels – Threats
Teredo:
§ IPv6 over UDP (port 3544) - the firewall just sees IPv4 UDP traffic
§ Hosts behind a NAT may become reachable from the public Internet
§ Windows systems resolve "teredo.ipv6.microsoft.com" – an attacker who can subvert that DNS resolution can impersonate a Teredo server
Tunnels – Mitigations
Teredo:
§ Filter IPv4.dst == known_teredo_servers && UDP.DstPort == 3544
ISATAP:
§ Filter IPv4.Protocol == 41
§ Check DNS logs for ISATAP name resolution
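The mitigation slide gives two filter expressions and one log check. The Python below is an added example (not from the deck, not Cisco code) that applies both filters to IPv4 flow tuples and runs the DNS-log check over a constructed log: it flags the hostnames the threat slides say Windows hosts look up (isatap.* and teredo.*) and counts hits per client so the noisiest hosts can be examined first. The Teredo server addresses are placeholder values from the RFC 5737 test ranges, and the log format is invented for the example rather than taken from any product.

```python
import re
from collections import Counter

PROTO_IPV6_ENCAP = 41      # IPv6-in-IPv4 (6in4, 6to4, ISATAP)
UDP, TEREDO_PORT = 17, 3544
# Assumed policy value: Teredo server addresses this network chooses to block (RFC 5737 test addresses)
KNOWN_TEREDO_SERVERS = {"192.0.2.10", "198.51.100.20"}

def classify_flow(proto, src, dst, dport=None):
    """Apply the deck's two filters to one IPv4 flow; returns ('drop', reason) or ('allow', None)."""
    if proto == PROTO_IPV6_ENCAP:
        return "drop", "IPv4 protocol 41: IPv6-in-IPv4 tunnel (ISATAP/6to4/6in4) from %s" % src
    if proto == UDP and dport == TEREDO_PORT and dst in KNOWN_TEREDO_SERVERS:
        return "drop", "Teredo: UDP/3544 to known Teredo server %s" % dst
    return "allow", None

# Constructed DNS query log, loosely resolver-shaped (not a real product's format)
DNS_LOG = """\
2013-05-01 09:12:01 query[A] isatap.example.com from 10.0.0.15
2013-05-01 09:12:02 query[A] www.example.com from 10.0.0.15
2013-05-01 09:13:10 query[A] teredo.ipv6.microsoft.com from 10.0.0.22
2013-05-01 09:14:55 query[A] isatap.corp.example from 10.0.0.40
2013-05-01 09:15:01 query[AAAA] mail.example.com from 10.0.0.40
2013-05-01 09:16:30 query[A] ISATAP.example.com from 10.0.0.15
"""

LOG_LINE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")
# Hostnames hosts use to locate tunnel endpoints; matched case-insensitively because DNS is
TUNNEL_NAMES = re.compile(r"^(isatap|teredo)\.", re.IGNORECASE)

def find_tunnel_lookups(log_text):
    """Return (client, name) pairs for queries that reveal a host searching for an ISATAP router or Teredo server."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m and TUNNEL_NAMES.match(m.group("name")):
            hits.append((m.group("client"), m.group("name").lower()))
    return hits

def lookups_per_client(log_text):
    """Count tunnel-related lookups per client so the noisiest hosts can be checked first."""
    return Counter(client for client, _ in find_tunnel_lookups(log_text))

if __name__ == "__main__":
    print(classify_flow(PROTO_IPV6_ENCAP, "10.0.0.15", "203.0.113.5"))
    print(classify_flow(UDP, "10.0.0.22", "192.0.2.10", TEREDO_PORT))
    print(lookups_per_client(DNS_LOG))
```

The DNS check matters because the flow filters only catch tunnels that actually form; a host that resolves isatap.example.com has already decided it wants one, whether or not the firewall lets protocol 41 through.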
How imminent are IPv6 attacks?
§ The tools:
• THC-IPv6 by Van Hauser
• SI6 IPv6 Toolkit by Fernando Gont
§ The exploits:
• Zeus botnet is IPv6 compliant
Key observations
IPv6 robustness
§ Implementations have not really been the target of attackers, yet
§ Only a handful of publicly available attack tools
§ Lots of vulnerabilities and bugs still to be discovered
IPv6 control policy points
§ IPv6 inspection is not broadly supported in security devices
Education/Training/Awareness
§ Pushing people to "Enable IPv6" as a turn-key solution doesn't work
§ Creating awareness and expertise
Resources
§ RFCs are your friend
§ NIST Special Publication 800-119, Guidelines for the Secure Deployment of IPv6
§ Cisco.com/go/ipv6
§ 6lab.cisco.com
§ IPv6 Security – Eric Vyncke and Scott Hogg @ Cisco Press