Eric Vyncke - IPv6 Security Vendor Point of View
Post on 02-Nov-2014
© 2010 Cisco Systems, Inc. All rights reserved. Cisco PublicPresentation_ID 1
IPv6 Security Vendor Point of View
Eric Vyncke, evyncke@cisco.com
Distinguished Engineer
Cisco, CTO/Consulting Engineering
ARP Spoofing is now NDP Spoofing: Threats
ARP is replaced by the Neighbor Discovery Protocol
– Nothing authenticated
– Static entries overwritten by dynamic ones
Stateless Address Autoconfiguration
– Rogue RA (malicious or not)
– All nodes badly configured
– DoS
– Traffic interception (Man In the Middle Attack)
Attack tools exist (from THC – The Hacker's Choice)
– Parasit6
– Fakerouter6
...
ARP Spoofing is now NDP Spoofing: Mitigation
BAD NEWS: nothing like Dynamic ARP Inspection for IPv6
– Will require new hardware on some platforms
– Not available now
GOOD NEWS: Secure Neighbor Discovery
– SEND = NDP + crypto
– IOS 12.4(24)T
– But not in Windows Vista, 2008 and 7
– Crypto means slower...
Other GOOD NEWS:
– Private VLAN works with IPv6
– Port security works with IPv6
– 802.1X works with IPv6
– For FTTH & other broadband, DHCP-PD means no need for NDP proxy
Securing Link Operations: First Hop Trusted Device
Advantages
– Central administration, central operation
– Complexity limited to first hop
– Transitioning a lot easier
– Efficient for threats coming from the link
– Efficient for threats coming from outside
Disadvantages
– Applicable only to certain topologies
– Requires first-hop to learn about end-nodes
– First-hop is a bottleneck and single point of failure
[Diagram: first-hop trusted device backed by a time server and a certificate server, labelled "Cisco Future"]
IPv6 Header Manipulation
Unlimited size of header chain (spec-wise) can make filtering difficult
Potential DoS with poor IPv6 stack implementations
– More boundary conditions to exploit
– Can I overrun buffers with a lot of extension headers?
[Screenshot: a packet the sniffer reports as a perfectly valid IPv6 packet, annotated with the ordering rules it breaks: the Destination Options header should be the last, each header should only appear once, and the Destination Options header should occur at most twice]
See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html
Parsing the Extension Header Chain
Finding the layer 4 information is not trivial in IPv6
Skip all known extension headers
– Until either a known layer 4 header is found => SUCCESS
– Or an unknown extension header / layer 4 header is found... => FAILURE
IPv6 hdr | HopByHop | Routing | AH | TCP | data          => SUCCESS
IPv6 hdr | HopByHop | Routing | AH | Unknown L4 | ???    => FAILURE
IPv6 hdr | HopByHop | Unk. ExtHdr | AH | TCP | data      => FAILURE
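As an added example (not from the slides or from Cisco), the chain walk described on this slide in Python, which also enforces the occurrence rules from the header-manipulation slide (each extension header once, Destination Options at most twice). The three constructed packets mirror the three chains shown; the AH length rule and the "unknown header" and "repeated header" outcomes are the parts a filter has to get right.

```python
import struct

# Added example (not Cisco's or the author's code): walk an IPv6 extension
# header chain the way the slide describes, and apply the occurrence rules
# from the previous slide (each header once, Destination Options at most twice).
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
KNOWN_EXT = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
L4_HEADERS = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def ext_header_length(proto, pkt, off):
    """On-the-wire length of the extension header starting at offset off."""
    if proto == FRAGMENT:
        return 8                           # Fragment header is a fixed 8 octets
    if proto == AH:
        return (pkt[off + 1] + 2) * 4      # AH Payload Len counts 32-bit words, minus 2
    return (pkt[off + 1] + 1) * 8          # others: Hdr Ext Len in 8-octet units, excluding the first 8


def find_layer4(pkt):
    """Return (status, detail, offset): SUCCESS with the L4 name, or FAILURE with the reason."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("FAILURE", "not IPv6", 0)
    next_hdr, off, seen = pkt[6], 40, {}
    while True:
        if next_hdr in L4_HEADERS:
            return ("SUCCESS", L4_HEADERS[next_hdr], off)
        if next_hdr not in KNOWN_EXT:
            return ("FAILURE", "unknown header %d" % next_hdr, off)
        seen[next_hdr] = seen.get(next_hdr, 0) + 1
        if seen[next_hdr] > (2 if next_hdr == DEST_OPTS else 1):
            return ("FAILURE", "header %d repeated" % next_hdr, off)
        if off + 2 > len(pkt):
            return ("FAILURE", "truncated", off)
        length = ext_header_length(next_hdr, pkt, off)
        if off + length > len(pkt):
            return ("FAILURE", "truncated", off)
        next_hdr, off = pkt[off], off + length


def build_packet(chain, payload=b"data"):
    """Constructed sample packet: chain lists header numbers, the last one is the upper layer."""
    body, nxt = b"", chain[-1]
    for proto in reversed(chain[:-1]):     # build back to front so each Next Header is known
        if proto == AH:
            hdr = bytes([nxt, 4]) + b"\x00" * 22       # Payload Len 4 -> 24 octets
        else:
            hdr = bytes([nxt, 0]) + b"\x00" * 6        # minimal 8-octet header (also used for unknown types)
        body, nxt = hdr + body, proto
    fixed = bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", len(body) + len(payload), nxt, 64) + b"\x00" * 32
    return fixed + body + payload
```

`find_layer4(build_packet([HOP_BY_HOP, ROUTING, AH, 6]))` is the first chain on the slide and succeeds at offset 80; replacing the 6 with an unassigned number, or inserting an unknown extension header in the middle, reproduces the two failing chains.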
The IPsec Myth: IPsec End-to-End will Save the World
IPv6 mandates the implementation of IPsec
IPv6 does not require the use of IPsec
Some organizations believe that IPsec should be used to secure all flows...
– Interesting scalability issue (n² issue with IPsec)
– Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
– IOS 12.4(20)T can parse the AH
– Network telemetry is blinded: NetFlow of little use
– Network services hindered: what about QoS?
Recommendation: do not use IPsec end to end within an administrative domain.
Suggestion: reserve IPsec for residential or hostile environments or high profile targets.
PCI DSS Compliance and IPv6
Payment Card Industry Data Security Standard requires the use of NAT for security
– Yes, weird isn’t it?
There is no NAT IPv6 <-> IPv6 in most of the firewalls
– IETF has just started to work on NAT66
PCI DSS compliance cannot be achieved for IPv6?
How important is NAT for ‘security’?
– No clear feedback from customers.
The security ‘value’ of NAT-PT
Blocks connections from the outside
– Same as a stateful firewall
Topology hiding?
– Dubious utility
– Techniques exist to bypass it
– Counting hosts by the IP ID field (Steve Bellovin 2002)
– Counting hosts by TCP timestamps (Ellie Lupin 2010)
– Analysis of the TTL field
– Analysis of e-mail RFC 822 headers
Multiple users hidden behind a single address
– Forensics is more complex
Does it really bring something?
What Default Security Policy for CPE?
Allow only inside-initiated connections?
– IPv6 hosts are usually more secure than legacy OS
– IPv6 has the benefit of end-to-end connectivity
Even IETF is unclear
Do we need to do the same as IPv4 NAT?
Dual-Stack IPS Engines
[Diagram: Service HTTP engine]
Anti-Spam Challenges
Little SMTPv6 email…
– Not a lot of data to test heuristics
How to build an address reputation database?
– Based on a /128? /64? /56?
Need more customers, more SMTPv6
Summary of Cisco IPv6 Security Products
ASA Firewall
– Since version 7.0 (released 2005)
– Flexibility: dual stack, IPv6 only, IPv4 only
– SSL VPN for IPv6 (ASA 8.0)
– Stateful failover (ASA 8.2.2)
IOS Firewall
– IOS 12.3(7)T (released 2005)
IPS
– Since 6.2 (released 2008)
Email Security Appliance (ESA) under beta testing early 2010
Web Security Appliance (WSA) end 2011
Key Takeaways
So, nothing really new in IPv6
Lack of operational experience may hinder security for a while: training is required
Security enforcement is possible, most vendors have IPv6-enabled security features/appliances
Control your IPv6 traffic as you do for IPv4
Leverage IPsec to secure IPv6 when suitable
Reference Slides
For Reference Only
Secure Neighbor Discovery (SEND): RFC 3971
Certification paths
– Anchored on trusted parties, expected to certify the authority of the routers on some prefixes
Cryptographically Generated Addresses (CGA)
– IPv6 addresses whose interface identifiers are cryptographically generated
RSA signature option
– Protects all messages relating to neighbor and router discovery
Timestamp and nonce options
– Prevent replay attacks
Requires IOS 12.4(24)T
Cryptographically Generated Addresses (CGA): RFC 3972 (Simplified)
Each device has an RSA key pair (no need for a certificate)
Ultra-light check for validity
Prevents spoofing a valid CGA address
[Diagram: the CGA Params (Modifier, Subnet Prefix, Public Key) are hashed with SHA-1 to produce the Interface Identifier; Subnet Prefix + Interface Identifier form the Cryptographically Generated Address; the RSA private key produces the Signature on SEND Messages, and the RSA public key is carried in the CGA Params]
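An added example, not from the slides or from Cisco: the simplified RFC 3972 generation and the "ultra light" verification in Python. It assumes a constructed placeholder byte string in place of the DER-encoded RSA public key, a constructed documentation prefix, and Sec = 1 (so the modifier search needs 16 leading zero bits in Hash2).

```python
import hashlib
import ipaddress

# Added example (not Cisco's or the author's code): RFC 3972 CGA generation and
# verification, simplified. PUBLIC_KEY is a constructed placeholder standing in
# for the DER-encoded RSA public key a real node would use.
PUBLIC_KEY = b"constructed-rsa-public-key-placeholder"
PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")

def _hash1(modifier, prefix_bytes, collision_count, pubkey):
    # Hash1 = leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | public key)
    return hashlib.sha1(modifier + prefix_bytes + bytes([collision_count]) + pubkey).digest()[:8]

def _hash2(modifier, pubkey):
    # Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key)
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]

def _hash2_ok(modifier, pubkey, sec):
    # The Sec parameter demands 16*Sec leading zero bits in Hash2 (the work factor against brute force).
    return int.from_bytes(_hash2(modifier, pubkey), "big") >> (112 - 16 * sec) == 0

def generate_cga(prefix, pubkey, sec=1, modifier=b"\x00" * 16):
    """Return (IPv6Address, CGA params) where params = (modifier, collision_count, pubkey)."""
    prefix_bytes = prefix.network_address.packed[:8]
    while not _hash2_ok(modifier, pubkey, sec):            # search for a modifier that satisfies Sec
        modifier = (int.from_bytes(modifier, "big") + 1).to_bytes(16, "big")
    collision_count = 0                                    # no DAD collision in this example
    iid = bytearray(_hash1(modifier, prefix_bytes, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1F) | (sec << 5)                  # leftmost 3 bits of the IID carry Sec
    iid[0] &= 0xFC                                         # clear the u and g bits
    return ipaddress.IPv6Address(prefix_bytes + bytes(iid)), (modifier, collision_count, pubkey)

def verify_cga(addr, params, prefix):
    """The 'ultra light' check: does this address really belong to this public key?"""
    modifier, collision_count, pubkey = params
    packed = addr.packed
    if packed[:8] != prefix.network_address.packed[:8] or collision_count > 2:
        return False
    sec = packed[8] >> 5                                   # Sec is read back from the address itself
    expected = bytearray(_hash1(modifier, packed[:8], collision_count, pubkey))
    actual = bytearray(packed[8:])
    expected[0] &= 0x1C                                    # ignore the Sec and u/g bits when comparing
    actual[0] &= 0x1C
    return expected == actual and _hash2_ok(modifier, pubkey, sec)
```

A receiver that runs `verify_cga` on the source address and the CGA param block of a SEND message has checked, with one SHA-1 per hash, that the claimed public key binds to that address; the RSA signature option then proves the sender holds the matching private key.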
Securing Neighbor and Router Advertisements with SEND
Adding an X.509 certificate to the RA
– Subject Name contains the list of authorized IPv6 prefixes
[Diagram: Neighbor Advertisement: Source Addr = CGA, CGA param block (incl. pub key), Signed. Router Advertisement: Source Addr = CGA, CGA param block (incl. pub key), Signed, X.509 cert chained to a Trust Anchor X.509 cert]