Cisco Press
Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA
Contents Introduction xix
Reintroduction to IPv6 3
Summary 12
Chapter 2 IPv6 Protocol Security Vulnerabilities 15
The IPv6 Protocol Header 16 ICMPv6 17
ICMPv6 Functions and Message Types 18 ICMPv6 Attacks and Mitigation
Techniques 20
Multicast Security 22
Extension Header Threats 24 Extension Header Overview 24 Extension
Header Vulnerabilities 28 Hop-by-Hop Options Header and Destination
Options Header 29
IPv6 Extension Header Fuzzing 33 Router Alert Attack 33
Routing Headers 36 RH0 Attack 36 Preventing RH0 Attacks 40
Additional Router Header Attack Mitigation Techniques 42
Fragmentation Header 43 Overview of Packet Fragmentation Issues 43
Fragmentation Attacks 45 Preventing Fragmentation Attacks 47
Virtual Fragment Reassembly 49
Unknown Option Headers 52 Upper-Layer Headers 55
Reconnaissance on IPv6 Networks 55 Scanning and Assessing the
Target 56
Registry Checking 56 Automated Reconnaissance 56
Speeding Up the Scanning Process 58 Leveraging Multicast for
Reconnaissance 59 Automated Reconnaissance Tools 61 Sniffing to
Find Nodes 61 Neighbor Cache 62 Node Information Queries 62
Protecting Against Reconnaissance Attacks 63
Layer 3 and Layer 4 Spoofing 65
Summary 69
References 70
Large-Scale Internet Threats 74 Packet Flooding 74 Internet Worms
77
Worm Propagation 78 Speeding Worm Propagation in IPv6 78 Current
IPv6 Worms 79 Preventing IPv6 Worms 80
Distributed Denial of Service and Botnets 80 DDoS on IPv6 Networks
81 Attack Filtering 81 Attacker Traceback 82 Black Holes and Dark
Nets 84
Ingress/Egress Filtering 85 Filtering IPv6 Traffic 85 Filtering on
Allocated Addresses 85 Bogon Filtering 87 Bogon Filtering
Challenges and Automation 90
Securing BGP Sessions 90 Explicitly Configured BGP Peers 92 Using
BGP Session Shared Secrets 92 Leveraging an IPsec Tunnel 93 Using
Loopback Addresses on BGP Peers 93 Controlling the Time-to-Live
(TTL) on BGP Packets 94 Filtering on the Peering Interface 97 Using
Link-Local Peering 97
Link-Local Addresses and the BGP Next-Hop Address 99 Drawbacks of
Using Link-Local Addresses 101
Preventing Long AS Paths 102 Limiting the Number of Prefixes
Received 103 Preventing BGP Updates Containing Private AS Numbers
103
Maximizing BGP Peer Availability 103 Disabling Route-Flap Dampening
104 Disabling Fast External Fallover 104 Enabling Graceful Restart
and Route Refresh or Soft Reconfiguration 104 BGP Connection Resets
105
Logging BGP Neighbor Activity 106 Securing IGP 106 Extreme Measures
for Securing Communications Between BGP Peers 106
IPv6 over MPLS Security 107 Using Static IPv6 over IPv4 Tunnels
Between PE Routers 108 Using 6PE 109 Using 6VPE to Create
IPv6-Aware VRFs 109
Customer Premises Equipment 110
Multihoming Issues 119
IPv6 Firewalls 128 Filtering IPv6 Unallocated Addresses 128
Additional Filtering Considerations 133
Firewalls and IPv6 Headers 133 Inspecting Tunneled Traffic 134
Layer 2 Firewalls 135 Firewalls Generate ICMP Unreachables 136
Logging and Performance 136
Firewalls and NAT 136
Cisco IOS Router ACLs 138 Implicit IPv6 ACL Rules 142 Internet ACL
Example 143 IPv6 Reflexive ACLs 147
Cisco IOS Firewall 149 Configuring IOS Firewall 150 IOS Firewall
Example 153 IOS Firewall Port-to-Application Mapping for IPv6
157
Cisco PIX/ASA/FWSM Firewalls 158
Configuring Firewall Interfaces 159 Management Access 161
Configuring Routes 162 Security Policy Configuration 164 Object
Group Policy Configuration 168 Fragmentation Protection 172
Checking Traffic Statistics 173 Neighbor Discovery Protocol
Protections 174
Summary 177
References 177
Chapter 5 Local Network Security 181
Why Layer 2 Is Important 181
ICMPv6 Layer 2 Vulnerabilities for IPv6 182 Stateless Address
Autoconfiguration Issues 183 Neighbor Discovery Issues 187
Duplicate Address Detection Issues 190 Redirect Issues 193
ICMPv6 Protocol Protection 195 Secure Neighbor Discovery 196
Implementing CGA Addresses in Cisco IOS 198 Understanding the
Challenges with SEND 199
Network Detection of ICMPv6 Attacks 199 Detecting Rogue RA Messages
199 Detecting NDP Attacks 201
Network Mitigation Against ICMPv6 Attacks 201 Rafixd 202 Reducing
the Target Scope 203 IETF Work 203 Extending IPv4 Switch Security
to IPv6 204
Privacy Extension Addresses for the Better and the Worse 205
DHCPv6 Threats and Mitigation 208 Threats Against DHCPv6 210
Mitigating DHCPv6 Attacks 211
Mitigating the Starvation Attack 211 Mitigating the DoS Attack 211
Mitigating the Scanning 213 Mitigating the Rogue DHCPv6 Server
213
Point-to-Point Link 213
Endpoint Security 215
Threats Against Network Devices 220
Cisco IOS Versions 220
Disabling Unnecessary Network Services 222 Interface Hardening
223
Limiting Router Access 224 Physical Access Security 224 Securing
Console Access 225 Securing Passwords 225 VTY Port Access Controls
226 AAA for Routers 229 HTTP Access 230
IPv6 Device Management 233 Loopback and Null Interfaces 233
Management Interfaces 234 Securing SNMP Communications 235
Threats Against Interior Routing Protocol 239 RIPng Security 241
EIGRPv6 Security 242 IS-IS Security 244 OSPF Version 3 Security
247
First-Hop Redundancy Protocol Security 255 Neighbor Unreachability
Detection 255 HSRPv6 257 GLBPv6 260
Controlling Resources 262 Infrastructure ACLs 263 Receive ACLs 265
Control Plane Policing 265
QoS Threats 269
IPv6 Host Security 281 Host Processing of ICMPv6 282
Services Listening on Ports 284 Microsoft Windows 284 Linux 284 BSD
285 Sun Solaris 285
Checking the Neighbor Cache 285 Microsoft Windows 286 Linux 286 BSD
287 Sun Solaris 287
Detecting Unwanted Tunnels 287 Microsoft Windows 287 Linux 290 BSD
291 Sun Solaris 292
IPv6 Forwarding 292 Microsoft Windows 293 Linux 293 BSD 294 Sun
Solaris 294
Address Selection Issues 295 Microsoft Windows 296 Linux 297 BSD
297 Sun Solaris 297
Host Firewalls 297 Microsoft Windows Firewall 298 Linux Firewalls
301 BSD Firewalls 303
OpenBSD Packet Filter 304 ipfirewall 306 IPFilter 310
Sun Solaris 312
Summary 316
References 317
Chapter 8 IPsec and SSL Virtual Private Networks 319
IP Security with IPv6 320 IPsec Extension Headers 320 IPsec Modes
of Operation 322
IPsec with Network Address Translation 324 IPv6 and IPsec 325
Host-to-Host IPsec 326
Site-to-Site IPsec Configuration 328 IPv6 IPsec over IPv4 Example
329
Configuring IPv6 IPsec over IPv4 329 Verifying the IPsec State 332
Adding Some Extra Security 337 Dynamic Crypto Maps for Multiple
Sites 338
IPv6 IPsec Example 339 Configuring IPsec over IPv6 340 Checking the
IPsec Status 343
Dynamic Multipoint VPN 349 Configuring DMVPN for IPv6 351 Verifying
the DMVPN at the Hub 353 Verifying the DMVPN at the Spoke 359
Remote Access with IPsec 361
SSL VPNs 368
Mobile IPv6 Operation 378
MIPv6 Messages 379 Indirect Mode 381 Home Agent Address
Determination 381 Direct Mode 382
Threats Linked to MIPv6 385 Protecting the Mobile Device Software
386 Rogue Home Agent 386 Mobile Media Security 386
Man-in-the-Middle Threats 387 Connection Interception 388 Spoofing
MN-to-CN Bindings 389 DoS Attacks 390
Using IPsec with MIPv6 390
Filtering for MIPv6 392 Filters at the CN 395 Filters at the
MN/Foreign Link 398 Filters at the HA 402
Other IPv6 Mobility Protocols 406 Additional IETF Mobile IPv6
Protocols 407 Network Mobility (NEMO) 409 IEEE 802.16e 411 Mobile
Ad-hoc Networks 411
Summary 413
References 413
Understanding IPv4-to-IPv6 Transition Techniques 417 Dual-Stack 417
Tunnels 419
Configured Tunnels 420 6to4 Tunnels 423 ISATAP Tunnels 428 Teredo
Tunnels 430 6VPE 434
Protocol Translation 437
Implementing Dual-Stack Security 439 Exploiting Dual-Stack
Environment 440 Protecting Dual-Stack Hosts 443
Hacking the Tunnels 444 Securing Static Tunnels 447 Securing
Dynamic Tunnels 449
6to4 450 ISATAP 453 Teredo 455
Securing 6VPE 459
Attacking NAT-PT 459
Summary 462
References 463
Managing and Monitoring IPv6 Networks 467 Router Interface
Performance 468
Device Performance Monitoring 469 SNMP MIBs for Managing IPv6
Networks 469 IPv6-Capable SNMP Management Tools 471 NetFlow
Analysis 472
Router Syslog Messages 478 Benefits of Accurate Time 481
Managing IPv6 Tunnels 482
Using Forensics 483
Using Intrusion Detection and Prevention Systems 485 Cisco IPS
Version 6.1 486 Testing the IPS Signatures 487
Managing Security Information with CS-MARS 489
Managing the Security Configuration 493
Summary 495
References 496
Chapter 12 IPv6 Security Conclusions 499
Comparing IPv4 and IPv6 Security 499 Similarities Between IPv4 and
IPv6 499 Differences Between IPv4 and IPv6 501
Changing Security Perimeter 501
Creating an IPv6 Security Policy 503 Network Perimeter 504
Extension Headers 504 LAN Threats 505 Host and Device Hardening 505
Transition Mechanisms 506 IPsec 506 Security Management 506
On the Horizon 506
Summary 511
References 511
Index 512