IPv6 Security Tutorial · • IPv6 Protocol Issues and Security Myths • IPv6 Toolkits • Scanning IPv6 Networks • Neighbour Advertisement Attacks • Attacks with Router Advertisement

21/06/16

1

IPv6 Security Tutorial TWNOG and TWNIC OPM

23 June 2016

Acknowledgment •  Some parts of this presentation is based on “IPv6 Security”

by SWITCH Networks. –  http://www.switch.ch/

21/06/16

2

Agenda •  IPv6 Operations and Features •  IPv6 Protocol Issues and Security Myths •  IPv6 Toolkits •  Scanning IPv6 Networks •  Neighbour Advertisement Attacks •  Attacks with Router Advertisement

–  Rogue RA, Lifetime 0, RA Flooding –  Extension Header Attacks (Hop by Hop, Routing Header 0)

•  Securing IPv6 – Best Practices

IPv6 Operations & Features

4

A Short Overview

21/06/16

3

IPv6 is the new Protocol •  IP stands for Internet Protocol which is one of the main

pillars that supports the Internet today

•  Current version of IP protocol is IPv4

•  The new version of IP protocol is IPv6

•  IPv6 was also called IPng in the early days of IPv6 protocol development stage

New Functional Improvement Address Space

–  Increase from 32-bit to 128-bit address space

Management –  Stateless autoconfiguration means no more need to configure IP

addresses for end systems, even via DHCP

Performance –  Fixed header size (40 bytes) and 64-bit header alignment mean better

performance from routers and bridges/switches

No hop-by-hop segmentation –  Path MTU discovery

21/06/16

4

New Functional Improvement Multicast/Multimedia

–  Built-in features for multicast groups, management, and new "anycast" groups

Mobile IP –  Eliminate triangular routing and simplify deployment of mobile IP-based systems

Virtual Private Networks –  Built-in support for ESP/AH encrypted/ authenticated virtual private network

protocols

Built-in support for QoS tagging No more broadcast

IPv6 Security Features •  IPsec is mandatory in IPv6

•  Since IPsec became part of the IPv6 protocol, all nodes can secure their IP traffic if they have required keying infrastructure

•  IPsec does not replace standard network security requirement but introduce added layer of security with existing IP network

21/06/16

5

IPsec Security Services AH ESP

Integrity of the IPv6 header & data Confidentiality of the IPv6 data Source: Migrating to IPv6, Marc Blanchet

IPv6 Addressing •  An IPv6 address is 128 bits long

•  So the number of addresses are 2^128 or –  340282366920938463463374607431768211455 –  3.40 x 1038

–  340 trillion trillion trillion addresses

2001:DC0:A910::

1010 1001 0001 0000

nibbles

21/06/16

6

IPv6 Addressing 2001:0DB8:DEAD:BEEF:1AB6:503F:A804:71D9

0010 0000 0000 0001 0000 1101 1011 1000

1101 1110 1010 1101 1011 1110 1110 1111

0001 1010 1011 0110 1001 0000 0011 1111

1010 1000 0000 0100 0111 0001 1101 1001

128 bits is reduced down to 32 hex digits 11

IPv6 Address Space IPv6 Prefix Allocation RFC

0000::/8 Reserved by IETF RFC 4291 2000::/3 Global Unicast RFC 4291 FC00::/7 Unique Local Address RFC 4193 FE80::/10 Link Local Unicast RFC 4291 FEC0::/10 Reserved by IETF RFC 3879 FF00::/8 Multicast RFC 4291 2002::/16 6to4 RFC3056

http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml

21/06/16

7

IPv6 Addressing Structure 0 127

ISP /32

32

128 bits

Customer Site /48

16

Subnet /64

16 64

Device /128

Network Prefix Interfaced Identifier (IID)

Addressing Threats •  Using EUI-64 for Interface ID means its unique worldwide

–  Same trackable IID even when network prefix changes –  Loss of privacy

21/06/16

8

IPv6 Extension Header •  Adding an optional Extension Header in IPv6 makes it simple to add

new features in IP protocol in the future without major re-engineering of IP routers everywhere.

•  The number of extension headers are not fixed, so the total length of the extension header chain is variable.

•  The extension header will be placed in between main header and payload in an IPv6 packet.

IPv6 Extension Header

16

IPv6-Header Next Header = 43

(Routing)

TCP Header & Data

Routing Hdr Next Header = 44

(Fragment)

Fragment Hdr Next Header = 6

(TCP)

IPv6-Header Next Header = 6

(TCP)

TCP Header & TCP Segment

Typical IPv6 Header

IPv6 Header with Extension Header

21/06/16

9

Next Header Field

17

IPv6 Extension Headers Value (Hex) Value (Dec) Extension Header

00 0 Hop-by-Hop Extension Header 2B 43 Routing Extension Header 2C 44 Fragmentation Extension Header 32 50 Encrypted Security Payload (ESP) Extension Header

33 51 Authentication Header (AH) Extension Header 3A 58 ICMPv6 3B 59 No Next Header 3C 60 Destination Options Extension Headers

21/06/16

10

Order Of Extension Header •  Source node follow the order:

1. Hop-by-hop 2. Routing 3. Fragment 4. Authentication 5. Encapsulating security payload 6. Destination option 7. Upper-layer

•  Only hop-by-hop has to be processed by every intermediate nodes •  Routing header need to be processed by intermediate routers •  At the destination fragmentation has to be processed before others

Extension Header Threats •  IPv6 extension headers are used to extend the functionality of the

protocol

•  An attacker could manipulate this feature to create attack –  Create an IPv6 packet with long list of extension headers that cause a DoS

to the routers along the path or to the destination host –  Lengthy extension headers could consume system resource or could crash

the the host protocol stack –  Could be use as an attack vector to inject malicious code to the network by

avoiding firewall and IDS (Numerous extension header in a single packet could spread the payload in to second fragment that could not be checked by the firewall)

21/06/16

11

Extension Header Limitations •  There is no limit to the number of extension headers that can be used

•  Different formats for each type of extension header

•  The order of extension header is a recommendation, not a requirement

ICMPv6 Messages •  There are two classes of ICMPv6 messages (like

ICMPv4) –  Error messages

Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem –  Informational messages

Echo request, Echo reply, Router solicitation, Router advertisement, Redirect, Router renumbering

•  ICMPv6 message contain a type (8 bit) and code (8 bit) –  Type: Identifies the ICMP message type i.e Destination

Unreachable –  Code: That relate the details (Sub type) of the message to the

type of the message i.e. Destination Unreachable (Type 1) has got 4 code (Sub type)

21/06/16

12

ICMPv6 filtering is more complex

ICM

Pv6

M

essa

ge T

ypes

Error-Messages (1-127) 1:Destination Unreachable 2:Packet too big (PMTUD)

3:Time Exceeded (Hop Limit) 4:Parameter Problem

Info-Messages (Ping) 128:Echo Request 129:Echo Reply

Multicast Listener Discovery (MLD, MLD2) 130:Multicast Listener Query 131/143:Multicast Listener Report/2

132:Multicast Listener Done

Neighbor Discovery (NDP), Stateless Autoconfiguration (SLAAC) 133: Router Solicitation 134: Router Advertisement

135: Neighbor Solicitation (DAD) 136: Neighbor Advertisement (DAD) 137: Redirect Message

Other (Router Renumbering, Mobile IPv6, Inverse NS/NA,…) 138-153

ICMPv6 Messages •  One minor improvement made in ICMPv6 was that the message types were

separated –  error messages have type values from 0 to 127 –  informational messages have type values from 128 to 255

•  List of all ICMPv6 type and code value –  http://www.iana.org/assignments/icmpv6-parameters

•  Some of the type values are defined so far –  So undefined type should be blocked

•  Unallocated error messages: Type 5-99 and type 102-126 •  Unallocated informational message: Type 156-199 and type 202-254 •  Experimental message: Type 100, 101, 200, 201 •  Extension type message: Type 127, 255

•  However if new message are allocated by IANA in the future, adjustment need to be made to this filter

21/06/16

13

ICMPv6 Messages •  ICMPv6 is used for many legitimate purpose so following messages

must be permitted through the network perimeter –  Type 1: Destination Unreachable –  Type 2: Packet Too Big [PMTUD] –  Type 3: Time Exceeded –  Type 4: Parameter Problem

•  Following messages can be permitted as an option through the network perimeter (If Source & Destination of the packet can be controlled) –  Type 128: Echo Request –  Type 129: Echo Reply

ICMPv6 Messages •  Following messages need to be blocked through the network perimeter

if those functions are not used for specific purpose: –  Type 138: Router Renumbering –  Type 129: Echo Reply –  Type 139 & 140: Node Information Query Messages

•  RFC 4890 – recommendations for filtering ICMPv6

21/06/16

14

ICMPv6 Messages •  ICMPv6 error message contain part/full of the original packet in its

payload that cause the error at the first place –  More likely full packet in ICMPv6 as minimum MTU is 1280 byte

•  This payload could be used by the hacker as a covert channel to send any malicious code

•  So firewall should inspect payload segment in ICMPv6 error packet to make sure it is legitimate –  If the error packet fragment does not contain legitimate IPv6 address or it is

not statefully sent then packet should be dropped

ICMPv6 Messages •  A Denial of Service (DoS) attack can be initiated by

generating a stream of illegal packets i.e large packet, expiring hop count etc –  If enough erred packets are generated it could drive high CPU

utilization of the router

•  ICMPv6 error message generation can be limited by using following command

Router(config)#ipv6 icmp error-interval 10000 [in millisecond]

21/06/16

15

ICMPv6 Messages •  Rate limiting ICMPv6 traffic from overwhelming the router

! !ipv6 access-list ICMPv6 ! permit icmp any any !! !class-map match-all ICMPv6 ! match protocol ipv6 ! match access-group name ICMPv6 !! !! !policy-map ICMPv6_RATE_LIMIT ! class ICMPv6 ! police 100000 200000 conform-action transmit exceed-action drop !! !Interface fa0/0 ! service-policy input ICMPv6_RATE_LIMIT !!!

Example configuration •  ICMPv6 filter (Undefined ICMPv6 message type)

Router#sh ipv6 access-list ICMPV6_UNDEFINE_TYPE !

IPv6 access list ICMPV6_UNDEFINE_TYPE !

deny icmp any any 5 99 sequence 10 !

deny icmp any any 102 126 sequence 20 !

deny icmp any any 156 199 sequence 30 !

deny icmp any any 202 254 sequence 40 !

deny icmp any any 100 sequence 50 !

deny icmp any any 101 sequence 60 !

deny icmp any any 200 sequence 70 !

deny icmp any any 201 sequence 80 !

deny icmp any any 127 sequence 90 !

deny icmp any any 255 sequence 100 !

permit icmp any any sequence 110 !

21/06/16

16

Example configuration •  ICMPv6 filter (Specific ICMPv6 message type and code)

Router(config)#ipv6 access-list ICMPV6_SPECIFIC_TYPE_CODE !

Router(config-ipv6-acl)#deny icmp any any ? !

<0-255> ICMPv6 message type !

auth Match on authentication header !

beyond-scope Destination beyond scope !

dest-option Destination Option header (all types) !

dest-option-type Destination Option header with type !

destination-unreachable Destination address is unreachable !

dhaad-reply Home agent address discovery reply !

dhaad-request Home agent address discovery request !

dscp Match packets with given dscp value !

Continue next slide……….

Example configuration echo-reply Echo reply !

echo-request Echo request (ping) !

flow-label Flow label !

header Parameter header problems !

hop-limit Hop limit exceeded in transit !

log Log matches against this entry !

log-input Log matches against this entry, including input !

mld-query Multicast Listener Discovery Query !

mld-reduction Multicast Listener Discovery Reduction !

mld-report Multicast Listener Discovery Report !

mobility Mobility header (all types) !

Continue next slide……….

21/06/16

17

Example configuration mobility-type Mobility header with type !

mpd-advertisement Mobile prefix advertisement !

mpd-solicitation Mobile prefix solicitation !

nd-na Neighbor discovery neighbor advertisements !

nd-ns Neighbor discovery neighbor solicitations !

next-header Parameter next header problems !

no-admin Administration prohibited destination !

Continue next slide……….

Example configuration no-route No route to destination ! packet-too-big Packet too big ! parameter-option Parameter option problems ! parameter-problem All parameter problems ! port-unreachable Port unreachable ! reassembly-timeout Reassembly timeout ! redirect Neighbor redirect

21/06/16

18

IPv6 Neighbor Discovery (ND) •  IPv6 uses multicast (L2) instead of broadcast to find out target host

MAC address

•  It increases network efficiency by eliminating broadcast from L2 network

•  IPv6 ND uses ICMPv6 as transport –  Compared to IPv4 ARP, there is no need to write different ARP for different

L2 protocol i.e. Ethernet etc.

RFC 4861

NDP Message Types

36

133 Router Solicitation Prompts a router to send a Router Advertisement.

134 Router Advertisement Sent by routers to tell hosts on the local network the router exists and describe its capabilities

135 Neighbor Solicitation Sent by a device to request the layer two address of another device while providing its own as well

136 Neighbor Advertisement Provides information about a host to other devices on the network

137 Redirect Router informs host of a better first hop to destination

21/06/16

19

IPv6 Neighbor Discovery (ND) •  Solicited-Node Multicast is used for Duplicate Address Detection

–  Part of the Neighbour Discovery process –  Replaces ARP –  Duplicate IPv6 Addresses are rare, but still have to be tested for

•  For each unicast and anycast address configured, there is a corresponding solicited-node multicast address –  This address is only significant for the local link

IPv6 Neighbor Discovery (ND) •  Solicited Node Multicast Address

–  Starts with FF02::1:FF00:0/104 –  Last 24 bit from the interface IPV6 address

•  Example Solicited Node Multicast Address –  IPV6 Address 2406:6400:0:0:0:0:0000:0010 –  Solicited Node Multicast Address is FF02:0:0:0:0:1:FF00:0010

•  All hosts listen to its solicited node multicast address corresponding to its unicast and anycast address (if defined)

21/06/16

20

IPv6 Neighbor Discovery (ND) •  Host A would like to communicate with Host B

–  Host A IPv6 global address 2406:6400::10 –  Host A IPv6 link local address fe80::226:bbff:fe06:ff81 –  Host A MAC address 00:26:bb:06:ff:81

•  Host B IPv6 global address 2406:6400::20 –  Host B Link local UNKNOWN [Gateway if outside the link] –  Host B MAC address UNKNOWN

•  How will Host A create L2 frame for Host B?

IPv6 Neighbor Discovery (ND)

21/06/16

21

IPv6 Autoconfiguration Stateless mechanism

For a site not concerned with the exact addresses No manual configuration required Minimal configuration of routers No additional servers Use SLAAC

Stateful mechanism For a site that requires tighter control over exact address assignments Use stateful address protocol (DHCPv6)

Stateless with DHCP Use Router Advertisement to allocate prefixes Other parameters provided by DHCP

RFC 2462

What is SLAAC? •  Stateless Address Autoconfiguration (SLAAC)

•  RFC 4862

•  IP address is assigned based on the prefix provided by router (RA) + generated Interface ID

•  Use Duplicate Address Detection (DAD) to verify the new address is unique

21/06/16

22

IPv6 Autoconfiguration

Tentative Address (EUI-64) FE80::310:BAFF:FE64:1D

Is this address unique?

Assign FE80::310:BAFF:FE64:1D 2001:1234:1:1/64 network

1. A new host is turned on 2. Assign tentative address to new host

3. Perform Duplicate Address Detection (DAD)

4. Host sends NS message to all-nodes multicast address (FF02::1)

5. Wait for NA message. If none arrives, it is unique.

6. Assign link local address to interface

43

IPv6 Autoconfiguration

FE80::310:BAFF:FE64:1D

Send me Router Advertisement

Router Advertisement Assign 2001:1234:1:1:310:BAFF:FE64:1D

2001:1234:1:1/64 network

1. Host sends an RS message to all-routers multicast group (FF02::2)

2. Router replies with a Routing Advertisement (RA)

3. Host will learn the network prefix

4. Host will assign a new address using Network Prefix + Interface ID

21/06/16

23

Exercise: Basic IPv6 •  Login to your assigned VM

•  Assign a static IPv6 address to the interface –  2406:6400:X::/48

•  Launch Wireshark or any sniffing tool –  Filter out ICMPv6 –  Observe the message types (and content) of the packets

IPv6 Toolkits

46

Quick Introduction to the Tools

21/06/16

24

IPv6 Attack Frameworks •  “The Hackers’ Choice” THC-IPv6

–  https://www.thc.org/thc-ipv6/

•  SI6 Networks IPv6 Toolkit –  http://www.si6networks.com/tools/ipv6toolkit/

•  Chiron –  http://www.secfu.net/tools-scripts/

THC-IPv6 – Installation Ubuntu

#install sudo apt-get install thc-ipv6 #verify

ls /usr/bin/atk6-*

Redhat / CentOS #install sudo yum install epel-release sudo apt-get install thc-ipv6 #verify ls /usr/bin/*6

48

21/06/16

25

THC-IPv6 Tools alive6 Checks for live interfaces with ipv6 address

parasite6 “ARP spoofer” for ipv6 redir6 Redirects all traffic into a target implementation6 Test what the firewall supports

firewall6 Performs various ACL bypass attempts thcping6 Test for anti-spoofing (RPF check)

thcping6 <interface> <src-addr> <dest-addr>

fake_router26 Pretend to be a router (replaces fake_router6)

ndpexhaust26 Attack with ICMPv6 toobig and echorequest thcsyn6 Flood the target with SYN packets

http://tools.kali.org/information-gathering/thc-ipv6

SI6 IPv6Toolkit – Installation Ubuntu

sudo yum -y install libpcap-devel

wget https://github.com/fgont/ipv6toolkit/archive/master.zip

unzip master.zip cd ipv6toolkit-master/

sudo make all

sudo make install

#verify ls /usr/local/sbin/*6

Redhat / CentOS

sudo apt-get -y install libpcap-dev

wget https://github.com/fgont/ipv6toolkit/archive/master.zip

unzip master.zip cd ipv6toolkit-master/

sudo make all

sudo make install

#verify ls /usr/local/sbin/*6

50

21/06/16

26

SI6 IPv6 Toolkit Commands

addr6 IPv6 address analysis and manipulation tool

Blackhole6 Troubleshooting tool which can find IPv6 where in the network topology packet with specific Extension header is being dropped

flow6 Tool to perform security assessment of the IPv6 Flow Label frag6 Tool to perform IPv6 fragmentation-based attacks icmp6 Attacks based on ICMPv6 error messages na6 Tool to send arbitrary Neighbor Advertisement messages ra6 Tool to send arbitrary Router Advertisement messages

scan6 IPv6 address scanning tool tcp6 Send arbitrary TCP segments and perform a variety of TCP-based

attacks

https://www.si6networks.com/tools/ipv6toolkit/index.html

Exercise: Attack Toolkit •  If you are running Linux or OS X:

–  Install THC-IPv6 and IPv6 Toolkit

•  If you are running Windows: –  Request for a Linux VM from instructor –  Login to the VM assigned to you –  Both tools are already installed

21/06/16

27

Scanning IPv6 Networks

53

IPv6 uses 128-bit address

It takes too long (or impossible) to scan the entire range

Fact or Myth?

21/06/16

28

Scanning a Network •  The entire IPv4 address space can be scanned in under 5 minutes*

•  IPv6 networks are too big to scan sequentially, but still possible

It's not still possible anymore… •  DNS bruteforcing on common hostnames

–  using a dictionary –  or sequential a,aa,aaa,aab

•  Alive bruteforcing on typical addresses –  low range: ::1,::2,::3,… –  DHCP: sequential ranges 1000-2000 (find one, got all) –  Serviceport in IP addresses numbers: ::80,::53,53:1,53:2 –  Autoconfiguration with MAC: 24 Bit are per Vendor-ID, 24 Bit must be

guessed (16'777'216) –  Addresses using words 2001:db8::cafe:f00d:babe:beef –  other guessable patterns

21/06/16

29

Example: Finding hosts in DNS for target.org •  use dnsdict6 with 'xlarge' built-in dictionary

dnsdict6 –x target.org

-  apollo.target.org ==> 2001:beef:123:8:20c:29ff:fe3d:903 -  ares.target.org ==> 2001:beef:123:8:20c:29ff:fea0:11fc -  argos.target.org ==> 2001:beef:123:8:20c:29ff:fea0:2121 -  athena.target.org ==> 2001:beef:123:8:20c:29ff:fea0:2ffc –  […] –  Found 72 hosts and 60 unique ip-addresses for target.org

Example: Finding live IPs of target.org •  ping6 www.target.org (to get an idea of the used ip-pattern) •  2001:beef:123:1::5 •  use alive26 with a known or guessed pattern

alive26 -d eth1 2001:beef:123:0-ff:0:0:0:0-1f

–  Alive: 2001:beef:123:1::5 (www.target.org) [ICMP echo-reply] –  Alive: 2001:beef:123:2::4 (logon.target.org) [ICMP echo-reply] –  Alive: 2001:beef:123:3::1 (sales.target.org) [ICMP echo-reply] –  Alive: 2001:beef:123:a::9 (control.target.org) [ICMP echo-reply] –  […] –  Scanned 8192 addresses and found 138 systems alive

21/06/16

30

More help from DNS / DNSSEC

•  Try DNS Zone Transfer to read complete zone file dig @<nameserver> <domain> axfr

è seldom possible by now

•  DNSSEC Zone Walking (NSEC records are chained) dnssecwalk <nameserver> <domain>

è corrective with NSEC3 (bind 9.6.0)

If the attacker is already in the LAN •  ping multicast addresses

–  e.g.Link-local scope all nodes multicast address ff02::1 •  ping6 –I eth1 ff02::1 •  alive26 eth1 ff02::1

–  doesn't work from Windows –  doesn't work for all targets

•  Sniffing –  e.g. listen to Neighbor Discovery Protocol

•  Neighbor Cache –  the equivalent to IPv4 ARP chache

•  Linux: ip -6 neigh •  Windows: netsh interface ipv6 show neighbors •  Cisco: show ipv6 neighbors

21/06/16

31

Target Discovery – Mitigation? •  Use of static random addresses & unguessable DNS names? (hmm….)

•  Privacy extensions? (hmm….)

•  Any place where IPv6 addresses are listed will become more attractive for attackers (DNS, DHCP records, Logfiles…) è protect them

•  also mitigate Remote Neighbor Cache Exhaustion Attack –  A scan floods neighbor cache table (fast) –  Rate limiting, Ingress Filtering (see Section Perimeter)

Scanning – Attack Tool •  dnsdict6

–  Used to find all subdomains and enumerate IPv6 addresses

•  alive26 –  Shows alive addresses in the segment.

root@kali:~# atk6-dnsdict6 -d apnic.net

21/06/16

32

63

Starting DNS enumeration work on apnic.net. ... Gathering NS and MX information... NS of apnic.net. is sec1.apnic.net. => 2001:dc0:2001:a:4608::59 NS of apnic.net. is ns1.apnic.net. => 2001:dc0:2001:0:4608::25 NS of apnic.net. is sec3.apnic.net. => 2001:dc0:1:0:4777::140 NS of apnic.net. is ns3.apnic.net. => 2001:dc0:1:0:4777::131 NS of apnic.net. is sec4.apnic.net. => 2001:dc0:4001:1:0:1836:0:141 MX of apnic.net. is ao-mailgw.apnic.net. => 2001:dd8:8:701::25 MX of apnic.net. is ia-mailgw.apnic.net. => 2001:dd8:a:851::25 MX of apnic.net. is nx-mailgw.apnic.net. => 2001:dd8:9:801::25 Starting enumerating apnic.net. - creating 8 threads for 1419 words... Estimated time to completion: 1 to 2 minutes 6to4.apnic.net. => 2001:dc0:2001:11::234 api.apnic.net. => 2001:dd8:9:2::101:29 as.apnic.net. => 2001:dd8:9:2::101:12 blog.apnic.net. => 2001:dd8:8:701::11

Attacks at the Local link •  Attacks related to Neighbor Discovery (NDP)

–  Neighbor Solicitation (NS) – Advertisement (NA) –  Duplicate Address Detection

•  Attacks related to Router Advertisement (RA) –  RA Flooding

21/06/16

33

Neighbor Advertisement Attacks

65

DAD DoS, ND Spoofing, NA Spoofing

Attacker sends NA for each NS

Duplicate Address Detection - DOS

A B C

A sends NS for DAD

Sorry, I have this address already

I want to use this IPv6 address

A can't configure any IPv6 address

21/06/16

34

Duplicate Address Detection - DOS •  Attacker replies to each DAD-NS

•  Victim can't configure an IPv6 address at all

•  Works also if Autoconfiguration is disabled: DAD is mandatory also for DHCPv6 or manually configured addresses!

DAD – Attack Tool dos-new-ip6 This tool prevents new ipv6 interfaces to come up by sending answers to duplicate ip6 checks. This results in a DOS for new IPv6 devices.

root@kali:~# atk6-dos-new-ip6 eth0

Started ICMP6 DAD Denial-of-Service (Press Control-C to end) ...

Spoofed packet for existing ip6 as 2400:6401::1

Spoofed packet for existing ip6 as fe80::5054:ff:fe42:e97a

poofed packet for existing ip6 as 2001:d35d:b33f:0:5054:ff:fe42:e97a

Spoofed packet for existing ip6 as 2001:d35d:b33f:0:5054:ff:fe42:e97a

21/06/16

35

Exercise: DAD DoS •  Try to assign a new IPv6 address to your interface, using

static address sudo ifconfig eth0 add 2400:6400::1/64

•  Alternatively, restart the interfaces so it will do another ND •  If you want to act as an attacker, try the command:

dos-new-ip6 eth0

•  Observe the output of the tool. •  Has the client obtained a global unicast address?

DAD-DOS Observations •  Linux configures link local address (!) and tries every 30 seconds to

configure a Global Unicast Address. –  /proc/sys/net/ipv6/conf/*/accept_dad default=1

•  XP tries a few times – also with different random addresses, and then quits

•  Win7 tries a few times and then quits - might show popup "Windows has detected an IP address conflict“

21/06/16

36

DAD DOS Mitigation •  NS/NA can't be blocked because it's used also for Address Resolution

("ARP”)

•  Most switches can forward multicast packets only to the needed ports

•  This feature is called "MLD snooping", check if it is enabled

Neighbor Discovery Spoofing

72

A B B

Attacker spoofs NA with his MAC address

A sends NS: Who has IPv6 address B? Please send Link Layer Address

I have IP B, here is my MAC address

I want to talk to IP B, pls send your MAC addr.

A talks to Attacker instead of B

21/06/16

37

NDP Spoofing – Attack Tool Parasite6 This is an "ARP spoofer" for IPv6, redirecting all local traffic to your own system (or nirvana if fake-mac does not exist) by answering falsely to Neighbor Solicitation requests, specifying FAKE-MAC results in a local DOS.

Also check out fake_advertise6, flood_advertise6, flood_solicitate6

NDP Spoofing – Attack Tool root@kali:~# atk6-parasite6 -l eth0 aa:bb:cc:11:22:33

Remember to enable routing (ip_forwarding), you will denial service otherwise!

=> echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

Started ICMP6 Neighbor Solitication Interceptor (Press Control-C to end) ...

Spoofed packet to fe80::3636:3bff:fed0:3030 as fe80::4af8:b3ff:fe9a:d29e

Spoofed packet to fe80::3636:3bff:fed0:3030 as fe80::4af8:b3ff:fe9a:d29e

21/06/16

38

Redirect Spoofing

75

A B

B

R1

Attacker sends redirect to A with new-ip/mac

A wants to talk to B

A adds route and then talks to Attacker instead of B

<original-router> <new-ip>

<target-ip>

<src-ip>

ICMPv6 Redirect – Attack Tool redir6 Implant a route into src-ip, which redirects all traffic to target-ip to new-ip. You must know the router which would handle the route. If the new-router-mac does not exist, this results in a DOS.

21/06/16

39

Attacks with Router Advertisement

77

Rogue RA, Lifetime 0 Attacks, RA Flooding

Rogue RA Principle

A C B

Attacker sends Router Advertisements

I am your Default Router!

ICMPv6 Type 134 (RA) Src: own Link Local Address Dst: ff02::1 Data: Prefix, Options, Lifetime, Autoconfig Flag

R1

All nodes autoconfigure IPv6 according to spoofed RA: Default Router, Prefix information

21/06/16

40

Rogue RA – Denial of Service

79

A B B R1

BLOCK

All traffic sent to Attacker ends up in a black hole

Default Router

Rogue RA – Man in the Middle Attack

80

A B B R1 FORWARD

Attacker can intercept, listen, modify unprotected data

Default Router

21/06/16

41

Rogue RA – Performance Issue

81

A B B R1

WLAN

Attacker becomes a bottleneck Often not an attack but misconfigured client

Default Router

Rogue RA – Attack Tool fake_router6 / fake_router26

Announce yourself as a router and try to become the default router.

root@kali:~# atk6-fake_router26 -A 2001:D35D:B33F::/64 eth0 Starting to advertise router (Press Control-C to end) ...

21/06/16

42

Rogue RA – Attack Tool [nsadmin@server1 ~]$ ifconfig

eth0 Link encap:Ethernet HWaddr 52:54:00:42:E9:7A

inet addr:192.168.1.1 Bcast:192.168.255.255 Mask:255.255.0.0

inet6 addr: 2001:d35d:b33f:0:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2001:db8::5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: fe80::5054:ff:fe42:e97a/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:299646 errors:0 dropped:0 overruns:0 frame:0

TX packets:89280 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:220558509 (210.3 MiB) TX bytes:6622864 (6.3 MiB)

Output after fake_router26 is run

Exercise: Route Advertise •  Login to your assigned VM

•  Try to become the default route fake_router26 eth0

•  Observe the interface ip -6 route

•  Advertise a fake route fake_router26 –A 1234::abcd:X::/64 eth0

21/06/16

43

Router Lifetime 0 Attack

85

A B B

R1 is down (Router lifetime = 0)

R1

Attacker sends RAs with Lifetime = 0

Try to remove router from routing table

Router Lifetime 0 Attack kill_router6 •  Announce (to ff02:1) that a router is going down (RA with

Router Lifetime 0) to delete it from the routing tables.

86

root@kali:~# atk6-kill_router6 eth0 '*'

21/06/16

44

Some Rogue RA Facts •  Everybody can send Router Advertisements!

–  Nodes will add (new) global addresses –  Nodes will add / delete default route –  Also in "IPv4-only" networks: IPv6-enabled hosts will configure IPv6

addresses and can then be attacked over IPv6 (second door) –  Possible Attacks: DOS, MITM, decreased Network-Performance (and

more, see soon)

Router Advertisement Flooding

88

A B C

2004:: is a prefix 2005:: is a prefix 2006:: is a prefix 2007:: is a prefix…

R1

Attacker floods LAN with Router Advertisements

21/06/16

45

RA Flooding – Tool flood_router26 / flood_router6 •  Flood the local network with router advertisements

RA Flooding – Tool root@kali:~# atk6-flood_router6 eth0

!

! Please note: flood_router6 is deprecated, please use flood_router26!

!

Starting to flood network with router advertisements on eth0 (Press Control-C to end, a dot is printed for every 1000 packets):

.........................................................................

.........................................................................

.........................................................................

.........................................................................

.........................................................................

.........................................................................

..................

21/06/16

46

RA Flooding – Victim [nsadmin@server1 ~]$ ifconfig

eth0 Link encap:Ethernet HWaddr 52:54:00:42:E9:7A

inet addr:192.168.1.1 Bcast:192.168.255.255 Mask:255.255.0.0

inet6 addr: 2a01:d07b:1aca:eccb:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:d86e:5318:d649:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:364a:768d:3b38:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:cea:f971:b02b:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:3a55:4067:f66a:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:206e:57f1:c2fa:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:3b81:65c6:317b:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:de28:2da1:2a1b:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:53aa:d153:a394:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:8c7f:8bb0:1611:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:96f0:c201:ed8f:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:d4b0:f9:c3e7:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:c994:2497:861e:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:ed60:6bfd:cc19:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: 2a01:5e4c:2412:e7e0:5054:ff:fe42:e97a/64 Scope:Global

inet6 addr: fe80::5054:ff:fe42:e97a/64 Scope:Link

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:370574 errors:0 dropped:0 overruns:0 frame:0

TX packets:89790 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:228886582 (218.2 MiB) TX bytes:6686773 (6.3 MiB)

91

Some RA Flooding Facts •  Everybody can send Router Advertisements!

•  Attacker floods LAN with RAs and lots of Prefixes

•  Nodes will stall or crash:

•  Windows XP,Vista,7,8,200x Server •  Free/Net/Open-BSD - depends on version •  OS X •  Juniper •  Android phones, iPads,... slow down or freeze

•  Safe: •  Cisco IOS & ASA - is fixed •  Linux has a limit of 16 IPv6 addresses incl. link local (not attackable)

21/06/16

47

Detection of Rogue RAs & ND Spoofing •  With a generic Intrusion Detection System

•  signatures needed

•  decentralized sensors in all network segments needed

•  With NDPmon

•  can monitor RAs, NAs, DAD-DOS

•  generates syslog-events and/or sends e-mails

•  free available at ndpmon.sourceforge.net

•  Using Deprecation Daemons:

•  ramond, rafixd

RA Guard •  Router Advertisement Guard (RFC 6105)

•  All messages between IPv6 end-devices traverse the controlled L2 networking device.

•  Filter RA messages based on a

set of criteria

21/06/16

48

RA Guard – 3 Types •  Stateless RA-Guard

–  filter incoming RAs based on information found in the message (Link Layer address, IP source address, Prefix List, Router Priority) or in the L2-device configuration (Switch-Port).

•  Stateful RA-Guard –  Stateful RA-Guard learns dynamically about legitimate RA senders and

stores this information for allowing subsequent RAs ("Learning-Mode").

•  SEND-based RA-Guard –  Filtering RAs based on SEND considerations

SEND •  Secure Neighbor Discovery (RFC 3971)

•  A crypto solution for securing NDP messages

•  A set of new ND options added

21/06/16

49

Rogue RA Conclusion •  Mitigation of Rogue RA must be considered - even in IPv4-only

networks

•  There are several mitigation approaches with different Pros/Cons – these can be combined

•  Different operational scenarios require different mitigation approaches

•  See RFC 6104 for more information and references

IPv6 Security Best Practices

98

21/06/16

50

0. Are you running IPv6? •  Know whether you are running IPv6

–  IPv6 is enabled by default in some devices and operating systems •  (ISATAP, Teredo, etc in Windows PC)

–  If not using IPv6, make sure to disable this in all devices

•  Decide when to enable IPv6 –  Make sure there are IPv6 policies in place

1. Learn IPv6 •  Teach your network operators about IPv6

•  Teach your users about IPv6

•  Set up a test environment –  Don’t assume that staff will get it the first time –  some trial and error to be done

•  Learn from others’ deployment strategies

21/06/16

51

2. Adopt the same BCPs in IPv4 •  Implement BCP38 and MANRS

•  Replicate your IPv4 policies into IPv6

•  Replicate your IPv4 filters

•  Use similar authentication methods as in IPv4 –  For login and routing protection

3. Apply Filters •  Filter out some ICMPv6 messages

•  Rate limit

•  Block Routing Header 0 –  This is now the default from RFC 5095

21/06/16

52

4. IPv6 Support for Equipment •  Check if your security equipment has support for IPv6

•  Always include security plans in the overall IPv6 deployment plan

•  Update purchasing plans to include this

References •  IPv6 Security by S. Hogg and E. Vyncke

•  NIST Guidelines for the Secure Deployment of IPv6

21/06/16

53

References •  RFC 2460: Internet Protocol Version 6 (IPv6) Specification

•  RFC 4861: Neighbor Discovery for IP version 6 (IPv6)

•  RFC 6583: Operational Neighbor Discovery Problem

•  RFC 5157: IPv6 Implications for Network Scanning

•  RFC 7707: Network Reconnaissance in IPv6 Networks

•  RFC 7721: Security and Privacy Considerations for IPv6 Address Generation Mechanisms

•  RFC 5095: Deprecation of Type 0 Routing Headers in IPv6

•  RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls

•  RFC 6980: Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery

•  RFC 7527: Enhanced Duplicate Address Detection

•  RFC 6104: Rogue IPv6 Router Advertisement Problem Statement

References •  RFC 6105: IPv6 Router Advertisement Guard

•  RFC 3971: Secure Neighbor Discovery (SEND)

21/06/16

54

Questions?

107

www.facebook.com/APNIC

www.twitter.com/apnic

www.youtube.com/apnicmultimedia

www.flickr.com/apnic

www.weibo.com/APNICrir