IPv6 Security Why you should care Stefan Avgoustakis - CSE

May 25, 2020

Transcript
Page 1: IPv6 Security Why you should care - AusCERT

IPv6 Security Why you should care

Stefan Avgoustakis - CSE

Page 2:

2 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID

Understand Why IPv6 Matters Now

IPv6 Security myths

Securing the transition mechanisms

IPv6 Protocol Security Vulnerabilities

Page 3:

Growth of Connected Devices – Internet of Things

2007: Total 500 Million, 1/10th of a Device per Person on Earth
2010: Total 35 Billion, 5 Devices per Person on Earth
2013: Total 50 Billion, 7 Devices per Person on Earth

Source: Forrester Research, Cisco IBSG

Page 4:

2020: Total 1 Trillion, 140 Devices per Person on Earth

Page 5:

5 © 2013 Cisco Systems, Inc. All rights reserved. IPv6 Security

IPv4 Pool Exhaustion: IANA Is Now Out

http://www.apnic.net/community/ipv4-exhaustion/ipv4-exhaustion-details

Page 6:

Introducing IPv6

IPv4: 4.3 Billion IP addresses (2^32)

IPv6: 340,282,366,920,938,463,463,374,607,431,768,211,456 IP addresses (2^128)

Page 7:

Introducing IPv6

100 IP addresses for every atom on this Earth
1 IP address per water drop on this Earth … a trillion times
IPv4 equals an atom … IPv6 equals 80 tons

Page 8:

Other IPv6 adoption drivers

§ Mandated, e.g. Australia's AGIMO IPv6 strategy
§ Research environments, e.g. Australia's GrangeNet
§ End-to-end packet integrity: effective security and enhanced application experience for peer-to-peer connections, e.g. telephony and video

Page 9:

IPv6 Adoption

Page 10:

IPv6 Adoption - Australia

Source: http://6lab.cisco.com/stats/index.php

Page 11:

Why you should care about IPv6 Security now

§ Most networks have already (partially) deployed IPv6
§ You will likely perform a deployment in the near term
§ You may communicate with IPv6 systems (via transition/co-existence technologies)

Page 12:

State of IPv6 Security

§ Less experience/knowledge with IPv6
§ IPv6 implementations are much less mature
§ Security products have less support for IPv6
§ Transition increases complexity:
• Dual Stack (IPv4 and IPv6)
• Increased use of NATs
• Increased use of tunnels

Page 13:

IPv4 and IPv6 Header Comparison

IPv4 Header: Version, HL (Header Length), Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding

IPv6 Header: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

Field's Name Kept from IPv4 to IPv6: Version, Source Address, Destination Address
Fields Not Kept in IPv6: HL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding (fragmentation and options move to extension headers; IPv6 has no header checksum)
Name and Position Changed in IPv6: Type of Service -> Traffic Class, Total Length -> Payload Length, Protocol -> Next Header, Time to Live -> Hop Limit
New Field in IPv6: Flow Label

Page 14:

IPv6 over Ethernet

§ IPv6 uses Ethernet Protocol ID (EtherType) 0x86DD
§ IPv4 uses Ethernet Protocol ID (EtherType) 0x0800

Dest MAC | Source MAC | 0x86DD | IPv6 Header and Payload
Dest MAC | Source MAC | 0x0800 | IPv4 Header and Payload

Page 15:

Extension Header – RFC 2460

§ Indicate transport layer info or extend functionality

L2 HEADER | IPv6 Header (NH=6) | TCP Header | DATA
L2 HEADER | IPv6 Header (NH=43) | Routing Header (NH=6) | TCP Header | DATA
L2 HEADER | IPv6 Header (NH=43) | Routing Header (NH=44) | Frag Header (NH=6) | TCP Header | DATA

Next Header (NH) values shown: 6 = TCP, 43 = Routing Header, 44 = Fragment Header, 59 = No Next Header (nothing follows)

Page 16:

Extension Header – RFC 2460

§ A packet consists of an IPv6 header chain and an (optional) payload
§ Options inside an extension header are encoded as TLV (Type-Length-Value)
§ RFC 2460 says each extension header should occur at most once (Destination Options twice), but receivers must process whatever chain arrives, so in practice any number of instances of any number of different headers can show up
§ Each header can contain an arbitrary number of options
§ A large number of headers/options has a negative impact on inspection performance
§ It may be impossible to "identify" which "type" of packet a specific fragment belongs to: only the first fragment carries the upper-layer header

Page 17:

Extension Header – Routing Header type 0 Threat

§ RH0 provides similar functionality to that of IPv4 source routing
• Can be leveraged to make packets bounce between network addresses
• Higher impact than in IPv4 because hosts, not only routers, process and forward it
§ Attacker creates a routing header listing A->B->A->B… resulting in a packet loop that amplifies traffic between A and B

Page 18:

Extension Header – Routing Header type 0 Mitigation

§ Apply the same policy for IPv6 as for IPv4: block Routing Header type 0
§ Prevent processing at intermediate nodes: no ipv6 source-route (Cisco IOS)
§ Windows, Linux, Mac OS: ignore RH0 by default
§ RFC 5095 (Dec 2007): RH0 is deprecated
§ Caution required – RH0 processing was enabled by default on implementations that predate 2007
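The header-chain walk that the three chains on Page 15 and the RH0 threat on Pages 17-18 describe, as an added example that is not part of the original deck: a small Python parser that walks an Ethernet frame's IPv6 extension-header chain, reports the upper-layer protocol, flags a Routing Header type 0 for dropping, and gives up on a non-first fragment because the upper-layer header only exists in fragment 0. The three frames are constructed inline; the link-local addresses and the 8-header limit are assumptions made for the example.

```python
import struct

# IANA protocol numbers used as IPv6 Next Header values
HOPOPT, TCP, ROUTING, FRAGMENT, AH, NONXT, DSTOPTS = 0, 6, 43, 44, 51, 59, 60
EXT_NAMES = {HOPOPT: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
             AH: "AH", DSTOPTS: "Destination Options"}
ETHERTYPE_IPV6 = 0x86DD
MAX_EXT_HEADERS = 8   # assumed inspection limit for this example, not an RFC value


def walk_chain(frame):
    """Walk the IPv6 header chain of one Ethernet frame.

    Returns {"chain": [(name, info), ...], "upper": upper-layer protocol number
    or None when it cannot be determined, "findings": [str, ...]}.
    """
    if len(frame) < 14 + 40:
        raise ValueError("frame too short for Ethernet + IPv6")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        raise ValueError("not an IPv6 frame")
    ip6 = frame[14:]
    vtcfl, _plen, nh, _hlim = struct.unpack("!IHBB", ip6[:8])
    if vtcfl >> 28 != 6:
        raise ValueError("IP version is not 6")
    chain, findings, upper, off = [], [], None, 40
    while True:
        if nh == NONXT:                       # 59: nothing follows the chain
            break
        if nh == FRAGMENT:
            if off + 8 > len(ip6):
                raise ValueError("truncated Fragment header")
            nxt, _res, offres_m, ident = struct.unpack("!BBHI", ip6[off:off + 8])
            frag_off, more = offres_m >> 3, offres_m & 1
            chain.append(("Fragment", {"offset": frag_off, "more": more, "id": ident}))
            if frag_off != 0:
                # Only the first fragment carries the upper-layer header, so a
                # stateless inspector cannot tell what kind of packet this is.
                findings.append("non-first fragment: upper-layer protocol unknown")
                break
            off, nh = off + 8, nxt
        elif nh in EXT_NAMES:
            if off + 2 > len(ip6):
                raise ValueError("truncated extension header")
            nxt, ext_len = ip6[off], ip6[off + 1]
            # AH measures its length in 32-bit words minus 2; the others in
            # 8-byte units, not counting the first 8 bytes.
            length = (ext_len + 2) * 4 if nh == AH else (ext_len + 1) * 8
            if off + length > len(ip6):
                raise ValueError("extension header runs past the packet")
            info = {"len": length}
            if nh == ROUTING:
                info["type"], info["segments_left"] = ip6[off + 2], ip6[off + 3]
                if info["type"] == 0:
                    findings.append("Routing Header type 0 (deprecated by RFC 5095): drop")
            chain.append((EXT_NAMES[nh], info))
            off, nh = off + length, nxt
        else:
            upper = nh                        # TCP, UDP, ICMPv6, ESP, ...
            break
        if len(chain) > MAX_EXT_HEADERS:
            findings.append("excessive extension header chain")
            break
    return {"chain": chain, "upper": upper, "findings": findings}


# --- constructed sample frames (built here, not captured traffic) ---
SRC = bytes.fromhex("fe80000000000000000000000000aaaa")
DST = bytes.fromhex("fe80000000000000000000000000bbbb")


def ipv6_frame(first_nh, payload):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64) + SRC + DST + payload


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
# RH0: next=TCP, Hdr Ext Len=2 (24 bytes), type 0, segments left 1, reserved, one address
RH0 = struct.pack("!BBBB", TCP, 2, 0, 1) + b"\x00" * 4 + SRC
# Fragment header: next=TCP, fragment offset 1 (byte 8), M=0, i.e. a non-first fragment
FRAG = struct.pack("!BBHI", TCP, 0, 1 << 3, 0x1234ABCD)

FRAME_PLAIN = ipv6_frame(TCP, TCP_SYN)
FRAME_RH0 = ipv6_frame(ROUTING, RH0 + TCP_SYN)
FRAME_FRAG = ipv6_frame(FRAGMENT, FRAG + b"\x00" * 16)

if __name__ == "__main__":
    for name, frame in (("plain", FRAME_PLAIN), ("rh0", FRAME_RH0), ("fragment", FRAME_FRAG)):
        print(name, walk_chain(frame))
```

The walker deliberately stops at ESP (it is treated as the upper layer) because everything after it is encrypted, and it bounds the chain length so that a packet stuffed with headers cannot make the inspector do unbounded work, which is the performance point made on Page 16.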

Page 19:

IPv6  Extension  Headers  and  Upper  Layer  Protocols  INFO  

Page 20:

IPv4 Protocol Stack - The relevant bits

Physical Layer
Link Layer
Internet Protocol v4 – 32 bits, with ARP alongside it
TCP, UDP, ICMP
DHCP, HTTP, TLS (HTTP over TLS)

Page 21:

IPv6 Protocol Stack – More than just 128 bits

Physical Layer
Link Layer
Internet Protocol v6 – 128 bits (ARP is no longer used; its job moves to NDP over ICMPv6)
TCP, UDP, ICMPv6
DHCP, HTTP, TLS (HTTP over TLS)
ICMPv6 now also carries: NDP, MLD, MRD

Page 22:

IPv6 Protocol Stack – New kids on the block

§ NDP: Neighbor Discovery Protocol
§ MLD: Multicast Listener Discovery protocol
§ MRD: Multicast Router Discovery

Page 23:

Neighbour Discovery (NDP) replaces ARP

§ Find the link-layer addresses of nodes on the local link - uses a mix of ICMPv6 messages and multicast addresses.
§ Stateless Auto-Configuration - allows nodes on the local link to configure their IPv6 addresses by themselves by using a mix of ICMPv6 messages and multicast addresses.
§ Five different packet types:
• Router Solicitation (ICMPv6 type 133) - Router Advertisement (type 134)
• Neighbour Solicitation (type 135) - Neighbour Advertisement (type 136)
• Redirect message (type 137)

Page 24:

Neighbor Discovery - Stateless Autoconfiguration

1. RS: Src = :: (the node has no address yet), Dst = All-Routers multicast address (FF02::2), ICMP Type = 133, Data = Query: please send RA
2. RA: Src = Router link-local address, Dst = All-nodes multicast address (FF02::1), ICMP Type = 134, Data = options, prefix, lifetime, autoconfig flag

Router Solicitations are sent by booting nodes to request Router Advertisements for stateless address auto-configuration

Page 25:

ARP Spoofing is now NDP Spoofing - Threat

§ ARP is replaced by Neighbor Discovery Protocol
• Nothing authenticated
• Static entries overwritten by dynamic ones
§ Stateless Address Autoconfiguration
• Rogue RA (malicious or not)
• All nodes badly configured
• DoS
• Traffic interception (Man In the Middle attack)

Page 26:

ARP Spoofing is now NDP Spoofing – Mitigation (RFC 6104)

§ Manual configuration of host – discards RAs
§ RA Snooping aka RA Guard (RFC 6105)
§ Port ACL options – filter on RA packets (ICMPv6 type 134)
§ Secure Neighbor Discovery (SEND, RFC 3971) = NDP + crypto
§ Host isolation:
• Private VLAN works with IPv6
• Port security works with IPv6
• 802.1X works with IPv6
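How an RA Guard-style check decides whether to accept a Router Advertisement, as an added example that is not code from the deck: it parses a raw IPv6 packet, verifies the ICMPv6 checksum, requires hop limit 255 and a link-local source (both RFC 4861 requirements, and the hop-limit check is what proves the RA was not forwarded), checks the source against an allow-list of authorised routers and compares every Prefix Information option with the expected prefix. The allow-list (fe80::1), the expected prefix (2001:db8:1::/64) and the four RA packets are constructed for the example.

```python
import ipaddress
import struct

ICMPV6, ROUTER_ADVERTISEMENT, PREFIX_INFORMATION = 58, 134, 3

# Assumed site policy for this example: the only legitimate router on the link
# and the only prefix it may advertise.
ALLOWED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_checksum(src, dst, message):
    """RFC 4443 checksum over the pseudo-header (src, dst, length, next header) and the message."""
    pseudo = src + dst + struct.pack("!I", len(message)) + b"\x00\x00\x00" + bytes([ICMPV6])
    return ones_complement_sum(pseudo + message)


def nd_options(data):
    """Yield (type, body) for the TLV options that follow an ND message's fixed part."""
    off = 0
    while off + 2 <= len(data):
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0:                 # RFC 4861: a zero-length option is invalid
            raise ValueError("ND option with length 0")
        yield opt_type, data[off + 2:off + opt_len * 8]
        off += opt_len * 8


def check_ra(packet, allowed_routers=ALLOWED_ROUTERS, expected_prefixes=EXPECTED_PREFIXES):
    """Validate one raw IPv6 packet as an RA. Returns (accepted, reasons, prefixes)."""
    vtcfl, plen, nh, hlim = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    message = packet[40:40 + plen]
    if nh != ICMPV6 or len(message) < 16 or message[0] != ROUTER_ADVERTISEMENT:
        return False, ["not a Router Advertisement"], []
    reasons, prefixes = [], []
    if hlim != 255:   # RFC 4861: an RA must arrive with hop limit 255, i.e. it was never forwarded
        reasons.append("hop limit %d != 255" % hlim)
    if not src.is_link_local:
        reasons.append("source %s not link-local" % src)
    if icmpv6_checksum(packet[8:24], packet[24:40], message) != 0:
        reasons.append("ICMPv6 checksum invalid")
    if src not in allowed_routers:
        reasons.append("source %s not an authorised router" % src)
    for opt_type, body in nd_options(message[16:]):
        if opt_type == PREFIX_INFORMATION and len(body) >= 30:
            # body: prefix length (1), L/A flags (1), valid (4), preferred (4), reserved (4), prefix (16)
            prefix = ipaddress.IPv6Network("%s/%d" % (ipaddress.IPv6Address(body[14:30]), body[0]), strict=False)
            prefixes.append(prefix)
            if prefix not in expected_prefixes:
                reasons.append("unexpected prefix %s" % prefix)
    return not reasons, reasons, prefixes


def build_ra(src, dst, prefix, hop_limit=255):
    """Constructed RA with one Prefix Information option (sample data, not a capture)."""
    src_b, dst_b = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    net = ipaddress.IPv6Network(prefix)
    msg = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0x00, 1800, 0, 0)
    msg += struct.pack("!BBBBIII", PREFIX_INFORMATION, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    msg += net.network_address.packed
    msg = msg[:2] + struct.pack("!H", icmpv6_checksum(src_b, dst_b, msg)) + msg[4:]
    return struct.pack("!IHBB", 6 << 28, len(msg), ICMPV6, hop_limit) + src_b + dst_b + msg


GOOD_RA = build_ra("fe80::1", "ff02::1", "2001:db8:1::/64")
ROGUE_RA = build_ra("fe80::bad", "ff02::1", "2001:db8:bad::/64")
FORWARDED_RA = build_ra("fe80::1", "ff02::1", "2001:db8:1::/64", hop_limit=64)
TAMPERED_RA = GOOD_RA[:-1] + bytes([GOOD_RA[-1] ^ 0x01])   # one bit flipped inside the prefix

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("rogue", ROGUE_RA), ("forwarded", FORWARDED_RA), ("tampered", TAMPERED_RA)):
        print(name, check_ra(pkt))
```

The allow-list is the weak spot of this check: a rogue host can spoof the legitimate router's link-local source, which is exactly why the deck pairs RA Guard with port-level isolation and SEND rather than relying on any one of them.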

Page 27:

IPv6 Protocol Stack – ICMP

ICMP Message Type                 | ICMPv4 | ICMPv6
Connectivity Checks               |   X    |   X
Informational/Error Messaging     |   X    |   X
Fragmentation Needed Notification |   X    |   X
Address Assignment                |        |   X
Address Resolution                |        |   X
Router Discovery                  |        |   X
Multicast Group Management        |        |   X
Mobile IPv6 Support               |        |   X

Page 28:

Filtering ICMPv6 Messages in Firewalls - RFC 4890 (messages that must not be dropped)

Action | Src | Dst | ICMPv6 Type | ICMPv6 Code | Name
Permit | Any | A   | 128         | 0           | Echo Request
Permit | Any | A   | 129         | 0           | Echo Reply
Permit | Any | A   | 1           | All         | Destination Unreachable (code 0 = No Route to Destination)
Permit | Any | A   | 2           | 0           | Packet Too Big
Permit | Any | A   | 3           | 0           | Time Exceeded - Hop Limit Exceeded in Transit
Permit | Any | A   | 4           | 1 & 2 only  | Parameter Problem

Page 29:

ICMPv6  –  Message  Types  and  Codes  INFO  

Page 30:

IPv6 – General Addressing

§ IPv6 uses 128-bit addresses
§ Hex presentation
§ Addresses are aggregated into "prefixes" (for routing purposes)
§ Address types: Unicast, Anycast and Multicast
§ Address scopes: (link-local, global, etc.)
§ At any given time, several IPv6 addresses, of multiple types and scopes, are in use - examples:
• One or more unicast link-local addresses
• One or more global unicast addresses

Page 31:

IPv6 – Address types

Address Type         | IPv6 prefix
Unspecified          | ::/128
Loopback             | ::1/128
Multicast            | FF00::/8
Link-local unicast   | FE80::/10
Unique Local Unicast | FC00::/7
Global Unicast       | everything else

Page 32:

The IPv6 Address Interface ID

§ The Interface ID of a unicast address may be assigned in different ways:
§ Auto-configured from a 64-bit EUI-64 or expanded from a 48-bit MAC
§ Auto-generated pseudo-random number (to address privacy concerns, RFC 4941)
§ Assigned via DHCPv6
§ Manually configured

§ EUI-64 format is used for stateless auto-configuration
§ Expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle
§ Intended to ensure the chosen address is derived from a unique Ethernet MAC address
§ The universal/local (U/L) bit, bit 7 of the first byte, is inverted relative to IEEE in the modified EUI-64 format: 1 means universally administered (derived from a real MAC), 0 means locally administered

Page 33:

IPv6 – Security Myths: Absence of Reconnaissance

§ Default subnets in IPv6 have 2^64 addresses - at 10 Mpps a brute-force scan takes more than 50 000 years
§ Reconnaissance techniques get smarter:
§ IPv6 addresses embedding IEEE IDs (MAC-derived info)
§ Increased deployment/reliance on dynamic DNS
§ Human factor: easy-to-remember addresses (wordy, IPv4 last octet)
§ Multicast:
• 3 site-local multicast addresses (not enabled by default): FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers
• Several link-local multicast addresses (enabled by default): FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, …

Page 34:

IPv6 – Security Myths: Absence of Reconnaissance

EUI-64 interface ID layout:
IEEE OUI (24 bits) | FF FE (16 bits) | Lower 24 bits of MAC (24 bits)
KNOWN / GUESS      | KNOWN           | NOT KNOWN

Page 35:

IPv6 – Security Myths: Absence of Reconnaissance

Interface ID – lower 24 bits:
§ MAC addresses can be consecutive in larger organizations and geographical areas
§ VMware ESX employs:
• Automatic MACs: VMware OUI 00:05:69, and the next 16 bits copied from the low-order 16 bits of the host's IPv4 address (search space: 2^8)
• Manually-configured MACs: OUI 00:50:56 and the rest in the range 0x000000-0x3FFFFF (search space: 2^22)
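Worked example of the addressing and reconnaissance material on Pages 31 to 35, added here and not from the original slides: address-type classification following the table on Page 31, modified EUI-64 derivation and its inverse (recovering the MAC, and so the OUI, from an address), the brute-force figure behind the "50 000 years" claim, and the 2^8 candidate list an attacker would generate for VMware ESX automatic MACs once the ESX host's IPv4 address is known. The prefix 2001:db8:1::/64, the MACs and the host address 10.20.30.40 are constructed inputs.

```python
import ipaddress


def classify(address):
    """Map an IPv6 address to the address-type table on Page 31 (RFC 4291 / RFC 4193)."""
    a = ipaddress.IPv6Address(address)
    if a.is_unspecified:
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:
        return "multicast"
    if a.is_link_local:
        return "link-local unicast"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique local unicast"
    return "global unicast"


def mac_to_iid(mac):
    """Modified EUI-64: insert FFFE in the middle and invert the U/L bit (RFC 4291, Appendix A)."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    octets[0] ^= 0x02          # 1 = universally administered (came from a real MAC)
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def slaac_address(prefix, mac):
    """The address SLAAC derives from a /64 prefix and a MAC address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_iid(mac))


def mac_from_address(address):
    """Recover the MAC an EUI-64 interface ID was built from, or None if it is not EUI-64."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join("%02x" % o for o in octets)


def years_to_scan(bits=64, packets_per_second=10_000_000):
    """Brute-force time for a 2^bits address space at the given probe rate."""
    return 2 ** bits / packets_per_second / (365.25 * 86400)


def vmware_auto_candidates(prefix, esx_host_ipv4):
    """Candidate SLAAC addresses for VMs with ESX automatic MACs: OUI 00:05:69,
    next 16 bits = low 16 bits of the ESX host's IPv4 address, last 8 bits unknown."""
    low16 = ipaddress.IPv4Address(esx_host_ipv4).packed[2:]
    return [slaac_address(prefix, "00:05:69:%02x:%02x:%02x" % (low16[0], low16[1], last))
            for last in range(256)]


if __name__ == "__main__":
    # constructed inputs; 2001:db8::/32 is the documentation prefix
    print(classify("fe80::20c:29ff:fe12:3456"), mac_from_address("2001:db8:1:0:20c:29ff:fe12:3456"))
    print("brute-force years for a /64 at 10 Mpps: %.0f" % years_to_scan())
    print("ESX automatic-MAC search space:", len(vmware_auto_candidates("2001:db8:1::/64", "10.20.30.40")))
```

mac_from_address is the defender's view of the same fact: any address it decodes is one that leaks the hardware vendor and survives across networks, which is the case for privacy addresses (RFC 4941) or DHCPv6-assigned interface IDs.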

Page 36:

IPv6 – Security Myths: IPsec will save the world

§ IPv6 originally mandated the implementation of IPsec - but not its use
§ RFC 6434: "IPsec SHOULD be supported by all IPv6 nodes" (no longer a MUST)
§ IPsec comes with challenges:
• Interesting scalability issue (n^2 key/SA relationships for end-to-end IPsec)
• Need to trust endpoints and end-users because the network cannot inspect the traffic: no IPS, no ACL, no firewall
• Network telemetry is blinded: NetFlow of little use
• Network services hindered: QoS?

Page 37:

IPv6 – Transition Mechanisms

Dual Stack: recommended enterprise co-existence strategy (IPv4 and IPv6 side by side)
Tunneling Services: connect islands of IPv6 or IPv4 (IPv6 over IPv4, IPv4 over IPv6)
Translation Services: connect to the IPv6 community - business partners, Internet consumers, remote workers, international sites, government agencies

Page 38:

Dual Stack - intro

§ Each node's IP stack supports both IPv4 and IPv6
§ Domain names include both A and AAAA records
§ IPv4 or IPv6 are used as needed or preferred - e.g. Happy Eyeballs
§ Main operating systems include native IPv6 support enabled by default and prefer IPv6 over IPv4
§ Dual-stack is the recommended strategy for hosts

Page 39:

Dual Stack – Threats and mitigation

§ Lack of awareness that IPv6 is enabled – even on IPv4-only networks
§ Rogue IPv6 router uses RAs to configure the IPv6 stack
§ Host security mechanisms not IPv6 aware
§ IPv6 used to evade network security controls

§ Disable the IPv6 stack on the host if not used
§ Create an IPv6 control policy – host and network

Page 40:

Tunnels - Intro

Transport IPv6 packets over IPv4
§ Configured: manual configuration
• 6in4
• Tunnel broker
§ Automatic: tunnel end-points derived from the IPv6 addresses
• ISATAP
• Teredo
• 6to4
• 6rd

Page 41:

Tunnels – Threats

ISATAP: Intra-Site Automatic Tunnel and Addressing Protocol
§ Unauthorized tunnels - firewall bypass (IPv4 protocol 41)
§ IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise
§ No authentication in ISATAP - rogue routers are possible
§ Windows defaults to resolving the name "isatap" in its DNS suffixes (e.g. isatap.example.com); whoever answers becomes the ISATAP router
§ IPv6 addresses can be guessed from the IPv4 prefix because the interface ID embeds the IPv4 address (::0:5EFE:w.x.y.z) - scanning is back!

Page 42:

Tunnels – Threats

Teredo:
§ IPv6 over UDP (port 3544) - the firewall just sees IPv4 UDP traffic
§ Hosts behind a NAT may become reachable from the public Internet
§ Windows systems resolve "teredo.ipv6.microsoft.com" - an attacker who can tamper with that DNS answer can impersonate the Teredo server

Page 43:

Tunnels – Mitigations

Teredo:
§ Filter IPv4.dst == known_teredo_servers && UDP.DstPort == 3544

ISATAP:
§ Filter IPv4.Protocol == 41
§ Check DNS logs for ISATAP name resolution
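The filters on this page as detection code, added as an example and not part of the deck: it classifies raw IPv4 packets as protocol-41 tunnels (6in4, narrowed to 6to4 or ISATAP when the inner IPv6 address embeds an IPv4 address) or Teredo (UDP 3544), and decodes the Teredo server, client address and port from the inner address, which is what a responder needs to see who is really talking to whom through the NAT. Sample packets are constructed from documentation addresses; the slide's known-Te­redo-server list is not modelled.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

PROTO_IPV6_IN_IPV4, PROTO_UDP, TEREDO_PORT = 41, 17, 3544


def embedded_ipv4(addr):
    """Tunnel type and the IPv4 address an IPv6 address embeds (6to4: RFC 3056, ISATAP: RFC 5214)."""
    p = addr.packed
    if p[:2] == b"\x20\x02":                                   # 2002:WWXX:YYZZ::/48
        return "6to4", IPv4Address(p[2:6])
    if p[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):  # ::0:5EFE:w.x.y.z, U/L bit either way
        return "isatap", IPv4Address(p[12:16])
    return None


def decode_teredo(addr):
    """Fields of a Teredo address (RFC 4380): 2001:0:<server>:<flags>:<port^FFFF>:<client^FFFFFFFF>."""
    p = addr.packed
    if p[:4] != b"\x20\x01\x00\x00":
        return None
    flags, port = struct.unpack("!HH", p[8:12])
    return {"server": IPv4Address(p[4:8]), "cone": bool(flags & 0x8000),
            "port": port ^ 0xFFFF, "client": IPv4Address(bytes(b ^ 0xFF for b in p[12:16]))}


def classify_tunnel(pkt):
    """Classify one raw IPv4 packet as 6in4/6to4/ISATAP (protocol 41), Teredo (UDP 3544) or neither."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    outer = (IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20]))
    payload = pkt[ihl:]
    if proto == PROTO_IPV6_IN_IPV4 and len(payload) >= 40:
        inner = (IPv6Address(payload[8:24]), IPv6Address(payload[24:40]))
        info = {"tunnel": "6in4", "outer": outer, "inner": inner, "embedded": []}
        for a in inner:
            found = embedded_ipv4(a)
            if found:
                info["tunnel"] = found[0]
                info["embedded"].append(found[1])
        return info
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            info = {"tunnel": "teredo", "outer": outer, "client": None}
            inner = payload[8:]
            # A Teredo datagram may start with an origin/authentication indicator
            # (first byte 0x00); only a bare IPv6 packet (version nibble 6) is decoded here.
            if len(inner) >= 40 and inner[0] >> 4 == 6:
                info["client"] = decode_teredo(IPv6Address(inner[8:24]))
            return info
    return {"tunnel": None, "outer": outer}


# --- constructed sample packets (not captures); RFC 5737 / RFC 3849 documentation addresses ---
def ipv4_packet(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload


def ipv6_header(src, dst):
    return struct.pack("!IHBB", 6 << 28, 0, 59, 64) + IPv6Address(src).packed + IPv6Address(dst).packed


SIXTO4 = ipv4_packet(41, "192.0.2.10", "192.88.99.1", ipv6_header("2002:c000:20a::1", "2001:db8::1"))
ISATAP = ipv4_packet(41, "10.1.2.3", "10.9.9.9", ipv6_header("fe80::5efe:a01:203", "fe80::5efe:a09:909"))
TEREDO = ipv4_packet(17, "198.51.100.7", "203.0.113.5",
                     struct.pack("!HHHH", 40000, TEREDO_PORT, 48, 0)
                     + ipv6_header("2001:0:cb00:7105:8000:fb2d:39cc:9bf8", "2001:db8::1"))
PLAIN = ipv4_packet(6, "192.0.2.10", "192.0.2.20", b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in (("6to4", SIXTO4), ("isatap", ISATAP), ("teredo", TEREDO), ("plain", PLAIN)):
        print(name, classify_tunnel(pkt))
```

Matching on port 3544 alone is the slide's suggestion and it is a heuristic: a Teredo server may run on another port and ordinary UDP may use 3544, so the decoded 2001:0::/32 inner address is the stronger signal when the payload is available.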

Page 44:

How imminent are IPv6 attacks?

§ The tools:
• THC-IPv6 by van Hauser
• SI6 IPv6 Toolkit by Fernando Gont
§ The exploits:
• Zeus botnet is IPv6 compliant

Page 45:

Key observations

IPv6 robustness
§ Implementations have not really been the target of attackers, yet
§ Only a handful of publicly available attack tools
§ Lots of vulnerabilities and bugs still to be discovered

IPv6 control policy points
§ IPv6 inspection is not broadly supported in security devices

Education/Training/Awareness
§ Pushing people to "Enable IPv6" as a turn-key solution doesn't work
§ Creating awareness and expertise

Page 46:

Resources

§ RFCs are your friend
§ NIST Special Publication 800-119, Guidelines for the Secure Deployment of IPv6
§ Cisco.com/go/ipv6
§ 6lab.cisco.com
§ IPv6 Security – Eric Vyncke and Scott Hogg @ Cisco Press

Page 47:

Questions ?

[email protected] - @savgoust