Yuji Ukai, Senior Software Engineer
Ryan Permeh, Founding Software Engineer
Ryoji Kanai, Software Engineer
Retina Network Security Scanner Development Core Team
PacSec 2006 Conference
The fourth annual PacSec conference, November 27-30 2006, at the Aoyama Diamond Hall in Tokyo, Japan.
Transcript
Introduction
• The American Department of Defense announced that it will move its network to IPv6. Because of this, IPv6 is currently in the spotlight in the U.S.
• All network devices should be updated to support IPv6.
- Security products must also be updated to keep up.
• A network security scanner must be able to scan an IPv6 network. Most of the core technologies based on IPv4 can still be used, but we are facing some new issues.
• We will describe some of the issues and some possible solutions to the problem of security risk management in an IPv6 network.
IPv6 networking
• IPv6 is rapidly becoming more popular since the DoD IPv6 announcement.
- DoD will switch their network to IPv6 across the board.
- This network is responsible for supporting soldiers and signal communications.
- All new network devices purchased should already support IPv6.
• The US Department of Commerce is investigating the economic effect of IPv6.
• The governments and militaries in Germany, France, U.K., China, Korea and Japan all have plans to push IPv6 forward in their networks.
• Many vendors, ISPs, and research institutes have accelerated their R&D for IPv6 deployment.
• Security risk management solutions must consider the implications of supporting IPv6 as well.
Security risk management using a network security scanner
• Scan the network.
• Collect the assets and their vulnerability information.
• Analyze the threat, vulnerability, and importance of each asset.
• Know the risk factors on the network and take action to fix them.
• We must deploy accurate and fast vulnerability scanning to manage the risk on the network appropriately.
• Supporting IPv6 might have a bad effect on the accuracy and speed of the traditional scanning methodology.
- Host discovery and OS detection techniques
IPv6 Host Discovery
Negative impact caused by supporting IPv6 - Host discovery
• Discover the hosts using ICMP, TCP, and UDP probes.
• Host discovery is necessary to collect the asset information and the list of targets for vulnerability scanning.
• IPv6 features that affect host discovery:
- Huge Address Space
- Secure Neighbor Discovery and CGA
- Privacy Enhanced Addresses
Huge Address Space
• The traditional host discovery method takes a very long time because the address space is expanded to 128 bits.
- A typical IPv4 subnet may have 8 bits reserved for host addressing: at 1 packet/sec, 5 min.
- A typical IPv6 subnet may have 64 bits reserved for host addressing: at 1 packet/sec, 50 billion years.
Address can be guessed. We cannot reduce the search space.
Privacy Enhanced Addresses
• IETF scheme for generating random address bits
• Used instead of the IEEE identifier (i.e., a link-layer MAC address), for privacy protection, etc.
• Generates short-lived addresses with a small chance of repeat
• Generated on boot or periodically at runtime
[Diagram: the Current Address (64 bits) and the Seed or History (64 bits) are fed to md5; the output gives the New Address (64 bits, with bit 6 set to 0 to create the global address) and the New History (64 bits).]
Address can be guessed. We cannot reduce the search space.
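To see why the search space cannot be reduced, here is the generation step the diagram sketches, written as an added example rather than code from the talk. It follows RFC 3041: MD5 over the current 64-bit identifier and the 64-bit history value, the left half becomes the new identifier with bit 6 cleared, the right half becomes the new history. The MAC-derived identifier and the seed used below are constructed inputs.

```python
import hashlib
import ipaddress


def next_temporary_iid(current_iid: bytes, history: bytes) -> tuple[bytes, bytes]:
    """One round of the RFC 3041 scheme sketched on the slide.

    current_iid: the 64-bit interface identifier in use (the EUI-64 one at first)
    history:     the 64-bit seed / history value
    Returns (new_iid, new_history).
    """
    if len(current_iid) != 8 or len(history) != 8:
        raise ValueError("interface identifier and history must be 64 bits each")
    digest = hashlib.md5(current_iid + history).digest()   # 128 bits
    new_iid = bytearray(digest[:8])                         # leftmost 64 bits
    new_iid[0] &= 0xFD       # clear bit 6 (the universal/local "u" bit)
    return bytes(new_iid), digest[8:]                       # rightmost 64 bits = new history


def temporary_address(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed from a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def address_sequence(prefix: str, iid: bytes, history: bytes, count: int):
    """The successive temporary addresses a host would configure from one seed."""
    addrs = []
    for _ in range(count):
        iid, history = next_temporary_iid(iid, history)
        addrs.append(temporary_address(prefix, iid))
    return addrs


if __name__ == "__main__":
    # Constructed inputs: the EUI-64 identifier for MAC 00-10-a4-b6-b9-72 (the
    # first entry of the netsh output on the slides) and a fixed seed so the
    # run is reproducible. A real host draws the seed from a random source.
    eui64 = bytes.fromhex("0210a4fffeb6b972")
    seed = bytes.fromhex("0123456789abcdef")
    for addr in address_sequence("2001:db8:1:2::/64", eui64, seed, 3):
        print(addr)      # none of these share bits with the EUI-64 address
```

Because each new identifier is a hash output, a scanner that knows the vendor OUI gains nothing: the only structure left in the host part is the cleared bit 6.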
IPv6 Discovery Solutions
• Multicast
• Neighbor Discovery
• Ethernet Vendor ID
• DHCPv6 State Tables
• Neighbor Cache
• Target IPv4 Stack instead
• Local Discovery and Distributed Architecture
IPv6 Layer 3 – Multicast
Multicast is a core component of IPv6
We can get some live IP addresses using multicast
• Typically site or link local
• Certain IPv6 Functions require multicast, so you are likely to have responses
• Common groups:
– FF02:0:0:0:0:0:0:1 – All nodes on the local link
– FF02:0:0:0:0:0:0:2 – All routers on the local link
– FF02:0:0:0:0:0:1:3 – All DHCP agents on the local link
IPv6 Layer 3 – Neighbor Discovery
• Neighbor Discovery is an ICMPv6-specific service
• Peer Discovery (layer 3 ARP): sent by a node to determine the link-layer address of a neighbor. Neighbor discovery can act as a link-local ping replacement. Some hosts may block multicast pings, but none should block multicast ND solicitations.
• Every IPv6 router and host must keep a neighbor cache, so we can get some live IP addresses from it.
- Similar to an ARP cache in IPv4
- Contains live addresses and their associated layer 2 addresses
- Can be accessed via SNMP or OS/application-specific APIs
SNMP OID – .1.3.6.1.2.1.55.1.12
Windows –
C:\research>netsh interface ipv6 show neighbors
Interface 6: Local Area Connection
Internet Address                 Physical Address   Type
fe80::210:a4ff:feb6:b972         00-10-a4-b6-b9-72  Stale
fe80::211:25ff:fe5a:cd63         00-11-25-5a-cd-63  Permanent
Linux –
# ip -6 neigh show
fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable
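Turning the neighbor cache into a target list is a matter of parsing the two outputs shown above. The parser below is an added example, not scanner code from the talk; the sample `ip -6 neigh` and `netsh` text is constructed in the formats the slides show, and multicast entries (which a real Windows cache lists) are skipped because they are groups, not hosts.

```python
import ipaddress
import re

# Constructed sample output in the two formats shown on the slides (not real captures).
LINUX_NEIGH = """\
fe80::201:23ff:fe45:6789 dev eth0 lladdr 00:01:23:45:67:89 router nud reachable
2001:db8:1:2:210:a4ff:feb6:b972 dev eth0 lladdr 00:10:a4:b6:b9:72 nud stale
fe80::1 dev eth0  FAILED
"""
WINDOWS_NEIGH = """\
Interface 6: Local Area Connection
Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::210:a4ff:feb6:b972                      00-10-a4-b6-b9-72  Stale
fe80::211:25ff:fe5a:cd63                      00-11-25-5a-cd-63  Permanent
ff02::1                                       33-33-00-00-00-01  Permanent
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$", re.IGNORECASE)

def _mac(token: str):
    """Normalise 00-10-a4-.. / 00:10:a4:.. to lower-case colon form, else None."""
    return token.lower().replace("-", ":") if MAC_RE.match(token) else None

def parse_neighbor_cache(text: str):
    """Return [(address, mac or None, state)] for the unicast entries in either format."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        try:
            addr = ipaddress.IPv6Address(tokens[0])
        except ValueError:
            continue                        # "Interface ..." line, column header, ruler
        if addr.is_multicast:
            continue                        # ff02::1 is a group, not a host
        if "dev" in tokens:                 # Linux: ADDR dev IF [lladdr MAC] [router] [nud STATE]
            mac = _mac(tokens[tokens.index("lladdr") + 1]) if "lladdr" in tokens else None
        else:                               # Windows: ADDR  MAC  TYPE
            mac = _mac(tokens[1]) if len(tokens) > 2 else None
        entries.append((str(addr), mac, tokens[-1].lower()))
    return entries

def live_hosts(text: str):
    """Addresses with a resolved link-layer address: the scan targets the slide describes."""
    return sorted(a for a, mac, state in parse_neighbor_cache(text) if mac and state != "failed")
```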
Target IPv4
• Mixed-mode networks often have both IPv4 and IPv6 addresses: use the IPv4 address instead!
• IPv6 transition addressing schemes often embed IPv4 addresses in their scheme, potentially reducing the address search space (ISATAP, 6to4 transitional addresses).
Local Discovery and Distributed Architecture
• IPv6 is designed to make internal visibility good, but external visibility poor
Probe - Send a UDP packet over IPv6 to a closed port
Response - An ICMPv6 Destination Unreachable message (Port Unreachable) is sent back from the target
[Diagram: the probe is an IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit) carrying UDP (Source Port, Destination Port, Length, Checksum, Data); the response is ICMPv6 Destination Unreachable (Type = 1, Code = 4, Checksum, Unused) followed by as much of the invoking packet as will fit without the ICMPv6 packet exceeding the minimum IPv6 MTU.]
UDP Port Unreachable / Characteristics
OS              Response
Windows XP      Yes
Windows Vista   No
Solaris         Yes
Linux           Yes
FreeBSD         No
[Diagram residue: the ICMPv6 Echo Reply Hop Limit (128 / 64 / 255) and the ICMPv6 Echo Reply to an Invalid Code (Yes / No) are the other characteristics used to separate Solaris, Linux and FreeBSD.]
"A destination node SHOULD send a Destination Unreachable message with Code 4 in response to a packet for which the transport protocol (e.g., UDP) has no listener, if that transport protocol has no alternative means to inform the sender."
Probe - Send a Multicast Listener Discovery (MLDv1) packet to the target
Response - A Multicast Listener Report is sent back from the target
The purpose of MLD is to enable routers to discover the presence of multicast listeners
[Diagram: the probe is an ICMPv6 Multicast Listener Query (Type = 130, Code = 0, Checksum, Maximum Response Delay = 0x0000, Reserved, Multicast Address = all 0x00); the response is an ICMPv6 Multicast Listener Report (Type = 131 or 143 depending on the MLD version, Code = 0, Checksum).]
MLDv1 vs MLDv2
- MLDv2 adds sender information (source addresses) to MLDv1.
- MLDv1 Query and MLDv2 Query have the same ICMPv6 Type (130). An IPv6 node recognizes the MLD version by checking the length of the packet.
- Some implementations respond with MLDv2 even if the query is MLDv1. Some implementations don't respond at all.
An IPv6 Hop-by-Hop Option is included in the MLD Report response packet. The sequence of options depends on the implementation.
[Diagram: the report is an IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header = 0, Hop Limit), followed by a Hop-by-Hop Options header (Next Header = 58, Header Ext Len, Hop-by-Hop Options), followed by the ICMPv6 Multicast Listener Report (Type = 131, Code = 0, Checksum).]
IPv6 Hop-By-Hop Option / Characteristics
OS              Option sequence
Windows XP      05 -> 01
Windows Vista   No Response
Solaris         No Response
Linux           05 -> 01
FreeBSD         01 -> 05
Option format: Type (8-bit option type), Length (8-bit option length), Data (option data, depending on the option type)
The two high-order bits of the option type specify the action taken if the node does not recognize the option:
00 skip over this option and continue processing the header
01 discard the packet
10 discard the packet and, regardless of whether or not the packet's Destination Address was a multicast address, send an ICMP Parameter Problem
11 discard the packet and, only if the packet's Destination Address was not a multicast address, send an ICMP Parameter Problem
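An added example (not code from the talk) that parses a Hop-by-Hop Options header into the option sequence the table above compares, and applies the 00/01/10/11 rule to an option the receiver does not know. The two sample headers are constructed: a Router Alert option (type 05, value 0 for MLD) and a PadN option (type 01) in the two orders the table lists.

```python
# Disposition of an option the node does not recognise, keyed by the two
# high-order bits of the option type (the 00/01/10/11 list on the slide).
ACTIONS = {0b00: "skip", 0b01: "discard",
           0b10: "discard + ICMPv6 Parameter Problem",
           0b11: "discard + ICMPv6 Parameter Problem (unicast destination only)"}

def parse_hop_by_hop(hdr: bytes):
    """Parse an IPv6 Hop-by-Hop Options header; returns (next_header, [(type, data), ...])."""
    if len(hdr) < 8:
        raise ValueError("Hop-by-Hop header is at least 8 octets")
    next_header, ext_len = hdr[0], hdr[1]
    total = (ext_len + 1) * 8        # Hdr Ext Len = 8-octet units after the first 8
    if len(hdr) < total:
        raise ValueError("truncated Hop-by-Hop header")
    opts, i = [], 2
    while i < total:
        otype = hdr[i]
        if otype == 0:               # Pad1: one octet, no length field
            opts.append((0, b""))
            i += 1
            continue
        if i + 1 >= total:
            raise ValueError("option type without length field")
        olen = hdr[i + 1]
        if i + 2 + olen > total:
            raise ValueError("option data runs past the header end")
        opts.append((otype, hdr[i + 2:i + 2 + olen]))
        i += 2 + olen
    return next_header, opts

def unknown_option_action(otype: int, dst_is_multicast: bool) -> str:
    """What a receiver does with an unrecognised option of the given type."""
    act = otype >> 6
    if act == 0b11 and dst_is_multicast:
        return "discard"             # 11: no Parameter Problem to a multicast destination
    return ACTIONS[act]

def option_sequence(hdr: bytes) -> str:
    """Option types in wire order, written as the slide table does ('05 -> 01')."""
    return " -> ".join(f"{t:02x}" for t, _ in parse_hop_by_hop(hdr)[1])

# Constructed headers as an MLD Report carries them: Router Alert (type 05, value
# 0 = MLD) and PadN (type 01), in the two orders seen in the slide's table.
LINUX_STYLE = bytes.fromhex("3a00" "05020000" "0100")     # Next Header 58, ext len 0
FREEBSD_STYLE = bytes.fromhex("3a00" "0100" "05020000")
```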
ICMPv6 Neighbor Solicitation / Probe & Response
Sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address.
Probe - Send a Neighbor Solicitation to the target
Response - A Neighbor Advertisement is sent back from the target
[Diagram: the probe is an ICMPv6 Neighbor Solicitation (Type = 135, Code = 0, Checksum, Reserved, Target Address = Source IPv6 Address, Option); the response is an ICMPv6 Neighbor Advertisement (Type = 136, Code = 0, Checksum, R/S/O flags = Router flag, Solicited flag, Override flag, Reserved, Target Address, Option).]
ICMPv6 Neighbor Solicitation / Characteristics
OS              Override flag
Windows XP      Enable
Windows Vista   Enable
Solaris         Enable
Linux           Disable
FreeBSD         Disable
Fingerprint
Bit       Parameter        Value
Bit 7,8   Hop Limit        00=other, 01=64, 10=128, 11=255
Bit 6     Invalid Code     0=No response, 1=Response
Bit 5     UDP Unreachable  0=No response, 1=Response
Bit 4,3   MLD Query        00=No response, 01=MLDv1, 10=MLDv2, 11=other
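An added example, not the scanner's own code, of packing the four probe results into this fingerprint byte and matching it against a signature table with don't-care masks, so that a probe which drew no answer still leaves a usable signature. It assumes bit 8 is the most significant bit of the byte; the signature table is constructed for illustration (only its UDP Unreachable column comes from the slides, the Hop Limit and Invalid Code bits are assumed).

```python
# Field layout from the slide's table. Assumption: bit 8 is the most significant
# bit of the byte, so the Hop Limit code occupies the top two bits (mask 0xC0).
HOP_LIMIT_CODE = {64: 0b01, 128: 0b10, 255: 0b11}          # anything else = 0b00 "other"
MLD_CODE = {None: 0b00, "mldv1": 0b01, "mldv2": 0b10, "other": 0b11}


def pack_fingerprint(hop_limit, invalid_code, udp_unreachable, mld_reply) -> int:
    """Pack four probe observations into the one-byte fingerprint.

    hop_limit:        Hop Limit of the ICMPv6 Echo Reply (64, 128, 255 or other)
    invalid_code:     True if an Echo Request with an invalid Code was answered
    udp_unreachable:  True if a UDP probe to a closed port drew Port Unreachable
    mld_reply:        None, "mldv1", "mldv2" or "other"
    """
    return ((HOP_LIMIT_CODE.get(hop_limit, 0b00) << 6)
            | (int(bool(invalid_code)) << 5)
            | (int(bool(udp_unreachable)) << 4)
            | (MLD_CODE[mld_reply] << 2))        # bits 1-2 are unused on the slide


def unpack_fingerprint(fp: int) -> dict:
    """Inverse of pack_fingerprint, for reading a stored signature."""
    hop = {v: k for k, v in HOP_LIMIT_CODE.items()}
    mld = {v: k for k, v in MLD_CODE.items()}
    return {"hop_limit": hop.get((fp >> 6) & 0b11, "other"),
            "invalid_code": bool(fp & 0x20),
            "udp_unreachable": bool(fp & 0x10),
            "mld": mld[(fp >> 2) & 0b11]}


# Constructed signature table, not the scanner's database: (value, mask). A zero
# mask bit means "don't care". The UDP Unreachable bit follows the slide's table;
# the Hop Limit and Invalid Code bits are assumed for illustration.
SIGNATURES = {
    "Windows XP":    (pack_fingerprint(128, False, True, None), 0xD0),
    "Windows Vista": (pack_fingerprint(128, False, False, None), 0xD0),
    "Solaris":       (pack_fingerprint(255, True, True, None), 0xF0),
    "Linux":         (pack_fingerprint(64, False, True, None), 0xD0),
    "FreeBSD":       (pack_fingerprint(64, False, False, None), 0xD0),
}


def match(fp: int) -> list:
    """Operating systems whose signature agrees with the observed byte on every cared-for bit."""
    return sorted(name for name, (value, mask) in SIGNATURES.items()
                  if fp & mask == value & mask)
```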