ipv6 security talk 2012
Post on 04-Jun-2018
8/13/2019 IPv6 Security Talk 2012
1/112
Cisco Confidential 2010 Cisco and/or its affiliates. All rights reserved. 1
IPv6 Introduction and Implications on Network Security
Keith O'Brien
Cisco
Distinguished Engineer
kobrien@cisco.com
Keith O'Brien, Distinguished Engineer
Cisco
kobrien@cisco.com
Specializes in large scale IP routing, network security and incident response within ISP and enterprise networks.
Working with major US based ISPs on their transition to an IPv6 network
Adjunct professor of Computer Science at NYU's Polytechnic Institute - Graduate Studies
Visiting Professor of Electrical and Computer Engineering at the United States Coast Guard Academy
BSEE Lafayette College, MS Stevens Institute of Technology
CCIE, CISSP, SANS GIAC
http://keithobrien.org
Twitter: @keitheobrien
IPv6: Why Now?
Technology Intro
Comparison to IPv4
Addressing
ICMPv6 and Neighbor Discovery
DHCPv6 and DNS
IPv4/IPv6 Transition and Coexistence
IPv6 Security
Source: Cisco Visual Networking Index (VNI) Global IP Traffic Forecast, 2010-2015
Key Growth Factors:
More Devices
More Internet Users
Faster Broadband Speeds
More Rich Media Content
Figures: nearly 15B connections; 4-fold speed increase; 3 billion Internet users; 1M video minutes per second
IETF IPv6 WG began in the early 90s to solve addressing growth issues, but CIDR and NAT were developed
IPv4 32-bit address = 4 billion hosts
IANA recently issued their last /8 blocks to the regional registries
IP is everywhere
Data, voice, audio and video integration is a reality
Main compelling reason: more IP addresses
http://www.bgpexpert.com/ianaglobalpool2.php
Figure: Probability of when RIR reaches last /8 threshold
Service Segment: Mobile / Enterprise / Wireline

When do you run out of IPv4 addresses?
  Mobile: Now. Devices are already being actively deployed with IPv6 addresses
  Enterprise: Varies. NAT is already being used at peering points where run out has occurred
  Wireline: Now. A combination of NAT and IPv6 enabled CPE are being deployed

When is most of the content available on IPv6 network?
  Mobile: Growing rapidly
  Enterprise: Slower ramp, due to enterprise specific applications and longer development cycles
  Wireline: Growing rapidly

What is the device/CPE refresh frequency?
  Mobile: Short refresh cycle
  Enterprise: Longer refresh cycle
  Wireline: Longer refresh cycle
June 6, 2012: Network equipment vendors, ISPs and content providers are coming together on June 6 to permanently enable IPv6 on the Internet.
Last June 6th, World IPv6 Day was a 24 hour soak period
Current players: Akamai, Comcast, AT&T, Cisco, D-Link, Facebook, Free Telecom, Google, Internode, KDDI, Limelight, Bing, Time Warner Cable, Yahoo, Netflix, AOL, NASA, Sprint
http://www.worldipv6launch.org/
Service             IPv4                                 IPv6
Addressing Range    32-bit, Network Address Translation  128-bit, Multiple Scopes
IP Provisioning     DHCP                                 SLAAC, Renumbering, DHCP
Security            IPSec                                IPSec Mandated, Works End-to-End
Mobility            Mobile IP                            Mobile IP with Direct Routing
Quality-of-Service  Differentiated Service,              Differentiated Service,
                    Integrated Service                   Integrated Service
Multicast           IGMP/PIM/MBGP                        MLD/PIM/MBGP, Scope Identifier
IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
Legend: field name kept from IPv4 to IPv6; field not kept in IPv6; name and position changed in IPv6; new field in IPv6
Extension Headers Are Daisy Chained
Each IPv6 header carries Version, Class, Flow, Len, Next Header, Hop, Source, Destination; the Next Header value names what follows:
Chain 1: IPv6 header (Next Header = 6) -> Upper Layer TCP Header -> Payload
Chain 2: IPv6 header (Next Header = 43) -> Routing Header (Next Header = 17) -> Upper Layer UDP Header -> Payload
Chain 3: IPv6 header (Next Header = 43) -> Routing Header (Next Header = 60) -> Destination Options (Next Header = 6) -> Upper Layer TCP Header -> Payload
Order  Header Type                          Header Code
1      Basic IPv6 Header                    -
2      Hop-by-Hop Options                   0
3      Dest Options (with Routing options)  60
4      Routing Header                       43
5      Fragment Header                      44
6      Authentication Header                51
7      ESP Header                           50
8      Destination Options                  60
9      Mobility Header                      135
-      No Next Header                       59
       Upper Layer TCP                      6
       Upper Layer UDP                      17
       Upper Layer ICMPv6                   58
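An added example (not from the slides) of what a firewall or IDS has to do with the table above: walk the Next Header chain of a raw packet until the upper-layer protocol is reached, applying the ordering rule for Hop-by-Hop Options and the length encodings that differ between option, Fragment and Authentication headers. The packet bytes are constructed inline by the helper at the end; the header type constants are the table's own numbers.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY, NO_NEXT = 0, 43, 44, 50, 51, 60, 135, 59
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
NAMES = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
         ESP: "ESP", AH: "Authentication", DEST_OPTS: "Destination Options",
         MOBILITY: "Mobility", NO_NEXT: "No Next Header"}


def walk_chain(pkt: bytes):
    """Return (chain, problems): chain lists the headers in order, ending with the
    upper-layer protocol; problems lists what a filter should treat as suspicious."""
    problems = []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return [], ["not an IPv6 packet"]
    nh, off, chain, seen = pkt[6], 40, ["Basic IPv6"], []
    while True:
        if nh in UPPER or nh == NO_NEXT:
            chain.append(UPPER.get(nh) or NAMES[nh])
            break
        if nh == ESP:                     # everything after ESP is encrypted
            chain.append(NAMES[ESP])
            problems.append("ESP: upper layer not visible")
            break
        if nh not in NAMES:
            chain.append("unknown(%d)" % nh)
            problems.append("unknown next header %d" % nh)
            break
        if off + 8 > len(pkt):            # every extension header is at least 8 bytes
            problems.append("truncated before %s" % NAMES[nh])
            break
        if nh == HOP_BY_HOP and off != 40:
            problems.append("Hop-by-Hop Options not first after the basic header")
        if nh in seen and not (nh == DEST_OPTS and seen.count(nh) == 1):
            problems.append("repeated extension header %s" % NAMES[nh])
        seen.append(nh)
        chain.append(NAMES[nh])
        next_nh = pkt[off]                # every extension header starts with Next Header
        if nh == FRAGMENT:                # fixed 8 bytes; offset field is in 8-octet units
            hlen = 8
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                chain.append("(non-first fragment)")   # rest of the chain is in fragment 0
                return chain, problems
        elif nh == AH:                    # length field counts 4-octet units minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                             # options/routing: 8-octet units, first 8 excluded
            hlen = (pkt[off + 1] + 1) * 8
        off += hlen
        if off > len(pkt):
            problems.append("%s runs past end of packet" % NAMES[nh])
            break
        nh = next_nh
    return chain, problems


def build_packet(ext_headers, upper=6, payload=b"\x00" * 20) -> bytes:
    """Assemble a minimal IPv6 packet from a list of (type, body) extension headers;
    body excludes the leading Next Header byte and the length byte (constructed test data)."""
    first = ext_headers[0][0] if ext_headers else upper
    hdrs = b""
    for i, (typ, body) in enumerate(ext_headers):
        nxt = ext_headers[i + 1][0] if i + 1 < len(ext_headers) else upper
        if typ == FRAGMENT:               # body = reserved(1) + offset/M(2) + ident(4)
            hdrs += bytes([nxt]) + body
        elif typ == AH:
            hdrs += bytes([nxt, len(body) // 4 - 1]) + body
        else:
            hdrs += bytes([nxt, (len(body) + 2) // 8 - 1]) + body
    base = struct.pack("!IHBB", 6 << 28, len(hdrs) + len(payload), first, 64)
    base += bytes.fromhex("20010db8000000000000000000000001")   # constructed source
    base += bytes.fromhex("20010db8000000000000000000000002")   # constructed destination
    return base + hdrs + payload
```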
IPv4: 32 bits
IPv6: 128 bits
2^32 = 4,294,967,296
2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
2^128 = 2^32 * 2^96
2^96 = 79,228,162,514,264,337,593,543,950,336 times the number of possible IPv4 addresses
(79 trillion trillion)
IPv6 addresses are 128 bits long
Segmented into 8 groups of four HEX characters (called hextets)
Separated by a colon (:)
Default is 50% for network ID, 50% for interface ID
Network portion is allocated by Internet registries; each 64-bit half holds 2^64 (1.8 x 10^19) values
Figure: Global Routing Prefix (n bits) followed by the rest of the address
Hex numbers are not case sensitive
Abbreviations are possible
Leading zeros in contiguous block could be represented by (::)
2001:0db8:0000:130F:0000:0000:087C:140B
2001:db8:0:130F::87C:140B
Double colon can only appear once in the address
IPv6 uses CIDR representation
IPv4 address looks like 98.10.0.0/16
IPv6 address is represented the same way 2001:db8:12::/48
Only leading zeros are omitted, trailing zeros cannot be omitted
2001:0db8:0012::/48 = 2001:db8:12::/48
2001:db80:1200::/48 is not the same as 2001:db8:12::/48
Loopback address representation: 0:0:0:0:0:0:0:1 == ::1
Same as 127.0.0.1 in IPv4
Identifies self
Unspecified address representation: 0:0:0:0:0:0:0:0 == ::
Used as a placeholder when no address available
(Initial DHCP request, Duplicate Address Detection DAD)
NOT the default route
Default route representation: ::/0
Figure: allocation hierarchy. IANA (2001::/3) allocates ::/12 to ::/23 blocks to the RIRs (APNIC, AfriNIC, ARIN, LACNIC, RIPE NCC); each RIR allocates /32 blocks to ISPs; each ISP allocates /48 blocks to sites.
Partition of Allocated IPv6 Address Space
Partition of Allocated IPv6 Address Space (Cont.)
Lowest-order 64-bit field of unicast address may be assigned in several different ways:
Auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., Ethernet address)
Auto-generated pseudo-random number (to address privacy concerns)
Assigned via DHCP
Manually configured
This format expands the 48 bit MAC address to 64 bits by inserting FFFE into the middle 16 bits
To make sure that the chosen address is from a unique Ethernet MAC address, the universal/local (u bit) is set to 1 for global scope and 0 for local scope
MAC Address: 00 90 27 17 FC 0F
Insert FF FE: 00 90 27 FF FE 17 FC 0F
Set the U bit (first octet 000000U0, where U=1 = Unique, 0 = Not Unique): 02 90 27 FF FE 17 FC 0F
Addresses are assigned to interfaces
Change from IPv4 mode: interface expected to have multiple addresses
Addresses have scope: Link Local, Unique Local, Global
Addresses have lifetime: valid and preferred lifetime
Three types of unicast address scopes
Link-Local: non routable, exists on single layer 2 domain (FE80::/64)
  FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
Unique-Local: routable within administrative domain (FC00::/7)
  FCgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  FDgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Global: routable across the Internet (2000::/3)
  2ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  3ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Multicast addresses (FF00::/8): flags (f) in 3rd nibble (4 bits), scope (s) in 4th nibble
  FFfs:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Unicast: address of a single interface. One-to-one delivery to a single interface
Multicast: address of a set of interfaces. One-to-many delivery to all interfaces in the set
Anycast: address of a set of interfaces. One-to-one-of-many delivery to a single interface in the set that is closest
No more broadcast addresses
An interface can have many addresses allocated to it
Address Type              Requirement  Comment
Link Local                Required     Required on all interfaces
Unique Local              Optional     Valid only within an Administrative Domain
Global Unicast            Optional     Globally routed prefix
Auto-Config 6to4          Optional     Used for 2002:: 6to4 tunnelling
Solicited Node Multicast  Required     Neighbour Discovery and Duplicate Address Detection (DAD)
All Nodes Multicast       Required     For ICMPv6 messages
Address            Scope       Meaning
FF01::1            Node-Local  All Nodes
FF01::2            Node-Local  All Routers
FF02::1            Link-Local  All Nodes
FF02::2            Link-Local  All Routers
FF02::5            Link-Local  OSPFv3 Routers
FF02::6            Link-Local  OSPFv3 DR Routers
FF02::1:FFXX:XXXX  Link-Local  Solicited-Node
http://www.iana.org/assignments/ipv6-multicast-addresses
R1#show ipv6 interface e0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  No global unicast address is configured
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF3A:8B18
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
R1#
Callouts: FF02::1 is All Nodes, FF02::2 is All Routers, FF02::1:FF3A:8B18 is the Solicited-Node Multicast Address
Function            IPv4                   IPv6
Address Assignment  DHCPv4                 DHCPv6, SLAAC, Reconfiguration
Address Resolution  ARP, RARP              NS, NA
Router Discovery    ICMP Router Discovery  RS, RA
Name Resolution     DNSv4                  DNSv6
Internet Control Message Protocol version 6
RFC 2463
Modification of ICMP from IPv4
Message types are similar (but different types/codes):
Destination unreachable (type 1)
Packet too big (type 2)
Time exceeded (type 3)
Parameter problem (type 4)
Echo request/reply (type 128 and 129)
Neighbor Discovery: replaces ARP, ICMP (redirects, router discovery)
Reachability of neighbors
Hosts use it to discover routers, auto configuration of addresses
Duplicate Address Detection (DAD)
Neighbor discovery uses ICMPv6 messages, originated from node on link local with hop limit of 255
Consists of IPv6 header, ICMPv6 header, neighbor discovery header, and neighbor discovery options
Five neighbor discovery messages:
Router solicitation (ICMPv6 type 133)
Router advertisement (ICMPv6 type 134)
Neighbor solicitation (ICMPv6 type 135)
Neighbor advertisement (ICMPv6 type 136)
Redirect (ICMPv6 type 137)
Neighbour Solicitation (NS) from A to B
  ICMP Type 135
  IPv6 Source: A Unicast
  IPv6 Destination: B Solicited Node Multicast
  Data: FE80:: address of A
  Query: What is B link layer address?
Neighbour Advertisement (NA) from B to A
  ICMP Type 136
  IPv6 Source: B Unicast
  IPv6 Destination: A Unicast
  Data: FE80:: address of B, MAC Address
Router solicitations (RS) are sent by booting nodes to request RAs for configuring the interfaces
Routers send periodic Router Advertisements (RA) to the all-nodes multicast address
Router Solicitation (RS)
  ICMP Type 133
  IPv6 Source: A Link Local (FE80::1)
  IPv6 Destination: All Routers Multicast (FF02::2)
  Query: Please send RA
Router Advertisement (RA)
  ICMP Type 134
  IPv6 Source: A Link Local (FE80::2)
  IPv6 Destination: All Nodes Multicast (FF02::1)
  Data: Options, subnet prefix, lifetime, autoconfig flag
Autoconfiguration is used to automatically assign an address to a host, plug and play
Generating a link-local address
Generating global addresses via stateless address autoconfiguration
Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link
Host Autoconfigured Address comprises Prefix Received + Link-Layer Address if DAD check passes
Figure: Host A (MAC 00:2c:04:00:fe:56) sends RS (1); Router R1 answers with RA (2) (Ethernet DA/SA Router R2 / Host A; Prefix Information 2001:db8:face::/64; Default Router Router R1); A runs DAD (3) and configures 2001:db8:face::22c:4ff:fe00:fe56
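An added example (not from the slides) that carries the EUI-64 slide, the show ipv6 interface output and the SLAAC figure through in code: from a MAC it derives the modified EUI-64 interface ID, the link-local and prefix-based addresses, and the solicited-node group the host joins for NS/DAD, and it maps an EUI-64 address back to its MAC, which is the tracking concern the privacy-extension slide later raises. The MAC 00:00:0c:3a:8b:18 is an assumption implied by the router's link-local address on the show output; the other values are the slides' own.

```python
import ipaddress


def mac_to_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64: split the MAC, insert FFFE, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets: " + mac)
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # Bit 1 of the first octet is the universal/local bit; a globally unique
    # MAC (bit clear) yields U=1 in the interface ID, as on the slide.
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def eui64_to_mac(iid: bytes):
    """Inverse mapping; None when the interface ID is not EUI-64 shaped."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in octets)


def slaac_address(prefix: str, mac: str) -> str:
    """Prefix from an RA Prefix Information option + EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix, got " + prefix)
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local(mac: str) -> str:
    """FE80::/64 + EUI-64, the first address a host forms."""
    return slaac_address("fe80::/64", mac)


def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx: the group a node joins so NS and DAD for addr reach it."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64 address; None for privacy/random interface IDs."""
    return eui64_to_mac(ipaddress.IPv6Address(addr).packed[8:])


if __name__ == "__main__":
    print(mac_to_eui64("00:90:27:17:FC:0F").hex())                      # 029027fffe17fc0f
    print(link_local("00:00:0c:3a:8b:18"))                              # fe80::200:cff:fe3a:8b18
    print(solicited_node(link_local("00:00:0c:3a:8b:18")))              # ff02::1:ff3a:8b18
    print(slaac_address("2001:db8:face::/64", "00:2c:04:00:fe:56"))     # 2001:db8:face:0:22c:4ff:fe00:fe56
    print(mac_from_address("2001:db8:face::22c:4ff:fe00:fe56"))         # 00:2c:04:00:fe:56
```

Python's ipaddress does not abbreviate a single zero hextet with "::", so the last address prints with ":0:" where the slide writes "::"; both denote the same address.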
Hostname to IP address
  IPv4: A record: www.abc.test. A 192.168.30.1
  IPv6: AAAA record: www.abc.test AAAA 2001:db8:C18:1::2
IP address to hostname
  IPv4: PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.
  IPv6: PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.
Figure: a dual-stack client asks the DNS server "www.example.org = * ?"; the zone holds "www IN A 192.168.0.3" and "www IN AAAA 2001:db8:1::1", and the client can reach the server over IPv4 (192.168.0.3) or IPv6 (2001:db8:1::1)
In a dual stack case an application that:
Is IPv4 and IPv6-enabled
Can query the DNS for IPv4 and/or IPv6 records (A) or (AAAA) records
Chooses one address and, for example, connects to the IPv6 address
Domain name with IPv6 address only:
mSecs  Source                 Destination            Prot    Info
0.000  64.104.197.141         64.104.200.248         DNS     Standard query A ipv6.google.com
0.158  64.104.200.248         64.104.197.141         DNS     Standard query response CNAME ipv6.l.google.com
0.000  64.104.197.141         64.104.200.248         DNS     Standard query AAAA ipv6.google.com
0.135  64.104.200.248         64.104.197.141         DNS     Standard query response CNAME ipv6.l.google.com AAAA 2404:6800:8004::68
Initial query over IPv4 for IPv4 A record
DNS response refers to an alias/canonical address
Host immediately sends a request for AAAA record (original FQDN)
IPv6 address of canonical name returned

Domain name with both addresses:
mSecs  Source                 Destination            Prot    Info
0.000  64.104.197.141         64.104.200.248         DNS     Standard query A www.apnic.net
0.017  64.104.200.248         64.104.197.141         DNS     Standard query response A 202.12.29.211
0.000  64.104.197.141         64.104.200.248         DNS     Standard query AAAA www.apnic.net
0.017  64.104.200.248         64.104.197.141         DNS     Standard query response AAAA 2001:dc0:2001:11::211
0.001  2001:420:1:fff::2      2001:dc0:2001:11::211  ICMPv6  Echo request (Unknown (0x00))
0.023  2001:dc0:2001:11::211  2001:420:1:fff::2      ICMPv6  Echo reply (Unknown (0x00))
Initial query over IPv4 for IPv4 A record
IPv4 address returned
Host immediately sends a request for AAAA record
IPv6 address of FQDN returned
Host prefers IPv6 address (configurable)
Manual Assignment: statically configured by human operator
Stateless Address Autoconfiguration (SLAAC, RFC 4862): allows auto assignment of address through Router Advertisements
Stateful DHCPv6 (RFC 3315): allows DHCPv6 to allocate IPv6 address plus other configuration parameters (DNS, NTP etc)
DHCPv6-PD (RFC 3633): allows DHCPv6 to allocate entire subnets to a router/CPE device for further allocation
Stateless DHCPv6 (RFC 3736): combination of SLAAC for host address allocation and DHCPv6 for additional parameters such as DNS servers and NTP
Updated version of DHCP for IPv4
Supports new addressing
Can be used for renumbering
DHCP process is the same as in IPv4, but:
Client first detects the presence of routers on the link
If found, then examines router advertisements to determine if DHCP can be used
If no router found or if DHCP can be used, then a DHCP Solicit message is sent to the All-DHCP-Agents multicast address, using the link-local address as the source address
Multicast addresses used:
FF02::1:2 = All DHCP Agents (servers or relays, Link-local scope)
FF05::1:3 = All DHCP Servers (Site-local scope)
DHCP messages: clients listen on UDP port 546; servers and relay agents listen on UDP port 547
RA message contains flags that indicate address allocation combination (A, M and O bits)
Use SLAAC only, Use DHCPv6 stateful, Use SLAAC and DHCPv6 for other options
Router Advertisement (RA) for stateful DHCPv6:
  A bit (Address config flag) set to 0: do not use SLAAC for host config
  M bit (Managed address configuration flag) set to 1: use DHCPv6 for host IPv6 address
  O bit (Other configuration flag) set to 1: use DHCPv6 for additional info (DNS, NTP)
Figure: Router 1 (DHCPv6 Relay) sends RA (1); Host A sends DHCP Solicit to FF02::1:2 (All DHCP Relays) (2); the DHCP Server answers for 2001:db8:face::/64 with 2001:db8:face::1/64, DNS1, DNS2, NTP (3)
RA message contains flags that indicate address allocation combination (A, M and O bits)
Use SLAAC only, Use DHCPv6 stateful, Use SLAAC and DHCPv6 for other options
Router Advertisement (RA) for SLAAC plus stateless DHCPv6:
  A bit (Address config flag) set to 1: use SLAAC for host address config
  On-link Prefix 2001:db8:face::/64
  M bit (Managed address configuration flag) set to 0: do not use DHCPv6 for IPv6 address
  O bit (Other configuration flag) set to 1: use DHCPv6 for additional info (DNS, NTP)
Figure: Router 1 (DHCPv6 Relay) sends RA (1); Host A forms 2001:db8:face::22c:4ff:fe00:fe56 from the on-link prefix 2001:db8:face::/64; A sends DHCP Solicit to FF02::1:2 for options only (3); the DHCP Server returns DNS1, DNS2, NTP
A wide range of techniques have been identified and implemented, basically falling into three categories:
Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
Expect all of these to be used, in combination
All P + PE routers are capable of IPv4+IPv6 support
Two IGPs supporting IPv4 and IPv6
Memory considerations for larger routing tables
Native IPv6 multicast support
All IPv6 traffic routed in global space
Good for content distribution and global services (Internet)
Figure: dual-stack topology. CE (IPv4 and IPv6) - PE - P - P - PE - CE; IPv6 + IPv4 Core, IPv4 + IPv6 Edge, Dual Stack App; some or all interfaces in the cloud dual configured (legend: IPv6 configured interface, IPv4 configured interface)
Figure: the same dual-stack topology, with the edge router configuration:
ipv6 unicast-routing
interface Ethernet0
 ip address 192.168.99.1 255.255.255.0
 ipv6 address 2001:db8:213:1::1/64
Dual Stack Node means: both IPv4 and IPv6 stacks enabled
Applications can talk to both
Choice of the IP version is based on name lookup and application preference
Figure: Application over TCP/UDP over IPv4 and IPv6 over Data Link (Ethernet); frame protocol ID 0x0800 for IPv4 and 0x86dd for IPv6; an IPv6-enabled application is the preferred method on applications and servers
Tunneling options: GRE, Manual, 6to4, DMVPN, ISATAP, MPLS Manual, MPLS 6PE
Figure: GRE tunnel between Dual-Stack Router1 (IPv4: 192.168.99.1, IPv6: 2001:db8:800:1::3) and Dual-Stack Router2 (IPv4: 192.168.30.1, IPv6: 2001:db8:800:1::2), joining two IPv6 networks across an IPv4 network
router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/128
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode gre ipv6
router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/128
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode gre ipv6
Figure: manual IPv6-in-IPv4 tunnel between Dual-Stack Router1 (IPv4: 192.168.99.1, IPv6: 2001:db8:800:1::3) and Dual-Stack Router2 (IPv4: 192.168.30.1, IPv6: 2001:db8:800:1::2), joining two IPv6 networks across an IPv4 network
router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/127
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode ipv6ip
router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/127
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode ipv6ip
6to4
Automatic tunnel method using 2002:IPv4::/48 IPv6 range
IPv4 embedded in IPv6 format, e.g. 2002:c80f:0f01:: = 200.15.15.1
No impact on existing IPv4 or MPLS Core (IPv6 unaware)
Tunnel endpoints have to be IPv6 and IPv4 aware (Dual stack)
Transition technology, not for long term use
No multicast support, Static Routing
Intrinsic linkage between destination IPv6 Subnet and IPv4 gateway interface
IPv4 Gateway = Tunnel End point
Figure: IPv6 network 2002:c80f:0f01 (CE 2002:c80f:0f01:100::1, gateway e0/0 200.15.15.1) - PE - P - P - PE (gateway e0/0 200.11.11.1, CE 2002:c80b:0b01:100::1) - IPv6 network 2002:c80b:0b01, across the IPv4 Backbone Network; the 6to4 tunnel carries the IPv6 packet inside an IPv4 header
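An added example (not from the slides) of the 6to4 arithmetic behind "IPv4 Gateway = Tunnel End point": the IPv4 endpoint is read straight out of bits 16-47 of the 2002::/16 destination, so a 6to4 router can build the outer IPv4 header (protocol 41) from the inner destination alone, and it falls back to the relay anycast address 192.88.99.1 from the next slide for anything outside 2002::/16. The addresses are the two slides' own; the minimal IPv6 packet is constructed for the demonstration.

```python
import ipaddress
import struct

RELAY_ANYCAST_V4 = "192.88.99.1"      # 6to4 relay anycast address used on the relay slide


def six_to_four_prefix(ipv4: str) -> str:
    """IPv4 tunnel endpoint -> its 2002:IPv4::/48 prefix (200.15.15.1 -> 2002:c80f:f01::/48)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return "%s/48" % ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80))


def embedded_ipv4(ipv6: str):
    """Inverse: the IPv4 gateway embedded in any 2002::/16 address, else None."""
    v6 = int(ipaddress.IPv6Address(ipv6))
    if v6 >> 112 != 0x2002:
        return None
    return str(ipaddress.IPv4Address((v6 >> 80) & 0xFFFFFFFF))


def tunnel_endpoint(dst_v6: str) -> str:
    """Where a 6to4 router encapsulates toward: the embedded IPv4 address for
    2002::/16 destinations, the relay anycast address for the rest of the IPv6 Internet."""
    return embedded_ipv4(dst_v6) or RELAY_ANYCAST_V4


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def minimal_ipv6_packet(src_v6: str, dst_v6: str, payload: bytes = b"") -> bytes:
    """Bare IPv6 header (Next Header 59 = no next header), constructed for the demo."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    return hdr + ipaddress.IPv6Address(src_v6).packed + ipaddress.IPv6Address(dst_v6).packed + payload


def encapsulate(ipv6_packet: bytes, src_v4: str) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header with protocol 41 (IPv6-in-IPv4);
    the outer destination is chosen from the inner IPv6 destination alone."""
    dst_v6 = str(ipaddress.IPv6Address(ipv6_packet[24:40]))
    dst_v4 = tunnel_endpoint(dst_v6)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0x4000, 64, 41, 0,
                      ipaddress.IPv4Address(src_v4).packed, ipaddress.IPv4Address(dst_v4).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def outer_destination(tunnel_packet: bytes) -> str:
    """Read the outer IPv4 destination back from an encapsulated packet."""
    if tunnel_packet[9] != 41:
        raise ValueError("not IPv6-in-IPv4 (protocol 41)")
    return str(ipaddress.IPv4Address(tunnel_packet[16:20]))


if __name__ == "__main__":
    print(six_to_four_prefix("200.15.15.1"))                  # 2002:c80f:f01::/48
    print(embedded_ipv4("2002:c80b:0b01:100::1"))             # 200.11.11.1
    print(embedded_ipv4("2002:c058:6301::1"))                 # 192.88.99.1 (the relay's own 6to4 address)
    inner = minimal_ipv6_packet("2002:c80f:f01:100::1", "2002:c80b:b01:100::1")
    print(outer_destination(encapsulate(inner, "200.15.15.1")))   # 200.11.11.1
```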
6to4 relay allows access to IPv6 global network
Can use tunnel Anycast address 192.88.99.1
6to4 router finds closest 6to4 relay router
Return path could be asymmetric
Default route to IPv6 Internet
BGP can also be used to select particular 6to4 relay based on prefix
Allows more granular routing policy
Figure: IPv6 network 2002:c80f:0f01 (CE 2002:c80f:0f01:100::1, gateway e0/0 200.15.15.1) reaches the IPv6 Internet (2000::/3) through a 6to4 tunnel across the IPv4 Backbone Network to one of two IPv6 Relays, each with 192.88.99.1 (lo0) and 2002:c058:6301::1 (lo0); the IPv6 packet travels inside an IPv4 header
Additional and increased focus on IPv6 at security conferences such as Blackhat, CanSecWest and others.
Companies putting additional effort into IPv6 vulnerability research: Stonesoft released 163 new Advanced Evasion Techniques, 12 of those are IPv6-specific
Private security researchers are also putting additional focus on IPv6. Chinese researchers, Marc Heuse, Fernando Gont to name a few
UK's CPNI, the Centre for the Protection of National Infrastructure: 220 page report "Security Assessment of the Internet Protocol version 6 (IPv6)"
The Hacker's Choice http://thc.org/thc-ipv6/
Over 30 tools
Included in BackTrack
Private version available
A sampling:
Parasite6: ICMP neighbor solicitation/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
dnsdict6: parallelized DNS IPv6 dictionary bruteforcer
fake_router6: announce yourself as a router on the network, with the highest priority
flood_router6: flood a target with random router advertisements
Industry as a whole has far less experience with IPv6 vs IPv4
IPv6 implementations have not been proven over time
Security tools such as firewalls, IDS have varying levels of IPv6 support. Even when it is claimed to be supported that level of support varies widely
IPv6 brings added complexity which is the enemy of security
Network engineers and security operations staff are not fully trained on IPv6
Default subnets in IPv6 have 2^64 addresses
10 Mpps = more than 50 000 years
NMAP doesn't even support ping sweeps on IPv6 networks
World's population is approximately 6.5 billion
2^128 / 6.5 billion = 52 trillion trillion IPv6 addresses per person
Public servers will still need to be DNS reachable
Increased deployment and reliance on Dynamic DNS: more info in DNS
Admins might adopt easy to remember addresses such as:
::20, ::F00D, ::CAFE, or the last IPv4 octet
Transition technologies derive IPv6 addresses from IPv4 addresses
Brute force IPv6 scanning assumes that the addresses are randomly distributed. This has been shown not to be the case*:
SLAAC: IP based on MAC
IPv4 based (2001:0db8::192.168.100.1)
Low number (2001:0db8:1:1::1)
(*) Malone, D. 2008. Observations of IPv6 Addresses. Passive and Active Measurement Conference (PAM 2008, LNCS 4979), 29-30 April 2008.
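An added example (not from the slides) of the defender's side of this observation: classify an address inventory by the interface-ID patterns listed above (EUI-64 from the MAC, IPv4 embedded in the low bits or spelled octet-per-hextet, low numbers and hex words) so an operator can measure how much of an address plan is guessable without brute force. The inventory below is constructed; the category names and the word list are assumptions of this example.

```python
import ipaddress
from collections import Counter

MEMORABLE = {"f00d", "cafe", "beef", "dead", "face", "babe", "c0de", "1234"}   # assumed word list
PREDICTABLE = ("eui64", "low-number", "memorable-word", "ipv4-embedded", "ipv4-in-hextets")


def classify(addr: str) -> str:
    """Bucket an address by the interface-ID pattern it follows."""
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]                          # low 64 bits = interface identifier
    iid_int = int.from_bytes(iid, "big")
    if iid[3:5] == b"\xff\xfe":
        return "eui64"                           # SLAAC from MAC: the OUI narrows the search
    if iid_int < 0x10000:                        # ::1, ::20, ::CAFE, or the last IPv4 octet
        return "memorable-word" if "%x" % iid_int in MEMORABLE else "low-number"
    if iid_int < 0x100000000:                    # only the low 32 bits used: 2001:db8::192.168.100.1
        return "ipv4-embedded"
    hextets = ip.exploded.split(":")[4:]
    if all(h.isdigit() and int(h, 10) <= 255 for h in hextets):
        return "ipv4-in-hextets"                 # 2001:db8::192:168:100:1, one octet per hextet
    return "other"                               # privacy/random or an unpredictable manual choice


def audit(addresses) -> dict:
    """Count addresses per bucket."""
    return dict(Counter(classify(a) for a in addresses))


def predictable_fraction(addresses) -> float:
    """Share of the inventory that a scanner could enumerate without brute force."""
    addresses = list(addresses)
    counts = audit(addresses)
    return sum(counts.get(k, 0) for k in PREDICTABLE) / max(len(addresses), 1)


INVENTORY = [   # constructed sample inventory, not from the slides
    "2001:db8:1:1::1", "2001:db8:1:1::20", "2001:db8:1:1::f00d", "2001:db8:1:1::cafe",
    "2001:db8:1:1::192.168.100.1", "2001:db8:1:1:192:168:100:1",
    "2001:db8:1:1:22c:4ff:fe00:fe56", "2001:db8:1:1:a1b2:c3d4:e5f6:718",
]

if __name__ == "__main__":
    for a in INVENTORY:
        print("%-36s %s" % (a, classify(a)))
    print(audit(INVENTORY))
    print("predictable: %.0f%%" % (100 * predictable_fraction(INVENTORY)))   # 88%
```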
3 site-local multicast addresses
FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers
Several link-local multicast addresses
FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, ...
Some deprecated (RFC 3879) site-local addresses but still used
FEC0:0:0:FFFF::1 DNS server
Not feasible from remote
Figure: DHCP attack. Attacker sends a packet (Source: Attacker, Destination: FF05::1:3, Payload) that reaches the DHCP servers 2001:db8:2::50, 2001:db8:1::60 and 2001:db8:3::70
http://www.iana.org/assignments/ipv6-multicast-addresses/
Bittorrent will expose IPv6 peers
Look in web server log files for IPv6 address. Convince the target to browse to web server
Email headers from target
Mailing list archives
ICMPv6 echo/response
Send invalid ICMPv6 options and nodes will be forced to reply
Use Traceroute6
Look for well know IPv4 addresses which are linked to IPv6 (e.g.
Teredo)
Neighbor discovery cache for already compromised hostsroot@bt:~# alive6 -s 1 eth1
Alive: 2001:470:67b9:1:234:36ff:fe9c:3132
Alive: 2001:470:67b9:1:21d:29ff:fef9:bc06
Alive: 2001:470:67b9:1:22f:29ff:fe61:1ea1
Alive: 2001:470:67b9:1:259:29ff:fe40:e19aAlive: 2001:470:67b9:1:231:ebff:fef7:f140
Alive: fe80::ebff:d4ff:fedd:c572
Alive: 2001:470:67b9:1:b917:c2ff:fed9:6b1b
Alive: 2001:470:67b9:1:993:cbff:fea3:1733
Alive: 2001:470:67b9:1:675:dfff:fede:4875
Alive: 2001:470:67b9:1:b67d:caff:fe1b:c7a7
Alive: 2001:470:67b9:1:b78f:cbff:fee9:fd7f
Found 11 systems alive
root@bt:~# ip -6 neigh show
2001:470:67b9:1:7273:cbff:fee9:ddf3 dev eth1 lladdr 70:73:cb:e9:dd:f3 DELAY
2001:470:67b9:1:224:36ff:fe9c:ff56 dev eth1 lladdr 00:24:36:9c:ff:56 DELAY
2001:470:67b9:1:216:cbff:fea3:dd44 dev eth1 lladdr 00:16:cb:a3:dd:44 DELAY
2001:470:67b9:1:223:dfff:fede:1122 dev eth1 lladdr 00:23:df:de:11:22 DELAY
fe80::223:ebff:fedd:1298 dev eth1 lladdr 00:23:eb:dd:12:98 DELAY
2001:470:67b9:1:ba17:c2ff:fed9:11ed dev eth1 lladdr b8:17:c2:d9:11:ed DELAY
2001:470:67b9:1:5a55:caff:fe1b:dfee dev eth1 lladdr 58:55:ca:1b:df:ee DELAY
-
Temporary addresses for IPv6 host client applications, e.g. web browser
Inhibit device/user tracking
Random 64-bit interface ID, then run Duplicate Address Detection before using it
Rate of change based on local policy
Can have this address in addition to the EUI-64 address on an interface (based on MAC address)
[Figure: address layout under the 2001 prefix with boundaries at /23, /32, /48 and /64; the last 64 bits are the Interface ID]
Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back)
-
Google: Many sites use ipv6.example.com or ip6.example.com during the transition phase.
Search for site: ipv6* or site: ip6*
Do an AXFR if DNS is misconfigured
If DNSSEC is being used try NSEC walk*. NSEC3 records make this more difficult.
Try a brute force. Perform automated AAAA lookups based on a preconfigured dictionary. (i.e. lookup firewall.example.com, server1.example.com, mail.example.com)
-
Your host:
IPv4 is protected by your favorite personal firewall...
IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...)
Your network:
Does not run IPv6
Your assumption: I'm safe
Reality
You are not safe
Attacker sends Router Advertisements
Your host configures silently to IPv6
You are now under IPv6 attack
=> Probably time to think about IPv6 in your network
-
Easy to check!
Look inside NetFlow records
Protocol 41: IPv6 over IPv4 or 6to4 tunnels
IPv4 address: 192.88.99.1 (6to4 anycast server)
UDP 3544, the public part of Teredo, yet another tunnel
Look into DNS server log for resolution of ISATAP
Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW
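Added example (not code from the talk): the three NetFlow checks and the ISATAP DNS check listed on this slide, run over constructed flow records and DNS log lines; the flow-record layout and the DNS log format are assumptions.

```python
"""Flag IPv6-over-IPv4 tunnel indicators in flow records and DNS query logs.
Added illustration of the checks listed on the slide, not code from the talk;
the flow-record fields and the DNS log line format are constructed."""
from collections import namedtuple

PROTO_41 = 41                   # IPv6 over IPv4 (6in4, 6to4, ISATAP)
UDP = 17
SIXTO4_ANYCAST = "192.88.99.1"  # 6to4 anycast relay address
TEREDO_PORT = 3544              # public Teredo server/relay port

Flow = namedtuple("Flow", "src dst proto sport dport")   # assumed record layout

def tunnel_indicators(flow) -> list:
    """Reasons a single IPv4 flow looks like latent IPv6 tunnel traffic."""
    reasons = []
    if flow.proto == PROTO_41:
        reasons.append("protocol 41 (IPv6 over IPv4 / 6to4)")
    if SIXTO4_ANYCAST in (flow.src, flow.dst):
        reasons.append("6to4 anycast relay 192.88.99.1")
    if flow.proto == UDP and TEREDO_PORT in (flow.sport, flow.dport):
        reasons.append("Teredo (UDP 3544)")
    return reasons

def isatap_lookups(dns_log_lines) -> list:
    """(client, qname) for every query whose first label is 'isatap'."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()   # constructed format: "<client> query <qname> <qtype>"
        if len(parts) >= 3 and parts[1] == "query":
            qname = parts[2].lower().rstrip(".")
            if qname.split(".")[0] == "isatap":
                hits.append((parts[0], qname))
    return hits

# Constructed sample data, documentation and private ranges only.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.9", 6, 51234, 443),      # ordinary HTTPS
    Flow("10.1.2.3", "192.88.99.1", 41, 0, 0),           # 6to4 via the anycast relay
    Flow("10.1.2.7", "198.51.100.4", UDP, 61000, 3544),  # Teredo client
    Flow("10.1.2.9", "198.51.100.8", 41, 0, 0),          # configured 6in4 tunnel
]
SAMPLE_DNS = [
    "10.1.2.3 query www.example.com A",
    "10.1.2.5 query isatap.example.com A",
]

def report(flows=SAMPLE_FLOWS, dns=SAMPLE_DNS) -> dict:
    """Map each internal IPv4 address to the tunnel indicators observed for it."""
    findings = {}
    for f in flows:
        for reason in tunnel_indicators(f):
            findings.setdefault(f.src, []).append(reason)
    for client, qname in isatap_lookups(dns):
        findings.setdefault(client, []).append(f"ISATAP router lookup ({qname})")
    return findings
```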
-
1. RS: Data = Query: please send RA
2. RA: Data = options, prefix, lifetime, A+M+O flags
[Figure: host sends 1. RS, the router answers 2. RA; an attacker also sends 2. RA, labelled DoS / MITM]
RA w/o any authentication gives exactly the same level of security as DHCPv4 (none)
Router Advertisements contain:
-Prefix to be used by hosts
-Data-link layer address of the router
-Miscellaneous options: MTU, DHCPv6 use, ...
-
Devastating:
Denial of service: all traffic sent to a black hole
Man in the Middle attack: attacker can intercept, listen, modify unprotected data
Also affects legacy IPv4-only network with IPv6-enabled hosts
Most of the time from non-malicious users
Requires layer-2 adjacency (some relief)
The major blocking factor for enterprise IPv6 deployment
-
Where               What
Routers             Increase legal router preference
Hosts               Disabling Stateless Address Autoconfiguration
Routers & Hosts     SeND Router Authorization
Switch (First Hop)  Host isolation
Switch (First Hop)  Port Access List (PACL)
Switch (First Hop)  RA Guard
-
RFC 3972 Cryptographically Generated Addresses (CGA)
IPv6 addresses whose interface identifiers are cryptographically generated from the node's public key
SeND adds a signature option to Neighbor Discovery Protocol
Using node private key
Node public key is sent in the clear (and linked to CGA)
Very powerful
If MAC spoofing is prevented
But, not a lot of implementations: Cisco IOS, Linux, some H3C, third party for Windows
-
Each device has an RSA key pair (no need for cert)
Ultra light check for validity
Prevent spoofing a valid CGA address
[Figure: CGA Params (Modifier, Public Key, Subnet Prefix) -> SHA-1 -> Interface Identifier; Subnet Prefix + Interface Identifier = Crypto. Generated Address; the RSA private key produces the Signature on SeND Messages, the public key travels in the CGA Params]
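An added worked example of the RFC 3972 construction sketched in the figure, not code from the talk or from any SeND implementation; the public key bytes and the 2001:db8:1::/64 prefix are constructed stand-ins.

```python
"""CGA generation and verification per RFC 3972 (added illustration, not the
talk's code). PUBLIC_KEY_DER is a constructed stand-in byte string; a SeND node
would use the DER encoding of its real RSA public key."""
import hashlib
import os

# Constructed stand-in for a DER-encoded RSA public key (not a real key).
PUBLIC_KEY_DER = bytes.fromhex("30819f300d06092a864886f70d010101") + bytes(range(80))
PREFIX = bytes.fromhex("20010db800010000")   # 2001:db8:1::/64, documentation prefix

def _hash1(modifier, prefix, collisions, pubkey):
    """Hash1: leftmost 64 bits of SHA-1(modifier | prefix | collision count | key)."""
    return hashlib.sha1(modifier + prefix + bytes([collisions]) + pubkey).digest()[:8]

def _hash2_ok(modifier, pubkey, sec):
    """Hash2: SHA-1(modifier | 9 zero bytes | key); leftmost 16*Sec bits must be zero."""
    h = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return sec == 0 or h >> (112 - 16 * sec) == 0

def generate_cga(prefix, pubkey, sec=1, collisions=0):
    """Return (address, modifier). The caller runs DAD and, on a clash, retries
    with collisions + 1 (the spec allows at most 2)."""
    assert len(prefix) == 8 and 0 <= sec <= 7 and 0 <= collisions <= 2
    modifier = int.from_bytes(os.urandom(16), "big")
    while not _hash2_ok(modifier.to_bytes(16, "big"), pubkey, sec):
        modifier = (modifier + 1) % (1 << 128)   # the spec's search, about 2^(16*Sec) tries
    mod = modifier.to_bytes(16, "big")
    iid = bytearray(_hash1(mod, prefix, collisions, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)        # Sec in bits 0-2, u/g bits (6, 7) cleared
    return bytes(prefix + iid), mod

def verify_cga(address, modifier, prefix, collisions, pubkey):
    """Verify that the CGA parameters bind this address to this public key."""
    if not (0 <= collisions <= 2) or len(address) != 16 or address[:8] != prefix:
        return False
    iid, expected = address[8:], _hash1(modifier, prefix, collisions, pubkey)
    # Compare ignoring Sec (bits 0-2) and the u/g bits (6, 7) of the first byte
    if (iid[0] & 0x1C) != (expected[0] & 0x1C) or iid[1:] != expected[1:]:
        return False
    return _hash2_ok(modifier, pubkey, iid[0] >> 5)

def demo():
    """Generate a Sec=1 CGA and show that a different key cannot claim it."""
    addr, mod = generate_cga(PREFIX, PUBLIC_KEY_DER, sec=1)
    genuine = verify_cga(addr, mod, PREFIX, 0, PUBLIC_KEY_DER)
    other_key = PUBLIC_KEY_DER[:-1] + b"\x00"    # constructed key differing in one byte
    impostor = verify_cga(addr, mod, PREFIX, 0, other_key)
    return addr, genuine, impostor
```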
-
Adding an X.509 certificate to RA
Subject Name contains the list of authorized IPv6 prefixes
[Figure: Trust Anchor issues an X.509 cert to the router; Router Advertisement with Source Addr = CGA, CGA param block (incl. pub key), signed, carrying the X.509 cert]
-
[Figure: two PCs (public V6) behind CPEs, each in its own PVLAN, receiving RA only from the BNG]
Prevent Node-Node Layer-2 communication by using:
1 VLAN per host (SP access network with Broadband Network Gateway)
Private VLANs (PVLAN) where node can only contact the official router
Link-local scope multicast (RA, DHCP request, etc) sent only to the local official router: no harm
Can also be used on Wireless in AP Isolation Mode
-
Port ACL blocks all ICMPv6 Router Advertisements from hosts
interface FastEthernet3/13
 switchport mode access
 ipv6 traffic-filter ACCESS_PORT in
 access-group mode prefer port
[Figure: RAs sent from the host ports are dropped by the port ACL]
-
[Figure: RA Guard on the switch; a Router Advertisement (Option: prefix(s), "I am the default gateway") is checked (configuration-based, learning-based or challenge-based) and bridged to the host only if verification succeeded]
Switch selectively accepts or rejects RAs based on various criteria
Can be ACL based, learning based or challenge (SeND) based.
Hosts see only allowed RAs, and RAs with allowed content
-
Pretty much like RA: no authentication
Any node can steal the IP address of any other node
Impersonation leading to denial of service or MITM
Requires layer-2 adjacency
-
Where               What
Routers & Hosts     Configure static neighbor cache entries
Routers & Hosts     Use CryptoGraphic Addresses (SeND CGA)
Switch (First Hop)  Host isolation
Switch (First Hop)  Address watch
                    -Glean addresses in NDP and DHCP
                    -Establish and enforce rules for address ownership
-
Remote router CPU/memory DoS attack if aggressive scanning
Router will do Neighbor Discovery... and waste CPU and memory
Local router DoS with NS/RS/
[Figure: remote scan of 2001:db8::/64 makes the router send NS for 2001:db8::1, 2001:db8::2, 2001:db8::3, ... over and over on the local link]
-
Mainly an implementation issue
Rate limiter on a global and per interface basis
Prioritize renewal (PROBE) rather than new resolution
Maximum Neighbor cache entries per interface and per MAC address
Internet edge/presence: a target of choice
Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
=> Allocate and configure a /64 but use addresses fitting in a /120 in order to have a simple ingress ACL
-
Built-in rate limiter but no option to tune it
Since 15.1(3)T: ipv6 nd cache interface-limit
Or IOS-XE 2.6: ipv6 nd resolution data limit
Destination-guard is coming with First Hop Security phase 3
Using a /64 on point-to-point links => a lot of addresses to scan!
Using /127 could help (RFC 6164)
Internet edge/presence: a target of choice
Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
Using infrastructure ACL prevents this scanning
iACL: edge ACL denying packets addressed to your routers
Easy with IPv6 because new addressing scheme can be done
-
RFC allows for multiple and repeating extension headers.
RFC 3128 is not applicable to IPv6; extension header can be fragmented
Packets get increasingly complex to parse
[Figure:
Original Packet:  IPv6 hdr | Dest Option | Dest Option | TCP | data
First Fragment:   IPv6 hdr | Frag Header | Dest Option
Second Fragment:  IPv6 hdr | Frag Header | Dest Option | TCP | data]
-
Unlimited size of header chain (spec-wise) can make filtering difficult
Potential DoS with poor IPv6 stack implementations
More boundary conditions to exploit
Can I overrun buffers with a lot of extension headers?
[Figure: sniffer decode of a packet with a long extension header chain, annotated "Perfectly Valid IPv6 Packet According to the Sniffer"; callouts: "Destination Options Header Should Be the Last", "Destination Header Which Should Occur at Most Twice", "Header Should Only Appear Once"]
See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html
-
Use a stateful firewall which reassembles all of the fragments and then applies the filtering rules
This only has limited usefulness as the attacker can keep adding headers and increasing the number of fragments to a point where the firewall can no longer reassemble
Filter out packets with specific combinations of Extension Headers or number of Extension Headers
Filter out packets that combine fragmentation with additional Extension Headers
-
IPv6 in IPv4 Tunnel
Most IPv4/IPv6 transition mechanisms have no authentication built in
=> an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses
[Figure: two IPv6 networks (Server A, Server B) joined by an IPv6-in-IPv4 tunnel across the public IPv4 Internet, each end behind a tunnel termination; callouts: "IPv6 ACLs Are Ineffective Since IPv4 & IPv6 Is Spoofed", "Tunnel Termination Forwards the Inner IPv6 Packet"]
-
Unauthorized tunnels: firewall bypass (protocol 41)
IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise
This has implications on network segmentation and network discovery
No authentication in ISATAP: rogue routers are possible
Windows defaults to isatap.example.com
IPv6 addresses can be guessed based on IPv4 prefix
[Figure: ISATAP router with ISATAP tunnels to every host; callouts: "Direct Communication", "Any Host Can Talk to the Router", "IPv4 Network ~ Layer 2 for IPv6 Service"]
-
[Figure: 6to4 routers in an IPv4 network reach the IPv6 Internet through a 6to4 relay; an ACL on the hub does not see traffic tunneled directly between 6to4 routers: "Direct tunneled traffic ignores hub ACL"]
-
Teredo navalis: a shipworm drilling holes in boat hulls
Teredo, Microsoft's: IPv6 in IPv4 punching holes in NAT devices
Source: United States Geological Survey
-
All outbound traffic inspected: e.g., P2P is blocked
All inbound traffic blocked by firewall
[Figure: IPv4 Intranet behind an IPv4 Firewall, connected to the IPv4 Internet; a Teredo Relay links the IPv4 Internet to the IPv6 Internet]
-
Internal users want to get P2P over IPv6
Configure the Teredo tunnel (already enabled by default!)
FW just sees IPv4 UDP traffic (may be on port 53)
No more outbound control by FW
[Figure: same topology (IPv4 Intranet, IPv4 Firewall, IPv4 Internet, Teredo Relay, IPv6 Internet); Teredo threats: IPv6 over UDP (port 3544)]
-
Inbound connections are allowed
IPv4 firewall unable to control
IPv6 hackers can penetrate
Host security needs IPv6 support now
[Figure: once Teredo is configured, inbound IPv6 traffic from the IPv6 Internet reaches the intranet host through the Teredo Relay and the IPv4 Firewall]
-
Residential Broadband Service Case: CPE based
[Figure: Scenario 1 thru 5 and future; red marks new or changed functions in the network]
-
[Figure: IP NGN Backbone (1. Running 6PE/6vPE, 2. Running Dual-Stack) with the access scenarios side by side: IPv4-Only with IPv4 Address Sharing (IPv4 Internet Access); IPv4-Only with IPv4 Address Sharing plus IPv6 Internet Access; Dual-Stack (IPv4 and IPv6 Internet Access); Dual-Stack with IPv4 Address Sharing; IPv6 only with IPv4 Address Sharing (Stateful [DS Lite], Stateless 46). Core functions shown: CGN, 6rd BR, CGN + 6rd, CGN; CE types: 6RD CE, Dual Stack; customer side: Public IPv4, Private IPv4, IPv6]
-
Use of Carrier Grade NAT will require more information to be gathered in order to accurately identify a subscriber.
Currently a simple IPv4 address and a time frame is normally sufficient
With the advent of IPv6 and IPv4 address exhaustion you will need more.
The following should be gathered:
IPv4 address (source and destination)
IPv6 address if in use
TCP/UDP ports (source and destination)
Time
-
More likely scenario:
IPv6 being available all the way to the consumer
SP core and customers have to use IPv4 NAT due to v4 depletion
[Figure: Subscriber Network (IPv4 host, IPv4+IPv6 host, IPv6 host) behind a Customer Router; Dual-Stack SP Network using RFC1918 addresses; SP NAT sharing IPv4 address(es) toward the IPv4 Internet; IPv6 routed natively to the IPv6 Internet]
-
Every IPv4 address has a reputation
Either blacklist or more sophisticated (senderbase.org)
Used to detect spam, botnet members,
It is fine as long as:
One IPv4 == One legal entity (subscriber)
What if
One IPv4 == 10.000 entities/subscribers through SP NAT?
-
Usual way to block a Denial of Service (DoS) against a server is to block the source IPv4 address(es)
Before SP NAT: ok because it blocks only the attacker
With SP NAT: will block the attacker but also 9.999 potential users/customers
-
Servers currently keep only the remote IPv4 address in their log
Law Enforcement Agencies (LEA) can request any ISP to get the subscriber ID of this IPv4 address at a specific time
With SP NAT, there will be 10,000 subscribers using this IPv4 address
-
SP will have to keep all the translation log (data retention)
AND, the server will have to extend the log to include the TCP/UDP port
At 10:23:02 who was using the shared port 23944?
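Added example, not from the talk: the question above answered for constructed records, by correlating a server log line that keeps the remote port with the SP's CGN translation log; both log formats are assumptions, and the address-only lookup shows why the port has to be logged.

```python
"""Attribute a server log entry to a subscriber behind a CGN using the
translation log (added illustration, not from the talk). Both log formats
are constructed; real CGN exports and server logs vary by vendor."""
import re
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed CGN translation records: (start, end, subscriber, inside, outside).
# The same public port is reused by another subscriber as soon as a mapping ends.
CGN_LOG = [
    ("2012-03-01 10:20:00", "2012-03-01 10:22:59", "sub-0412", "10.8.1.7:51000", "203.0.113.5:23944"),
    ("2012-03-01 10:23:00", "2012-03-01 10:25:10", "sub-1187", "10.8.3.2:40211", "203.0.113.5:23944"),
    ("2012-03-01 10:23:01", "2012-03-01 10:30:00", "sub-0931", "10.8.2.9:33012", "203.0.113.5:23945"),
]

def _active(log, when):
    """Yield (subscriber, outside_ip, outside_port) for mappings alive at `when`."""
    t = datetime.strptime(when, FMT)   # assumes both logs use the same clock and timezone
    for start, end, sub, _inside, outside in log:
        if datetime.strptime(start, FMT) <= t <= datetime.strptime(end, FMT):
            ip, port = outside.rsplit(":", 1)
            yield sub, ip, int(port)

def subscribers_for(public_ip, public_port, when, log=CGN_LOG):
    """Subscribers mapped to exactly this public address and port at `when`."""
    return [sub for sub, ip, port in _active(log, when)
            if ip == public_ip and port == public_port]

def subscribers_for_ip_only(public_ip, when, log=CGN_LOG):
    """What an address-only server log can tell you: everyone behind the address."""
    return sorted({sub for sub, ip, _ in _active(log, when) if ip == public_ip})

# Constructed server log line that keeps the remote port, as the slide recommends.
SERVER_LOG = '203.0.113.5:23944 - - [2012-03-01 10:23:02] "GET /login HTTP/1.1" 200'
_LINE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+) .*?\[(?P<ts>[^\]]+)\]")

def attribute(line, log=CGN_LOG):
    """Parse a port-bearing server log line and resolve it to subscriber IDs."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("log line lacks remote port or timestamp")
    return subscribers_for(m["ip"], int(m["port"]), m["ts"], log)
```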
-
Operator has expanding customer base, but does not have enough IPv4 addresses to service new customers.
Business need is to be able to assign new users an IP address and give those new subscribers access to IPv4 Internet content as well as IPv6 internet content.
Possible Scenarios
1.1 IPv6 address to subscriber with Carrier Grade NAT
1.2 Carrier Grade NAT with private v4 address
1.3 Dual stack private v4 and public v6 at customer.
1.4 Dual stack public v4 and public v6 at customer
-
Thank you.