Page 1: IPv6 Promised Role in Mitigating Cyber Attacks: Really it's Time!

Alaa Al-Din Al-Radhi
IPv6 & Cyber Security: Consultant Engineer, Practitioner, Networker & Trainer
IPv6 Forum Jordan Chapter President
[email protected] , [email protected]

Friday, 13 May 2011, 11:30 - 12:15


Page 2: Outline

• IPv6 Security Basic Issues
• Common IPv4 & IPv6 Security Concerns
• IPv6 Transition Threats
• IPv6 Security Techies
• IPv6 Security Road-Map & How-To
• Wrap-Up

Page 3: IPv4 Addresses Finished

"Sorry, we are closed!!"

Page 4: Current ISP (Internet Service Provider) Challenges

• NAT layers for IP address shortages
• Mobility convergence
• Congestion & delay
• Too many security attacks

Page 5: IPv6 Security Basic Issues

Page 6: IPv6 Security Basic Issues

The ONLY real security a person can have in this world = a reserve of knowledge, intent, experience, ability & action.

There is NO fixed answer; ONLY possible solutions!

Page 7: Security Characteristics & Process

IPv6 will restore the CIA model (Confidentiality, Integrity, Availability).

Page 8: Objective: Sieving Malicious Traffic

Filtering pipeline shown on the slide (figure):
• Packet filtering: filters on IPs, ports, flags, etc.
• Anti-spoofing: TCP and other protocols
• Learning & statistical analysis: statistical analysis across layers 3-7
• HTTP analysis & authentication: high-level protocols, anomaly behavior, etc.
• Output: the sieved (clean) traffic

Page 9: Security incidents are a normal part of an ISP's operations

Security life cycle (figure):
• Security Policy
• Secure Resources: firewall, encryption, authentication, audit
• Monitor & Respond: intrusion detection, work the incident
• Test, Practice, Drill: vulnerability scanning
• Manage & Improve: post mortem, analyze the incident, modify the plan / procedures

Page 10: Identify & Evaluate Risk Assessments: Security Breach Likelihood

Figure: NOC, the ISP's backbone, remote staff and office staff, with penetration paths and AAA shown at the boundaries.

Page 11: Complete Security Life Cycle

Page 12: 8 Security Dimensions for Network Vulnerabilities (What / Goal / How)

Access Control
  Goal: ensures access by authorized personnel & devices only; protects against unauthorized use
  How: simple log-in / password, ACL, IDS

Authentication
  Goal: confirms the identity of communicating entities (e.g., end-users, network elements); provides assurance of an entity's identity
  How: digital certificates, digital signatures, SSL

Non-Repudiation
  Goal: prevents an entity from denying its actions; ensures evidence is available that an action has taken place
  How: logs, access control, digital signatures

Data Confidentiality
  Goal: protects against unauthorized data access; ensures data content cannot be read or manipulated by an unauthenticated entity
  How: encryption (3DES, AES), access control lists, file permissions

Communication Security
  Goal: ensures information flows only between authorized end-points; ensures information is not intercepted or diverted
  How: VPNs (IPsec, L2TP), MPLS tunnels

Data Integrity
  Goal: ensures information accuracy; detects unauthorized modification
  How: IPsec, anti-virus software

Availability
  Goal: network availability
  How: disaster recovery solutions, FW, IDS / IPS, backup & business continuity

Privacy
  Goal: information protection
  How: encryption of IP headers (IPsec tunnel mode)

Page 13: ISP Security Breakdowns Checklists

Backbone / Core: device integrity + route authentication

Aggregation & Distribution: device integrity + route authentication + stateful / stateless firewall + crypto + L3 filtering + L3 DDoS mitigation + L3 spoof mitigation

CPE Access / Perimeter: L3 filtering, L3 DDoS mitigation, L2 security (firewall, AAA, device integrity) + URL filtering + IDS (host / network based)

Endpoints: device integrity + device and user AAA + hosts: firewall (e.g. BlackICE) + OS patches + AV + hardening + file system encryption + vulnerability scanning

Page 14: What is Needed: IPv6 End-to-End Secure Communications

Figure: IPv4 Internet vs. IPv6 Internet.

IPv4 Internet: private address segments at Branch A, Branch B and the partner company sit behind NAT routers (R); secure transmission is site-to-site between the routers only, with low interoperability between different vendors' gateways and low security inside the LAN segments.

IPv6 Internet: global address segments everywhere; IPsec nodes talk to each other directly, giving end-to-end secure communications and making it easy to set up a new connection.

Page 15: Motivations for "IP Layer" Security

1. The Internet community has developed some application-specific security mechanisms:
   – Kerberos for client / server authentication
   – PGP, PEM or S/MIME for e-mail security
   – SSL for secure web access

2. So, we need to provide security at the IP layer: IPsec, with the following benefits:
   – Implemented at the IP layer, all traffic can be secured, no matter what the application.
   – IPsec in a firewall cannot be bypassed if the firewall is the only connection between intranet & extranet.
   – Transparent to applications: no changes to upper-layer software.
   – Provides routing security.

Page 16: IPv6: Header Structure

• Simple base header with a fixed length of 40 bytes.
• Optional extension headers when needed (the six defined in RFC 2460):
  1. Hop-by-Hop Options header
  2. Routing header
  3. Fragment header
  4. Destination Options header
  5. Authentication Header (AH)
  6. Encapsulating Security Payload (ESP) header
• Each extension header is identified by the Next Header field in the preceding header.

Page 17: IPv6: Header Structure

Figure: base header = 40 bytes, followed by the upper-layer PDU of up to 65,535 bytes; a payload larger than 65,535 bytes is a Jumbo Payload (signalled with a Hop-by-Hop option, RFC 2675).

Page 18: IPv6: Header Structure

Next Header values (IANA protocol numbers): Hop-by-Hop Options = 0; TCP = 6; UDP = 17; IPv6 encapsulation = 41; Routing = 43; Fragment = 44; RSVP = 46; IPsec Encapsulating Security Payload = 50; IPsec Authentication Header = 51; ICMPv6 = 58; No Next Header = 59; Destination Options = 60; OSPFv3 = 89.

Page 19: IPv6: Header Structure Benefits

• The header checksum has been removed, because error checking is usually performed by link-layer and transport-layer protocols.
• Fragmentation has been relegated to an extension header, the minimum MTU has been increased to 1280 bytes, and fragmentation and reassembly are only performed by endpoints (routers never fragment IPv6 packets).
• Routers have to examine more than the 40-byte header only when the Next Header (NH) field is zero (Hop-by-Hop Options).
• The design also pays careful attention to alignment for 64-bit processors; e.g., the addresses are aligned on 64-bit boundaries.
• The constant size of the IPv6 header makes the header length field found in IPv4 unnecessary. Routers & intermediate nodes handling the packets are not required to accommodate variability in header length, which expedites packet handling.

Page 20: IPv6: Some Quick Security Facts

• Hop limit & GTSM (Generalized TTL Security Mechanism, RFC 5082): still valid security mechanisms against DoS attacks on local links.
• Amplification attack (congestion & DoS): can be caused by a packet with a Routing Header containing multiple instances of the same address. It is crucial to perform ingress filtering that prohibits forwarding of packets with a Type 0 Routing Header (RH0, deprecated by RFC 5095).
• Next Header (NH) functionality in IPv6 provides the foundation for enhanced services such as IPv6 security & mobility.
• Packets containing Hop-by-Hop extension headers must be analyzed at every node along the forwarding path.
• Extension headers bring additional complexity (and performance degradation) for the purpose of traffic filtering.
• Block Mobility headers (Next Header 135) if IPv6 mobility is not being used by the organization.
• Extension headers can also be used as a covert channel to hide communications between two systems, e.g., in Destination Options.
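The Next Header chain on pages 16 to 20 is what a filter has to walk before it can apply any of the rules above. The Python below is an added example, not code from the talk or from any firewall product: it parses the base header and each extension header (Hop-by-Hop, Routing, Fragment, Destination Options, Mobility, AH), stops at ESP or at the upper-layer protocol, and then applies the policy these slides recommend: drop Type 0 Routing Headers, drop Mobility headers unless mobility is deployed, and flag Hop-by-Hop and Destination Options for deeper inspection. The packets it runs on are constructed inside the block; the verdict strings and the `mobility_in_use` flag are this example's own.

```python
"""Walk an IPv6 extension-header chain and apply the filtering rules from the slides.
Added example; packets below are constructed test data, not captured traffic."""
import struct

# Next Header values (IANA protocol numbers; Mobility = 135 per RFC 6275)
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONXT, DSTOPTS, MOBILITY = (
    0, 6, 17, 43, 44, 50, 51, 58, 59, 60, 135)
NAMES = {HOPOPT: "Hop-by-Hop", TCP: "TCP", UDP: "UDP", ROUTING: "Routing",
         FRAGMENT: "Fragment", ESP: "ESP", AH: "AH", ICMPV6: "ICMPv6",
         NONXT: "No Next Header", DSTOPTS: "Destination Options",
         MOBILITY: "Mobility"}
# Extension headers whose length octet counts 8-octet units, excluding the first 8
EXT_8OCTET = {HOPOPT, ROUTING, DSTOPTS, MOBILITY}


def walk_headers(pkt):
    """Return [(name, detail), ...] for the base header and every extension
    header, stopping at the upper-layer protocol or at ESP (whose contents are
    opaque to a node that does not hold the SA)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh, hop_limit = struct.unpack("!HBB", pkt[4:8])
    chain = [("IPv6", {"payload_len": payload_len, "hop_limit": hop_limit})]
    off = 40
    while True:
        if nh in EXT_8OCTET or nh in (FRAGMENT, AH):
            if off + 8 > len(pkt):
                raise ValueError("truncated extension header")
        if nh in EXT_8OCTET:
            hdr_len = (pkt[off + 1] + 1) * 8
            detail = {"len": hdr_len}
            if nh == ROUTING:
                detail["routing_type"], detail["segments_left"] = pkt[off + 2], pkt[off + 3]
            chain.append((NAMES[nh], detail))
            nh, off = pkt[off], off + hdr_len
        elif nh == FRAGMENT:  # fixed 8 octets: NH, reserved, offset/flags, identification
            off_flags, ident = struct.unpack("!HI", pkt[off + 2:off + 8])
            chain.append(("Fragment", {"offset": off_flags >> 3,
                                       "more": bool(off_flags & 1), "id": ident}))
            nh, off = pkt[off], off + 8
        elif nh == AH:  # AH payload length is in 4-octet units, minus 2
            hdr_len = (pkt[off + 1] + 2) * 4
            chain.append(("AH", {"len": hdr_len}))
            nh, off = pkt[off], off + hdr_len
        else:  # ESP or an upper-layer protocol: the readable chain ends here
            chain.append((NAMES.get(nh, "proto %d" % nh), {"offset": off}))
            return chain


def verdict(pkt, mobility_in_use=False):
    """Filtering decision drawn from the slides (policy strings are this example's)."""
    chain = walk_headers(pkt)
    for name, detail in chain:
        if name == "Routing" and detail["routing_type"] == 0:
            return "DROP: RH0"
        if name == "Mobility" and not mobility_in_use:
            return "DROP: mobility header not in use"
    if any(name in ("Hop-by-Hop", "Destination Options") for name, _ in chain):
        return "INSPECT"
    return "ACCEPT"


def build_pkt(ext_headers, upper=UDP, upper_payload=b"\x00" * 8):
    """Construct a minimal IPv6 packet from (next_header_value, header_bytes)
    pairs; each header's first octet is patched to point at the following one."""
    body = b""
    nhs = [nh for nh, _ in ext_headers] + [upper]
    for i, (_, raw) in enumerate(ext_headers):
        body += bytes([nhs[i + 1]]) + raw[1:]
    body += upper_payload
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(body), nhs[0], 64) + src + dst + body


# Constructed headers: RH0 with one address (24 octets), a PadN-only option
# header (8 octets), a Fragment header (offset 0, M=1, id 42), a Mobility header.
RH0 = (ROUTING, bytes([0, 2, 0, 1]) + b"\x00" * 4
       + bytes.fromhex("20010db8000000000000000000000003"))
DSTOPT = (DSTOPTS, bytes([0, 0, 1, 4, 0, 0, 0, 0]))
HBH = (HOPOPT, bytes([0, 0, 1, 4, 0, 0, 0, 0]))
FRAG = (FRAGMENT, bytes([0, 0, 0x00, 0x01]) + (42).to_bytes(4, "big"))
MOB = (MOBILITY, bytes([0, 0, 5, 0, 0, 0, 0, 0]))

if __name__ == "__main__":
    samples = [("plain UDP", build_pkt([])), ("RH0", build_pkt([RH0])),
               ("HBH + DstOpts", build_pkt([HBH, DSTOPT])), ("fragment", build_pkt([FRAG])),
               ("mobility", build_pkt([MOB], upper=NONXT, upper_payload=b""))]
    for label, pkt in samples:
        print(label, [n for n, _ in walk_headers(pkt)], verdict(pkt))
```

Run it directly to see the chain and verdict for each sample packet. A real filter must also cope with the chain being split across fragments (the upper-layer header need not be in the first fragment), which this walker does not attempt; that gap is exactly what made extension-header filtering expensive in early IPv6 firewalls.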

Page 21: IPv6 Defenses: What's New?

• IPsec: authentication & encryption (RFC 2401, 2402, 2406, 2408, the IPsec v2 documents; since obsoleted by RFC 4301, 4302, 4303 and, for key exchange, IKEv2, RFC 5996)
• SEND: Secure Neighbor Discovery (RFC 3971)
• CGA: Cryptographically Generated Addresses (RFC 3972)
• ULA: Unique Local Addresses (RFC 4193)
• Firewall model change

Page 22: What is Needed: Secure Site-to-Site IPv6 Traffic over IPv4 & IPv6 Networks with IPsec

Page 23: IPsec Components

IPsec (RFC 2401, 2402, 2406, 2408, 2409) = 3 main protocols combined into a cohesive security framework:

• AH: Authentication Header (IP protocol 51): provides a framework for authenticating and securing data.
• ESP: Encapsulating Security Payload (IP protocol 50): provides a framework for encrypting, authenticating and securing data.
• IKE: Internet Key Exchange (UDP port 500; 4500 with NAT traversal): provides a framework for the negotiation of security parameters & the establishment of authenticated keys:
  – Negotiation of SA characteristics
  – Automatic key generation
  – Automatic key refresh
  – Manageable manual configuration

Page 24: IPsec Modes = Tunnel + Transport

Transport mode (for end-to-end sessions): the ESP or AH header is inserted behind the original IP header; the IP header can be authenticated (by AH) but NOT encrypted.

Tunnel mode (for everything else, e.g., gateway-to-gateway): a new outer IP header is created in front of the original packet, so the entire original packet, header included, can be encrypted.

Page 25: IPsec Services

Service                      | AH | ESP (encryption only) | ESP (encryption + authentication)
Access control               | √  | √                     | √
Connectionless integrity     | √  |                       | √
Data origin authentication   | √  |                       | √
Reject replayed packets      | √  | √                     | √
Payload confidentiality      |    | √                     | √
Traffic flow confidentiality |    | limited               | limited

Traffic flow confidentiality is limited due to the limited amount of payload padding, and is only available in tunnel mode (where the inner header is hidden).

Page 26: SA (Security Association)

• Agreement between 2 entities on the method to communicate securely.
• An IPsec SA is unidirectional: 2-way communication consists of 2 SAs.

Example SA (slide figure):
  Destination address: 192.168.2.1
  Security Parameters Index (SPI): 7A390BC1
  IPsec transform: AH, HMAC-MD5
  Key: 7572CA49F7632946
  Additional SA attributes (e.g., lifetime): 1 day or 100 MB

Each SA is identified by:
• Security Parameters Index (SPI): 32-bit integer chosen by the receiving system (not the sender), since it is the receiver that uses it to select the required SA.
• Destination address: RFC 2401 permits only unicast IP addresses; RFC 4301 later added multicast SAs.
• Security protocol identifier: AH or ESP.
This information appears in the IP packet, so the receiver knows how to behave.

The HMAC-MD5 transform and 64-bit key above are illustrative only: HMAC-MD5 is no longer recommended for IPsec, and current practice is HMAC-SHA-256 or an AEAD cipher such as AES-GCM.

Page 27: IPsec Modes in SA

AH
  Transport mode SA: authenticates the IP payload & selected (immutable) parts of the IP header & IPv6 extension headers.
  Tunnel mode SA: authenticates the entire inner IP packet & selected parts of the outer IP header & outer IPv6 extension headers.

ESP (encryption only)
  Transport mode SA: encrypts the IP payload + any IPv6 extension headers after the ESP header.
  Tunnel mode SA: encrypts the inner IP packet.

ESP (encryption + authentication)
  Transport mode SA: encrypts the IP payload + any IPv6 extension headers after the ESP header; authenticates the IP payload (but not the outer header).
  Tunnel mode SA: encrypts & authenticates the inner IP packet.

Page 28: IPsec: AH vs. ESP

AH: Authentication Header
• Authentication & integrity of the payload and of the immutable parts of the IP header (and extension headers)
• Anti-replay protection (sequence numbers)
• No confidentiality

ESP: Encapsulating Security Payload
• Data confidentiality (encryption)
• Limited traffic flow confidentiality
• Data integrity
• Optional data origin authentication
• Anti-replay protection
• Does NOT protect the IP header (in transport mode)

Page 29: IPsec AH: Authentication, V4 vs. V6

Figure: V4 and V6 packet layouts.

Page 30: IPsec ESP: V4 vs. V6

Figure: V4 and V6 packet layouts.

Page 31: IPsec: IKE (Internet Key Exchange) = Hybrid Protocol (RFC 2409)

IKE is a 2-phase protocol:

Phase 1: peers negotiate a secure, authenticated channel with which to communicate. "Main Mode" or "Aggressive Mode" accomplishes a Phase 1 exchange.

Phase 2: security associations are negotiated on behalf of IPsec services. "Quick Mode" accomplishes a Phase 2 exchange.

These phases and modes are IKEv1 (RFC 2409); IKEv2 (RFC 5996) replaces them with the IKE_SA_INIT / IKE_AUTH and CREATE_CHILD_SA exchanges.

Page 32: How Does IKE Work? Authentication Architecture

Figure: Phase 1, Phase 2.

Page 33: IPsec Components and Terminology

Figure (steps 1 to 4): IKE Phase 1 establishes a secure communication channel between the two IPsec peers; IKE Phase 2 negotiates the IPsec tunnel; secured traffic is then exchanged through it.

Terminology:
• Data Integrity: secure hashing (HMAC) is used to ensure no data alteration in transit.
• Data Confidentiality: encryption is used to ensure data cannot be read by a 3rd party that intercepts it.
• Data Origin Authentication: authentication of the SA peer.
• Anti-replay: sequence numbers are used to detect & discard duplicate packets.
• Hash Message Authentication Code (HMAC): a keyed hash of the data & a secret key, used to provide message authenticity.
• Diffie-Hellman Exchange: a shared secret key is established over an insecure path using public and private values.
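Pages 26 and 33 describe the SA identifier (SPI, destination, protocol), the unidirectional nature of SAs, HMAC-based integrity and sequence-number anti-replay. The Python below is an added example, not part of the presentation or of any IPsec stack: it models the receive path of one AH-style SA with the slide's SPI 7A390BC1 and destination 192.168.2.1, using the sliding anti-replay window of RFC 4303 section 3.4.3 and HMAC-SHA-256 truncated to 128 bits in place of the slide's HMAC-MD5. The key, the payload bytes and the simplified record layout (SPI | Seq | payload | ICV) are this example's assumptions.

```python
"""IPsec SA lookup, anti-replay window and ICV check on the receive path.
Added example; keys and payloads are constructed, the record format is simplified."""
import hmac
import hashlib
import struct
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    """One unidirectional SA, identified by (SPI, destination, protocol)."""
    spi: int
    dst: str
    proto: str                 # "AH" or "ESP"
    auth_key: bytes
    icv_len: int = 16          # HMAC-SHA-256-128: MAC truncated to 128 bits
    window_size: int = 64      # RFC 4303: minimum 32, default 64
    seq_out: int = 0           # last sequence number sent (outbound side)
    highest_seq: int = 0       # right edge of the receive window (inbound side)
    window: int = 0            # bitmap; bit i set => highest_seq - i was received

    def icv(self, data):
        return hmac.new(self.auth_key, data, hashlib.sha256).digest()[:self.icv_len]

    def protect(self, payload):
        """Outbound: SPI | Seq | payload | ICV. Seq must never wrap: rekey first."""
        if self.seq_out >= 2**32 - 1:
            raise RuntimeError("sequence number space exhausted: rekey the SA")
        self.seq_out += 1
        body = struct.pack("!II", self.spi, self.seq_out) + payload
        return body + self.icv(body)

    def replay_check(self, seq):
        """True if seq is new and inside the window (RFC 4303 section 3.4.3)."""
        if seq == 0:                            # 0 is never a valid sequence number
            return False
        if seq > self.highest_seq:              # right of the window: new
            return True
        diff = self.highest_seq - seq
        if diff >= self.window_size:            # left of the window: too old
            return False
        return not (self.window >> diff) & 1    # inside: must not be marked yet

    def replay_update(self, seq):
        """Advance or mark the window; call only after the ICV verified."""
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest_seq = seq
        else:
            self.window |= 1 << (self.highest_seq - seq)


class SADB:
    """Security Association Database keyed as the slide describes."""
    def __init__(self):
        self.sas = {}

    def add(self, sa):
        self.sas[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi, dst, proto):
        return self.sas.get((spi, dst, proto))


def receive(sadb, dst, proto, pkt):
    """Inbound processing: SA lookup, replay pre-check, ICV, then window update."""
    if len(pkt) < 8:
        return "DROP: truncated"
    spi, seq = struct.unpack("!II", pkt[:8])
    sa = sadb.lookup(spi, dst, proto)
    if sa is None:
        return "DROP: no SA"
    if not sa.replay_check(seq):
        return "DROP: replay"
    body, icv = pkt[:-sa.icv_len], pkt[-sa.icv_len:]
    if not hmac.compare_digest(icv, sa.icv(body)):
        return "DROP: bad ICV"
    sa.replay_update(seq)
    return "ACCEPT seq=%d" % seq


def run_demo():
    """tx and rx are the two ends of one unidirectional SA (a second SA would
    carry the reverse direction). SPI and destination are the slide's values;
    the key is constructed for this example."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    tx = SecurityAssociation(0x7A390BC1, "192.168.2.1", "AH", key)
    rx = SecurityAssociation(0x7A390BC1, "192.168.2.1", "AH", key)
    sadb = SADB()
    sadb.add(rx)
    p = [tx.protect(b"packet %d" % i) for i in (1, 2, 3)]
    forged = struct.pack("!II", 0x7A390BC1, 4) + b"injected" + b"\x00" * 16
    verdicts = [receive(sadb, "192.168.2.1", "AH", x)
                for x in (p[0], p[0], p[2], p[1], p[1], forged)]
    verdicts.append(receive(sadb, "192.168.2.1", "ESP", p[0]))  # wrong protocol: no SA
    return verdicts, rx.highest_seq


if __name__ == "__main__":
    for v in run_demo()[0]:
        print(v)
```

The order inside receive() matters: the cheap replay pre-check runs before the HMAC computation, but the window is only advanced after the ICV has verified, so a forged packet with a high sequence number cannot slide the window past legitimate traffic that is still in flight.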

Page 34: IPsec Transforms and Transform Sets

• An IPsec transform specifies either an AH or an ESP protocol and its corresponding algorithms and mode.
• A transform set is a combination of IPsec transforms that enacts a security policy for traffic.
• Up to 3 transforms can be in a set; sets are limited to up to 1 AH and up to 2 ESP transforms (one cipher, one authentication algorithm). This is Cisco IOS "crypto ipsec transform-set" terminology.

Page 35: 5 Steps of IPsec

Figure: steps 1 to 5.

Page 36: 5 Steps of IPsec: Steps 1 and 2

1. Interesting traffic: access lists determine the traffic to encrypt:
   – Permit: traffic must be encrypted
   – Deny: traffic is sent unencrypted

2. IKE Phase One:
   – Authenticates the IPsec peers
   – Negotiates a matching policy to protect the IKE exchange
   – Exchanges keys (Diffie-Hellman)
   – Establishes the IKE SA

Page 37: 5 Steps of IPsec: Steps 3 and 4

3. IKE Phase Two:
   – Negotiates IPsec SA parameters, protected by the existing IKE SA
   – Establishes the IPsec SAs
   – Periodically renegotiates IPsec SAs to ensure security

4. IPsec encrypted tunnel:
   – Information is exchanged via the IPsec tunnel
   – Packets are encrypted & decrypted using the encryption specified in the IPsec SA

Page 38: 5 Steps of IPsec: Step 5

5. Tunnel termination: the tunnel is terminated when an SA is deleted or expires:
   • SA lifetime timeout
   • Packet (byte) counter exceeded
   This removes the IPsec SA.

Page 39: CGA: Cryptographically Generated Addresses

• Each device has an RSA key pair (no need for certification or a PKI).
• Ultra-light check for validity: the verifier recomputes a hash over the public key and the CGA parameters.
• Prevents spoofing of a valid CGA address: the address is bound to the owner's public key, so nobody else can prove ownership of it. This does not stop an attacker from generating their own valid CGA; CGA proves address ownership, not authorization to use the link or the prefix.

Page 40: SEND: Secure Neighbor Discovery (RFC 3971), Based on CGA

RFC 3971 is a standard to mitigate Neighbor Discovery (ND) attacks. Its components:
• Certification paths: anchored on trusted parties, expected to certify the authority of the routers over some prefixes.
• Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifiers are cryptographically generated from the node's public key.
• RSA Signature option: protects all messages relating to neighbor & router discovery.
• Timestamp and Nonce options: prevent replay attacks.
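Pages 39 and 40 state that a CGA binds an IPv6 interface identifier to an RSA public key without a PKI and that checking it is cheap. The Python below, an added example rather than code from the talk or from any SEND implementation, carries out the RFC 3972 generation and verification: Hash1 over the CGA Parameters becomes the interface identifier (with the Sec value in bits 0-2 and the u/g bits cleared), and Hash2 must have 16*Sec leading zero bits, which is the brute-force cost an attacker would have to pay per address. The "public keys" are constructed byte strings standing in for DER-encoded keys, and the modifier search starts from zero instead of a random value so the output is reproducible; both are this example's assumptions.

```python
"""Cryptographically Generated Addresses (RFC 3972): generation and verification.
Added example; the key material below is a constructed placeholder, not a real key."""
import hashlib
import ipaddress

PREFIX = bytes.fromhex("20010db800000000")          # 2001:db8::/64 (documentation prefix)
# Placeholders for the DER-encoded SubjectPublicKeyInfo of two different RSA keys.
PUBKEY = b"\x30\x81\x9f" + hashlib.sha256(b"node key placeholder").digest() * 5
OTHER_KEY = b"\x30\x81\x9f" + hashlib.sha256(b"attacker key placeholder").digest() * 5


def _hash1(modifier, prefix, collision_count, pubkey):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters data structure:
    Modifier (16) | Subnet Prefix (8) | Collision Count (1) | Public Key."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2_ok(modifier, pubkey, sec):
    """Hash2 = SHA-1(Modifier | 9 zero octets | Public Key); its leftmost
    16*Sec bits must be zero. Sec raises the cost of brute-forcing an address."""
    if sec == 0:
        return True
    h2 = int.from_bytes(hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest(), "big")
    return h2 >> (160 - 16 * sec) == 0


def generate_cga(prefix, pubkey, sec=1, collision_count=0, start_modifier=0):
    """Return (IPv6Address, modifier). A real node picks a random 128-bit
    modifier; here the search starts from start_modifier for reproducibility."""
    if not (0 <= sec <= 7 and 0 <= collision_count <= 2 and len(prefix) == 8):
        raise ValueError("bad CGA parameters")
    m = start_modifier
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m += 1                                  # the Sec-dependent work factor
    modifier = m.to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (sec << 5) | (iid[0] & 0b00011100)  # bits 0-2 = Sec; bits 6-7 (u, g) = 0
    return ipaddress.IPv6Address(prefix + bytes(iid)), modifier


def verify_cga(address, modifier, prefix, collision_count, pubkey):
    """RFC 3972 section 5: recompute Hash1 (ignoring the Sec and u/g bits),
    then check the Hash2 condition for the Sec value read from the address."""
    packed = ipaddress.IPv6Address(str(address)).packed
    if collision_count > 2 or packed[:8] != prefix:
        return False
    iid = packed[8:]
    h1 = _hash1(modifier, prefix, collision_count, pubkey)
    if (iid[0] & 0b00011100) != (h1[0] & 0b00011100) or iid[1:] != h1[1:]:
        return False
    return _hash2_ok(modifier, pubkey, iid[0] >> 5)


if __name__ == "__main__":
    addr, mod = generate_cga(PREFIX, PUBKEY, sec=1)
    print("CGA:", addr, "modifier:", mod.hex())
    print("owner verifies:   ", verify_cga(addr, mod, PREFIX, 0, PUBKEY))
    print("attacker key:     ", verify_cga(addr, mod, PREFIX, 0, OTHER_KEY))
```

verify_cga() returns False when a different key is presented for the same address, which is the spoofing the slide refers to; it says nothing about whether the node is allowed on the link or owns the prefix, which is why SEND pairs CGA with router certification paths.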

Page 41: Firewall Model Change

From ONE point for routing & security policy to distributed firewalls.

Page 42: Common IPv4 & IPv6 Security Concerns

Page 43: DDoS Vulnerabilities, Threats and Targets

Page 44: Lower Layers Affect Higher Layers

• OSI was built to allow different layers to work without knowledge of each other.
• Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem.
• Security is only as strong as the weakest link.
• In networking, layer 2 can be a very weak link.

Page 45: Attack Surfaces & Layers

Page 46: Common IPv4 & IPv6 Security Issues

Denial of Service attacks (DoS): an attempt to make a computer resource unavailable to its intended users. One common method involves flooding the target host with requests, thus preventing valid network traffic from reaching the host.

Viruses & worms distribution: malicious code / programs can propagate themselves from one infected or compromised host to another. This distribution is aided by the small address space of IPv4 (random scanning of a /64 is impractical in IPv6).

Man-in-the-middle attacks (MITM): without strong mutual authentication, any attack utilizing MITM will have the same likelihood in IPv6 as in IPv4.

Sniffing: IPv6 is no less likely to fall victim to a sniffing attack than IPv4.

Fragmentation attacks: this attack uses many small fragmented ICMP packets which, when reassembled at the destination, exceed the maximum allowable size for an IP datagram, which can cause the victim host to crash, hang or even reboot ("Ping of Death").

Application layer attacks: the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do NOTHING to prevent.

Page 47: Threats Overview: Misc. Daily Probes & Attacks (Top TCP & UDP Attacks)

Layer 1: wiretapping, console access, rogue devices
Layer 2: VLAN "hopping"; MAC, DHCP, ARP spoofing
Layer 3: IP spoofing, DDoS, routing, Smurf, tunneling, transition
Layers 4-7: viruses, worms, application, rogue software, MITM
Multiple layers: reconnaissance, sniffing, unauthorized access

Page 48: IPv6 Transition Threats

Page 49: IPv4 to IPv6 Transition Landscape Challenges

16+ transition methods, possibly in combination.

Dual Stack:
• Consider security for both protocols
• Resiliency (shared resources)
• Applications can be subject to attack on both IPv6 & IPv4
• Host security controls should block & inspect traffic from both

Tunnels:
• Bypass the FW (IP protocol 41 or UDP encapsulation)
• Can cause asymmetric traffic (hence breaking stateful firewalls)

Page 50: Example: L3-L4 Spoofing in IPv6 When Using IPv6 over IPv4 Tunnels

• Most IPv4 / IPv6 transition mechanisms have NO authentication built in.
• => An IPv4 attacker can inject traffic into the tunnel by spoofing both the IPv4 (outer) and IPv6 (inner) addresses.

Page 51: Example: ISATAP / 6to4 Tunnels Bypass ACL

Page 52: Example: Transition Threats, e.g. ISATAP

• Unauthorized tunnels: firewall bypass (IP protocol 41).
• The IPv4 infrastructure looks like a layer 2 network to ALL ISATAP hosts in the enterprise. This has implications for network segmentation & network discovery.
• NO authentication in ISATAP, so rogue routers are possible.
• IPv6 addresses can be guessed based on the IPv4 prefix (the ISATAP interface identifier embeds the host's IPv4 address).

Page 53: Example: Teredo Tunnels (1): Without Teredo, Controls Are in Place

Page 54: Example: Teredo Tunnels (2): No More Outbound Control

Page 55: Example: Teredo Tunnels (3): No More Inbound Control

Page 56: L3 Spoofing in IPv6

uRPF (Unicast Reverse Path Forwarding) remains the primary tool for protecting against L3 spoofing (e.g., DoS) in IPv6, just as in IPv4.

Page 57: Transition Mechanism Threats Summary

• Dual Stack: preferred, BUT running dual stack exposes you to the vulnerabilities of both protocols (up to twice as many).
• Tunnels (6to4, etc.) can bypass firewalls / security controls.
• Tunneling mechanisms are susceptible to packet forgery and DDoS attacks.
• Manual tunnels: preferred among tunnels:
  – Filter on tunnel source / destination and use IPsec
  – If the source is spoofed, return traffic is not sent to the attacker
• Dynamic tunnels:
  – 6to4 relay routers are "open relays"
  – ISATAP: potential MITM attacks
  – Attackers can spoof source / destination IPv4 / IPv6 addresses
• Deny packets for transition techniques NOT in use:
  – Deny IPv4 protocol 41 forwarding unless that is exactly what is intended (e.g., you are using 6to4 or another 6in4 tunnel)
  – Deny UDP port 3544 forwarding unless you are using Teredo tunneling

Page 58: Transition Threats Comparison

Dual Stack:
1) Dual-stack = vulnerabilities of v4 + v6.
2) If a FW is NOT configured to apply the same level of screening to IPv6 packets as to IPv4 packets, the FW may let IPv6 pass through to dual-stack hosts.

Tunneling (L3-L4 spoofing in IPv6 with 6to4 tunneling): the 3 main potential problems are:
1. 6to4 routers not being able to identify whether relays are legitimate.
2. Wrong or partially implemented 6to4 router or relay security checks.
3. The 6to4 architecture being used to participate in DoS or reflected DoS, making attacks harder to trace.
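The checks pages 50 to 58 call for at the IPv4 edge (deny protocol 41 and UDP 3544 unless that tunnel type is in use, restrict manual tunnels to configured endpoints, and reject tunnelled packets whose inner 6to4 or ISATAP source does not embed the outer IPv4 source) are implemented below in Python as an added example, not as code from the talk or from any vendor. The allowed-tunnel policy, the endpoint list, the verdict strings and the sample packets are constructed for this example; the address formats (2002:V4ADDR::/48 inside 2002::/16 for 6to4, interface identifier 0200:5efe:V4ADDR or 0000:5efe:V4ADDR for ISATAP, UDP port 3544 for Teredo) are the standard ones.

```python
"""Classify IPv6-in-IPv4 transition traffic at an IPv4 edge and enforce the
6to4 / ISATAP address-consistency checks. Added example; packets are constructed."""
import ipaddress
import struct

PROTO_41 = 41       # IPv6 encapsulated in IPv4: 6to4, ISATAP, configured 6in4
TEREDO_PORT = 3544  # Teredo: IPv6 in UDP


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from an IPv4 packet (options honoured)."""
    ihl = (pkt[0] & 0x0F) * 4
    return (pkt[9], ipaddress.IPv4Address(pkt[12:16]),
            ipaddress.IPv4Address(pkt[16:20]), pkt[ihl:])


def embedded_ipv4(addr6):
    """Return (IPv4Address, kind) for a 6to4 address (2002:V4ADDR::/48) or an
    ISATAP address (interface ID 0200:5efe:V4ADDR / 0000:5efe:V4ADDR), else None."""
    b = addr6.packed
    if b[:2] == b"\x20\x02":
        return ipaddress.IPv4Address(b[2:6]), "6to4"
    if b[8:12] in (b"\x02\x00\x5e\xfe", b"\x00\x00\x5e\xfe"):
        return ipaddress.IPv4Address(b[12:16]), "isatap"
    return None


def classify(pkt, allowed=frozenset(), manual_endpoints=frozenset()):
    """allowed: subset of {"6to4", "isatap", "teredo", "6in4"} in use on this
    network; manual_endpoints: (outer src, outer dst) pairs of configured tunnels."""
    proto, src4, dst4, payload = parse_ipv4(pkt)
    if proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "ACCEPT: teredo" if "teredo" in allowed else "DROP: teredo not in use"
        return "ACCEPT: not a tunnel"
    if proto != PROTO_41:
        return "ACCEPT: not a tunnel"
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return "DROP: protocol 41 without an IPv6 header"
    src6 = ipaddress.IPv6Address(payload[8:24])
    emb = embedded_ipv4(src6)
    if emb is None:
        # Native inner source: only a configured (manual) 6in4 tunnel may carry it
        if "6in4" in allowed and (str(src4), str(dst4)) in manual_endpoints:
            return "ACCEPT: 6in4"
        return "DROP: 6in4 endpoints not configured"
    emb4, kind = emb
    if kind not in allowed:
        return "DROP: %s not in use" % kind
    if emb4 != src4:  # RFC 3964-style consistency check: inner source must match outer
        return "DROP: %s source embeds %s but outer IPv4 source is %s" % (kind, emb4, src4)
    return "ACCEPT: %s" % kind


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left 0). Constructed test data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src6, dst6):
    """Minimal inner IPv6 header with No Next Header (59). Constructed test data."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed)


if __name__ == "__main__":
    six = build_ipv6("2002:c000:020a::1", "2001:db8::1")      # 6to4 for 192.0.2.10
    print(classify(build_ipv4(41, "192.0.2.10", "192.88.99.1", six), {"6to4"}))
    print(classify(build_ipv4(41, "198.51.100.7", "192.88.99.1", six), {"6to4"}))
    teredo = build_ipv4(17, "192.0.2.10", "198.51.100.2", bytes.fromhex("9c400dd800080000"))
    print(classify(teredo))
```

The embedded-address check is the core of the 6to4 security model in RFC 3964: an IPv4 attacker cannot inject traffic with a forged inner 6to4 source unless they can also spoof the outer IPv4 source, which is exactly what uRPF (page 56) is there to stop.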

Page 59: IPv6 Security Techies

Slide 60: IPv6 Security Building Blocks and Protection Techniques

Building blocks:
• Endpoint protection
• Admission control
• Infection containment
• Intelligent correlation & incident response
• IPS & anomaly detection
• Application security & defense

Protection techniques:
• Perimeter protections from the Internet and external entities
• Secure remote-site connectivity with Virtual Private Network (VPN) technologies
• Infrastructure protection measures to ensure a secure network foundation
• Server security to protect the critical IT assets and data
• Client security measures to mitigate the insider threat

Slide 61: IPv6 Security Plan (1)

• Equipment configuration
• Perimeter defense (FW, ACL, IDPS)
• Content filtering
• Mail filtering
• Patch management
• Vulnerability management (scanning)
• Certification & accreditation of the new systems
• AAA (Authentication, Authorization, & Accounting)
• Rogue detection
• Infrastructure protocol security: IPsec

Slide 62: Firewall Security World (2)

Old model:
• Core routers individually secured
• Every router accessible from outside

New model:
• Core routers secured individually
• Routers generally NOT accessible from outside

Slide 63: Enforcing a Security Policy. Example: Cisco IOS IPv6 ACL (2)
[Figure only: the ACL configuration shown on the slide is not recoverable from the page]

Slide 64: Example: Basic IPv6 Packet Filtering (2)
[Figure only]

Slide 65: Example: IPv6 Firewall Feature Set (2)
[Figure only]

Slide 66: Router Security World (3)

Old model:
• Policy enforced at process level (SNMP ACL, etc.)
• Some early features such as ingress ACL used when possible

New model:
• Central policy enforcement, prior to process level
• Granular protection schemes
• On high-end platforms, hardware implementations

Slide 67: IPv6 Routing Header and Preventing Routing Header Attacks (3)

IPv6 Routing Header:
• An extension header, processed by the listed intermediate routers
• 2 types:
– Type 0: similar to IPv4 source routing (multiple intermediate routers); lets an attacker bounce traffic through chosen hops, amplify it between two routers, and bypass address-based filters
– Type 2: used for Mobile IPv6 (carries the mobile node's home address, one hop only)

Preventing routing header attacks:
• Use IPsec to secure routing protocols such as OSPFv3 & RIPng
• Apply the same policy for IPv6 as for IPv4: prevent source-route processing at the intermediate nodes
• At the edge: with an ACL blocking the routing header
• RFC 5095: RH0 is deprecated. By default Cisco routers changed in IOS code version 12.4(15)T to ignore and drop RH0
• Block Routing Header type 0 processing on the router itself: no ipv6 source-route

Caveat: filter on the routing type, not on the mere presence of a routing header. An ACL that drops every routing header also drops type 2 and breaks Mobile IPv6 route optimization where it is in use.
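How a filter distinguishes the two routing-header types in practice, as an added example that is not part of the deck and not Cisco's implementation: it walks the IPv6 extension-header chain (the routing header may sit behind a hop-by-hop or destination-options header, so a check that only looks at the first Next Header value misses it) and applies RFC 5095's rule: RH0 with Segments Left > 0 is discarded, RH0 with Segments Left == 0 is ignored, and type 2 is allowed. Sample packets are constructed inline without checksums.

```python
"""Added example: walk an IPv6 extension-header chain and enforce the routing
header policy from the slide: drop RH0 (RFC 5095), leave type 2 (Mobile IPv6)."""
import ipaddress
import struct

NH_HOPBYHOP, NH_ROUTING, NH_FRAGMENT, NH_DESTOPTS, NH_ICMPV6 = 0, 43, 44, 60, 58
EXTENSION_HEADERS = {NH_HOPBYHOP, NH_ROUTING, NH_FRAGMENT, NH_DESTOPTS}
ALLOWED_ROUTING_TYPES = {2}          # type 2 is needed for Mobile IPv6


def parse_chain(pkt):
    """Return ([(next_header_value, raw_header_bytes), ...], upper_layer_protocol)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    headers = []
    nh, offset = pkt[6], 40
    while nh in EXTENSION_HEADERS:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # The fragment header is a fixed 8 octets; the others carry their length
        # in 8-octet units not counting the first 8 octets.
        hdr_len = 8 if nh == NH_FRAGMENT else (pkt[offset + 1] + 1) * 8
        if offset + hdr_len > len(pkt):
            raise ValueError("extension header runs past end of packet")
        headers.append((nh, pkt[offset:offset + hdr_len]))
        nh, offset = pkt[offset], offset + hdr_len
    return headers, nh


def routing_header_verdict(pkt):
    """RFC 5095: RH0 with Segments Left > 0 is discarded; RH0 with Segments Left
    == 0 is ignored and the packet processed; type 2 (Mobile IPv6) is allowed."""
    headers, _ = parse_chain(pkt)
    for nh, raw in headers:
        if nh != NH_ROUTING:
            continue
        routing_type, segments_left = raw[2], raw[3]
        if routing_type == 0:
            if segments_left > 0:
                return "drop", f"RH0 with {segments_left} segments left"
            return "permit", "RH0 with 0 segments left (ignored)"
        if routing_type in ALLOWED_ROUTING_TYPES:
            return "permit", f"routing type {routing_type} allowed"
        return "drop", f"routing type {routing_type} not allowed"
    return "permit", "no routing header"


def rh0_hops(pkt):
    """List the intermediate addresses an RH0 packet would be bounced through."""
    for nh, raw in parse_chain(pkt)[0]:
        if nh == NH_ROUTING and raw[2] == 0:
            return [str(ipaddress.IPv6Address(raw[i:i + 16])) for i in range(8, len(raw), 16)]
    return []


# ---- constructed sample packets (not captures) ----
def build_routing_header(next_header, routing_type, segments_left, addrs):
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBBBI", next_header, len(body) // 8, routing_type, segments_left, 0) + body


def build_ipv6(src, dst, next_header, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


ECHO_REQUEST = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)
HOP_BY_HOP = struct.pack("!BB6s", NH_ROUTING, 0, b"\x01\x04\x00\x00\x00\x00")  # PadN option

# attacker hides RH0 behind a hop-by-hop header and bounces the packet via ::20 to ::1
SAMPLE_RH0 = build_ipv6("2001:db8:bad::1", "2001:db8::10", NH_HOPBYHOP,
                        HOP_BY_HOP + build_routing_header(NH_ICMPV6, 0, 2, ["2001:db8::20", "2001:db8::1"])
                        + ECHO_REQUEST)
# Mobile IPv6 correspondent -> mobile node: type 2, one home address, one segment left
SAMPLE_RH2 = build_ipv6("2001:db8::5", "2001:db8:c0a::1", NH_ROUTING,
                        build_routing_header(NH_ICMPV6, 2, 1, ["2001:db8:1::1"]) + ECHO_REQUEST)
SAMPLE_PLAIN = build_ipv6("2001:db8::5", "2001:db8::1", NH_ICMPV6, ECHO_REQUEST)

if __name__ == "__main__":
    for name, pkt in [("rh0", SAMPLE_RH0), ("rh2", SAMPLE_RH2), ("plain", SAMPLE_PLAIN)]:
        print(name, routing_header_verdict(pkt), rh0_hops(pkt))
```

The hop list returned by `rh0_hops` is what you would log when an RH0 packet is dropped at the edge: it names the hosts the attacker was trying to bounce through.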

Slide 68: ICMPv6 & Other Related Security Implications (4)

ICMPv6 is essential to IPv6 & dual-stack network functioning: it reports errors if packets can NOT be processed properly & sends informational messages about the status of the network.

ICMPv4 vs. ICMPv6: in IPv6, neighbor discovery, address auto-configuration and Path MTU discovery all run over ICMPv6 => the ICMP policy on the FW needs to change (a blanket "deny ICMP" breaks IPv6).

Slide 69: Generic ICMPv4 Border FW Policy and the Equivalent ICMPv6 Policy (4)
[Table only in the original; its contents are not recoverable from the page]

Slide 70: Potential Additional ICMPv6 Messages (4)
[Table only in the original; its contents are not recoverable from the page]

Slide 71: ICMPv6 Neighbor Discovery

If A needs the MAC of B, it sends an ICMPv6 Neighbor Solicitation (NS) to the solicited-node multicast address derived from B's address (ff02::1:ffxx:xxxx).
B sees the request and responds to A with an ICMPv6 Neighbor Advertisement (NA) carrying its MAC address.
=> Like ARP, but anybody on the link can answer the request (or send an unsolicited NA), so neighbor caches can be poisoned just as with ARP spoofing.

Slide 72: ICMPv6 Duplicate Address Detection (DAD)

If A sets a new IP address, it performs the Duplicate Address Detection (DAD) check to see whether anybody already uses the address.
Anybody can respond to the DAD checks...
=> dos-new-ip6 (THC-IPv6) answers every DAD probe and prevents new systems from joining the LAN

Slide 73: ICMPv6 Stateless Auto-Configuration

Routers send periodic (& solicited) Router Advertisements (RA) to the All-Nodes multicast address (ff02::1).
Clients configure their default router and network prefix from the advertisements => like a DHCP-light in IPv4.
Anyone on the link can send Router Advertisements! A rogue RA can make the attacker the default router (MITM) or hand out a bogus prefix (DoS).

Slide 74: ICMPv6 & Other Related Security Implications (4): DHCPv6 Threats and Mitigation

Threats:
• Rogue devices on the network giving misleading information or consuming resources (DoS)
– Rogue DHCPv6 clients and servers on the link-local multicast address (FF02::1:2): same threat as IPv4
– Rogue DHCPv6 servers on the site-local multicast address (FF05::1:3): new threat in IPv6
• Scanning possible if leased addresses are consecutive

Mitigation:
• Rogue clients & servers can be mitigated by using the authentication option in DHCPv6
• A port ACL can block DHCPv6 server-to-client traffic from client ports:
deny udp any eq 547 any eq 546
• Cisco Network Registrar (DHCPv6 server):
– Leased addresses are random => scanning difficult
– Can also lease temporary addresses (like the privacy extension)
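The two access-port mitigations from slides 73 and 74, rogue-RA filtering (what switch vendors call RA Guard) and the DHCPv6 port ACL above, as one added example that is not part of the deck and not any vendor's implementation. It parses constructed Ethernet/IPv6 frames arriving on an untrusted port, permits Router Advertisements only from a configured list of router MACs that also satisfy RFC 4861's link-local-source and hop-limit-255 rules, drops DHCPv6 server messages (UDP 547 to 546) from client ports, and, as a deliberate simplification, drops any packet that carries extension headers rather than walking them (hiding an RA behind a fragment or hop-by-hop header is the RA Guard evasion RFC 7113 warns about). Checksums are not computed; `TRUSTED` and the MAC addresses are hypothetical.

```python
"""Added example: access-port filter in the spirit of RA Guard plus the DHCPv6
port ACL on the slide (deny udp any eq 547 any eq 546).  Frames are constructed,
checksums are not computed, and packets with extension headers are dropped rather
than parsed (the evasion technique RFC 7113 warns about)."""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
NH_ICMPV6, NH_UDP = 58, 17
EXTENSION_HEADERS = {0, 43, 44, 60}          # hop-by-hop, routing, fragment, dest-opts
ICMPV6_ROUTER_ADVERTISEMENT = 134
DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT = 547, 546
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def parse_frame(frame):
    """Return the fields the filter needs, or None for non-IPv6 frames."""
    if len(frame) < 14 + 40:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV6:
        return None
    ip = frame[14:]
    return {
        "src_mac": src_mac,
        "next_header": ip[6],
        "hop_limit": ip[7],
        "src": ipaddress.IPv6Address(ip[8:24]),
        "upper": ip[40:],
    }


def access_port_verdict(frame, trusted_router_macs=frozenset()):
    """Decide whether a frame received on an untrusted (client) port is forwarded."""
    p = parse_frame(frame)
    if p is None:
        return "permit", "not IPv6"
    if p["next_header"] in EXTENSION_HEADERS:
        return "drop", "extension header chain on untrusted port"
    if p["next_header"] == NH_ICMPV6 and len(p["upper"]) >= 1 \
            and p["upper"][0] == ICMPV6_ROUTER_ADVERTISEMENT:
        # RFC 4861: ND messages come from a link-local source with hop limit 255,
        # so anything else was either forwarded or crafted.
        if (p["src_mac"] in trusted_router_macs and p["src"] in LINK_LOCAL
                and p["hop_limit"] == 255):
            return "permit", "RA from trusted router"
        return "drop", "rogue or malformed router advertisement"
    if p["next_header"] == NH_UDP and len(p["upper"]) >= 4:
        sport, dport = struct.unpack("!HH", p["upper"][:4])
        if sport == DHCPV6_SERVER_PORT and dport == DHCPV6_CLIENT_PORT:
            return "drop", "DHCPv6 server message from client port"
    return "permit", "ok"


# ---- constructed sample frames (not captures) ----
def build_frame(src_mac, src, dst, next_header, hop_limit, upper):
    ip = struct.pack("!IHBB16s16s", 0x60000000, len(upper), next_header, hop_limit,
                     ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return struct.pack("!6s6sH", b"\x33\x33\x00\x00\x00\x01", src_mac, ETHERTYPE_IPV6) + ip + upper


ROUTER_MAC = b"\x00\x11\x22\x33\x44\x55"      # hypothetical legitimate router
ROGUE_MAC = b"\xde\xad\xbe\xef\x00\x01"       # hypothetical attacker host
TRUSTED = frozenset({ROUTER_MAC})
# RA: type 134, code, checksum, cur hop limit 64, flags, router lifetime 1800, reachable, retrans
RA_BODY = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
DHCPV6_REPLY = struct.pack("!HHHH", DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT, 12, 0) + b"\x07\x00\x00\x01"
DHCPV6_SOLICIT = struct.pack("!HHHH", DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT, 12, 0) + b"\x01\x00\x00\x01"

RA_GOOD = build_frame(ROUTER_MAC, "fe80::211:22ff:fe33:4455", "ff02::1", NH_ICMPV6, 255, RA_BODY)
RA_ROGUE = build_frame(ROGUE_MAC, "fe80::dcad:beff:feef:1", "ff02::1", NH_ICMPV6, 255, RA_BODY)
RA_BAD_HOP_LIMIT = build_frame(ROUTER_MAC, "fe80::211:22ff:fe33:4455", "ff02::1", NH_ICMPV6, 64, RA_BODY)
RA_BEHIND_HOPBYHOP = build_frame(ROGUE_MAC, "fe80::dcad:beff:feef:1", "ff02::1", 0, 255,
                                 struct.pack("!BB6s", NH_ICMPV6, 0, b"\x01\x04\x00\x00\x00\x00") + RA_BODY)
ROGUE_DHCPV6_REPLY = build_frame(ROGUE_MAC, "fe80::dcad:beff:feef:1", "fe80::1", NH_UDP, 64, DHCPV6_REPLY)
CLIENT_SOLICIT = build_frame(ROGUE_MAC, "fe80::dcad:beff:feef:1", "ff02::1:2", NH_UDP, 64, DHCPV6_SOLICIT)

if __name__ == "__main__":
    for name, frame in [("ra good", RA_GOOD), ("ra rogue", RA_ROGUE), ("ra hop64", RA_BAD_HOP_LIMIT),
                        ("ra hidden", RA_BEHIND_HOPBYHOP), ("dhcp reply", ROGUE_DHCPV6_REPLY),
                        ("solicit", CLIENT_SOLICIT)]:
        print(f"{name:11} {access_port_verdict(frame, TRUSTED)}")
```

A client's own DHCPv6 Solicit (546 to 547) still passes, which is the point of filtering on the port pair rather than on the protocol: clients keep working, only server-role traffic is refused on client ports.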

Slides 75 to 77: A MUST: Good IPsec Policy (5)

The deck lists the same parameter set for the host-to-host (H2H) scenarios A and B, the gateway-to-gateway (G2G) scenarios C and D, and the host-to-gateway / gateway-to-host (H2G + G2H) scenario E:

• IKE Phase 1 (ISAKMP):
– 3DES
– Lifetime
– SHA-1
– DH Group 2 (MODP)
• IKE Phase 2 (IPsec):
– 3DES
– Lifetime
– SHA-1
– PFS
– DH Group 2 (MODP)

Caveat: these were mainstream parameters in 2011 but no longer qualify as a "good" policy. 3DES (64-bit block size), SHA-1 and 1024-bit MODP (DH group 2) are all deprecated; a current policy uses AES (GCM, or CBC with an SHA-2 integrity algorithm), DH group 14 or larger (or the ECDH groups 19/20), IKEv2, and keeps PFS and bounded lifetimes.

Slide 78: Some IPv6 Security Tools (6)

Sniffers / packet capture: Snort, Sun Solaris snoop, COLD, Wireshark, Analyzer, Windump, WinPcap, TCPdump
Scanners: IPv6 security scanner, Halfscan6, Nmap, Strobe, Netcat
Packet forgers: Scapy6, Packit, Spak6, SendIP
DoS tools: 6tunneldos, 4to6ddos, Imps6-tools
THC-IPv6 attack toolkit: http://www.thc.org/thc-ipv6

Slide 79: Some IPv6 Security Tools (6): THC-IPv6 (http://www.thc.org/thc-ipv6)

Tool: Usage
alive6: Find all local IPv6 systems, check aliveness of remote systems
parasite6: ICMPv6 neighbor spoofer for man-in-the-middle attacks
redir6: Redirect traffic to your system on a LAN
fake_router6: Fake a router, implant routes, become the default router, ...
detect-new-ip6: Detect new IPv6 systems on the LAN, automatically launch a script
dos-new-ip6: Deny any new IPv6 system access to the LAN (DAD spoofing)
smurf6: Local smurf tool (attack your own LAN)
rsmurf6: Remote smurf tool (attack a remote LAN)
toobig6: Reduce the MTU of a target
fake_mld6: Play around with Multicast Listener Discovery reports
fake_mipv6: Reroute Mobile IPv6 nodes where you want them if no IPsec is required
sendpees6: Neighbor solicitations with lots of CGAs (keeps the target's CPU busy verifying SEND signatures)
Protocol tester: Various tests
TCPdump: Dumps traffic on IPv6 networks

Slide 80: Some IPv6 Security Tools (6)

Tool: Usage
IPTrap: Listens on several TCP ports to simulate fake services (X11, NetBIOS, DNS, etc.). When a remote client connects to one of these ports, its IP gets immediately firewalled & an alert is logged. It runs with iptables and ipchains, but any external script can also be launched. IPv6 is supported.
AESOP: A TCP proxy that supports many advanced and powerful features. Aesop uses strong cryptography for all its data transmission up to the end link. Aesop proxies can also be transparently stacked into a secure chain. Aesop supports IPv6 and can be used as a secure IPv4-to-IPv6 tunnel for TCP connections. Aesop is implemented using multiplexing and is therefore fast and lightweight.
Netstat: Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IPv4 routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), the IPv6 routing table, & IPv6 statistics (for IPv6, ICMPv6, TCP over IPv6, & UDP over IPv6).
SendIP: For sending arbitrary IP packets.
COLD: A network monitoring & protocol analyzing tool which allows you to study, maintain & troubleshoot networks by extracting flowing data & printing out the contents & structure.

Slide 81: Some IPv6 Security Tools (6)

Tool: Usage
Nmap: The command syntax is the same as for v4 except that you also add the -6 option. To perform an IPv6 scan, both the source (your host) & the target of the scan must be configured for IPv6: each must have an IPv6 address & routing information. Use IPv6 syntax if specifying an address rather than a hostname; an address might look like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are recommended. If your ISP (like most of them at the time) does not allocate IPv6 addresses, free tunnel brokers are widely available and work fine with Nmap, e.g. the free IPv6 tunnel broker service at http://www.tunnelbroker.net; 6to4 tunnels are another popular, free approach. The scan output looks the same as with IPv4, the IPv6 address on the "Interesting ports" line being the only giveaway.
CH Scanner: An ARP, IPv4 & IPv6 network scanner with 31 scan methods: it scans for open ports, protocols, NetBIOS information & Windows shares, SNMP information, & WMI (WBEM) information. It also has the ability to turn on (using Wake-On-LAN) & to shut down or reboot a remote Windows host. Features an automatic (scriptable) working mode, a hunt mode, a passive mode & a normal scanning mode.
Hyenae: Allows you to reproduce low-level Ethernet attack scenarios (such as MITM & DDoS) to reveal the potential security vulnerabilities in a network.

Slide 82: Some IPv6 Security Tools (6): THC-IPv6 (http://www.thc.org/thc-ipv6)

Tool: Usage
alive6: Find all local IPv6 systems & check aliveness of remote systems
• For local / remote unicast targets, & local multicast addresses
• Sends three different types of packets:
– ICMPv6 Echo Request
– IPv6 packet with unknown header
– IPv6 packet with unknown hop-by-hop option

Routing header attack (like IPv4 source routing): use alive6 to check whether routing headers are allowed to the target:
1. Check if your ISP does ingress filtering: send a packet from yourself to yourself via a remote system:
alive6 eth0 YOUR-IP VICTIM-IP
2. Find all servers in the world for an anycast address: send packets to the anycast address via several remote systems:
alive6 eth0 AnyCastAddr VICTIM-IP1; alive6 eth0 AnyCastAddr VICTIM-IP2; ... etc.

Slide 83: Some IPv6 Security Tools (6): THC-IPv6 (http://www.thc.org/thc-ipv6)

Tool: Usage
redir6: Redirect traffic to your system on a LAN

Route implanting with ICMPv6 Redirects:
1. (A)ttacker sends an Echo Request: source: (T)arget, destination: (V)ictim
2. (V)ictim receives the Echo Request and sends a Reply to (T); steps 1 and 2 make the victim emit a packet to T that the forged Redirect can quote
3. (A)ttacker crafts a Redirect: source: (R)outer, destination: (V)ictim; it redirects all traffic for (T) to (A)

Slide 84: Some IPv6 Security Tools (6): THC-IPv6 (http://www.thc.org/thc-ipv6)

Tool: Usage
smurf6: Local smurf tool (attack your own LAN)
• Source is the target, destination is a local multicast address
• Generates lots of local traffic that is sent to the source

rsmurf6: Remote smurf tool (attack a remote LAN)
• Source is the local All-Nodes multicast address, destination is our target
• If the target has a mis-implemented IPv6 stack, it responds with an Echo Reply to the All-Nodes multicast address

fake_mipv6: Reroute Mobile IPv6 nodes where you want them if no IPsec is required
• The protocol specification is secure because IPsec is mandatory
• All implementations have the option to disable the IPsec requirement
• If this is done, use fake_mipv6 to redirect traffic for any Mobile IPv6 node to a destination of your choice

Slide 85: Some IPsec Tools (7)

Tool: Usage (Publisher)
IPSec Diagnostic Tool 1.0: Assists network administrators with troubleshooting network-related failures; applicable on Windows XP, Windows Server 2003, Windows Vista & Windows Server 2008. (www.microsoft.com)
IPSecuritas 3.3: A client for Mac OS X. It supports virtually every available IPsec-compliant firewall, allowing you to connect safely to your office or home network from any location. (www.lobotomo.com)
IPSecScan 1.1: Scans either a single IP address or a range of IP addresses looking for systems that are IPsec enabled. (www.ntsecurity.nu)
IPSec VPN Client 4.70.001: Compliant with most popular VPN gateways, allowing fast integration in existing networks. Full IPsec standards, full IKE NAT traversal, IP address emulation, strong encryption (X.509, AES, ...), strong authentication mechanisms, high performance, no system overhead, DNS and WINS resolution supported, operates as a service (allowing use on unattended servers), accepts incoming IPsec tunnels, optional 'IPsec only' traffic filtering. (www.thegreenbow.com)
IPSec-Tools 0.8.0: A port of KAME's IPsec utilities to the Linux 2.6 IPsec implementation. It supports NetBSD and FreeBSD as well. (www.sourceforge.net)

Slide 86: IPv6 Security Road-Map & How-To Wrap-up (section divider)

Slide 87: IPv6 is NO more secure than IPv4 if we do NOT:

• Close the IPv6 security knowledge gap: training!
• Have an understood & enforced IPv6 security plan
• Configure the security parameters (merely turning a security feature on is NOT enough)
• Allow for full IPsec + use IPsec to secure OSPFv3 & RIPng
• Apply ingress / egress IPv6 filtering at the perimeter
• Use manual tunnels instead of dynamic tunnels
• Configure routers / switches to disable unneeded IPv6 tunnels
• Filter internal-use IPv6 (ULA, link-local) at the enterprise border routers
• Filter ICMPv6 & determine which ICMPv6 messages are required
• Use IPv6 network protection tools & enable IPv6 IDS / IPS
• Drop all non-final fragments smaller than 1280 octets (the IPv6 minimum MTU; tiny fragments are used to evade inspection)
• Use cryptographic protections where critical
• Use static neighbor entries for critical systems
• Use IPv6 hop limits to protect network devices (e.g. accept ND only with hop limit 255)
• Keep separate routing registry entries for IPv4 and IPv6

Slide 88: IPv6 Security Issues To Be Kept In Mind! OSI Layers & IPv6 Security Issues
[Figure only: the per-layer diagram is not recoverable from the page]

Slide 89: IPv6 Security Issues To Be Kept In Mind! IPv6 Defenses

Defense: Used for
SEND (Secure Neighbor Discovery): a security extension of the Neighbor Discovery Protocol (NDP) in IPv6. NDP replaces IPv4 ARP and is responsible for discovery of other nodes on the link, determining the link-layer addresses of other nodes, finding available routers, and maintaining reachability information about the paths to other active neighbor nodes. SEND signs ND messages so that the NA/RA spoofing attacks of slides 71 to 73 fail.
CGA (Cryptographically Generated Address): a method for binding a public signature key to an IPv6 address in SEND; the interface identifier is derived from a hash of the public key, so only the key holder can prove ownership of the address.
ULAs (Unique Local Addresses): IPv6 addresses in the block fc00::/7 defined in RFC 4193. They are meant for systems that are NOT connected to the Internet, or for internal traffic that must never leave the site. They are not a security boundary by themselves: ULA prefixes still have to be filtered at the border in both directions.
IPsec: IPsec with Authentication Header (AH) & Encapsulating Security Payload (ESP) authenticates the sender, so packets with a spoofed source address fail the integrity check and can be discarded and attributed. This blunts spoofing-based DoS/DDoS against IPv6 hosts, but it does not stop volumetric flooding (the packets must still be received and checked) and the IKE negotiation itself needs protection (IKEv2 cookies) against resource-exhaustion attacks.

Slide 90: Two MUSTs

A MUST: Avoid IPv6 tunneling
• 6to4 does NOT support source address filtering
• Teredo = holes into the NAT device
• Any tunneling mechanism may be prone to spoofing
• With any tunneling mechanism you trust the relay servers

A MUST: IPv6 FW policies
• Do NOT just reuse your IPv4 FW rules for IPv6
• Do NOT just allow IPsec or IPv4 protocol 41 through the FW
• On networks that are IPv4-only, block all IPv6 traffic
• Procure a FW with IPv6 policy support
• Look for vendor support of extension headers
• The FW should have granular filtering of ICMPv6 & multicast
• Layer-2 FWs are trickier with IPv6 because of the ICMPv6 ND / NS / RA / RS messages

Slide 91: Some IPv6 Security Recommendations (1): If NOT deploying IPv6 completely

1. Block all IPv6 traffic, native & tunneled, at the organization's FW. Both incoming & outgoing traffic should be blocked.
2. Disable all IPv6-capable ports, protocols & services on all software and hardware.
3. Begin to acquire familiarity and expertise with IPv6, through laboratory experimentation and/or limited pilot deployments.
4. Make organization web servers located outside of the organizational FW accessible via IPv6 connections. This will enable IPv6-only users to access the servers & aid the organization in acquiring familiarity with some aspects of IPv6 deployment.

Slide 92: Some IPv6 Security Recommendations (2): If deploying IPv6

• Apply an appropriate mix of different types of IPv6 addressing (privacy addressing, ULA, etc.) to limit access to & knowledge of IPv6-addressed environments. Leverage IPsec to secure IPv6 when suitable.
• Use automated address management tools to avoid manual entry of IPv6 addresses, which is prone to error because of their length.
• Develop an ICMPv6 filtering policy. Ensure that ICMPv6 messages that are essential to IPv6 operation are allowed, but others are blocked.
• Use IPsec to authenticate & provide confidentiality to critical assets.
• Enable controls that might not have been used in IPv4 due to a lower threat level during initial deployment (implementing default-deny access control policies, implementing routing protocol security, etc.).
• Pay close attention to the security aspects of transition (tunneling, etc.).
• Ensure that IPv6 routers, packet filters, firewalls, and tunnel endpoints enforce multicast scope boundaries and make sure that Multicast Listener Discovery (MLD) packets are not inappropriately routable.

Slide 93: Some IPv6 Simple Best Security Practices

• Always null-route unused address space within your network: if you have prefixes you know are unused, route them towards null0 on your routers.
• Enable port security & limit the number of MACs on customer ports.
• Always filter ingress traffic from customers with uRPF or ACLs.
• Authenticate ALL of your network protocols.
• ALWAYS ENCRYPT YOUR MANAGEMENT TRAFFIC!
• Filter BGP sessions ingress and egress.
• Set maximum-prefix / prefix-limit on BGP sessions (including customers, transits, and peers).
• Give high priority to network control traffic.
• Ideally, have an out-of-band management path to all POPs.
• Restrict DHCP & Router Advertisements on customer ports.
• Separate customers into separate VLANs if you can.
• Monitor critical network element resources, e.g. memory, bandwidth, etc.
• Keep patching up to date.
• Have a security plan that includes incident management processes: identify who, what, and how; practice and test the plan; make sure you know how to reach your peers and transit providers, and how their security plans work!

Slide 94: IPv6 Compliance: Mandatory Support. Check IPv6-Ready Compliance Requirements (1)
Network security: firewalls, IDS, IPS, etc.

Standard: RFC
IPv6 basic specification: RFC 2460
IPv6 addressing architecture: RFC 4291
Default address selection: RFC 3484
ICMPv6: RFC 4443
SLAAC: RFC 4862
Router-Alert option: RFC 2711
Path MTU discovery: RFC 1981
Neighbor Discovery: RFC 4861
BGP-4 multiprotocol extensions (IPv6 NLRI): RFC 4760
OSPFv3 authentication & confidentiality with IPsec: RFC 4552
RIPng: RFC 2080
IS-IS for IPv6: RFC 5308
Support for QoS (per-hop behavior identification codes): RFC 3140
Basic transition mechanisms for IPv6 hosts and routers: RFC 4213
Using IPsec to secure IPv6-in-IPv4 tunnels: RFC 4891

Slide 95: IPv6 Compliance: Mandatory Support. Check IPv6-Ready Compliance Requirements (2)
Router / Layer 3 switch

Standard: RFC
IPv6 basic specification: RFC 2460
IPv6 addressing architecture: RFC 4291
Default address selection: RFC 3484
ICMPv6: RFC 4443
SLAAC: RFC 4862
MLDv2 snooping: RFC 4541
Router-Alert option: RFC 2711
Path MTU discovery: RFC 1981
Neighbor Discovery: RFC 4861
Classless Inter-Domain Routing: RFC 4632
Dynamic Interior Gateway Protocol (IGP), RIPng: RFC 2080
OSPFv3: RFC 5340
IS-IS for IPv6: RFC 5308
BGP-4 for IPv6 (multiprotocol extensions for IPv6 inter-domain routing): RFC 2545
Support for QoS (per-hop behavior identification codes): RFC 3140
Basic transition mechanisms for IPv6 hosts and routers: RFC 4213
Using IPsec to secure IPv6-in-IPv4 tunnels: RFC 4891
Generic packet tunneling in IPv6: RFC 2473
Mobile IPv6 (MIPv6) operation with IKEv2: RFC 4877
MPLS functionality (6PE, IPv6 over an IPv4 MPLS core): RFC 4798
Layer-3 VPN functionality (IPv6 VPN over BGP/MPLS): RFC 4659
Multi-topology IS-IS (listed on the slide as MPLS traffic engineering): RFC 5120

Slide 96: IPv6 Compliance: Mandatory Support. Check IPv6-Ready Compliance Requirements (3)
Host: client / server

Standard: RFC
IPv6 basic specification: RFC 2460
IPv6 addressing architecture: RFC 4291
Default address selection: RFC 3484
ICMPv6: RFC 4443
DHCPv6 client: RFC 3315
SLAAC: RFC 4862
Path MTU discovery: RFC 1981
Neighbor Discovery: RFC 4861
Basic transition mechanisms for IPv6 hosts and routers: RFC 4213
IPsec ESP (the slide's "IPsec-v2"): RFC 2406
IKE version 2 (IKEv2) clarifications and implementation guidelines: RFC 4718
Mobile IPv6 (MIPv6) operation with IKEv2: RFC 4877
DNS protocol extensions for incorporating IPv6 DNS resource records (AAAA): RFC 3596
DNS message extension mechanism (EDNS0): RFC 2671
DNS message size requirements: RFC 3226

Slide 97: IPv6 Compliance: Mandatory Support. Check IPv6-Ready Compliance Requirements (4)
Layer 2 switch

Standard: RFC
MLDv2 snooping: RFC 4541
DHCPv6 snooping (DHCPv6 itself is RFC 3315)
Router Advertisement (RA) filtering (the slide cites RFC 5006, the RDNSS option in RAs; RA Guard is specified in RFC 6105)
Dynamic IPv6 NA / NS inspection: RFC 4861
Neighbor Unreachability Detection (NUD): RFC 4861
Duplicate Address Detection (the slide cites RFC 4429, Optimistic DAD; DAD itself is part of RFC 4862)

IPv6 support in software: all software must support IPv4 and IPv6 and be able to communicate over both types of networks. If software includes network parameters in its local or remote server settings, it should also support configuration of IPv6 parameters. Functionality must not differ significantly between IPv4 and IPv6: the user should not experience any significant difference when software is communicating over IPv4 or IPv6.

Caveat for anyone reusing these lists in a procurement document: several of the RFCs have since been obsoleted (2460 by 8200, 3484 by 6724, 1981 by 8201, 3315 by 8415, 2406 by 4303, 4718 and the original IKEv2 by 7296, 2671 by 6891); cite the current version.

Slide 99: So: Is IPv6 More Secure? Yes & No!

Yes:
• IPsec (authentication + encryption)
• Secure Neighbor Discovery (SEND)
• Cryptographically Generated Addresses (CGA)
• Unique Local Addresses (ULAs)
• Privacy addresses

No:
• Automated tunneling
• Neighbor Discovery & auto-configuration
• End-to-end model
• Newness & complexity
• Lack of guidance, policy & training
• Tool usage (attack toolkits such as THC-IPv6 are readily available)


Slide 101: IPv6 Security Issues Are Evolving & In Continuous Progress... Stay Tuned!