IPv6 Security Challenges: TechNet Augusta 2015

IPv6 Security Implications. Eric Oosting, VP, Core Routing Practice, [email protected], +1-404-941-6678. Network Utility Force LLC, 15 Wieuca Trace Northeast, Atlanta, Georgia, 30342, +1-404-635-6667, [email protected]. © 2012, Network Utility Force LLC. Company confidential information, transmittal to third parties by prior permission only.

Upload: afcea-international

Post on 15-Apr-2017


Category:

Technology



TRANSCRIPT

Page 1: IPv6 Security Challenges: TechNet Augusta 2015

Network Utility Force LLC, 15 Wieuca Trace Northeast, Atlanta, Georgia, 30342 -- +1-404-635-6667 -- [email protected] © 2012, Network Utility Force LLC Companyconfidential information, transmittal to third parties by prior permission only


IPv6 Security Implications

Eric Oosting, VP, Core Routing Practice

[email protected] +1-404-941-6678

Page 2: IPv6 Security Challenges: TechNet Augusta 2015

IPv4 and IPv6: Brief History
• Internet Protocol version 4
  – 1978: Developed for ARPANET
  – 4 billion addresses
  – Allocation based on documented need
  – Deployed globally and well entrenched
• Internet Protocol version 6
  – The IETF forecast IPv4 depletion between 2010 and 2017
  – 1996: IPv6 design begins
  – 340 undecillion addresses
  – 1999: Completed, tested, and available
  – Management and use similar to IPv4
  – Today: the IPv4 address pool is already depleted for many RIRs as of 2014


Page 3: IPv6 Security Challenges: TechNet Augusta 2015

The Case for IPv6: Limitations of IPv4
• IPv4 address space exhaustion
• Exponential Internet growth
• Requirement for security at the IP level
• Need for simpler configuration
• Support for real-time delivery of data

Exponential Internet Growth
• Internet users / PCs
• Emerging populations, geopolitics and address space
• PDAs, tablets, notepads, …
• Mobile phones
• Transportation: planes, cars
• Consumer devices
• Billions of home and industrial appliances

Page 4: IPv6 Security Challenges: TechNet Augusta 2015

Interim Solutions...
• Drop address classes A, B, and C
• Assign addresses in power-of-two chunks
• Assign several Class C addresses instead of one Class B address
• Assign providers large contiguous address blocks to be used for customers
• Advertise chunks instead of individual address assignments

Conservation Efforts
• PPP / DHCP address sharing
• CIDR (classless inter-domain routing)
• NAT (network address translation)
• Address reclamation

Page 5: IPv6 Security Challenges: TechNet Augusta 2015

Deployment Benefits
• Chance to eliminate some complexity in the IP header
• Improve per-hop processing
• Chance to upgrade functionality: multicast, QoS, mobility
• Chance to include new features
• Binding updates (Mobile IPv6)


Page 6: IPv6 Security Challenges: TechNet Augusta 2015

IPv6 Features
• Larger address space
• Simplified header format
• Stateless and stateful address configuration
• QoS:
  – Hierarchical architecture for prioritized delivery
  – Integrated Services (IntServ), Differentiated Services (DiffServ)
• IPsec header support (mandatory in the original specification; see the IPsec myth later in this deck)
• Multicast interaction
• Support for mobility
• Extensibility


Page 7: IPv6 Security Challenges: TechNet Augusta 2015


IPv4 vs IPv6

Property               IPv4                                   IPv6
Length in bits         32                                     128
Number of addresses    2^32 = 4,294,967,296                   2^128 = 340,282,366,920,939,463,374,607,431,768,211,456
Address format         Dotted decimal (192.168.100.1)         Hexadecimal, colon-separated (2001:db8::1)
Dynamic addressing     DHCP                                   SLAAC / DHCPv6
IPsec                  Optional                               Mandatory (in the original specification)
Header length          Variable                               Fixed (40 bytes)
Minimum packet size    576 bytes (reassembly buffer; may be fragmented)   1280 bytes (minimum link MTU)
Header checksum        Yes                                    No
Header options         Yes                                    No (extension headers instead)
Flow identification    No                                     Flow Label field

Page 8: IPv6 Security Challenges: TechNet Augusta 2015

Packet Structure

IPv6 Format and Header


Diagram: IPv6 Packet = IPv6 Header + Extension Headers + Payload (upper-layer protocol data unit)

Page 9: IPv6 Security Challenges: TechNet Augusta 2015

Chain of Pointers from Next Header


Example 1: IPv6 Header (Next Header = 6, TCP) -> TCP Segment

Example 2: IPv6 Header (Next Header = 43, Routing) -> Routing Header (Next Header = 6, TCP) -> TCP Segment

Example 3: IPv6 Header (Next Header = 43, Routing) -> Routing Header (Next Header = 51, AH) -> Authentication Header (Next Header = 6, TCP) -> TCP Segment

Page 10: IPv6 Security Challenges: TechNet Augusta 2015

IPv6 Fragmentation
Only the sending node fragments an IPv6 packet; routers never fragment in transit (an oversized packet is dropped and an ICMPv6 Packet Too Big is returned). The original datagram is broken into two pieces:
• Unfragmentable part
  – The main header of the original datagram plus any extension headers that must be present in each fragment: Hop-by-Hop Options, Destination Options (for options processed by devices along the route) and Routing
  – Copied into every fragment
• Fragmentable part
  – The data portion of the datagram plus the remaining extension headers, if present: Authentication Header, Encapsulating Security Payload and/or Destination Options (for options processed only by the final destination)
  – Split up among the fragments

Page 11: IPv6 Security Challenges: TechNet Augusta 2015

IPv6 Fragmentation


Diagram: Original IPv6 Packet = Unfragmentable part + Fragmentable part. Each fragment (first, second, third) = Unfragmentable part + Fragment Header + one piece of the fragmentable part.

Page 12: IPv6 Security Challenges: TechNet Augusta 2015

Interface ID
• An IPv6 unicast address has two parts:
  – 64-bit network prefix (routing prefix and subnet ID) used for routing
  – 64-bit interface identifier (IID) that identifies a host's network interface; it is the lowest-order 64 bits of the address
• The IID is commonly derived from an EUI-64 address and must be unique within the subnet prefix
• Combined with the network prefix it yields the interface's IPv6 address
• IID assignment options:
  – Auto-configured from a 64-bit EUI-64, expanded from a 48-bit MAC address (e.g., an Ethernet address)
  – Auto-generated pseudo-random number (introduced to address the privacy concerns of MAC-derived IIDs)
  – Assigned via DHCPv6
  – Manually configured

Page 13: IPv6 Security Challenges: TechNet Augusta 2015


Converting MAC to EUI-64 (worked on the slide's example address)

  IEEE 802 48-bit MAC:          00 22 b0 | 75 b5 99
  Insert 0xfffe in the middle:  00 22 b0 ff fe 75 b5 99    (IEEE EUI-64)
  Invert the U/L bit:           02 22 b0 ff fe 75 b5 99    (modified EUI-64, used as the IPv6 interface ID)

The U/L bit is bit 1 of the first octet (0000 00X0). IEEE uses X = 0 for a universally administered (burned-in) address; the modified EUI-64 format used by IPv6 inverts that bit, so a burned-in MAC yields X = 1 and a locally administered MAC yields X = 0.

• Split the MAC address
  – First three octets of the MAC: Company-ID (OUI)
  – Last three octets of the MAC: Node-ID
• 0xfffe is inserted between Company-ID and Node-ID
• The Universal/Local bit (U/L bit) is inverted, so a globally unique MAC ends up with a U/L bit of 1
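The conversion above in code, as an added example that is not part of the original slides. It builds the modified EUI-64 interface ID from the slide's MAC (00:22:b0:75:b5:99), combines it with a /64 prefix the way SLAAC does, and, the part that matters for security, reverses the process to recover the MAC from an EUI-64 address seen in a log or a scan. The prefix 2001:db8:1:2::/64 is an assumed documentation prefix.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> str:
    """Derive the modified EUI-64 interface identifier from a 48-bit MAC.

    Steps from the slide: split the MAC into the 24-bit company ID and the
    24-bit node ID, insert 0xfffe between them, then invert the
    universal/local bit (bit 1 of the first octet). A universally
    administered (burned-in) MAC therefore yields an IID with that bit set.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the u/l bit: 0x00 -> 0x02 for a burned-in MAC
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:04x}" for i in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 IID, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    iid = bytes.fromhex(mac_to_modified_eui64(mac).replace(":", ""))
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def eui64_to_mac(address: str):
    """Reverse the process: recover the MAC from an EUI-64-derived address.

    Returns None when the IID does not carry the 0xfffe marker, i.e. the
    address is probably a privacy, DHCPv6 or manually assigned one.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the u/l bit inversion
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00:22:b0:75:b5:99"          # the slide's example MAC
    addr = slaac_address("2001:db8:1:2::/64", mac)
    print(mac, "->", mac_to_modified_eui64(mac), "->", addr)
    print(addr, "->", eui64_to_mac(addr))
```

Because the IID is constant across every network the device joins, anyone who sees the address can both track the host and read off its vendor from the OUI; that is the argument for the privacy addresses discussed later in the deck.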

Page 14: IPv6 Security Challenges: TechNet Augusta 2015

ICMPv6

• Updated version of the Internet Control Message Protocol (ICMP) for IPv6

• Reports delivery or forwarding errors and a simple echo service for troubleshooting

• Provides a framework for:
  – Multicast Listener Discovery (MLD)
  – Neighbor Discovery (ND)
  – Mobile IPv6


Page 15: IPv6 Security Challenges: TechNet Augusta 2015

Neighbor Discovery Functions
• Router discovery
• Prefix discovery
• Autoconfiguration of addresses and other parameters
• Duplicate address detection (DAD)
• Neighbor unreachability detection (NUD)
• Link-layer address resolution
• First-hop redirect


Page 16: IPv6 Security Challenges: TechNet Augusta 2015

Neighbor Discovery (NDP)
• Messages and processes that determine relationships between neighboring nodes

ND for Routers:
• Advertise their presence, host configuration parameters, routes and on-link prefixes
• Inform hosts of the best next-hop address for a destination

ND for Hosts:
• Address autoconfiguration
• Find routers and DNS servers

ND for Nodes:
• Discover other nodes on the link and determine their link-layer addresses
• Determine whether a neighboring node's link-layer address has changed and whether it is still reachable

Page 17: IPv6 Security Challenges: TechNet Augusta 2015

Router Solicitation (RS)


• RS messages are sent by hosts at system startup (or when an interface comes up) to ask the routers on the link for an immediate Router Advertisement
  – Lets the host autoconfigure without waiting for the next scheduled RA
  – Sent before the host has a configured global unicast address
  – The source address is the host's link-local address if one is already configured; otherwise the unspecified address (::) is used
  – Sent to the all-routers multicast address ff02::2

Page 18: IPv6 Security Challenges: TechNet Augusta 2015

Router Advertisement (RA)

• Periodically sent out each configured interface of an IPv6 router

• Used to announce network configuration information to local hosts

• For stateless autoconfiguration the advertised prefix length must be 64 bits, because the interface identifier appended to it is 64 bits

• The RA messages are sent to the all-nodes multicast address


Page 19: IPv6 Security Challenges: TechNet Augusta 2015

Router Discovery: Process
1. IPv6 routers periodically send a Router Advertisement message on the local link advertising their existence as routers
   ● Also provide configuration parameters such as default hop limit, MTU, and prefixes
2. Active IPv6 hosts on the local link receive the RA messages
   ● Use the contents to maintain the default router list, the prefix list, and other configuration parameters
3. A host that is starting up sends a Router Solicitation message
4. On receipt of the RS, every router on the local link answers with a Router Advertisement (unicast to the soliciting node, or multicast to all nodes)
5. The node receives the RA messages
   ● Uses the contents to build the default router and prefix lists and to set other configuration parameters

Page 20: IPv6 Security Challenges: TechNet Augusta 2015

Autoconfiguration Overview
• IPv6 interfaces can configure themselves
  – Even without a stateful configuration protocol (DHCPv6)
  – A link-local address is configured for each interface by default
• The host uses router discovery to determine:
  – Additional addresses
  – Router addresses
  – Other configuration parameters
• DHCPv6 is available as well

• Hosts use RAs to construct addresses
  – Subnet prefix(es): learned from periodic multicast advertisements from neighboring router(s)
  – Interface IDs: generated locally, either from the MAC address (EUI-64) or as pseudo-random temporary values
• Other IP-layer parameters are also learned from router advertisements (router addresses, recommended hop limit, etc.)
• Higher-layer information such as DNS servers is learned from the RA's RDNSS option, from DHCPv6, or from a multicast/anycast-based service-location protocol

Page 21: IPv6 Security Challenges: TechNet Augusta 2015

Types of Autoconfiguration
1. Stateless (SLAAC): receipt of Router Advertisement messages with one or more Prefix Information options
2. Stateful: use of a stateful address configuration protocol such as DHCPv6
3. Both: receipt of Router Advertisement messages plus a stateful configuration protocol (the RA's M and O flags tell the host which to use)

For all types, a link-local address is always configured.

Page 22: IPv6 Security Challenges: TechNet Augusta 2015

Neighbor Solicitation (NS) Message
• Used to determine the link-layer address of another node
  – The source address of an NS is the IPv6 address of the node sending the neighbor solicitation (the unspecified address :: during Duplicate Address Detection)
  – The destination address is the solicited-node multicast address corresponding to the target node's IPv6 address
  – Includes the link-layer address of the source node
• Also used to verify the reachability of a neighbor after its link-layer address is known
  – For a reachability check the destination address of the NS is the neighbor's unicast address

Page 23: IPv6 Security Challenges: TechNet Augusta 2015

Neighbor Advertisement (NA) Message
• Announces the mapping of an IPv6 address to a link-layer address
• The destination node replies to a neighbor solicitation message on the local link
  – Source: IPv6 address of the interface sending the neighbor advertisement
  – Destination: IPv6 address of the node that sent the neighbor solicitation
• The NA carries the link-layer address of the node sending it (Target Link-Layer Address option)
• Unsolicited NAs are also sent when a node's link-layer address changes, to update the neighbor caches of nodes on the link

Page 24: IPv6 Security Challenges: TechNet Augusta 2015

Address Resolution
• An exchange of Neighbor Solicitation and Neighbor Advertisement messages to resolve the link-layer address of the next-hop address
  – Multicast Neighbor Solicitation message
  – Unicast Neighbor Advertisement message
• Both hosts update their neighbor caches
• Unicast traffic can now be sent

Page 25: IPv6 Security Challenges: TechNet Augusta 2015

Redirect Message
• A router informs a host of a better first hop for a destination
• The router must be able to determine the link-local address of each neighboring router
  – Ensures the target address in a redirect message identifies the neighbor router by its link-local address

Page 26: IPv6 Security Challenges: TechNet Augusta 2015

Neighbor Function Equivalents

IPv4 Neighbor Function                   IPv6 Neighbor Function
ARP Request message                      Neighbor Solicitation message
ARP Reply message                        Neighbor Advertisement message
ARP cache                                Neighbor cache
Gratuitous ARP                           Duplicate Address Detection (DAD)
Router Solicitation message (optional)   Router Solicitation (required)
Router Advertisement message (optional)  Router Advertisement (required)
Redirect message                         Redirect message

Page 27: IPv6 Security Challenges: TechNet Augusta 2015

Neighbor Reachability
• Host A has acquired the link-layer address of neighbor Host B
• Host A can use NS and NA messages to check whether Host B is still reachable
  1. Host A sends an NS message whose destination address is the unicast IPv6 address of Host B
  2. If Host A receives an NA message from Host B, Host A decides that Host B is reachable; otherwise Host B is unreachable

Page 28: IPv6 Security Challenges: TechNet Augusta 2015

DHCPv6
• Provides stateful or stateless configuration settings for IPv6 hosts
• DHCPv6 infrastructure: clients, servers, relay agents
• Key differences from IPv4 DHCP:
  – Whether a prefix is on-link comes from the On-Link flag in the RA's Prefix Information option, not from DHCPv6; hosts do not automatically configure a directly attached subnet route for a DHCPv6-assigned address
  – The default route is configured from the RA; DHCPv6 has no default-route option

Page 29: IPv6 Security Challenges: TechNet Augusta 2015

DHCPv6 Communication
• User Datagram Protocol (UDP) messages
  – DHCPv6 clients listen on UDP port 546
  – DHCPv6 servers and relay agents listen on UDP port 547
• Multicast addresses
  – DHCPv6 servers and relay agents listen on ff02::1:2 (All_DHCP_Relay_Agents_and_Servers)
  – DHCPv6 clients send their messages to ff02::1:2
• A relay agent forwards the link-local multicasts as unicasts to the configured DHCPv6 servers

Page 30: IPv6 Security Challenges: TechNet Augusta 2015



DUID
• Clients use the DHCP Unique Identifier (DUID) to identify themselves when requesting an address and configuration from a DHCPv6 server (servers carry a DUID too)
• 2-byte type field + type-specific variable-length data
  – There is no fixed length: RFC 3315 only caps the data at 128 octets (at most 130 octets including the type code); a DUID-LLT built from an Ethernet address is 14 bytes
  – The server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client
• Must be globally unique but easy to generate
• Three types were defined in RFC 3315 (a fourth, DUID-UUID, was added by RFC 6355):
  – LLT: link-layer address + time
  – EN: vendor-assigned unique ID based on an enterprise number
  – LL: link-layer address

Page 31: IPv6 Security Challenges: TechNet Augusta 2015



DUID Types (field layouts; each row of the original figure is 32 bits wide)

DUID-LLT (type 1): | DUID type = 1 (16 bits) | hardware type (16 bits) | time (32 bits, seconds since 2000-01-01 UTC) | link-layer address (variable) |

DUID-EN (type 2):  | DUID type = 2 (16 bits) | enterprise number (32 bits) | identifier (variable) |

DUID-LL (type 3):  | DUID type = 3 (16 bits) | hardware type (16 bits) | link-layer address (variable) |
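A decoder for the three layouts above, as an added example that is not part of the original slides. It parses the 2-byte type code and the type-specific fields, converting the DUID-LLT timestamp from its 2000-01-01 epoch. The three sample DUIDs are constructed here: an LLT and an LL for the slide's Ethernet address 00:22:b0:75:b5:99, and an EN using the documentation enterprise number 32473 with an arbitrary identifier. A decoded DUID is what lets you tie a client to its leases in DHCPv6 server logs even when its address changes.

```python
import struct
from datetime import datetime, timedelta, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base (RFC 3315)
HARDWARE_TYPES = {1: "ethernet"}                          # IANA ARP hardware types; 1 = Ethernet
DUID_TYPES = {1: "LLT", 2: "EN", 3: "LL"}


def _lladdr(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_duid(duid: bytes) -> dict:
    """Decode a DHCPv6 DUID into a dict with a 'type' key plus type-specific fields."""
    if len(duid) < 2 or len(duid) - 2 > 128:
        raise ValueError("DUID is a 2-octet type code plus at most 128 octets of data")
    (duid_type,) = struct.unpack("!H", duid[:2])
    body = duid[2:]
    result = {"type": DUID_TYPES.get(duid_type, duid_type)}
    if duid_type == 1:                       # LLT: hw type (2) | time (4) | link-layer address
        if len(body) < 7:
            raise ValueError("DUID-LLT too short")
        hw_type, secs = struct.unpack("!HI", body[:6])
        result.update(hardware=HARDWARE_TYPES.get(hw_type, hw_type),
                      time=DUID_EPOCH + timedelta(seconds=secs),
                      lladdr=_lladdr(body[6:]))
    elif duid_type == 2:                     # EN: enterprise number (4) | identifier
        if len(body) < 5:
            raise ValueError("DUID-EN too short")
        (enterprise,) = struct.unpack("!I", body[:4])
        result.update(enterprise=enterprise, identifier=body[4:].hex())
    elif duid_type == 3:                     # LL: hw type (2) | link-layer address
        if len(body) < 3:
            raise ValueError("DUID-LL too short")
        (hw_type,) = struct.unpack("!H", body[:2])
        result.update(hardware=HARDWARE_TYPES.get(hw_type, hw_type), lladdr=_lladdr(body[2:]))
    else:                                    # unknown type: keep the opaque data
        result["data"] = body.hex()
    return result


def build_duid_llt(mac: str, secs_since_2000: int) -> bytes:
    """Construct a DUID-LLT for an Ethernet interface (hardware type 1)."""
    return struct.pack("!HHI", 1, 1, secs_since_2000) + bytes.fromhex(mac.replace(":", ""))


# Constructed sample DUIDs for the slide's example MAC; values are illustrative.
SAMPLE_LLT = build_duid_llt("00:22:b0:75:b5:99", 500_000_000)
SAMPLE_EN = struct.pack("!HI", 2, 32473) + bytes.fromhex("0cc084d303000912")
SAMPLE_LL = struct.pack("!HH", 3, 1) + bytes.fromhex("0022b075b599")

if __name__ == "__main__":
    for sample in (SAMPLE_LLT, SAMPLE_EN, SAMPLE_LL):
        print(sample.hex(), "->", parse_duid(sample))
```

Note that a DUID-LLT or DUID-LL embeds the MAC of whichever interface the client first generated it on, so it is another stable, vendor-revealing identifier that follows the host around, just like an EUI-64 interface ID.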

Page 32: IPv6 Security Challenges: TechNet Augusta 2015

05/02/2023

Chris Grundemann 32

Attribution

The following slides are courtesy of Chris Grundemann, Internet Society
• CO ISOC Founder
• NANOG-BCOP Chair
• IPv6 Author (Juniper Day One Books)
• IETF Contributor
• More: http://chrisgrundemann.com

Page 33: IPv6 Security Challenges: TechNet Augusta 2015


This section…
• Aims to debunk the most common IPv6 security myths
• Is NOT a comprehensive look at IPv6 security practices
• Should scare you a little
• Should NOT discourage IPv6 deployment
  – The more you know…

Page 34: IPv6 Security Challenges: TechNet Augusta 2015


Some Myths… Let’s get to busting

Page 35: IPv6 Security Challenges: TechNet Augusta 2015


MYTH: I’m not running IPv6, I don’t have to worry

Page 36: IPv6 Security Challenges: TechNet Augusta 2015


Reality: Your Applications are Using IPv6 Already

MYTH: I’m not running IPv6, I don’t have to worry

• Linux, Mac OS X, BSD, and Microsoft Vista/Windows 7 systems all come with IPv6 capability; most have it enabled by default and prefer IPv6 over IPv4
• They may try IPv6 first and then fall back to IPv4
• If you are not protecting your IPv6 nodes, you have just allowed a huge back door to exist!

Page 37: IPv6 Security Challenges: TechNet Augusta 2015


Reality: Your Users are Using IPv6 Already

MYTH: I’m not running IPv6, I don’t have to worry

Diagram: hosts on an IPv4 network protected by an IPv4 firewall

Page 38: IPv6 Security Challenges: TechNet Augusta 2015


Reality: Your Users are Using IPv6 Already

MYTH: I’m not running IPv6, I don’t have to worry

Diagram: the same hosts bring up 6to4 / Teredo tunnels; IPv6 on both ends of the tunnel passes through the IPv4 firewall, which only sees the IPv4 encapsulation

Page 39: IPv6 Security Challenges: TechNet Augusta 2015


MYTH: IPv6 Has Security Designed In

Page 40: IPv6 Security Challenges: TechNet Augusta 2015


MYTH: IPv6 Has Security Designed In

REALITY: IPsec is not new
• IPsec exists for IPv4 too
• The IPsec mandate in IPv6 was never a guarantee of security (support in the stack is not the same as traffic being protected)
  – And it is no longer in place: RFC 6434 (IPv6 Node Requirements, 2011) relaxed IPsec support from MUST to SHOULD

Page 41: IPv6 Security Challenges: TechNet Augusta 2015


MYTH: IPv6 Has Security Designed In

REALITY: IPv6 was designed 15-20 years ago

Page 43: IPv6 Security Challenges: TechNet Augusta 2015


MYTH: IPv6 Has Security Designed In

REALITY:
• Routing Header Type 0 (RH0), i.e. source routing
  – Deprecated in RFC 5095: "The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic."

Page 44: IPv6 Security Challenges: TechNet Augusta 2015


MYTH: IPv6 Has Security Designed In

REALITY:
• Hop-by-Hop Options header
  – Every router on the path must examine it, so it is vulnerable to low-bandwidth DoS attacks against router control planes
  – Threat detailed in draft-krishnan-ipv6-hopbyhop

Page 45: IPv6 Security Challenges: TechNet Augusta 2015


MYTH: IPv6 Has Security Designed In

REALITY:
• Extension headers are vulnerable in general
  – Large extension headers
  – Lots of extension headers
  – Invalid extension headers
  – Each of these can exhaust parsing resources or push the transport header past the point where an ACL or hardware forwarding path stops inspecting the packet
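A Next Header chain walker, as an added example that is not part of the original slides. It implements the chain-of-pointers layout from the packet-structure slides (fixed IPv6 header, then each extension header naming the one after it) and applies the checks the last three slides argue for: it flags a Type 0 Routing Header with Segments Left > 0, a Hop-by-Hop header that is not first, a chain longer than an assumed local limit, and headers that run past the end of the packet. The two packets are constructed inline from RFC 3849 documentation addresses; MAX_EXT_HEADERS is an assumed policy value, not a protocol constant.

```python
import ipaddress
import struct

# Next Header values that denote extension headers, and the upper-layer ones
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
               51: "Authentication Header", 60: "Destination Options", 135: "Mobility"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 50: "ESP", 58: "ICMPv6", 59: "No Next Header"}
MAX_EXT_HEADERS = 4   # assumed local policy threshold ("lots of extension headers")


def ext_header_length(next_header: int, hdr_ext_len: int) -> int:
    """Total length in bytes of one extension header, from its own length field."""
    if next_header == 44:            # Fragment header is always 8 bytes
        return 8
    if next_header == 51:            # AH: length in 4-byte words, minus 2
        return (hdr_ext_len + 2) * 4
    return (hdr_ext_len + 1) * 8     # all others: 8-byte units, not counting the first 8


def walk_chain(packet: bytes) -> dict:
    """Follow the Next Header chain and return what a filter needs to decide."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    chain, findings = [], []
    while next_header in EXT_HEADERS:
        if offset + 8 > len(packet):
            findings.append("truncated extension header")
            break
        following = packet[offset]                      # first byte is always Next Header
        length = ext_header_length(next_header, packet[offset + 1])
        entry = {"type": next_header, "name": EXT_HEADERS[next_header],
                 "offset": offset, "length": length}
        if next_header == 0 and chain:
            findings.append("Hop-by-Hop Options header is not first")
        if next_header == 43:
            entry["routing_type"] = packet[offset + 2]
            entry["segments_left"] = packet[offset + 3]
            if entry["routing_type"] == 0 and entry["segments_left"] > 0:
                findings.append("RH0 with Segments Left > 0 (deprecated by RFC 5095): drop")
        chain.append(entry)
        offset += length
        next_header = following
        if offset > len(packet):
            findings.append("extension header length runs past end of packet")
            break
        if len(chain) > MAX_EXT_HEADERS:
            findings.append(f"more than {MAX_EXT_HEADERS} extension headers")
            break
    return {"chain": chain, "upper_layer": UPPER_LAYER.get(next_header, next_header),
            "transport_offset": offset, "findings": findings}


def ipv6_header(next_header: int, payload_len: int, src: str, dst: str) -> bytes:
    # version 6, traffic class 0, flow label 0, hop limit 64
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def routing_header_type0(next_header: int, hops: list, segments_left: int) -> bytes:
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    # Hdr Ext Len counts 8-byte units after the first 8 bytes: 2 per address
    return struct.pack("!BBBBI", next_header, len(addrs) // 8, 0, segments_left, 0) + addrs


# Constructed sample packets: a plain TCP SYN, and the same SYN behind an RH0
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
SRC, DST = "2001:db8::1", "2001:db8::2"
PLAIN = ipv6_header(6, len(TCP_SYN), SRC, DST) + TCP_SYN
RH0 = routing_header_type0(6, ["2001:db8::a", "2001:db8::b"], 2)
WITH_RH0 = ipv6_header(43, len(RH0) + len(TCP_SYN), SRC, DST) + RH0 + TCP_SYN

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("rh0", WITH_RH0)):
        print(name, walk_chain(pkt))
```

The transport_offset result is the point: with the routing header in place the TCP header starts at byte 80 instead of 40, which is exactly the shift that makes a filter keyed on "TCP port 80 at a fixed offset" miss the packet.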

Page 46: IPv6 Security Challenges: TechNet Augusta 2015


MYTH: IPv6 Has Security Designed In

REALITY:
• Rogue Router Advertisements (RAs)
  – Can renumber hosts
  – Can launch a man-in-the-middle attack (the rogue sender becomes the hosts' default router)
  – Problem documented in RFC 6104: "In this document, we summarise the scenarios in which rogue RAs may be observed and present a list of possible solutions to the problem."
  – The usual mitigation is RA Guard on the access switch (RFC 6105)

Page 47: IPv6 Security Challenges: TechNet Augusta 2015


MYTH: IPv6 Has Security Designed In

REALITY:
• Forged Neighbor Discovery messages (the IPv6 equivalent of ARP spoofing)
• ICMPv6 Redirects, just like IPv4 redirects
• See RFC 6583, Operational Neighbor Discovery Problems
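The address-resolution exchange from the NS/NA slides, and what a forged NA does to it, as an added example that is not part of the original slides. It computes the solicited-node multicast group and Ethernet destination an NS must be sent to, then keeps a neighbor cache that follows the Neighbor Advertisement processing rules of RFC 4861 section 7.2.5: an NA for an unknown target is ignored, a solicited NA completes resolution, and an unsolicited NA with a different link-layer address only replaces the cached one when its Override flag is set. The addresses and MACs are constructed; the attacker MAC is an arbitrary value.

```python
import ipaddress


def solicited_node_multicast(unicast: str) -> str:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address (RFC 4291)."""
    low24 = ipaddress.IPv6Address(unicast).packed[13:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


def multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits (RFC 2464)."""
    low32 = ipaddress.IPv6Address(group).packed[12:]
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


class NeighborCache:
    """A host's neighbor cache with the NA processing rules of RFC 4861 section 7.2.5."""

    def __init__(self):
        self.entries = {}   # target IPv6 -> {"lladdr": str or None, "state": str}

    def start_resolution(self, target: str):
        """Create an INCOMPLETE entry and return where the multicast NS must go."""
        self.entries[target] = {"lladdr": None, "state": "INCOMPLETE"}
        group = solicited_node_multicast(target)
        return group, multicast_mac(group)

    def process_na(self, target: str, lladdr: str, solicited: bool, override: bool) -> dict:
        """Apply one received Neighbor Advertisement and return the resulting entry."""
        entry = self.entries.get(target)
        if entry is None:
            return {}                          # no entry: the NA is silently discarded
        if entry["state"] == "INCOMPLETE":     # completes address resolution
            entry["lladdr"] = lladdr
            entry["state"] = "REACHABLE" if solicited else "STALE"
            return dict(entry)
        # Existing entry: a different link-layer address is only accepted with Override set.
        if not override and lladdr != entry["lladdr"]:
            if entry["state"] == "REACHABLE":
                entry["state"] = "STALE"       # keep the old MAC, but re-probe before trusting it
            return dict(entry)
        changed = lladdr != entry["lladdr"]
        entry["lladdr"] = lladdr
        if solicited:
            entry["state"] = "REACHABLE"
        elif changed:
            entry["state"] = "STALE"
        return dict(entry)


if __name__ == "__main__":
    victim, victim_mac = "2001:db8::222:b0ff:fe75:b599", "00:22:b0:75:b5:99"
    attacker_mac = "de:ad:be:ef:00:01"          # constructed value
    cache = NeighborCache()
    print("send NS to", cache.start_resolution(victim))
    print("legit NA  ", cache.process_na(victim, victim_mac, solicited=True, override=True))
    print("forged O=0", cache.process_na(victim, attacker_mac, solicited=False, override=False))
    print("forged O=1", cache.process_na(victim, attacker_mac, solicited=False, override=True))
```

A STALE entry is still used to send traffic (unreachability detection probes it in the background), so after the forged NA with Override set, the host's packets for the victim go to the attacker's MAC: that is the man-in-the-middle the slide refers to, and nothing in the protocol authenticates the message.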

Page 48: IPv6 Security Challenges: TechNet Augusta 2015


MYTH: IPv6 Has Security Designed In

REALITY: Many attacks are above or below IP
• Buffer overflows
• SQL injection
• Cross-site scripting
• E-mail/SPAM (open relays)

Page 49: IPv6 Security Challenges: TechNet Augusta 2015


Myth: No IPv6 NAT Means Less Security

Page 50: IPv6 Security Challenges: TechNet Augusta 2015


Myth: No IPv6 NAT Means Less Security

REALITY: Stateful firewalls provide security
• The default-deny of inbound connections that people attribute to NAT comes from the stateful filter the NAT sits on; a stateful IPv6 firewall gives the same protection without the translation
• NAT can actually reduce security (it hides individual hosts from logs and breaks end-to-end protocols such as IPsec)

Page 51: IPv6 Security Challenges: TechNet Augusta 2015


Myth: IPv6 Networks are too Big to Scan

Page 52: IPv6 Security Challenges: TechNet Augusta 2015


Myth: IPv6 Networks are too Big to Scan

REALITY: Address structure shrinks the search space
• SLAAC EUI-64 addresses embed the MAC (well-known OUIs)
  – Tracking!
• DHCPv6 sequential addressing (scan the low numbers)
• 6to4, ISATAP, Teredo (well-known prefixes with the IPv4 address embedded)
• Manually configured addresses (scan low numbers, vanity addresses)
• Exploiting a local node
  – ff02::1: all nodes on the local network segment
  – IPv6 Node Information Queries (RFC 4620)
  – Neighbor discovery
• Leveraging IPv4 (Metasploit Framework "ipv6_neighbor")
• IPv6 addresses leaked by application-layer protocols (e-mail)
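An address classifier that applies the first four bullets above, as an added example that is not part of the original slides. Given an address seen in a log, a DNS zone or a mail header, it reports which structure an attacker can exploit: it extracts the IPv4 address from 6to4 (2002::/16) and ISATAP (::5efe:w.x.y.z) addresses, de-obfuscates the Teredo (2001::/32) server, port and client fields, recovers the MAC and OUI from an EUI-64 interface ID, and marks low-numbered IIDs as candidates for sequential scanning. The sample addresses are constructed from documentation ranges; the Teredo example is the well-known one from the Teredo specification's worked example.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")


def classify(address: str) -> dict:
    """Label an IPv6 address by the structure a scanner can exploit."""
    addr = ipaddress.IPv6Address(address)
    p = addr.packed
    iid = p[8:]
    info = {"address": addr.compressed, "kind": "random/privacy"}
    if addr in SIX_TO_FOUR:                                   # 2002:WWXX:YYZZ::/48
        info["kind"] = "6to4"
        info["ipv4"] = str(ipaddress.IPv4Address(p[2:6]))
    elif addr in TEREDO:                                      # 2001:0:server:flags:port:client
        info["kind"] = "teredo"
        info["server_ipv4"] = str(ipaddress.IPv4Address(p[4:8]))
        info["flags"] = int.from_bytes(p[8:10], "big")
        info["client_port"] = int.from_bytes(p[10:12], "big") ^ 0xFFFF   # bits are inverted
        info["client_ipv4"] = str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16])))
    elif iid[0] in (0x00, 0x02) and iid[1:4] == b"\x00\x5e\xfe":   # ISATAP: ::0000:5efe:w.x.y.z
        info["kind"] = "isatap"
        info["ipv4"] = str(ipaddress.IPv4Address(iid[4:]))
    elif iid[3:5] == b"\xff\xfe":                             # modified EUI-64 from a MAC
        info["kind"] = "eui64"
        mac = bytearray(iid[:3] + iid[5:])
        mac[0] ^= 0x02                                        # undo the u/l bit inversion
        info["mac"] = ":".join(f"{b:02x}" for b in mac)
        info["oui"] = info["mac"][:8]
    elif int.from_bytes(iid, "big") < 0x10000:                # manual or sequential DHCPv6
        info["kind"] = "low-numbered"
    return info


def low_numbered_candidates(prefix: str, count: int) -> list:
    """Candidate targets for a /64 whose hosts are numbered by hand or sequentially."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    base = int(net.network_address)
    return [ipaddress.IPv6Address(base + i).compressed for i in range(1, count + 1)]


# Constructed sample addresses (documentation prefixes; Teredo value from the spec's example)
SAMPLES = [
    "2002:c000:204::1",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
    "2001:db8::5efe:c000:204",
    "2001:db8::222:b0ff:fe75:b599",
    "2001:db8::10",
    "2001:db8::a1b2:c3d4:e5f6:7a8b",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s))
    print(low_numbered_candidates("2001:db8:1::/64", 5))
```

Only the last sample gives a scanner nothing to work with, which is the point of the privacy-address slide that follows: randomizing the interface ID is what makes "too big to scan" true.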

Page 53: IPv6 Security Challenges: TechNet Augusta 2015


Myth: IPv6 Networks are too Big to Scan

REALITY: Privacy addresses (RFC 4941)
• Privacy addresses derive the interface ID from an MD5 hash over the EUI-64 and a random history value
• Usually temporary: the addresses rotate
  – Frequency varies
  – Often paired with dynamic DNS (do firewall state tables get updated?)
• Makes filtering, troubleshooting, and forensics difficult
• Alternative: randomized DHCPv6
  – Host: randomized IIDs
  – Server: short leases, randomized assignments

Page 54: IPv6 Security Challenges: TechNet Augusta 2015


Myth: IPv6 is too New to be Attacked

Page 55: IPv6 Security Challenges: TechNet Augusta 2015


Myth: IPv6 is too New to be Attacked

REALITY: Tools are already available
• THC IPv6 Attack Toolkit
• SI6 IPv6 Toolkit
• IPv6 port scan tools
• IPv6 packet forgery tools
• IPv6 DoS tools

Page 56: IPv6 Security Challenges: TechNet Augusta 2015


Myth: IPv6 is too New to be Attacked

REALITY: Bugs and vulnerabilities are published
• Vendors
• Open source software

Page 57: IPv6 Security Challenges: TechNet Augusta 2015


Myth: IPv6 is too New to be Attacked

REALITY: Search for "securityfocus.com inurl:bid ipv6"

Page 58: IPv6 Security Challenges: TechNet Augusta 2015


Myth: 96 more bits, no magic (It’s just like IPv4)

Page 59: IPv6 Security Challenges: TechNet Augusta 2015


Myth: 96 more bits, no magic (It’s just like IPv4)

REALITY: The IPv6 address format is drastically new
• 128 bits vs. 32 bits
• Hex vs. decimal
• Colon vs. period
• Multiple textual forms for the same address (zero suppression, zero compression, upper and lower case)
• Logging, grep, filters, etc. must canonicalize addresses before comparing them
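The canonicalization problem from the last two bullets, as an added example that is not part of the original slides. The constructed log lines below record one host written four different ways (fully expanded upper case, compressed inside [] with a port, and with uncompressed zero groups); a plain grep for any one spelling misses the others. The code pulls IPv6 addresses out of each line, normalizes them to the RFC 5952 form that Python's ipaddress module produces, and indexes the lines by canonical address so a query in any spelling finds them all.

```python
import ipaddress
import re

# Constructed sample log lines: 2001:db8::1 appears in three spellings, 2001:db8::2 once.
SAMPLE_LOG = """\
2015-08-12T10:01:02Z sshd[123]: Accepted publickey for ops from 2001:0DB8:0000:0000:0000:0000:0000:0001 port 51234
2015-08-12T10:01:05Z nginx: client [2001:db8::1]:443 GET /admin
2015-08-12T10:01:09Z fw: DROP src=2001:db8:0:0:0:0:0:1 dst=2001:db8::ffff
2015-08-12T10:02:00Z sshd[124]: Failed password for root from 2001:db8::2 port 51290
"""

TOKEN_SPLIT =_SPLIT = re.compile(r"[\s=,;\"'()]+")


def extract_addresses(line: str) -> list:
    """Return every IPv6 address in a log line, whatever its spelling."""
    found = []
    for tok in TOKEN_SPLIT.split(line):
        if ":" not in tok:
            continue
        if tok.startswith("["):              # [addr]:port or [addr]
            tok = tok[1:].split("]")[0]
        tok = tok.split("%")[0]              # drop a zone id such as fe80::1%eth0
        try:
            found.append(ipaddress.IPv6Address(tok))
        except ValueError:                   # timestamps, "sshd[123]:" and the like
            continue
    return found


def canonical(address: str) -> str:
    """RFC 5952 text form: lowercase hex, longest zero run compressed once."""
    return ipaddress.IPv6Address(address).compressed


def index_by_host(log_text: str) -> dict:
    """Map each canonical address to the line numbers it appears on."""
    index = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for addr in extract_addresses(line):
            index.setdefault(addr.compressed, []).append(lineno)
    return index


def grep_host(log_text: str, query: str) -> list:
    """Line numbers mentioning the queried host, regardless of how either side spelled it."""
    return index_by_host(log_text).get(canonical(query), [])


if __name__ == "__main__":
    print(index_by_host(SAMPLE_LOG))
    print(grep_host(SAMPLE_LOG, "2001:0DB8::1"))
```

The same normalization belongs in front of any allow/deny list or SIEM correlation rule; a rule written against "2001:db8:0:0:0:0:0:1" will silently not match the compressed form a different device logs.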

Page 60: IPv6 Security Challenges: TechNet Augusta 2015


Myth: 96 more bits, no magic (It’s just like IPv4)

REALITY: Multiple addresses on each host
• The same host appears in logs under different addresses (link-local, EUI-64, temporary privacy addresses, …)

Page 61: IPv6 Security Challenges: TechNet Augusta 2015


Myth: 96 more bits, no magic (It’s just like IPv4)

REALITY: Syntax changes
• Training!

Page 62: IPv6 Security Challenges: TechNet Augusta 2015


Myth: Configure IPv6 Filters Same As IPv4

Page 63: IPv6 Security Challenges: TechNet Augusta 2015


Myth: Configure IPv6 Filters Same As IPv4

REALITY: DHCPv6 and ND introduce nuance
• Neighbor Discovery runs over ICMPv6, so a blanket "drop ICMP" rule breaks IPv6 on the link
• DHCPv6 message exchange (four messages, all between link-local addresses):
  – Solicit: [your link-local]:546 -> [ff02::1:2]:547
  – Advertise: [server link-local]:547 -> [your link-local]:546
  – Request: [your link-local]:546 -> [ff02::1:2]:547
  – Reply: [server link-local]:547 -> [your link-local]:546

Page 64: IPv6 Security Challenges: TechNet Augusta 2015


Reality: Example Firewall Filter (MikroTik)

Flags: X - disabled, I - invalid, D - dynamic
 0 ;;; Not just ping - ND runs over icmp6.
   chain=input action=accept protocol=icmpv6 in-interface=ether1-gateway
 1 chain=input action=accept connection-state=established in-interface=ether1-gateway
 2 ;;; related means stuff like FTP-DATA
   chain=input action=accept connection-state=related in-interface=ether1-gateway
 3 ;;; for DHCP6 advertisement (second packet, first server response)
   chain=input action=accept protocol=udp src-address=fe80::/16 dst-address=fe80::/16 in-interface=ether1-gateway dst-port=546
 4 ;;; ssh to this box for management (note non standard port)
   chain=input action=accept protocol=tcp dst-address=[myaddr]/128 dst-port=2222
 5 chain=input action=drop in-interface=ether1-gateway

Page 65: IPv6 Security Challenges: TechNet Augusta 2015


Myth: It supports IPv6

Page 66: IPv6 Security Challenges: TechNet Augusta 2015


Myth: It supports IPv6

REALITY: It probably doesn’t
• Check hardware, software, services and applications (VM, crypto, etc.)
• Write detailed requirements (RFP)
• RIPE-554 (requirements for IPv6 in ICT equipment)
• Lab testing
• Independent/outside verification

Page 67: IPv6 Security Challenges: TechNet Augusta 2015


Myth: There are no IPv6 Security BCPs yet

Page 68: IPv6 Security Challenges: TechNet Augusta 2015


Myth: There are no IPv6 Security BCPs yet

REALITY: There are!
• Perform IPv6 filtering at the perimeter
• Use RFC 2827 (BCP 38) ingress filtering and Unicast RPF checks throughout the network
• Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels, and deny packets for transition techniques not in use
• Use common access-network security measures (NAC/802.1X, disable unused switch ports, Ethernet port security, MACsec/TrustSec) because SeND won’t be available any time soon
• Strive to achieve equal protection for IPv6 and IPv4
• Continue to let vendors know what you expect in terms of IPv6 security features

Page 69: IPv6 Security Challenges: TechNet Augusta 2015


Myth: There are no IPv6 Security Resources

Page 70: IPv6 Security Challenges: TechNet Augusta 2015


Myth: There are no IPv6 Security Resources

REALITY: There are!
• IPv6 Security, by Scott Hogg and Eric Vyncke, Cisco Press, 2009
• CPNI Viewpoint: Security Implications of IPv6
• Operational Security Considerations for IPv6 Networks (IETF opsec work, since published as RFC 9099)
• IPv6 Hackers: a forum for IPv6 security researchers and networking pros
• Deploy360 has a section specifically on IPv6 security
• Search engines are your friends! There’s lots more information out there.

Page 71: IPv6 Security Challenges: TechNet Augusta 2015


The Reality of Dual-Stack
• Two sets of filters
• Two sets of bugs

Diagram: IPv4 and IPv6 running side by side

Page 72: IPv6 Security Challenges: TechNet Augusta 2015


Thank you!

@ChrisGrundemann
http://chrisgrundemann.com
http://www.internetsociety.org/deploy360/

Gratitude and Credit:
• Scott Hogg: my IPv6 security guru
• Fernando Gont: for review
• Rob Seastrom: for the MikroTik example
• The Internet: lots of searching
• You: thanks for listening!

Page 73: IPv6 Security Challenges: TechNet Augusta 2015



Brandon Ross

[email protected] 404-635-6667