ipv6 security challenges: technet augusta 2015
TRANSCRIPT
Network Utility Force LLC, 15 Wieuca Trace Northeast, Atlanta, Georgia, 30342 -- +1-404-635-6667 -- [email protected] © 2012, Network Utility Force LLC. Company confidential information, transmittal to third parties by prior permission only.
IPv6 Security Implications
Eric Oosting, VP, Core Routing Practice
[email protected] +1-404-941-6678
IPv4 and IPv6: Brief History
• Internet Protocol version 4
  – 1978: Developed for ARPANET
  – 4 billion addresses
  – Allocation based on documented need
  – Deployed globally and well entrenched
• Internet Protocol version 6
  – IETF forecasts IPv4 depletion between 2010 and 2017
  – 1996: IPv6 design begins
  – 340 undecillion addresses
  – 1999: Completed, tested, and available
  – Management and use similar to IPv4
  – Today: IPv4 address pool is already depleted for many RIRs as of 2014.
The Case for IPv6: Limitations of IPv4
• IPv4 address space exhaustion
• Exponential Internet growth
• Requirement for security at the IP level
• Need for simpler configuration
• Support for real-time delivery of data
Exponential Internet Growth
• Internet users or PCs
• Emerging population/geopolitical and address space
• PDA, tablet, notepad, …
• Mobile phones
• Transportation
  – Planes, cars
• Consumer devices
• Billions of home and industrial appliances
Interim Solutions...
• Drop address classes A, B, and C
• Assign addresses in power-of-two chunks
• Assign several Class C addresses instead of one Class B address
• Assign providers large contiguous address blocks to be used for customers
• Advertise chunks instead of individual address assignments
Conservation Efforts
• PPP / DHCP address sharing
• CIDR (classless inter-domain routing)
• NAT (network address translation)
• Address reclamation

Deployment Benefits
• Chance to eliminate some complexity in the IP header
• Improve per-hop processing
• Chance to upgrade functionality
  – Multicast, QoS, mobility
• Chance to include new features
• Binding updates
IPv6 Features
• Larger address space
• Simplified header format
• Stateless and stateful address configuration
• QoS:
  – Hierarchical architecture for prioritized delivery
  – Integrated Services (IntServ), Differentiated Services (DiffServ)
• Required IPsec header support
• Multicast interaction
• Support for mobility
• Extensibility
IPv4 vs IPv6
Length in bits:         IPv4: 32                      IPv6: 128
Amount of addresses:    IPv4: 2^32 = 4,294,967,296    IPv6: 2^128 = 340,282,366,920,939,463,374,607,431,768,211,456
Address format:         IPv4: dotted decimal (192.168.100.1)    IPv6: hexadecimal
Dynamic addressing:     IPv4: DHCP                    IPv6: SLAAC/DHCPv6
IPsec:                  IPv4: optional                IPv6: mandatory
Header length:          IPv4: variable                IPv6: fixed
Minimal packet size:    IPv4: 576 bytes (fragmented)  IPv6: 1280 bytes
Header checksum:        IPv4: yes                     IPv6: no
Header options:         IPv4: yes                     IPv6: no (extension headers)
Flow:                   IPv4: no                      IPv6: packet flow label
Packet Structure
IPv6 Format and Header
[Figure: an IPv6 packet consists of the IPv6 header, zero or more extension headers, and the upper-layer protocol data unit (payload). The extension headers form a chain of pointers, each header's Next Header field naming the header that follows it.]
[Figure: three Next Header chains]
  IPv6 Header (Next Header = 6, TCP) -> TCP Segment
  IPv6 Header (Next Header = 43, Routing) -> Routing Header (Next Header = 6, TCP) -> TCP Segment
  IPv6 Header (Next Header = 43, Routing) -> Routing Header (Next Header = 51, AH) -> Authentication Header (Next Header = 6, TCP) -> TCP Segment
IPv6 Fragmentation
Broken into two pieces:
• Unfragmentable Part
  – Includes the main header of the original datagram + any extension headers that need to be present in each fragment. Must be present in each fragment
  – Hop-by-Hop Options, Destination Options (for options processed by devices along the route) and Routing
• Fragmentable Part
  – Data portion of the datagram + other extension headers if present
  – Authentication Header, Encapsulating Security Payload and/or Destination Options (for options processed only by the final destination)
  – Split up among fragments
IPv6 Fragmentation
[Figure: the original IPv6 packet = unfragmentable part + fragmentable part. Each of the first, second and third fragments carries the unfragmentable part, then a Fragment Header, then one piece of the fragmentable part.]
Interface ID
• Two parts:
  – 64-bit network prefix used for routing
  – 64-bit interface identifier used to identify a host's network interface
• 64 bits long
  – Derived from EUI-64 addresses
• Combined with a network prefix (routing prefix and subnet ID) to determine the corresponding IPv6 address for the device
• Unique within the subnet prefix
• Lowest-order 64-bit field of a unicast address
  – Assignment:
    • Auto-configured from a 64-bit EUI-64
    • Expanded from a 48-bit MAC address (e.g., Ethernet address)
    • Auto-generated pseudo-random number (privacy concerns)
    • Assigned via DHCP
    • Manually configured
Converting MAC to EUI-64
[Figure, worked through with the slide's example address]
  IEEE 802 48-bit MAC:    00 22 b0 75 b5 99
  IEEE 802 64-bit MAC:    00 22 b0 FF FE 75 b5 99    (FF FE inserted between the two halves)
  IEEE EUI-64:            02 22 b0 FF FE 75 b5 99    (first octet 0000 00X0, X=1, X is the universal bit)
• Split MAC address
  – First three octets of MAC: Company-ID
  – Last three octets of MAC: Node-ID
• 0xfffe inserted between Company-ID and Node-ID
• Universal/Local bit (U/L bit) is set to 1 for global scope
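The conversion on this slide, and its inverse, as an added example (not code from the original deck). It inserts ff:fe and flips the universal/local bit exactly as the figure shows, then recovers the embedded MAC from a finished address, which is the check a defender runs over logs to spot SLAAC addresses that still carry hardware identifiers. The MAC is the one in the figure; the 2001:db8::/64 prefix is the RFC 3849 documentation prefix and is an assumption.

```python
"""Modified EUI-64 interface identifiers as used by SLAAC (RFC 4291, Appendix A)."""
import ipaddress
from typing import Optional


def mac_to_eui64(mac: str) -> bytes:
    """Expand a 48-bit IEEE 802 MAC into a modified EUI-64 interface identifier."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(" ", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Company-ID (OUI) is the first three octets, Node-ID the last three;
    # 0xfffe is inserted between them to stretch 48 bits to 64.
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # The universal/local bit is bit 1 of the first octet (0000 00X0).
    # Modified EUI-64 inverts it, so a globally unique MAC yields X = 1.
    eui64[0] ^= 0x02
    return bytes(eui64)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface ID derived from a MAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a 64-bit prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC embedded in an EUI-64-derived address, or None.

    The fixed 0xfffe in the middle of the interface ID is the tell-tale;
    privacy, DHCPv6 and manual addresses normally lack it and return None.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit inversion
    octets = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:22:b0:75:b5:99"  # MAC from the slide figure
    addr = slaac_address("2001:db8::/64", mac)  # documentation prefix (assumed)
    print(mac_to_eui64(mac).hex(":"), addr, embedded_mac(str(addr)))
```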
ICMPv6
• Updated version of the Internet Control Message Protocol (ICMP) for IPv6
• Reports delivery or forwarding errors and a simple echo service for troubleshooting
• Provides a framework for:
  – Multicast Listener Discovery (MLD)
  – Neighbor Discovery (ND)
  – Mobile IPv6
Functions
• Router discovery
• Prefix discovery
• Autoconfiguration of address & other parameters
• Duplicate address detection (DAD)
• Neighbor unreachability detection (NUD)
• Link-layer address resolution
• First-hop redirect
Neighbor Discovery (NDP)
• Messages and processes that determine relationships between neighboring nodes
ND for Routers:
• Advertise their presence, host configuration parameters, routes and on-link preferences
• Inform hosts of the best next-hop address for a destination
ND for Hosts:
• Address autoconfiguration of nodes
• Find routers and DNS servers
ND for Nodes:
• Discover other nodes on the link and determine their link-layer addresses
• Determine if a neighboring node's link-layer address changes and if it is still reachable
Router Solicitation (RS)
• RS message sent by hosts at system startup and in response to router solicitation messages
  – Immediately autoconfigure without needing to wait for the next scheduled RA message
  – Host does not have a configured unicast address
  – Source address in router solicitation messages is usually the unspecified IPv6 address (0:0:0:0:0:0:0:0)
Router Advertisement (RA)
• Periodically sent out each configured interface of an IPv6 router
• Used to announce network configuration information to local hosts
• Advertised prefix length in RA messages must always be 64 bits for autoconfiguration
• The RA messages are sent to the all-nodes multicast address
Router Discovery: Process
1. IPv6 routers periodically send a Router Advertisement message on the local link advertising their existence as routers.
   ● Also provide configuration parameters such as default hop limit, MTU, and prefixes
2. Active IPv6 hosts on the local link receive the RA messages
   ● Use contents to maintain the default router list, the prefix list, and other configuration parameters
3. A starting-up host sends a Router Solicitation message
4. On receipt of the message, all routers on the local link send a unicast RA message to the node that sent the Router Solicitation
5. Node receives the RA messages
   ● Use contents to build the default router and prefix lists, set other configuration parameters
Autoconfiguration Overview
• IPv6 interfaces can configure themselves
  – Even without a stateful configuration protocol (DHCPv6)
  – Link-local address for each interface by default
• Host uses router discovery to determine:
  – Additional addresses
  – Router addresses
  – Other configuration parameters
• DHCP is available
• Hosts use RAs to construct addresses
  – Subnet prefix(es): learned from periodic multicast advertisements from neighboring router(s)
  – Interface IDs: generated locally
  – MAC addresses: pseudo-random temporary
• Other IP-layer parameters are also learned from router advertisements (router addresses, recommended hop limit, etc.)
• Higher-layer info discovered by a multicast/anycast-based service-location protocol
Types of Autoconfiguration
1. Stateless (SLAAC)
   – Receipt of Router Advertisement messages with one or more Prefix Information options
2. Stateful
   – Use of a stateful address configuration protocol such as DHCPv6
3. Both
   – Receipt of Router Advertisement messages and a stateful configuration protocol
For all types, a link-local address is always configured
Neighbor Solicitation (NS) Message
• Determine the link-layer address of another node
  – Source address in an NS message is the IPv6 address of the node sending the neighbor solicitation message
• Destination (Target) address in an NS message
  – Solicited-node multicast address corresponding to the IPv6 address of the destination node
• Includes the link-layer address of the source node
• Used to verify reachability of a neighbor after the link-layer address of the neighbor is identified
• To verify the reachability of a neighbor, the destination address in an NS message is the neighbor's unicast address.
Neighbor Advertisement (NA) Message
• Informs of the mapping of an IPv6 address to a link-layer address
• Destination node replies to the neighbor solicitation message on the local link
• Source and destination addresses in the NA message
  – Source: IPv6 address of the node interface sending the neighbor advertisement message
  – Destination (Target): IPv6 address of the node that sent the neighbor solicitation message.
• Data portion of the NA message includes the link-layer address of the node sending the neighbor advertisement message
• NA messages are also sent in response to a change in the link-layer address of a node on the local link
Address Resolution
• An exchange of Neighbor Solicitation and Neighbor Advertisement messages to resolve the link-layer address of the next-hop address
  – Multicast Neighbor Solicitation message
  – Unicast Neighbor Advertisement message
• Both hosts update their neighbor caches
• Unicast traffic can now be sent
Redirect Message
• Router informs hosts of a better first hop for a destination
• Router must be able to determine the link-local address for each neighboring router
  – Ensure the target address in a redirect message identifies the neighbor router by its link-local address
Neighbor Function Equivalents
IPv4 Neighbor Function             IPv6 Neighbor Function
ARP Request message                Neighbor Solicitation message
ARP Reply message                  Neighbor Advertisement message
ARP cache                          Neighbor cache
Gratuitous ARP                     Duplicate Address Detection (DAD)
Router Solicitation (optional)     Router Solicitation (required)
Router Advertisement (optional)    Router Advertisement (required)
Redirect message                   Redirect message
Neighbor Reachability
• Host A acquires the link-layer address of neighbor Host B
• Host A can use NS and NA messages to check whether Host B is reachable
  1. Host A sends an NS message whose destination address is the IPv6 address of Host B
  2. If Host A receives an NA message from Host B, Host A decides that Host B is reachable. Otherwise, Host B is unreachable
DHCPv6
• Provides stateful or stateless address configuration settings for IPv6 hosts
• DHCPv6 infrastructure
  – Clients, servers, relay agents
• Key differences from IPv4
  – On-Link flag in the Prefix Information option
    • Directly attached subnet route for a DHCPv6-assigned IPv6 address is not configured by IPv6 hosts automatically
  – Default route configured from RA
    • No default route assignment in DHCPv6
DHCPv6 Communication
• User Datagram Protocol (UDP) messages
  – DHCPv6 clients listen on UDP port 546
  – DHCPv6 servers and relay agents listen on UDP port 547
• Multicast addresses
  – DHCPv6 servers and relay agents listen on ff02::1:2
  – DHCPv6 client sends messages to ff02::1:2
• Relay agent forwards multicasts as unicasts to configured DHCPv6 servers
DUID
• Clients use the DHCP Unique Identifier (DUID) to get an IP address from a DHCPv6 server
• 2-byte type field + type-specific variable-length data
  – Minimum length of 12 bytes (96 bits) and a maximum length of 20 bytes (160 bits).
  – Server compares the DUID with its database and delivers configuration data (address, lease times, DNS servers, etc.) to the client
• Must be globally unique but easy to generate
• Three types:
  – LL: Link-layer address
  – LLT: Link-layer address + time
  – EN: Vendor-assigned unique ID based on Enterprise number
DUID Types
[Figure: the three DUID layouts, each drawn as 32-bit rows with bit positions 0, 15|16 and 31]
  DUID-LLT: DUID Type: 1 | Hardware Type, then Time (32 bits), then Link Layer Address (variable length)
  DUID-EN:  DUID Type: 2 | Enterprise Number (high 16 bits), then Enterprise Number (cont'd) | Identifier (variable length)
  DUID-LL:  DUID Type: 3 | Hardware Type, then Link Layer Address (variable length)
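A decoder for the three DUID layouts in the figure, as an added example (not code from the original deck). The builders exist only so the decoder has input; the three sample DUIDs are constructed here, reusing the MAC from the EUI-64 figure, and the enterprise number 99999 is a placeholder, not a registered value.

```python
"""Decode DHCPv6 DUIDs of type LLT (1), EN (2) and LL (3), per RFC 3315 section 9."""
import struct
from datetime import datetime, timedelta, timezone

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
HW_ETHERNET = 1  # IANA hardware type for Ethernet
# DUID-LLT time is seconds since 2000-01-01 00:00 UTC, modulo 2**32.
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def parse_duid(duid: bytes) -> dict:
    """Return the fields of a DUID as a dict; raise ValueError on malformed input."""
    if len(duid) < 4:
        raise ValueError("DUID shorter than the 2-byte type plus payload")
    (dtype,) = struct.unpack("!H", duid[:2])
    if dtype == DUID_LLT:
        if len(duid) < 8:
            raise ValueError("DUID-LLT too short for hardware type and time")
        hw, secs = struct.unpack("!HI", duid[2:8])
        return {"type": "LLT", "hw_type": hw,
                "time": DUID_EPOCH + timedelta(seconds=secs),
                "link_layer": duid[8:].hex(":")}
    if dtype == DUID_EN:
        if len(duid) < 6:
            raise ValueError("DUID-EN too short for enterprise number")
        (enterprise,) = struct.unpack("!I", duid[2:6])
        return {"type": "EN", "enterprise": enterprise, "identifier": duid[6:].hex()}
    if dtype == DUID_LL:
        (hw,) = struct.unpack("!H", duid[2:4])
        return {"type": "LL", "hw_type": hw, "link_layer": duid[4:].hex(":")}
    raise ValueError("unknown DUID type %d" % dtype)


def build_duid_llt(mac: bytes, when: datetime) -> bytes:
    secs = int((when - DUID_EPOCH).total_seconds()) & 0xFFFFFFFF
    return struct.pack("!HHI", DUID_LLT, HW_ETHERNET, secs) + mac


def build_duid_en(enterprise: int, identifier: bytes) -> bytes:
    return struct.pack("!HI", DUID_EN, enterprise) + identifier


def build_duid_ll(mac: bytes) -> bytes:
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + mac


# Constructed samples: MAC from the EUI-64 slide, placeholder enterprise number.
MAC = bytes.fromhex("0022b075b599")
SAMPLE_LLT = build_duid_llt(MAC, datetime(2015, 8, 20, 12, 0, tzinfo=timezone.utc))
SAMPLE_EN = build_duid_en(99999, bytes.fromhex("0102030405"))
SAMPLE_LL = build_duid_ll(MAC)

if __name__ == "__main__":
    for sample in (SAMPLE_LLT, SAMPLE_EN, SAMPLE_LL):
        print(sample.hex(), parse_duid(sample))
```

Note that the LLT and LL types carry the client's MAC in the clear, so a DUID seen in DHCPv6 server logs identifies hardware the same way an EUI-64 address does.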
05/02/2023
Chris Grundemann 32
Attribution
The following slides are courtesy of Chris Grundemann - Internet Society
• CO ISOC Founder
• NANOG-BCOP Chair
• IPv6 Author (Juniper Day One Books)
• IETF Contributor
• More: http://chrisgrundemann.com
This section…
• Aims to debunk the most common IPv6 security myths
• Is NOT a comprehensive look at IPv6 security practices
• Should scare you a little
• Should NOT discourage IPv6 deployment
  – The more you know…
Some Myths… Let's get to busting
MYTH: I'M NOT RUNNING IPV6, I DON'T HAVE TO WORRY
Reality: Your Applications are Using IPv6 Already
• Linux, Mac OS X, BSD, and Microsoft Vista/Windows 7 systems all come with IPv6 capability; some even have IPv6 enabled by default (IPv6 preferred)
• They may try to use IPv6 first and then fall back to IPv4
• If you are not protecting your IPv6 nodes then you have just allowed a huge back-door to exist!
Reality: Your Users are Using IPv6 Already
[Figure: IPv4 hosts sitting behind an IPv4 firewall]
Reality: Your Users are Using IPv6 Already
[Figure: the same hosts, with 6to4 / Teredo tunnels carrying IPv6 through the IPv4 firewall; IPv6 on both sides of it]
MYTH: IPv6 Has Security Designed In
Reality: IPsec is Not New
• IPsec exists for IPv4
• IPsec mandates in IPv6 are no guarantee of security
  – And are no longer in place
Reality: IPv6 was Designed 15-20 Years Ago
Reality: Extension Headers
http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html
Reality:
• Routing Header Type 0 (RH0) – Source Routing
  – Deprecated in RFC 5095: "The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic."
Reality:
• Hop-by-Hop Options Header
  – Vulnerable to low-bandwidth DoS attacks
  – Threat detailed in draft-krishnan-ipv6-hopbyhop
Reality:
• Extension headers are vulnerable in general
  – Large extension headers
  – Lots of extension headers
  – Invalid extension headers
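A chain walker covering the packet-structure figure earlier in the deck and the three extension-header realities above (RH0, Hop-by-Hop, large/many/invalid headers), as an added example that is not code from the original deck. It follows the Next Header pointers of a raw IPv6 packet and reports what an inspecting filter should notice; the packets, the 2001:db8:: addresses and the limit of four extension headers are all constructed or assumed for the example.

```python
"""Walk an IPv6 extension-header chain (RFC 8200 layout) and flag risky cases."""
import struct

HOPOPT, TCP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONXT, DSTOPTS = 0, 6, 43, 44, 50, 51, 58, 59, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS}
NAMES = {0: "Hop-by-Hop", 6: "TCP", 43: "Routing", 44: "Fragment", 50: "ESP",
         51: "AH", 58: "ICMPv6", 59: "No Next Header", 60: "Destination Options"}
MAX_EXT_HEADERS = 4  # assumed policy limit for this example


def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    """Minimal 40-byte IPv6 header (constructed sample, RFC 3849 documentation prefix)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def generic_ext(next_header: int, body: bytes) -> bytes:
    """Hop-by-Hop / Routing / Destination Options: length field in 8-octet units minus 1."""
    total = 2 + len(body)
    if total % 8:
        raise ValueError("extension header must be a multiple of 8 octets")
    return bytes([next_header, total // 8 - 1]) + body


def walk_chain(pkt: bytes):
    """Return (chain, findings): the header names in order and the concerns found."""
    chain, findings = [], []
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        chain.append(NAMES[nh])
        if nh == ESP:
            findings.append("ESP: remainder encrypted, chain cannot be inspected")
            return chain, findings
        if off + 2 > len(pkt):
            findings.append("truncated extension header")
            return chain, findings
        if nh == FRAGMENT:
            hlen = 8  # fixed size: next header, reserved, offset/flags, identification
            findings.append("Fragment header: reassembly needed before upper-layer filtering")
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4  # AH length is in 4-octet units minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8
        if nh == HOPOPT:
            findings.append("Hop-by-Hop Options: processed by every router on the path")
        if nh == ROUTING and pkt[off + 2] == 0:  # routing type field
            findings.append("Routing Header Type 0 (deprecated by RFC 5095)")
        if off + hlen > len(pkt):
            findings.append("extension header length exceeds packet")
            return chain, findings
        nh, off = pkt[off], off + hlen
        if len(chain) > MAX_EXT_HEADERS:
            findings.append("more than %d extension headers" % MAX_EXT_HEADERS)
            return chain, findings
    chain.append(NAMES.get(nh, "protocol %d" % nh))
    return chain, findings


# Sample 1: the slide's IPv6 -> Routing -> AH -> TCP chain, with a type 0 routing header.
TCP_STUB = bytes(20)
AH_HDR = bytes([TCP, 4]) + bytes(22)                         # payload len 4 -> 24 bytes
RH0 = generic_ext(AH, bytes([0, 1]) + bytes(4) + bytes(16))  # type 0, one segment left
PKT_RH0 = ipv6_packet(ROUTING, RH0 + AH_HDR + TCP_STUB)
# Sample 2: plain TCP, nothing to flag.
PKT_PLAIN = ipv6_packet(TCP, TCP_STUB)
# Sample 3: a Hop-by-Hop header whose declared length runs past the packet.
PKT_BAD = ipv6_packet(HOPOPT, bytes([TCP, 9]) + bytes(6))

if __name__ == "__main__":
    for p in (PKT_RH0, PKT_PLAIN, PKT_BAD):
        print(walk_chain(p))
```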
Reality:
• Rogue Router Advertisements (RAs)
  – Can renumber hosts
  – Can launch a Man-in-the-Middle attack
  – Problem documented in RFC 6104: "In this document, we summarise the scenarios in which rogue RAs may be observed and present a list of possible solutions to the problem."
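A monitor-side check for the rogue RA problem above, as an added example that is not code from the original deck. It parses a Router Advertisement (RFC 4861 layout) out of a raw IPv6 packet and compares it with what the operator expects on the link: a link-local source, hop limit 255, a known router, and only known /64 prefixes in the Prefix Information options (the deck's point that SLAAC needs a 64-bit prefix). The router list, the prefix list and the 2001:db8: values are assumptions, and the ICMPv6 checksum is not verified here.

```python
"""Validate ICMPv6 Router Advertisements against an expected-router/prefix policy."""
import ipaddress
import struct

ICMPV6 = 58
ROUTER_ADVERTISEMENT = 134
PREFIX_INFORMATION = 3

KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}            # assumed for this link
KNOWN_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}   # assumed for this link


def build_ra(src: str, hop_limit: int, prefix: str, plen: int) -> bytes:
    """Construct an IPv6 packet carrying an RA with one Prefix Information option."""
    opt = struct.pack("!BBBBIII", PREFIX_INFORMATION, 4, plen, 0xC0, 2592000, 604800, 0)
    opt += ipaddress.IPv6Address(prefix).packed
    # RA body: cur hop limit, flags, router lifetime, reachable time, retrans timer.
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + opt
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + icmp


def check_ra(pkt: bytes) -> list:
    """Return the problems found; an empty list means the RA matches policy."""
    problems = []
    if len(pkt) < 56 or pkt[6] != ICMPV6 or pkt[40] != ROUTER_ADVERTISEMENT:
        return ["not a Router Advertisement"]
    src = ipaddress.IPv6Address(pkt[8:24])
    if not src.is_link_local:
        problems.append("source %s is not link-local" % src)
    if pkt[7] != 255:
        problems.append("hop limit %d, must be 255 (RA must not be forwarded)" % pkt[7])
    if src not in KNOWN_ROUTERS:
        problems.append("unknown router %s" % src)
    off = 56  # options start after the 16-byte RA body
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):
            problems.append("malformed option at offset %d" % off)
            break
        if otype == PREFIX_INFORMATION and olen == 32:
            plen = pkt[off + 2]
            prefix = ipaddress.IPv6Network((bytes(pkt[off + 16:off + 32]), plen), strict=False)
            if plen != 64:
                problems.append("prefix length %d, SLAAC needs /64" % plen)
            if prefix not in KNOWN_PREFIXES:
                problems.append("unexpected prefix %s (possible renumbering)" % prefix)
        off += olen
    return problems


# Constructed samples: the expected router, and a rogue one advertising a foreign prefix.
GOOD_RA = build_ra("fe80::1", 255, "2001:db8:1::", 64)
ROGUE_RA = build_ra("fe80::dead", 64, "2001:db8:bad::", 48)

if __name__ == "__main__":
    print("good:", check_ra(GOOD_RA))
    print("rogue:", check_ra(ROGUE_RA))
```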
Reality:
• Forged Neighbor Discovery messages
• ICMP Redirects – just like IPv4 redirects
• See RFC 6583 – Operational Neighbor Discovery Problems
Reality: Many Attacks are Above or Below IP
• Buffer overflows
• SQL injection
• Cross-site scripting
• E-mail/SPAM (open relays)
Myth: No IPv6 NAT Means Less Security
Reality: Stateful Firewalls Provide Security
• NAT can actually reduce security
Myth: IPv6 Networks are too Big to Scan
Reality:
• SLAAC – EUI-64 addresses (well-known OUIs)
  – Tracking!
• DHCPv6 sequential addressing (scan low numbers)
• 6to4, ISATAP, Teredo (well-known addresses)
• Manually configured addresses (scan low numbers, vanity addresses)
• Exploiting a local node
  – ff02::1 – all nodes on the local network segment
  – IPv6 Node Information Queries (RFC 4620)
  – Neighbor discovery
• Leveraging IPv4 (Metasploit Framework "ipv6_neighbor")
• IPv6 addresses leaked out by application-layer protocols (email)
Reality: Privacy Addresses (RFC 4941)
• Privacy addresses use an MD5 hash on the EUI-64 and a random number
• Often temporary – rotate addresses
  – Frequency varies
  – Often paired with dynamic DNS (firewall state updates?)
• Makes filtering, troubleshooting, and forensics difficult
• Alternative: randomized DHCPv6
  – Host: randomized IIDs
  – Server: short leases, randomized assignments
Myth: IPv6 is too New to be Attacked
Reality: Tools are Already Available
• THC IPv6 Attack Toolkit
• SI6 IPv6 Toolkit
• IPv6 port scan tools
• IPv6 packet forgery tools
• IPv6 DoS tools
Reality: Bugs and Vulnerabilities Published
• Vendors
• Open source software
Reality: Search for "securityfocus.com inurl:bid ipv6"
Myth: 96 more bits, no magic (It's just like IPv4)
Reality: IPv6 Address Format is Drastically New
• 128 bits vs. 32 bits
• Hex vs. decimal
• Colon vs. period
• Multiple possible formats (zero suppression, zero compression)
• Logging, grep, filters, etc.
Reality: Multiple Addresses on Each Host
• Same host appears in logs with different addresses
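The "logging, grep, filters" and multiple-address points above, worked as an added example that is not code from the original deck. One address can be written fully expanded, zero-suppressed, zero-compressed, upper- or lower-case, or bracketed with a port; the helper folds every IPv6 literal in a log line into the RFC 5952 canonical form (which is what Python's ipaddress module emits) so that one grep pattern or filter entry matches all spellings, and then counts events per canonical address. The log lines and their 2001:db8: addresses are constructed.

```python
"""Normalise IPv6 literals in log text to their RFC 5952 canonical form."""
import ipaddress
import re
from collections import Counter

# An IPv6 literal, optionally in square brackets with a :port suffix.
# Hex digits, ':' and '.' (for embedded IPv4) with at least one colon.
IPV6_RE = re.compile(r"\[?([0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*)\]?(?::(\d+))?")

LOG_LINES = [  # constructed sample log lines, one host written four ways
    "sshd: Accepted publickey from 2001:0DB8:0000:0000:0000:0000:0000:0001 port 52213",
    "sshd: Failed password from 2001:db8::1 port 52214",
    "nginx: [2001:db8:0:0:0:0:0:1]:443 GET /",
    "nginx: [2001:db8::222:b0ff:fe75:b599]:443 GET /",
]


def canonical(text: str):
    """Return the RFC 5952 form of an IPv6 literal, or None if text is not one."""
    try:
        return str(ipaddress.IPv6Address(text))
    except ipaddress.AddressValueError:
        return None


def normalise_line(line: str) -> str:
    """Rewrite every IPv6 literal in the line into canonical form, leaving other text alone."""
    def repl(m):
        canon = canonical(m.group(1))
        if canon is None:          # things like "12:34:56" or a stray "d:" stay as they are
            return m.group(0)
        return m.group(0).replace(m.group(1), canon)
    return IPV6_RE.sub(repl, line)


def events_by_address(lines) -> Counter:
    """Count log events per canonical address, so one host yields one key."""
    counts = Counter()
    for line in lines:
        for m in IPV6_RE.finditer(line):
            canon = canonical(m.group(1))
            if canon:
                counts[canon] += 1
    return counts


if __name__ == "__main__":
    for line in LOG_LINES:
        print(normalise_line(line))
    print(events_by_address(LOG_LINES))
```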
Reality: Syntax Changes
• Training!
Myth: Configure IPv6 Filters Same as IPv4
Reality: DHCPv6 && ND Introduce Nuance
• Neighbor Discovery uses ICMP
• DHCPv6 message exchange:
  • Solicit: [your link local]:546 -> [ff02::1:2]:547
  • Advertise: [upstream link local]:547 -> [your link local]:546
  • and two more packets, both between your link locals.
Reality: Example Firewall Filter (MikroTik)
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Not just ping - ND runs over icmp6.
     chain=input action=accept protocol=icmpv6 in-interface=ether1-gateway
 1   chain=input action=accept connection-state=established in-interface=ether1-gateway
 2   ;;; related means stuff like FTP-DATA
     chain=input action=accept connection-state=related in-interface=ether1-gateway
 3   ;;; for DHCP6 advertisement (second packet, first server response)
     chain=input action=accept protocol=udp src-address=fe80::/16 dst-address=fe80::/16 in-interface=ether1-gateway dst-port=546
 4   ;;; ssh to this box for management (note non standard port)
     chain=input action=accept protocol=tcp dst-address=[myaddr]/128 dst-port=2222
 5   chain=input action=drop in-interface=ether1-gateway
Myth: It supports IPv6
Reality: It Probably Doesn't
• Hardware, software, services, applications (VM, crypto, etc.)
• Detailed requirements (RFP)
• RIPE-554
• Lab testing
• Independent/outside verification
Myth: There are no IPv6 Security BCPs yet
Reality: There Are!
• Perform IPv6 filtering at the perimeter
• Use RFC 2827 filtering and Unicast RPF checks throughout the network
• Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used
• Use common access-network security measures (NAC/802.1X, disable unused switch ports, Ethernet port security, MACsec/TrustSec) because SeND won't be available any time soon
• Strive to achieve equal protections for IPv6 as with IPv4
• Continue to let vendors know what you expect in terms of IPv6 security features
Myth: There are no IPv6 Security Resources
Reality: There Are!
• IPv6 Security, by Scott Hogg and Eric Vyncke, Cisco Press, 2009
• CPNI Viewpoint: Security Implications of IPv6
• Operational Security Considerations for IPv6 Networks
• IPv6 Hackers is a forum for IPv6 security researchers and networking pros
• Deploy360 has a section specifically on IPv6 Security
• Search engines are your friends! There's lots more info out there!
The Reality of Dual-Stack
• Two sets of filters
• Two sets of bugs
Thank you!
@ChrisGrundemann
http://chrisgrundemann.com
http://www.internetsociety.org/deploy360/
Gratitude and Credit:
• Scott Hogg – My IPv6 Security Guru
• Fernando Gont – For review
• Rob Seastrom – For the MikroTik example
• The Internet – Lots of searching
• You – Thanks for listening!
Brandon Ross
[email protected] 404-635-6667