
SO YOUR IPV6 IS PUBLIC…NOW WHAT?

BY JOE SULLIVAN

JOLIET JUNIOR COLLEGE, PROFESSOR

APRIL 27TH 2017

CCNP, Palo Alto ACE, CCNA Video, CCNA Voice, CVNS, CVNR, CCNA Collaboration, H.E. IPv6 Sage, Linux Essentials, ECSVRv1, ECSERv2, CCNA Security, CCAI, CWTS

BACKGROUND

• ARIN's free pool of IPv4 addresses was depleted on September 24, 2015; organizations with unmet requests can now apply on the waiting list: https://www.arin.net/resources/request/waiting_list.html

• Conservation of IPv4 addresses began early on with VLSM and the RFC 1918 private address space.

• Because private addresses are in use, NAT has been in place to accommodate them. It quickly became clear that this model costs performance and makes real-time services and end-to-end applications hard to support.

EXPLORING MYTHS: NAT SECURITY

• NAT never provided security. It actually hindered it, by getting in the way of geolocation, DNSSEC and IPsec.

• In reality the security came from the stateful firewall. Stateful packet inspection remembers which connections left the network (addresses, ports and TCP state) and admits only the return traffic whose headers and flags match an existing entry.

NAT overview clipping source: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

DEPLOYMENT MODELS

• ISPs have been resourceful in obtaining IPv6 address space. Comcast started in 2011 and has a deployment model in place. (Source: http://corporate.comcast.com/comcast-voices/ipv6-deployment-technology)

• Comcast, for instance, has been proactive in deploying native dual stack, which means a customer gets both an IPv6 and an IPv4 address. This avoids tunneling and NAT.

• Native dual stack avoids breaking or slowing applications and keeps broadband fast without the complications of NAT.

• With NAT gone, new tools have been developed to hand out address prefixes to customers. We will look at a dual-stack device running Prefix Delegation (PD), with LAN devices issued a /64 and addressing themselves with SLAAC.

IPV6 DEPLOYMENT

• This research is not intended to detract from the merits of IPv6, but merely to shed light on important deployment scenarios.

• IPv6 is different from IPv4, this we understand. Several attacks nevertheless exist in both IPv4 and IPv6, such as:

• Application layer attacks such as cross-site scripting and SQL injection.

• Rogue devices (rogue Wi-Fi access points, a rogue router advertising itself with higher priority) and flooding and DoS attacks.

• Man-in-the-middle attacks.

• Redirection, spoofing and false advertisements.

BACKGROUND ON IPV6 STRUCTURE

• Link Local: FE80::7ADA:6EFF:FE5B:ACE0

• Global Unicast: 2010:AB8:0:1:7ADA:6EFF:FE5B:B478

(Both interface identifiers carry FF:FE in the middle, the signature of an EUI-64 identifier derived from the interface's MAC address.)

• Multicast groups joined (group addresses):

• FF02::1 (all nodes on the link)

• FF02::2 (all routers on the link)

• FF02::A (EIGRP routers)

INVESTIGATIVE TOOLS USED

• Kali

• THC-IPV6(8) https://manned.org/thc-ipv6.8

• The investigation focused on IPv6 Prefix Delegation security concerns.

NETWORK ATTACKS

• New neighbor found; possible gateway attack successful.

FLOOD ROUTERS

• flood_router6 successful.

• The tool quickly announces thousands of fake routers as neighbors; within seconds the target's tables held thousands of entries.

• This is a memory-exhaustion attack on the router.
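The flood the slide describes is visible in the Router Advertisement stream itself. The following is an added example, not part of the original slides and not code from thc-ipv6: it parses a constructed log of Router Advertisements and raises two kinds of alert, a rogue RA (unexpected source or prefix, including the "router with higher priority" case from the deployment slide) and an RA flood (a threshold of RAs inside a one-second window). The log format, the timestamps, the legitimate router fe80::1 and its prefix, and the thresholds are all assumptions made for the demonstration.

```python
"""Added example, not from the original slides or from thc-ipv6: detecting
the flood_router6 pattern (and a single rogue, high-priority RA) from a log
of Router Advertisements. The log format, timestamps, the legitimate router
fe80::1, its prefix and the thresholds are all assumptions for the demo."""
import random
import re
from collections import deque

# assumed one-line-per-RA log format, e.g. produced by a sensor on the link
RA_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) RA src=(?P<src>\S+) prefix=(?P<prefix>\S+) prio=(?P<prio>\w+)$")


def parse_ra(line):
    """One log line -> dict with a float timestamp, or None if it is not an RA line."""
    m = RA_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = float(d["ts"])
    return d


def analyse(lines, legit_routers, legit_prefixes, window=1.0, flood_threshold=50):
    """Return rogue RAs (unexpected source or prefix) and the first RA flood.

    Routers normally advertise every few seconds to minutes, so tens of RAs
    per second on one link only happens under attack (the threshold is an
    assumption; tune it to the link). Once a flood is detected the per-RA
    rogue check stops, because flood_router6 randomises sources and prefixes
    and listing them individually is noise.
    """
    rogue = {}          # (src, prefix) -> (first seen, priority)
    flood = None
    recent = deque()    # timestamps inside the sliding window
    for line in lines:
        ra = parse_ra(line)
        if ra is None:
            continue
        recent.append(ra["ts"])
        while ra["ts"] - recent[0] > window:
            recent.popleft()
        if flood is None and len(recent) >= flood_threshold:
            flood = {"start": recent[0], "end": ra["ts"], "count": len(recent)}
        if flood is None and (ra["src"] not in legit_routers
                              or ra["prefix"] not in legit_prefixes):
            rogue.setdefault((ra["src"], ra["prefix"]), (ra["ts"], ra["prio"]))
    return {"rogue": rogue, "flood": flood}


def sample_lines():
    """Constructed log, not a real capture: three legitimate RAs, one rogue
    high-priority RA from another box, then a burst of the kind
    flood_router6 produces (random sources and prefixes, about 1 ms apart)."""
    rnd = random.Random(1)
    lines = [
        "1000.000 RA src=fe80::1 prefix=2010:ab8:0:1::/64 prio=medium",
        "1200.000 RA src=fe80::1 prefix=2010:ab8:0:1::/64 prio=medium",
        "1400.000 RA src=fe80::1 prefix=2010:ab8:0:1::/64 prio=medium",
        "1401.500 RA src=fe80::bad prefix=2001:db8:dead::/64 prio=high",
    ]
    t = 1500.0
    for _ in range(200):
        t += 0.001
        src = "fe80::%x:%x" % (rnd.getrandbits(16), rnd.getrandbits(16))
        prefix = "2001:db8:%x::/64" % rnd.getrandbits(16)
        lines.append("%.3f RA src=%s prefix=%s prio=high" % (t, src, prefix))
    return lines


if __name__ == "__main__":
    report = analyse(sample_lines(), {"fe80::1"}, {"2010:ab8:0:1::/64"})
    for (src, prefix), (ts, prio) in sorted(report["rogue"].items(), key=lambda kv: kv[1]):
        print(f"rogue RA at {ts:.3f}: src={src} prefix={prefix} prio={prio}")
    if report["flood"]:
        print("RA flood:", report["flood"])
```

On a real link the same two checks are what RA Guard on the switch enforces in hardware; the script is useful where RA Guard is unavailable or as a sensor to confirm it is working.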

FRAGMENTATION ATTACK ON FIREWALL

• High CPU usage.

• Investigated with the firewall probe.

PRINT ROUTER INFORMATION

• Information on adjacencies.

ASSESS DEVICE CAPABILITIES

• Scans a device's system services.

• Accessible through the WAN.

FIREWALL PROBING

• Sniffer detection packets.

• Scanning for system responses.

• Fragmentation and maximum segment size attacks.

PROBE ROUTER

• Sends a series of known exploits to an intermediate device.

• Actively probes devices.

NEIGHBOR DISCOVERY

• In this test, Nmap probed about one address per second.

• Hosts are not numbered ::1 and upward; SLAAC interface identifiers are spread across the 64-bit space.

• A /64 holds 2^64 (about 18 quintillion) addresses, so exhaustive discovery can take years.

• Once you visit a malicious site, its operator has your address, so you still need a firewall.
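The scan arithmetic above, and the flip side of it, as an added example that is not part of the original slides: the two addresses on the IPv6 structure slide use EUI-64 interface identifiers, which embed the MAC address. The code recovers that MAC, builds the reverse mapping, and shows how the search space collapses from 2^64 to 2^24 once an attacker has seen one such address and therefore knows the vendor OUI. The probe rates are assumptions for the arithmetic; only the addresses come from the slides.

```python
"""Added example, not from the original slides: what the EUI-64 interface
identifiers on the IPv6 structure slide leak, and how the "years to scan a
/64" arithmetic works out. The addresses are the ones shown on the slides;
the probe rates are assumptions for the arithmetic."""
import ipaddress

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def eui64_mac(addr: str):
    """Return the MAC embedded in an EUI-64 interface ID, or None.

    SLAAC with EUI-64 (RFC 4291, Appendix A) forms the low 64 bits by
    splitting the 48-bit MAC, inserting ff:fe in the middle and flipping
    the universal/local bit (0x02) of the first octet.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None                      # privacy/random IID, or a manual address
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def mac_to_eui64(prefix: str, mac: str) -> str:
    """Inverse: the SLAAC address a NIC with this MAC takes in the prefix."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def search_space(prefix_len: int = 64, known_oui: bool = False) -> int:
    """Addresses a scanner has to try: the whole interface-ID space, or only
    the 24 NIC-specific bits once the vendor OUI is known from one leaked
    EUI-64 address on the same network."""
    return 1 << 24 if known_oui else 1 << (128 - prefix_len)


def scan_years(addresses: int, probes_per_second: float) -> float:
    """Wall-clock years to probe every address once at the given rate."""
    return addresses / probes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for a in ("FE80::7ADA:6EFF:FE5B:ACE0", "2010:AB8:0:1:7ADA:6EFF:FE5B:B478"):
        print(a, "->", eui64_mac(a))
    print("full /64 at 1 probe/s:", f"{scan_years(search_space(64), 1):.3g} years")
    hours = scan_years(search_space(known_oui=True), 1000) * 24 * 365.25
    print("same OUI at 1000 probes/s:", f"{hours:.1f} hours")
```

The practical takeaway is that "safety in numbers" only holds for hosts that do not announce their MAC in their address; enabling privacy extensions (RFC 4941 temporary addresses) or stable random identifiers (RFC 7217) on workstations keeps the search space at 2^64.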

ATTACKS INSIDE THE LAN REMAIN DEVASTATING

• This raises concerns for businesses.

• With dual stack an administrator has to defend both protocols; the logical footprint effectively doubles.

HOW TO PLAN FOR IPV6

• Start with ARIN: https://www.arin.net/resources/ipv6_planning.html

• Check with your ISP for compatible modems to obtain the best performance. For example: http://mynewmodemcomcast.net/

• Get IPv6 certified for free with Hurricane Electric (free T-shirt at Sage level): https://ipv6.he.net/certification/

• Research the guidelines: https://www.apnic.net/community/ipv6-program/ipv6-bcp/

BASIC STEPS BEFORE CONSIDERATION OF IPV6 DEPLOYMENT (SOURCE: HTTP://BLOGS.CISCO.COM/SMALLBUSINESS/3-STEPS-FOR-PREPARING-YOUR-NETWORK-FOR-IPV6)

1. Audit the routers and switches as well as the security appliances, firewalls and intrusion prevention systems.

2. Gradually migrate your core networking components, then all of your endpoints; don't forget the applications that run on PCs.

3. Ensure outward-facing services are IPv6 compliant.

• Audit existing infrastructure for compliance.

• Make a planned migration.

• Validate external services.

IMPLICATIONS FOR DUAL STACK DEVICES

• IPv6 has an abundance of addresses, which gives hosts a degree of "safety in numbers" against random scanning.

• Once discovered, a host is directly reachable unless firewall rules are provisioned.

• For IoT devices, protection lies solely in the front-end device in front of them. Designed for low power consumption and a single purpose, they have little security of their own.

• Provisioning systems for dual stack does require a router or security device that handles each protocol.

• Multicast floods are hard on switches; the recommendation is to provision storm control and multicast routing.

• Devices inside the LAN may suffer severely from attacks. Workstations should run host firewalls, and IoT devices need a hardware firewall in front of them at the link (L2) boundary.

• Direct reachability over IPv6 is possible without a stateful firewall; ensure one is operational.
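The mechanism behind the last bullet, and behind the NAT-myth slide earlier (the protection comes from tracking outbound flows, not from translating addresses), as an added example that is not part of the original slides: a minimal stateful packet filter that accepts replies to connections the LAN opened, drops unsolicited inbound traffic to a globally reachable host, and still passes the ICMPv6 messages IPv6 cannot work without. The packets, the remote addresses and the exposed-service list are constructed for the demonstration; the LAN host address is the global unicast address from the IPv6 structure slide.

```python
"""Added example, not from the original slides: a minimal stateful packet
filter illustrating why a host with a global IPv6 address is reachable until
such a filter sits in front of it, and why that filter (not NAT) is what
provided the security all along. Packets, remote addresses and the exposed
services are constructed for the demo."""
from dataclasses import dataclass

# ICMPv6 a stateful filter must pass without a matching flow entry:
# Neighbor Discovery (RS/RA/NS/NA) so address resolution and SLAAC keep
# working, and the error messages (Destination Unreachable, Packet Too Big,
# Time Exceeded, Parameter Problem) that path MTU discovery and TCP rely on.
# RFC 4890 has the full list and the scoping caveats.
ND_TYPES = {133, 134, 135, 136}
ERROR_TYPES = {1, 2, 3, 4}
ECHO_REQUEST, ECHO_REPLY = 128, 129


@dataclass(frozen=True)
class Pkt:
    direction: str      # "out": LAN -> WAN, "in": WAN -> LAN
    proto: str          # "tcp", "udp" or "icmpv6"
    src: str
    dst: str
    sport: int = 0      # for icmpv6 echo this field carries the identifier
    dport: int = 0
    icmp_type: int = 0


class StatefulFilter:
    def __init__(self, inbound_services=()):
        # flows seen leaving the LAN: (proto, inside addr, inside port, outside addr, outside port)
        self.flows = set()
        # services deliberately exposed to the WAN: (proto, port)
        self.inbound_services = set(inbound_services)

    def decide(self, p: Pkt) -> str:
        if p.proto == "icmpv6" and (p.icmp_type in ND_TYPES or p.icmp_type in ERROR_TYPES):
            return "accept"                          # stateless: blocking these breaks IPv6
        if p.direction == "out":
            if p.proto == "icmpv6" and p.icmp_type != ECHO_REQUEST:
                return "accept"                      # nothing to track for other ICMPv6
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))   # remember the flow
            return "accept"
        # inbound: only replies to something the LAN started, or an exposed service
        if p.proto == "icmpv6":
            if p.icmp_type == ECHO_REPLY and ("icmpv6", p.dst, p.sport, p.src, 0) in self.flows:
                return "accept"
            return "drop"                            # unsolicited echo request etc.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "accept"
        if (p.proto, p.dport) in self.inbound_services:
            return "accept"
        return "drop"


LAN_HOST = "2010:ab8:0:1:7ada:6eff:fe5b:b478"   # global address from the slides
WEB = "2001:db8::80"                            # constructed remote web server
ATTACKER = "2001:db8:bad::1"                    # constructed scanner


def demo():
    """Run a constructed packet sequence through the filter; returns the verdicts."""
    fw = StatefulFilter(inbound_services=[("tcp", 443)])
    pkts = [
        Pkt("out", "tcp", LAN_HOST, WEB, 51000, 443),              # LAN opens a connection
        Pkt("in", "tcp", WEB, LAN_HOST, 443, 51000),               # server's reply matches
        Pkt("in", "tcp", ATTACKER, LAN_HOST, 40000, 22),           # unsolicited SSH probe
        Pkt("in", "tcp", ATTACKER, LAN_HOST, 40001, 443),          # deliberately exposed service
        Pkt("in", "icmpv6", ATTACKER, LAN_HOST, icmp_type=ECHO_REQUEST),   # unsolicited ping
        Pkt("out", "icmpv6", LAN_HOST, WEB, sport=7, icmp_type=ECHO_REQUEST),
        Pkt("in", "icmpv6", WEB, LAN_HOST, sport=7, icmp_type=ECHO_REPLY),  # matching reply
        Pkt("in", "icmpv6", WEB, LAN_HOST, icmp_type=2),           # Packet Too Big (PMTUD)
        Pkt("in", "icmpv6", "fe80::1", "ff02::1", icmp_type=134),  # Router Advertisement
    ]
    return [fw.decide(p) for p in pkts]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note what is absent: no address is rewritten anywhere, yet the unsolicited probe is dropped and the server's reply is admitted. That is the whole argument of the NAT-myth slide. The ICMPv6 exceptions are the part most often got wrong when an IPv4 "deny all ICMP" habit is carried over to IPv6.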

FINDINGS

• Getting back to Comcast provisioning native dual stack over DOCSIS: the logic of the move is that during the growing pains of moving from our depleted IPv4 state to IPv6, content providers have not readily adopted IPv6. Websites may draw on both IPv4 and IPv6 content.

• A dual-stack configuration lets us see an Internet page over both protocols. Miss one protocol and the content changes.

• There are browser add-ons to check websites for dual-protocol support (see link).

• Supporting both protocols is necessary until every service provider and website transitions to IPv6.

https://chrome.google.com/webstore/detail/ipvfoo/ecanpcehffngcegjmadlcijfolapggal?hl=en

FINDINGS CONTINUED

• DNS lookups return both protocol options.

• The AAAA record is the IPv6 counterpart of the A record. If one exists, the client tries IPv6 first and falls back to the A record and IPv4 (modern browsers race the two connections under "Happy Eyeballs", RFC 6555/8305).

IDENTIFIERS OF IPV6 WEBSITES

• A logo may be displayed on a website to show IPv6 readiness, such as World IPv6 Launch: http://www.worldipv6launch.org/

• Test your IPv6: http://ipv6test.google.com/

SETUP FIREWALL FOR NEW PROTOCOL

• Certified IPv6 Ready devices for small business: https://www.ipv6ready.org/

WAN SIDE BUSINESS CLASS SERVICES

• Fragmented Packet Inspection and reorder

• IPv6 DoS mitigation

• Tunneled packet inspection at tunnel endpoint

• Stateful packet inspection

• Stateful packet inspection for IPv4-to-IPv6 originations

• ACL pertaining to extension header information

• Port to Application mapping.

• Firewall Alerts, Audit trails, system logging, netflow

• Router hardening for routing protocols

• Multicast thresholds

• Neighbor Advertisement protection with Cryptographically Generated Addresses (CGA, RFC 3972) and SEcure Neighbor Discovery (SEND, RFC 3971)

LAN SIDE BUSINESS CLASS IPV6 PRECAUTIONS

• Stateful packet failover, FHRP

• Control plane policing (per-user microflow policing)

• Use of Protocol Independent Multicast v2 and Multicast Listener Discovery v2

• Use of general prefix names (Cisco IOS "ipv6 general-prefix") to simplify deployment

• Standard fare:

• DHCP snooping (for IPv6: DHCPv6 Guard and RA Guard)

• QoS mechanisms

• Load budget under a dual-protocol environment; consider multi-protocol aggregation

SCANNING VALIDATION TOOLS

Home tools for IPv6:

http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-tracepath.php

http://www.ipv6scanner.com/cgi-bin/main.py

ADDITIONAL RESOURCES

router configurations.txt