2. Who am I?
Henrik Strøm
Head of IT Security &
Telenor CERT manager
Telenor Norway
3. Agenda
• Types of networks & systems
• Attacker’s point of view
• Defense – What to do
• Further reading
4. What type of network?
• Home network
• Office network
• Coffee shop
• Mobile Broadband
• Datacenter
• ISP networks
• Mobile networks
5. What type of system?
• Mobile phone
• iPad / Tablet
• Laptop
• Desktop
• Service
• Server
• RG
6. Point #1 – IPv6 visibility
Why you don’t disappear in a vast pool of IPv6 addresses:
• bgp.he.net, DNS and Google give a good starting point
• Humans use predictable names and addresses (::1)
• Search space for hosts within a net is limited (~2^24)
• Local multicast gives info on local hosts
• Running netstat on a compromised system
7. Point #2 – Local attacks
When the attacker is on your local network,
the IPv6 security model breaks down in a bad way.
It assumes that Local = Trusted!
• Use IPv6 addresses to bypass IPv4 access controls
• Spoof RAs to autoconfigure hosts that support IPv6
• Spoof RAs to become MITM (Gateway & DNS)
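The first bullet, as an added example that is not from the slides: an access check written with only IPv4 in mind, beside a family-aware version. The policy, the networks (RFC 5737 / RFC 3849 documentation ranges) and the function names are constructed for the illustration.

```python
"""Added example, not from the slides: an IPv4-only ACL that an IPv6 client
never hits, beside a check that judges both address families."""
import ipaddress

# Constructed policy: only the office LAN may reach the admin interface.
ALLOWED_V4 = ipaddress.ip_network("192.0.2.0/24")       # documentation range
ALLOWED_V6 = ipaddress.ip_network("2001:db8:1::/64")    # documentation range


def ipv4_only_allowed(src: str) -> bool:
    """The weak check: anything that does not parse as IPv4 is waved
    through, so a client arriving over IPv6 is never matched against the ACL."""
    try:
        addr = ipaddress.IPv4Address(src)
    except ipaddress.AddressValueError:
        return True      # "not IPv4, so the IPv4 rule does not apply" - the bug
    return addr in ALLOWED_V4


def family_aware_allowed(src: str) -> bool:
    """The hardened check: parse either family, default-deny anything
    unexpected, and keep one explicit allow list per family."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv4Address):
        return addr in ALLOWED_V4
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is what a dual-stack socket reports
    # for IPv4 peers; judge it by the IPv4 rule, not by the IPv6 one.
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped in ALLOWED_V4
    return addr in ALLOWED_V6


if __name__ == "__main__":
    for src in ("192.0.2.9", "198.51.100.7", "2001:db8:dead::1", "2001:db8:1::5"):
        print(f"{src:>20}  v4-only: {ipv4_only_allowed(src)!s:5}  "
              f"family-aware: {family_aware_allowed(src)}")
```

The weak version fails open: the IPv6 client 2001:db8:dead::1 is allowed only because the check cannot parse it. The same pattern appears in any filter, log parser or rate limiter that was written against IPv4 strings.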
8. Point #3 – Internet connectivity (outbound)
Do you know about all the (IPv6) traffic
that is leaving your network?
Including what the traffic is doing,
and why it is there?
IPv4 traffic towards the Internet may be tightly
controlled, but is this the case for IPv6 traffic?
The attacker needs to make outbound
communication. IPv6 could be his best option.
9. Point #4 – Internet connectivity (inbound)
In some networks, a system can be made accessible
from the Internet if you enable IPv6 on it.
It depends on how routing and filtering
is configured.
How does your current IPv6 firewall rule set look?
How do you handle fragments and extension headers?
Sometimes IPv6 is enabled on systems by accident…
or by (vendor’s) default… but without security.
10. Point #5 – Tunneling
There are many different IPv6 tunneling mechanisms,
meant to be used for transitioning from IPv4.
These can be used by an attacker as well.
Could give full inbound and outbound IPv6
connectivity between a compromised system
and any other IPv6 host on the Internet.
Unless you filter all types of IPv6 tunneling
in your firewalls.
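Filtering tunnels starts with recognising them. The classifier below is an added example, not part of the slides: it tags flow records for the common transition mechanisms (protocol 41 for 6in4/6to4/6rd/ISATAP, UDP/3544 for Teredo, and IPv6 addresses that embed an IPv4 endpoint). The flow records, the record layout and the function names are constructed; the addresses come from the RFC 5737 / RFC 3849 documentation ranges.

```python
"""Added example, not from the slides: classify flow records for the common
IPv6 transition mechanisms so that tunnel traffic leaving a supposedly
IPv4-only network can be spotted. All flows are constructed."""
import ipaddress

PROTO_IPV6_ENCAP = 41       # 6in4, 6to4, 6rd and ISATAP: IPv6 inside IP protocol 41
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544      # RFC 4380
SIXTOFOUR = ipaddress.ip_network("2002::/16")   # RFC 3056: 2002:WWXX:YYZZ::/48
TEREDO = ipaddress.ip_network("2001::/32")      # RFC 4380
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # RFC 5214 interface id


def classify_ipv6_address(text):
    """Tags for an IPv6 address that embeds a tunnel endpoint; [] otherwise."""
    addr = ipaddress.ip_address(text)
    tags = []
    if addr.version != 6:
        return tags
    raw = addr.packed
    if addr in SIXTOFOUR:
        tags.append(f"6to4 endpoint {ipaddress.IPv4Address(raw[2:6])}")
    if addr in TEREDO:
        # server IPv4 in bytes 4..7, client IPv4 XOR 0xffffffff in bytes 12..15
        client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
        tags.append(f"Teredo via server {ipaddress.IPv4Address(raw[4:8])}, client {client}")
    if raw[8:12] in ISATAP_IIDS:
        tags.append(f"ISATAP endpoint {ipaddress.IPv4Address(raw[12:16])}")
    return tags


def classify_flow(flow):
    """flow: dict(src, dst, proto, sport, dport). Returns the tunnel indicators found."""
    reasons = []
    if flow["proto"] == PROTO_IPV6_ENCAP:
        reasons.append("IP protocol 41: IPv6 encapsulated in IPv4")
    if flow["proto"] == PROTO_UDP and TEREDO_UDP_PORT in (flow["sport"], flow["dport"]):
        reasons.append("UDP/3544: Teredo")
    for end in ("src", "dst"):
        reasons += [f"{end} {tag}" for tag in classify_ipv6_address(flow[end])]
    return reasons


SAMPLE_FLOWS = [   # constructed flow records
    dict(src="192.0.2.10", dst="198.51.100.1", proto=41, sport=0, dport=0),
    dict(src="192.0.2.11", dst="203.0.113.5", proto=17, sport=54321, dport=3544),
    dict(src="2001:db8::1", dst="2002:c000:204::1", proto=6, sport=40000, dport=443),
    dict(src="2001:db8::1", dst="2001:db8::2", proto=6, sport=40001, dport=443),
    dict(src="fe80::5efe:192.0.2.7", dst="ff02::1", proto=58, sport=0, dport=0),
    dict(src="2001:0:cb00:7105:0:ffff:3f57:fdf5", dst="2001:db8::9", proto=6, sport=1, dport=80),
]


def suspicious_flows(flows=SAMPLE_FLOWS):
    """Every flow that carries at least one tunnel indicator."""
    found = []
    for flow in flows:
        reasons = classify_flow(flow)
        if reasons:
            found.append((flow["src"], flow["dst"], reasons))
    return found


if __name__ == "__main__":
    for src, dst, reasons in suspicious_flows():
        print(f"{src} -> {dst}: {'; '.join(reasons)}")
```

On a network that has decided not to run IPv6, every hit from this classifier is something to block at the border (protocol 41 and UDP/3544 outbound) and to investigate on the host that generated it.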
11. Point #6 – Denial of Service
• RA flooding
Can be used to kill all local Windows machines
• Neighbor Cache Poisoning
replying with attacker’s MAC address
• Duplicate Address Detection DoS
claim that all addresses are taken
• RA spoofing
change default router or change DNS
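RA spoofing (Point #2 and the last bullet here) and RA flooding (the first bullet) are both visible on the wire, so a segment can be watched for them. The monitor below is an added example, not part of the slides: it parses the ICMPv6 Router Advertisement header and Prefix Information options, and flags RAs from a sender that is not one of the known routers, RAs whose source is not link-local, and one sender advertising an unusual number of distinct prefixes. All packets are constructed with build_ra(); the checksum is left as zero, and the MAC addresses, prefixes and threshold are assumptions.

```python
"""Added example, not from the slides: a minimal Router Advertisement (RA)
monitor. Every packet is constructed here with build_ra(); there is no real
capture, and the ICMPv6 checksum is left as zero because the analysis never
needs it."""
import ipaddress
import struct
from collections import defaultdict

ICMPV6_ROUTER_ADVERT = 134          # RFC 4861 message type
OPT_PREFIX_INFO = 3                 # RFC 4861 option type
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def build_ra(prefixes, router_lifetime=1800):
    """Construct the ICMPv6 part of an RA: the 16-byte header (type, code,
    checksum=0, hop limit, flags, lifetimes) followed by one 32-byte Prefix
    Information option per prefix."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    opts = b""
    for p in prefixes:
        net = ipaddress.ip_network(p)
        # type, length (8-byte units), prefix length, L+A flags,
        # valid lifetime, preferred lifetime, reserved, then the prefix
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                            2592000, 604800, 0) + net.network_address.packed
    return hdr + opts


def parse_ra(data):
    """Return (router_lifetime, [prefixes]) for an RA, or None for anything else."""
    if len(data) < 16 or data[0] != ICMPV6_ROUTER_ADVERT or data[1] != 0:
        return None
    router_lifetime = struct.unpack("!H", data[6:8])[0]
    prefixes, off = [], 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1] * 8
        if olen == 0 or off + olen > len(data):
            break                    # malformed option: stop rather than loop
        if otype == OPT_PREFIX_INFO and olen == 32:
            addr = ipaddress.IPv6Address(data[off + 16:off + 32])
            prefixes.append(f"{addr}/{data[off + 2]}")
        off += olen
    return router_lifetime, prefixes


def analyze(events, known_routers, flood_threshold=20):
    """events: (timestamp, src_mac, src_ip, icmpv6_bytes) seen on one segment.
    Flags RAs from senders other than the known routers, RAs whose source is
    not link-local (RFC 4861 requires it), and one sender advertising
    flood_threshold distinct prefixes (the RA flood pattern)."""
    alerts, per_sender, reported_rogue = [], defaultdict(set), set()
    for ts, mac, ip, data in events:
        parsed = parse_ra(data)
        if parsed is None:
            continue
        _lifetime, prefixes = parsed
        if mac not in known_routers and mac not in reported_rogue:
            reported_rogue.add(mac)
            alerts.append(f"{ts}: rogue RA from {mac} ({ip}) advertising "
                          f"{prefixes or 'no prefix'}")
        if ipaddress.ip_address(ip) not in LINK_LOCAL:
            alerts.append(f"{ts}: RA with non-link-local source {ip} from {mac}")
        per_sender[mac].update(prefixes)
        if len(per_sender[mac]) == flood_threshold:
            alerts.append(f"{ts}: RA flood suspected from {mac}: "
                          f"{flood_threshold} distinct prefixes seen")
    return alerts


def sample_events():
    """Constructed traffic: the legitimate router, one rogue RA, one RA with a
    global source address, and a 25-prefix burst from a single rogue sender."""
    ev = [(1, "00:11:22:33:44:55", "fe80::1", build_ra(["2001:db8:1::/64"])),
          (2, "de:ad:be:ef:00:01", "fe80::bad", build_ra(["2001:db8:99::/64"])),
          (3, "de:ad:be:ef:00:02", "2001:db8::5", build_ra([]))]
    ev += [(4 + i, "de:ad:be:ef:00:03", "fe80::f",
            build_ra([f"2001:db8:{0x100 + i:x}::/64"])) for i in range(25)]
    return ev


if __name__ == "__main__":
    for line in analyze(sample_events(), known_routers={"00:11:22:33:44:55"}):
        print(line)
```

On a real segment the events would come from a capture of ICMPv6 type 134 on the monitoring port; the allow list of router MAC addresses is the same information a switch needs for RA Guard, so maintaining it once serves both the detection and the mitigation.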
12. Defense – What to do
1. Decide and know which networks use IPv6, and for what purpose
– disable it everywhere else! Both on the network and on the host
2. Monitor your networks for IPv6 traffic
3. Monitor IPv6 in your logs – e.g., (failed) logins over IPv6!
4. Decide how to do IPv6 network security on each of
your networks – e.g., where to put firewalls, what to filter, etc.
5. Do IPv6 hardening of clients, servers, routers, networks, etc.
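Step 3 in working code, as an added example that is not from the slides: pull the IPv6 logins out of sshd-style auth log lines, count failed logins per IPv6 source, and report successful IPv6 logins from outside the networks that step 1 designated as IPv6 users. The log lines, the expected-network list and the function names are constructed.

```python
"""Added example, not from the slides: surface IPv6 logins in sshd-style auth
logs so that failed (and unexpected successful) logins over IPv6 are not
hidden among IPv4 noise. The log lines are constructed."""
import ipaddress
import re
from collections import Counter

SAMPLE_LOG = """\
Apr 14 10:01:02 host1 sshd[1234]: Failed password for root from 2001:db8:bad::7 port 51234 ssh2
Apr 14 10:01:05 host1 sshd[1235]: Accepted publickey for alice from 192.0.2.20 port 40000 ssh2
Apr 14 10:01:09 host1 sshd[1236]: Failed password for invalid user admin from 2001:db8:bad::7 port 51240 ssh2
Apr 14 10:02:00 host1 sshd[1240]: Accepted password for bob from 2001:db8:1::5 port 50000 ssh2
Apr 14 10:02:30 host1 sshd[1241]: Failed password for bob from 198.51.100.9 port 33333 ssh2
Apr 14 10:02:31 host1 sshd[1241]: Connection closed by 198.51.100.9 port 33333 [preauth]
""".splitlines()

LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<host>\S+) port (?P<port>\d+)")


def parse_logins(lines):
    """Yield (result, user, ip_address_object) for every login attempt line;
    lines that are not login attempts, or whose host does not parse, are skipped."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m["host"])
        except ValueError:
            continue
        yield m["result"], m["user"], addr


def summarize(lines, expected_v6_nets=()):
    """expected_v6_nets: the networks you decided (step 1) may use IPv6.
    Returns failed logins per IPv6 source and successful IPv6 logins from
    outside those networks."""
    nets = [ipaddress.ip_network(n) for n in expected_v6_nets]
    failed_v6, unexpected_ok_v6 = Counter(), []
    for result, user, addr in parse_logins(lines):
        if addr.version != 6:
            continue
        if result == "Failed":
            failed_v6[str(addr)] += 1
        elif not any(addr in n for n in nets):
            unexpected_ok_v6.append((user, str(addr)))
    return {"failed_over_ipv6": dict(failed_v6),
            "accepted_over_ipv6_from_unexpected_net": unexpected_ok_v6}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(summarize(SAMPLE_LOG, expected_v6_nets=["2001:db8:1::/64"]))
```

Without an expected-network list, bob's login from 2001:db8:1::5 is reported; once that /64 is declared an IPv6 network, only the two failures from 2001:db8:bad::7 remain. The same split (IPv6 or not, inside a declared network or not) applies to web server, VPN and mail logs.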
13. Further reading – Marc Heuse
IPv6 Vulnerabilities, Failures - and a Future?
123 slides on IPv6 hacking
http://www.ipv6hacking.info
THC-IPv6 Attack Toolkit
http://www.thc.org/thc-ipv6
“Critical issues are site-local only”
“Security model is from 1995: local = trusted”
14. Further reading – Fernando Gont
Recent Advances in IPv6 Security
HES 2012 Conference (April 14th)
http://2012.hackitoergosum.org
“There's an insanely large amount of work
to be done in the area of IPv6 firewalling”
“Many IPv4 vulnerabilities
have been re-implemented in IPv6”
“Still lots of work to be done in IPv6 security”
15. Conclusions
• IPv6 can be secured – but you must do the work!
• Security is not built-in or turned on by default
• Lots of security issues that you must deal with
• Makes it even more important to monitor logs
and analyze your network traffic
• Large network segments are still a bad idea…
• The attacker can use IPv6 even if you don’t!