Presentation from APRICOT 2018

1. Presentation on
IPV4 VS IPV6
SECURITY AND THREAT COMPARISONS

2. Group Name
• Konda Reddy
• Suman KC
• Farha Diba
• Bikram Shrestha
• Rajwinder kaur

3. IPv6 Address Representation
 128 bits.
 Represented by 8 colon-separated segments.
 Each 16-bit segment written in hexadecimal.
EXAMPLE:
3ffe:3700:1100:0001:d9e6:0b9d:14c6:45ee

4. IPv6 Address Compaction
Leading zeroes in a 16-bit segment can be compacted
Example:
fe80:0210:1100:0006:0030:a4ff:000c:0097
Becomes:
fe80:210:1100:6:30:a4ff:c:97

5. IPv6 Address Compaction
All zeroes in one or more contiguous 16-bit segments can be represented with a
double colon (::)
Example:
ff02:0000:0000:0000:0000:0000:0000:0001
Becomes:
ff02::1
But…

6. IPv6 Address Compaction
Double colons can only be used once
Example:
2001:0000:0000:0013:0000:0000:0b0c:3701
Can be:
2001::13:0:0:b0c:3701
Or:
2001:0:0:13::b0c:3701
But not:
2001::13::b0c:3701

7. IPv6 Address Types
Unicast
 Identifies a single interface
 Packet sent to a unicast address is delivered to the interface identified by that address
Multicast
 Identifies a set of interfaces
 Packet sent to a multicast address is delivered to all interfaces identified by that address
Anycast
 Identifies a set of interfaces
 Packet sent to an anycast address is delivered to the nearest interface identified by that address (as
defined by the routing protocol)
IPv6 has no broadcast addresses
 IPv6 uses "all-nodes" multicast instead
(ff01:0:0:0:0:0:1)

8. Interface ID
 Unique to the link
 Identifies interface on a specific link
 Can be automatically derived
- IEEE addresses use MAC-to-EUI-64 conversion
- Other addresses use other automatic means
 Can be used to form link-local address
 Can be used to form global address with stateless autoconfiguration

9. MAC-to-EUI-64 Conversion
 First three octets of MAC becomes Company-ID
 Last three octets of MAC becomes Node-ID
 0xfffe inserted between Company-ID and Node-ID
 Universal/Local-Bit (U/L-bit) is set to 1 for global scope

10. MAC-to-EUI-64 Conversion Example
 MAC Address: 0000:0b0a:2d51
 In binary:
 00000000 00000000 00001011 00001010 00101101 01010001
 Insert fffe between Company-ID and Node-ID
 00000000 00000000 00001011 11111111 11111110 00001010 00101101 01010001
 Set U/L bit to 1
 00000010 00000000 00001011 11111111 11111110 00001010 00101101 01010001
 Resulting EUI-64 Address: 0200:0bff:fe0a:2d51

11. Using the EUI-64 Interface ID
EUI-64 Address:
200:bff:fe0a:2d51
Link-Local Address:
fe80::200:bff:fe0a:2d51
Global Unicast Address:
3ffe:3700:1100:1:200:bff:fe0a:2d51

12. IPv4 vs. IPv6 Header Formats

13. How IPV6 process start from Host
 When a host joins the network, it sends an ICMPv6 Neighbor Solicitation (NS) packet
to perform Duplicate Address Detection (DAD) for its link-local address.
 After the host determines its link-local address is safe to use, it then sends an ICMPv6
Type 133 Router Solicitation (RS) message to attempt to learn details about the
network from the local router.
 Upon receiving this RS, the router sends out an ICMPv6 type 134 Router
Advertisement (RA) message so that the requesting host, and all others on that LAN
segment, will have information about the LAN and how they should go about
obtaining their global unicast address.
 The router also periodically sends out the RA messages, typically every 200 seconds,
to make sure all the nodes on the LAN have the current information about the local
IPv6 prefix

14. How RA works / disable RA
 The ICMPv6 Router Advertisement (RA) that the router sends to the IPv6 all-nodes link-local
multicast group address (FF02::1) will be received and processed by all the nodes on the
LAN. The RA contains a variety of valuable information within it, in addition to guidance to the
nodes on the LAN about how they will obtain their IPv6 address. The RA contains several bits that
tell the node how it should behave:
 Address Auto configuration Flag (A flag) indicates if stateless auto-configuration (SLAAC) should
be used.
 On-Link Flag (L flag) indicates that the prefix is “on-link” and local to this network.
 Managed Address Configuration Flag (M flag) indicates that the nodes should use DHCPv6 to
determine their interface identifier.
 Other Stateful Configuration Flag (O flag) indicates that other information is available to help the
node (e.g. DNS server information).

15. PATHMTU
 IPv6 defines a standard mechanism called path MTU discovery that a source node can use to
learn the path MTU of a path that a packet is likely to traverse. If any of the packets sent on that
path are too large to be forwarded by a node along the path, that node discards the packet and
returns an ICMPv6 Packet Too Big message. The source node can then adjust the MTU size to be
smaller than that of the node that dropped it and sent the ICMPv6 message, and then retransmit
the packet. A source node might receive Packet Too Big messages repeatedly until its packet
traverses all nodes along the path successfully.
 Initially, the PMTU value for a path is assumed to be the (known) MTU of the first-hop link. When
a Packet Too Big message is received, the node determines which path the message applies to
based on the contents of the Packet Too Big message. For example, if the destination address is
used as the local representation of a path, the destination address from the original packet would
be used to determine which path the message applies to
 NOTE: Routing header determine the location of the destination address within the original
packet.

16. Typical IPv6 Security Issues
Almost identical to IPv4 security issues
• First-hop protocol vulnerabilities
• Denial-of-Service attacks
• User authentication and authorization
• Eavesdropping, session hijacking, DNS spoofing • Routing security
 Dual stack exposures.(If enabled IPV6 but missed to enforce polices/firewall
filters)

17. IPV6 similarities with IPV4
The majority of vulnerabilities on the Internet today are at the application layer, even ipsec
will do nothing to prevent.
Rogue devices will be as easy to insert into an IPv6 network as in IPv4
Without strong mutual authentication, any attacks utilizing MITM will have the same
likelihood in IPv6 as in IPv4
Flooding attacks are identical between IPv4 and IPv6
IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4

18. Reconnaissance
 Default subnets in IPv6 have 2 power 64 addresses ie., 10 Mpps
 Today there is no known ping sweep tool for IPv6. Nmap, which supports ping sweeping in v4,
elected not to support it in IPv6, most likely for some reasons.
 Mostly importantly, public servers needs to be dns reachable.
 scanning-based attacks will effectively fail. This protection exists if the attacker has no direct
access to the specific subnet and therefore is trying to scan it remotely. If an attacker has local
access, then he could use Neighbor Discovery (ND) and ping6 to the link-scope multicast
ff02::1 to detect the IEEE-based address of local neighbors, then apply the global prefix to those
to simplify its search (of course, a locally connected attacker has many scanning options with IPv4
as well).
 By compromising hosts in a network, an attacker can learn new addresses to scan
 Transition techniques (see further) derive IPv6 address from IPv4 address

19. More on reconnaissance
 The first category of attack is reconnaissance, which also is generally the first
attack executed by an adversary. In this attack the adversary attempts to learn as
much as possible about the victim network. This includes both active network
methods such as scanning as well as more passive data mining such as through
search engines or public documents.
 Ping sweeps, port scans, Application and vulnerability scans; Some tools such as
Nmap can perform elements of all these scan types at the same time.

20. FHS: First Hop Security
 RA guard use-case
 IPv6 device tracking
 IPv6 snooping logging
 IPv6 source guard
 IPv6 snooping
 PortACL blocks all ICMPv6 RA from hosts
 Fake DHCPv6 Replies
 Selectively filter ICMP
 Disable RH0
.

21. RA Guard
RA Guard is a feature that allows the operator of a Layer 2 switch to predetermine which
switch ports are actually router facing.
RA guard can also validate the source of the RA, the prefix list, the preference and any
other information carried within it. It can validate the cryptographic credentials when
provided (as defined in Secure Neighbor Discovery specification, i.e. SeND) to provide
nodes that don’t support SeND with a level of security equivalent to those that do
support it.
How it help with rogue DHCP :permit RAs only if they have the M and O bits set, and
enforce that the subsequent DHCP advertised prefix is within the company's range.
Enable logging on the network device for auditing

22. IPv6 snooping
 RA guard / DHCP guard
 IPv6 address gleaning
 IPv6 ND inspection
IPv6 snooping included the guard functions, if you enable IPv6 snooping, you do not need to explicitly configure RA guard / DHCP guard
on the same port.
 IPv6 address gleaning
 Address gleaning learns the IPv6 addresses of devices connected to that link and is a prerequisite for more advanced FHS features
like Source-Guard. The learning is done by examining information in the ND and DHCPv6 packets, (in particular the addresses carried
in them). However, by default the DHCPv6 server messages are dropped - so in order to glean from DHCPv6 messages the guard
policy must be applied on the port connecting the valid DHCPv6 server, that allows the DHCPv6 messages.
 The FHS code learns the addresses and installs them into the binding table. Each entry contains the source the address was learned
from, the address itself, the MAC address, interface, vlan, priority level, age, state and time left.
 IPv6 ND inspection
 ND inspection verifies the sanity of the ND messages that pass through the device. It can also enforce limits on the number of the
addresses per port. This feature enforces the ND process by ensuring that all parties are stepping through all the correct steps in the
ND process. The ND inspection process builds the neighbor binding table.

23. Fake RA Messages
 • Traffic interception
• DNS IPv6 address injection (DNS interception)
• Denial-of-service attack(bogusprefixes)

24. Fake DHCPv6 Replies
 Intruder responds to DHCPv6 requests
• DNS IPv6 addressinjection
• Denial-of-service attack
Solution should be enabling :DHCPv6 guard

25. Fake Neighbor Advertisement Messages
Intruder responds to ICMPv6 Neighbor Solicitation requests • Trafficinterception
• Denial-of-serviceattack
 Enable DHCPv6 snooping, ND inspection, SEND

26. ARP spoofing (V4) = NDP spoofing(V6)
Dynamic ARP inspection for IPv6 is available
Secure Neighbor Discovery (Cryptographic NDP); IPv6 addresses whose interface
identifiers are cryptographically generated.
Prevent replay attacks by timestamp and nonce options.
IPV6 supports all the features Dot1x,private Vlan ,port security

27. Attacks(Continuation)
 Remote Neighbor Discovery Attacks
 How to prevent: Tight ingress ACLs(check the forwarding path order-of-
operation)
 Control-plane policing(CoPP)
 ND cache limits (globally and per-box)
 Prefixes longer than /64 (extreme measure, use with care)

28. DAD Attacks
 Effectively disables SLAAC
 Might interfere with DHCPv6-based address assignment.
 IPv6 Extension Headers
All networking gear should drop packets with RH0 by default
• Firewalls and ACLs should be able to filter on extension headers Firewalls should
limit the number of extension headers
• Firewalls/ACLs should be able to drop fragmented headers

29. More on RH0
 The IPv6 Type 0 Routing header is similar in function to the Loose Source and
Record Route IP options. The IPv6 Routing header is identified by a Next Header
(NH) value of 43 in the immediately preceding header.
 Attackers can maliciously use IPv6 Type 0 Routing headers to bypass packet filters
(IPv6 access-list policies) or anycast addressing and routing. These headers can
also be used to perform reflected denial of service (DoS) attacks, spoofing,
double spoofing, and amplification attacks (ping-pong attacks that can cause link
saturation and potential performance issues through added CPU processing).

30. Routing Security with IPv6
 Challenges and solutions almost identical to IPv4:
• Don’t run routing protocols on customer-facing interfaces
• Use IPsec with OSPFv3
• Use MD5 authentication with other routing protocols
 best practices:
 • Network Ingress Filtering (BCP38) for IPv4 and IPv6
• TTL security (BGP)
• Route filters in distance- and path vector protocols

31. Challenge in implementing V6 in DMZ’s
 Normally, servers connected to a network device on single NIC or
bond(ACTIVE/STANDBY,ACTIVE/ACTIVE)
 Switch connected port might be a access vlan or trunk vlan.
 If it is access port , then Tag host interface with new external vlan for V6 communication.
TASKS:
1. Configure external vlan on firewall
2. Need to tag new vlan to respective switch and change host port config to trunk
3. configure servers port as trunk and test connectivity.
Advantages:
 No physical movement of host
 Logical configuration
 Sysops and Network need to work together to test connectivity
 Unblock IPv6 implementation to faster rollout