IPv6 Security Challenges: TechNet Augusta 2015

IPv6 Security Implications
Eric Oosting
VP, Core Routing Practice
eoosting@netuf.net +1-404-941-6678
1Network Utility Force LLC, 15 Wieuca Trace Northeast, Atlanta, Georgia, 30342 -- +1-404-635-6667 -- sales@netuf.net © 2012,
Network Utility Force LLC Companyconfidential information, transmittal to third parties by prior permission only

IPv4 and IPv6: Brief History
• Internet Protocol version 4
– 1978: Developed for ARPANET
– 4 billion addresses
– Allocation based on documented need
– Deployed globally and well entrenched
• Internet Protocol version 6
– IETF forecasts IPv4 depletion between 2010 and 2017
– 1996: IPv6 design begins
– 340 undecillion addresses
– 1999: Completed, tested, and available
⎻ Management and use similar to IPv4
⎻ Today: IPv4 address pool is already depleted for
many RIRs as of 2014.
Network Utility Force LLC, 15 Wieuca Trace Northeast, Atlanta, Georgia, 30342 -- +1-404-635-6667 -- sales@netuf.net © 2012,

The Case for IPv6
Limitations of IPv4
• IPv4 address space
exhaustion
• Exponential Internet
growth
• Requirement for
security at the IP level
• Need for simpler
configuration
• Support for real-time
delivery of data
Exponential Internet Growth
• Internet Users or PC
• Emerging
population/geopolitical
and Address space
• PDA, Tablet, Notepad,…
• Mobile phones
• Transportation
• Planes, cars
• Consumer devices
• Billions of Home and
Industrial Appliances

Interim Solutions...
• Drop address classes A, B,
and C
• Assign addresses in power-
of-two chunks
• Assign several Class C
addresses instead of one
Class B address
• Assign providers large
contiguous address block to
be used for customers
• Advertise chunks instead of
individual address
assignments
Conservation Efforts
• PPP / DHCP address
sharing
• CIDR (classless inter-
domain routing)
• NAT (network address
translation)
• Address reclamation

Deployment Benefits
• Chance to eliminate some complexity in IP header
• Improve per-hop processing
• Chance to upgrade functionality
– Multicast, QoS, mobility
• Chance to include new features
• Binding updates

IPv6 Features
• Larger address space
• Simplified header format
• Stateless and stateful address configuration
• QoS:
– Hierarchical architecture for prioritized delivery
– Integrated services (int-serv), Differentiated
Services (DiffServ)
• Required IPSec header support
• Multicast interaction
• Support for mobility
• Extensibility

IPv4 vs IPv6
Length in Bits 32 128
Amount of Addresses 232
4,294,967,296
2128
340,282,366,920,939,463,374,607,43
1,768,211,456
Address Format Dotted Decimal
192.168.100.1
Hexadecimal
Dynamic Addressing DHCP SLAAC/DHCPv6
IPSec Optional Mandatory
Header Length Variable Fixed
Minimal Packet Size 576 bytes
(fragmented)
1280 bytes
Header Checksum Yes No
Header Options Yes No (extensions)
Flow No Packet Flow Label

Packet Structure
IPv6 Format and Header
IPv6
Header
Upper layer
Protocol Data Unit
Payload
IPv6 Packet
Extension
Headers

Chain of Pointers from Next Header
IPv6 Header
Next Header = 6
(TCP)
TCP Segment
IPv6 Header
Next Header = 43
(Routing)
TCP SegmentRouting Header
Next Header = 6
(TCP)
Authentication Header
Next Header = 6 (TCP)
IPv6 Header
Next Header = 43
(Routing)
Routing Header
Next Header = 51
(AH)
TCP Segment

IPv6 Fragmentation
Broken into two pieces:
• Unfragmentable Part
– Includes main header of original datagram + any
extension headers that need to be present in each
fragment. Must be present in each fragment
• Hop-By-Hop Options, Destination Options (for options
processed by devices along route) and Routing
• Fragmentable Part
– Data portion of the datagram + other extension headers
if present
• Authentication Header, Encapsulating Security Payload
and/or Destination Options (for options processed
only by final destination)
– Split up among fragments

IPv6 Fragmentation
Unfragmentable
part
Fragmentable part
First fragment
Fragment
Hdr
Unfragmentable
part
Second fragment
Fragment
Hdr
Unfragmentable
part
Third
fragment
Fragment
Hdr
Original IPv6 Packet

Interface ID
• Two Parts:
– 64-bit network prefix
used for routing
– 64-bit interface identifier
used to identify a host’s
network interface
• 64 bits long
– Derived from EUI-64
addresses
• Combined with a network
prefix, (routing prefix and
subnet ID), to determine a
corresponding IPv6 address
for the device
• Unique within subnet prefix
• Lowest-order 64-bit field of
unicast address
– Assignment:
• Auto-configured from a 64-
bit EUI-64
• Expanded from a 48-bit
MAC address (e.g.,Ethernet
address)
• Auto-generated pseudo-
random number (privacy
concerns)
• Assigned via DHCP
• Manually configured

00 22 b0 75 b5 99
00 22 b0 75 b5 99
FF FE
00 22 b0 75 b5 99FF FE
0000 00X0 X=1, X is universal bit
02 22 b0 75 b5 99FF FE
IEEE 802 48-
bit MAC
IEEE 802 64-
bit MAC
IEEE EUI-64
Converting MAC to EUI-64
• Split MAC address
– First three octets of MAC: Company-ID
– Last three octets of MAC: Node-ID
• 0xfffe inserted between Company-ID and Node-ID
• Universal/Local-Bit (U/L-bit) is set to 1 for
global scope

ICMPv6
• Updated version of the Internet Control Message
Protocol (ICMP) for IPv6
• Reports delivery or forwarding errors and a simple
echo service for troubleshooting
• Provides a framework for:
– Multicast Listener Discovery (MLD)
– Neighbor Discovery (ND)
– Mobile IPv6

Functions
• Router discovery
• Prefix discovery
• Autoconfiguration of address & other parameters
• Duplicate address detection (DAD)
• Neighbor unreachability detection (NUD)
• Link-layer address resolution
• First-hop redirect

Neighbor Discovery (NDP)
• Messages and processes that determine relationships between
neighboring nodes
ND for Routers:
• Advertise their presence, host
config parameters, routes and
on-link preferences
• Inform hosts of best next-hop
address for destination
ND for Hosts:
• Address autoconfig of nodes
• Find routers and DNS server
ND for Nodes:
• Discover other nodes on link
and determine their link-layer
addresses
• Determine if neighboring
node’s link-layer address
changes and if still reachable
16

Router Solicitation (RS)
• RS Message sent by hosts at system startup and in
response to router solicitation messages
– Immediately autoconfigure without needing to wait for
next scheduled RA message
– Host does not have a configured unicast address
– Source address in router solicitation messages is usually
unspecified IPv6 address (0:0:0:0:0:0:0:0)

Router Advertisement (RA)
• Periodically sent out each configured interface of an
IPv6 router
• Used to announce network configuration information to
local hosts
• Advertised prefix length in RA messages must always
be 64 bits for autoconfiguration
• The RA messages are sent to the all-nodes multicast
address

Router Discovery: Process
1. IPv6 routers periodically send a Router Advertisement
message on the local link advertising their existence as
routers.
● Also provide configuration parameters such as default hop limit,
MTU, and prefixes
2. Active IPv6 hosts on local link receive the RA messages
● Use contents to maintain the default router list, the prefix list,
and other configuration parameters
3. Starting up Host sends a Router Solicitation message
4. Receipt of RA message, all routers on the local link send
unicast RA message to node that sent the Router Solicitation
5. Node receives RA messages
● Use contents to build default router and prefix lists, set other
configuration parameters

Autoconfiguration Overview
• IPv6 interfaces can configure
themselves
– Even without a stateful
configuration protocol
(DHCPv6)
– Link-local address for
each interface by default
• Host uses router discovery to
determine:
– Additional addresses
– Router addresses
– Other configuration
parameters
• DHCP is available
• Hosts use RA to construct
address
– Subnet prefix(es): learned
from periodic multicast
advertisement from
neighboring router(s)
– Interface IDs: generated
locally
– MAC addresses: pseudo-
random temporary
• Other IP-layer parameters also
learned from router adverts
(router addresses,
recommended hop limit,
etc…)
• Higher-layer info discovered
by multicast/ anycast-based
service-location protocol

Types of Autoconfiguration
1. Stateless (SLAAC)
– Receipt of Router Advertisement messages with one or more
Prefix Information options
2. Stateful
– Use of a stateful address configuration protocol such as DHCPv6
3. Both
– Receipt of Router Advertisement messages and stateful
configuration protocol
For all types, a link-local address is always configured

Neighbor Solicitation (NS) Message
• Determine link-layer address of another node
– Source address in an NS message is the IPv6 address of the
node sending the neighbor solicitation message
• Destination (Target) address in NS message
– Solicited-node multicast address corresponding to the IPv6
address of the destination node
• Includes the link-layer address of the source node
• Used to verify reachability of a neighbor after the
link-layer address of a neighbor is identified
• To verify the reachability of a neighbor, destination
address in an NS message is the neighbor’s unicast
address.

Neighbor Advertisement (NA) Message
• Informs mapping of an IPv6 address to a link-layer address
• Destination node replies to neighbor solicitation message
on the local link
• Source and destination addresses are in the NA message
– Source: IPv6 address of the node interface sending the
neighbor advertisement message
– Destination (Target): IPv6 address of the node that sent the
neighbor solicitation message.
• Data portion of NA message includes link-layer address of
the node sending the neighbor advertisement message
• NA messages are also sent in response to change
in the link-layer address of node on local link

Address Resolution
• An exchange of Neighbor Solicitation and Neighbor
Advertisement messages to resolve the link-layer
address of the next-hop address
– Multicast Neighbor Solicitation message
– Unicast Neighbor Advertisement message
• Both hosts update their neighbor caches
• Unicast traffic can now be sent

Redirect Message
• Router informs Inform hosts of better first hop for a
destination
• Router must be able to determine link-local address for
each neighboring router
– Ensure the target address in a redirect message identifies
the neighbor router by its link-local address

Neighbor Function Equivalents
IPv4 Neighbor Function IPv6 Neighbor Function
ARP Request message Neighbor Solicitation message
ARP Reply message Neighbor Advertisement
message
ARP cache Neighbor cache
Gratuitous ARP Duplicate Address Detection
(DAD)
Router Solicitation message
(optional)
Router Solicitation (required)
Router Advertisement message
(optional)
Router Advertisement
(required)
Redirect message Redirect message

Neighbor Reachabilty
• Host A acquires the link-layer address of neighbor
Host B
• Host A can use NS and NA messages to check
whether Host B is reachable
1. Host A sends an NS message whose destination address
is the IPv6 address of Host B
2. If Host A receives an NA message from Host B, Host A
decides that Host B is reachable Otherwise, Host B is
unreachable

DHCPv6
• DHCPv6 infrastructure
– Clients, servers, relay agents
• Key Differences from IPv4
– On-Link flag in the Prefix Information option
• Directly attached subnet route for a DHCPv6-assigned IPv6
address not configured by IPv6 hosts automatically
– Default route configured from RA
• No default route assignment in DHCPv6
Provides stateful or stateless address configuration
settings for IPv6 hosts

DHCPv6 Communication
• User Datagram Protocol (UDP) messages
– DHCPv6 clients listen on UDP port 546
– DHCPv6 servers and relay agents listen on UDP port 547
• Multicast addresses
– DHCPv6 servers and relay agents listen on ff02::1:2
– DHCPv6 client sends messages to ff02::1:2
• Relay agent forwards multicasts as unicasts to configured
DHCPv6 servers

DUID
• Clients use the DHCP Unique Identifier (DUID) to
get an IP address from a DHCPv6 server
• 2 byte type field + type specific variable length data
– Minimum length of 12 bytes (96 bits) and a maximum
length of 20 bytes (160 bits).
– Server compares DUID with its database and delivers
configuration data (address, lease times, DNS servers,
etc…) to the client
• Must be globally unique but easy to generate
• Three types:
– LL: Link-layer address
– LLT:Link-layer address + time
– EN: Vendor-assigned unique ID based on
Enterprise number
Network Utility Force LLC Companyconfidential information, transmittal to third parties by prior permission only 30

DUID Types
0 32 bits 31
15 16
Hardware Type
Link Layer Address
DUID Type: 1
Time
DUID LLT
Identifier
Enterprise Number
0
32 bits
DUID Type: 2
31
15 16
Enterprise Number (cont’d)
DUID EN
0
32 bits
31
15 16
Link Layer Address
Hardware TypeDUID Type: 3
0
0
DUID LL

Attribution
32
The following slides are courtesy of Chris
Grundemann - Internet Society
CO ISOC Founder
NANOG-BCOP Chair
IPv6 Author (Juniper Day One Books)
IETF Contributor
More: http://chrisgrundemann.com
9/3/2015 Chris Grundemann

This section…
33
• Aims to debunk the most common IPv6 security myths
• Is NOT a comprehensive look at IPv6 security practices
• Should scare you a little
• Should NOT discourage IPv6 Deployment
– The more you know…

SOME MYTHS…
Let’s get to busting

MYTH:
I’M NOT RUNNING IPV6, I DON’T
HAVE TO WORRY

Reality:
Your Applications are Using IPv6
Already
36
MYTH:
HAVE TO WORRY
• Linux, Mac OS X, BSD, and Microsoft Vista/Windows 7
systems all come with IPv6 capability, some even have
IPv6 enabled by default (IPv6 preferred)
• They may try to use IPv6 first and then fall-back to IPv4
• If you are not protecting your IPv6 nodes then you have just
allowed a huge back-door to exist!

Reality:
Your Users are Using IPv6 Already
37
MYTH:
HAVE TO WORRY
IPv4
IPv4 Firewall

Reality:
Your Users are Using IPv6 Already
6to4 / Toredo
38
MYTH:
HAVE TO WORRY
IPv4 Firewall
IPv6 IPv6

MYTH:
IPv6 Has Security Designed In

MYTH:
40
• IPsec exists for IPv4
• IPsec mandates in IPv6 are no guarantee of security
– Also are no longer in place
REALITY:
IPSEC IS NOT NEW

MYTH:
41
REALITY:
IPV6 WAS DESIGNED 15-20 YEARS AGO

Reality:
Extension Headers
42http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd
8054d37d.html

MYTH:
43
• Routing Header Type 0 (RH0) – Source Routing
– Deprecated in RFC 5095:
The functionality provided by IPv6's Type 0 Routing Header can be
exploited in order to achieve traffic amplification over a remote path
for the purposes of generating denial-of-service traffic.
REALITY:

MYTH:
44
• Hop-by-Hop Options Header
– Vulnerable to low bandwidth DOS attacks
– Threat detailed in draft-krishnan-ipv6-hopbyhop
REALITY:

MYTH:
45
• Extension Headers are vulnerable in general
– Large extension headers
– Lots of extension headers
– Invalid extension headers
REALITY:

MYTH:
46
• Rogue Router Advertisements (RAs)
– Can renumber hosts
– Can launch a Man In The Middle attack
– Problem documented in RFC 6104
In this document, we summarise the scenarios in which rogue RAs may
be observed and present a list of possible solutions to the problem.
REALITY:

MYTH:
47
• Forged Neighbor Discovery messages
• ICMP Redirects – just like IPv4 redirects
• See RFC 6583 - Operational Neighbor Discovery Problems
REALITY:

MYTH:
48
• Buffer overflows
• SQL Injection
• Cross-site scripting
• E-mail/SPAM (open relays)
REALITY:
MANY ATTACKS ARE ABOVE OR BELOW IP

Myth:
NO IPv6 NAT Means Less Security

Myth:
NO IPv6 NAT Means Less Security
50
REALITY:
STATEFUL FIREWALLS PROVIDE SECURITY
• NAT can actually reduce security

Myth:
IPv6 Networks are too Big to Scan

Myth:
52
• SLAAC - EUI-64 addresses (well known OUIs)
– Tracking!
• DHCPv6 sequential addressing (scan low numbers)
• 6to4, ISATAP, Teredo (well known addresses)
• Manual configured addresses (scan low numbers, vanity
addresses)
• Exploiting a local node
– ff02::1 - all nodes on the local network segment
– IPv6 Node Information Queries (RFC 4620)
– Neighbor discovery
• Leveraging IPv4 (Metasploit Framework “ipv6_neighbor”)
• IPv6 addresses leaked out by application-layer protocols (email)
REALITY:

Myth:
53
• Privacy addresses use MD5 hash on EUI-64 and random number
• Often temporary – rotate addresses
– Frequency varies
– Often paired with dynamic DNS (firewall state updates?)
• Makes filtering, troubleshooting, and forensics difficult
• Alternative: Randomized DHCPv6
– Host: Randomized IIDs
– Server: Short leases, randomized assignments
REALITY:
PRIVACY ADDRESSES (RFC 4941)

Myth:
IPv6 is too New to be Attacked

Myth:
55
• THC IPv6 Attack Toolkit
• SI6 IPv6 Toolkit
• IPv6 port scan tools
• IPv6 packet forgery tools
• IPv6 DoS tools
REALITY:
TOOLS ARE ALREADY AVAILABLE

Myth:
56
• Vendors
• Open source software
REALITY:
BUGS AND VULNERABILITIES PUBLISHED

Myth:
57
REALITY:
SEARCH FOR “SECURITYFOCUS.COM INURL:BID IPV6”

Myth:
96 more bits, no magic (It’s just like
IPv4)

Myth:
IPv4)
59
REALITY:
IPV6 ADDRESS FORMAT IS DRASTICALLY NEW
• 128 bits vs. 32 bits
• Hex vs. Decimal
• Colon vs. Period
• Multiple possible formats (zero suppression, zero
compression)
• Logging, grep, filters, etc.

Myth:
IPv4)
60
REALITY:
MULTIPLE ADDRESSES ON EACH HOST
• Same host appears in logs with different addresses

Myth:
IPv4)
61
REALITY:
SYNTAX CHANGES
• Training!

Myth:
Configure IPv6 Filters Same AS IPv4

Myth:
Configure IPv6 Filters Same As IPv4
63
REALITY:
DHCPV6 && ND INTRODUCE NUANCE
• Neighbor Discovery uses ICMP
• DHCPv6 message exchange:
• Solicit: [your link local]:546 -> [ff02::1:2]:547
• Advertise: [upstream link local]:547 -> [your link
local]:546
• and two more packets, both between your link locals.

Reality: Example Firewall Filter (mikrotik)
64
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Not just ping - ND runs over icmp6.
chain=input action=accept protocol=icmpv6 in-interface=ether1-gateway
1 chain=input action=accept connection-state=established in-interface=ether1-
gateway
2 ;;; related means stuff like FTP-DATA
chain=input action=accept connection-state=related in-interface=ether1-
gateway
3 ;;; for DHCP6 advertisement (second packet, first server response)
chain=input action=accept protocol=udp src-address=fe80::/16 dst-
address=fe80::/16
in-interface=ether1-gateway dst-port=546
4 ;;; ssh to this box for management (note non standard port)
chain=input action=accept protocol=tcp dst-address=[myaddr]/128 dst-
port=2222
5 chain=input action=drop in-interface=ether1-gateway

Myth:
It supports IPv6

Myth:
It supports IPv6
66
REALITY:
IT PROBABLY DOESN’T
• Hardware, Software, Services, Applications (VM, Crypto, etc.)
• Detailed requirements (RFP)
• RIPE-554
• Lab testing
• Independent/outside verification

Myth:
There are no IPv6 Security BCPs yet

Myth:
There are no IPv6 Security BCPs yet
68
• Perform IPv6 filtering at the perimeter
• Use RFC2827 filtering and Unicast RPF checks throughout the network
• Use manual tunnels (with IPsec whenever possible) instead of dynamic
tunnels and deny packets for transition techniques not used
• Use common access-network security measures (NAC/802.1X, disable
unused switch ports, Ethernet port security, MACSec/TrustSec) because
SeND won’t be available any time soon
• Strive to achieve equal protections for IPv6 as with IPv4
• Continue to let vendors know what you expect in terms of IPv6 security
features
REALITY:
THERE ARE!

Myth:
There are no IPv6 Security Resources

Myth:
There are no IPv6 Security Resources
70
• IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, 2009
• CPNI Viewpoint: Security Implications of IPv6
• Operational Security Considerations for IPv6 Networks
• IPv6 Hackers is a forum for IPv6 security researchers and networking
pros
• Deploy360 has a section specifically on IPv6 Security
• Search engines are your friends! There’s lots more info out there!
REALITY:
THERE ARE!

The Reality of Dual-Stack
71
• Two sets of filters
• Two sets of bugs
IPv6IPv4

Thank you!
72
@ChrisGrundemann
http://chrisgrundemann.com
http://www.internetsociety.org/deploy3
60/
Gratitude and Credit:
• Scott Hogg – My IPv6 Security Guru
• Fernando Gont – For review
• Rob Seastrom – For the Mikrotik
example
• The Internet – Lots of searching
• You – Thanks for listening!

Brandon Ross
bross@netuf.net
404-635-6667

IPv6 Security Challenges: TechNet Augusta 2015

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (20)

Semelhante a IPv6 Security Challenges: TechNet Augusta 2015

Semelhante a IPv6 Security Challenges: TechNet Augusta 2015 (20)

Mais de AFCEA International

Mais de AFCEA International (20)

Último

Último (20)

IPv6 Security Challenges: TechNet Augusta 2015