0
IPv6 Security
Scott Hogg
Global Technology Resources, Inc.
Director of Technology Solutions
CCIE #5133, CISSP #4610
IPv6 Security – Latent Threat
• Even if you haven’t started using IPv6 yet, you probably have
some IPv6 running on your ne...
IPv6 Security Tools
• THC IPv6 Attack Toolkit
• SI6 Networks IPv6 Toolkit
• Evil FOCA
• Metasploit
• Nmap
• halfscan6, Sca...
Reconnaissance
• Ping sweeps, port scans, application vulnerability scans are
problematic given the large IPv6 address spa...
LAN Threats
• IPv6 uses ICMPv6 for many LAN operations
• Stateless auto-configuration (SLAAC)
• Neighbor Discovery Protoco...
IPv6 MITM Example
• Evil FOCA is a weaponized Win .EXE that can
perform dual-protocol MITM and DOS attacks and
DNS Hijacki...
Evil FOCA IPv6 MITM Attack
Evil FOCA IPv6 RA DOS
C:UsersMe>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-speci...
THC IPv6 Attack Toolkit
• THC IPv6 Attack Toolkit contains fake_router6
• Generates rogue RA to become default router
• Op...
Methods of Preventing Rogue RAs
• Prevent unauthorized LAN access (armed guards, malware defenses)
• Disable unused switch...
IPv6 First Hop Security
• Cisco C3750X switch running IOS version 15.2(1)S
ipv6 nd cache interface-limit 3 log 15
ipv6 nd ...
IPv6 First Hop Security (Cont.)
• Cisco C3750X switch running IOS version 15.2(1)S
interface GigabitEthernet2/0/1
switchpo...
IPv6 First Hop Security Results
• Switch successfully blocked RAs and rogue DHCPv6
Mar 30 06:37:31.743: %SISF-4-PAK_DROP: ...
IPv6 First Hop Security Results
• Switch successfully blocked RAs and rogue DHCPv6
Switch-1# show ipv6 snoop counter inter...
IPv6 First Hop Security Results
• Switch successfully blocked RAs and rogue DHCPv6
Switch-1# show ipv6 snoop counter inter...
IPv6 FHS with IPv6 ACL
• If you don’t have RA Guard on your switch you might be
able to configure a Cisco IPv6 Port-based ...
Extension Headers
• There are rules for the frequency and order of various
extension headers
• Hop-by-Hop and Destination ...
Layer-3/4 Spoofing
• Spoofing of IPv6 packets is easy
• IPv6 BOGON (Martians) Filtering is required
• Filter traffic from ...
Transition Mechanism Threats
• Dual Stack is the preferred transition method.
• You are only as strong as the weakest of t...
Threats Against Translation
• Manual Tunnels
• Preferred over dynamic tunnels
• Filter tunnel source/destination and use I...
IPv6 Firewalls
• Don’t just use your IPv4 policy for your IPv6 policy.
• Don’t blindly allow IPsec or IPv4 Protocol 41 (6i...
IPv6 Intrusion Prevention
• Few signatures exist for IPv6 packets or you have to build
your own using cryptic regular expr...
Summary of BCPs
• Perform IPv6 filtering at the perimeter (RFC2827 filtering
and Unicast RPF checks).
• Use manual tunnels...
RTFM – Read This Fine Manuscript
• IPv6 Security, By Scott Hogg and Eric Vyncke,
Cisco Press, 2009.
ISBN-10: 1-58705-594-5...
Questions and Answers
• Scott Hogg
• shogg@gtri.com
• www.hoggnet.com
• Twitter: @scotthogg
• Network World Blog
• http://...
IPv6 Security - Hacker Halted 2013
Upcoming SlideShare
Loading in...5
×

IPv6 Security - Hacker Halted 2013

1,046

Published on

GTRI's Scott Hogg discusses IPv6 security threats and solutions at the Hacker Halted 2013 conference held in Atlanta.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,046
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
39
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "IPv6 Security - Hacker Halted 2013"

  1. 1. IPv6 Security Scott Hogg Global Technology Resources, Inc. Director of Technology Solutions CCIE #5133, CISSP #4610
  2. 2. IPv6 Security – Latent Threat • Even if you haven’t started using IPv6 yet, you probably have some IPv6 running on your networks already and didn’t know it. • Do you use Linux, Mac OS X, BSD, or Microsoft Windows 7/8/Win2K8/Win2012 systems in your environment? • They all come with IPv6 capability enabled by default and prefer IPv6 connectivity • They may try to use IPv6 first and then fall-back to IPv4 (+|- Happy Eyeballs, RFC 6555) • Or they may create IPv6-in-IPv4 tunnels to Internet resources to reach IPv6 content • Some of these techniques take place regardless of user input or configuration • If you are not protecting your IPv6 nodes then you have just allowed a huge back-door to exist
  3. 3. IPv6 Security Tools • THC IPv6 Attack Toolkit • SI6 Networks IPv6 Toolkit • Evil FOCA • Metasploit • Nmap • halfscan6, Scan6, CHScanner • Scapy, SendIP, ISIC6, Packit, Spak6 • 6tunneldos, 4to6ddos, imps6-tools
  4. 4. Reconnaissance • Ping sweeps, port scans, application vulnerability scans are problematic given the large IPv6 address space. • Brute-force scanning even a single /64 is not practical. • There are methods of speeding up reconnaissance on LAN. • ping6 -I eth0 ff02::1 • [root@hat ~]# ./alive6 eth0 ff02::1 • Node Information Queries (RFC 4620) in BSD • Scanning for specific EUI-64 addresses using specific OUIs • Scanning IPv4 and getting IPv6 info • Metasploit Framework “ipv6_neighbor" auxiliary module can leverage IPv4 to find IPv6 hosts • Scanning 6to4, ISATAP, Teredo with embedded IPv4 addresses • Find one node and leverage the neighbor cache to find other nodes • DHCPv6 logs, DNS servers, server logs, NMSs, Google Hacking
  5. 5. LAN Threats • IPv6 uses ICMPv6 for many LAN operations • Stateless auto-configuration (SLAAC) • Neighbor Discovery Protocol (NDP) • IPv6 equivalent of IPv4 ARP – same attack types • Spoofed RAs can renumber hosts or launch a MITM attack • Forged NA/NS messages to confuse NDP • Redirects – same as ICMPv4 redirects • Forcing nodes to believe all addresses are on-link • These attacks presume the attacker is on-net or has compromised a local computer (Big Requirement!)
  6. 6. IPv6 MITM Example • Evil FOCA is a weaponized Win .EXE that can perform dual-protocol MITM and DOS attacks and DNS Hijacking (Released at DEFCON21) • Sends ICMPv6 RA on LAN (SLAAC) • Activates IPv6 on local dual-protocol nodes • Evil FOCA becomes active default gateway • Sends ICMPv6 NA to spoof local nodes • Sets up rogue DHCPv6 server • Performs WPAD attack and sets up proxy • Performs DNS Hijack • Can perform RA flood resulting in DOS Internet Download at: http://www.informatica64.com/evilfoca/download.aspx Demo on YouTube: http://www.youtube.com/watch?v=syLoQ4CNfSc
  7. 7. Evil FOCA IPv6 MITM Attack
  8. 8. Evil FOCA IPv6 RA DOS C:UsersMe>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : 15c2:8297:e614:f45:bc4a:58b9:e948:33c6 . . . (100 of these in Windows 7) IPv6 Address. . . . . . . . . . . : fcae:a581:9bcb:e6bc:bc4a:58b9:e948:33c6 Temporary IPv6 Address. . . . . . : 15c2:8297:e614:f1f:1ce1:d49d:2ec8:e924 . . . (100 of these in Windows 7) Temporary IPv6 Address. . . . . . : fcae:a581:9bcb:e6bc:1ce1:d49d:2ec8:e924 Link-local IPv6 Address . . . . . : fe80::bc4a:58b9:e948:33c6%10 IPv4 Address. . . . . . . . . . . : 192.168.11.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : fe80::7888:860e:5352:5fec%10 fe80::8d99:1bc3:6f7a:5cf9%10 . . . fe80::a0cf:f7ad:821b:3343%10 192.168.11.1 C:UsersMe>
  9. 9. THC IPv6 Attack Toolkit • THC IPv6 Attack Toolkit contains fake_router6 • Generates rogue RA to become default router • Option –H adds a hop-by-hop header • fake_router6 –H eth0 2001:db8:11:11::/64 • Option –F adds a one-shot-fragmentation header • fake_router6 –F eth0 2001:db8:11:11::/64 • Flood_router26 floods RAs to create DOS • flood_router26 eth0 • fake_router26 -E H -A 2001:db8:1:1::/64 eth0 • fake_router26 -E 1 -A 2001:db8:1:1::/64 eth0 Download at: http://thc.org/download.php?t=r&f=thc-ipv6-2.3.tar.gz
  10. 10. Methods of Preventing Rogue RAs • Prevent unauthorized LAN access (armed guards, malware defenses) • Disable unused switch ports • Network Access Control (NAC), Network Admission Control (NAC) • IEEE 802.1AE (MACsec), Cisco TrustSec • IEEE 802.1X • RA Guard (RFC 6105) • NDPMon • Ramond • Kame rafixd • ipv6mon • 6Guard • addrwatch • Port Security • Cisco Port-based ACL (PACL) Allow Incoming RA Message Block Incoming RA Message Allow Sending RAs
  11. 11. IPv6 First Hop Security • Cisco C3750X switch running IOS version 15.2(1)S ipv6 nd cache interface-limit 3 log 15 ipv6 nd raguard policy HOST ! ipv6 snooping logging packet drop ipv6 snooping logging resolution-veto ipv6 snooping policy ND limit address-count 10 data-glean log-only destination-glean log-only ! ipv6 dhcp guard policy HOST ipv6 destination-guard policy destination ipv6 mld snooping
  12. 12. IPv6 First Hop Security (Cont.) • Cisco C3750X switch running IOS version 15.2(1)S interface GigabitEthernet2/0/1 switchport access vlan 1200 switchport mode access ipv6 nd raguard attach-policy HOST ipv6 dhcp guard attach-policy HOST ! interface Vlan1200 ip address 192.168.12.100 255.255.255.0 ipv6 enable ipv6 nd cache interface-limit 3 log 15 ! ipv6 neighbor binding logging ipv6 neighbor binding max-entries 100 ipv6 neighbor binding vlan 1200 2001:DB8:12::/64
  13. 13. IPv6 First Hop Security Results • Switch successfully blocked RAs and rogue DHCPv6 Mar 30 06:37:31.743: %SISF-4-PAK_DROP: Message dropped A=FE80::AC7F:B2F8:DCB8:F739 G=- V=1200 I=Gi2/0/2 P=NDP::RA Reason=Packet not authorized on port Mar 30 06:38:06.572: %SISF-4-PAK_DROP: Message dropped A=FE80::1EDF:FFF:FEBB:8944 G=- V=1200 I=Gi2/0/2 P=NDP::NA Reason=Packet accepted but not forwarded Mar 30 06:23:35.902: %SISF-4-PAK_DROP: Message dropped A=2001:DB8:1:3::1 G=- V=1200 I=Gi2/0/1 P=NDP::NA Reason=Address limit per policy reached Mar 30 06:38:06.572: %SISF-6-ENTRY_CREATED: Entry created A=FE80::1EDF:FFF:FEBB:8944 V=1200 I=Gi2/0/2 P=0005 M=5CFF.340A.F93D Mar 30 06:19:38.370: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed per policy (10) V=1200 I=Gi2/0/1 M=3C97.0E86.74AD ! Mar 30 06:38:42.201: %SISF-4-PAK_DROP: Message dropped A=FE80::45B4:32FF:FE67:53 G=- V=100 I=Et0/0 P=NDP::NA Reason=Advertise while TENTATIVE Mar 30 06:38:45.923: %SISF-6-ENTRY_CREATED: Entry created A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/0 P=0005 M= Mar 30 06:38:52.523: %SISF-6-ENTRY_CHANGED: Entry changed A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/0 P=0005 M= Mar 30 06:38:58.471: %SISF-6-ENTRY_CHANGED: Entry changed A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/3 P=0005 M=45B4.3267.0053
  14. 14. IPv6 First Hop Security Results • Switch successfully blocked RAs and rogue DHCPv6 Switch-1# show ipv6 snoop counter interface gigabitethernet 2/0/2 Received messages on Gi2/0/2: Protocol Protocol message NDP RA[14734] DHCPv6 SOL[191] ADV[1] Bridged messages from Gi2/0/2: Protocol Protocol message NDP DHCPv6 SOL[191] Dropped messages on Gi2/0/2: Feature Protocol Msg [Total dropped] DHCP Guard DHCPv6 ADV [1] reason: Message type is not authorized by the policy on this port, device-role mismatch [1] RA guard NDP RA [14734] reason: Message unauthorized on port [14734] Switch-1#
  15. 15. IPv6 First Hop Security Results • Switch successfully blocked RAs and rogue DHCPv6 Switch-1# show ipv6 snoop counter interface gigabitethernet 2/0/1 Received messages on Gi2/0/1: Protocol Protocol message NDP RS[11] RA[2794] NS[51] NA[7031] DHCPv6 SOL[142] Bridged messages from Gi2/0/1: Protocol Protocol message NDP RS[11] NS[50] NA[15] DHCPv6 SOL[142] Dropped messages on Gi2/0/1: Feature Protocol Msg [Total dropped] RA guard NDP RA [2794] reason: Message unauthorized on port [2794] Snooping NDP NS [1] reason: Packet accepted but not forwarded [1] NA [7016] reason: Address limit per policy reached [7007] reason: Packet accepted but not forwarded [9] Switch-1#
  16. 16. IPv6 FHS with IPv6 ACL • If you don’t have RA Guard on your switch you might be able to configure a Cisco IPv6 Port-based ACL (PACL) • ipv6 access-list IPV6_PACL • remark Deny Rogue DHCPv6 • deny udp any eq 547 any eq 546 • remark Deny Rogue RA • deny icmp any any router-advertisement • permit ipv6 any any • ! • interface GigabitEthernet 1/2 • ipv6 traffic-filter IPV6_PACL in
  17. 17. Extension Headers • There are rules for the frequency and order of various extension headers • Hop-by-Hop and Destination Options • Header Manipulation – Crafted Packets • Large chains of extension headers • Separate payload into second fragment • Consume resources - DoS • Invalid Extension Headers – DoS • Routing Headers Type 0 – source routing • Routers can be configured to block RH0 • This is now the default on newer routers • Firewalls, Windows, Linux and MacOS all block RH0 by default
  18. 18. Layer-3/4 Spoofing • Spoofing of IPv6 packets is easy • IPv6 BOGON (Martians) Filtering is required • Filter traffic from unallocated space and filter router advertisements of bogus prefixes • Permit Legitimate Global Unicast Addresses • Unicast Reverse Path Forwarding (Unicast-RPF) • Don’t block FF00::/8 and FE80::/10 – these will block NDP (NS/NA) • Hierarchical addressing and ingress/egress filtering can catch packets with forged source addresses • Tracebacks may prove to be easier with IPv6
  19. 19. Transition Mechanism Threats • Dual Stack is the preferred transition method. • You are only as strong as the weakest of the two stacks. • Running dual stack will give you at least twice the number of vulnerabilities and require almost twice the work to secure. IPv4 IPv6
  20. 20. Threats Against Translation • Manual Tunnels • Preferred over dynamic tunnels • Filter tunnel source/destination and use IPsec • If spoofing, return traffic is not sent to attacker • Dynamic Tunnels • 6to4 Relay routers are “open relays” • Attackers can guess 6to4 addresses easily • ISATAP can have potential MITM attacks • Attackers can spoof source/dest IPv4/v6 addresses • Translation techniques are susceptible to DoS attacks • NAT prevents IPsec, DNSSEC, Geolocation and other applications from working • Consuming connection state (CPU resource consumption attack on ALG) • Consuming public IPv4 pool and port numbers (pool depletion attack)
  21. 21. IPv6 Firewalls • Don’t just use your IPv4 policy for your IPv6 policy. • Don’t blindly allow IPsec or IPv4 Protocol 41 (6in4 tunneled traffic) through the firewall unless you know the tunnel endpoints • Firewalls have improved their IPv6 capabilities, IPv6 addresses in the GUI, some logs, ability to filter on Extension Headers, Fragmentation, PMTUD, and granular filtering of ICMPv6 and multicast. • IPv6 firewalls may not have all the same full features as IPv4 firewalls • UTM/DPI/IPS/WAF/content filtering features may only work for IPv4.
  22. 22. IPv6 Intrusion Prevention • Few signatures exist for IPv6 packets or you have to build your own using cryptic regular expressions or byte-offset values. • IPSs should send out notifications when non-conforming IPv6 packets are observed having faulty parameters, bad extension headers, source address is a multicast address. • Many IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite). • IPv6 support varies greatly in modern IPS systems. • Talk with your vendor about what you need.
  23. 23. Summary of BCPs • Perform IPv6 filtering at the perimeter (RFC2827 filtering and Unicast RPF checks). • Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used. • Use common access-network security measures (IPv6 FHS techniques, RA-Guard, 802.1X, disable unused switch ports, Ethernet port security, MACSec/TrustSec) . • Strive to achieve equal protections for IPv6 as with IPv4. • Continue to let vendors know what you expect in terms of IPv6 security features.
  24. 24. RTFM – Read This Fine Manuscript • IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, 2009. ISBN-10: 1-58705-594-5 ISBN-13: 978-1-58705-594-2
  25. 25. Questions and Answers • Scott Hogg • shogg@gtri.com • www.hoggnet.com • Twitter: @scotthogg • Network World Blog • http://www.networkworld.com/community/hogg • Rocky Mountain IPv6 Task Force • www.rmv6tf.org
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×