Eric Vyncke - Layer-2 security, ipv6 norway
IKT-Norge's IPv6 forum conference, Oslo 2012-04-25
Presentation Transcript

  • Slide 1: IPv6 First Hop Security: the IPv6 version of DHCP snooping and dynamic ARP inspection
    Eric Vyncke, Cisco, CTO/Consulting Engineering, Distinguished Engineer, evyncke@cisco.com
    © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • Slide 2: (diagram, courtesy of Curt Smith) labels: Layer-7, Data and services, Attacker, Layer-2, Firewall
  • Slide 4: RA w/o Any Authentication
    Router Advertisements contain:
      - Prefix to be used by hosts
      - Data-link layer address of the router
      - Miscellaneous options: MTU, DHCPv6 use, …
    Gives exactly the same level of security as DHCPv4 (none)
    (diagram) 1. RS: Data = Query: please send RA; 2. RA: Data = options, prefix, lifetime, A+M+O flags; a second, unauthenticated RA sender is labelled MITM / DoS
  • Slide 5
    • Devastating:
      Denial of service: all traffic sent to a black hole
      Man in the Middle attack: attacker can intercept, listen, modify unprotected data
    • Also affects legacy IPv4-only networks with IPv6-enabled hosts
    • Most of the time from non-malicious users
    • Requires layer-2 adjacency (some relief…)
    • The major blocking factor for enterprise IPv6 deployment
  • Slide 6: Where / What
    Routers: Increase "legal" router preference
    Hosts: Disabling Stateless Address Autoconfiguration
    Routers & Hosts: SeND "Router Authorization"
    Switch (First Hop): Host isolation
    Switch (First Hop): Port Access List (PACL)
    Switch (First Hop): RA Guard
  • Slide 7
    • RFC 3972 Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifiers are cryptographically generated from the node's public key
    • SeND adds a signature option to the Neighbor Discovery Protocol, using the node's private key; the node's public key is sent in the clear (and linked to the CGA)
    • Very powerful if MAC spoofing is prevented, but not a lot of implementations: Cisco IOS, Linux, some H3C, third party for Windows
  • Slide 8
    • Each device has an RSA key pair (no need for a cert)
    • Ultra light check for validity
    • Prevents spoofing a valid CGA address
    (diagram) RSA keys (Priv, Pub); Modifier + Public Key + Subnet Prefix -> SHA-1 -> Interface Identifier; Subnet Prefix + Interface Identifier = Cryptographically Generated Address; CGA Params and Signature are carried in SeND messages
  • Slide 9
    • Adding an X.509 certificate to the RA
    • Subject Name contains the list of authorized IPv6 prefixes
    (diagram) Trust Anchor X.509 cert -> router X.509 cert; Router Advertisement: Source Addr = CGA, CGA param block (incl. pub key), signed
  • Slide 10
    • Prevent node-to-node layer-2 communication by using:
      1 VLAN per host (SP access network with Broadband Network Gateway)
      Private VLANs (PVLAN) where a node can only contact the official router
    • Link-local scope multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm
    • Can also be used on wireless in 'AP Isolation Mode'
    (diagram) two CPE / PC (public v6) sites, each in its own PVLAN, receiving the RA from the BNG
  • Slide 11
    • Port ACL blocks all ICMPv6 Router Advertisements from hosts
        interface FastEthernet3/13
         switchport mode access
         ipv6 traffic-filter ACCESS_PORT in
         access-group mode prefer port
      (the body of the ACCESS_PORT access list is not shown on the slide)
    (diagram) RAs from host ports are stopped at the switch
  • Slide 12
    (diagram) a host sends a Router Advertisement ("I am the default gateway", option: prefix(s)); the switch verifies it (configuration-based, learning-based or challenge-based) and bridges the RA only if verification succeeded
    • Switch selectively accepts or rejects RAs based on various criteria
    • Can be ACL based, learning based or challenge (SeND) based
    • Hosts see only allowed RAs, and RAs with allowed content
  • Slide 13
    • Extension header chain can be so large that it is fragmented!
    • RFC 3128 is not applicable to IPv6
    • Layer 4 information could be in the 2nd fragment
    (diagram) Fragment 1: IPv6 hdr | HopByHop | Routing | Fragment | Destination; Fragment 2: IPv6 hdr | HopByHop | Routing | Fragment | TCP | Data; the Layer 4 header is in the 2nd fragment
  • Slide 14
    • RFC 3128 is not applicable to IPv6: an extension header can be fragmented
    • The ICMP header could be in the 2nd fragment, after a fragmented extension header
    • RA Guard works like a stateless ACL filtering ICMP type 134
    • THC fake_router6 -FD implements this attack, which bypasses RA Guard
    • Partial work-around: block all fragments sent to ff02::1; 'undetermined-transport' is even better
      Does not work in a SeND environment (larger packets), but then there is no need for RA Guard
    (diagram) Fragment 1: IPv6 hdr | HopByHop | Routing | Fragment | Destination …; Fragment 2: IPv6 hdr | HopByHop | Routing | Fragment | … Destination | ICMP type=134; the ICMP header is in the 2nd fragment, RA Guard has no clue where to find it!
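An added Python model, not Cisco's RA Guard code, of the stateless header-chain walk that slides 12 to 14 describe, together with the two work-arounds of slide 14. The packets are constructed inline with minimal headers and documentation addresses, and the 'undetermined-transport' and 'fragments to ff02::1' behaviours are modelled from the slide's wording, not from any real ACL syntax.

```python
import struct
from ipaddress import IPv6Address

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6 = 0, 43, 44, 60, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
RA_TYPE = 134
ALL_NODES = IPv6Address("ff02::1")

# --- constructed packet builders (sample data, not captured traffic) ---
def ipv6_packet(next_header, payload, src="fe80::1", dst="ff02::1"):
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload

def ext(next_header, ext_len=0, present=None):
    """Generic option header claiming (ext_len+1)*8 bytes; 'present' truncates it
    to model a header that continues in the next fragment."""
    body = bytes([next_header, ext_len]) + bytes((ext_len + 1) * 8 - 2)
    return body if present is None else body[:present]

def frag(next_header, offset, more):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), 0x1234)

def classify(pkt):
    """Walk the header chain statelessly, as an RA Guard / port ACL would.
    Returns (verdict, fragmented) with verdict in
    {'ra', 'other', 'undetermined-transport', 'malformed'}."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "malformed", False
    nh = pkt[6]
    pos, end = 40, min(len(pkt), 40 + struct.unpack("!H", pkt[4:6])[0])
    fragmented = False
    while nh in EXT_HEADERS:
        if pos + 8 > end:
            return "undetermined-transport", fragmented
        if nh == FRAGMENT:
            fragmented = True
            nh, _, off_flags, _ = struct.unpack("!BBHI", pkt[pos:pos + 8])
            pos += 8
            if off_flags >> 3:                # not the first fragment: no L4 header here
                return "undetermined-transport", fragmented
        else:
            hdr_len = (pkt[pos + 1] + 1) * 8
            if pos + hdr_len > end:           # header continues in the next fragment
                return "undetermined-transport", fragmented
            nh, pos = pkt[pos], pos + hdr_len
    if nh != ICMPV6:
        return "other", fragmented
    if pos >= end:                            # ICMPv6 type byte not in this packet
        return "undetermined-transport", fragmented
    return ("ra" if pkt[pos] == RA_TYPE else "other"), fragmented

def ra_guard(pkt, device_role="host", drop_undetermined=False, drop_frag_to_all_nodes=False):
    """Port policy: RAs are dropped on host-facing ports. The two flags model the
    slide's work-arounds: deny 'undetermined-transport', or drop fragments to ff02::1."""
    if device_role == "router":
        return "bridge"
    verdict, fragmented = classify(pkt)
    dst = IPv6Address(pkt[24:40])
    if verdict in ("ra", "malformed"):
        return "drop"
    if verdict == "undetermined-transport":
        if drop_undetermined or (drop_frag_to_all_nodes and fragmented and dst == ALL_NODES):
            return "drop"
    return "bridge"

# Sample 1: an ordinary RA (ICMPv6 type 134) directly after the IPv6 header.
PLAIN_RA = ipv6_packet(ICMPV6, bytes([RA_TYPE, 0]) + bytes(14))
# Sample 2: first fragment of the slide's chain. The Destination Options header
# claims 16 bytes but only 8 are in this fragment, so the ICMPv6 header sits in
# fragment 2 and a stateless filter never sees type 134.
FRAG1 = ipv6_packet(HOP_BY_HOP, ext(ROUTING) + ext(FRAGMENT)
                    + frag(DEST_OPTS, 0, True) + ext(ICMPV6, ext_len=1, present=8))
# Sample 3: a harmless non-first fragment (UDP) to a unicast destination.
FRAG_UDP = ipv6_packet(FRAGMENT, frag(17, 1, False) + bytes(16), dst="2001:db8::10")

if __name__ == "__main__":
    for name, pkt in (("plain RA", PLAIN_RA), ("fragment 1", FRAG1), ("UDP frag", FRAG_UDP)):
        print(name, classify(pkt), ra_guard(pkt), ra_guard(pkt, drop_undetermined=True))
```

With the default policy the first fragment is bridged because the chain ends before any ICMPv6 type is visible; denying 'undetermined-transport' closes that gap but, as the UDP sample shows, also discards every legitimate non-first fragment on that port, which is the "drop all fragments…" trade-off the conclusion slide mentions.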
  • Slide 15: For Your Reference
    • Each FH feature provides a configuration mode to create and populate policies (+ one implicit "default" policy)
        ipv6 nd raguard policy MYHOST
         device-role host
    • Each FH feature provides commands to attach policies to targets: box, vlan, port
        vlan configuration 100
         ipv6 nd raguard attach-policy MYHOST
         ipv6 snooping
        interface e 0/0
         ipv6 nd raguard attach-policy MYROUTER
    • Packets are processed by the lowest-level matching policy for each feature
      - Packets received on e0/0 are processed by policy ra-guard "MYROUTER" AND policy snooping "default"
      - Packets received on any other port of vlan 100 are processed by policy ra-guard "MYHOST" AND policy snooping "default"
  • Slide 16: For Your Reference
    Step 1: Configure policies
        ipv6 nd raguard policy HOST
         device-role host
        ipv6 nd raguard policy ROUTER
         device-role router
        ipv6 snooping policy NODE
         tracking enable
         limit address-count 10
         security-level guard
        ipv6 snooping policy SERVER
         trusted-port
         tracking disable
         security-level glean
    Step 2: Attach policies to target (VLAN, port)
        vlan configuration 100-200
         ipv6 nd raguard attach-policy HOST
        interface Ethernet0/0
         ipv6 nd raguard attach-policy ROUTER
        vlan configuration 100,101
         ipv6 snooping attach-policy NODE
        interface Ethernet1/0
         ipv6 snooping attach-policy SERVER
  • Slide 17: (topology diagram) vlan 100 with nodes labelled HOST, ROUTER, PEER SWITCH, VILLAIN, CAT, DUMB
  • Slide 18: (diagram) 1) hosts: "I want IPv6, send RA"; 2) router: sending RA with prefix for auto-configuration; 3) hosts: "Yahoo! IPv6"; 4) default protection… IPv4 protection: iptables / ipfw / Security center; IPv6 protection: no ip6tables ✗ / no ip6fw ✗ / Security center ✔
  • Slide 19: (diagram) 1) hosts: "I want IPv6, send RA"; 2) router: sending RA with "no auto-config"; 3) host with a static IPv6 address: "Yahoo!", the other hosts: "No IPv6 SLAAC"; IPv4 protection: iptables / ipfw / Security center
  • Slide 21
    • Pretty much like RA: no authentication
      Any node can 'steal' the IP address of any other node
      Impersonation leading to denial of service or MITM
    • Requires layer-2 adjacency
    • IETF SAVI Source Address Validation Improvements (work in progress)
  • Slide 22: Where / What
    Routers & Hosts: configure static neighbor cache entries
    Routers & Hosts: Use Cryptographic Addresses (SeND CGA)
    Switch (First Hop): Host isolation
    Switch (First Hop): Address watch
      • Glean addresses in NDP and DHCP
      • Establish and enforce rules for address ownership
  • Slide 23
    • Objectives for address ownership:
      Enable the ND message sender to provide proof of ownership of the address, and the receiver to validate the proof
      Verify that the address is either the source of the ND message or the "target" for DAD messages (when the source is UNSPEC)
      This is a SeND feature
    • Protocol overview
      Hosts (and routers) generate a pair of RSA keys
      The public key is hashed to create a Cryptographic address (CGA)
      The CGA address is signed by the private key
      Both the public key and the signature are provided in ND messages
      Receivers must verify the signature and address/key consistency (address = hash(key))
      No key distribution required!
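The CGA construction drawn on slide 8 (Modifier + Public Key + Subnet Prefix -> SHA-1 -> Interface Identifier) and the receiver-side "address = hash(key)" consistency check of slide 23, as an added Python example following RFC 3972; it is not code from the presentation or from any SeND implementation. It assumes a constructed byte string standing in for the DER-encoded RSA public key, and leaves the RSA signature over the ND message (the other half of SeND) out of scope.

```python
import hashlib
from ipaddress import IPv6Address

# Constructed stand-in for the node's DER-encoded RSA public key (RFC 3972 hashes
# the SubjectPublicKeyInfo bytes; any byte string demonstrates the mechanism).
SAMPLE_PUBKEY = b"constructed-rsa-public-key-stand-in-" * 4
SUBNET_PREFIX = IPv6Address("2001:db8::").packed[:8]   # leftmost 64 bits

def cga_hash1(modifier, prefix, collision_count, pubkey):
    """Hash1 = leftmost 64 bits of SHA-1(modifier | prefix | collision count | public key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]

def cga_hash2(modifier, pubkey):
    """Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def _iid_body(iid):
    # bits 0-2 carry Sec and bits 6-7 are u/g: compare everything else
    return bytes([iid[0] & 0x1C]) + bytes(iid[1:])

def generate_cga(prefix, pubkey, sec=1, collision_count=0, start_modifier=bytes(16)):
    """RFC 3972 generation: search a modifier whose Hash2 starts with 2*Sec zero
    octets (the hash-extension work factor), then derive the interface
    identifier from Hash1 and return the address with its CGA parameters."""
    if not (len(prefix) == 8 and 0 <= sec <= 7 and 0 <= collision_count <= 2):
        raise ValueError("bad CGA parameters")
    mod = int.from_bytes(start_modifier, "big")
    while True:
        modifier = mod.to_bytes(16, "big")
        if cga_hash2(modifier, pubkey)[:2 * sec] == bytes(2 * sec):
            break
        mod = (mod + 1) % (1 << 128)
    iid = bytearray(cga_hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)        # Sec in the 3 leftmost bits, u/g cleared
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return IPv6Address(prefix + bytes(iid)), params

def verify_cga(addr, params):
    """The 'ultra light' receiver check: the claimed address must equal the hash
    of the presented parameters (address = hash(key)) and Hash2 must honour the
    Sec value encoded in the address. No key distribution is needed."""
    raw = IPv6Address(addr).packed
    if params["collision_count"] > 2 or raw[:8] != params["prefix"]:
        return False
    sec = raw[8] >> 5
    expected = cga_hash1(params["modifier"], raw[:8], params["collision_count"], params["pubkey"])
    if _iid_body(expected) != _iid_body(raw[8:]):
        return False
    return cga_hash2(params["modifier"], params["pubkey"])[:2 * sec] == bytes(2 * sec)

if __name__ == "__main__":
    addr, params = generate_cga(SUBNET_PREFIX, SAMPLE_PUBKEY, sec=1)
    print("CGA:", addr, "valid:", verify_cga(addr, params))
    # a node presenting a different key for the same address fails the check
    print("forged key accepted:", verify_cga(addr, dict(params, pubkey=b"other-key" * 4)))
```

The search loop is where the Sec parameter costs the generator time; verification is a couple of SHA-1 calls, which is why the switch or neighbour can afford to run it on every ND message before bothering with the signature.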
  • Slide 24
    • If a switch wants to enforce the mappings <IP address, MAC address>, how to learn them?
    • Multiple sources of information
      SeND: verify the signature in NDP messages, then add the mapping
      DHCP: snoop all messages from the DHCP server to learn the mapping (same as in IPv4)
      NDP: more challenging, but 'first come, first served': the first node claiming to have an address will have it
  • Slide 25: (diagram) Binding table with columns ADR, MAC, VLAN, IF: A1 MACH1 100 P1; A21 MACH2 100 P2; A22 MACH2 100 P2; A3 MACH3 100 P3. Messages seen by the switch: H1: NS [IP source=A1, LLA=MACH1]; H2: DHCP REQUEST [XID, SMAC=MACH2] and DHCP server REPLY [XID, IP=A21, IP=A22]; H3: data [IP source=A3, SMAC=MACH3], DAD NS [IP source=UNSPEC, target=A3], DHCP LEASEQUERY / LEASEQUERY_REPLY, NA [IP source=A3, LLA=MACH3]
  • Slide 26
    (diagram) host -> Address glean (arbitrate collisions, check ownership; check against max allowed per box/vlan/port; record & report changes) -> Valid? -> bridge; results stored in the binding table
    • Preference is a function of: configuration, learning method, credential provided
    • Upon collision, choose the highest preference (for instance static, trusted, CGA, DHCP preferred over dynamic, not_trusted, not_CGA, SLAAC)
    • For a collision with the same preference, choose First Come, First Served
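The gleaning and arbitration logic of slides 24 to 26, as an added Python model that is not Cisco's implementation: it assumes the preference ladder static > trusted > CGA > DHCP > SLAAC read off slide 26, a per-port address-count limit in the spirit of the `limit address-count` policy knob on slide 16, and replays the slide-25 exchange with its constructed names (A1, MACH1, …) plus a rogue claimant.

```python
from dataclasses import dataclass
from itertools import count

# Preference ladder from slide 26 (assumed ordering of the slide's list): a higher
# value wins a collision; equal values fall back to first come, first served.
PREFERENCE = {"static": 4, "trusted": 3, "cga": 2, "dhcp": 1, "slaac": 0}

@dataclass
class Binding:
    address: str
    mac: str
    vlan: int
    port: str
    source: str   # how the entry was learned: static / trusted / cga / dhcp / slaac
    seq: int      # arrival order, so ties resolve first come, first served

    @property
    def preference(self):
        return PREFERENCE[self.source]

class BindingTable:
    def __init__(self, max_per_port=10):
        self.entries = {}            # (vlan, address) -> Binding
        self.max_per_port = max_per_port
        self._seq = count()
        self.log = []                # "record & report changes"

    def _port_count(self, vlan, port):
        return sum(1 for b in self.entries.values() if (b.vlan, b.port) == (vlan, port))

    def glean(self, address, mac, vlan, port, source):
        """Offer an <address, MAC> mapping seen in NDP/DHCP (or configured).
        Returns True when that mapping is now the binding."""
        cand = Binding(address, mac, vlan, port, source, next(self._seq))
        cur = self.entries.get((vlan, address))
        if cur is None:
            if self._port_count(vlan, port) >= self.max_per_port:
                self.log.append(f"deny {address}: address-count limit reached on {port}")
                return False
            self.entries[(vlan, address)] = cand
            self.log.append(f"learn {address} -> {mac} on {port} via {source}")
            return True
        if (cur.mac, cur.port) == (mac, port):
            return True                                    # same owner refreshing
        if cand.preference > cur.preference:               # arbitrate the collision
            self.entries[(vlan, address)] = cand
            self.log.append(f"change {address}: {cur.mac}/{cur.source} -> {mac}/{source}")
            return True
        self.log.append(f"deny {address} claimed by {mac}/{source}: owned by {cur.mac}/{cur.source}")
        return False

    def validate(self, address, mac, vlan, port):
        """Bridge/drop decision for a packet claiming `address` from `mac` on `port`."""
        b = self.entries.get((vlan, address))
        return b is not None and (b.mac, b.port) == (mac, port)

def slide25_scenario():
    """Replay of the slide-25 exchange (constructed names) plus a rogue claimant."""
    t = BindingTable(max_per_port=10)
    t.glean("A1", "MACH1", 100, "P1", "slaac")   # H1: NS [IP source=A1, LLA=MACH1]
    t.glean("A21", "MACH2", 100, "P2", "dhcp")   # DHCP REPLY [XID, IP=A21, IP=A22] from the server
    t.glean("A22", "MACH2", 100, "P2", "dhcp")
    t.glean("A3", "MACH3", 100, "P3", "slaac")   # H3: DAD NS target=A3, then NA [source=A3, LLA=MACH3]
    rogue_a1 = t.glean("A1", "MACV", 100, "P9", "slaac")    # same preference: first come, first served
    rogue_a21 = t.glean("A21", "MACV", 100, "P9", "slaac")  # DHCP-learned beats a SLAAC claim
    return t, rogue_a1, rogue_a21

if __name__ == "__main__":
    table, _, _ = slide25_scenario()
    print("\n".join(table.log))
```

The two denials in the log are exactly the cases the slide separates: a same-preference collision goes to whoever arrived first, while a lower-preference claim never displaces an entry learned from a more trustworthy source.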
  • Slide 27
    • IPv6 VLAN ACL & RA Guard: 12.2(54)SG, 3.2.0SG, 15.0(2)SG, 12.2(33)SXI4
    • NDP inspection: 12.2(50)SY and 15.0(1)SY
    For more information:
      http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html
      http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-first-hop-security.html
  • Slide 28
    • DHCP Guard
    • Destination Guard
    • Source Guard
    • Prefix Guard
    • Multi Switch operation
    • DAD Proxy
    • RA Throttler
    • Binding Table Recovery
    • NDP Multicast Suppress
    • SVI support
    Several of those features are already in WLC 7.2
  • Slide 30
    • Remote router CPU/memory DoS attack if aggressive scanning: the router will do Neighbor Discovery… and waste CPU and memory
    • Local router DoS with NS/RS/…
    (diagram) a remote scanner sweeps 2001:db8::/64; the router keeps sending NS for 2001:db8::1, 2001:db8::2, 2001:db8::3, …
  • Slide 31
    • Mainly an implementation issue
      Rate limiter, global and per interface
      Prioritize renewal (PROBE) rather than new resolution
      Maximum neighbor cache entries per interface and per MAC address
    • Internet edge/presence: a target of choice
      Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
      Allocate and configure a /64 but use addresses fitting in a /120 in order to have a simple ingress ACL
    • Using a /64 on point-to-point links => a lot of addresses to scan! Using /127 could help (RFC 6164)
    • Using an infrastructure ACL prevents this scanning
      iACL: edge ACL denying packets addressed to your routers
      Easy with IPv6 because a new addressing scheme can be done
  • Slide 32
    • Built-in rate limiter but no option to tune it
      Since 15.1(3)T: ipv6 nd cache interface-limit
      Or IOS-XE 2.6: ipv6 nd resolution data limit
      Destination Guard is coming with First Hop Security phase 3
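The resolution-side protections listed on slides 31 and 32 (a rate limiter for new resolutions, priority for PROBE renewals over new resolutions, a cap on cache entries per interface and per MAC, and the "/64 allocated, /120 used" ingress ACL), as an added Python model that is not IOS code and makes no claim about how `ipv6 nd cache interface-limit` is implemented. Interface names, addresses and limits are constructed; time is modelled as explicit ticks instead of a clock.

```python
import ipaddress

class NeighborCache:
    """Router-side neighbor cache with the three knobs from slide 31."""

    def __init__(self, max_incomplete_per_if=4, max_per_mac=2, resolutions_per_tick=3):
        self.max_incomplete_per_if = max_incomplete_per_if   # cap on INCOMPLETE entries per interface
        self.max_per_mac = max_per_mac                       # cap on resolutions triggered by one local MAC
        self.resolutions_per_tick = resolutions_per_tick     # new-resolution budget per interface and tick
        self.entries = {}     # (ifname, addr) -> {"state": ..., "mac": ..., "trigger": ...}
        self.budget = {}      # ifname -> new resolutions still allowed in the current tick

    def new_tick(self):
        """Rate-limiter window rolls over: every interface gets its budget back."""
        self.budget.clear()

    def _incomplete(self, ifname):
        return [e for (i, _), e in self.entries.items() if i == ifname and e["state"] == "INCOMPLETE"]

    def lookup(self, ifname, dst, trigger_mac=None):
        """A packet needs the link-layer address of `dst` on `ifname`.
        `trigger_mac` is the source MAC of a local sender (None for traffic from the Internet)."""
        e = self.entries.get((ifname, dst))
        if e is not None:
            return "forward" if e["state"] != "INCOMPLETE" else "queue"   # resolution already running
        incomplete = self._incomplete(ifname)
        if len(incomplete) >= self.max_incomplete_per_if:
            return "drop:cache-limit"
        if trigger_mac and sum(1 for x in incomplete if x["trigger"] == trigger_mac) >= self.max_per_mac:
            return "drop:per-mac-limit"
        left = self.budget.get(ifname, self.resolutions_per_tick)
        if left <= 0:
            return "drop:rate-limit"
        self.budget[ifname] = left - 1
        self.entries[(ifname, dst)] = {"state": "INCOMPLETE", "mac": None, "trigger": trigger_mac}
        return "send-NS"

    def renew(self, ifname, addr):
        """Reachability PROBE of an already-known neighbor: never charged to the
        new-resolution budget, so existing hosts keep working during a scan."""
        e = self.entries.get((ifname, addr))
        if e is None or e["state"] == "INCOMPLETE":
            return "no-entry"
        e["state"] = "PROBE"
        return "send-NS"

    def learned(self, ifname, addr, mac):
        """A Neighbor Advertisement answered: the entry becomes REACHABLE."""
        self.entries[(ifname, addr)] = {"state": "REACHABLE", "mac": mac, "trigger": None}

    def expire_incomplete(self, ifname):
        """Resolution timed out: free the INCOMPLETE slots on `ifname`."""
        for key in [k for k, e in self.entries.items() if k[0] == ifname and e["state"] == "INCOMPLETE"]:
            del self.entries[key]

def edge_acl(dst, permitted=("2001:db8::/120",)):
    """Ingress/infrastructure ACL from slide 31: only the small, statically used part of
    the /64 is reachable from outside, so a scan of the rest of the /64 is dropped at the
    edge before it can trigger any Neighbor Discovery."""
    return any(ipaddress.IPv6Address(dst) in ipaddress.IPv6Network(n) for n in permitted)

if __name__ == "__main__":
    nc = NeighborCache()
    nc.learned("Gi0/1", "2001:db8::10", "00:11:22:33:44:55")
    for i in range(1, 7):          # a remote sweep of the /64
        print(f"2001:db8::{i}", nc.lookup("Gi0/1", f"2001:db8::{i}"))
    print("renew known host:", nc.renew("Gi0/1", "2001:db8::10"))
    print("edge ACL:", edge_acl("2001:db8::10"), edge_acl("2001:db8::1234:5678"))
```

Running the demo shows the rate limiter cutting in after three new resolutions in a tick and the cache limit holding the number of outstanding resolutions down, while a renewal for the known host still goes out; the edge ACL removes most of the scan before the cache is involved at all.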
  • Slide 34
    • Without a secure layer-2, there is no upper layer security
    • Rogue Router Advertisement is the most common threat
    • Mitigation techniques
      Host isolation
      Secure Neighbor Discovery: but not a lot of implementations
      SAVI-based techniques: discovering the 'right' information and dropping RA/NA with wrong information
      Last remaining issue: (overlapped) fragments => drop all fragments…
    • Neighbor cache exhaustion
      Use a good implementation
      Expose only a small part of the addresses and block the rest via ACL
    • Products are now available implementing the techniques ;-)
  • Slide 36: Thank you.