Eric Vyncke - IPv6 Security Vendor Point of View

ARP Spoofing is now NDP Spoofing: Threats  ARP is replaced by Neighbor Discovery Protocol Nothing authenticated Static entries overwritten by dynamic ones  Stateless Address Autoconfiguration rogue RA (malicious or not) All nodes badly configured DoS Traffic interception (Man In the Middle Attack)  Attack tools exist (from THC – The Hacker Choice) Parasit6 Fakerouter6 ...Presentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 2

ARP Spoofing is now NDP Spoofing: Mitigation  BAD NEWS: nothing like dynamic ARP inspection for IPv6 Will require new hardware on some platforms Not available now  GOOD NEWS: Secure Neighbor Discovery SEND = NDP + crypto IOS 12.4(24)T But not in Windows Vista, 2008 and 7 Crypto means slower...  Other GOOD NEWS: Private VLAN works with IPv6 Port security works with IPv6 801.x works with IPv6 For FTTH & other broadband, DHCP-PD means not need to NDP-proxyPresentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 3

Securing Link Operations: Cisco Future First Hop Trusted Device Certificate  Advantages server – central administration, central operation – Complexity limited to first hop – Transitioning lot easier – Efficient for threats coming from the link – Efficient for threats coming from outside Time server  Disadvantages – Applicable only to certain topologies – Requires first-hop to learn about end-nodes – First-hop is a bottleneck and single-point of failurePresentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 4

IPv6 Header Manipulation  Unlimited size of header chain (spec-wise) can make filtering difficult  Potential DoS with poor IPv6 stack implementations More boundary conditions to exploit Can I overrun buffers with a lot of extension headers? Perfectly Valid IPv6 Packet According to the Sniffer Header Should Only Appear Once Destination Header Which Should Occur at Most Twice Destination Options Header Should Be the Last See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.htmlPresentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 5

Parsing the Extension Header Chain  Finding the layer 4 information is not trivial in IPv6 Skip all known extension header Until either known layer 4 header found => SUCCESS Or unknown extension header/layer 4 header found... => FAILURE IPv6 hdr HopByHop Routing AH TCP data IPv6 hdr HopByHop Routing AH Unknown L4 ??? IPv6 hdr HopByHop Unk. ExtHdr AH TCP dataPresentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 6

The IPsec Myth: IPsec End-to-End will Save the World  IPv6 mandates the implementation of IPsec  IPv6 does not require the use of IPsec  Some organizations believe that IPsec should be used to secure all flows... Interesting scalability issue (n2 issue with IPsec) Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall IOS 12.4(20)T can parse the AH Network telemetry is blinded: NetFlow of little use Network services hindered: what about QoS? Recommendation: do not use IPsec end to end within an administrative domain. Suggestion: Reserve IPsec for residential or hostile environment or high profile targets.Presentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 7

PCI DSS Compliance and IPv6  Payment Card Industry Data Security Standard requires the use of NAT for security Yes, weird isn’t it? There is no NAT IPv6 <-> IPv6 in most of the firewalls IETF has just started to work on NAT66   PCI DSS compliance cannot be achieved for IPv6 ?  How important is NAT for ‘security’? Not clear feedback from customers.Presentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 8

The security ‘value’ of NAT-PT Does it really bring something?  Block connection from the outside Same as a stateful firewall  Topology hiding ? Dubious utility Techniques exist to by-pass Counting host by ID field (Steve Bellovin 2002) Counting host by TCP timestamps (Ellie Lupin 2010) Analysis of the TTL field Analysis of e-mail RFC 822 headers  Multiple users hidden behind a single address Forensic is more complexPresentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 9

What Default Security Policy for CPE? Do we need to do same IPv4 NAT?  Allow only all inside initiated connections?  IPv6 hosts are usually more secure than legacy OS  IPv6 has the benefit of end-to-end connectivity  Even IETF is unclear Presentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 10

Anti-Spam Challenges  Little SMTPv6 emails…  Not a lot of data to test heuristics  How to build an address reputation database? Based on /128? /64 ? /56 ?  Need more customers, more SMTPv6Presentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 12

Summary of Cisco IPv6 Security Products  ASA Firewall Since version 7.0 (released 2005) Flexibility: Dual stack, IPv6 only, IPv4 only SSL VPN for IPv6 (ASA 8.0) Stateful-Failover (ASA 8.2.2)  IOS Firewall IOS 12.3(7)T (released 2005)  IPS Since 6.2 (released 2008)  Email Security Appliance (ESA) under beta testing early 2010  Web Security Appliance (WSA) end 2011Presentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 13

Key Take Away  So, nothing really new in IPv6  Lack of operation experience may hinder security for a while: training is required  Security enforcement is possible, most vendors have IPv6-enabled security features/appliances Control your IPv6 traffic as you do for IPv4  Leverage IPsec to secure IPv6 when suitablePresentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 14

Secure Neighbor Discovery (SEND) RFC 3971  Certification paths Anchored on trusted parties, expected to certify the authority of the routers on some prefixes  Cryptographically Generated Addresses (CGA) IPv6 addresses whose interface identifiers are cryptographically generated  RSA signature option Protect all messages relating to neighbor and router discovery  Timestamp and nonce options Prevent replay attacks  Requires IOS 12.4(24)TPresentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 17

Cryptographically Generated Addresses CGA RFC 3972 (Simplified)  Each devices has a RSA key pair (no need for cert)  Ultra light check for validity  Prevent spoofing a valid CGA address RSA Keys Modifier Priv Pub Public Key SHA-1 Subnet Prefix Signature CGA Params Subnet Interface Prefix Identifier SEND Messages Crypto. Generated AddressPresentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 18

Securing Neighbor and Router Advertisements with SEND  Adding a X.509 certificate to RA  Subject Name contains the list of authorized IPv6 prefixes Neighbor Advertisement Trust Source Addr = CGA Anchor CGA param block (incl pub key) X.509 cert Signed X.509 Router Advertisement cert Source Addr = CGA CGA param block (incl pub key) SignedPresentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 19

Eric Vyncke - IPv6 Security Vendor Point of View

by IPv6 Conference

Accessibility

Upload Details

Usage Rights

2 Embeds 2

Statistics

Eric Vyncke - IPv6 Security Vendor Point of View Presentation Transcript

http://www.techgig.com	1
http://www.m.techgig.com	1