Gaweł Mikołajczyk. IPv6 insecurities at First Hop
    Presentation Transcript

    • IPv6 insecurities at First Hop. Gaweł Mikołajczyk, gmikolaj@cisco.com
    • IPv6 Neighbor Discovery Fundamentals
      RFC 4861, Neighbor Discovery for IP Version 6 (IPv6); RFC 4862, IPv6 Stateless Address Autoconfiguration.
      Used for: router discovery; IPv6 Stateless Address Autoconfiguration (SLAAC); IPv6 address resolution (replaces ARP); Neighbor Unreachability Detection (NUD); Duplicate Address Detection (DAD); redirection.
      Runs over ICMPv6: ND is a set of ICMPv6 messages carrying message "options".
      Relies heavily on multicast (including L2 multicast).
    • IPv4 to IPv6 – Link model shift
      "An IPv4 link": the DHCP server assigns addresses and announces the default router and the link parameters. The IPv4 link model is DHCP-centric.
      "An IPv6 link": the router announces itself as default router and announces the link parameters; hosts assign their own addresses from the announced prefixes, with DHCP playing a minor role. The IPv6 link model is essentially distributed.
    • Cisco Current Roadmap – Securing Link Operations: IETF SAVI WG, First Hop Trusted Device
      (Diagram: the first-hop device is backed by a certificate server and a time server.)
      Advantages: central administration, central operation; complexity limited to the first hop; transitioning a lot easier; efficient for threats coming from the link; efficient for threats coming from outside.
      Disadvantages: applicable only to certain topologies; requires the first hop to learn about end nodes; the first hop is a bottleneck and a single point of failure.
    • IPv6 Address Resolution – comparing with IPv4 ARP
      Creates a neighbor cache entry, resolving an IPv6 address into a MAC address. Messages: Neighbor Solicitation (NS), Neighbor Advertisement (NA).
      A -> NS, ICMP type = 135 (Neighbor Solicitation): Src = A, Dst = solicited-node multicast address of B, Target = B, Option = link-layer address of A. Query: what is B's link-layer address?
      B -> NA, ICMP type = 136 (Neighbor Advertisement): Src = one of B's interface addresses, Dst = A, Target = B, Option = link-layer address of B.
      A and B can now exchange packets on this link.
    • Attacking IPv6 Address Resolution
      Attacker C can claim the victim's (B's) IPv6 address.
      A -> NS: Dst = solicited-node multicast address of B. Query: what is B's link-layer address?
      C -> NA: Src = B (or any of C's interface addresses), Dst = A, Target = B, Option = link-layer address of C. A now sends B's traffic to C.
      Countermeasures: static cache entries, Address GLEAN, SeND (CGA) on routers, Integrity Guard (Address Watch).
    • Address GLEAN
      Gleaning means inspecting ND, DHCPv6 and data traffic to build the binding table (IPv6 address, MAC, VLAN, interface).
      Binding table: A1 / MACH1 / 100 / P1; A21 / MACH2 / 100 / P2; A22 / MACH2 / 100 / P2; A3 / MACH3 / 100 / P3.
      Sources (hosts H1, H2, H3 on ports P1, P2, P3; DHCP server behind the switch):
        H1: NS [IP source = A1, LLA = MACH1]
        H2: DHCP REQUEST [XID, SMAC = MACH2] and REPLY [XID, IPA21, IPA22]; the switch can also ask the server with DHCP LEASEQUERY / LEASEQUERY_REPLY
        H3: data [IP source = A3, SMAC = MACH3]; DAD NS [IP source = UNSPEC, target = A3]; NA [IP source = A1, LLA = MACH3], which conflicts with the existing A1 / MACH1 binding
    • IPv6 Duplicate Address Detection (DAD)
      Verifies IPv6 address uniqueness: no neighbor claims the address. Required (MUST) by SLAAC, recommended (SHOULD) for DHCP. Messages: Neighbor Solicitation, Neighbor Advertisement.
      A -> NS, ICMP type = 135 (Neighbor Solicitation): Src = UNSPEC (::), Dst = solicited-node multicast address of A, Target = A. Query: does anybody use A already?
      If no NA comes back, node A starts using the address.
    • Attack on DAD
      The attacker answers any victim's DAD attempt. The victim cannot configure an IP address and cannot communicate: a DoS condition.
      A -> NS: Src = UNSPEC, Dst = solicited-node multicast address of A, Target = A. Query: does anybody use A already?
      C -> NA "it's mine!": Src = any of C's interface addresses, Dst = A (on the wire this goes to all-nodes FF02::1, since A has no usable address yet; RFC 4861 section 7.2.4), Target = A, Option = link-layer address of C.
    • Device tracking
      Goal: to track active addresses (devices) on the link.
      Binding table (IPv6, MAC, VLAN, IF, STATE): A1 / MACH1 / 100 / P1 / REACH; A21 / MACH2 / 100 / P2 / REACH; A22 / MACH2 / 100 / P2 / REACH; A3 / MACH3 / 100 / P3 / STALE.
      Address GLEAN feeds the table; device tracking keeps track of the device state, probes devices when they become stale, removes inactive devices from the binding table and records binding creation, deletion and changes.
      Probes: DAD NS [IP source = UNSPEC, target = A1] is answered by NA [target = A1, LLA = MACH1], so A1 is REACH; DAD NS [IP source = UNSPEC, target = A3] is shown unanswered, so A3 stays STALE.
    • IPv6 Source Guard
      Validates the source address of IPv6 traffic sourced from the link against the binding table.
      Binding table (IPv6, MAC, VLAN, IF), built by Address GLEAN from DAD NS [IP source = UNSPEC, target = A3], NA [target = A1, LLA = MACA3] (conflicts with A1 / MACA1), DHCP LEASEQUERY / LEASEQUERY_REPLY, ...: A1 / MACA1 / 100 / P1; A21 / MACA21 / 100 / P2; A22 / MACA22 / 100 / P2; A3 / MACA3 / 100 / P3.
      P1: data, src = A1, SMAC = MACA1 – allowed
      P2: data, src = A21, SMAC = MACA21 – allowed
      P3: data, src = A3, SMAC = MACA3 – allowed
      Allow traffic sourced with a known IP/SMAC pair; deny traffic sourced with an unknown IP/SMAC pair.
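    The three switch-side mechanisms described on the Address GLEAN, Device tracking and Source Guard slides, and the NA spoof from the "Attacking IPv6 Address Resolution" slide, as one added example that is not from the deck and not Cisco's code. It models a binding table fed by constructed link events (DAD NS, DHCPv6 reply, data, NA), refuses a claim for an address that is already bound to a different MAC/port (Integrity Guard / address watch) and applies the Source Guard allow/deny rule. The host and port labels follow the slides; the concrete addresses, MACs and the event order are assumptions made for this example.

```python
"""Added example, not from the deck: a toy switch-side binding table that
models Address GLEAN, Integrity Guard (address watch) and IPv6 Source Guard
over one constructed stream of link events. Host/port labels (H1..H3, A1,
A21, A22, A3, P1..P3) follow the slides; the addresses, MACs and the order
of events are assumptions made for this example."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address

# Constructed sample values standing in for the slide's labels.
A1, A21, A22, A3 = "2001:db8:100::1", "2001:db8:100::21", "2001:db8:100::22", "2001:db8:100::3"
MACH1, MACH2, MACH3 = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"


@dataclass
class Binding:
    mac: str
    vlan: int
    port: str
    state: str = "REACH"


@dataclass
class BindingTable:
    entries: dict = field(default_factory=dict)   # IPv6Address -> Binding
    alerts: list = field(default_factory=list)

    def learn(self, ip, mac, vlan, port, source):
        """GLEAN: create a binding, or refuse and log a claim that conflicts
        with an existing one (Integrity Guard / address watch)."""
        ip = IPv6Address(ip)
        cur = self.entries.get(ip)
        if cur is None:
            self.entries[ip] = Binding(mac, vlan, port)
            return True
        if (cur.mac, cur.vlan, cur.port) == (mac, vlan, port):
            cur.state = "REACH"            # same owner seen again: refresh
            return True
        self.alerts.append(
            f"{source}: {ip} is bound to {cur.mac} on {cur.port}, "
            f"claimed by {mac} on {port}")
        return False

    def glean(self, ev):
        """Feed one link event; returns True if it was accepted."""
        kind = ev["type"]
        if kind == "DAD_NS":                       # src is ::, target is the tentative address
            return self.learn(ev["target"], ev["smac"], ev["vlan"], ev["port"], kind)
        if kind in ("NS", "NA"):                   # IPv6 source + link-layer address option
            return self.learn(ev["src"], ev["lla"], ev["vlan"], ev["port"], kind)
        if kind == "DHCP_REPLY":                   # leased addresses belong to the requesting MAC
            return all(self.learn(a, ev["smac"], ev["vlan"], ev["port"], kind)
                       for a in ev["addrs"])
        if kind == "DATA":
            return self.learn(ev["src"], ev["smac"], ev["vlan"], ev["port"], kind)
        raise ValueError(f"unknown event type {kind}")

    def source_guard(self, src, smac, port):
        """Source Guard: forward only if (IPv6, SMAC) is bound on this port."""
        b = self.entries.get(IPv6Address(src))
        return b is not None and b.mac == smac and b.port == port


def run_demo():
    """Replays the slide's glean sequence plus the NA spoof from the
    'Attacking IPv6 Address Resolution' slide; returns (table, accepted)."""
    t = BindingTable()
    events = [
        {"type": "DAD_NS", "target": A1, "smac": MACH1, "vlan": 100, "port": "P1"},
        {"type": "DHCP_REPLY", "addrs": [A21, A22], "smac": MACH2, "vlan": 100, "port": "P2"},
        {"type": "DATA", "src": A3, "smac": MACH3, "vlan": 100, "port": "P3"},
        # Attacker H3 answers a lookup for A1 with its own link-layer address.
        {"type": "NA", "src": A1, "lla": MACH3, "vlan": 100, "port": "P3"},
    ]
    accepted = [t.glean(e) for e in events]
    return t, accepted


if __name__ == "__main__":
    table, accepted = run_demo()
    for ip, b in table.entries.items():
        print(f"{str(ip):<20} {b.mac} vlan {b.vlan} {b.port} {b.state}")
    print("alerts:", *table.alerts, sep="\n  ")
    print("P1 data from A1/MACH1 allowed:", table.source_guard(A1, MACH1, "P1"))
    print("P3 data from A1/MACH3 allowed:", table.source_guard(A1, MACH3, "P3"))
```

    The spoofed NA is rejected because the table already has an owner for A1; the same check is what stops the DAD attack from the next slides from overwriting a legitimate binding. Source Guard then drops anything from P3 that claims A1, whatever the ND cache of the hosts believes.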
    • Why should you care about router stealing?
      Is there an IPv6 network?
        $ ifconfig en1
        en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                ether 00:26:bb:xx:xx:xx
                inet6 fe80::226:bbff:fexx:xxxx%en1 prefixlen 64 scopeid 0x6
                inet netmask 0xfffffe00 broadcast
                media: autoselect
                status: active
      Are there any IPv6 peers?
        $ ping6 -I en1 ff02::1%en1
        PING6(56=40+8+8 bytes) fe80::226:bbff:fexx:xxxx%en1 --> ff02::1
        16 bytes from fe80::226:bbff:fexx:xxxx%en1, icmp_seq=0 hlim=64 time=0.140 ms
        . . .
        16 bytes from fe80::cabc:c8ff:fec3:fdef%en1, icmp_seq=3 hlim=64 time=402.112 ms
        ^C
        --- ff02::1%en1 ping6 statistics ---
        4 packets transmitted, 4 packets received, +142 duplicates, 0.0% packet loss
        round-trip min/avg/max/std-dev = 0.140/316.721/2791.178/412.276 ms
      Configure a tunnel, enable forwarding, transmit RA:
        $ ndp -an
        Neighbor                              Linklayer Address  Netif Expire    St Flgs Prbs
        2001:xxxx:xxxx:1:3830:abff:9557:e33c  0:24:d7:5:6b:f0    en1   23h59m30s S
        . . .
        $ ndp -an | wc -l
              64
      The "+142 duplicates" are the other nodes on the link answering the all-nodes ping; after the RA, the neighbor cache holds 63 entries (64 lines minus the header) with addresses built from the advertised prefix.
    • IPv6 Router Discovery
      Find default / first-hop routers; discover on-link prefixes, i.e. which destinations are neighbors. Messages: Router Advertisements (RA), Router Solicitations (RS).
      A -> RS, ICMP type = 133 (Router Solicitation): Src = UNSPEC (or the host's link-local address), Dst = all-routers multicast address (FF02::2). Query: please send RA.
      B -> RA, ICMP type = 134 (Router Advertisement): Src = router link-local address, Dst = all-nodes multicast address (FF02::1), Data = router lifetime, retrans timer, autoconfig flags; Option = prefix, lifetime.
      A uses B as default gateway.
    • Attacking IPv6 Router Discovery
      The attacker tricks the victim into accepting him as default router, based on rogue Router Advertisements. This is the most frequent threat, and it usually comes from a non-malicious user.
      C -> RA: Src = B's link-local address, Dst = all-nodes, Data = router lifetime = 0 (removes B from A's default router list).
      C -> RA: Src = C's link-local address, Dst = all-nodes, Data = router lifetime, autoconfig flag; Options = subnet prefix, SLLA.
      Result: node A sends its off-link traffic to C.
    • IPv6 RA-Guard – Securing Router Discovery
      C -> RA "I am the default gateway", Option: prefix(es). The switch verifies the Router Advertisement; only if verification succeeds is the RA forwarded to A.
      The switch selectively accepts or rejects RAs based on various criteria: ACL (configuration) based, learning based or challenge (SeND) based. Hosts see only allowed RAs, and only RAs with allowed content.
      More countermeasures: static routing, SeND, VLAN segmentation, PACL.
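    The ACL-based variant of RA-Guard from this slide, applied to the rogue RA sequence of the previous slide, as an added example that is not from the deck and not Cisco's implementation. It builds Router Advertisements as raw ICMPv6 bytes in the RFC 4861 layout (checksum left at zero because nothing is sent), parses the source link-layer and prefix information options, and decides per switch port: host ports drop every RA, router ports forward an RA only when its SLLA and every advertised prefix are on the allow list. Port names, MACs and prefixes are constructed for this example.

```python
"""Added example, not from the deck: a software RA-Guard over raw ICMPv6
Router Advertisements (RFC 4861 section 4.2 layout, checksum left 0 because
nothing is sent). Port names, MACs and prefixes are constructed."""
import struct
from ipaddress import IPv6Address, IPv6Network

ND_ROUTER_ADVERT = 134
OPT_SLLA, OPT_PREFIX_INFO = 1, 3

# Constructed link: router B on a router-facing port, attacker C on a host port.
ROUTER_B = "00:00:5e:00:53:b0"
ATTACKER_C = "00:00:5e:00:53:c0"
GOOD_PREFIX = "2001:db8:1::/64"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_ra(router_lifetime, slla, prefixes, flags=0x00):
    """Constructed RA: ICMPv6 header (type, code, checksum, cur hop limit,
    M/O flags, router lifetime, reachable time, retrans timer), then a
    source link-layer option and one prefix information option per prefix."""
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags,
                      router_lifetime, 0, 0)
    pkt += struct.pack("!BB6s", OPT_SLLA, 1, mac_bytes(slla))
    for net, valid, preferred in prefixes:
        net = IPv6Network(net)
        pkt += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                           0xC0, valid, preferred, 0,        # L and A flags set
                           net.network_address.packed)
    return pkt


def parse_ra(pkt):
    """Return router lifetime, M flag, SLLA and prefix options. Options are
    TLVs with the length in 8-byte units; a zero length MUST be rejected."""
    typ, _code, _csum, _hlim, flags, lifetime, _reach, _retrans = \
        struct.unpack_from("!BBHBBHII", pkt, 0)
    if typ != ND_ROUTER_ADVERT:
        raise ValueError(f"not an RA: type {typ}")
    ra = {"lifetime": lifetime, "managed": bool(flags & 0x80),
          "slla": None, "prefixes": []}
    off = 16
    while off < len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0 or off + olen * 8 > len(pkt):
            raise ValueError("malformed option")
        body = pkt[off + 2:off + olen * 8]
        if otype == OPT_SLLA:
            ra["slla"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO:
            plen, _pflags, valid, preferred, _r, prefix = struct.unpack("!BBIII16s", body)
            net = IPv6Network((IPv6Address(prefix), plen), strict=False)
            ra["prefixes"].append((net, valid, preferred))
        off += olen * 8
    return ra


class RAGuard:
    """ACL-style policy: which ports may carry RAs, from which routers,
    and which prefixes those RAs may announce."""

    def __init__(self, router_ports, allowed_routers, allowed_prefixes):
        self.router_ports = set(router_ports)
        self.allowed_routers = {m.lower() for m in allowed_routers}
        self.allowed_prefixes = [IPv6Network(p) for p in allowed_prefixes]

    def verify(self, port, pkt):
        """Return (forward, reason): forward only when verification succeeds."""
        if port not in self.router_ports:
            return False, f"{port}: host port, RA dropped"
        try:
            ra = parse_ra(pkt)
        except ValueError as e:
            return False, f"{port}: {e}"
        if ra["slla"] not in self.allowed_routers:
            return False, f"{port}: unknown router SLLA {ra['slla']}"
        for net, _valid, _preferred in ra["prefixes"]:
            if not any(net.subnet_of(a) for a in self.allowed_prefixes):
                return False, f"{port}: prefix {net} not allowed"
        return True, f"{port}: RA from {ra['slla']} lifetime={ra['lifetime']} forwarded"


def run_demo():
    guard = RAGuard(router_ports={"Gi1/0/1"}, allowed_routers={ROUTER_B},
                    allowed_prefixes={GOOD_PREFIX})
    good = build_ra(1800, ROUTER_B, [(GOOD_PREFIX, 2592000, 604800)])
    # Rogue sequence from the slide: a lifetime-0 RA spoofing B, then C's own
    # RA with a bogus prefix; both arrive on C's host port Gi1/0/7.
    kill_b = build_ra(0, ROUTER_B, [])
    rogue = build_ra(1800, ATTACKER_C, [("2001:db8:bad::/64", 2592000, 604800)])
    bad_via_router = build_ra(1800, ROUTER_B, [("2001:db8:bad::/64", 2592000, 604800)])
    return {
        "good": guard.verify("Gi1/0/1", good),
        "kill_b": guard.verify("Gi1/0/7", kill_b),
        "rogue": guard.verify("Gi1/0/7", rogue),
        "bad_prefix": guard.verify("Gi1/0/1", bad_via_router),
    }


if __name__ == "__main__":
    for name, (forward, reason) in run_demo().items():
        print(f"{name:<11} forward={forward}  {reason}")
```

    The "host mode" RA-guard of the Phase I slide is the first branch of verify (every RA on a host port is dropped); the prefix check is what the later Prefix Guard adds on top.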
    • IPv6 Stateless Address Auto-Configuration (SLAAC)
      Stateless, based on the prefix information delivered in Router Advertisements. Messages: Router Advertisements, Router Solicitations.
      A -> RS, ICMP type = 133 (Router Solicitation): Src = UNSPEC (or the host's link-local address), Dst = all-routers multicast address (FF02::2). Query: please send RA.
      B -> RA, ICMP type = 134 (Router Advertisement): Src = router link-local address, Dst = all-nodes multicast address (FF02::1), Data = router lifetime, retrans timer, autoconfig flag; Options = prefixes X, Y, Z with lifetimes.
      A computes X::x, Y::y, Z::z, DADs them (NS), and then sources traffic with X::x, Y::y, Z::z.
    • Attacking IPv6 Stateless Address Auto-Configuration
      The attacker spoofs a Router Advertisement with a false on-link prefix; the victim generates an IP address with this prefix; the access router drops the victim's outgoing packets (ingress filtering); incoming packets cannot reach the victim.
      C -> RA: Src = B's link-local address, Dst = all-nodes, Options = prefix X, preferred lifetime = 0. A deprecates X::A.
      C -> RA: Src = B's link-local address, Dst = all-nodes, Options = prefix BAD, preferred lifetime > 0. A computes BAD::A and DADs it.
      Node A sources off-link traffic to B with BAD::A; router B filters out BAD::A.
    • Cryptographically Generated Addresses (CGA), RFC 3972 (simplified)
      Each device has an RSA key pair (no need for a certificate). Ultra light check for validity. Prevents spoofing a valid CGA address.
      Construction: the CGA Parameters (Modifier, Subnet Prefix, Public Key) are hashed with SHA-1; the hash becomes the Interface Identifier, which together with the Subnet Prefix forms the Crypto. Generated Address. SeND messages carry the CGA Parameters and a Signature made with the private key.
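    The CGA construction and the "ultra light" verification from this slide carried through per RFC 3972, as an added example that is not from the deck. The public key is a constructed byte string standing in for the DER-encoded RSA public key, and the SeND signature made with the private key is not part of this block; what it shows is how Hash1 becomes the interface identifier, how the Sec value is encoded in the address and enforced through Hash2, and why a verifier needs only one SHA-1 to reject an address that was not derived from the claimed parameters.

```python
"""Added example, not from the deck: CGA generation and verification per
RFC 3972. PUBKEY_DER is a constructed stand-in for the DER-encoded RSA
public key; signing SeND messages is outside this block."""
import hashlib
from ipaddress import IPv6Address, IPv6Network

PUBKEY_DER = bytes(range(64))     # constructed stand-in for the encoded public key


def cga_params(modifier, prefix8, collision_count, pubkey):
    """CGA Parameters: modifier (16) || subnet prefix (8) || collision count (1) || public key."""
    return modifier + prefix8 + bytes([collision_count]) + pubkey


def hash1(params):
    return hashlib.sha1(params).digest()[:8]           # leftmost 64 bits


def hash2(modifier, pubkey):
    # Hash2 covers the modifier, 9 zero bytes (prefix + collision count) and the key.
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]   # leftmost 112 bits


def leading_zero_bits(data):
    bits = 0
    for b in data:
        if b:
            return bits + 8 - b.bit_length()
        bits += 8
    return bits


def interface_id(h1, sec):
    iid = bytearray(h1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)    # bits 0-2 = Sec, bits 6 and 7 (u/g) = 0
    return bytes(iid)


def generate_cga(prefix, pubkey, sec):
    """Return (address, CGA Parameters). The modifier search is the
    Sec-dependent work factor: Hash2 must start with 16*Sec zero bits.
    Starting the modifier at 0 instead of a random value is a simplification
    made here for reproducibility."""
    prefix8 = IPv6Network(prefix).network_address.packed[:8]
    modifier = 0
    while leading_zero_bits(hash2(modifier.to_bytes(16, "big"), pubkey)) < 16 * sec:
        modifier += 1
    params = cga_params(modifier.to_bytes(16, "big"), prefix8, 0, pubkey)
    addr = IPv6Address(prefix8 + interface_id(hash1(params), sec))
    return addr, params


def verify_cga(addr, params):
    """RFC 3972 section 5: cheap check that addr was derived from params.
    Sec is read from the address. Returns the public key on success (the
    caller then verifies the SeND signature with it), else None."""
    addr = IPv6Address(addr)
    modifier, prefix8, collisions, pubkey = params[:16], params[16:24], params[24], params[25:]
    if collisions > 2 or prefix8 != addr.packed[:8]:
        return None
    sec = addr.packed[8] >> 5
    if interface_id(hash1(params), sec) != addr.packed[8:]:
        return None
    if leading_zero_bits(hash2(modifier, pubkey)) < 16 * sec:
        return None
    return pubkey


if __name__ == "__main__":
    addr, params = generate_cga("2001:db8:1::/64", PUBKEY_DER, sec=1)
    print("CGA:", addr, "modifier:", params[:16].hex())
    print("verify:", verify_cga(addr, params) is not None)
    forged = params[:25] + bytes(64)   # attacker substitutes his own key
    print("verify forged params:", verify_cga(addr, forged) is not None)
```

    An attacker who wants to claim a victim's CGA has to find a key pair whose parameters hash to the same 59 free bits of the interface identifier (plus the Hash2 work for Sec > 0); without that, a single SHA-1 on the receiving router is enough to discard the spoofed NA, which is the "SeND (CGA) on routers" countermeasure of the address resolution slide.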
    • Using SeND for router authorization
      Certificate Authority CA0 (certificate C0) contains the list of authorized IPv6 prefixes. Provisioning (steps 1-3): the router certificate CR is requested from and issued by CA0 to router R, and host A is provisioned with CA0's certificate.
      R -> host A: ROUTER ADVERTISEMENT (SRC = R).
      4. A -> Certificate Path Solicit (CPS): "I trust CA0, who are you, R?"
      5. R -> Certificate Path Advertise (CPA): "I am R, this is my certificate CR signed by CA0."
      6. A verifies CR against CA0.
      7. A verifies router legitimacy and address ownership, then inserts R as default route.
      Each node takes care of its own security.
    • SeND Deployment – Challenges with boundaries
      (Diagram: CAs, routers and hosts on both sides of an ADMINISTRATIVE BOUNDARY.)
      Nodes must be provisioned with CA certificate(s). A chain of trust is easy to establish within the administrative boundaries, but very hard outside. Very few IPv6 stacks support SeND today.
    • Reconnaissance in IPv6?
      Easy with multicast: no need for address scanning any more.
      Three site-local multicast addresses (not enabled by default): FF05::2 all routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers.
      Several link-local multicast addresses (enabled by default): FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, ...
      Example: Source = attacker, Destination = FF05::1:3, Payload = DHCP attack; one packet reaches 2001:db8:2::50, 2001:db8:1::60 and 2001:db8:3::70.
      http://www.iana.org/assignments/ipv6-multicast-addresses/
    • Remote address resolution cache exhaustion
      Attacker X on the Internet scans the 2^64 addresses of the gateway's PFX::/64 (ping PFX::a, PFX::b, ... PFX::z). For each one the gateway sends an NS to the solicited-node multicast address of PFX::a, PFX::b, ... (query: what is PFX::a's link-layer address?) and keeps resolution state for about 3 seconds.
      Countermeasures: address provisioning mechanisms and filtering on routers, Destination Guard on switches.
    • Destination guard – mitigating cache exhaustion
      (Diagram: Internet -> L3 switch with a binding table, fed by address glean, and a neighbor cache -> host B.) A scanner sends packets with Dst = D1 ... Dn in P/64; for each destination the switch looks it up in the binding table: not found -> drop, found -> forward the packet.
      Mitigates prefix-scanning attacks and protects the ND cache. Useful at the last-hop router and on the L3 distribution switch. Drops packets for destinations without a binding entry.
    • Mitigating Remote Neighbor Cache Exhaustion
      Built-in rate limiter, but no option to tune it.
      Since IOS 15.1(3)T: ipv6 nd cache interface-limit. On IOS-XE 2.6: ipv6 nd resolution data limit.
      Destination Guard is coming with First Hop Security phase 3.
      Using a /64 on point-to-point links gives a lot of addresses to scan; using /127 could help (RFC 6164).
      Internet edge/presence is a target of choice: use an ingress ACL permitting traffic only to specific, statically configured (virtual) IPv6 addresses.
      Using an infrastructure ACL prevents this scanning. iACL: an edge ACL denying packets addressed to your routers. Easy with IPv6, because a new addressing scheme can be done.
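    The cache exhaustion scan of the previous slides, run against the two mitigations named here (an interface ND cache limit and Destination Guard), as an added simulation that is not from the deck and not Cisco's implementation. The router model is deliberately simplified (no timers, no NS retransmissions); the prefix, the limit and the scan size are assumptions made for this example.

```python
"""Added example, not from the deck: a simulation of remote neighbor cache
exhaustion and of two mitigations, an ND cache limit per interface and
Destination Guard (drop packets whose destination has no binding entry).
Prefix, limit and scan size are assumptions; the router model is simplified."""
from ipaddress import IPv6Network
from random import Random

PFX = "2001:db8:1::/64"     # constructed customer prefix behind the gateway


class LastHopRouter:
    """Forwards into PFX::/64. An unknown on-link destination triggers address
    resolution: an INCOMPLETE cache entry plus a multicast NS on the link."""

    def __init__(self, prefix, cache_limit=None, binding_table=None):
        self.prefix = IPv6Network(prefix)
        self.cache_limit = cache_limit        # analogue of 'ipv6 nd cache interface-limit'
        self.binding_table = binding_table    # None = Destination Guard off
        self.cache = {}                       # IPv6Address -> "INCOMPLETE" | "REACHABLE"
        self.ns_sent = 0
        self.dropped = 0

    def incomplete(self):
        return sum(1 for s in self.cache.values() if s == "INCOMPLETE")

    def forward(self, dst):
        if dst not in self.prefix:
            return "not on-link"
        if dst in self.cache:
            return self.cache[dst]
        if self.binding_table is not None and dst not in self.binding_table:
            self.dropped += 1                 # Destination Guard: no binding, no NS, no entry
            return "dropped(dest-guard)"
        if self.cache_limit is not None and self.incomplete() >= self.cache_limit:
            self.dropped += 1                 # cache limit reached: existing entries survive
            return "dropped(cache-limit)"
        self.cache[dst] = "INCOMPLETE"
        self.ns_sent += 1                     # NS to the solicited-node multicast group
        return "INCOMPLETE"

    def ns_answered(self, dst):
        """A real host replied with NA: the entry becomes usable."""
        self.cache[dst] = "REACHABLE"


def scan(router, n, seed=0):
    """Attacker on the Internet pings n random addresses inside the /64."""
    rng = Random(seed)
    for _ in range(n):
        router.forward(router.prefix[rng.getrandbits(64)])


def compare(n=2000, limit=128):
    """Run the same scan against three configurations; returns, per
    configuration, (INCOMPLETE entries left, NS sent, packets dropped)."""
    real_hosts = {IPv6Network(PFX)[1], IPv6Network(PFX)[2]}   # what glean would know
    results = {}
    for name, r in [
        ("no mitigation", LastHopRouter(PFX)),
        ("cache limit", LastHopRouter(PFX, cache_limit=limit)),
        ("destination guard", LastHopRouter(PFX, binding_table=real_hosts)),
    ]:
        for h in sorted(real_hosts):          # legitimate traffic before the scan
            r.forward(h)
            r.ns_answered(h)
        scan(r, n)
        results[name] = (r.incomplete(), r.ns_sent, r.dropped)
    return results


if __name__ == "__main__":
    for name, (inc, ns, dropped) in compare().items():
        print(f"{name:<18} incomplete={inc:<5} ns_sent={ns:<5} dropped={dropped}")
```

    The numbers make the trade-off visible: the cache limit bounds the router's state and the NS storm on the link, but once the attacker has filled the allowed slots a new legitimate host cannot be resolved either; Destination Guard sends no NS at all for unbound destinations, which is why it is the better fit where the switch already gleans bindings, and why the iACL / ingress ACL advice matters at the Internet edge, where there is no binding table to consult.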
    • Detecting native IPv6 traffic. Example: ICMPv6 traffic for Neighbor Discovery / Router Advertisements.
    • Usage of dual-stack on all engines (service HTTP).
    • What your IPS should support now
      Detect IPv6 tunnels in IPv4: IPv6 in IPv4; IPv6 in MPLS tunnel; Teredo (destination IP address, source port, destination port, data packet).
      And more? Detect DNS requests for ISATAP; detect traffic to the 6to4 anycast server.
    • Intrusion Prevention for L2 Security: ICMPv6 signatures for attack mitigation and visibility, including NA, NS, RA, RS.
    • IPS for Virtual Switching with ERSPAN
      Extends the local SPAN to send packets outside the local host (VEM); can be used to monitor the traffic on a virtual switch remotely.
      One or more sources: type Ethernet, Vethernet, Port-Channel, VLAN; direction Receive (ingress) / Transmit (egress) / Both.
      IP-based destination; the ERSPAN ID provides segmentation. (Diagram: NEXUS 1000v on ESXi with VMs, Management, Console and VMkernel interfaces, ERSPAN destinations ID:1 and ID:2, NAM.)
      Permit protocol type header 0x88be for ERSPAN GRE.
    • Features for IPv6 First-Hop Security
      Switches do/will integrate a set of monitoring, inspection and guard features for a variety of security-centric purposes:
      1. RA-guard
      2. NDP address glean/inspection (NDP + DHCP + data)
      3. Integrity guard (address watch / ownership enforcement)
      4. Device tracking
      5. DHCP-guard
      6. DAD/Resolution proxy
      7. Source-guard (SAVI)
      8. Destination-guard
      9. DHCP L2 relay
      Ask your vendor for current support and a serious roadmap. cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html
    • First Hop Security Phase I in 2010 – Protecting against Rogue RA
      Port ACL (see later) blocks all ICMPv6 Router Advertisements from hosts:
        interface FastEthernet3/13
         switchport mode access
         ipv6 traffic-filter ACCESS_PORT in
         access-group mode prefer port
      RA-guard feature in host mode (12.2(33)SXI4 & 12.2(54)SG): also drops all RAs received on this port:
        interface FastEthernet3/13
         switchport mode access
         ipv6 nd raguard
         access-group mode prefer port
    • IPv6 Snooping Phase II and III
      Phase II: DHCP Guard, Source Guard, multi-switch operation, RA Throttler, NDP Multicast Suppress.
      Phase III: Destination Guard, Prefix Guard, DAD Proxy, Binding Table Recovery, SVI support.
    • The bottom line
      Look inside NetFlow records: protocol 41 (IPv6 over IPv4 or 6to4 tunnels), the IPv4 address of the 6to4 anycast server, UDP 3544 (the public part of Teredo, yet another tunnel).
      Look into DNS server logs for resolution of ISATAP.
      Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks now.
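    The "look inside NetFlow records" and "look into DNS server logs" advice turned into a small triage script, as an added example that is not from the deck. It reads flow records in a constructed CSV layout and constructed DNS query log lines and flags the tunnel indicators the slide lists: IP protocol 41, UDP 3544 (Teredo), destinations in the 6to4 relay anycast prefix 192.88.99.0/24 (the well-known value from RFC 3068, added here because the slide leaves the address out), and lookups of isatap.<domain>. Both the field layout and the sample data are assumptions made for this example.

```python
"""Added example, not from the deck: flag IPv6-over-IPv4 tunnel indicators
in constructed NetFlow-style CSV records and DNS query log lines. The CSV
layout, the log format and every sample value are constructed."""
import csv
from io import StringIO
from ipaddress import ip_address, ip_network

SIXTO4_ANYCAST = ip_network("192.88.99.0/24")   # 6to4 relay anycast prefix, RFC 3068
TEREDO_PORT = 3544

# Constructed flow export: src,dst,proto,sport,dport,bytes
FLOWS = """src,dst,proto,sport,dport,bytes
10.1.2.33,203.0.113.10,6,51234,443,8800
10.1.2.44,192.88.99.1,41,0,0,1200
10.1.2.44,198.51.100.7,41,0,0,4096
10.1.2.55,203.0.113.20,17,49152,3544,640
10.1.2.66,10.1.2.1,17,5353,53,90
"""

# Constructed DNS query log lines.
DNS_LOG = """\
12:00:01 client 10.1.2.77 query: isatap.example.com. IN A
12:00:02 client 10.1.2.33 query: www.example.com. IN AAAA
12:00:03 client 10.1.2.88 query: ISATAP.corp.example. IN A
"""


def classify_flow(rec):
    """Return the list of tunnel indicators matched by one flow record."""
    proto, dport = int(rec["proto"]), int(rec["dport"])
    dst = ip_address(rec["dst"])
    hits = []
    if proto == 41:
        hits.append("IPv6 over IPv4 (IP protocol 41: 6in4 / 6to4)")
    if dst in SIXTO4_ANYCAST:
        hits.append("6to4 relay anycast destination")
    if proto == 17 and dport == TEREDO_PORT:
        hits.append("Teredo (UDP 3544)")
    return hits


def scan_flows(text):
    """(src, dst, indicator) for every flow that matches at least one rule."""
    findings = []
    for rec in csv.DictReader(StringIO(text)):
        for hit in classify_flow(rec):
            findings.append((rec["src"], rec["dst"], hit))
    return findings


def scan_dns(text):
    """Log lines resolving isatap.<domain>: ISATAP clients find their router
    through exactly this name, so the lookup itself is the indicator."""
    hits = []
    for line in text.splitlines():
        _, _, rest = line.partition("query: ")
        name = rest.split()[0].lower() if rest else ""
        if name.split(".")[0] == "isatap":
            hits.append(line)
    return hits


if __name__ == "__main__":
    for src, dst, hit in scan_flows(FLOWS):
        print(f"{src:<12} -> {dst:<15} {hit}")
    for line in scan_dns(DNS_LOG):
        print("ISATAP lookup:", line)
```

    Protocol 41 and UDP 3544 are the cheap filters; in a real export also keep the byte counts, because a Teredo client that only sends qualification probes looks very different from one carrying a full IPv6 session through your IPv4-only perimeter.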
    • THANK YOU.