Who am I?
Henrik Strøm
Head of IT Security & Telenor CERT manager, Telenor Norway
Agenda
• Types of networks & systems
• Attacker’s point of view
• Defense – What to do
• Further reading
What type of network?
• Home network
• Office network
• Coffee shop
• Mobile Broadband
• Datacenter
• ISP networks
• Mobile networks

What type of system?
• Mobile phone
• iPad / Tablet
• Laptop
• Desktop
• Service
• Server
• RG
Point #1 – IPv6 visibility
Why you don’t disappear in a vast pool of IPv6 addresses:
• bgp.he.net, DNS and Google give a good starting point
• Humans use predictable names and addresses (::1)
• Search space for hosts within a net is limited (~2^24)
• Local multicast gives info on local hosts
• Running netstat on a compromised system
Point #2 – Local attacks
When the attacker is on your local network, the IPv6 security model breaks down in a bad way. It assumes that Local = Trusted!
• Use IPv6 addresses to bypass IPv4 access controls
• Spoof RAs to autoconfigure hosts that support IPv6
• Spoof RAs to become MITM (Gateway & DNS)
Point #3 – Internet connectivity (outbound)
Do you know about all the (IPv6) traffic that is leaving your network? Including what the traffic is doing, and why it is there?
IPv4 traffic towards the Internet may be tightly controlled, but is this the case for IPv6 traffic?
The attacker needs to make outbound communication. IPv6 could be his best option.
Point #4 – Internet connectivity (inbound)
In some networks, a system can be made accessible from the Internet if you enable IPv6 on it. It depends on how routing and filtering are configured.
How does your current IPv6 firewall rule set look? How do you handle fragments and extension headers?
Sometimes IPv6 is enabled on systems by accident… or by (vendor’s) default… but without security.
Point #5 – Tunneling
There are many different IPv6 tunneling mechanisms, meant to be used for transitioning from IPv4. These can be used by an attacker as well.
They could give full inbound and outbound IPv6 connectivity between a compromised system and any other IPv6 host on the Internet, unless you filter all types of IPv6 tunneling in your firewalls.
Point #6 – Denial of Service
• RA flooding – can be used to kill all local Windows machines
• Neighbor Cache Poisoning – replying with attacker’s MAC address
• Duplicate Address Detection DoS – claim that all addresses are taken
• RA spoofing – change default router or change DNS
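Points #2, #4 and #6 all come back to the same two facts: hosts accept Router Advertisements from anyone on the link, and a filter has to walk the extension-header chain before it even sees the ICMPv6 type. The following is an added example (not code from the talk or from Telenor): it parses raw Ethernet/IPv6 frames, follows Hop-by-Hop, Routing, Fragment and Destination Options headers, and flags RAs that fail the RFC 4861 sanity checks (link-local source, hop limit 255) or come from a MAC address outside a router allowlist. The allowlist, the frames and the 02:00:… MAC addresses are constructed for the example.

```python
"""Walk the IPv6 extension-header chain of raw Ethernet frames and flag
suspicious Router Advertisements (RAs).  Added example for Points #2, #4
and #6; frames and router allowlist are constructed here, not captured."""
import ipaddress
import struct

ETHERTYPE_IPV6 = 0x86DD
ICMPV6 = 58
ICMPV6_RA = 134
FRAGMENT = 44
# Extension headers a filter must skip to reach the upper-layer header:
# Hop-by-Hop (0), Routing (43), Fragment (44), Destination Options (60).
EXT_HEADERS = {0, 43, FRAGMENT, 60}

# Hypothetical allowlist: link-layer addresses of the routers we operate.
KNOWN_ROUTER_MACS = {"02:00:00:00:00:01"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def walk_ipv6(frame):
    """Parse Ethernet + IPv6 and follow the header chain.

    Returns (src_mac, src_ip, hop_limit, chain, upper_proto, upper_payload),
    or None if the frame is not IPv6 or is truncated.  For a non-first
    fragment upper_proto is None: the transport header is simply not in
    this packet, which is why fragments matter for a firewall rule set."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    src_mac = mac_str(frame[6:12])
    ip = frame[14:]
    if ip[0] >> 4 != 6:
        return None
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", ip[4:8])
    src_ip = ipaddress.IPv6Address(ip[8:24])
    ip = ip[:40 + payload_len]
    off, chain = 40, []
    while next_hdr in EXT_HEADERS:
        if off + 8 > len(ip):
            return None                          # chain runs past the packet
        chain.append(next_hdr)
        if next_hdr == FRAGMENT:
            frag_field = struct.unpack("!H", ip[off + 2:off + 4])[0]
            if frag_field >> 3:                  # offset != 0: not the first fragment
                return src_mac, src_ip, hop_limit, chain, None, b""
            next_hdr, off = ip[off], off + 8     # fragment header is always 8 bytes
        else:
            next_hdr, off = ip[off], off + (ip[off + 1] + 1) * 8
    return src_mac, src_ip, hop_limit, chain, next_hdr, ip[off:]


def check_ra(frame):
    """Return a list of findings for an RA frame; [] if clean or not an RA.
    Checksums are not verified here (a sniffer would do that first)."""
    parsed = walk_ipv6(frame)
    if parsed is None:
        return []
    src_mac, src_ip, hop_limit, chain, proto, payload = parsed
    if proto != ICMPV6 or len(payload) < 16 or payload[0] != ICMPV6_RA:
        return []
    findings = []
    if src_mac not in KNOWN_ROUTER_MACS:
        findings.append(f"RA from unlisted router MAC {src_mac}")
    if not src_ip.is_link_local:                 # RFC 4861: RA source must be fe80::/10
        findings.append(f"RA source {src_ip} is not link-local")
    if hop_limit != 255:                         # RFC 4861: RA must arrive with hop limit 255
        findings.append(f"RA hop limit {hop_limit} != 255")
    if chain:                                    # a filter keyed on a fixed ICMPv6 offset misses these
        findings.append(f"RA carries extension headers {chain}")
    return findings


def build_frame(src_mac, src_ip, hop_limit, ext_chain, icmp_type):
    """Constructed test frame: Ethernet / IPv6 / extension headers / ICMPv6.
    The ICMPv6 checksum is left at zero on purpose."""
    body = struct.pack("!BBHBBHII", icmp_type, 0, 0, 64, 0, 1800, 0, 0)  # 16-byte RA/NS body
    nh = ICMPV6
    for h in reversed(ext_chain):
        if h == FRAGMENT:
            body = struct.pack("!BBHI", nh, 0, 0, 0x1234) + body   # first fragment, offset 0
        else:
            body = bytes([nh, 0, 1, 4, 0, 0, 0, 0]) + body          # 8-byte header with one PadN option
        nh = h
    ip6 = (struct.pack("!IHBB", 6 << 28, len(body), nh, hop_limit)
           + ipaddress.IPv6Address(src_ip).packed
           + ipaddress.IPv6Address("ff02::1").packed)               # all-nodes multicast
    eth = (bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV6))
    return eth + ip6 + body


if __name__ == "__main__":
    good = build_frame("02:00:00:00:00:01", "fe80::1", 255, [], ICMPV6_RA)
    rogue = build_frame("02:00:00:00:00:99", "fe80::99", 255, [60, FRAGMENT], ICMPV6_RA)
    print("legitimate RA:", check_ra(good))
    print("suspect RA   :", check_ra(rogue))
```

In production the frames would come from a raw socket or pcap on each segment (Defense step 2 below), and the allowlist from your router inventory; the point of the chain walker is that a rule set which only inspects packets with ICMPv6 directly after the fixed IPv6 header will pass the second frame without ever seeing that it is an RA.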
Defense – What to do
1. Decide and know which networks use IPv6, and for what purpose – disable it everywhere else! Both on the network and on the host
2. Monitor your networks for IPv6 traffic
3. Monitor IPv6 in your logs – e.g., (failed) logins over IPv6!
4. Decide how to do IPv6 network security on each of your networks – e.g., where to put firewalls, what to filter, etc.
5. Do IPv6 hardening of clients, servers, routers, networks, etc.
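Step 3 is easy to get wrong because dual-stack daemons log IPv4 clients as IPv4-mapped addresses (`::ffff:a.b.c.d`) and link-local sources carry a `%zone` suffix, so a naive "contains a colon" filter both over- and under-counts. The following is an added example (not from the talk): it scans sshd-style log lines, separates native IPv6 from IPv4 and IPv4-mapped sources, and counts failed logins per IPv6 source. The log lines are constructed for the example and the message layout follows OpenSSH's `Failed password for … from … port …` format.

```python
"""Count failed logins that arrived over native IPv6 in sshd-style log lines.
Added example for Defense step 3; the log lines below are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines (documentation prefixes, not a real host).
SAMPLE_LOG = """\
Apr 14 10:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 14 10:01:09 host sshd[2104]: Failed password for invalid user admin from 2001:db8:1::5 port 40112 ssh2
Apr 14 10:01:15 host sshd[2107]: Accepted publickey for alice from 2001:db8:1::20 port 40120 ssh2
Apr 14 10:02:01 host sshd[2110]: Failed password for root from fe80::1ff:fe23:4567:890a%eth0 port 40130 ssh2
Apr 14 10:02:30 host sshd[2112]: Failed password for root from 2001:db8:1::5 port 40140 ssh2
Apr 14 10:03:00 host sshd[2115]: Failed password for bob from ::ffff:198.51.100.9 port 40150 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)"
)


def strip_zone(addr):
    """Drop a link-local zone suffix such as %eth0 so the address parses."""
    return addr.split("%", 1)[0]


def classify(addr):
    """Return 'v4', 'v6', 'v4-mapped' or 'unknown' for a logged address."""
    try:
        ip = ipaddress.ip_address(strip_zone(addr))
    except ValueError:
        return "unknown"
    if ip.version == 4:
        return "v4"
    if ip.ipv4_mapped is not None:
        return "v4-mapped"      # IPv4 client on a dual-stack socket, logged as ::ffff:a.b.c.d
    return "v6"


def ipv6_failures(log_text):
    """Return a Counter of failed logins per native-IPv6 source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["result"] != "Failed":
            continue
        if classify(m["addr"]) == "v6":
            hits[strip_zone(m["addr"])] += 1
    return hits


if __name__ == "__main__":
    for src, n in ipv6_failures(SAMPLE_LOG).most_common():
        print(f"{n:3d} failed login(s) over IPv6 from {src}")
```

Run against a real auth log the same counter tells you whether anyone is reaching your hosts over IPv6 at all, which is the question step 1 asks; the `v4-mapped` class keeps ordinary IPv4 brute force from being misreported as IPv6 traffic.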
Further reading – Marc Heuse
Further IPv6 Vulnerabilities, Failures - and a Future?
123 slides on IPv6 hacking: http://www.ipv6hacking.info
THC-IPv6 Attack Toolkit: http://www.thc.org/thc-ipv6
“Critical issues are site-local only”
“Security model is from 1995: local = trusted”
Further reading – Fernando Gont
Recent Advances in IPv6 Security
HES 2012 Conference (April 14th): http://2012.hackitoergosum.org
“There’s an insanely large amount of work to be done in the area of IPv6 firewalling”
“Many IPv4 vulnerabilities have been re-implemented in IPv6”
“Still lots of work to be done in IPv6 security”
Conclusions
• IPv6 can be secured – but you must do the work!
• Security is not built-in or turned on by default
• Lots of security issues that you must deal with
• Makes it even more important to monitor logs and analyze your network traffic
• Large network segments are still a bad idea…
• The attacker can use IPv6 even if you don’t!