IPv6: Under the Hood - Mark Dowd


1. IPv6: Under The Hood
   Mark Dowd, Principal Security Architect, [email_address]

2. Overview
   - IP version 4 (IPv4) is a core component of the Internet's TCP/IP suite
   - Time-tested, well-understood and extensively studied protocol
   - Has some shortcomings when addressing the changing needs of the Internet (limited address space, security issues, functionality limitations, and inefficiencies)
   - IP version 6 (IPv6) is IPv4's successor, and attempts to address these shortcomings

3. Why IPv6?
   - IPv6 is the next-generation Internet workhorse protocol
   - Many OSs have IPv6 support (Linux, Windows XP (SP2 and later)/2003/Vista, *BSD, ...)
   - IPv4 protocol stacks are time-tested and proven to work in untrusted and uncertain environments; IPv6 stacks are not
   - Many OSs have fresh stacks that are ripe for the hacking
   - Same with firewall technologies targeted at IPv6
   - IPv6 connectivity over the Internet is increasingly being made available

4. Covered in this Speech
   - Some of the basic building blocks of IPv6
   - Some of the inherent weaknesses in the IPv6 protocol design
   - Problem areas in host OS stack implementations
   - Firewall/IDS/IPS bypassing techniques

5. IPv6 Addressing
   - IPv6 addresses are 128 bits long
   - Written as eight 16-bit words in hexadecimal, separated by colons (':')
   - Example: 0102:0304:0506:0708:090a:0b0c:0d0e:0f00
   - One run of consecutive all-zero words may be compressed to "::" (only once per address, otherwise the address would be ambiguous)
   - Example: 0102:0000:0000:0000:090a:0b0c:0d0e:0f00 -> 0102::090a:0b0c:0d0e:0f00

6. IPv6 Addressing
   - Link-local addresses (fe80::/10, in practice always fe80::/64) are only valid on the local physical link and are never routed
   - Every IPv6-enabled network interface must have a link-local address
   - Usually an interface auto-configures its link-local address when it is enabled (more on this later)
   - Site-local addresses (fec0::/10) were meant for internal networks, much like 192.168.0.0/16 and similar ranges in IPv4 (deprecated by RFC 3879, but older stacks still recognise and special-case them)

7. IPv6 Addressing
   - Unique local addresses (fc00::/7) are unique network ranges within an organization, the intended replacement for site-local
   - Global unicast addresses (2000::/3) are public, routable addresses
   - IPv6 has multicast addresses (ff00::/8) for sending packets to groups of nodes simultaneously. There is no broadcast in IPv6; the link-local all-nodes group ff02::1 takes its place
   - There are also anycast addresses, which are like multicast except that a packet is delivered to only one node in the group (the nearest one)
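Added example (not from Dowd's slides): a hand-written parser, compressor and prefix classifier for the textual and address-class rules on slides 5 to 7. The code and the addresses in it are my own constructed illustration; the classifier covers the classes the deck names plus loopback, unspecified and IPv4-mapped, since those are exactly the cases the error-generation and routing slides later say a stack has to special-case.

```python
import struct

def parse_ipv6(text):
    """Expand an IPv6 address in colon-hex notation to 16 raw bytes.
    Dotted-quad suffixes (::ffff:1.2.3.4) are not handled here; use hex."""
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_words = head.split(":") if head else []
        tail_words = tail.split(":") if tail else []
        missing = 8 - len(head_words) - len(tail_words)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero word")
        words = head_words + ["0"] * missing + tail_words
    else:
        words = text.split(":")
    if len(words) != 8:
        raise ValueError("expected eight 16-bit words")
    vals = []
    for w in words:
        if not 1 <= len(w) <= 4 or any(c not in "0123456789abcdefABCDEF" for c in w):
            raise ValueError("bad word %r" % w)
        vals.append(int(w, 16))
    return struct.pack("!8H", *vals)

def compress_ipv6(raw):
    """RFC 5952 text form: lowercase hex, no leading zeros, and the longest
    run of zero words (at least two; leftmost on ties) replaced by '::'."""
    words = struct.unpack("!8H", raw)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if words[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and words[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexw = ["%x" % w for w in words]
    if best_len < 2:
        return ":".join(hexw)
    return ":".join(hexw[:best_start]) + "::" + ":".join(hexw[best_start + best_len:])

def classify(raw):
    """Address class by prefix, in the order a stack would test them."""
    if raw[:10] == b"\x00" * 10 and raw[10:12] == b"\xff\xff":
        return "ipv4-mapped"          # ::ffff:a.b.c.d carries an IPv4 address
    if raw == b"\x00" * 16:
        return "unspecified"
    if raw == b"\x00" * 15 + b"\x01":
        return "loopback"
    if raw[0] == 0xff:
        return "multicast"            # ff00::/8; IPv6 has no broadcast
    if raw[0] == 0xfe and (raw[1] & 0xc0) == 0x80:
        return "link-local"           # fe80::/10
    if raw[0] == 0xfe and (raw[1] & 0xc0) == 0xc0:
        return "site-local"           # fec0::/10, deprecated but still parsed
    if (raw[0] & 0xfe) == 0xfc:
        return "unique-local"         # fc00::/7
    if (raw[0] & 0xe0) == 0x20:
        return "global-unicast"       # 2000::/3
    return "other"

def mapped_ipv4(raw):
    """The embedded IPv4 address of an IPv4-mapped address, dotted, or None.
    This is the value a stack must re-check for IPv4 multicast/broadcast."""
    if classify(raw) != "ipv4-mapped":
        return None
    return ".".join(str(b) for b in raw[12:])
```

Note that the deck's own example compresses to 102::90a:b0c:d0e:f00 once leading zeros are stripped; the classifier returns "ipv4-mapped" before anything else because ::ffff:224.0.0.1 would otherwise look like an ordinary unicast address.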
8. IPv6 Packet Structure
   - An IPv6 packet is composed of a fixed 40-byte IPv6 header, followed by any number of optional extension headers, followed by an upper-layer (UL) protocol header plus data
   - Each extension header starts with a Next Header byte and (except for the fixed-size ones) an 8-bit Hdr Ext Len byte; the header is (Hdr Ext Len + 1) * 8 bytes long, so an extension header can be anything from 8 bytes up to 2048 bytes
   - There are a few fixed-length ones that don't follow this rule (primarily the 8-byte Fragment header)

9. IPv6 Packet Structure (figure)

10. IPv6 Packet Structure (figure)

11. IPv6 Extension Headers
   - The Hop-by-Hop Options header, if present, is always first (immediately after the IPv6 header)
   - Comprises a series of options that are processed by every node along the path
   - Has TLV-based options, including Router Alert (used by RSVP) and Jumbo Payload for packets larger than 65535 bytes

12. IPv6 Extension Headers
   - Destination Options header: also a series of TLV options, but they're only processed by the destination, not by intermediate routers
   - Fragment header: for fragmented packets (discussed later)
   - Routing header: basically the IPv6 equivalent of source routing (we will look at this again later too)
   - AH/ESP headers: IPsec. AH authenticates the packet; ESP encrypts it (and optionally authenticates it)
   - IPv6 header: encapsulation (IPv6 tunnelled inside IPv6)

13. IPv6 Fragmentation
   - IPv4 stacks and firewalls experienced a myriad of problems related to fragmentation
   - Since fragmentation is the basis of some of the attacks we will look at with IPv6 as well, the process is explained here
   - Unlike IPv4, routers never fragment IPv6 packets; only the sending host fragments and only the final destination reassembles
   - A fragmented datagram consists of the "unfragmentable part" (the IPv6 header plus the extension headers that must be processed en route: Hop-by-Hop, Destination Options preceding a Routing header, and Routing), followed by a Fragment header, followed by a piece of the "fragmentable part" (every remaining header and the data)

14. IPv6 Fragmentation (expected traffic) (figure)

15. IPv6 Fragmentation (allowable traffic) (figure)

16. Address Discovery
   - Local nodes can auto-configure themselves on a network to some extent
   - This is achieved with ICMPv6 Neighbor Discovery: Neighbor Solicitation/Neighbor Advertisement messages resolve link-layer addresses
   - Replaces ARP
   - There are also related Router Advertisement/Router Solicitation exchanges to learn prefixes, the link MTU, the default hop limit, and more

17. Address Discovery
   - None of this is performed with any level of authentication by default (SEND, RFC 3971, adds cryptographic protection but is rarely deployed)
   - Possible to do attacks similar to the "ARP spoofing" that was popular with IPv4
   - Originally demonstrated by "Van Hauser" from THC (http://thc.segfault.net/releases.php)
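Added example (not from the deck, and not THC's tool): what a spoofed Neighbor Advertisement looks like on the wire, built the way slides 16 and 17 describe, together with the ICMPv6 checksum over the pseudo-header and a small detector that flags advertisements contradicting a known address-to-MAC binding. Addresses and MACs are constructed test data; the detector's "trusted bindings" table is an assumption about where such data would come from (static configuration or a learning period).

```python
import struct

ICMPV6, NEIGHBOR_ADVERT, OPT_TARGET_LLADDR = 58, 136, 2

def ipv6_checksum(src, dst, next_hdr, payload):
    """Internet checksum over the IPv6 pseudo-header (RFC 2460 s.8.1) plus payload.
    Verifying a received message: the result must be 0 with the checksum in place."""
    data = src + dst + struct.pack("!IBBBB", len(payload), 0, 0, 0, next_hdr) + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff

def build_neighbor_advert(src, dst, target, lladdr, router=False, solicited=False, override=True):
    """ICMPv6 Neighbor Advertisement (RFC 4861 s.4.4) with a Target Link-Layer
    Address option. Override=1 is what a spoofer sets to displace a cache entry."""
    flags = (int(router) << 31) | (int(solicited) << 30) | (int(override) << 29)
    body = struct.pack("!BBHI", NEIGHBOR_ADVERT, 0, 0, flags) + target
    body += struct.pack("!BB", OPT_TARGET_LLADDR, 1) + lladdr     # option length in 8-byte units
    csum = ipv6_checksum(src, dst, ICMPV6, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]

def parse_neighbor_advert(src, dst, msg):
    """Return (target, link-layer address or None, override flag); raises
    ValueError on a bad checksum or an option that runs past the message."""
    if len(msg) < 24 or msg[0] != NEIGHBOR_ADVERT:
        raise ValueError("not a neighbor advertisement")
    if ipv6_checksum(src, dst, ICMPV6, msg) != 0:
        raise ValueError("bad ICMPv6 checksum")
    flags = struct.unpack("!I", msg[4:8])[0]
    target, lladdr, pos = msg[8:24], None, 24
    while pos < len(msg):
        if pos + 2 > len(msg):
            raise ValueError("truncated option")
        otype, olen = msg[pos], msg[pos + 1] * 8
        if olen == 0 or pos + olen > len(msg):
            raise ValueError("bad option length")          # RFC 4861: discard the message
        if otype == OPT_TARGET_LLADDR and olen >= 8:
            lladdr = msg[pos + 2:pos + 8]
        pos += olen
    return target, lladdr, bool(flags & (1 << 29))

def is_valid_advert(src, dst, msg):
    try:
        parse_neighbor_advert(src, dst, msg)
    except ValueError:
        return False
    return True

def detect_spoofed_adverts(adverts, bindings):
    """adverts: [(src, dst, icmpv6_message)] as sniffed on the link.
    bindings: {target_address: expected_mac} from a trusted source (assumed).
    Returns [(target, claimed_mac)] for every advertisement that tries to
    rebind a known address to a different MAC: the IPv6 analogue of ARP spoofing."""
    alerts = []
    for src, dst, msg in adverts:
        if not is_valid_advert(src, dst, msg):
            continue
        target, lladdr, _ = parse_neighbor_advert(src, dst, msg)
        expected = bindings.get(target)
        if expected is not None and lladdr is not None and lladdr != expected:
            alerts.append((target, lladdr))
    return alerts

# Constructed test data: the real router advertises itself, then an attacker
# advertises the router's address with its own MAC and the Override flag set.
ROUTER = bytes.fromhex("fe80" + "0000" * 6 + "0001")        # fe80::1
ATTACKER = bytes.fromhex("fe80" + "0000" * 6 + "0bad")      # fe80::bad
ALL_NODES = bytes.fromhex("ff02" + "0000" * 6 + "0001")     # ff02::1
ROUTER_MAC, EVIL_MAC = bytes.fromhex("001122334455"), bytes.fromhex("0a0b0c0d0e0f")
LEGIT = build_neighbor_advert(ROUTER, ALL_NODES, ROUTER, ROUTER_MAC)
SPOOF = build_neighbor_advert(ATTACKER, ALL_NODES, ROUTER, EVIL_MAC)
SNIFFED = [(ROUTER, ALL_NODES, LEGIT), (ATTACKER, ALL_NODES, SPOOF)]
```

The checksum covers the IPv6 source and destination, which is why the detector needs them alongside the ICMPv6 message; a spoofer has no trouble producing a valid checksum, so validity says nothing about authenticity, only the binding comparison does.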
18. OS Stacks
   - Many OSs now have IPv6 stacks
   - There are a number of problem areas that are easy to get wrong
   - Focusing on these areas is a good place to start when conducting an audit of an IPv6 stack

19. OS Stacks - Basic Header Parsing
   - In general, length manipulations are safer than in IPv4
   - The IPv6 Payload Length excludes the 40-byte IPv6 header, and an extension header's Hdr Ext Len excludes its own first 8 bytes, so no subtraction needs to be done on an untrusted length value
   - Less likely to have integer underflows
   - Special case: when the Payload Length in the IPv6 header is 0, a Hop-by-Hop header must follow carrying a Jumbo Payload option (RFC 2675) with the real 32-bit length
   - What happens when a non-zero length exists in the IP header and a Jumbo Payload option is also supplied? (RFC 2675 says the packet must be discarded with an ICMPv6 Parameter Problem; not every stack does)
   - What about if there is no Jumbo Payload option and the IP header length is 0?

20. OS Stacks - Basic Header Parsing
   - Extension headers of course need their length verified to ensure that they don't specify a length larger than the remaining packet
   - Failure to do so would result in potential kernel panics or memory corruption
   - TLV parsing within Destination Options and Hop-by-Hop Options can also walk out of bounds if careful checks aren't in place: each option's own length must be checked against the end of the extension header it sits in, not just against the end of the packet
   - Walking past the end of the options is possible on BSD, although it doesn't seem to buy you anything (maybe an interesting evasion technique)
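Added example (not the deck's code, nor any kernel's): a strict walk of the IPv6 header chain that enforces the length rules from slides 8, 11, 12, 19 and 20, the Hop-by-Hop-must-be-first rule, and the RFC 2675 jumbogram consistency checks the questions on slide 19 are asking about. The packets at the bottom are constructed test data; the addresses are from the 2001:db8::/32 documentation range.

```python
import struct

HOPOPTS, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
TCP, UDP, ICMPV6, NONEXT = 6, 17, 58, 59
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS}
OPT_PAD1, OPT_PADN, OPT_JUMBO = 0, 1, 0xC2
IPV6_HLEN = 40

class BadPacket(ValueError):
    """Where a real stack drops the packet (often with ICMPv6 Parameter Problem)."""

def parse_options(blob, allow_jumbo):
    """Walk the TLV area of a Hop-by-Hop or Destination Options header. Every
    option must end inside the extension header itself, not merely inside the
    packet. Returns the Jumbo Payload length if present, else None."""
    jumbo, pos = None, 0
    while pos < len(blob):
        otype = blob[pos]
        if otype == OPT_PAD1:                 # the only option without a length byte
            pos += 1
            continue
        if pos + 2 > len(blob):
            raise BadPacket("option type without length byte")
        olen = blob[pos + 1]
        if pos + 2 + olen > len(blob):
            raise BadPacket("option overruns its extension header")
        if otype == OPT_JUMBO:
            if not allow_jumbo or olen != 4:
                raise BadPacket("Jumbo Payload option misplaced or malformed")
            jumbo = struct.unpack("!I", blob[pos + 2:pos + 6])[0]
        pos += 2 + olen
    return jumbo

def parse_chain(pkt):
    """Return (upper_layer_or_FRAGMENT, offset, [extension header types seen]).
    FRAGMENT as the first element means a non-first fragment: nothing after its
    Fragment header may be interpreted until reassembly."""
    if len(pkt) < IPV6_HLEN or pkt[0] >> 4 != 6:
        raise BadPacket("not an IPv6 header")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    nh = pkt[6]
    if payload_len == 0:
        if nh != HOPOPTS:
            raise BadPacket("Payload Length 0 without a Hop-by-Hop header")
        end = None                            # unknown until Jumbo Payload is read
    else:
        end = IPV6_HLEN + payload_len
        if end > len(pkt):
            raise BadPacket("Payload Length exceeds captured data")
    pos, chain = IPV6_HLEN, []
    while nh in EXT_HEADERS:
        limit = len(pkt) if end is None else end
        if pos + 8 > limit:
            raise BadPacket("extension header truncated")
        if nh == HOPOPTS and pos != IPV6_HLEN:
            raise BadPacket("Hop-by-Hop header not immediately after the IPv6 header")
        hlen = 8 if nh == FRAGMENT else (pkt[pos + 1] + 1) * 8    # no subtraction, no underflow
        if pos + hlen > limit:
            raise BadPacket("extension header length exceeds packet")
        chain.append(nh)
        if nh == FRAGMENT:
            if payload_len == 0:
                raise BadPacket("a jumbogram cannot be fragmented")         # RFC 2675 s.4
            if struct.unpack("!H", pkt[pos + 2:pos + 4])[0] >> 3 != 0:
                return FRAGMENT, pos, chain
        elif nh in (HOPOPTS, DSTOPTS):
            jumbo = parse_options(pkt[pos + 2:pos + hlen], allow_jumbo=(nh == HOPOPTS))
            if jumbo is not None:
                if payload_len != 0 or jumbo < 65536 or IPV6_HLEN + jumbo > len(pkt):
                    raise BadPacket("Jumbo Payload inconsistent with header")   # RFC 2675 s.4
                end = IPV6_HLEN + jumbo
        nh = pkt[pos]
        pos += hlen
    if end is None:
        raise BadPacket("Payload Length 0 but no Jumbo Payload option")
    return nh, pos, chain

def is_rejected(pkt):
    try:
        parse_chain(pkt)
    except BadPacket:
        return True
    return False

# Constructed test packets
SRC = bytes.fromhex("20010db8" + "0000" * 5 + "0001")
DST = bytes.fromhex("20010db8" + "0000" * 5 + "0002")
def ipv6_header(nh, payload_len):
    return struct.pack("!IHBB", 0x60000000, payload_len, nh, 64) + SRC + DST
def packet(first_nh, *parts):
    body = b"".join(parts)
    return ipv6_header(first_nh, len(body)) + body
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 2, 65535, 0, 0)
DSTOPTS_OK = bytes([FRAGMENT, 0, OPT_PADN, 4, 0, 0, 0, 0])            # 8 bytes, padded with PadN
FRAG_FIRST = struct.pack("!BBHI", TCP, 0, 0, 0x1234)                    # offset 0, M=0
FRAG_LATER = struct.pack("!BBHI", TCP, 0, 1 << 3, 0x1234)               # offset 8 bytes
GOOD = packet(DSTOPTS, DSTOPTS_OK, FRAG_FIRST, TCP_HDR)
NONFIRST = packet(DSTOPTS, DSTOPTS_OK, FRAG_LATER, TCP_HDR)
OPTION_OVERRUN = packet(DSTOPTS, bytes([FRAGMENT, 0, OPT_PADN, 200, 0, 0, 0, 0]), FRAG_FIRST, TCP_HDR)
EXT_OVERSIZED = packet(DSTOPTS, bytes([FRAGMENT, 10, OPT_PADN, 4, 0, 0, 0, 0]), FRAG_FIRST, TCP_HDR)
HBH_MISPLACED = packet(DSTOPTS, bytes([HOPOPTS, 0, OPT_PADN, 4, 0, 0, 0, 0]), bytes([TCP, 0, OPT_PADN, 4, 0, 0, 0, 0]), TCP_HDR)
JUMBO_BODY = b"\x00" * 65536
JUMBO_OK = ipv6_header(HOPOPTS, 0) + struct.pack("!BBBBI", TCP, 0, OPT_JUMBO, 4, 8 + len(JUMBO_BODY)) + JUMBO_BODY
JUMBO_WITH_LEN = packet(HOPOPTS, struct.pack("!BBBBI", TCP, 0, OPT_JUMBO, 4, 28), TCP_HDR)
ZERO_LEN_NO_JUMBO = ipv6_header(HOPOPTS, 0) + bytes([TCP, 0, OPT_PADN, 4, 0, 0, 0, 0]) + TCP_HDR
```

The two failure modes slide 20 describes map onto two different limits in the code: the extension header is bounded by the packet (or the jumbogram length), while each TLV option is bounded by its own extension header. Checking only the first lets a PadN of length 200 walk the parser into whatever follows the Destination Options header.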
21. OS Stacks - Error Generation
   - A number of checks are needed to ensure that generated ICMPv6 errors can't create smurf-like amplification scenarios
   - Destination should not be multicast (no error in reply to a packet sent to a group)
   - Source should not be multicast (never send an error to a group)
   - IPv4-mapped addresses (::ffff:a.b.c.d) are also dangerous, exposing potential IPv4 multicast/broadcast addresses if the error ends up going out over IPv4

22. OS Stacks - Routing
   - Usually a host has to be configured to forward packets before it will perform the routing specified in a Routing header
   - Many special cases need to be handled carefully:
   - Multicast destinations
   - Multicast next hops
   - IPv4-mapped destinations
   - IPv4-mapped next hops
   - Link-local or site-local hops
   - Unique local (fc00::/7) hops

23. OS Stacks - Fragmentation
   - Fragmentation is interesting for a few reasons: errors in implementation, fingerprinting, and firewall/IDS desynchronization
   - IPv4 stacks had a few major vulnerabilities due to incorrect reassembly
   - Errors in fragment handling result in memory corruption, out-of-bounds kernel reads, mistakenly treating an incomplete fragment chain as complete and passing it to a higher layer, or accidentally including auxiliary data

24. OS Stacks - Fragmentation Quirks
   - Fragmentation also exposes unique behaviour of each OS (useful for fingerprinting)
   - Windows will discard the whole fragment queue if overlaps are found, in most cases
   - BSD will discard an overlapping fragment but keep the queue
   - Linux allows overlaps using the same algorithm as its IPv4 stack (favors earlier fragments)
   - Timeouts and thresholds will also differ
25. Firewalling
   - IPv6 is a good target for undermining firewall rulesets
   - Simple packet filtering through to more complex stateful mechanisms
   - For packet filtering: we want to block certain upper-layer protocols, extension headers, or more specific information (certain ports, or properties within extension headers)

26. Firewalling - Packet Filtering
   - Extension headers are desirable to filter
   - Things like the Routing header can be particularly useful in violating policy
   - Filtering packets containing them should be fairly easy, but there are some tricks to it
   - The tricks are based around the handling of fragmented packets

27. Firewalling - Packet Filtering
   - One method we can employ is the "NUL fragment" technique: a Fragment header with offset 0 and the M bit clear, i.e. a whole datagram wrapped in a single fragment
   - OS stacks will all skip this header and continue regular processing
   - Some packet filters will instead try to record it for reassembly and so forth
   - Linux's netfilter connection tracking (conntrack) module does this

28. Firewalling - Packet Filtering
   - Otherwise, we can just fragment a datagram with a series of extension headers following the Fragment header
   - Put the extension header being filtered in a non-zero-offset fragment

29. Firewalling - Packet Filtering
   - Most packet filters only check the first (zero-offset) fragment
   - For good reason: interpreting the other fragments as headers is wrong, because the data in a non-first fragment might not even be options
   - The only way to detect extension headers in these fragments is to reassemble the datagram first
   - Filters attempting to detect payloads in non-zero-offset fragments without reassembling are trivially bypassed

30. Firewalling - Packet Filtering
   - What about upper-layer protocols (TCP/UDP/ICMP/others)?
   - We can do the same thing in some cases
   - Filling the first fragment with just extension headers makes it hard for the packet filter to figure out what kind of data is in the packet
   - Dealing with non-zero-offset fragments is easy to get wrong: you really can't rely on anything after the Fragment header

31. Firewalling - Packet Filtering
   - Why? Again, the fragment data might start halfway through another option or some data
   - Result: parsing data as extension headers when they're not
   - The "Next Header" value in a non-zero-offset fragment is ultimately ignored by the end host (only the first fragment's value is used at reassembly)
   - IPTables/ip6fw actually pay attention to this Next Header to figure out the upper-layer protocol, so you can match pretty much arbitrary rules

32. Firewalling - Packet Filtering
   - Fragmentation is a good way of desynchronizing a firewall or IDS
   - Using this technique, we make the firewall/packet filter see a different kind of packet than the end host
   - Result: an incorrect match, which could allow packets through that are meant to be blocked
   - Exploit variances in how the firewall reassembles packets and how the end host does
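Added example (not from the deck, and not any real firewall's code): a deliberately naive per-packet filter with three switchable behaviours modelled on slides 27, 29 and 31, run over crafted fragments. It is the lax counterpart of a strict host-side parse: the point is what the filter believes about each fragment versus what the destination will see after reassembly. The packets, addresses and the allow-TCP/80-only policy are constructed for the example; the three modes are simplified models, not reproductions of conntrack, IPTables or ip6fw.

```python
import struct

HOPOPTS, ROUTING, FRAGMENT, DSTOPTS, TCP, UDP = 0, 43, 44, 60, 6, 17
EXT = {HOPOPTS, ROUTING, FRAGMENT, DSTOPTS}
SRC = bytes.fromhex("20010db8" + "0000" * 5 + "0001")      # constructed addresses
DST = bytes.fromhex("20010db8" + "0000" * 5 + "0002")

def ipv6(nh, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + SRC + DST + payload

def frag_hdr(nh, offset8, more, ident=0x1234):
    """Fragment header; offset8 is the offset in 8-byte units, more is the M bit."""
    return struct.pack("!BBHI", nh, 0, (offset8 << 3) | more, ident)

def filter_view(pkt, mode):
    """What a per-packet filter believes: ([ext headers seen], upper proto, TCP dst port).
    mode 'defer': hands any fragment to reassembly, classifies nothing (slide 27)
    mode 'first': classifies only zero-offset fragments (slide 29)
    mode 'trust': follows the Next Header of any fragment (slide 31)"""
    nh, pos, seen = pkt[6], 40, []
    while nh in EXT:
        if pos + 8 > len(pkt):
            return seen, None, None                  # header cut off: cannot classify
        seen.append(nh)
        if nh == FRAGMENT:
            offset = struct.unpack("!H", pkt[pos + 2:pos + 4])[0] >> 3
            if mode == "defer" or (offset != 0 and mode == "first"):
                return seen, None, None
            hlen = 8
        else:
            hlen = (pkt[pos + 1] + 1) * 8
            if pos + hlen > len(pkt):
                return seen, None, None
        nh = pkt[pos]
        pos += hlen
    dport = struct.unpack("!H", pkt[pos + 2:pos + 4])[0] if pos + 4 <= len(pkt) else None
    return seen, nh, dport

def verdict(pkt, mode):
    """Policy: drop Routing headers and everything but TCP/80; anything the
    filter could not classify is passed on the (wrong) assumption that
    reassembly somewhere else will sort it out."""
    seen, proto, dport = filter_view(pkt, mode)
    if ROUTING in seen:
        return "drop: routing header"
    if proto is None:
        return "allow: unclassified fragment"
    if proto == TCP and dport == 80:
        return "allow: tcp/80"
    return "drop: proto %d port %s" % (proto, dport)

# Trick 1 (slide 27): a "NUL fragment" (offset 0, M=0) in front of a Routing header.
TCP_22 = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 2, 65535, 0, 0)
RH0 = struct.pack("!BBBBI", TCP, 2, 0, 1, 0) + DST                 # Type 0 Routing header, one hop
ATOMIC = ipv6(FRAGMENT, frag_hdr(ROUTING, 0, 0) + RH0 + TCP_22)

# Trick 2 (slides 28-31): the real datagram is UDP/4444 behind a 16-byte Destination
# Options header. The header is split across two fragments; the second fragment's
# Next Header claims TCP, and its first 8 bytes (PadN filler) read as ports 8080 -> 80.
UDP_4444 = struct.pack("!HHHH", 4444, 4444, 12, 0) + b"ping"
DSTOPTS_16 = bytes([UDP, 1, 1, 12]) + b"\x00" * 4 + b"\x1f\x90\x00\x50" + b"\x00" * 4
TRUE_DATAGRAM = ipv6(DSTOPTS, DSTOPTS_16 + UDP_4444)                # what the host reassembles
FRAG1 = ipv6(FRAGMENT, frag_hdr(DSTOPTS, 0, 1) + DSTOPTS_16[:8])    # only half a header
FRAG2 = ipv6(FRAGMENT, frag_hdr(TCP, 1, 0) + DSTOPTS_16[8:] + UDP_4444)  # lying Next Header
```

Every mode passes both halves of trick 2, but for different reasons: 'first' and 'defer' give up and let an unclassifiable fragment through, while 'trust' positively matches "TCP/80" against bytes that are really PadN filler. The end host ignores the second fragment's Next Header, reassembles, and delivers UDP/4444. The only filter view that agrees with the host is the one computed over the reassembled datagram, which is slide 29's conclusion.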
33. Firewalling - Duplicate Fragment Sets
   - A duplicate fragment set attack sends two sets of fragments, both of which reassemble into a datagram that passes firewall inspection
   - Both fragment sets have the same Identification field (and the same source and destination)
   - We then want selected fragments from each set to be dropped before reaching the host, so that the host assembles a new packet out of the survivors that should never have been allowed

34. Firewalling - Duplicate Fragment Sets (figure)

35. Firewalling - Duplicate Fragment Sets
   - How do we drop selected fragments?
   - In IPv4 it was possible by setting the TTL on some packets to a low value so they would expire after the firewall but before the end host
   - Thomas Lopatic used an inventive technique involving abuse of the Timestamp IP option
   - In IPv6 it's much easier, because there are a lot of ways to invalidate a packet, especially if fragments aren't examined particularly closely by the firewall

36. Firewalling - Packet Invalidation
   - Low hop limit (the IPv6 TTL): easy technique, but probably will be detected
   - Destination Option TLVs can be used to force the host to drop fragments: an unrecognised option whose two high-order type bits are not 00 means "discard this packet" to the end host, while most filters don't look (Hop-by-Hop options work too, but each hop will pick those up...)
   - Invalid Routing headers: not a type 0 route, or a multicast destination
   - Valid Routing headers that have multiple entries delivering to the same host or to the router just before the end host, thus eating up hop limits
   - Timing attacks (reassembly timeouts differ between firewall and host)

37. Firewalling - Packet Invalidation
   - Sometimes packet filters/firewalls will let unknown extension headers through, whereas the end host will drop them
   - Firewalls/filters also often allow a Hop-by-Hop Options header anywhere in the chain, whereas end hosts only accept it immediately after the IPv6 header
   - Insert a Hop-by-Hop header somewhere in the middle of the packet and it will never make it through the host's processing

38. Firewalling - Fragment Stacking
   - Fragment stacking is a technique where you put multiple Fragment headers inside a single datagram
   - Alternatively, you have a Fragment header somewhere inside the fragmentable part of a fragmented packet
   - When the packet is reassembled, the newly formed packet is still a fragment of another chain!
   - You can nest Fragment headers arbitrarily deep

39. Firewalling - Fragment Stacking (figure)

40. Firewalling - Fragment Stacking
   - Useful for messing with firewalls trying to reconstruct the packet stream
   - Firewall packet filters record information about either the first Fragment header they see, or the last one
   - This can lead to them making inaccurate decisions about what the packet really contains
   - Also useful against firewalls attempting to cache Identification values to prevent duplicate fragment set attacks
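Added example (not from the deck): a fragmenter and a reassembler whose overlap handling can be switched between simplified models of the three behaviours slide 24 attributes to Windows, BSD and Linux, plus the stacked-fragment case from slides 38 to 40 (the fragmentable part being itself a fragment). The wire format is RFC 2460 section 4.5; the three policies are approximations written for this example, not the kernels' own code, and the fragment data is constructed.

```python
import struct

FRAGMENT, TCP = 44, 6

def frag_header(nh, offset, more, ident):
    """8-byte Fragment header. offset is in bytes and must be a multiple of 8."""
    return struct.pack("!BBHI", nh, 0, ((offset // 8) << 3) | (1 if more else 0), ident)

def parse_frag_header(buf):
    nh, _, off_m, ident = struct.unpack("!BBHI", buf[:8])
    return nh, (off_m >> 3) * 8, bool(off_m & 1), ident

def fragment(nh, data, ident, max_frag):
    """Split the fragmentable part `data` (whose first header has type nh) into
    pieces of at most max_frag bytes, each behind its own Fragment header.
    All pieces but the last are multiples of 8 bytes, as the RFC requires."""
    step = max_frag - max_frag % 8
    if step < 8:
        raise ValueError("a fragment must carry at least 8 bytes")
    out = []
    for off in range(0, len(data), step):
        piece = data[off:off + step]
        out.append(frag_header(nh, off, off + step < len(data), ident) + piece)
    return out

def reassemble(fragments, policy):
    """fragments: Fragment-header+data strings of one datagram, in arrival order.
    policy models slide 24:
      'drop_queue'     Windows-like: any overlap discards the whole datagram
      'drop_fragment'  BSD-like: the overlapping newcomer is discarded, queue kept
      'first_wins'     Linux-like: bytes already queued are kept, gaps are filled
    Returns (next_header, data), or None if incomplete or discarded."""
    queue, nh, total = {}, None, None          # byte offset -> byte value
    for frag in fragments:
        fnh, off, more, _ = parse_frag_header(frag)
        piece = frag[8:]
        overlap = any(off + i in queue for i in range(len(piece)))
        if overlap and policy == "drop_queue":
            return None
        if overlap and policy == "drop_fragment":
            continue
        if off == 0 and nh is None:
            nh = fnh                            # only the first fragment's Next Header counts
        if not more:
            total = off + len(piece)
        for i, b in enumerate(piece):
            queue.setdefault(off + i, b)        # never overwrite: earlier bytes win
    if nh is None or total is None or len(queue) != total:
        return None
    if any(i not in queue for i in range(total)):
        return None
    return nh, bytes(queue[i] for i in range(total))

# Constructed test data: 24 bytes of TCP split three ways, plus a hostile fragment
# that overlaps the second and third pieces and claims to be the last one.
LEGIT = fragment(TCP, b"A" * 24, ident=7, max_frag=8)
EVIL = frag_header(TCP, 8, False, 7) + b"B" * 16
ARRIVAL = [LEGIT[0], LEGIT[1], EVIL, LEGIT[2]]

def overlap_outcomes():
    """What each modelled stack delivers for ARRIVAL: three different answers
    for identical wire traffic, which is why overlap handling is a fingerprint."""
    return {p: reassemble(ARRIVAL, p) for p in ("drop_queue", "drop_fragment", "first_wins")}

# Fragment stacking (slides 38-40): the fragmentable part of each outer datagram is
# itself a fragment (Next Header 44), so one round of reassembly yields another fragment.
INNER = fragment(TCP, b"x" * 20, ident=2, max_frag=8)
OUTER_CHAINS = [fragment(FRAGMENT, f, ident=10 + i, max_frag=8) for i, f in enumerate(INNER)]

def reassemble_stacked(policy="first_wins"):
    """Reassemble each outer chain, then feed the results into a second round."""
    level1 = [reassemble(chain, policy) for chain in OUTER_CHAINS]
    if any(r is None or r[0] != FRAGMENT for r in level1):
        return None
    return reassemble([data for _, data in level1], policy)
```

A firewall that keys its reassembly state on the first Fragment header it sees (identifier 10, 11, 12 here) never sees identifier 2, which is the one the host finally reassembles; that is the "first or last Fragment header" blind spot slide 40 describes.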
41. Firewalling - Stateful Inspection
   - Stateful inspection firewalls are generally harder to bypass than packet filters
   - Fragment duplication and stacking can help to bypass them
   - Another thing they need to be careful of is TCP/UDP header processing
   - Some firewalls will inspect the flags of a TCP packet to decide whether a connection is open or not

42. Firewalling - Stateful Inspection
   - A classic IPv4 trick was to send an overlapping fragment at offset 1 (byte 8) of a TCP packet, overwriting the flags portion of the header (the overlapping fragment attack of RFC 1858)
   - Lots of implementations check for this, even in IPv6
   - That particular check is not useful in IPv6, though, because the TCP header doesn't need to start at offset 0 of the fragmentable part
   - We can pad with extension headers, thus causing the firewall to check potentially invalid flags
   - Still pretty hard to pull off, though, due to the way most hosts handle overlapping fragments

43. Firewalling - Stateful Inspection
   - We can also supply TCP or UDP packets that are never going to reach the host
   - This is useful if we want the firewall to create, maintain or tear down a connection entry
   - We can use the techniques for invalidating packets described earlier
   - Hop limits, Routing headers, invalid destinations, and so on

44. Firewalling - Stateful Inspection
   - Routing headers might also provide some interesting possibilities
   - What if we route the packet around to a less protected interface on a target host?
   - Maybe we can use this to elicit some sort of response due to misplaced trust
   - The Windows XP firewall seems to exhibit some behaviour like this
   - What if we could entice a host/router to send a packet that we originated back to us?
   - Using a Routing header with the attacking host as one of the hops can accomplish this

45. Firewalling - Stateful Inspection (figure)

46. Firewalling - Stateful Inspection (figure)

47. Firewalling - Stateful Inspection
   - Let's say we want to contact a target machine on port 22, but the firewall only lets in port 80
   - It has TCP connection awareness
   - We send a packet (src port: 22, dst port: 80) with the target's IP as both source and destination address, and our own address as the remaining hop in a Type 0 Routing header
   - They get it, inspect the Routing header and send it on to us
   - Should really send a Redirect (or drop it) in this case, but at least Windows and BSD seem to route wherever you want (Linux will send a Redirect)

48. Firewalling - Stateful Inspection
   - The firewall sees a packet leaving the target (source port: 22, dest port: 80) and creates a new connection entry
   - We now have the possibility of contacting the target on port 22
   - Potential problems: careful flag checks might detect that something is up
   - Anti-spoofing will see that source and destination address are the same, or at least that the source address is not valid for the receiving interface
   - Tunneling can come in handy here
   - (Type 0 Routing headers were later deprecated by RFC 5095 because of the traffic amplification and filter bypasses they enable, and current stacks and routers drop them)
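Added example (not the deck's code): construction of a Type 0 Routing header and the RFC 2460 section 4.4 forwarding step a node performs on it, applied to the src = dst = target packet of slides 47 and 48, so you can see the bounced packet exactly as the stateful firewall would. The addresses and the TCP header are constructed; the `forwarding` switch models the slide 22 point that a host should refuse this unless it is configured as a router. Type 0 is deprecated today (RFC 5095); the processing shown is what the hosts the deck targeted did.

```python
import struct

ROUTING, TCP = 43, 6
ATTACKER = bytes.fromhex("20010db8" + "0000" * 5 + "00bd")    # constructed 2001:db8::bd
TARGET = bytes.fromhex("20010db8" + "0000" * 5 + "0002")      # constructed 2001:db8::2

def ipv6_header(nh, payload_len, src, dst):
    return struct.pack("!IHBB", 0x60000000, payload_len, nh, 64) + src + dst

def build_rh0(nh, hops):
    """Type 0 Routing header listing `hops`; Segments Left = number of hops."""
    n = len(hops)
    return struct.pack("!BBBBI", nh, 2 * n, 0, n, 0) + b"".join(hops)

def process_routing_header(pkt, forwarding=True):
    """One node's handling of an incoming RH0 (RFC 2460 s.4.4).
    Returns ('deliver', pkt), ('forward', rewritten_pkt) or ('drop', reason)."""
    hdr, rest = pkt[:40], pkt[40:]
    if hdr[6] != ROUTING:
        return "deliver", pkt
    if len(rest) < 8:
        return "drop", "truncated routing header"
    hdr_ext_len, rtype, seg_left = rest[1], rest[2], rest[3]
    if seg_left == 0:
        return "deliver", pkt                  # we are the final destination
    if rtype != 0:
        return "drop", "unknown routing type"  # ICMPv6 Parameter Problem
    n = hdr_ext_len // 2
    if hdr_ext_len % 2 or seg_left > n or len(rest) < 8 + 16 * n:
        return "drop", "malformed RH0"         # ICMPv6 Parameter Problem
    if not forwarding:
        return "drop", "host is not a router"  # what a careful end host does (slide 22)
    i = n - seg_left
    addrs = [rest[8 + 16 * k:24 + 16 * k] for k in range(n)]
    if addrs[i][0] == 0xff:
        return "drop", "multicast next hop"    # RFC 2460: must discard
    new_dst, addrs[i] = addrs[i], hdr[24:40]   # swap destination with the next segment
    new_rest = rest[:3] + bytes([seg_left - 1]) + rest[4:8] + b"".join(addrs) + rest[8 + 16 * n:]
    return "forward", hdr[:24] + new_dst + new_rest

def tcp_ports(pkt):
    """(source port, destination port) of the TCP header after an optional RH0."""
    nh, pos = pkt[6], 40
    if nh == ROUTING:
        nh, pos = pkt[40], 40 + (pkt[41] + 1) * 8
    if nh != TCP or pos + 4 > len(pkt):
        return None
    return struct.unpack("!HH", pkt[pos:pos + 4])

def firewall_sees(pkt):
    """The 4-tuple a stateful firewall between target and attacker would log."""
    ports = tcp_ports(pkt)
    return (pkt[8:24], pkt[24:40]) + (ports if ports else (None, None))

# The packet the attacker sends to the target (slide 47): source and destination
# are both the target, the only hop left is the attacker, TCP 22 -> 80.
TCP_22_TO_80 = struct.pack("!HHIIBBHHH", 22, 80, 0, 0, 5 << 4, 2, 65535, 0, 0)
RH = build_rh0(TCP, [ATTACKER])
BOUNCE = ipv6_header(ROUTING, len(RH) + len(TCP_22_TO_80), TARGET, TARGET) + RH + TCP_22_TO_80
```

After the target processes the header, the packet on the wire has source TARGET, destination ATTACKER, source port 22 and destination port 80: from the firewall's side it looks like the target opening an outbound connection, which is the entry slide 48 wants created.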
49. Tunneling Data
   - Tunneling is a big issue in IPv6, especially for nodes that do both IPv4 and IPv6
   - IPv6 over IPv4 (IPv4 protocol 41)
   - IPv4 over IPv6 (IPv6 Next Header 4)
   - IPv6 over IPv6 (IPv6 Next Header 41; supported by default on Windows)
   - Arbitrary levels of nesting
   - Combined with fragmentation tricks, firewalls have their work cut out for them

50. Tunneling Data
   - Tunneling to hosts has several uses
   - Bypassing firewall rules
   - Contacting hosts behind a firewall using routing combined with tunneling
   - Contacting non-routable (link-local/site-local) addresses using Routing headers
   - Additional bonus: your tunneled IP data is not going to be subject to anti-spoofing and other validation in many cases
   - Special address classes are also useful; we could route over to their IPv4-accessible network, for example
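Added example (not from the deck): peeling nested IPv6-over-IPv4, IPv4-over-IPv6 and IPv6-over-IPv6 encapsulation down to the innermost packet with a depth limit, so that a filter applies its anti-spoofing and address checks to the addresses that matter rather than to the tunnel endpoints (slides 49 and 50). The headers and addresses are constructed; extension headers between an outer IPv6 header and the tunnelled packet are deliberately not walked here (the example assumes the tunnel header comes next).

```python
import struct

IPPROTO_IPV4, IPPROTO_IPV6, TCP = 4, 41, 6

def ipv4_header(proto, src, dst, payload_len):
    """Minimal 20-byte IPv4 header (checksum left 0; the parser does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)

def ipv6_header(nh, src, dst, payload_len):
    return struct.pack("!IHBB", 0x60000000, payload_len, nh, 64) + src + dst

def outer_layer(pkt):
    """(version, protocol, src, dst, payload) of the outermost IP header, or None."""
    if not pkt:
        return None
    version = pkt[0] >> 4
    if version == 4 and len(pkt) >= 20:
        ihl = (pkt[0] & 0x0f) * 4
        total = struct.unpack("!H", pkt[2:4])[0]
        if ihl < 20 or total < ihl or total > len(pkt):
            return None
        return 4, pkt[9], pkt[12:16], pkt[16:20], pkt[ihl:total]
    if version == 6 and len(pkt) >= 40:
        plen = struct.unpack("!H", pkt[4:6])[0]
        if 40 + plen > len(pkt):
            return None
        return 6, pkt[6], pkt[8:24], pkt[24:40], pkt[40:40 + plen]
    return None

def unwrap(pkt, max_depth=4):
    """Follow protocol 4 / 41 encapsulation inward. Returns ([(version, src, dst)]
    outermost first, innermost transport protocol). Raises on malformed layers
    or nesting deeper than max_depth, both of which a filter should drop."""
    layers, cur = [], pkt
    while True:
        info = outer_layer(cur)
        if info is None:
            raise ValueError("malformed packet at depth %d" % len(layers))
        version, proto, src, dst, payload = info
        layers.append((version, src, dst))
        if proto not in (IPPROTO_IPV4, IPPROTO_IPV6):
            return layers, proto
        if len(layers) >= max_depth:
            raise ValueError("nesting deeper than %d layers" % max_depth)
        cur = payload

def innermost(pkt, max_depth=4):
    """The addresses a filter should actually judge: (src, dst, proto) of the
    innermost layer, or None if the packet is malformed or nested too deep."""
    try:
        layers, proto = unwrap(pkt, max_depth)
    except ValueError:
        return None
    _, src, dst = layers[-1]
    return src, dst, proto

# Constructed test data: a link-local source (never legitimate from outside)
# hidden inside IPv6-in-IPv6 inside IPv4, plus an IPv4-in-IPv6 packet.
V4_A, V4_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
V6_RELAY = bytes.fromhex("20010db8" + "0000" * 5 + "0010")
V6_TARGET = bytes.fromhex("20010db8" + "0000" * 5 + "0020")
V6_LINKLOCAL = bytes.fromhex("fe80" + "0000" * 6 + "0001")
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 2, 65535, 0, 0)
INNER = ipv6_header(TCP, V6_LINKLOCAL, V6_TARGET, len(TCP_HDR)) + TCP_HDR
SIX_IN_SIX = ipv6_header(IPPROTO_IPV6, V6_RELAY, V6_TARGET, len(INNER)) + INNER
SIX_IN_FOUR = ipv4_header(IPPROTO_IPV6, V4_A, V4_B, len(SIX_IN_SIX)) + SIX_IN_SIX
FOUR_IN_SIX = (ipv6_header(IPPROTO_IPV4, V6_RELAY, V6_TARGET, 20 + len(TCP_HDR))
               + ipv4_header(TCP, V4_A, V4_B, len(TCP_HDR)) + TCP_HDR)
TOO_DEEP = SIX_IN_FOUR
for _ in range(3):
    TOO_DEEP = ipv6_header(IPPROTO_IPV6, V6_RELAY, V6_TARGET, len(TOO_DEEP)) + TOO_DEEP
```

A filter that looks only at `outer_layer` sees 192.0.2.1 talking to 192.0.2.2 over protocol 41 and applies no IPv6 policy at all; `innermost` exposes the fe80::1 source that anti-spoofing would have rejected on a native interface. The depth limit exists because "arbitrary levels of nesting" is also a cheap way to burn CPU in the firewall.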
51. Questions?