IPv6: Address Spaces

Prefix | Designation | IPv4 equivalent

::/128 | Unspecified | 0.0.0.0
This address may only be used as a source address by an initializing host before it has learned its own addresses.

::1/128 | Loopback | 127.0.0.1
This address is used when a host talks to itself over IPv6. This often happens when one program sends data to another.

fc00::/7 (example: fdf8:f535:82e4::53) | Unique Local Addresses (ULAs) | Private (RFC 1918) address space: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Reserved for local use in home and enterprise environments (not public address space).

fe80::/10 (example: fe80::200:5aee:feaa:20a2) | Link-Local Addresses | 169.254.0.0/16
Used on a single link or a non-routed common access network, such as an Ethernet LAN. They do not need to be unique outside of that link.

2001:db8::/32 (example: 2001:db8:8:4::2) | Documentation | 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24
Used in examples and documentation. These should never be source or destination addresses.

2000::/3 | Global Unicast | No equivalent single IPv4 block
The operators of networks using these addresses can be found using the RIR Whois servers listed in the IANA registry.

ff00::/8 (example: ff01:0:0:0:0:0:0:2) | Multicast | 224.0.0.0/4
Used to identify multicast groups. They should only be used as destination addresses, never as source addresses.

The above is a partial list. The full list can be found below:
https://www.apnic.net/get-ip/faqs/what-is-an-ip-address/ipv6-address-types/
IPv6: Security Statements

Statement | Reason given | Reality

"IPv6 is more secure and it's built-in" | RFC 4294 states that IPsec is a MUST | RFC 8504 states that IPsec is a SHOULD. IPsec is available.

"IPv6 has no NAT and we are exposed to attacks from the Internet" | End-to-end paradigm: global addresses and no NAT | Global addressing doesn't imply global reachability, and each organization is responsible for FILTERING its own traffic.

"IPv6 networks are too big to SCAN" | Standard LAN/VLAN allocation is a /64 network prefix | Brute-force scanning is not possible, but new scanning techniques are available.

"IPv6 is too new to be attacked" | Lack of updated information | 20% of overall malicious traffic is over IPv6.

"IPv6 is not a security problem in IPv4-only networks" | Networks having IPv4 services only | IPv6 is enabled by default in modern OSs and can lead to problems if unchecked.

"IPv6 security lacks adequate resources and policies" | Considering that there are no BCPs, resources or features | BCPs, resources and features are there and regularly updated. Organizations can implement their own security policy in accordance.
IPv6: How to Approach

A change of mindset is necessary
• IPv6 has its own security features and risks, and they need to be addressed accordingly
• Developing IPv6 protocol knowledge is the best security measure
IPv6: What's actually happening out there

• 2003: First IPv6 DDoS - approx. 1 Gbps
• 2022 October: 10% of all attacks
• 2023 June: 20% of all attacks (doubled in less than a year)
• 2023 May-June: Spiked to 35% of all attacks (coincides with the ongoing scanning attacks)
• In 2022 alone, IPv6 overall DDoS traffic volume increased by 600%!

References:
– https://www.juniper.net/content/dam/www/assets/analyst-reports/us/en/2023/corero-ddos-threat-intelligence-report.pdf
– https://majorityreport.crowdsec.net
– https://www.radware.com/2023-h1-global-threat-analysis-report/
– June 15, 2023: ipv6-exploitation-in-ad-environment
– February 14, 2023: MITM6
IPv6 Threats: Spoofing

• IP Spoofing:
  – Using a fake IPv6 source address
• Solution:
  – Ingress filtering and uRPF (unicast reverse path forwarding)
• uRPF:
  – BCP38 (RFC2827)
    • Since 1998!
  – The router verifies that the source address of a received packet is in the FIB table and reachable (routing table)
    • Else DROP!

Figure: a router with interfaces pos0/0 and ge0/0 receives packets with Src = 2406:6400:100::1 and Src = 2406:6400:200::1; its FIB holds 2400:6400:100:/48 via ge0/0 and 2400:6400:200:/48 via fa0/0. The FIB lookup of the source address must return the interface the packet arrived on, otherwise the packet is dropped.
Image source: "Cisco ISP Essentials", Barry Greene & Philip Smith, 2002
IPv6 Threats: BOGONs

What is a BOGON
• Not all IP addresses (v4 and v6) are allocated by IANA to the RIRs
• Addresses that should not be seen on the Internet are called "Bogons" (also called "Martians")
  – RFC1918 space + reserved space
• IANA publishes the list of number resources that have been allocated/assigned to RIRs/end-users
  • IANA - IPv6 Assignment List
  • IANA - IPv4 Assignment List

Impact & Mitigation
• Commonly found as the source address of DDoS packets
• Implement ingress BOGON filters
  – Should not route them or accept traffic from them
  – Manually implement from the IANA BOGON list
  – Autoconfig via the Team Cymru BOGON route server project
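The following Python is an added example, not code from the slides or from any vendor: it ties together the address-space table, the uRPF slide and the bogon slide into one ingress decision an edge router makes. Source addresses are classified by longest-prefix match against the IPv6 rows of the address table; anything that is not Global Unicast (including the documentation prefix, which sits inside 2000::/3) is treated as a bogon; surviving packets are checked against a FIB in strict or loose uRPF mode. The FIB contents, the abbreviated bogon logic and all packets are constructed for the example; a production filter loads the IANA or Team Cymru lists instead.

```python
import ipaddress
from dataclasses import dataclass

# IPv6 rows of the "Address Spaces" table as (network, designation).
ADDRESS_SPACES = [
    ("::/128", "Unspecified"), ("::1/128", "Loopback"), ("fc00::/7", "Unique Local (ULA)"),
    ("fe80::/10", "Link-Local"), ("2001:db8::/32", "Documentation"),
    ("2000::/3", "Global Unicast"), ("ff00::/8", "Multicast"),
]
_SPACES = [(ipaddress.IPv6Network(p), d) for p, d in ADDRESS_SPACES]


def longest_match(table, ip):
    """Longest-prefix match of ip against (network, value) pairs; None if nothing matches.
    Order in the table does not matter: 2001:db8::/32 beats 2000::/3 because it is longer."""
    best = None
    for net, value in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best


def classify(address: str) -> str:
    hit = longest_match(_SPACES, ipaddress.IPv6Address(address))
    return hit[1] if hit else "Unassigned / reserved (not in table)"


def is_bogon_source(address: str) -> bool:
    """Abbreviated bogon test: a source must be Global Unicast and not a reserved block
    inside 2000::/3 such as the documentation prefix. (Real lists come from IANA / Team Cymru.)"""
    return classify(address) != "Global Unicast"


@dataclass(frozen=True)
class Packet:
    src: str
    ingress: str          # interface the packet arrived on


# Constructed FIB loosely following the slide's figure: (prefix, egress interface).
FIB = [
    (ipaddress.IPv6Network("2406:6400:100::/48"), "ge0/0"),
    (ipaddress.IPv6Network("2406:6400:200::/48"), "fa0/0"),
    (ipaddress.IPv6Network("::/0"), "pos0/0"),   # default route towards the upstream
]


def urpf_check(pkt: Packet, fib=FIB, mode: str = "strict", allow_default: bool = False):
    """Return (passes, reason).
    strict: the best route back to the source must point out the ingress interface.
    loose:  any route to the source is enough (for edges with asymmetric routing).
    The default route is ignored unless allow_default is set, otherwise strict uRPF on a
    border router would accept every source on the interface the default points to."""
    hit = longest_match(fib, ipaddress.IPv6Address(pkt.src))
    if hit is None or (hit[0].prefixlen == 0 and not allow_default):
        return False, "no (non-default) route to source"
    net, iface = hit
    if mode == "loose":
        return True, f"route {net} exists"
    if iface != pkt.ingress:
        return False, f"route {net} points to {iface}, packet arrived on {pkt.ingress}"
    return True, f"route {net} matches ingress {iface}"


def ingress_filter(pkt: Packet, **urpf_opts):
    """Edge-router decision: bogon filter first, then uRPF. Returns (verdict, reason)."""
    if is_bogon_source(pkt.src):
        return "DROP", f"bogon source ({classify(pkt.src)})"
    ok, why = urpf_check(pkt, **urpf_opts)
    return ("ACCEPT" if ok else "DROP"), why


if __name__ == "__main__":
    for p in [Packet("2406:6400:100::1", "ge0/0"), Packet("2406:6400:100::1", "pos0/0"),
              Packet("fdf8:f535:82e4::53", "pos0/0"), Packet("2001:db8:8:4::2", "ge0/0")]:
        print(p, "->", ingress_filter(p))
```

The two uRPF modes and the `allow_default` switch are the knobs that decide whether the check is useful on a given interface: strict mode only works where routing is symmetric, and without `allow_default` a border router with a default route learns nothing from a source that only the default covers.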
IPv6: Extension Headers

IPv6 allows optional Extension Headers between the IPv6 header and the upper-layer (TCP/UDP) header
– Allows adding new features to the IPv6 protocol without major re-engineering

RFC8200:
– "Extension headers (except for Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node"
– But destination nodes must accept and process EH... "any order and occurring any number of times in the same packet"

Key Features
– Flexible (use is optional)
– Fixed (types and orders)
– Processed only at end-points (except for Hop-by-Hop & Routing options)

Packet without an Extension Header:
  [IPv6 Header, Next Header = 6] [TCP header + data]
Packet with an Extension Header:
  [IPv6 Header, Next Header = 44] [Fragment header, Next Header = 6] [TCP header + data]

Next Header values:
0   Hop-by-hop option
6   TCP
17  UDP
43  Source routing (RFC5095)
44  Fragmentation
50  Encrypted security payload
51  Authentication
58  ICMPv6
59  Null (No next header)
60  Destination option
IPv6: Extension Header Challenges

• Flexibility is a synonym of complexity
• Security devices/software now must process the full chain of headers
• Firewalls must be able to filter based on Extension Headers
IPv6 Threats: EH

Threat:
• EH as a covert channel to pass payload (data)
• Use an extensive number of EH headers
  – The EH chain itself is fragmented and the TCP header can be in the Nth fragment... voilà! Let's insert a whole bunch of new fragmented packets and overload the destination.

Impact:
• Bypass IPS/IDP/Firewall
• Overwhelm the destination node (DoS/DDoS)

Mitigation & Challenges:
• Inspect & filter unwanted EH packets

Figure: [IPv6 Header, Next Header = 44] [EH: hidden data] [EH] ... [Next header] [TCP header + data]
IPv6 Threats: EH - Routing Headers

• Include one or more IPs that should be visited in the path
  – Processed by the visited router
• Routing Header (Type 0):
  – RH0 can be used for traffic amplification over a remote path
• RH0 deprecated [RFC5095]
  – Disable IPv6 source routing
  – Filter RH0 packets

Figure: the attacker sends a packet towards DST whose RH0 address list is Addr[A], Addr[B], Addr[A], Addr[B], Addr[A], Addr[B], Addr[D]; the packet bounces between routers A and B before reaching DST, consuming bandwidth on the targeted link A–B (other nodes in the figure: S, D, E, F).
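As an added example (not from the slides), the Python below walks the extension-header chain of a raw IPv6 packet using the Next Header values listed earlier and applies the checks the last three slides ask a firewall to make: it flags a Routing Header Type 0, a Hop-by-Hop header that is not first, a chain longer than a configurable limit, and a chain that does not fit inside the packet (RFC 7112 requires the whole header chain in the first fragment, which is exactly the "TCP header in the Nth fragment" trick). The sample packet is constructed in the code and the limit of three extension headers is an assumed policy value.

```python
import struct

# Next Header values from the slide: extension headers are walked, upper-layer ones end the chain.
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH", 60: "Destination Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}


def parse_chain(pkt: bytes):
    """Walk the header chain. Returns (chain, final_next_header, complete).
    chain holds one dict per extension header; complete is False when the chain runs past the
    end of pkt, i.e. the upper-layer header is not in this packet/fragment."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain, complete = pkt[6], 40, [], True
    while nh in EXT_HEADERS:
        if nh == 50:                              # ESP: what follows is encrypted, the walk ends
            chain.append({"num": nh, "name": "ESP", "len": len(pkt) - off})
            break
        if off + 8 > len(pkt):                    # every extension header is at least 8 octets
            complete = False
            break
        next_nh = pkt[off]
        if nh == 44:
            hlen = 8                              # Fragment header has a fixed size
        elif nh == 51:
            hlen = (pkt[off + 1] + 2) * 4         # AH: length in 4-octet units minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8         # HbH, Routing, DestOpts: 8-octet units minus 1
        entry = {"num": nh, "name": EXT_HEADERS[nh], "len": hlen}
        if nh == 43:
            entry["routing_type"], entry["segments_left"] = pkt[off + 2], pkt[off + 3]
        if nh == 44:
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            entry["frag_offset"], entry["more"] = frag >> 3, bool(frag & 1)
        chain.append(entry)
        if off + hlen > len(pkt):
            complete = False
            break
        off, nh = off + hlen, next_nh
        if entry["num"] == 44 and entry["frag_offset"] > 0:
            break                                 # non-first fragment: the rest is opaque data
    return chain, nh, complete


def audit(pkt: bytes, max_ext_headers: int = 3):
    """Filtering policy over the chain; returns (chain, final_next_header, findings)."""
    chain, nh, complete = parse_chain(pkt)
    findings = []
    for i, h in enumerate(chain):
        if h["num"] == 0 and i != 0:
            findings.append("Hop-by-Hop header is not the first extension header (RFC 8200)")
        if h["num"] == 43 and h.get("routing_type") == 0:
            findings.append("Routing Header Type 0 present (deprecated by RFC 5095): drop")
    if len(chain) > max_ext_headers:
        findings.append(f"{len(chain)} extension headers exceed the policy limit of {max_ext_headers}")
    if not complete:
        findings.append("header chain not contained in the packet/first fragment (RFC 7112): drop")
    return chain, nh, findings


def build_sample_packet() -> bytes:
    """Constructed packet: IPv6 | Hop-by-Hop | Routing (type 0) | Fragment (offset 0) | TCP SYN."""
    src = bytes.fromhex("20010db8000800040000000000000002")   # 2001:db8:8:4::2
    dst = bytes.fromhex("20010db8000800040000000000000001")   # 2001:db8:8:4::1
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte SYN
    frag = struct.pack("!BBHI", 6, 0, 0, 0x1234)                 # next=TCP, offset 0, M=0
    rh0 = struct.pack("!BBBBI", 44, 2, 0, 1, 0) + dst            # next=Fragment, 24 octets, type 0
    hbh = struct.pack("!BB", 43, 0) + bytes([1, 4, 0, 0, 0, 0])  # next=Routing, 8 octets, PadN
    payload = hbh + rh0 + frag + tcp
    return struct.pack("!IHBB", 6 << 28, len(payload), 0, 64) + src + dst + payload


if __name__ == "__main__":
    chain, nh, findings = audit(build_sample_packet())
    print([h["name"] for h in chain], UPPER_LAYER.get(nh, nh), findings)
```

Truncating the sample after 60 bytes leaves a Routing header whose declared length runs past the packet, which is the case a first fragment carrying only part of the chain presents to a stateless filter.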
IPv6: ICMPv6 – integral part of IPv6

• Filtering ICMPv6 is not a straightforward task
  – Drop ICMPv6 → completely break IPv6
• RFC4890: "ICMPv6 Filtering Recommendations"
  – Permit error messages
    • Destination Unreachable (Type 1) - all codes
    • Packet Too Big (Type 2)
    • Time Exceeded (Type 3) - code 0 only
    • Parameter Problem (Type 4) - codes 1 and 2 only
  – Permit connectivity check messages
    • Echo Request (Type 128)
    • Echo Response (Type 129)
https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
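An added example (not from the slides) that encodes the rows above as a filtering policy, evaluates individual ICMPv6 messages against it, and sanity-checks a policy for the "drop ICMPv6, break IPv6" mistake. The local-link additions (RS, RA, NS, NA) are not on the slide; they are taken from RFC 4890, which requires them on the local link, and are only applied when the caller says the interface is a local link.

```python
import struct

# Policy from the slide (the RFC 4890 rows it lists): ICMPv6 type -> set of permitted codes,
# None meaning every code. Anything not in the table is dropped.
TRANSIT_POLICY = {
    1: None,      # Destination Unreachable - all codes
    2: None,      # Packet Too Big - dropping it silently breaks Path MTU Discovery
    3: {0},       # Time Exceeded - code 0 (hop limit exceeded in transit) only
    4: {1, 2},    # Parameter Problem - codes 1 and 2 only
    128: None,    # Echo Request
    129: None,    # Echo Reply
}

# Not on the slide; added from RFC 4890: Neighbor Discovery (RS 133, RA 134, NS 135, NA 136)
# must not be filtered on the local link, or hosts cannot find routers or resolve neighbors.
LOCAL_LINK_POLICY = {133: None, 134: None, 135: None, 136: None}

ESSENTIAL_ERRORS = {1: "Destination Unreachable", 2: "Packet Too Big",
                    3: "Time Exceeded", 4: "Parameter Problem"}


def decide(icmp_type: int, code: int, policy=TRANSIT_POLICY, local_link: bool = False) -> str:
    """Return "permit" or "drop" for one ICMPv6 message under the policy."""
    allowed = dict(policy)
    if local_link:
        allowed.update(LOCAL_LINK_POLICY)
    if icmp_type not in allowed:
        return "drop"
    codes = allowed[icmp_type]
    return "permit" if codes is None or code in codes else "drop"


def parse_icmpv6(payload: bytes):
    """(type, code, checksum) from the first 4 octets of an ICMPv6 message."""
    if len(payload) < 4:
        raise ValueError("truncated ICMPv6 header")
    return struct.unpack("!BBH", payload[:4])


def decide_packet(payload: bytes, **kwargs) -> str:
    icmp_type, code, _ = parse_icmpv6(payload)
    return decide(icmp_type, code, **kwargs)


def policy_sanity(policy) -> list:
    """Warnings for a policy that would 'completely break IPv6' (the slide's words) by dropping
    the error messages the protocol depends on."""
    warnings = []
    for t, name in ESSENTIAL_ERRORS.items():
        if t not in policy:
            warnings.append(f"type {t} ({name}) is dropped entirely")
    if policy.get(3) is not None and 0 not in policy[3]:
        warnings.append("Time Exceeded code 0 is dropped: hop-limit expiry is never reported")
    return warnings


if __name__ == "__main__":
    # Constructed message: Packet Too Big, code 0, zero checksum, MTU field omitted
    print(decide_packet(bytes([2, 0, 0, 0])), policy_sanity({128: None, 129: None}))
```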
IPv6 Threats: NDP

• Neighbor Discovery (ND):
  – NDP spoofing
  – Duplicate Address Detection (DAD) DoS
• Router Advertisement (RA)
  – Rogue RA
  – RA flooding
• Neighbor Solicitation/Advertisement spoofing
  – NS with the "source link-layer" option changed
  – NA with the "target link-layer" option changed
    • Can send an unsolicited NA or an answer to an NS
IPv6 Threats: DAD - DoS

Information:
• No ARP table in IPv6
• Remember IP conflicts?

IPv6 approach:
• Stateless Address Auto-Configuration (SLAAC) is the feature to configure a unique Link-Local Address
• It uses the EUI-64 Interface Identifier in combination with the Link-Local prefix FE80::/64

Threat:
• Duplicate Address Detection – DoS attacks

Neighbor Solicitation (NS): ICMPv6 Type 135
Neighbor Advertisement (NA): ICMPv6 Type 136

Figure:
1. Client sends a Neighbor Solicitation (NS): "Is this address unique?"
2. Attacker sends a Neighbor Advertisement (NA) for each NS: "This address is MINE!"
IPv6 Threats: ND Spoofing

Neighbor Solicitation (NS): ICMPv6 Type 135
Neighbor Advertisement (NA): ICMPv6 Type 136

Figure:
1. Client sends a Neighbor Solicitation (NS) asking for Host B's link-layer address: "What is Host B's MAC address?"
2. Attacker sends a Neighbor Advertisement (NA) spoofing Host B with his own MAC: "I am Host B. This is my MAC."
IPv6 Threats: Rogue RA

Figure:
1. Client sends a Router Solicitation (RS)
2. Attacker sends a Router Advertisement (RA); hosts autoconfigure IPv6 based on the spoofed RA, including the default router (as well as other info - DNS), so the attacker becomes the default router towards the global Internet and data transfer starts through it

• Attacker can now intercept, listen to and modify the packets coming from Host A and B – MITM
• Or redirect to a site they control
IPv6: Threat Detection Tools

• NDPMon
  – Can detect anomalies in RAs and NAs
    • Compares against expected/valid behavior (config file – MAC/LLA of routers, prefixes, DNS, flags, parameters)
  – Can generate syslog events and/or email alerts, or run custom scripts
  – http://ndpmon.sourceforge.net/index.php
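The Python below is an added example, not NDPMon's code: it shows the monitoring approach the slide describes (compare observed NDP messages against a config of expected routers and prefixes) and runs it over constructed traffic reproducing the three figures above: a rogue RA, a DAD DoS where one MAC claims every address a host probes, and an NA that changes a known address-to-MAC binding. The event format, MAC/IP values, prefix and the threshold of three DAD answers are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """One NDP message as a monitor on the link would see it (only the fields the checks need)."""
    kind: str              # "NS", "NA" or "RA"
    src_mac: str           # Ethernet source
    src_ip: str            # "::" as NS source marks a DAD probe
    target: str = ""       # NS/NA target address
    lladdr: str = ""       # source link-layer option (NS) or target link-layer option (NA)
    prefixes: tuple = ()   # prefixes advertised in an RA


@dataclass
class Expected:
    """Monitor config: legitimate routers (MAC -> link-local address) and advertisable prefixes."""
    routers: dict
    prefixes: set


class NDPMonitor:
    def __init__(self, expected: Expected, dad_threshold: int = 3):
        self.expected = expected
        self.dad_threshold = dad_threshold
        self.bindings = {}                   # IPv6 address -> link-layer address learned from NAs
        self.dad_pending = set()             # addresses currently being probed with DAD
        self.dad_answers = defaultdict(set)  # answering MAC -> DAD targets it has claimed
        self.findings = []

    def feed(self, ev: Event):
        if ev.kind == "RA":
            self._check_ra(ev)
        elif ev.kind == "NS" and ev.src_ip == "::":
            self.dad_pending.add(ev.target)
        elif ev.kind == "NA":
            self._check_na(ev)
        return self

    def _check_ra(self, ev: Event):
        # RA from a MAC/link-local pair that is not in the config: rogue router.
        if self.expected.routers.get(ev.src_mac) != ev.src_ip:
            self.findings.append(f"rogue RA from {ev.src_ip} ({ev.src_mac}): not a configured router")
        for p in ev.prefixes:
            if p not in self.expected.prefixes:
                self.findings.append(f"RA from {ev.src_ip} advertises unexpected prefix {p}")

    def _check_na(self, ev: Event):
        # One MAC answering DAD for many different addresses is the DAD DoS pattern.
        if ev.target in self.dad_pending:
            claimed = self.dad_answers[ev.src_mac]
            claimed.add(ev.target)
            if len(claimed) == self.dad_threshold:
                self.findings.append(f"DAD DoS: {ev.src_mac} has claimed {len(claimed)} addresses under DAD")
        # An NA that moves an already-known address to another MAC is ND spoofing.
        known = self.bindings.setdefault(ev.target, ev.lladdr)
        if known != ev.lladdr:
            self.findings.append(f"ND spoofing: NA for {ev.target} changes link-layer address {known} -> {ev.lladdr}")


ROUTER, HOST_A, HOST_B = "00:11:22:33:44:01", "00:11:22:33:44:aa", "00:11:22:33:44:bb"
ATTACKER = "de:ad:be:ef:00:01"


def sample_events():
    """Constructed traffic: a legitimate RA, a rogue RA, a DAD DoS and an ND spoof."""
    ev = [
        Event("RA", ROUTER, "fe80::1", prefixes=("2001:db8:8:4::/64",)),
        Event("RA", ATTACKER, "fe80::bad", prefixes=("2001:db8:8:4::/64",)),
    ]
    for n in (0x10, 0x11, 0x12):          # host A tries three addresses, the attacker claims each
        addr = f"2001:db8:8:4::{n:x}"
        ev.append(Event("NS", HOST_A, "::", target=addr))
        ev.append(Event("NA", ATTACKER, addr, target=addr, lladdr=ATTACKER))
    ev += [
        Event("NS", HOST_A, "fe80::a", target="2001:db8:8:4::b", lladdr=HOST_A),
        Event("NA", HOST_B, "2001:db8:8:4::b", target="2001:db8:8:4::b", lladdr=HOST_B),
        Event("NA", ATTACKER, "2001:db8:8:4::b", target="2001:db8:8:4::b", lladdr=ATTACKER),
    ]
    return ev


def run_sample():
    mon = NDPMonitor(Expected(routers={ROUTER: "fe80::1"}, prefixes={"2001:db8:8:4::/64"}))
    for ev in sample_events():
        mon.feed(ev)
    return mon.findings


if __name__ == "__main__":
    print("\n".join(run_sample()))
```

Binding learning from the first NA is the weak point of any such monitor, which is why NDPMon's config lists the routers' MAC/LLA statically; a production monitor would seed `bindings` from known hosts rather than trusting the first answer it sees.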
IPv6: Threat Mitigation Tools

• RA Guard (RFC6105/7113)
  – Messages between IPv6 devices traverse the controlled L2 networking device
  – First-hop security
    • Allow or drop RA messages based on policies
IPv6: Threat Mitigation Tools

• SeND (RFC3971)
  – Uses crypto to secure NDP messages
    • Uses CGA and a set of NDP options
• CGA (cryptographically generated address):
  – CGA associates a public key with an IPv6 address
    • RSA signature option
  – Node computes the interface ID
    • Using a hash function of the node's public key
  – and appends it to the IPv6 prefix - CGA
IPv6: Threat Mitigation Tools

• SeND (RFC3971)
  – The receiver recomputes the hash and compares it with the interface ID
    • Verifies the public key binding
  – Messages sent from a CGA address can be protected by attaching the public key and signing the message with the private key.
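As an added example (not SeND's or any vendor's implementation), the Python below carries out the CGA generation and verification the two SeND slides describe, following the Hash1/Hash2 structure of RFC 3972: the interface ID is the leftmost 64 bits of a SHA-1 over the CGA parameters (modifier, prefix, collision count, public key), with the `sec` value written into the top three bits and the u/g bits cleared, and the receiver recomputes that hash from the parameters it is sent. The public key is a constructed byte string standing in for the DER-encoded key the RFC uses; the RSA signature option that signs the NDP message itself is not shown.

```python
import hashlib
import ipaddress
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class CGAParams:
    modifier: bytes        # 16 octets; random, searched when sec > 0
    prefix: bytes          # the 64-bit subnet prefix the address lives in
    collision_count: int   # 0, 1 or 2; bumped when DAD reports a collision
    public_key: bytes      # RFC 3972 uses the DER-encoded key; a constructed stand-in here


def _hash1(p: CGAParams) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1 over the CGA Parameters data structure."""
    return hashlib.sha1(p.modifier + p.prefix + bytes([p.collision_count]) + p.public_key).digest()[:8]


def _hash2_ok(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """Hash2: SHA-1 over modifier || 9 zero octets || public key; its leftmost 16*sec bits
    must be zero. This is the hash-extension that makes higher sec values costly to forge."""
    if sec == 0:
        return True
    h2 = hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def interface_id(p: CGAParams, sec: int) -> bytes:
    iid = bytearray(_hash1(p))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)   # sec in the 3 leftmost bits, u and g bits cleared
    return bytes(iid)


def generate(prefix: bytes, public_key: bytes, sec: int = 0, collision_count: int = 0):
    """Return (address, params). For sec > 0 the modifier is incremented until Hash2 qualifies;
    each sec level multiplies the expected work by 2**16."""
    if len(prefix) != 8 or not 0 <= collision_count <= 2 or not 0 <= sec <= 7:
        raise ValueError("bad prefix length, collision count or sec")
    modifier = os.urandom(16)
    while not _hash2_ok(modifier, public_key, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    params = CGAParams(modifier, prefix, collision_count, public_key)
    return str(ipaddress.IPv6Address(prefix + interface_id(params, sec))), params


def verify(address: str, params: CGAParams) -> bool:
    """Receiver side: recompute the hash from the parameters and compare it with the interface ID.
    A key that does not hash to this address fails, so the public-key binding is checked."""
    packed = ipaddress.IPv6Address(address).packed
    if params.collision_count > 2 or packed[:8] != params.prefix:
        return False
    sec = packed[8] >> 5
    if packed[8:] != interface_id(params, sec):
        return False
    return _hash2_ok(params.modifier, params.public_key, sec)


if __name__ == "__main__":
    prefix = bytes.fromhex("20010db800080004")            # 2001:db8:8:4::/64
    key = b"constructed stand-in for a DER-encoded public key"
    addr, params = generate(prefix, key)
    print(addr, verify(addr, params))
```

`verify` takes `sec` from the address itself, which is what lets a receiver with no prior state check an address: the only things it needs are the parameters the sender attaches to the NDP message.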
IPv6: What Else?

• Viruses/Worms
  – Is IPv6 any more secure?
    • IMs, emails higher up the stack still the same L
• Train your people
• Assess your network - security nodes must understand IPv6
• Do what you did for IPv4 traffic with IPv6
  – ACLs/filters
  – Harden hosts and applications
  – Use crypto protections where necessary/critical