1
IPv6 Security Overview
Q S Tahmeed, APNIC RCT, BD
2
IPv4: Current Status
3
IPv6: Global End User Readiness
https://stats.labs.apnic.net/ipv6
4
IPv6: Globally Top 1000 Websites
https://pulse.internetsociety.org/technologies
5
IPv6: Address Types & Headers
6
IPv6: Address Spaces
Prefix | Designation | IPv4 equivalent

::/128 | Unspecified | 0.0.0.0
  This address may only be used as a source address by an initializing host before it has learned its own addresses.

::1/128 | Loopback | 127.0.0.1
  This address is used when a host talks to itself over IPv6. This often happens when one program sends data to another.

fc00::/7 (example: fdf8:f535:82e4::53) | Unique Local Addresses (ULAs) | Private, or RFC 1918, address space: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  Reserved for local use in home and enterprise environments (not public address space).

fe80::/10 (example: fe80::200:5aee:feaa:20a2) | Link-Local Addresses | 169.254.0.0/16
  Used on a single link or a non-routed common access network, such as an Ethernet LAN. They do not need to be unique outside of that link.

2001:db8::/32 (example: 2001:db8:8:4::2) | Documentation | 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24
  Used in examples and documentation. These should never be source or destination addresses.

2000::/3 | Global Unicast | No equivalent single IPv4 block
  The operators of networks using these addresses can be found using the RIR Whois servers listed in the IANA registry.

ff00::/8 (example: ff01:0:0:0:0:0:0:2) | Multicast | 224.0.0.0/4
  Used to identify multicast groups. They should only be used as destination addresses, never as source addresses.

The above is a partial list. The full list can be found at:
https://www.apnic.net/get-ip/faqs/what-is-an-ip-address/ipv6-address-types/
7
IPv6: Protocol Headers
[Figure: IPv6 header layout compared with the IPv4 header]
8
IPv6: Protocol Headers
[Figure: IPv6 header layout compared with the IPv4 header (continued)]
9
IPv6: Key Security Features
10
IPv6: Security Statements
Statement | Reason | Reality

"IPv6 is more secure and it's built-in"
  Reason: RFC4294 states that IPsec is a MUST.
  Reality: RFC 8504 states IPsec SHOULD. IPsec is available.

"IPv6 has no NAT and we are exposed to attacks from the Internet"
  Reason: E2E paradigm. Global addresses & no NAT.
  Reality: Global addressing doesn't imply global reachability, and each organization is responsible for FILTERING its own traffic.

"IPv6 networks are too big to SCAN"
  Reason: Standard LAN/VLAN allocation is a /64 network prefix.
  Reality: A brute-force scan is not possible, but there are new scanning techniques available.

"IPv6 is too new to be attacked"
  Reason: Lack of updated information.
  Reality: 20% of overall malicious traffic is over IPv6.

"IPv6 is not a security problem in IPv4-only networks"
  Reason: Networks having IPv4 services only.
  Reality: IPv6 is enabled by default in modern OSes and can lead to problems if unchecked.

"IPv6 security lacks adequate resources and policies"
  Reason: Considering that there are no BCPs, resources or features.
  Reality: BCPs, resources & features are there and regularly updated. Organizations can implement their own security policy in accordance.
11
IPv6: How to Approach
A change of mindset is necessary
• IPv6 has its own security features and risks, and they need to be addressed accordingly
• Developing IPv6 protocol knowledge is the best security measure
12
IPv6: What’s actually happening out there
• 2003: First IPv6 DDoS - approx. 1Gbps
• 2022 October: 10% of all attacks
• 2023 June: 20% of all attacks (doubled in less than a year)
• 2023 May-June: Spiked to 35% of all attacks (coincides with the ongoing scanning attacks)
• In 2022 alone, IPv6 overall DDoS traffic volume increased by 600%!
References:
– https://www.juniper.net/content/dam/www/assets/analyst-reports/us/en/2023/corero-ddos-threat-intelligence-report.pdf
– https://majorityreport.crowdsec.net
– https://www.radware.com/2023-h1-global-threat-analysis-report/
– June 15, 2023: ipv6-exploitation-in-ad-environment
– February 14, 2023: MITM6
13
IPv6 Threats: Spoofing
• IP Spoofing:
  – Using a fake IPv6 source address
• Solution:
  – Ingress filtering and uRPF (unicast reverse path forwarding)
• uRPF:
  – BCP38 (RFC2827)
    • Since 1998!
  – The router verifies that the source address of each received packet is in the FIB (routing table) and reachable
    • Else DROP!
[Figure: uRPF example. Packets with Src = 2406:6400:100::1 and Src = 2406:6400:200::1 arrive on interfaces pos0/0 and ge0/0. FIB: 2400:6400:100:/48 via ge0/0, 2400:6400:200:/48 via fa0/0.]
Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
14
IPv6 Threats: BOGONs
What is BOGON
• Not all IP address space (v4 and v6) is allocated by IANA to the RIRs
• Addresses that should not be seen on the Internet are called "Bogons" (also called "Martians")
  – RFC1918 space + reserved space
• IANA publishes lists of the number resources that have been allocated/assigned to RIRs/end-users
  • IANA - IPv6 Assignment List
  • IANA - IPv4 Assignment List
Impact & Mitigation
• Commonly found as the source address of DDoS packets
• Implement ingress BOGON filters
  – Should not route them or accept traffic from them
  – Manually implement from the IANA BOGON list
  – Autoconfigure via the Team Cymru BOGON route server project
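The uRPF check from the spoofing slide and the bogon filter from this slide, as one added example that is not part of the original presentation: a Python ingress check that rejects bogon sources and then applies strict or loose uRPF against a FIB. The FIB, the bogon list and the sample packets are constructed for the example, not real tables.

```python
"""Ingress source-address check combining the two slides above: reject bogon
sources, then apply uRPF (BCP 38 / RFC 2827). Strict mode requires that the FIB's
egress interface for the source equals the interface the packet arrived on; loose
mode only requires that some route to the source exists.
The FIB and the bogon list are constructed for this example, not real tables."""
import ipaddress
from typing import Optional, Tuple

IPv6Net = ipaddress.IPv6Network

# Constructed FIB: prefix -> egress interface (longest match wins).
FIB = {
    IPv6Net("2001:db8:100::/48"): "ge0/0",
    IPv6Net("2001:db8:200::/48"): "fa0/0",
    IPv6Net("::/0"): "pos0/0",  # default route toward the upstream
}

# Constructed bogon list with a few IPv6 special-purpose ranges. A deployment
# would load the IANA registry or the Team Cymru feed instead. 2001:db8::/32 is
# itself a bogon but is left out here because the sample FIB uses it as customer space.
BOGONS = [IPv6Net(p) for p in ("::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def fib_lookup(src: ipaddress.IPv6Address,
               allow_default: bool) -> Optional[Tuple[IPv6Net, str]]:
    """Longest-prefix match for src; the default route only counts when allowed."""
    best = None
    for prefix, iface in FIB.items():
        if prefix.prefixlen == 0 and not allow_default:
            continue
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def check_source(src_str: str, ingress: str, strict: bool = True,
                 allow_default: bool = False) -> Tuple[bool, str]:
    """Return (accept, reason) for a packet with source src_str received on ingress."""
    src = ipaddress.ip_address(src_str)
    if src.version != 6:
        return False, "not an IPv6 source"
    for bogon in BOGONS:                      # step 1: bogon filter
        if src in bogon:
            return False, f"bogon source {src} matches {bogon}"
    route = fib_lookup(src, allow_default)    # step 2: uRPF
    if route is None:
        return False, f"uRPF fail: no route to {src}"
    prefix, iface = route
    if strict and iface != ingress:
        return False, f"strict uRPF fail: {prefix} is via {iface}, packet arrived on {ingress}"
    return True, f"accept: {src} matches {prefix} via {iface}"


if __name__ == "__main__":
    # Constructed samples: (source address, ingress interface)
    for src, ingress in [("2001:db8:100::1", "ge0/0"),   # legitimate customer
                         ("2001:db8:100::1", "fa0/0"),   # customer prefix from the wrong port
                         ("fe80::1", "ge0/0"),           # link-local, never valid across a router
                         ("2001:db8:300::1", "ge0/0")]:  # no route: spoofed or unallocated
        print(src, ingress, "->", check_source(src, ingress))
```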
15
IPv6: Extension Headers
IPv6 allows optional Extension Headers between the IPv6 header and the Upper Layer (TCP/UDP) header
  – Allows adding new features to the IPv6 protocol without major re-engineering
RFC8200:
  – "Extension headers (except for Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node"
  – But destination nodes must accept and process EH in "any order and occurring any number of times in the same packet"
Key Features
  – Flexible (use is optional)
  – Fixed (types and orders)
  – Processed only at end-points (except for Hop-by-Hop & Routing options)
[Figure: packet layouts]
  IPv6 Header (Next Header = 6) | TCP header + data
  IPv6 Header (Next Header = 44) | Fragment header (Next Header = 6) | TCP header + data
Next Header values:
  0  Hop-by-hop option
  6  TCP
  17 UDP
  43 Source routing (RFC5095)
  44 Fragmentation
  50 Encrypted security payload
  51 Authentication
  58 ICMPv6
  59 Null (No next header)
  60 Destination option
16
IPv6: Extension Headers Challenges
• Flexibility is a synonym of complexity
• Security devices/software now must process the full chain of headers
• Firewalls must be able to filter based on Extension Headers
17
IPv6 Threats: EH
Threat:
• EH as a covert channel to pass payload (data)
• Use an extensive number of EH headers
  – The EH chain itself is fragmented and the TCP header can be in the Nth fragment ... voilà! Let's insert a whole bunch of new fragmented packets and overload the destination.
Impact:
• Bypass IPS/IDP/Firewall
• Overwhelm the destination node (DOS/DDOS)
Mitigation & Challenges:
• Inspect & filter unwanted EH packets
[Figure: IPv6 Header (Next Header = 44) | EH | EH (hidden data) | ... | Next header | TCP header + data]
18
IPv6 Threats: EH - Routing Headers
• Include one or more IPs that should be visited in the path
  – Processed by the visited router
• Routing Header (Type 0):
  – RH0 can be used for traffic amplification over a remote path
• RH0 Deprecated [RFC5095]
  – Disable IPv6 Source Routing
  – Filter RH0 Packets
[Figure: the attacker (S) sends a packet toward DST (D) whose RH0 fields list Addr[A], Addr[B], Addr[A], Addr[B], Addr[A], Addr[B], Addr[D]; routers A and B (with E and F on the path) forward it back and forth, so the targeted link A-B pays the bandwidth]
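An added example that is not part of the original slides: it walks an IPv6 extension-header chain the way a filter or IDS would have to, covering the EH slides above. It follows Next Header values per RFC 8200, flags RH0 (RFC 5095), long or repeated chains, and a first fragment whose chain does not reach the upper-layer header (RFC 7112). The sample packets, the policy maximum of four extension headers and the 20-octet TCP stub are constructed for the example.

```python
"""Walk the extension-header chain of a raw IPv6 packet and report the conditions
the slides describe: RH0, long or repeated EH chains, a misplaced Hop-by-Hop header,
and a first fragment that does not carry the upper-layer header (the RFC 7112
requirement). All sample packets below are constructed for this example."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS}
UPPER_MIN_LEN = {6: 20, 17: 8, 58: 8}  # smallest TCP / UDP / ICMPv6 header


@dataclass
class ChainResult:
    chain: List[int] = field(default_factory=list)     # Next Header values, in order
    upper_layer: Optional[int] = None                  # protocol after the chain, if reached
    findings: List[str] = field(default_factory=list)  # what a filter would act on


def _truncated(fragmented: bool) -> str:
    if fragmented:
        return "first fragment does not carry the whole header chain (RFC 7112 violation)"
    return "truncated packet: header chain runs past the end of the packet"


def walk_chain(pkt: bytes, max_ext_headers: int = 4) -> ChainResult:
    res = ChainResult()
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        res.findings.append("not an IPv6 packet")
        return res
    nh, off, fragmented = pkt[6], 40, False
    while nh in EXT_HEADERS:
        res.chain.append(nh)
        if nh == NO_NEXT:          # 59: nothing follows, the chain ends cleanly
            break
        if nh == ESP:              # 50: what follows is encrypted and cannot be walked
            res.findings.append("ESP present: remainder of the chain not inspectable")
            break
        if off + 8 > len(pkt):     # every extension header is at least 8 octets
            res.findings.append(_truncated(fragmented))
            break
        next_nh = pkt[off]
        if nh == HOP_BY_HOP and off != 40:
            res.findings.append("Hop-by-Hop Options not directly after the IPv6 header (RFC 8200)")
        if nh == FRAGMENT:         # fixed 8 octets: NH, reserved, offset(13)|res(2)|M(1), ID
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                res.findings.append("non-first fragment: upper-layer header lives in the first fragment")
                break
            fragmented, length = True, 8
        elif nh == AH:             # Payload Len counts 32-bit words, minus 2 (RFC 4302)
            length = (pkt[off + 1] + 2) * 4
        else:                      # HBH / Routing / Dest Opts: Hdr Ext Len in 8-octet units, minus 1
            length = (pkt[off + 1] + 1) * 8
            if nh == ROUTING and pkt[off + 2] == 0 and pkt[off + 3] > 0:
                res.findings.append("RH0 with Segments Left > 0 (deprecated by RFC 5095)")
        off, nh = off + length, next_nh
    else:                          # loop fell through: nh is the upper-layer protocol
        res.upper_layer = nh
        if off + UPPER_MIN_LEN.get(nh, 0) > len(pkt):
            res.findings.append(_truncated(fragmented))
    if len(res.chain) > max_ext_headers:
        res.findings.append(f"{len(res.chain)} extension headers exceed policy maximum {max_ext_headers}")
    for hdr in sorted(set(res.chain)):
        allowed = 2 if hdr == DEST_OPTS else 1   # RFC 8200 permits Dest Opts twice
        if res.chain.count(hdr) > allowed:
            res.findings.append(f"extension header {hdr} appears {res.chain.count(hdr)} times")
    return res


def ipv6_header(payload_len: int, next_header: int) -> bytes:
    """Constructed 40-octet IPv6 fixed header, 2001:db8::1 -> 2001:db8::2, hop limit 64."""
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src + dst


def padn_options(next_header: int) -> bytes:
    """8-octet Hop-by-Hop or Destination Options header carrying a single PadN option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


TCP_STUB = bytes(20)  # 20 zero octets stand in for a minimal TCP header
# Benign: IPv6 | Hop-by-Hop | TCP
BENIGN = ipv6_header(28, HOP_BY_HOP) + padn_options(6) + TCP_STUB
# Deprecated RH0 carrying two addresses with Segments Left = 2: IPv6 | Routing(type 0) | TCP
RH0 = ipv6_header(60, ROUTING) + bytes([6, 4, 0, 2, 0, 0, 0, 0]) + bytes(32) + TCP_STUB
# First fragment (offset 0, M=1) whose chain of five Destination Options headers ends before TCP
FRAG_CHAIN = (ipv6_header(48, FRAGMENT) + bytes([DEST_OPTS, 0, 0, 1]) + struct.pack("!I", 0x1234)
              + padn_options(DEST_OPTS) * 4 + padn_options(6))

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("rh0", RH0), ("frag_chain", FRAG_CHAIN)]:
        r = walk_chain(pkt)
        print(f"{name}: chain={r.chain} upper={r.upper_layer} findings={r.findings}")
```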
19
IPv6: ICMPv6 – integral part of IPv6
• Filtering ICMPv6 is not a straightforward task
  – Drop ICMPv6 → completely break IPv6
• RFC4890: "ICMPv6 Filtering Recommendations"
  – Permit error messages
    • Destination Unreachable (Type 1) - All codes
    • Packet Too Big (Type 2)
    • Time Exceeded (Type 3) - Code 0 only
    • Parameter Problem (Type 4) - Codes 1 and 2 only
  – Permit connectivity check messages
    • Echo Request (Type 128)
    • Echo Response (Type 129)
https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
20
IPv6 Threats: NDP
• Neighbor Discovery (ND):
  – NDP spoofing
  – Duplicate Address Detection (DAD) DoS
• Router Advertisement (RA)
  – Rogue RA
  – RA flooding
• Neighbor Solicitation/Advertisement spoofing
  – NS with the "source link-layer" option changed
  – NA with the "target link-layer" option changed
    • Can be sent as an unsolicited NA or as an answer to an NS
21
IPv6 Threats: DAD - DOS
Information:
• No ARP table in IPv6
• Remember IP conflicts?
IPv6 Approach:
• Stateless Address Auto-Configuration (SLAAC) is the feature used to configure a unique Link-Local Address
• It uses the EUI-64 Interface Identifier in combination with the Link-Local prefix FE80::/64
Threat:
• Duplicate Address Detection (DAD) DoS attacks
Neighbor Solicitation (NS): ICMPv6 Type 135
Neighbor Advertisement (NA): ICMPv6 Type 136
[Figure: 1. The client sends a Neighbor Solicitation (NS): "Is this address unique?" 2. The attacker sends a Neighbor Advertisement (NA) for each NS: "This address is MINE!"]
22
IPv6 Threats: ND Spoofing
[Figure: 1. The client sends a Neighbor Solicitation (NS) asking for Host B's link-layer address: "What is Host B's MAC address?" 2. The attacker answers with a Neighbor Advertisement (NA), spoofing Host B and sending his own MAC: "I am Host B. This is my MAC."]
Neighbor Solicitation (NS): ICMPv6 Type 135
Neighbor Advertisement (NA): ICMPv6 Type 136
23
IPv6 Threats: Rogue RA
[Figure: 1. The client sends a Router Solicitation (RS). 2. The attacker sends a Router Advertisement (RA) and becomes the default router. Hosts autoconfigure IPv6 based on the spoofed RA, including the default router (as well as other info - DNS); the data transfer toward the Global Internet then starts through the attacker.]
• The attacker can now intercept, listen to and modify the packets coming from Host A and B – MITM
• Or redirect them to a site they control
24
IPv6: Threat Detection tools
• NDPMon
– Can detect anomalies in RAs and NAs
• Compares against expected/valid behavior (config file – MAC/LLA of routers, prefixes, DNS,
flags, parameters)
– Can generate syslog events and/or email alerts, or run custom scripts
– http://ndpmon.sourceforge.net/index.php
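An added example, not NDPMon's code or the presenter's, of the kind of checks NDPMon performs for the NDP threats on the slides above (rogue RA, ND spoofing, DAD DoS), evaluated over a stream of ND messages. The expected configuration (known router MAC/LLA, allowed prefix), the DAD-answer threshold of three and the message stream are constructed for the example.

```python
"""Stateful checks over a stream of Neighbor Discovery messages, in the spirit of
the NDPMon approach on the slide: compare what the link shows against an expected
configuration (router MAC/LLA, allowed prefixes) and a neighbor cache learned on
the fly. The policy and the message stream below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NDMsg:
    kind: str                       # "RS", "RA", "NS" or "NA"
    src_mac: str                    # Ethernet source of the frame
    src_ip: str                     # "::" marks a DAD probe (NS from the unspecified address)
    target: Optional[str] = None    # NS/NA target address
    lladdr: Optional[str] = None    # NS source link-layer / NA target link-layer option
    prefixes: Tuple[str, ...] = ()  # RA prefix information options


# Constructed MACs (RFC 7042 documentation range) and expected state, the
# equivalent of NDPMon's config file.
ATTACKER, HOST_A, HOST_B = "00:00:5e:00:53:ee", "00:00:5e:00:53:aa", "00:00:5e:00:53:bb"
ROUTER = "00:00:5e:00:53:01"
KNOWN_ROUTERS = {ROUTER: "fe80::200:5eff:fe00:5301"}
ALLOWED_PREFIXES = [ipaddress.ip_network("2001:db8:1::/64")]


class NDMonitor:
    def __init__(self, dad_threshold: int = 3):
        self.cache: Dict[str, str] = {}            # IPv6 address -> MAC first seen for it
        self.dad_targets: Set[str] = set()         # addresses currently under DAD
        self.dad_claims: Dict[str, Set[str]] = {}  # MAC -> tentative addresses it answered
        self.dad_threshold = dad_threshold
        self.alerts: List[str] = []

    def feed(self, m: NDMsg) -> List[str]:
        """Process one message and return the alerts it produced."""
        before = len(self.alerts)
        if m.kind == "RA":
            self._on_ra(m)
        elif m.kind == "NS":
            self._on_ns(m)
        elif m.kind == "NA":
            self._on_na(m)
        return self.alerts[before:]

    def _on_ra(self, m: NDMsg) -> None:
        if KNOWN_ROUTERS.get(m.src_mac) != m.src_ip:
            self.alerts.append(f"rogue RA from {m.src_mac} ({m.src_ip})")
        for p in m.prefixes:
            if ipaddress.ip_network(p) not in ALLOWED_PREFIXES:
                self.alerts.append(f"RA advertises unexpected prefix {p}")

    def _on_ns(self, m: NDMsg) -> None:
        if m.src_ip == "::":                       # DAD: "is this address unique?"
            self.dad_targets.add(m.target)
        elif m.lladdr:
            self._bind(m.src_ip, m.src_mac, m.lladdr, "NS")

    def _on_na(self, m: NDMsg) -> None:
        if m.target in self.dad_targets:           # "this address is MINE!"
            claimed = self.dad_claims.setdefault(m.src_mac, set())
            claimed.add(m.target)
            if len(claimed) >= self.dad_threshold:
                self.alerts.append(f"DAD DoS: {m.src_mac} answered {len(claimed)} DAD probes")
        if m.lladdr:
            self._bind(m.target, m.src_mac, m.lladdr, "NA")

    def _bind(self, addr: str, frame_mac: str, option_mac: str, via: str) -> None:
        if option_mac != frame_mac:
            self.alerts.append(f"{via} link-layer option {option_mac} differs from frame source {frame_mac}")
        known = self.cache.setdefault(addr, option_mac)
        if known != option_mac:
            self.alerts.append(f"ND spoofing: {via} binds {addr} to {option_mac}, cache has {known}")


def run(stream: List[NDMsg]) -> List[str]:
    mon = NDMonitor()
    for m in stream:
        mon.feed(m)
    return mon.alerts


STREAM = [  # constructed, one scenario per slide
    # DAD DoS: the attacker answers every DAD probe host A sends
    NDMsg("NS", HOST_A, "::", target="2001:db8:1::a1"),
    NDMsg("NA", ATTACKER, "fe80::ee", target="2001:db8:1::a1", lladdr=ATTACKER),
    NDMsg("NS", HOST_A, "::", target="2001:db8:1::a2"),
    NDMsg("NA", ATTACKER, "fe80::ee", target="2001:db8:1::a2", lladdr=ATTACKER),
    NDMsg("NS", HOST_A, "::", target="2001:db8:1::a3"),
    NDMsg("NA", ATTACKER, "fe80::ee", target="2001:db8:1::a3", lladdr=ATTACKER),
    # Rogue RA: the legitimate router, then the attacker posing as a router
    NDMsg("RA", ROUTER, "fe80::200:5eff:fe00:5301", prefixes=("2001:db8:1::/64",)),
    NDMsg("RA", ATTACKER, "fe80::ee", prefixes=("2001:db8:bad::/64",)),
    # ND spoofing: host B is known with its own MAC, then the attacker claims B's address
    NDMsg("NS", HOST_B, "2001:db8:1::b1", target="2001:db8:1::1", lladdr=HOST_B),
    NDMsg("NA", ATTACKER, "fe80::ee", target="2001:db8:1::b1", lladdr=ATTACKER),
]

if __name__ == "__main__":
    for alert in run(STREAM):
        print(alert)
```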
25
IPv6: Threat Mitigation Tools
• RA Guard (RFC6105/7113)
  – RA messages between IPv6 devices traverse the controlled L2 networking device
  – A first-hop security feature
    • Allows or drops RA messages based on policies
26
IPv6: Threat Mitigation Tools
• SeND (RFC3971)
  – Uses cryptography to secure NDP messages
    • Uses CGA and a set of NDP options
  • CGA (Cryptographically Generated Address):
    – A CGA associates a public key with an IPv6 address
  • RSA signature option
    – The node computes the interface ID
      • using a hash function of the node's public key
    – and appends it to the IPv6 prefix: the result is the CGA
27
IPv6: Threat Mitigation Tools
• SeND (RFC3971)
  – The receiver recomputes the hash and compares it with the interface ID
    • This verifies the public key binding
  – Messages sent from a CGA address can be protected by attaching the public key and signing the message with the private key.
28
IPv6: What Else?
• Viruses/Worms
  – Is IPv6 any more secure?
    • IMs, e-mails and everything else higher up the stack are still the same
• Train your people
• Assess your network - security nodes must understand IPv6
• Do what you did for IPv4 traffic with IPv6
  – ACLs/filters
  – Harden hosts and applications
  – Use crypto protections where necessary/critical
29
References:
• https://www.first.org/resources/papers/conf2015/first_2015-herberg-frank_ipv6-security_20150618.pdf
• https://tools.ietf.org/html/rfc2460
• https://tools.ietf.org/html/rfc7112
• https://tools.ietf.org/html/rfc7113
• https://tools.ietf.org/html/rfc8200
• https://labs.ripe.net/Members/ahmad_alsadeh/isend
• https://blog.compass-security.com/wp-content/uploads/2015/01/ipv6_secure_neighbor_discovery_1.2.pdf
30

More Related Content

Similar to IPv6 Security Overview by QS Tahmeed, APNIC RCT

IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and RealitySwiss IPv6 Council
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013Zivaro Inc
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?APNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6mithilak
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 
IPv6 networking training sduffy v3
IPv6 networking training   sduffy v3IPv6 networking training   sduffy v3
IPv6 networking training sduffy v3Shane Duffy
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaWardner Maia
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planningTim Martin
 
10 IP VERSION SIX (6) WEEK TEN notes.pptx
10 IP VERSION SIX (6)  WEEK TEN notes.pptx10 IP VERSION SIX (6)  WEEK TEN notes.pptx
10 IP VERSION SIX (6) WEEK TEN notes.pptxJoshuaAnnan5
 
Apnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshopApnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshopNguyen Minh Thu
 
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2ehsan nazer
 

Similar to IPv6 Security Overview by QS Tahmeed, APNIC RCT (20)

IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
 
IPv6
IPv6IPv6
IPv6
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
I pv6 for cmu
I pv6 for cmuI pv6 for cmu
I pv6 for cmu
 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
IPv6 networking training sduffy v3
IPv6 networking training   sduffy v3IPv6 networking training   sduffy v3
IPv6 networking training sduffy v3
 
IPv6_Quick_Start_Guide
IPv6_Quick_Start_GuideIPv6_Quick_Start_Guide
IPv6_Quick_Start_Guide
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planning
 
IPv6
IPv6IPv6
IPv6
 
IPv6
IPv6IPv6
IPv6
 
10 IP VERSION SIX (6) WEEK TEN notes.pptx
10 IP VERSION SIX (6)  WEEK TEN notes.pptx10 IP VERSION SIX (6)  WEEK TEN notes.pptx
10 IP VERSION SIX (6) WEEK TEN notes.pptx
 
Ipv6 questions
Ipv6 questionsIpv6 questions
Ipv6 questions
 
Ipv6
Ipv6Ipv6
Ipv6
 
Apnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshopApnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshop
 
IPV6
IPV6 IPV6
IPV6
 
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2
 

More from Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaBangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 
Measuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create ValueMeasuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create Value
 

Recently uploaded

Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Dewi Agency
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsrahman018755
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirtrahman018755
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理AS
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样AS
 
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformonhackersuli
 
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...mikehavy0
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理F
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证hfkmxufye
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样AS
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理A
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样ayvbos
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 

Recently uploaded (20)

Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理
 
原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样原版定制英国赫瑞瓦特大学毕业证原件一模一样
原版定制英国赫瑞瓦特大学毕业证原件一模一样
 
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
 
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
如何办理(UCLA毕业证)加州大学洛杉矶分校毕业证成绩单本科硕士学位证留信学历认证
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
一比一原版(Polytechnic毕业证书)新加坡理工学院毕业证原件一模一样
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 

IPv6 Security Overview by QS Tahmeed, APNIC RCT

  • 1. 1 IPv6 Security Overview Q S Tahmeed, APNIC RCT, BD
  • 3. 3 3 IPv6: Global End User Readiness https://stats.labs.apnic.net/ipv6
  • 4. 4 4 IPv6: Globally Top 1000 Websites https://pulse.internetsociety.org/technologies
  • 6. 6 6 IPv6: Address Spaces Prefix Designation IPv4 equivalent ::/128 Unspecified This address may only be used as a source address by an initializing host before it has learned its own addresses. 0.0.0.0 ::1/128 Loopback This address is used when a host talks to itself over IPv6. This often happens when one program sends data to another. 127.0.0.1 fc00::/7 Example: fdf8:f535:82e4::53 Unique Local Addresses (ULAs) Reserved for local use in home and enterprise environments (not public address space). Private, or RFC 1918 address space: •10.0.0.0/8 •172.16.0.0/12 •192.168.0.0/16 fe80::/10 Example: fe80::200:5aee:feaa:20a2 Link-Local Addresses Used on a single link or a non-routed common access network, such as an Ethernet LAN. They do not need to be unique outside of that link. 169.254.0.0/16 2001:db8::/32 Example: 2001:db8:8:4::2 Documentation used in examples and documentation. These should never be source or destination addresses. •192.0.2.0/24 •198.51.100.0/24 •203.0.113.0/24 2000::/3 Global Unicast The operators of networks using these addresses can be found using the RIR Whois servers listed in the IANA registry. No equivalent single IPv4 block ff00::/8 Example: ff01:0:0:0:0:0:0:2 Multicast Used to identify multicast groups. They should only be used as destination addresses, never as source addresses. 224.0.0.0/4 The above is a partial list. The full list can be found below: https://www.apnic.net/get-ip/faqs/what-is-an-ip-address/ipv6-address-types/
  • 10. 10 10 IPv6: Security Statements Statements Reason Reality IPv6 is more secure and it’s built-in RFC4294 – states that IPsec is a MUST - RFC 8504 – states IPsec SHOULD. - IPsec is available. IPv6 has no NAT and we are exposed to attacks from Internet E2E paradigm. Global addresses & No NAT Global addressing doesn’t imply global rechability and each organization is responsible for FILTERING its own traffic. IPv6 Networks are too big to SCAN Standard LAN/VLAN allocation is /64 network prefix Brute-force scan is not possible but there are new scanning techniques available. IPv6 is too new to be attacked Lack of updated information 20% of overall Malicious Traffic is over IPv6. IPv6 is not a security problem in IPv4 only networks Networks having IPv4 services only IPv6 is by default enabled in modern OS and can lead to problems if unchecked. IPv6 security lacks adequate resources and policies Considering that there are no BCPs, resources or features BCPs, Resources & Features are there and regularly updated. ORGs can implement own security policy in accordance.
  • 11. 11 IPv6: How to Approach A change of mindset is necessary q IPv6 has its own security features and risks & need to be addressed accordingly q IPv6 protocol knowledge development is the best security measures
  • 12. 12 IPv6: What’s actually happening out there • 2003 : First IPv6 DDoS - approx. 1Gbps • 2022 October : 10% of all attacks • 2023 June : 20% of all attacks (doubled in less than a year) • 2023 May-June : Spiked to 35% of all attacks (co-insides with the ongoing scanning attacks) • In just 2022 IPv6 overall DDoS traffic volume increased by 600% !!! References: – https://www.juniper.net/content/dam/www/assets/analyst-reports/us/en/2023/corero-ddos-threat-intelligence-report.pdf – https://majorityreport.crowdsec.net – https://www.radware.com/2023-h1-global-threat-analysis-report/ – June 15, 2023: ipv6-exploitation-in-ad-environment – February 14, 2023: MITM6
  • 13. 13 IPv6 Threats: Spoofing • IP Spoofing: – Using a fake IPv6 source address • Solution: – ingress filtering and uRFP (unicast reverse path forwarding) • uRPF : – BCP38 (RFC2827) • Since 1998! – Router verifies if the source address of packets received is in the FIB table and reachable (routing table) • Else DROP! pos0/0 ge0/0 Src = 2406:6400:100::1 Src = 2406:6400:200::1 FIB: 2400:6400:100:/48 ge0/0 2400:6400:200:/48 fa0/0 pos0/0 ge0/0 Src = 2406:6400:100::1 Src = 2406:6400:200::1 Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
14. IPv6 Threats: BOGONs

What is a BOGON?
• Not all IP addresses (v4 and v6) are allocated by IANA to the RIRs
• Addresses that should not be seen on the Internet are called "Bogons" (also called "Martians")
  – RFC 1918 space + reserved space
• IANA publishes the list of number resources that have been allocated/assigned to RIRs/end users
  – IANA IPv6 assignment list
  – IANA IPv4 assignment list

Impact & Mitigation
• Commonly found as the source address of DDoS packets
• Implement ingress BOGON filters
  – Do not route them or accept traffic from them
  – Manually implement from the IANA BOGON list
  – Auto-configure via the Team Cymru BOGON route server project
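The two edge checks from the last two slides, ingress bogon filtering and uRPF, as one added example (this is example code, not from the presentation or from any vendor). It implements the strict form of uRPF, where the source prefix must be reachable through the very interface the packet arrived on, using a constructed FIB whose prefixes and interface names mirror the spoofing diagram; the bogon list is assembled from the address-type table earlier in the deck, whereas a production filter would be generated from IANA's allocation lists or a bogon feed.

```python
"""Added example (not from the slides): a minimal IPv6 ingress filter that
combines a bogon-source check with strict uRPF (BCP38 / RFC 2827) against a
FIB. Interface names and FIB entries are constructed for this example."""
import ipaddress

# Prefixes that must never appear as a *source* address at the network edge.
# Constructed from the address-type table earlier in this deck.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "::/128",         # unspecified
    "::1/128",        # loopback
    "fc00::/7",       # unique local (private) space
    "fe80::/10",      # link-local, must never cross a router
    "2001:db8::/32",  # documentation prefix
    "ff00::/8",       # multicast is only ever a destination
)]

# Constructed FIB: prefix -> interface through which the prefix is reachable.
FIB = {
    ipaddress.ip_network("2406:6400:100::/48"): "ge0/0",
    ipaddress.ip_network("2406:6400:200::/48"): "fa0/0",
    ipaddress.ip_network("2406:6400::/32"): "pos0/0",   # upstream aggregate
}


def is_bogon(src):
    """True when the source address lies in a reserved / non-routable block."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_SOURCES)


def fib_lookup(addr):
    """Longest-prefix match in the FIB; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in FIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def ingress_decision(src, ingress_iface):
    """Filter verdict for a packet with source `src` that arrived on
    `ingress_iface`: ("accept", matched prefix) or ("drop", reason)."""
    if is_bogon(src):
        return ("drop", "bogon source")
    hit = fib_lookup(src)
    if hit is None:
        return ("drop", "source not in FIB")          # nothing routes back there
    net, iface = hit
    if iface != ingress_iface:                         # strict uRPF check
        return ("drop", f"uRPF: {net} is reachable via {iface}, "
                        f"but the packet arrived on {ingress_iface}")
    return ("accept", str(net))


if __name__ == "__main__":
    for src, iface in [("2406:6400:100::1", "ge0/0"), ("2406:6400:100::1", "pos0/0"),
                       ("fe80::1", "ge0/0"), ("2001:df0::1", "ge0/0")]:
        print(src, iface, ingress_decision(src, iface))
```

Strict uRPF is the right mode on customer-facing or stub interfaces; on interfaces with asymmetric routing the interface comparison would drop legitimate traffic, which is why the "loose" variant (source merely present in the FIB, the `fib_lookup` result alone) exists.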
15. IPv6: Extension Headers

IPv6 allows optional Extension Headers between the IPv6 header and the upper-layer (TCP/UDP) header
– Allows adding new features to the IPv6 protocol without major re-engineering

RFC 8200:
– "Extension headers (except for the Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node"
– But destination nodes must accept and process EHs in "any order and occurring any number of times in the same packet"

Key features:
– Flexible (use is optional)
– Fixed (types and order)
– Processed only at end-points (except for Hop-by-Hop & Routing options)

Packet layouts:
  IPv6 Header (Next Header = 6) | TCP header + data
  IPv6 Header (Next Header = 44) | Fragment header (Next Header = 6) | TCP header + data

Next Header values:
  0   Hop-by-hop option
  6   TCP
  17  UDP
  43  Source routing (RFC 5095)
  44  Fragmentation
  50  Encrypted security payload
  51  Authentication
  58  ICMPv6
  59  Null (no next header)
  60  Destination option
16. IPv6: Extension Headers Challenges

• Flexibility is a synonym of complexity
• Security devices/software must now process the full chain of headers
• Firewalls must be able to filter based on Extension Headers
17. IPv6 Threats: EH

Threat:
• EH as a covert channel to pass payload (data)
• Use an extensive number of EH headers
  – The EH chain itself is fragmented and the TCP header can be in the Nth fragment... voilà! Insert a whole bunch of new fragmented packets and overload the destination.

Impact:
• Bypass IPS/IDP/firewall
• Overwhelm the destination node (DoS/DDoS)

Mitigation & Challenges:
• Inspect & filter unwanted EH packets

(Figure: IPv6 Header (Next Header = 44) | EH carrying hidden data | EH (Next Header) | TCP header + data)
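What "inspect & filter unwanted EH packets" looks like in practice, as an added example covering the two Extension Header slides above (this is illustrative code, not from the presentation): a walker over the Next Header chain of a raw IPv6 packet, using the Next Header values from the table, followed by a small policy that drops Routing Header type 0, chains longer than a configurable limit, and a first fragment whose header chain continues in a later fragment (the fragmented-EH-chain trick above; RFC 7112 requires the first fragment to carry the entire chain). The sample packets, the `MAX_EXT_HEADERS` limit and the documentation-prefix addresses are constructed for the example.

```python
"""Added example, not from the slides: walk the extension-header chain of a
raw IPv6 packet and apply an inspection policy for RH0, over-long chains and
first fragments that do not carry the whole chain (RFC 7112). Standard
library only; the sample packets are constructed below."""
import struct

# Next Header values from the slide's table
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT = 0, 6, 17, 43, 44
ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = 50, 51, 58, 59, 60
# Headers at which walking stops: upper layer, encrypted ESP, or "no next header"
TERMINAL = {TCP, UDP, ICMPV6, ESP, NO_NEXT}
MAX_EXT_HEADERS = 4   # policy knob, chosen for this example


def walk_chain(pkt):
    """Describe the header chain of `pkt`: (next-header, offset) per EH, the
    terminal header reached (or None), fragment offset, routing type, and
    whether the packet ends inside the chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"chain": [], "last": None, "frag_offset": None,
            "rh_type": None, "truncated": False, "unknown": None}
    nh, off = pkt[6], 40                      # Next Header field; end of fixed header
    while True:
        if nh in TERMINAL:
            info["last"] = nh
            return info
        if off + 8 > len(pkt):                # every EH is at least 8 octets
            info["truncated"] = True
            return info
        info["chain"].append((nh, off))
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len excludes the first 8 octets
            if nh == ROUTING:
                info["rh_type"] = pkt[off + 2]
        elif nh == FRAGMENT:
            hdr_len = 8
            frag_field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            info["frag_offset"] = (frag_field >> 3) * 8
            if info["frag_offset"] != 0:      # later fragment: payload follows, not headers
                return info
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4  # AH length is in 32-bit words, minus 2
        else:
            info["unknown"] = nh
            return info
        if off + hdr_len > len(pkt):
            info["truncated"] = True
            return info
        nh, off = pkt[off], off + hdr_len


def inspect(pkt):
    """Policy verdict: ("accept", terminal header) or ("drop", [reasons])."""
    info = walk_chain(pkt)
    reasons = []
    if info["rh_type"] == 0:
        reasons.append("Routing Header type 0 (deprecated by RFC 5095)")
    if len(info["chain"]) > MAX_EXT_HEADERS:
        reasons.append(f"{len(info['chain'])} extension headers exceed the policy limit")
    if info["unknown"] is not None:
        reasons.append(f"unknown Next Header value {info['unknown']}")
    if info["truncated"]:
        reasons.append("packet ends inside the header chain")
    if info["frag_offset"] == 0 and info["last"] is None:
        reasons.append("first fragment does not carry the whole header chain (RFC 7112)")
    return ("drop", reasons) if reasons else ("accept", info["last"])


def ipv6_packet(first_nh, body):
    """Constructed sample: 40-byte fixed header (documentation addresses) + body."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), first_nh, 64, src, dst) + body


TCP_STUB = bytes(20)                    # stand-in for a 20-byte TCP header
PADN = b"\x01\x04\x00\x00\x00\x00"      # PadN option filling a minimal 8-byte EH
SAMPLES = {
    "plain_tcp": ipv6_packet(TCP, TCP_STUB),
    # first fragment (offset 0, M=1) that still carries the TCP header
    "first_frag_ok": ipv6_packet(FRAGMENT, struct.pack("!BBHI", TCP, 0, 1, 0x1234) + TCP_STUB),
    # first fragment whose EH chain continues in a later fragment
    "first_frag_split": ipv6_packet(FRAGMENT, struct.pack("!BBHI", DEST_OPTS, 0, 1, 0x1234)),
    # later fragment: only payload bytes follow the Fragment header
    "later_frag": ipv6_packet(FRAGMENT, struct.pack("!BBHI", TCP, 0, 100 << 3, 0x1234) + bytes(16)),
    # Routing Header type 0 carrying one intermediate address
    "rh0": ipv6_packet(ROUTING, bytes([TCP, 2, 0, 1]) + bytes(4) + bytes(16) + TCP_STUB),
    # five Destination Options headers in a row
    "long_chain": ipv6_packet(DEST_OPTS, (bytes([DEST_OPTS, 0]) + PADN) * 4
                              + bytes([TCP, 0]) + PADN + TCP_STUB),
}
```

Non-first fragments are accepted by this policy because nothing in them can be inspected without reassembly; a stateful device reassembles before applying the same checks to the whole datagram.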
18. IPv6 Threats: EH - Routing Headers

• Includes one or more IPs that should be visited on the path
  – Processed by the visited router
• Routing Header (Type 0):
  – RH0 can be used for traffic amplification over a remote path
• RH0 is deprecated [RFC 5095]
  – Disable IPv6 source routing
  – Filter RH0 packets

(Figure: attacker S sends a packet toward DST with RH0 fields Addr[A], Addr[B], Addr[A], Addr[B], Addr[A], Addr[B], Addr[D]; the packet bounces between routers A and B before reaching D, consuming bandwidth on the targeted A-B link.)
19. IPv6: ICMPv6, an integral part of IPv6

• Filtering ICMPv6 is not a straightforward task
  – Drop ICMPv6 → completely break IPv6
• RFC 4890: "ICMPv6 Filtering Recommendations"
  – Permit error messages:
    • Destination Unreachable (Type 1) - all codes
    • Packet Too Big (Type 2)
    • Time Exceeded (Type 3) - code 0 only
    • Parameter Problem (Type 4) - codes 1 and 2 only
  – Permit connectivity check messages:
    • Echo Request (Type 128)
    • Echo Response (Type 129)
https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
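The permit list above turned into a per-message decision, as an added example (illustrative code, not from the presentation or from RFC 4890 itself). It encodes exactly the error and connectivity-check types listed on the slide, and adds one rule the slide does not state: Neighbor Discovery messages (RS/RA/NS/NA, which RFC 4861 requires to carry hop limit 255) are permitted only when they come from the device's own link, since RFC 4890 recommends that ND never be filtered on the local link but never crosses a router either. The message records are constructed.

```python
"""Added example, not from the slides: a per-message ICMPv6 permit/drop
decision for a site border following the RFC 4890 subset listed above, plus a
link-local rule for Neighbor Discovery. Message records are constructed."""

PERMIT_ERRORS = {1: None, 2: None, 3: {0}, 4: {1, 2}}   # type -> allowed codes (None = all)
PERMIT_ECHO = {128, 129}                                 # Echo Request / Echo Reply
ND_TYPES = {133, 134, 135, 136}                          # RS, RA, NS, NA (RFC 4861)


def icmpv6_decision(icmp_type, icmp_code=0, hop_limit=64, on_local_link=False):
    """Return ("permit", rule) or ("drop", reason) for one ICMPv6 message.
    `on_local_link` is True when the message originates on the border
    device's own link, where ND must keep working."""
    if icmp_type in PERMIT_ERRORS:
        allowed = PERMIT_ERRORS[icmp_type]
        if allowed is None or icmp_code in allowed:
            # Packet Too Big (type 2) in particular must never be dropped:
            # without it Path MTU Discovery fails and large flows stall.
            return ("permit", f"error message, type {icmp_type}")
        return ("drop", f"type {icmp_type} code {icmp_code} not in the permit list")
    if icmp_type in PERMIT_ECHO:
        return ("permit", "connectivity check")
    if icmp_type in ND_TYPES:
        # ND is link-scoped: valid messages carry hop limit 255 (RFC 4861)
        # and never cross a router, so pass them on the local link only.
        if on_local_link and hop_limit == 255:
            return ("permit", "neighbor discovery on the local link")
        return ("drop", "neighbor discovery from off-link or with hop limit != 255")
    return ("drop", f"type {icmp_type} not permitted by default")


# Constructed message log: (type, code, hop_limit, on_local_link)
SAMPLE_MESSAGES = [
    (1, 3, 60, False), (2, 0, 58, False), (3, 0, 1, False), (3, 1, 60, False),
    (4, 1, 60, False), (4, 0, 60, False), (128, 0, 64, False), (129, 0, 63, False),
    (134, 0, 255, True), (134, 0, 255, False), (135, 0, 64, True), (130, 0, 1, True),
]


def apply_policy(messages=SAMPLE_MESSAGES):
    """Run the decision over a message list; returns {"permit": n, "drop": n}."""
    counts = {"permit": 0, "drop": 0}
    for icmp_type, code, hop_limit, local in messages:
        counts[icmpv6_decision(icmp_type, code, hop_limit, local)[0]] += 1
    return counts
```

The default-drop branch at the end is deliberate: anything not on the permit list (including the multicast listener and mobility types) is dropped at the border, which is the posture the slide describes while still leaving IPv6 working end to end.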
20. IPv6 Threats: NDP

• Neighbor Discovery (ND):
  – NDP spoofing
  – Duplicate Address Detection (DAD) DoS
• Router Advertisement (RA):
  – Rogue RA
  – RA flooding
• Neighbor Solicitation/Advertisement spoofing:
  – NS with the "source link-layer" option changed
  – NA with the "target link-layer" option changed
    • Can send an unsolicited NA or answer an NS
21. IPv6 Threats: DAD - DoS

Information:
• No ARP table in IPv6
• Remember IP conflicts?

IPv6 approach:
• Stateless Address Auto-Configuration (SLAAC) is the feature that configures a unique link-local address
• It uses the EUI-64 interface identifier in combination with the link-local prefix FE80::/64

Threat:
• Duplicate Address Detection - DoS attacks

Neighbor Solicitation (NS): ICMPv6 Type 135
Neighbor Advertisement (NA): ICMPv6 Type 136

(Figure:
 1. Client sends a Neighbor Solicitation (NS): "Is this address unique?"
 2. Attacker sends a Neighbor Advertisement (NA) for each NS: "This address is MINE!")
22. IPv6 Threats: ND Spoofing

Neighbor Solicitation (NS): ICMPv6 Type 135
Neighbor Advertisement (NA): ICMPv6 Type 136

(Figure:
 1. Client sends a Neighbor Solicitation (NS) asking for Host B's link-layer address: "What is Host B's MAC address?"
 2. Attacker sends a Neighbor Advertisement (NA) spoofing Host B, with the attacker's own MAC: "I am Host B. This is my MAC.")
23. IPv6 Threats: Rogue RA

(Figure:
 1. Client sends a Router Solicitation (RS)
 2. Attacker sends a Router Advertisement (RA) naming the attacker as default router; hosts autoconfigure IPv6 based on the spoofed RA, including the default router (as well as other info, such as DNS); data transfer toward the Global Internet starts through the attacker)

• The attacker can now intercept, listen to and modify the packets coming from Hosts A and B (MITM)
• Or redirect them to a site they control
24. IPv6: Threat Detection Tools

• NDPMon
  – Can detect anomalies in RAs and NAs
    • Compares against expected/valid behaviour (config file: MAC/LLA of routers, prefixes, DNS, flags, parameters)
  – Can generate syslog events and/or email alerts, or run custom scripts
  – http://ndpmon.sourceforge.net/index.php
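The detection side of the four NDP threats above (DAD DoS, ND spoofing, rogue RA, RA flooding), as an added example in the spirit of NDPMon's "compare against expected behaviour" approach; this is illustrative code, not NDPMon's, and the expected routers, prefixes, MAC addresses, thresholds and the event stream are all constructed. It keeps the same kind of state NDPMon's config file describes (legitimate router LLA/MAC pairs and prefixes), learns neighbor bindings from NAs, remembers which addresses were probed by DAD (NS with the unspecified source ::), and raises an alert when one station answers every probe.

```python
"""Added example, not from the slides and not NDPMon's code: a small NDP
anomaly monitor. Routers, prefixes, MACs, thresholds and events are constructed."""
from collections import defaultdict

EXPECTED_ROUTERS = {"fe80::1": "00:11:22:33:44:01"}   # legitimate router LLA -> MAC
EXPECTED_PREFIXES = {"2001:db8:1::/64"}
DAD_DOS_THRESHOLD = 3      # one MAC claiming this many freshly probed addresses
RA_FLOOD_THRESHOLD = 5     # RAs from one MAC before we call it a flood


class NdpMonitor:
    def __init__(self):
        self.neighbors = {}                   # IPv6 -> MAC learned from NAs
        self.dad_targets = set()              # addresses probed by DAD (NS from ::)
        self.dad_claims = defaultdict(set)    # MAC -> probed addresses it answered
        self.ra_count = defaultdict(int)      # MAC -> number of RAs seen
        self.alerts = []

    def process(self, ev):
        """Consume one ND event (a dict) and return the alerts it raised."""
        new = []
        if ev["type"] == "RA":
            src, mac = ev["src"], ev["mac"]
            if EXPECTED_ROUTERS.get(src) != mac:          # unknown LLA or wrong MAC
                new.append(f"rogue RA from {src} ({mac})")
            for prefix in ev.get("prefixes", []):
                if prefix not in EXPECTED_PREFIXES:
                    new.append(f"RA from {src} advertises unexpected prefix {prefix}")
            self.ra_count[mac] += 1
            if self.ra_count[mac] == RA_FLOOD_THRESHOLD:
                new.append(f"RA flood from {mac}")
        elif ev["type"] == "NS":
            if ev["src"] == "::":                         # DAD probe
                self.dad_targets.add(ev["target"])
        elif ev["type"] == "NA":
            target, mac = ev["target"], ev["lladdr"]
            if target in self.dad_targets:
                self.dad_claims[mac].add(target)
                if len(self.dad_claims[mac]) == DAD_DOS_THRESHOLD:
                    new.append(f"DAD DoS suspected: {mac} claims "
                               f"{DAD_DOS_THRESHOLD} probed addresses")
            known = self.neighbors.get(target)
            if known is None:
                self.neighbors[target] = mac              # first binding: learn it
            elif known != mac:
                new.append(f"NA changes link-layer for {target}: "
                           f"{known} -> {mac} (ND spoofing?)")
        self.alerts.extend(new)
        return new


# Constructed event stream: a legitimate RA, a legitimate NA, then a second
# station overriding that NA, sending a rogue RA and answering every DAD probe.
SAMPLE_EVENTS = [
    {"type": "RA", "src": "fe80::1", "mac": "00:11:22:33:44:01", "prefixes": ["2001:db8:1::/64"]},
    {"type": "NA", "target": "2001:db8:1::b", "lladdr": "00:11:22:33:44:0b"},
    {"type": "NA", "target": "2001:db8:1::b", "lladdr": "de:ad:be:ef:00:01"},
    {"type": "RA", "src": "fe80::bad", "mac": "de:ad:be:ef:00:01",
     "prefixes": ["2001:db8:1::/64", "2001:db8:666::/64"]},
    {"type": "NS", "src": "::", "target": "2001:db8:1::10"},
    {"type": "NA", "target": "2001:db8:1::10", "lladdr": "de:ad:be:ef:00:01"},
    {"type": "NS", "src": "::", "target": "2001:db8:1::11"},
    {"type": "NA", "target": "2001:db8:1::11", "lladdr": "de:ad:be:ef:00:01"},
    {"type": "NS", "src": "::", "target": "2001:db8:1::12"},
    {"type": "NA", "target": "2001:db8:1::12", "lladdr": "de:ad:be:ef:00:01"},
]


def run(events=SAMPLE_EVENTS):
    """Feed the events through a fresh monitor and return all alerts raised."""
    mon = NdpMonitor()
    for ev in events:
        mon.process(ev)
    return mon.alerts
```

In a real deployment the events come from a packet capture on the monitored segment and the alerts go to syslog, exactly the path the NDPMon bullet describes; the thresholds need tuning per segment, since a legitimately busy host may answer a few DAD probes for addresses it really owns.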
25. IPv6: Threat Mitigation Tools

• RA Guard (RFC 6105/7113)
  – Messages between IPv6 devices traverse the controlled L2 networking device (first-hop security)
  – Allow or drop RA messages based on policies
26. IPv6: Threat Mitigation Tools

• SeND (RFC 3971)
  – Uses crypto to secure NDP messages
    • Uses CGA and a set of NDP options
• CGA (cryptographically generated address):
  – A CGA associates a public key with an IPv6 address
    • RSA Signature option
  – The node computes the interface ID using a hash function over the node's public key, and appends it to the IPv6 prefix: the CGA
27. IPv6: Threat Mitigation Tools

• SeND (RFC 3971)
  – The receiver recomputes the hash and compares it with the interface ID
    • Verifies the public-key binding
  – Messages sent from a CGA address can be protected by attaching the public key and signing the message with the private key.
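The hash-and-recompute binding the last two slides describe, as an added example (illustrative code, not from the presentation or from any SeND implementation). It follows the RFC 3972 layout for a CGA: Hash1 is SHA-1 over modifier || 64-bit subnet prefix || collision count || public key, its leftmost 64 bits become the interface ID with the `sec` value in the top three bits and the u/g bits cleared, and Hash2 over modifier || nine zero octets || public key must start with 16*sec zero bits. The "public key" is a constructed byte string standing in for the DER-encoded RSA key; the RSA signature over the ND message itself (the RSA Signature option) is not implemented here, only the address/key binding that the receiver verifies by recomputation.

```python
"""Added example, not from the slides: CGA generation and verification per
the RFC 3972 layout, with a constructed byte string in place of a real
DER-encoded public key. The RFC 3971 message signature is out of scope."""
import hashlib
import ipaddress
import os


def _prefix_bytes(prefix):
    """Leftmost 64 bits of the subnet prefix, as used in Hash1."""
    return ipaddress.IPv6Network(prefix).network_address.packed[:8]


def cga_interface_id(modifier, prefix, collision_count, pubkey, sec=0):
    """64-bit CGA interface identifier derived from Hash1."""
    hash1 = hashlib.sha1(modifier + _prefix_bytes(prefix)
                         + bytes([collision_count]) + pubkey).digest()[:8]
    iid = bytearray(hash1)
    # sec occupies the three leftmost bits; bits 6 and 7 (u/g) are forced to 0
    iid[0] = ((sec & 7) << 5) | (iid[0] & 0x1c)
    return bytes(iid)


def hash2_ok(modifier, pubkey, sec):
    """Hash2 = SHA-1(modifier || 9 zero octets || key) needs 16*sec leading zero bits."""
    if sec == 0:
        return True
    hash2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return int.from_bytes(hash2[:2 * sec], "big") == 0


def generate_cga(prefix, pubkey, sec=0):
    """Sender side: find a modifier that satisfies Hash2, then build the
    address. Returns (address, CGA parameters attached to ND messages)."""
    modifier = os.urandom(16)
    while not hash2_ok(modifier, pubkey, sec):
        modifier = os.urandom(16)          # sec=1 costs ~65k tries on average
    collision_count = 0                     # incremented only after a DAD collision
    iid = cga_interface_id(modifier, prefix, collision_count, pubkey, sec)
    addr = ipaddress.IPv6Address(_prefix_bytes(prefix) + iid)
    return addr, {"modifier": modifier, "prefix": prefix,
                  "collision_count": collision_count, "pubkey": pubkey}


def verify_cga(addr, params):
    """Receiver side: recompute the interface ID from the attached parameters
    and compare it with the claimed address. True only when this public key
    is genuinely bound to the address."""
    packed = ipaddress.IPv6Address(addr).packed
    sec = packed[8] >> 5                                  # sec is read from the address
    if packed[:8] != _prefix_bytes(params["prefix"]):
        return False
    if params["collision_count"] > 2:                     # RFC 3972 allows 0, 1 or 2
        return False
    if not hash2_ok(params["modifier"], params["pubkey"], sec):
        return False
    expected = cga_interface_id(params["modifier"], params["prefix"],
                                params["collision_count"], params["pubkey"], sec)
    return packed[8:] == expected


if __name__ == "__main__":
    key = b"constructed public key " + bytes(range(64))   # stand-in for DER bytes
    address, cga_params = generate_cga("2001:db8:1::/64", key)
    print(address, verify_cga(address, cga_params))
```

The point a practitioner should take from `verify_cga` is what it does not prove: a valid CGA shows that whoever chose the address holds the key in the parameters, not that this node is the legitimate owner of the address. That is why SeND pairs the CGA check with the signature over the message (so only the key holder can send as that address) and, for routers, with certification paths.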
28. IPv6: What Else?

• Viruses/Worms: is IPv6 any more secure?
  • IMs, email and everything higher up the stack are still the same
• Train your people
• Assess your network: security nodes must understand IPv6
• Do for IPv6 traffic what you did for IPv4:
  – ACLs/filters
  – Harden hosts and applications
  – Use crypto protections where necessary/critical
29. References

• https://www.first.org/resources/papers/conf2015/first_2015-herberg-frank_ipv6-security_20150618.pdf
• https://tools.ietf.org/html/rfc2460
• https://tools.ietf.org/html/rfc7112
• https://tools.ietf.org/html/rfc7113
• https://tools.ietf.org/html/rfc8200
• https://labs.ripe.net/Members/ahmad_alsadeh/isend
• https://blog.compass-security.com/wp-content/uploads/2015/01/ipv6_secure_neighbor_discovery_1.2.pdf