IPv6 Can No Longer Be Ignored

IPv6 Can No Longer Be Ignored
1Copyright 2010 - ISecure LLC
Prepared for Attendees
of the
2010 ISSA Rochester Security Summit

Presenters
• Kevin Wilkins, CISSP – Sr. Network Engineer, iSecure LLC
– My professional experience includes 12 years of ISP and
VOIP operations. In the last few years, a focus on
information security at iSecure has brought my
experiences together into a consolidated viewpoint of
enterprise-wide security policy and implementation.

Presenters
• Peter Rounds – Sr. Network Engineer, Syracuse University
– Senior network engineer at Syracuse University for 11
years. Responsible for maintaining core network
infrastructure, including Internet traffic management
implementation and security profiles.

Synopsis
• Hidden risks to enterprise network resources may exist
through unmonitored use of IPv6 and IPv4-to-IPv6 transition
mechanisms like encapsulated IPv6 protocols 6to4, Intrasite
Automatic Tunnel Addressing Protocol (ISATAP or IP Protocol
41) , and Teredo. This discussion includes an introduction to
IPv6, the identification of encapsulated IPv6 protocols, their
potential threats to enterprise resources, and mitigation
strategies designed to protect enterprise resources from
these potential threats.

What is IPv6?
• IPv6 is a revised IP protocol intended to supplement and
replace IPv4.
• IPv6 was ratified in 1998 as RFC 2460.
• IPv6 addresses use a 128 bit value, vs. IPv4's 32 bits. This
provides an address space on the order of 3.4x10^38
addresses. (Nearly a "duodecillion"!!)

What is IPv6 for?
• IPv6 has this large address space as a necessary enhancement
to IPv4's much more limited 4.29X10^9 possible addresses.
(4.29 billion)
• The Internet Engineering Task Force (IETF) has foreseen an
eventual depletion of available IPv4 addresses, thus IPv6 was
designed.

Projected IPv4 Exhaustion
• Projected IANA Unallocated Address Pool Exhaustion:
05-Jun-2011
• INTEC Systems Institute "IPv4 Exhaustion Counter“
• http://inetcore.com/project/ipv4ec/index_en.html

IPv4 Example…
• IPv4 address range:
0.0.0.0 -> 255.255.255.255 = 4,294,967,296 possible
addresses
• An IPv4 address: "173.194.35.104”

IPv6 Example…
• IPv6 address range:
0000:0000:0000:0000:0000:0000:0000:0000 ->
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff =
340,282,366,920,938,463,463,374,607,431,768,211,456
possible addresses!
• An IPv6 address:
0023:a46e:0000:0000:0000:87ba:00ac:58ce
23:a46e:0:0:0:87ba:ac:58ce
23:a46e::87ba:ac:58ce

Where is IPv6?
• As a commonly accepted protocol, IPv6 has seen difficulty
gaining momentum. Almost the entire IT industry is perfectly
happy with IPv4, and converting an established network to
use IPv6 addresses is a monumental task.
• Most use of IPv6 today is found in research, dedicated
networks, and by an inquisitive few.

Where is IPv6... Really?
• Since 2008, the US Government has mandated that new purchases
of computer and network equipment must support certain
minimum standards for IPv6. See NIST Special Publication 500-267.
• IPv6 is becoming generally supported in network devices, operating
systems, remote management protocols, and other networked
applications.
• Microsoft Windows XP/Server 2003 offered optional support for
IPv6. Microsoft Windows Vista/Server 2008 and beyond have
nearly complete IPv6 support, and the protocol is enabled by
default. Linux and Cisco also support IPv6.
• Recent versions of Microsoft Windows also include utilities which
will encapsulate IPv6 traffic within an IPv4 tunnel.

So I might be running IPv6 now?
• Yes! And this new IPv6 capability in contemporary systems
represents an unknown security risk.
• The IT industries' propensity to ignore IPv6 in favor of IPv4
means that local administrators might be unaware of the
potential IPv6 traffic traversing their network and interacting
with their information systems.
• Furthermore, support for IPv6 on contemporary network
security devices seems to be lagging behind IPv6 support in
operating systems and routers. Network based Content
Inspection, Intrusion Prevention, and Antivirus may be
ineffective at scanning native or encapsulated IPv6 traffic.

IPv6 Interfaces in Windows Vista

Windows Vista is Listening on IPv6

DNS: “A” record and “AAAA” Record

Wait, what was this about
encapsulated IPv6?
• Encapsulation technologies such as Teredo, 6to4 and IP
Protocol 41 (ISATAP) were developed to aid in the transition to
IPv6.
• These transition aids are necessary, as both IPv4 and IPv6 will
coexist for quite some time.
• RFC 5211 “An Internet Transition Plan” describes the use of
these IPv6 encapsulation mechanisms as the IPv4 address
space becomes depleted and organizations are forced to
migrate to IPv6.
• Network security devices might not be able to "peel the
onion" to discover what applications and threats might be
utilizing IPv6 resources within the IPv4 encapsulation.

Teredo and Windows
• Windows Vista and Windows 7 have an IPv6 encapsulation
service called Teredo, which is enabled by default.
• Teredo will automatically seek out a Teredo gateway
( teredo.ipv6.microsoft.com ), assign an IPv6 address to the
Teredo interface, and attempt to route IPv6 traffic.
• Teredo is intended for tunneling IPv6 traffic via an IPv4 NAT
router.

Example: IPv6/Teredo in Wireshark

6to4 and Windows
• 6to4 is intended for tunneling IPv6 traffic via non-NAT IPv4
transport.
• A host or router intending to use 6to4 must have inherent
IPv6 support and a routable (non-NAT) IPv4 address.
• IPv6 traffic is encapsulated and tunneled via an IPv4 network
from one IPv6 network to another IPv6 network on the
remote end.

ISATAP and Windows
• ISATAP traffic is another transition mechanism where IPv6
traffic is tunneled via IPv4
• ISATAP packets use IPv4 with the IP Protocol field set to 41
• ISATAP is typically seen on an Intranet for host to host
communications, but host to router communication is also
possible.

How do I control this IPv6 traffic?
• First - awareness is the key. Check your networked systems to
see which components offer IPv6 support, and if IPv6 support
is enabled. Run packet captures and analyze your systems to
see if native or encapsulated IPv6 traffic traverses your
network.
• In a server farm or corporate environment where there is no
need for IPv6 at this time, consider establishing a policy to
disable the IPv6 interfaces on computer systems and block or
null-route IPv6 traffic in the network.

How do I control this IPv6 traffic?
• In ISP, government, higher education, or research
environments, the use of IPv6 might be legitimate. In this
case, monitoring and granular control is warranted.
• Check your network security equipment to see how it handles
IPv6. The integrated Proxies and Application Layer Gateways
might not yet handle IPv6 traffic.
• Network security devices might not be able to "peel the
onion" to discover what applications and threats might be
utilizing IPv6 resources within the IPv4 encapsulation.

This Removes the Native IPv6 Interface

Also shut off the tunnel interfaces…

Control IPv6 at Internet Edge
• IPv6 related Protocol types and Descriptions
41 ISATAP
43 IPv6-Route Routing Header for IPv6
44 IPv6-Frag Fragment Header for IPv6
58 IPv6-ICMP ICMP for IPv6
59 IPv6-NoNxt No Next Header for IPv6
60 IPv6-Opts Destination Options for IPv6
• Inbound ACL:
deny 41 any any
deny 43 any any
deny 44 any any
deny 58 any any
deny 59 any any
deny 60 any any
• Outbound ACL:
deny udp any any eq 3544 - used by Teredo to reach Internet locations
deny ip any host 192.88.99.1 - is the 6 to 4 relay anycast address

Story Time with Peter Rounds
• In the spring, an SU Sys-admin came to Peter Rounds with a
concern – he was able to bypass the datacenter firewall and
open an RDP connection to datacenter servers via IPv6.
• Teredo was tunneling through their datacenter firewall and
presenting itself to the public Internet via IPv6.
• In the interim, SU has implemented firewall policies to block
ISATAP, IPv6, and Teredo negotiation protocols in their router
ACLs.

Story Time with Peter Rounds
• Disabling IPv6 and tunneling mechanisms represents a
stopgap measure which break the transition technologies
designed to aid in the general deployment of IPv6.
• Transition is coming very soon! Verizon Business Solutions
has said that the “last drop of oil” will be tapped in a matter
of months. Verizon will be unable to provide IPv4 blocks and
will instead be assigning IPv6 address space.

Conclusions
• IPv6 isn’t "bad", and may represent the future for a lot of
networks. Some say that IPv4 will never go away, but in the
meantime, IPv6 is here.
• IT Administrators need to be aware of IPv6 as a protocol
which is gaining legitimacy and is actually supported on a
wide number of systems.
• IPv4 to IPv6 encapsulation mechanisms exist as a tool to aid in
the migration from a predominantly IPv4 environment to an
IPv6 environment.
• With this awareness comes the requirement to control IPv6
with the same attention to detail that they would apply to
controlling the more commonplace IPv4 traffic.

References – Transitional Security Issues
• Security Concerns With IP Tunneling
http://tools.ietf.org/html/draft-ietf-v6ops-tunnel-
security-concerns-02
• Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-
us/magazine/2009.07.cableguy.aspx
• IPv6 Security Considerations and Recommendations
http://technet.microsoft.com/en-us/library/bb726956.aspx

References – Threat Mitigation
• How to prevent ipv6 tunneling across firewalls and
routers
http://www.howfunky.com/2010/02/how-to-prevent-ipv6-
tunneling-across.html
• Disable all IPv6 in Windows
http://tutorials-tips-tricks.info/disable-and-turn-off-
ipv6-in-windows
• Wiki - IPv6 Firewalls
http://www.getipv6.info/index.php/IPv6_Firewalls
• IPv6 firewalling knows no middle ground
http://arstechnica.com/hardware/news/2007/05/ipv6-
firewall-mixed-blessing.ars

References – Guidelines for IPv6 Adoption
• An Internet Transition Plan
http://tools.ietf.org/html/rfc5211
• Hurricane Electric IPv6 Certification Project
http://ipv6.he.net/certification/
• NIST Special Publication 800-119 - Guidelines for the
Secure Deployment of IPv6 (Draft)
http://csrc.nist.gov/publications/drafts/800-119/draft-
sp800-119_feb2010.pdf
• Microsoft Windows Server 2008 Whitepaper - IPv6
Transition Technologies
http://download.microsoft.com/download/1/2/4/124331bf-
7970-4315-ad18-0c3948bdd2c4/IPv6Trans.doc

References – Guidelines for IPv6 Adoption
• Tier 1 for IPv4! = Tier 1 for IPv6
http://www.networkworld.com/community/blog/tier-1-ipv4-
tier-1-ipv6
• BT Diamond IP IPv6 Address Management Guide
http://btdiamondip.com/software/offers/confirm_ipv6.aspx
• Google, Microsoft, Netflix in talks to create shared
list of IPv6 users
http://www.networkworld.com/news/2010/032610-dns-ipv6-
whitelist.html

IPv6 Can No Longer Be Ignored

More Related Content

What's hot

Similar to IPv6 Can No Longer Be Ignored

More from Rochester Security Summit

Recently uploaded

IPv6 Can No Longer Be Ignored