The document provides an overview of IPv6 security and recommendations for strengthening IPv6 network security. It highlights IPv6 threats and attack tools and discusses concepts such as IPv6 addressing and protocols. It also provides guidance on creating an IPv6 security policy, including network perimeter policies, LAN policies, host hardening, a transition-mechanisms policy, and the use of IPsec to secure communications. The overall aim is to create awareness of the security implications of IPv6 and of best practices for mitigating the risks.
There are still very few tools to defend against IPv6 related attacks. To improve this situation I wrote a plugin for Snort, the popular open source intrusion detection system. This plugin adds detection rules and a preprocessor for the Neighbor Discovery Protocol.
It is aimed at the detection of suspicious activity in local IPv6 networks and can detect misconfigured network elements, as well as malicious activities from attackers on the network.
(https://www.troopers.de/troopers14/troopers14-ipv6-security-summit-2014/troopers14-ipv6-security-summit-2014-presentations/index.html#IPv6Snort)
The monthly events, held in cooperation with the Swiss IPv6 Council, cover various technical areas of IPv6.
The talk on 29 April 2015 dealt with the contradictory behaviour of operating systems in the SLAAC/DHCPv6 environment. In an IPv6 environment, nodes can obtain their IP configuration either stateless (SLAAC) or stateful (DHCPv6). Router Advertisements (RAs) carry three flags for this: the A flag (in the Prefix Information option) and the M and O flags (in the RA header). The specification, however, does not define clear behaviour when the flags contradict each other. A recent IETF draft shows that different operating systems react differently to these flags. Speaker Enno Rey presented the results of a follow-up test on this.
You may have hoped to retire before IPv6 became a reality, but unfortunately IPv4 address exhaustion came too fast. For the rest of us, we are going to bite off a small piece of the 15-year-old IPv6 pie and talk about how to get started!
• Address format refresher
• IPv4 and IPv6 protocol comparison
• IPv6 neighbor discovery and auto-configuration
• Current migration and coexistence strategies
• ICMPv6, DHCPv6, and DNSv6
• How to get started at home
This presentation covers routing security at Internet scale in detail, with a focus on IRR. It explains how IRRs work, the challenges of IRR-based filtering, and some of the tools that can be used. It also touches on RPKI and on the IRR-RPKI integration work in the next version of the IRR daemon (IRRd).
A powerful tool to analyze voice streams recorded in PCAP files. On top of network metrics and the standard E-model MOS, it provides waveform analysis of all audio streams and metrics pointing at the causes of audio quality degradation.
Fun with PBR, VRFs and NetNS on Linux - What is it, how does it work, what ca... (Maximilan Wilhelm)
Linux has been a first-class network citizen for many years and does not fall short of commercial solutions. In fact it is the very essence many of those are built on, and it is the foundation of nearly all cloud solutions out there.
This talk touches on methods and features for setting up Layer 3 network separation and walks through and showcases:
* Policy-based routing
* VRFs (with and without MPLS)
* Network Namespaces
We will compare features and options and go through a number of use cases, covering Linux as a router, VPN server, load balancer, etc.
A basic understanding of networking, routing and how the Internet works certainly helps; there will be some aha moments either way.
After 20 years of IPv6 (RFC2460 appeared in December 1998) and almost 40% penetration on Germany's Internet access lines, IPv6 still appears to be a mystery to most admins. Some leading experts even recommend switching IPv6 off "because it only causes problems". This practice-oriented talk explains why that is not the case, and why you should engage with the "new" world after all.
The talk introduces address concepts, address assignment and resolution (SLAAC, DHCPv6, DHCPv6-PD, ND, RDNSS, etc.) and shows a typical addressing plan. Transition technologies such as NAT64, DS-Lite and Teredo are presented and put into context. The configuration of IPv6 under Linux is shown using iproute2 and the Debian network configuration as well as sysctls.
DPDK Summit 2015 - Aspera - Charles Shiflett (Jim St. Leger)
DPDK Summit 2015 in San Francisco.
Presentation by Charles Shiflett, Aspera.
For additional details and the video recording please visit www.dpdksummit.com.
BPF & Cilium - Turning Linux into a Microservices-aware Operating System (Thomas Graf)
Container runtimes return Linux to its original purpose: serving applications that interact directly with the kernel. At the same time, the Linux kernel is traditionally difficult to change and its development process is full of myths. A new, efficient in-kernel programming facility called eBPF is changing this: it lets everyone extend existing kernel components or glue them together in new forms without requiring changes to the kernel itself.
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant (Shixiong Shang)
"Implementing an IPv6 Enabled Environment for a Public Cloud Tenant", a case study I delivered at the OpenStack Vancouver Summit (May 2015) jointly with Anik and Sharmin from Cisco Systems.
Presented on 6 September 2013 in a seminar organised by Progreso Training.
Sign up for free seminars at http://progresotraining.eventbrite.sg or http://www.progreso.com.sg/training/event_view_all.php for an overview of IPv6 Security.
IDNIC OPM 2023: IPv6 deployment planning and security considerations (APNIC)
APNIC Network Analyst / Technical Trainer Awal Haolader gives the technical keynote presentation on IPv6 deployment and security considerations at the IDNIC OPM 2023, held from 5 to 7 December 2023 in Bandung, Indonesia.
10 IP VERSION SIX (6) WEEK TEN notes.pptx (JoshuaAnnan5)
The IPv6 addressing solution was announced in the mid-1990s (first specified in RFC 1883, later revised as RFC 2460) and was tasked with solving IPv4's shortcomings.
NB: Version 5 had already been assigned to another experimental protocol (ST, the Internet Stream Protocol), which is why the version number jumped from 4 to 6.
Although both versions function similarly, version 4 and version 6 use different packet header formats and address lengths. The IPv6 header is simplified compared to the IPv4 header, which reduces processing overhead during forwarding.
Larger address space:
The main limitation of IPv4 is its address space and the eventual complete exhaustion of addresses. IPv6 overcomes IPv4's 32-bit limitation with 128-bit addresses, an address pool that is practically inexhaustible.
Stateless autoconfiguration:
A feature that lets a host generate its own IP address without a Dynamic Host Configuration Protocol (DHCP) server:
• Routers send router advertisements (RAs) to hosts containing the prefix, normally the first 64 bits of the 128-bit address.
• The second half of the address, the interface identifier, is generated by the host itself, either derived from its MAC address (modified EUI-64) or chosen randomly (privacy extensions, RFC 4941).
The random form keeps the hardware address hidden, which helps an administrator mitigate tracking and reconnaissance risks.
More efficient packet headers: IPv6 uses a simpler header design than IPv4. Fewer header fields must be read and the header checksum is dropped entirely, so routers can analyze and forward packets faster, which improves network performance and saves router resources.
Changes in multicast operation: Multicast support is mandatory in IPv6 rather than optional as in IPv4, and multicast completely replaces IPv4 broadcasting: the link-local all-nodes group (FF02::1) takes over the role of broadcast.
Increased security: IPsec, an optional feature in IPv4, was originally specified as mandatory to implement for IPv6 nodes; note that RFC 6434 later relaxed this to a SHOULD, and "mandatory to implement" never meant "enabled by default".
What all these numbers translate into is flexibility in assigning different functions on the network without facing address exhaustion, as well as improved network design and troubleshooting efficiency.
The hexadecimal address look like
Components of Computer Networks
In this tutorial, we will cover the components of Computer Networks.
A Computer Network basically comprises multiple computers that are interconnected to each other in order to share information and other resources. Multiple computers are connected either with the help of cables or wireless media.
So basically with the help of a computer network two or more devices are connected in order to share a nearly limitless range of information and services whic
[CB19] New threats are already around you, the IPV6 attack must be understood... (CODE BLUE)
Due to the exhaustion of IPv4 free address space, the use of IPv6 on the Internet is gradually increasing. All Windows operating systems since Windows Vista have IPv6 enabled by default. IPv6 brings a series of improvements compared to IPv4, but these improvements are also a double-edged sword.
Recently, we have been focusing on IPv6 attack research and found that in the IPv6 environment there are many attack points, such as iptables failing, using IPv6 to bypass web defence strategies, abusing IPv6-specific protocols for man-in-the-middle attacks, and other attack ideas!
In this talk, I will disclose the attack methods and ideas I have found for IPv6, and will also release tools for IPv6 attacks.
Building DataCenter networks with VXLAN BGP-EVPN (Cisco Canada)
The session covers the requirements and approaches for deploying the underlay, the overlay and the inter-fabric connectivity of data center networks (fabrics). Within the VXLAN BGP-EVPN based overlay we focus on the forwarding and control-plane functions that are critical to operating the architecture simply while achieving scale, small failure domains and consistent configuration. To complete the overlay view of VXLAN BGP-EVPN, we go inside BGP and its EVPN address family and extend to how multiple DC fabrics can be interconnected, either as stretched fabrics or with true DCI. The session concludes with a brief overview of manageability functions, network orchestration capabilities and multi-tenancy details. This advanced session is intended for network, design and operations engineers from enterprises to service providers.
4. The 128-bit IP address
IPv6 address types and their prefixes:
Unicast
  Global unicast: 2000::/3
  Link-local: FE80::/64 (within FE80::/10)
  Loopback: ::1/128
  Unspecified: ::/128
  Unique local: FC00::/7 (not to be confused with the deprecated site-local range FEC0::/10)
  Embedded IPv4: ::FFFF:0:0/96 (IPv4-mapped; the older IPv4-compatible form ::/96 is deprecated)
Multicast: FF00::/8
  Assigned (well-known) groups
  Solicited-node: FF02::1:FF00:0/104
Anycast
  Taken from the unicast address space; syntactically indistinguishable from a unicast address.
Skills
5. The 128-bit IP address
|------------------------------128 bits-----------------------------|
| Global routing prefix | Subnet ID   | Interface ID |
| N bits                | 64 - N bits | 64 bits      |
2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456, roughly 340 trillion trillion trillion possible IP addresses.
Simplified base header compared to IPv4.
Plug and play with SLAAC.
Most IPv4 functions (DHCP, DNS, routing, ...) have IPv6 counterparts.
7. Any similarity?
The IPv4 header fields and what became of them in the IPv6 base header:
Fields kept: Version, Source Address, Destination Address.
Fields renamed in IPv6: Type of Service (Traffic Class), Total Length (Payload Length), Time to Live (Hop Limit), Protocol (Next Header).
Fields removed from the IPv6 base header: IHL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding. Fragmentation and options moved into extension headers; the Flow Label is new.
8. IPv6 is a network-layer replacement for IPv4
11. Myth or reality?
Is IPv6 more secure than IPv4?
IPsec is incorporated.
The address space is large and not easy to scan.
12. Myth or reality?
"I don't care, IPv6 is not on my network." Really?
All modern OSes have IPv6 enabled by default, so every host on the LAN processes IPv6 traffic whether or not you deployed it:
# ./flood_router6 iface
(flood_router6 is part of THC-IPv6; it floods the link with Router Advertisements and every default-enabled stack will try to process them.)
13. Myth or reality?
IPv6 is just a successor of IPv4, so it is similar. Think twice!
IPv6 is new, and most of the functionalities
14. Myth or reality?
IPv6 is not secure, NAT is missing.
Who told you NAT is security? NAT was meant to save address space.
Anyhow, if you need address translation, check with your vendor:
Cisco: NPTv6 (RFC 6296)
Juniper: basic-nat66
Linux netfilter: ip6tables -t nat (NAT66)
Or use a proxy.
15. Reconnaissance in IPv6
The starting point for network attacks.
/64 subnets: at 1M tests/sec (about 1400 Mbps of probe traffic) => 28 years to discover the first active IPv6 address.
With IPv6, new techniques are needed.
Hints: DNS, SNMP OIDs, logs, whois, flow records, well-known addresses, transition mechanisms, ...
16. Reconnaissance in IPv6
Site-scope multicast: FF05::2 (all routers), FF05::FB (mDNS), FF05::1:3 (all DHCPv6 servers)
Link-scope multicast: FF02::1 (all nodes), FF02::2 (all routers), ...
Deprecated site-local well-known DNS resolver address fec0:0:0:ffff::1
Van Hauser (author of THC-IPv6) found 2000 active IPv6 addresses in 20 seconds.
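To put numbers on the two reconnaissance slides above, here is an added example (not from the deck): it computes how long a brute-force sweep of a /64 takes, and then shows why the interface-ID patterns real hosts use (modified EUI-64 derived from a MAC, or hand-assigned low-byte addresses) shrink the search space to something scannable, as catalogued in RFC 7707. The prefix, OUI and MAC addresses are constructed sample data; only the standard library is used.

```python
"""Added example, not taken from the slides: why brute-forcing a /64 is
hopeless and how the interface-ID patterns SLAAC hosts actually use (modified
EUI-64 from a MAC, low-byte addresses) shrink the search space to something
scannable, as described in RFC 7707. Standard library only; the prefix, OUI
and MAC addresses are constructed sample data."""
import ipaddress
from typing import Iterator, Optional

TARGET = ipaddress.IPv6Network("2001:db8:1:2::/64")   # constructed target subnet
SECONDS_PER_YEAR = 365.25 * 86400


def years_to_exhaust(bits: int, probes_per_second: float = 1e6) -> float:
    """Years needed to probe every one of 2**bits candidate interface IDs."""
    return (2 ** bits) / probes_per_second / SECONDS_PER_YEAR


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, appendix A):
    insert ff:fe in the middle and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def iid_to_address(prefix: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None if the IID is not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return octets.hex(":")


def eui64_candidates(prefix: ipaddress.IPv6Network, oui: str) -> Iterator[ipaddress.IPv6Address]:
    """All 2**24 addresses a SLAAC host with a NIC from vendor OUI could have in the prefix."""
    for nic in range(1 << 24):
        yield iid_to_address(prefix, eui64_iid(f"{oui}:{nic:06x}"))


def low_byte_candidates(prefix: ipaddress.IPv6Network, limit: int = 256) -> Iterator[ipaddress.IPv6Address]:
    """Addresses like prefix::1, prefix::2, ... that admins assign to routers and servers by hand."""
    for n in range(1, limit):
        yield iid_to_address(prefix, n)


if __name__ == "__main__":
    print(f"/64 brute force at 1M probes/s: {years_to_exhaust(64):,.0f} years")
    print(f"one vendor OUI, EUI-64 hosts:   {years_to_exhaust(24) * SECONDS_PER_YEAR:.0f} seconds")
    print("sample EUI-64 address:", iid_to_address(TARGET, eui64_iid("00:1b:21:aa:bb:cc")))
    print("first low-byte candidates:", [str(a) for a in low_byte_candidates(TARGET, 4)])
```

The contrast is the point: the full /64 needs on the order of half a million years at a million probes per second, while every EUI-64 host from one NIC vendor fits in about 17 seconds, and the low-byte candidates are tested in milliseconds. The defensive consequence is the one the LAN policy slides draw later: prefer randomised interface identifiers, and treat the "large address space" as no protection at all.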
17. Use your border router
Filter all site-scope multicast (and the deprecated site-local unicast range) at the border router. In Cisco IOS syntax, with the final permit made explicit:
ipv6 access-list NO-SITE-MCAST
 remark deprecated site-local unicast (RFC 3879)
 deny ipv6 any FEC0::/10
 remark link-local multicast (never forwarded by a router anyway)
 permit ipv6 any FF02::/16
 remark global-scope multicast
 permit ipv6 any FF0E::/16
 remark every other multicast scope: interface, admin, site, organization
 deny ipv6 any FF00::/8
 permit ipv6 any any
The catch-all for multicast has to be FF00::/8 (all of multicast); FF00::/16 would only match the reserved scope 0. IOS IPv6 ACLs end with an implicit deny, so the closing permit is what keeps unicast flowing.
18. A look at ICMPv6
NDP: RS, RA, NS, NA, Redirect
Signalling: Destination Unreachable, Time Exceeded, Packet Too Big, Parameter Problem
Diagnostics: ping, traceroute
ICMPv6 is crucial to IPv6: it cannot simply be blocked the way ICMP often is in IPv4 (Packet Too Big in particular, since IPv6 routers never fragment).
19. Some LAN attacks
Neighbor cache spoofing (works like ARP spoofing; THC-IPv6 parasite6)
DoS on DAD (answer every DAD probe so that no node can configure an address; dos-new-ip6)
Neighbor cache overload (floods of fake NAs)
Fake Router Advertisement (rogue RA; fake_router6)
Fake DHCPv6 server
20. Solutions against spoofing
SEND (RFC 3971, supported by Cisco among others): cryptographically signs ND messages using Cryptographically Generated Addresses; it does not encrypt them.
RA-Guard (RFC 6105): drop RAs arriving on access ports.
SAVI (a draft at the time of the talk; the framework is now RFC 7039): a more complex solution that covers fake RAs, DHCPv4 and DHCPv6.
RA-Guard can be bypassed with fragmentation and extension-header tricks; RFC 6980 forbids fragmented ND messages and RFC 7113 gives RA-Guard implementation advice.
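What an NDP monitor such as the Snort preprocessor mentioned at the top of this page, or an RA-Guard implementation, actually checks is easier to see in code. The following added example (not from the deck and not the Snort plugin's code) decodes a Router Advertisement and applies a small allowlist policy: source must be link-local, hop limit 255, the advertising MAC, prefixes and RDNSS servers must be the ones we expect, and a router lifetime of 0 is flagged as a default-router withdrawal. It also decodes the M and O flags of the RA header and the A flag of the Prefix Information option discussed in the Swiss IPv6 Council talk summary above. The router MAC, prefixes, DNS server and packets are constructed sample data; checksums are left at zero.

```python
"""Added example, not part of the slides nor of the Snort NDP preprocessor
mentioned earlier on this page: a minimal Router Advertisement (ICMPv6 type 134)
decoder plus the kind of policy checks an NDP monitor or RA-Guard applies.
It also decodes the M/O flags of the RA header and the A flag of the Prefix
Information option. Standard library only; the router MAC, prefixes, DNS
server and packets below are constructed sample data (checksums are left 0)."""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SRC_LLADDR, OPT_PREFIX, OPT_RDNSS = 1, 3, 25

# constructed site policy: the one legitimate router and what it may advertise
POLICY = {
    "routers": {"00:1b:21:aa:bb:cc"},
    "prefixes": {"2001:db8:1:2::/64"},
    "rdnss": {"2001:db8:1:2::53"},
}


def build_ra(src_mac, prefixes, rdnss=(), m=False, o=False, lifetime=1800):
    """Construct an RA payload (RFC 4861 s4.2 header + options); used only to make test packets."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    pkt = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, lifetime, 0, 0)
    pkt += bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # prefix option: L and A flags set, 30-day valid / 7-day preferred lifetimes
        pkt += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        pkt += net.network_address.packed
    if rdnss:
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 3600)
        pkt += b"".join(ipaddress.IPv6Address(d).packed for d in rdnss)
    return pkt


def parse_ra(payload: bytes) -> dict:
    """Decode the fixed RA header and walk its TLV options (length is in 8-octet units)."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime = struct.unpack("!BBH", payload[4:8])
    ra = {"hop_limit": hop_limit, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "src_mac": None, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0 or off + olen * 8 > len(payload):
            raise ValueError("malformed ND option")   # RFC 4861: zero length => discard packet
        body = payload[off + 2: off + olen * 8]
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra["src_mac"] = body[:6].hex(":")
        elif otype == OPT_PREFIX and olen == 4:
            plen, pflags = body[0], body[1]
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append((f"{prefix}/{plen}", bool(pflags & 0x40)))   # (prefix, A flag)
        elif otype == OPT_RDNSS and olen >= 3:
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen * 8                           # unknown options are skipped, as RFC 4861 requires
    return ra


def check_ra(src_ip: str, ip_hop_limit: int, ra: dict, policy: dict) -> list:
    """Return alert strings; an empty list means the RA is consistent with the policy."""
    alerts = []
    if not ipaddress.IPv6Address(src_ip).is_link_local:
        alerts.append(f"RA source {src_ip} is not link-local")
    if ip_hop_limit != 255:
        alerts.append(f"RA hop limit {ip_hop_limit}, must be 255 (RFC 4861 s6.1.2)")
    if ra["src_mac"] not in policy["routers"]:
        alerts.append(f"RA from unknown router MAC {ra['src_mac']}")
    if ra["router_lifetime"] == 0:
        alerts.append("router lifetime 0: default router withdrawal (kill_router6 style)")
    for prefix, _autonomous in ra["prefixes"]:
        if prefix not in policy["prefixes"]:
            alerts.append(f"unexpected prefix {prefix} (rogue RA or misconfiguration)")
    for dns in ra["rdnss"]:
        if dns not in policy["rdnss"]:
            alerts.append(f"unexpected RDNSS server {dns} (DNS hijack)")
    return alerts


if __name__ == "__main__":
    good = build_ra("00:1b:21:aa:bb:cc", ["2001:db8:1:2::/64"], ["2001:db8:1:2::53"])
    rogue = build_ra("de:ad:be:ef:00:01", ["2001:db8:bad::/64"], ["2001:db8:bad::53"])
    print("legit:", check_ra("fe80::21b:21ff:feaa:bbcc", 255, parse_ra(good), POLICY))
    print("rogue:", check_ra("fe80::dcad:beff:feef:1", 255, parse_ra(rogue), POLICY))
```

The source address and hop limit come from the IPv6 header, not from the ICMPv6 payload, which is why check_ra takes them as separate arguments; a real sensor also has to apply the RFC 6980 rule that an RA arriving inside a fragment is dropped outright, otherwise the allowlist can be evaded exactly as the RA-Guard bypass on this slide describes.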
22. Some protocol problems
SLAAC did not originally carry DNS server information (RDNSS, RFC 6106, came later and is not honoured by every host), and DHCPv6 does not supply a default router.
In practice you need both, so think about security twice: two protocols to spoof and two to protect.
Reassembly problems (TCP stream and IPv6 fragment reassembly complicate inspection).
23. Extension headers
A new mechanism in IPv6 for encoding optional information between the base header and the upper-layer header (this is not encryption; only ESP encrypts).
RH0 (Routing Header type 0): deprecated by RFC 5095 because of its amplification and filter-evasion potential.
Fragmentation: use Virtual Fragment Reassembly (VFR) on devices that must inspect fragments.
EH manipulation (long chains, reordered headers).
Block any unknown EH, and make sure to keep the allowlist updated.
24. Implementation problems
Bugs have been found in nearly all implementations; some examples:
Windows Vista Teredo filter bypass
Cisco IPv6 source routing remote memory corruption
Linux kernel: multiple packet-filtering bypasses
27. Network perimeter policy
Address the issues with ICMPv6 messages at the perimeter.
Address the issues with Mobile IPv6 at the perimeter network.
Drop IPv6 bogon addresses at the network perimeter.
Only send packets sourced from your allocated IPv6 block (or from link-local addresses in the case of NDP).
Only receive packets destined for your allocated IPv6 block (or for NDP).
28. Network perimeter policy
Perform uRPF filtering at the network perimeter and throughout the interior of the network.
Your firewalls should support IPv6 and ICMPv6 messages, stateful packet inspection (SPI), and parsing of the complete extension header chain.
Use IPv6-capable host-based firewalls.
Use an IPS that can deeply inspect IPv6 packets.
Filter multicast packets at your perimeter based on their scope.
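The address-type rules of slide 4, the multicast-scope filter of slide 17 and the bogon and anti-spoofing bullets of slides 27 and 28 are all one classification problem. The following added example (not from the deck) implements it with the standard library: classify() names the address type, reading the multicast scope from the low nibble of the second byte, and perimeter_verdict() applies the border policy in both directions. The allocation 2001:db8:1::/48 and all sample addresses are constructed; the explicit prefix sets are used instead of ipaddress.is_private/is_global because those treat the 2001:db8::/32 documentation range as non-global.

```python
"""Added example, not from the slides: classify IPv6 addresses the way a border
filter must (address types of slide 4, multicast scope filtering of slides 17
and 28, bogon and anti-spoofing rules of slide 27). Standard library only;
the allocation 2001:db8:1::/48 and the sample addresses are constructed."""
import ipaddress

OUR_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")    # constructed: our allocated block
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")           # deprecated, RFC 3879
IPV4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")
SIXTO4 = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")
MCAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                5: "site-local", 8: "organization-local", 14: "global"}
NEVER_ROUTED = {"unspecified", "loopback", "link-local", "site-local (deprecated)",
                "unique-local", "ipv4-mapped", "reserved/bogon"}


def classify(addr: str) -> str:
    """Name the address type; multicast gets its scope from the low nibble of byte 1."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        return "multicast/" + MCAST_SCOPES.get(a.packed[1] & 0x0F, "reserved")
    if a.is_unspecified:
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    if a in SITE_LOCAL:
        return "site-local (deprecated)"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in IPV4_MAPPED:
        return "ipv4-mapped"
    if a in SIXTO4:                 # transition prefixes are unicast but worth flagging
        return "6to4"
    if a in TEREDO:
        return "teredo"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "reserved/bogon"


def perimeter_verdict(src: str, dst: str, direction: str) -> tuple:
    """direction is 'in' (entering our network) or 'out' (leaving it); returns (verdict, reason).
    Link-local sources are dropped because a router never forwards them: NDP stays on-link."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for role, a in (("source", s), ("destination", d)):
        kind = classify(str(a))
        if kind in NEVER_ROUTED:
            return "drop", f"{role} {a} is {kind}"
    if direction == "out" and s not in OUR_PREFIX:
        return "drop", f"outbound source {s} not from our allocation (spoofed)"
    if direction == "in" and s in OUR_PREFIX:
        return "drop", f"inbound source {s} claims our own allocation (spoofed)"
    if d.is_multicast:
        scope = d.packed[1] & 0x0F
        if scope != 14:
            return "drop", f"{MCAST_SCOPES.get(scope, 'reserved')} multicast must not cross the border"
        return "pass", "global-scope multicast (allow only if inter-domain multicast is required)"
    if direction == "in" and d not in OUR_PREFIX:
        return "drop", f"inbound destination {d} is not ours"
    return "pass", ""


if __name__ == "__main__":
    for a in ("ff05::1:3", "fec0::1", "fd12::1", "::ffff:192.0.2.1", "2002:c000:204::1",
              "2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8:1:2::1", "100::1"):
        print(f"{a:40} {classify(a)}")
    print(perimeter_verdict("2001:db8:1:2::1", "ff05::2", "out"))
    print(perimeter_verdict("2001:db8:ffff::1", "2001:db8:1:2::1", "in"))
```

The 6to4 and Teredo classes are kept separate on purpose: they are valid global unicast, but their presence at the border is exactly the reconnaissance hint (and the transition-mechanism exposure) that slides 15 and 34 warn about, so a real filter would log them even when it lets them through.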
29. Extension headers policy
Only use operating systems with RH0 processing disabled.
Drop RH0 packets and unknown EHs at the perimeter firewall and throughout the interior of the network.
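Dropping RH0 and unknown extension headers, as slides 23 and 29 require, means a device has to walk the whole Next Header chain rather than look at byte 6 of the base header. The following added example (not from the deck) does that walk and returns a verdict: RH0 is dropped, an unknown Next Header is dropped, the chain length is bounded, a non-initial fragment is handed to reassembly (VFR), and an ND message that arrives fragmented is dropped as RFC 6980 demands, which is the RA-Guard bypass from slide 20. Every packet is constructed inline with documentation addresses and zero checksums.

```python
"""Added example, not from the slides: a small extension-header chain walker
applying the perimeter rules of slides 23 and 29 (drop RH0, drop unknown
extension headers, bound the chain length) and the RA-Guard bypass of slide 20
(Neighbor Discovery must never be fragmented, RFC 6980). Standard library only;
every packet below is constructed inline, with no checksums and dummy addresses."""
import struct

HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
TCP, UDP, ICMPV6, NONEXT = 6, 17, 58, 59
EXTENSION_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY}
UPPER_LAYERS = {TCP, UDP, ICMPV6, NONEXT}
ND_TYPES = range(133, 138)            # RS, RA, NS, NA, Redirect


def walk_chain(pkt: bytes, max_headers: int = 4) -> dict:
    """Follow Next Header from the base header to the upper layer and return a verdict."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return {"verdict": "drop", "reason": "not an IPv6 packet", "chain": []}
    nh, off, chain, fragmented = pkt[6], 40, [], False
    while nh in EXTENSION_HEADERS:
        if len(chain) >= max_headers:
            return {"verdict": "drop", "reason": "extension header chain too long", "chain": chain}
        if off + 8 > len(pkt):
            return {"verdict": "drop", "reason": "truncated extension header", "chain": chain}
        chain.append(nh)
        if nh == ESP:               # everything after ESP is opaque: policy decides, not parsing
            return {"verdict": "pass", "reason": "ESP payload (opaque)", "chain": chain}
        if nh == ROUTING and pkt[off + 2] == 0:
            return {"verdict": "drop", "reason": "RH0 deprecated (RFC 5095)", "chain": chain}
        if nh == FRAGMENT:
            offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if offset:              # later fragments carry no upper-layer header at all
                return {"verdict": "reassemble", "reason": "non-initial fragment needs VFR", "chain": chain}
            fragmented, hdr_len = True, 8
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4      # AH length is in 32-bit words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8      # other EHs: 8-octet units not counting the first
        nh, off = pkt[off], off + hdr_len
    if nh not in UPPER_LAYERS:
        return {"verdict": "drop", "reason": f"unknown next header {nh}", "chain": chain}
    if nh == ICMPV6 and fragmented and off < len(pkt) and pkt[off] in ND_TYPES:
        return {"verdict": "drop", "reason": "fragmented Neighbor Discovery (RFC 6980)", "chain": chain}
    return {"verdict": "pass", "reason": "", "chain": chain, "upper": nh}


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Base header with constructed documentation addresses 2001:db8:1:2::1 -> ::2."""
    src = bytes.fromhex("20010db8000100020000000000000001")
    dst = bytes.fromhex("20010db8000100020000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


def dstopts(next_header: int) -> bytes:
    """One 8-octet Destination Options header holding a single PadN option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])                                 # ICMPv6 echo request
RA = bytes([134, 0, 0, 0, 64, 0, 7, 8, 0, 0, 0, 0, 0, 0, 0, 0])         # bare Router Advertisement
SAMPLES = {
    "plain echo": ipv6(ICMPV6, ECHO),
    "rh0": ipv6(ROUTING, bytes([ICMPV6, 2, 0, 1, 0, 0, 0, 0]) + bytes(16) + ECHO),
    "fragmented RA": ipv6(FRAGMENT, struct.pack("!BBHI", ICMPV6, 0, 0x0001, 42) + RA),
    "later fragment": ipv6(FRAGMENT, struct.pack("!BBHI", TCP, 0, 0x0008, 42) + bytes(8)),
    "long chain": ipv6(DSTOPTS, dstopts(DSTOPTS) * 4 + dstopts(ICMPV6) + ECHO),
    "unknown eh": ipv6(253, ECHO),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15} -> {walk_chain(pkt)}")
```

The chain bound is a policy knob, not a protocol limit: legitimate traffic rarely carries more than two or three extension headers, and an attacker's only reason to send more is to push the upper-layer header past what a stateless filter (or a switch ACL implementing RA-Guard) is willing to parse.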
30. LAN policy
No unauthorized access is permitted; all network guests MUST follow a network access permission policy.
Explicitly prohibit the spoofing of any IPv6 packet on the LAN (RS, RA, NA, NS, Redirect) and on the WAN (multicast, spoofed Layer 3/4 information).
Use randomly determined node identifiers for all IPv6 nodes, at the expense of increased OPEX (it becomes harder to tell which address belongs to which host).
Determine whether the use of privacy/temporary addresses is strictly prohibited in your organization.
31. LAN policy
DHCPv6 is preferred; use EUI-64 if DHCPv6 is not available.
Keep track of the IPv6 addresses all hosts are using (a host typically has several: link-local, stable, temporary).
Use IPv6-capable NAC solutions, and SEND when it is available in the network equipment and host OS.
Disable node-information queries (ICMPv6 NI, RFC 4620) on all hosts.
32. Host & device hardening
Host and device related policies:
Harden all IPv6 nodes (routers, servers, ...).
Strictly control the use of multicast.
Only use OSes that do not send ICMPv6 error messages in response to a packet destined for a multicast address (RFC 4443 allows only Packet Too Big and the Parameter Problem for an unrecognised option); anything else turns one multicast packet into an amplifier.
Use OSes with integrated HIPS and IPv6-capable firewalling.
33. Host & device hardening
Host and device related policies:
Keep OS and software patched for any known IPv6 vulnerability or as recommended by the vendor.
Proactively monitor the security posture of hosts and remediate them as quickly as possible.
Secure any routing adjacency or peer to the fullest extent possible (packet/prefix filtering on interfaces, passwords, MD5, or IPsec).
34. Transition mechanisms policy
Prefer dual stack (DS), and secure each protocol equally.
Use manually configured tunnels only (preferably protected with IPsec) and perform filtering at the tunnel endpoints.
Avoid 6to4 if not required.
Prevent Teredo on Windows unless a special security policy waiver has been signed.
No IPv6-in-IPv4 (IP protocol 41) tunnels through the perimeter unless required.
35. IPsec framework
Policies related to IPsec include the following:
Use IPsec whenever possible for securing communications between systems and network devices, unless DPI, IPS, traffic classification or anomaly-detection systems are a requirement (encrypted traffic blinds them).
Strive to use AH together with ESP, and IKEv2, for all IPsec connections. (ESP with integrity protection is the common deployment today; AH additionally covers the outer header but does not traverse NAT.)
Network-layer successor to IPv4
Addresses are 128 bits long (2^96 times the total IPv4 address space)
Runs on the same physical infrastructure
The same applications can also run on IPv6
Not wire-compatible with IPv4!
The only sustainable answer to IPv4 exhaustion
Enables continued growth of the Internet
Restores the end-to-end model and the applications that depend on it
Hop-to-hop checksumming is left to the link layer; the transport layer does end-to-end checksum verification (UDP checksums are mandatory in IPv6)
Threats that apply to IPv4 and IPv6 alike:
Application layer attacks
Unauthorized access
Man-in-the-middle attacks
Sniffing/eavesdropping
Denial of service (DoS) attacks
Spoofed packets: forged addresses and other fields
Attacks against routers and other networking devices
Attacks against the physical or data link layers
Following is a list of threats that are unique to IPv6 networks:
Reconnaissance and scanning worms: brute-force discovery is more difficult.
Attacks against ICMPv6: ICMPv6 is a required component of IPv6.
Extension Header (EH) attacks: EHs need to be accurately parsed.
Autoconfiguration: NDP attacks are simple to perform.
Attacks on transition mechanisms: migration techniques are required by IPv6.
Mobile IPv6 attacks: devices that roam are susceptible to many vulnerabilities.
IPv6 protocol stack attacks: because IPv6 code is comparatively fresh, bugs in the protocol stacks exist.
IPv6 communications are preferred over IPv4 by default on dual-stack hosts (RFC 6724 address selection), so an IPv6 path you did not plan for will be used as soon as it exists.
You can terminate all your connections on a proxy server, so the outside only sees the address of the proxy. This was possible with IPv4 too, but people were enamoured with NAT.
Hints can provide information about active IPv6 addresses in the network, e.g. 2002::/16 (6to4) addresses embed the public IPv4 address.
SNMP: 1.3.6.1.2.1.4.31.1.1 (ipSystemStatsEntry in IP-MIB, RFC 4293) = aggregate information on IPv6
Most of the functionality lives in ICMPv6 (NDP, ping, MLD, ...)
SEND requires a PKI (routers must hold certificates chaining to a trust anchor the hosts know).
It cannot work with manually configured, EUI-64 or privacy-extension addresses, since it relies on Cryptographically Generated Addresses.
RA-Guard is similar to DHCP snooping.
DHCP snooping is a means by which you tell the switch that the DHCP server is connected on a given port; if a different DHCP server shows up elsewhere, the switch does not accept leases from it.
isic6 -s 2001:db8::1 -d 2001:db8::2 (the IPv6 member of the ISIC stack stress-test suite: sends random and malformed packets)
Even if your firewall is properly configured, when a new extension header appears you need to work on that.
If
Network practitioners have to stay awake.
Without a clear security policy, all security activities are pointless.
Aspects to take into account when writing an IPv6 security policy:
It must be written down.
It must be approved by management.
It must be agreed upon by everyone and have universal participation.
It must be well publicized.
It must be monitored and enforced.
It must be regularly reviewed and updated.
Filter multicast at the perimeter if inter-domain multicast is not required.
Secure any routing adjacency or peer to the fullest extent possible (packet filtering on interfaces, prefix filtering, passwords, MD5, or IPsec).
Deep Packet Inspection (DPI)
Internet Key Exchange version 2 (IKEv2)