IPv6 Security Overview
Q S Tahmeed, APNIC RCT, BD
IPv4: Current Status
IPv6: Global End User Readiness
https://stats.labs.apnic.net/ipv6
IPv6: Globally Top 1000 Websites
https://pulse.internetsociety.org/technologies
IPV6: ADDRESS TYPES & HEADERS
IPv6: Address Spaces

Prefix: ::/128
Designation: Unspecified. This address may only be used as a source address by an initializing host before it has learned its own addresses.
IPv4 equivalent: 0.0.0.0

Prefix: ::1/128
Designation: Loopback. This address is used when a host talks to itself over IPv6. This often happens when one program sends data to another.
IPv4 equivalent: 127.0.0.1

Prefix: fc00::/7 (example: fdf8:f535:82e4::53)
Designation: Unique Local Addresses (ULAs). Reserved for local use in home and enterprise environments (not public address space).
IPv4 equivalent: Private, or RFC 1918 address space: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

Prefix: fe80::/10 (example: fe80::200:5aee:feaa:20a2)
Designation: Link-Local Addresses. Used on a single link or a non-routed common access network, such as an Ethernet LAN. They do not need to be unique outside of that link.
IPv4 equivalent: 169.254.0.0/16

Prefix: 2001:db8::/32 (example: 2001:db8:8:4::2)
Designation: Documentation. Used in examples and documentation. These should never be source or destination addresses.
IPv4 equivalent: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24

Prefix: 2000::/3
Designation: Global Unicast. The operators of networks using these addresses can be found using the RIR Whois servers listed in the IANA registry.
IPv4 equivalent: No equivalent single IPv4 block

Prefix: ff00::/8 (example: ff01:0:0:0:0:0:0:2)
Designation: Multicast. Used to identify multicast groups. They should only be used as destination addresses, never as source addresses.
IPv4 equivalent: 224.0.0.0/4

The above is a partial list. The full list can be found below:
https://www.apnic.net/get-ip/faqs/what-is-an-ip-address/ipv6-address-types/
IPv6: Protocol Headers
Figure (shown on two slides): the IPv6 header laid out next to the IPv4 header for comparison.
IPV6: KEY SECURITY FEATURES
IPv6: Security Statements

Statement: IPv6 is more secure and it’s built-in
Reason: RFC4294 states that IPsec is a MUST
Reality: RFC 8504 states IPsec SHOULD. IPsec is available.

Statement: IPv6 has no NAT and we are exposed to attacks from the Internet
Reason: E2E paradigm. Global addresses & no NAT
Reality: Global addressing doesn’t imply global reachability, and each organization is responsible for FILTERING its own traffic.

Statement: IPv6 networks are too big to SCAN
Reason: Standard LAN/VLAN allocation is a /64 network prefix
Reality: Brute-force scan is not possible, but there are new scanning techniques available.

Statement: IPv6 is too new to be attacked
Reason: Lack of updated information
Reality: 20% of overall malicious traffic is over IPv6.

Statement: IPv6 is not a security problem in IPv4-only networks
Reason: Networks having IPv4 services only
Reality: IPv6 is enabled by default in modern OSes and can lead to problems if unchecked.

Statement: IPv6 security lacks adequate resources and policies
Reason: Considering that there are no BCPs, resources or features
Reality: BCPs, resources & features are there and regularly updated. ORGs can implement their own security policy in accordance.
IPv6: How to Approach
A change of mindset is necessary
• IPv6 has its own security features and risks & they need to be addressed accordingly
• IPv6 protocol knowledge development is the best security measure
IPv6: What’s actually happening out there
• 2003 : First IPv6 DDoS - approx. 1Gbps
• 2022 October : 10% of all attacks
• 2023 June : 20% of all attacks (doubled in less than a year)
• 2023 May-June : Spiked to 35% of all attacks (coincides with the ongoing scanning attacks)
• In just 2022 IPv6 overall DDoS traffic volume increased by 600% !!!
References:
– https://www.juniper.net/content/dam/www/assets/analyst-reports/us/en/2023/corero-ddos-threat-intelligence-report.pdf
– https://majorityreport.crowdsec.net
– https://www.radware.com/2023-h1-global-threat-analysis-report/
– June 15, 2023: ipv6-exploitation-in-ad-environment
– February 14, 2023: MITM6
IPv6 Threats: Spoofing
• IP Spoofing:
– Using a fake IPv6 source address
• Solution:
– ingress filtering and uRPF (unicast reverse path forwarding)
• uRPF :
– BCP38 (RFC2827)
• Since 1998!
– Router verifies if the source address of packets received is in the FIB table and reachable (routing table)
• Else DROP!
Figure: a router with interfaces pos0/0, ge0/0 and fa0/0 receives packets with Src = 2406:6400:100::1 and Src = 2406:6400:200::1 and checks them against its FIB (2400:6400:100:/48 via ge0/0, 2400:6400:200:/48 via fa0/0). Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
IPv6 Threats: BOGONs
What is a BOGON
• Not all IP address space (v4 and v6) is allocated by IANA to the RIRs
• Addresses that should not be seen on the Internet are called “Bogons” (also called “Martians”)
– RFC1918 space + Reserved space
• IANA publishes the list of number resources that have been allocated/assigned to RIRs/end-users
• IANA - IPv6 Assignment List
• IANA - IPv4 Assignment List
Impact & Mitigation
• Commonly found as the source address of DDoS packets
• Implement ingress BOGON filters
– Should not route them or accept traffic from them
– Manually implement from the IANA BOGON list
– Autoconfig via the Team Cymru BOGON route server project
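One way to implement the BCP38 ingress checks from the two slides above (bogon source filtering, then uRPF against the FIB), as an added Python example that is not from the slides: the FIB, interface names and packet sources are constructed to mirror the figure, the never-source prefixes come from the address-type table earlier in the deck, and the IANA / Team Cymru bogon list is left as a placeholder. It goes slightly beyond the slide by showing loose mode next to strict mode.

```python
import ipaddress

# Constructed FIB modelled on the slide's figure: destination prefix -> egress interface.
# A real router would take this from its routing table.
FIB = {
    "2406:6400:100::/48": "ge0/0",
    "2406:6400:200::/48": "fa0/0",
    "2001:db8:1::/48": "pos0/0",
}

# Prefixes that must never appear as a source on an Internet-facing interface, taken
# from the address-type table. A production filter would add the unallocated space
# from the IANA / Team Cymru bogon lists (placeholder: not loaded here).
NEVER_SOURCE = [
    ipaddress.IPv6Network("::/128"),          # unspecified
    ipaddress.IPv6Network("::1/128"),         # loopback
    ipaddress.IPv6Network("fc00::/7"),        # unique local
    ipaddress.IPv6Network("fe80::/10"),       # link-local
    ipaddress.IPv6Network("2001:db8::/32"),   # documentation
    ipaddress.IPv6Network("ff00::/8"),        # multicast (never a source)
]
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def is_bogon(src):
    """True if src is outside global unicast space or inside a never-source block."""
    addr = ipaddress.IPv6Address(src)
    if addr not in GLOBAL_UNICAST:
        return True
    return any(addr in net for net in NEVER_SOURCE)


def longest_match(fib, src):
    """Return (prefix, interface) of the most specific FIB entry covering src, or None."""
    addr = ipaddress.IPv6Address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def ingress_check(src, ingress_iface, fib=FIB, mode="strict"):
    """Bogon filter first, then uRPF, for one packet's source address.

    strict: the best route back to src must point out the interface the packet
    arrived on. loose: any route back to src is enough. Returns (verdict, reason).
    """
    if is_bogon(src):
        return "drop", "bogon source"
    match = longest_match(fib, src)
    if match is None:
        return "drop", "uRPF: no route to source"
    net, iface = match
    if mode == "strict" and iface != ingress_iface:
        return "drop", f"uRPF strict: {net} is reachable via {iface}, packet arrived on {ingress_iface}"
    return "accept", f"uRPF: {net} via {iface}"


if __name__ == "__main__":
    for src, iface in [("2406:6400:100::1", "ge0/0"), ("2406:6400:200::1", "ge0/0"),
                       ("fe80::1", "ge0/0"), ("2406:6400:300::1", "pos0/0")]:
        print(src, iface, ingress_check(src, iface))
```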
IPv6: Extension Headers
IPv6 allows optional Extension Headers in between the IPv6 header and the Upper Layer (TCP/UDP) headers
– Allows adding new features to the IPv6 protocol without major re-engineering
RFC8200:
– “Extension headers (except for Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node”
– But destination nodes must accept and process EH… “any order and occurring any number of times in the same packet”
Key Features
– Flexible (use is optional)
– Fixed (types and orders)
– Processed only at end-points (except for Hop-by-Hop & Routing options)
Figure: without an EH, the packet is IPv6 Header (Next Header = 6) | TCP header + data; with an EH, it is IPv6 Header (Next Header = 44) | Fragment header (Next header = 6) | TCP header + data.
Next Header values:
0 Hop-by-hop option
6 TCP
17 UDP
43 Source routing (RFC5095)
44 Fragmentation
50 Encrypted security payload
51 Authentication
58 ICMPv6
59 Null (No next header)
60 Destination option
IPv6: Extension Headers Challenges
• Flexibility is a synonym of Complexity
• Security devices/software now must process the full chain of headers
• Firewalls must be able to filter based on Extension Headers
IPv6 Threats: EH
Threat:
• EH as a covert channel to pass payload (data)
• Use an extensive number of EH headers
– The EH chain itself is fragmented and the TCP header can be in the Nth fragment … voilà! Let's insert a whole bunch of new fragmented packets and overload the destination.
Impact:
• Bypass IPS/IDP/Firewall
• Overwhelm the destination node (DoS/DDoS)
Mitigation & Challenges:
• Inspect & Filter unwanted EH Packets
Figure: a packet whose IPv6 Header (Next Header = 44) is followed by a chain of EHs (each pointing to the next header) that carry Hidden Data in front of the TCP header + data.
IPv6 Threats: EH - Routing Headers
• Include one or more IPs that should be visited in the path
– Processed by the visited router
• Routing Header (Type 0):
– RH0 can be used for traffic amplification over a remote path
• RH0 Deprecated [RFC5095]
– Disable IPv6 Source Routing
– Filter RH0 Packets
Figure: the attacker sends a packet towards DST whose RH0 fields list Addr[A], Addr[B], Addr[A], Addr[B], Addr[A], Addr[B], Addr[D] (other nodes S, D, E, F shown), so it bounces back and forth between routers A and B before reaching DST. Targeted link – BW usage.
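The header-chain walk that the four EH slides above say a firewall must perform, as an added Python example that is not from the slides: it follows the Next Header values from the table, flags RH0, over-long chains, and a first fragment that ends before the upper-layer header (the RFC 7112 rule that defeats the chain-fragmentation trick), and runs over constructed packets built with the documentation prefix. The 4-header limit, the sample addresses and the field values are assumptions.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40

# Next Header values from the slide.
NH_NAMES = {0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 43: "Routing", 44: "Fragment",
            50: "ESP", 51: "AH", 58: "ICMPv6", 59: "No Next Header", 60: "Destination Options"}
# Extension headers the walker can step over; ESP (50) is opaque, so it ends the walk.
EXTENSION = {0, 43, 44, 51, 60}


def ext_header_len(nh, pkt, off):
    """On-the-wire length of the extension header that starts at pkt[off]."""
    if nh == 44:                       # Fragment header is always 8 bytes
        return 8
    if nh == 51:                       # AH: Payload Len is in 4-byte units, minus 2
        return (pkt[off + 1] + 2) * 4
    return (pkt[off + 1] + 1) * 8      # Hdr Ext Len is in 8-byte units, excluding the first 8


def walk_chain(pkt, max_headers=4):
    """Walk the header chain of one IPv6 packet.

    Returns (chain, upper_layer, findings): extension header names in order, the
    upper-layer protocol name (None if the walk failed), and policy findings.
    Any finding means a firewall should drop the packet instead of guessing.
    """
    findings = []
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return [], None, ["not an IPv6 packet"]
    nh, off, chain, first_fragment = pkt[6], IPV6_HDR_LEN, [], False
    while nh in EXTENSION:
        if len(chain) >= max_headers:
            findings.append(f"more than {max_headers} extension headers")
            return chain, None, findings
        if off + 2 > len(pkt) or off + ext_header_len(nh, pkt, off) > len(pkt):
            findings.append(f"truncated {NH_NAMES[nh]} header")
            return chain, None, findings
        chain.append(NH_NAMES[nh])
        if nh == 43 and pkt[off + 2] == 0:          # Routing Type 0, deprecated by RFC 5095
            findings.append("RH0 present (deprecated, RFC 5095)")
        if nh == 44:
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            if frag >> 3 == 0 and frag & 1:         # offset 0 with M set: the first fragment
                first_fragment = True
        nh, off = pkt[off], off + ext_header_len(nh, pkt, off)
    upper = NH_NAMES.get(nh)
    if upper is None:
        findings.append(f"unknown Next Header {nh}")
    # RFC 7112: the first fragment must carry the whole chain including the upper-layer
    # header; a first fragment that ends before it cannot be classified by a firewall.
    elif first_fragment and nh != 59 and off >= len(pkt):
        findings.append("upper-layer header not in first fragment (RFC 7112)")
    return chain, upper, findings


def firewall_verdict(pkt):
    """Simple policy: any finding from the walk means drop."""
    return "drop" if walk_chain(pkt)[2] else "accept"


# ---- constructed sample packets (documentation addresses, not captured traffic) ----
def ipv6_packet(next_header, payload, src="2001:db8::1", dst="2001:db8::2"):
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)   # version 6, hop limit 64
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def frag_first(next_header):
    """Fragment header: offset 0, M flag set, identification 0x1234."""
    return bytes([next_header, 0]) + struct.pack("!HI", 1, 0x1234)


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-byte header
PADN = bytes([1, 4, 0, 0, 0, 0])   # PadN option that fills an 8-byte options header

SAMPLES = {
    "plain_tcp": ipv6_packet(6, TCP_SYN),
    "hbh_frag_tcp": ipv6_packet(0, bytes([44, 0]) + PADN + frag_first(6) + TCP_SYN),
    # RH0 carrying one address: Hdr Ext Len 2, Routing Type 0, Segments Left 1
    "rh0_tcp": ipv6_packet(43, bytes([6, 2, 0, 1, 0, 0, 0, 0])
                           + ipaddress.IPv6Address("2001:db8::ffff").packed + TCP_SYN),
    # First fragment ends after a Destination Options header: the TCP header would
    # only arrive in a later fragment, which is the chain-fragmentation trick above.
    "split_chain": ipv6_packet(44, frag_first(60) + bytes([6, 0]) + PADN),
    # Six stacked Destination Options headers in front of TCP
    "deep_chain": ipv6_packet(60, (bytes([60, 0]) + PADN) * 5 + bytes([6, 0]) + PADN + TCP_SYN),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13s} {firewall_verdict(pkt):6s} {walk_chain(pkt)}")
```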
IPv6: ICMPv6 – integral part of IPv6
• Filtering ICMPv6 is not a straightforward task
– Drop ICMPv6 → Completely Break IPv6
• RFC4890: “ICMPv6 Filtering Recommendations”
– Permit Error messages
• Destination Unreachable (Type 1) - All codes
• Packet Too Big (Type 2)
• Time Exceeded (Type 3) - Code 0 only
• Parameter Problem (Type 4) - Codes 1 and 2 only
– Permit Connectivity check messages
• Echo Request (Type 128)
• Echo Response (Type 129)
https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
IPv6 Threats: NDP
• Neighbor Discovery (ND):
– NDP Spoofing
– Duplicate Address Detection (DAD) DoS
• Router Advertisement (RA)
– Rogue RA
– RA flooding
• Neighbor Solicitation/Advertisement Spoofing
– NS with the “source link-layer” option changed
– NA with the “target link-layer” option changed
• Can send an unsolicited NA or an answer to an NS
IPv6 Threats: DAD - DoS
Information:
• No ARP Table in IPv6
• Remember IP Conflict?
IPv6 Approach:
• Stateless Address Auto-Configuration (SLAAC) is the feature to configure a Unique Link-Local Address
• It uses the EUI-64 Interface Identifier in combination with the Link-Local prefix FE80::/64
Threat:
• Duplicate Address Detection – DoS attacks
Neighbor Solicitation (NS) : ICMPv6 Type 135
Neighbor Advertisement (NA) : ICMPv6 Type 136
Figure: (1) the client sends a Neighbor Solicitation (NS) asking “Is this address unique?”; (2) the attacker sends a Neighbor Advertisement (NA) for each NS, claiming “This address is MINE!”
IPv6 Threats: ND Spoofing
Neighbor Solicitation (NS) : ICMPv6 Type 135
Neighbor Advertisement (NA) : ICMPv6 Type 136
Figure: (1) the client sends a Neighbor Solicitation (NS) asking for Host B’s link layer address (“What is Host B’s MAC address?”); (2) the attacker answers with a Neighbor Advertisement (NA) that spoofs Host B and carries the attacker’s own MAC (“I am Host B. This is my MAC.”)
IPv6 Threats: Rogue RA
Figure: (1) the client sends a Router Solicitation (RS); (2) the attacker sends a Router Advertisement (RA) naming itself as default router. Hosts autoconfigure IPv6 based on the spoofed RA, including the default router (as well as other info - DNS), and the data transfer to the Global Internet then starts through the attacker.
• Attacker can now intercept, listen and modify the packets coming from Host A and B – MITM
• Or redirect to a site they control
IPv6: Threat Detection Tools
• NDPMon
– Can detect anomalies in RAs and NAs
• Compares against expected/valid behavior (config file – MAC/LLA of routers, prefixes, DNS, flags, parameters)
– Can generate syslog events and/or email alerts, or run custom scripts
– http://ndpmon.sourceforge.net/index.php
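An added Python example, not from the slides and not NDPMon’s own code, of the comparison NDPMon performs: constructed NDP events are replayed against an expected-behaviour config (router LLA/MAC, prefix, DNS) to raise the rogue RA, DAD DoS and ND spoofing alerts described on the preceding slides. The event format, field names and the DAD threshold are assumptions.

```python
from collections import defaultdict

# Expected behaviour, the kind of thing NDPMon keeps in its config file (constructed values).
CONFIG = {
    "routers": {"fe80::1": "00:11:22:33:44:01"},   # legitimate router: link-local address -> MAC
    "prefixes": {"2001:db8:1::/64"},
    "dns": {"2001:db8:1::53"},
}

# Constructed NDP events in the order a monitor on the link would decode them.
# "mac" is the Ethernet source; an NS with src "::" is a DAD probe for a tentative address.
EVENTS = [
    {"type": "RA", "src": "fe80::1", "mac": "00:11:22:33:44:01",
     "prefix": "2001:db8:1::/64", "dns": "2001:db8:1::53"},
    {"type": "RA", "src": "fe80::d00d", "mac": "de:ad:be:ef:00:01",           # rogue RA
     "prefix": "2001:db8:1::/64", "dns": "2001:db8:1::53"},
    {"type": "NS", "src": "::", "target": "2001:db8:1::10", "mac": "00:11:22:33:44:10"},
    {"type": "NA", "target": "2001:db8:1::10", "mac": "de:ad:be:ef:00:01"},  # answers the DAD probe
    {"type": "NS", "src": "::", "target": "2001:db8:1::11", "mac": "00:11:22:33:44:11"},
    {"type": "NA", "target": "2001:db8:1::11", "mac": "de:ad:be:ef:00:01"},  # ... and the next one
    {"type": "NA", "target": "2001:db8:1::20", "mac": "00:11:22:33:44:20"},
    {"type": "NA", "target": "2001:db8:1::20", "mac": "de:ad:be:ef:00:01"},  # same target, new MAC
]


def analyse(events, config, dad_threshold=2):
    """Replay NDP events against the expected-behaviour config and return alerts.

    Each alert is (kind, subject, detail). Kinds: rogue_ra, wrong_prefix, wrong_dns,
    dad_dos (one MAC "wins" DAD for dad_threshold different addresses) and nd_spoof
    (a target address advertised with a MAC different from the one first seen).
    """
    alerts = []
    neighbor_cache = {}             # target address -> MAC first seen in an NA
    tentative = set()               # addresses currently under Duplicate Address Detection
    dad_wins = defaultdict(int)     # MAC -> number of DAD probes it has answered
    for ev in events:
        if ev["type"] == "RA":
            if config["routers"].get(ev["src"]) != ev["mac"]:
                alerts.append(("rogue_ra", ev["src"], ev["mac"]))
            if ev.get("prefix") not in config["prefixes"]:
                alerts.append(("wrong_prefix", ev.get("prefix"), ev["mac"]))
            if ev.get("dns") and ev["dns"] not in config["dns"]:
                alerts.append(("wrong_dns", ev["dns"], ev["mac"]))
        elif ev["type"] == "NS" and ev["src"] == "::":
            tentative.add(ev["target"])
        elif ev["type"] == "NA":
            target, mac = ev["target"], ev["mac"]
            if target in tentative:
                tentative.discard(target)
                dad_wins[mac] += 1
                if dad_wins[mac] == dad_threshold:
                    alerts.append(("dad_dos", mac, f"answered {dad_threshold} DAD probes"))
            first_seen = neighbor_cache.setdefault(target, mac)
            if first_seen != mac:
                alerts.append(("nd_spoof", target, f"{first_seen} -> {mac}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS, CONFIG):
        print(*alert)
```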
IPv6: Threat Mitigation Tools
• RA Guard (RFC6105/7113)
– messages between IPv6 devices traverse the controlled L2 networking device
– first-hop security
• Allow or drop RA messages based on policies
IPv6: Threat Mitigation Tools
• SeND (RFC3971)
– Uses crypto to secure NDP messages
• Uses CGA and a set of NDP options
• CGA (cryptographically generated address):
– CGA associates a public key with an IPv6 address
• RSA signature option
– Node computes the interface-ID
• Using a hash function of the node’s public key
– and appends it to the IPv6 prefix - CGA
IPv6: Threat Mitigation Tools
• SeND (RFC3971)
– The receiver recomputes the hash and compares it with the interface-ID
• Verifies the public key binding
– Messages sent from a CGA address can be protected by attaching the public key and signing the message with the private key.
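The CGA computation the two SeND slides describe, as an added Python example that is not from the slides: a simplified RFC 3972 generation and verification (Hash1 over modifier, subnet prefix, collision count and public key gives the interface-ID; Hash2 with the Sec value is the work factor that makes finding another key for the same address expensive). A constructed byte string stands in for the DER-encoded public key, and the RSA signature option is not shown.

```python
import hashlib
import ipaddress
import os


def _hash1(modifier, subnet_prefix, collision_count, pubkey):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters (RFC 3972, section 4)."""
    return hashlib.sha1(modifier + subnet_prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2_ok(modifier, pubkey, sec):
    """Hash2 = SHA-1(modifier || 9 zero bytes || key); its leftmost 16*Sec bits must be zero."""
    h2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return h2 >> (112 - 16 * sec) == 0


def _interface_id(hash1, sec):
    """Write Sec into bits 0-2 and clear the u and g bits (6 and 7) of Hash1."""
    iid = bytearray(hash1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def generate_cga(prefix, pubkey, sec=1, modifier=None):
    """Return (address, modifier, collision_count) binding pubkey to an address in prefix.

    The modifier is incremented until Hash2 satisfies Sec; that search is the
    work an impersonator would also have to repeat for a key of their own.
    """
    subnet_prefix = prefix.network_address.packed[:8]
    mod = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    while not _hash2_ok(mod.to_bytes(16, "big"), pubkey, sec):
        mod = (mod + 1) % (1 << 128)
    modifier = mod.to_bytes(16, "big")
    collision_count = 0   # incremented (max 2) if DAD reports the address already in use
    iid = _interface_id(_hash1(modifier, subnet_prefix, collision_count, pubkey), sec)
    return ipaddress.IPv6Address(subnet_prefix + iid), modifier, collision_count


def verify_cga(address, pubkey, modifier, collision_count):
    """Receiver side: recompute the hash from the advertised parameters and compare."""
    if collision_count > 2:
        return False
    packed = address.packed
    subnet_prefix, iid = packed[:8], packed[8:]
    sec = iid[0] >> 5                                   # Sec is carried in the address itself
    expected = _interface_id(_hash1(modifier, subnet_prefix, collision_count, pubkey), sec)
    return expected == iid and _hash2_ok(modifier, pubkey, sec)


# Constructed inputs: documentation prefix and a stand-in for a DER-encoded public key.
DEMO_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")
DEMO_PUBKEY = b"constructed stand-in for a DER-encoded RSA public key"

if __name__ == "__main__":
    addr, mod, cc = generate_cga(DEMO_PREFIX, DEMO_PUBKEY, sec=1)
    print(addr, mod.hex(), cc, verify_cga(addr, DEMO_PUBKEY, mod, cc))
```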
IPv6: What Else?
• Viruses/Worms
– Is IPv6 any more secure?
• IMs, emails and everything higher up the stack: still the same
• Train your people
• Assess your network - security nodes must understand IPv6
• Do what you did for IPv4 traffic with IPv6
– ACLs/filters
– Harden hosts and applications
– Use crypto protections where necessary/critical
References:
• https://www.first.org/resources/papers/conf2015/first_2015-herberg-frank_ipv6-security_20150618.pdf
• https://tools.ietf.org/html/rfc2460
• https://tools.ietf.org/html/rfc7112
• https://tools.ietf.org/html/rfc7113
• https://tools.ietf.org/html/rfc8200
• https://labs.ripe.net/Members/ahmad_alsadeh/isend
• https://blog.compass-security.com/wp-content/uploads/2015/01/ipv6_secure_neighbor_discovery_1.2.pdf

More Related Content

Similar to IPv6 Security Overview by QS Tahmeed, APNIC RCT

IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
Swiss IPv6 Council
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
Zivaro Inc
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
APNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
APNIC
 
I pv6 for cmu
I pv6 for cmuI pv6 for cmu
I pv6 for cmu
Naranont Atima
 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6
mithilak
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
Private
 
IPv6 networking training sduffy v3
IPv6 networking training   sduffy v3IPv6 networking training   sduffy v3
IPv6 networking training sduffy v3
Shane Duffy
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Wardner Maia
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planning
Tim Martin
 
IPv6
IPv6IPv6
10 IP VERSION SIX (6) WEEK TEN notes.pptx
10 IP VERSION SIX (6)  WEEK TEN notes.pptx10 IP VERSION SIX (6)  WEEK TEN notes.pptx
10 IP VERSION SIX (6) WEEK TEN notes.pptx
JoshuaAnnan5
 
Apnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshopApnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshop
Nguyen Minh Thu
 
IPV6
IPV6 IPV6
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2ehsan nazer
 

Similar to IPv6 Security Overview by QS Tahmeed, APNIC RCT (20)

IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
 
IPv6
IPv6IPv6
IPv6
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
I pv6 for cmu
I pv6 for cmuI pv6 for cmu
I pv6 for cmu
 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
IPv6 networking training sduffy v3
IPv6 networking training   sduffy v3IPv6 networking training   sduffy v3
IPv6 networking training sduffy v3
 
IPv6_Quick_Start_Guide
IPv6_Quick_Start_GuideIPv6_Quick_Start_Guide
IPv6_Quick_Start_Guide
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planning
 
IPv6
IPv6IPv6
IPv6
 
IPv6
IPv6IPv6
IPv6
 
10 IP VERSION SIX (6) WEEK TEN notes.pptx
10 IP VERSION SIX (6)  WEEK TEN notes.pptx10 IP VERSION SIX (6)  WEEK TEN notes.pptx
10 IP VERSION SIX (6) WEEK TEN notes.pptx
 
Ipv6 questions
Ipv6 questionsIpv6 questions
Ipv6 questions
 
Ipv6
Ipv6Ipv6
Ipv6
 
Apnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshopApnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshop
 
IPV6
IPV6 IPV6
IPV6
 
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2
 

More from Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Bangladesh Network Operators Group
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Bangladesh Network Operators Group
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
Bangladesh Network Operators Group
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
Bangladesh Network Operators Group
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
Bangladesh Network Operators Group
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
Bangladesh Network Operators Group
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
Bangladesh Network Operators Group
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
Bangladesh Network Operators Group
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
Bangladesh Network Operators Group
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
Bangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
Bangladesh Network Operators Group
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
Bangladesh Network Operators Group
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
Bangladesh Network Operators Group
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
Bangladesh Network Operators Group
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
Bangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
Bangladesh Network Operators Group
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
Bangladesh Network Operators Group
 
Measuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create ValueMeasuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create Value
Bangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 
Measuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create ValueMeasuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create Value
 

Recently uploaded

Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
TristanJasperRamos
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
ShahulHameed54211
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
Himani415946
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 

Recently uploaded (16)

Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
 
test test test test testtest test testtest test testtest test testtest test ...
test test  test test testtest test testtest test testtest test testtest test ...test test  test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 

IPv6 Security Overview by QS Tahmeed, APNIC RCT

  • 1. 1 IPv6 Security Overview Q S Tahmeed, APNIC RCT, BD
  • 3. 3 3 IPv6: Global End User Readiness https://stats.labs.apnic.net/ipv6
  • 4. 4 4 IPv6: Globally Top 1000 Websites https://pulse.internetsociety.org/technologies
  • 6. 6 6 IPv6: Address Spaces Prefix Designation IPv4 equivalent ::/128 Unspecified This address may only be used as a source address by an initializing host before it has learned its own addresses. 0.0.0.0 ::1/128 Loopback This address is used when a host talks to itself over IPv6. This often happens when one program sends data to another. 127.0.0.1 fc00::/7 Example: fdf8:f535:82e4::53 Unique Local Addresses (ULAs) Reserved for local use in home and enterprise environments (not public address space). Private, or RFC 1918 address space: •10.0.0.0/8 •172.16.0.0/12 •192.168.0.0/16 fe80::/10 Example: fe80::200:5aee:feaa:20a2 Link-Local Addresses Used on a single link or a non-routed common access network, such as an Ethernet LAN. They do not need to be unique outside of that link. 169.254.0.0/16 2001:db8::/32 Example: 2001:db8:8:4::2 Documentation used in examples and documentation. These should never be source or destination addresses. •192.0.2.0/24 •198.51.100.0/24 •203.0.113.0/24 2000::/3 Global Unicast The operators of networks using these addresses can be found using the RIR Whois servers listed in the IANA registry. No equivalent single IPv4 block ff00::/8 Example: ff01:0:0:0:0:0:0:2 Multicast Used to identify multicast groups. They should only be used as destination addresses, never as source addresses. 224.0.0.0/4 The above is a partial list. The full list can be found below: https://www.apnic.net/get-ip/faqs/what-is-an-ip-address/ipv6-address-types/
  • 10. IPv6: Security Statements (statement, reason, reality)
    – Statement: "IPv6 is more secure and it's built-in". Reason: RFC4294 states that IPsec is a MUST. Reality: RFC 8504 states IPsec SHOULD; IPsec is available.
    – Statement: "IPv6 has no NAT and we are exposed to attacks from the Internet". Reason: E2E paradigm, global addresses and no NAT. Reality: global addressing doesn't imply global reachability, and each organization is responsible for FILTERING its own traffic.
    – Statement: "IPv6 networks are too big to SCAN". Reason: the standard LAN/VLAN allocation is a /64 network prefix. Reality: a brute-force scan is not possible, but there are new scanning techniques available.
    – Statement: "IPv6 is too new to be attacked". Reason: lack of updated information. Reality: 20% of overall malicious traffic is over IPv6.
    – Statement: "IPv6 is not a security problem in IPv4-only networks". Reason: networks having IPv4 services only. Reality: IPv6 is enabled by default in modern OSes and can lead to problems if unchecked.
    – Statement: "IPv6 security lacks adequate resources and policies". Reason: the belief that there are no BCPs, resources or features. Reality: BCPs, resources and features are there and regularly updated; organizations can implement their own security policy in accordance.
  • 11. IPv6: How to Approach. A change of mindset is necessary:
    – IPv6 has its own security features and risks, and they need to be addressed accordingly
    – Developing IPv6 protocol knowledge is the best security measure
  • 12. IPv6: What's actually happening out there
    – 2003: first IPv6 DDoS, approx. 1 Gbps
    – October 2022: 10% of all attacks
    – June 2023: 20% of all attacks (doubled in less than a year)
    – May-June 2023: spiked to 35% of all attacks (coincides with the ongoing scanning attacks)
    – In 2022 alone, overall IPv6 DDoS traffic volume increased by 600%!
    References:
    – https://www.juniper.net/content/dam/www/assets/analyst-reports/us/en/2023/corero-ddos-threat-intelligence-report.pdf
    – https://majorityreport.crowdsec.net
    – https://www.radware.com/2023-h1-global-threat-analysis-report/
    – June 15, 2023: ipv6-exploitation-in-ad-environment
    – February 14, 2023: MITM6
  • 13. IPv6 Threats: Spoofing
    – IP spoofing: using a fake IPv6 source address
    – Solution: ingress filtering and uRPF (unicast reverse path forwarding)
    – uRPF: BCP38 (RFC2827), since 1998! The router verifies whether the source address of a received packet is in the FIB table and reachable via the routing table; else DROP!
    [Figure: uRPF check on a router with interfaces pos0/0, ge0/0 and fa0/0. Packets arrive with Src = 2406:6400:100::1 and Src = 2406:6400:200::1; FIB: 2400:6400:100:/48 via ge0/0, 2400:6400:200:/48 via fa0/0. Image source: "Cisco ISP Essentials", Barry Greene & Philip Smith, 2002]
  • 14. IPv6 Threats: BOGONs
    What is a BOGON
    – Not all IP addresses (v4 and v6) are allocated by IANA to the RIRs
    – Addresses that should not be seen on the Internet are called "Bogons" (also called "Martians"): RFC1918 space plus reserved space
    – IANA publishes the list of number resources that have been allocated/assigned to RIRs/end-users: IANA IPv6 Assignment List, IANA IPv4 Assignment List
    Impact & Mitigation
    – Commonly found as the source address of DDoS packets
    – Implement ingress BOGON filters: do not route them or accept traffic from them; implement manually from the IANA BOGON list, or autoconfigure via the Team Cymru BOGON route server project
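    The two ingress checks described on slides 13 and 14 (BCP38/uRPF and bogon filtering) as one worked example. This is added illustration code, not part of the original deck or of any router vendor's implementation: the FIB is constructed to resemble the slide's figure (the /48 routes and interface names are assumptions), and the bogon list is a hand-picked subset of the reserved ranges from slide 6 rather than the IANA or Team Cymru feed a production filter would load.

```python
import ipaddress

# Constructed FIB modelled on the slide's uRPF figure: prefix -> egress interface.
# The routes themselves are assumptions for the example.
FIB = {
    ipaddress.ip_network("2406:6400:100::/48"): "ge0/0",
    ipaddress.ip_network("2406:6400:200::/48"): "fa0/0",
    ipaddress.ip_network("::/0"): "pos0/0",   # default route towards the upstream
}

# Constructed bogon list: a subset of the reserved ranges named on slide 6
# (unspecified, loopback, ULA, link-local, documentation, multicast).
BOGONS = [ipaddress.ip_network(p) for p in (
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "2001:db8::/32", "ff00::/8",
)]


def lookup(fib, addr):
    """Longest-prefix match: return (prefix, interface) or None."""
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def is_bogon(src):
    """True if the source address falls in any bogon range."""
    return any(src in net for net in BOGONS)


def urpf_check(fib, src, ingress, strict=True):
    """BCP38 reverse-path check.
    strict: the route back to src must leave via the interface the packet came in on.
    loose:  any route other than the default route is enough."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    prefix, iface = hit
    if prefix.prefixlen == 0:
        # Only the default route matched: that is not a real reverse path,
        # so the packet fails unless the operator explicitly allows the default.
        return False
    return iface == ingress if strict else True


def ingress_filter(fib, src_str, ingress, strict=True):
    """Verdict for one received packet: bogon check first, then uRPF."""
    src = ipaddress.ip_address(src_str)
    if is_bogon(src):
        return "DROP bogon source"
    if not urpf_check(fib, src, ingress, strict):
        return "DROP uRPF fail"
    return "PERMIT"


if __name__ == "__main__":
    # Constructed sample packets: (source, ingress interface)
    for src, iface in [("2406:6400:100::1", "ge0/0"), ("2406:6400:100::1", "pos0/0"),
                       ("fe80::1", "ge0/0"), ("2406:6400:300::1", "ge0/0")]:
        print(f"{src:>20} in {iface:6}: strict={ingress_filter(FIB, src, iface)}"
              f" loose={ingress_filter(FIB, src, iface, strict=False)}")
```

    Strict mode is what the slide's figure shows (packet must arrive on the interface the FIB would use to reach its source); loose mode only asks whether the source is routable at all and is the usual choice on asymmetric transit links.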
  • 15. IPv6: Extension Headers. IPv6 allows optional Extension Headers (EH) between the IPv6 header and the upper-layer (TCP/UDP) header, which allows adding new features to the IPv6 protocol without major re-engineering.
    RFC8200:
    – "Extension headers (except for Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node"
    – But destination nodes must accept and process EHs in "any order and occurring any number of times in the same packet"
    Key features:
    – Flexible (use is optional)
    – Fixed (types and order)
    – Processed only at end-points (except for Hop-by-Hop and Routing options)
    [Figure: header chaining. Without EH: IPv6 Header (Next Header = 6) followed by TCP header + data. With EH: IPv6 Header (Next Header = 44), Fragment header (Next Header = 6), TCP header + data.]
    Next Header values:
    – 0 Hop-by-Hop Options
    – 6 TCP
    – 17 UDP
    – 43 Source routing (RFC5095)
    – 44 Fragmentation
    – 50 Encapsulating Security Payload
    – 51 Authentication Header
    – 58 ICMPv6
    – 59 Null (No Next Header)
    – 60 Destination Options
  • 16. IPv6: Extension Headers, Challenges
    – Flexibility is a synonym of complexity
    – Security devices/software now must process the full chain of headers
    – Firewalls must be able to filter based on Extension Headers
  • 17. IPv6 Threats: EH
    Threat:
    – EH as a covert channel to pass payload (data)
    – Use an extensive number of EH headers: the EH chain itself is fragmented and the TCP header can be in the Nth fragment... voilà! Insert a whole bunch of new fragmented packets and overload the destination.
    Impact:
    – Bypass IPS/IDP/Firewall
    – Overwhelm the destination node (DoS/DDoS)
    Mitigation & Challenges:
    – Inspect and filter unwanted EH packets
    [Figure: IPv6 Header (Next Header = 44), an EH carrying hidden data, a further EH (Next Header), then TCP header + data.]
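    The inspection that slides 15 to 17 call for, walking the Next Header chain and flagging the abuses they name, as an added example. This is not code from the deck or from any firewall product: it builds a few constructed packets (documentation addresses, a dummy 20-byte TCP header) and parses them with a chain walker that reports an over-long chain, repeated headers, an ESP header that hides the rest of the chain, and a first fragment that does not carry the whole header chain, which RFC7112 (in the deck's reference list) forbids. The header-size rules used are those of RFC8200 (Hop-by-Hop/Destination/Routing: (len+1)*8 bytes; Fragment: 8 bytes; AH: (len+2)*4 bytes); the limit of four extension headers is an assumed local policy value.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_NAMES = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH", 60: "Dest Opts"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}


def ipv6_header(next_header, payload_len):
    """Fixed 40-byte IPv6 header; constructed documentation addresses (2001:db8::1 -> ::2)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64) + src + dst


def ext_generic(next_header):
    """8-byte Hop-by-Hop / Destination Options header: next hdr, hdr ext len 0, one PadN option."""
    return bytes([next_header, 0]) + b"\x01\x04\x00\x00\x00\x00"


def fragment_header(next_header, offset, more):
    """Fragment header: next hdr, reserved, 13-bit offset + M flag, 32-bit identification."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), 0xDEADBEEF)


def analyze(pkt, max_headers=4):
    """Walk the extension header chain. Returns (chain of header names, findings)."""
    chain, findings, counts = [], [], {}
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return chain, ["not an IPv6 packet"]
    nh, off = pkt[6], 40
    first_fragment = True
    while nh not in UPPER_LAYER:
        if nh not in EXT_NAMES:
            findings.append(f"unknown next header {nh}")
            break
        chain.append(EXT_NAMES[nh])
        counts[nh] = counts.get(nh, 0) + 1
        if len(chain) > max_headers:
            findings.append(f"extension header chain longer than {max_headers}")
            break
        if nh == ESP:
            findings.append("ESP reached: remainder is encrypted and cannot be inspected")
            break
        if off + 8 > len(pkt):          # every extension header is at least 8 bytes
            findings.append("header chain truncated")
            break
        if nh == FRAGMENT:
            hlen = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                first_fragment = False   # later fragments carry data only: stop here
                chain.append("(non-first fragment: data only)")
                break
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4
        else:
            hlen = (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            findings.append("header chain truncated")
            break
        nh, off = pkt[off], off + hlen
    if nh in UPPER_LAYER:
        chain.append(UPPER_LAYER[nh])
    for t, c in counts.items():
        # RFC8200 allows Destination Options twice (before Routing and before the upper layer)
        if c > 1 and not (t == DEST_OPTS and c == 2):
            findings.append(f"{EXT_NAMES[t]} header repeated {c} times")
    if FRAGMENT in counts and first_fragment and nh not in UPPER_LAYER and ESP not in counts:
        findings.append("first fragment does not carry the whole header chain (RFC7112)")
    return chain, findings


# Constructed sample packets
TCP = bytes(20)                                    # dummy TCP header
PKT_PLAIN = ipv6_header(6, len(TCP)) + TCP
_p = ext_generic(FRAGMENT) + fragment_header(6, 0, False) + TCP
PKT_FRAG_OK = ipv6_header(DEST_OPTS, len(_p)) + _p
_p = ext_generic(DEST_OPTS) * 5 + ext_generic(6) + TCP
PKT_LONG = ipv6_header(DEST_OPTS, len(_p)) + _p   # six Destination Options headers
_p = ext_generic(FRAGMENT) + fragment_header(DEST_OPTS, 0, True)
PKT_CUT = ipv6_header(DEST_OPTS, len(_p)) + _p    # first fragment, upper layer pushed to a later fragment

if __name__ == "__main__":
    for name, pkt in [("plain", PKT_PLAIN), ("frag ok", PKT_FRAG_OK), ("long", PKT_LONG), ("cut", PKT_CUT)]:
        print(name, *analyze(pkt), sep=" | ")
```

    A firewall that stops at the first unknown or unparseable header, as this walker does, is exactly the device the slide says "must process the full chain"; the findings list is what such a device would log before dropping.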
  • 18. IPv6 Threats: EH - Routing Headers
    – Include one or more IPs that should be visited in the path; processed by the visited router
    – Routing Header (Type 0): RH0 can be used for traffic amplification over a remote path
    – RH0 is deprecated [RFC5095]: disable IPv6 source routing and filter RH0 packets
    [Figure: RH0 amplification. An attacker's packet carries RH0 fields Addr[A], Addr[B], Addr[A], Addr[B], ..., Addr[D], so it bounces between routers A and B before reaching DST, consuming bandwidth on the targeted link.]
  • 19. IPv6: ICMPv6, an integral part of IPv6
    – Filtering ICMPv6 is not a straightforward task: drop ICMPv6 and you completely break IPv6
    – RFC4890, "ICMPv6 Filtering Recommendations":
      Permit error messages:
      • Destination Unreachable (Type 1), all codes
      • Packet Too Big (Type 2)
      • Time Exceeded (Type 3), code 0 only
      • Parameter Problem (Type 4), codes 1 and 2 only
      Permit connectivity check messages:
      • Echo Request (Type 128)
      • Echo Response (Type 129)
    https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
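    The RFC4890 permit list from slide 19 turned into something a practitioner can test and deploy, as an added example that is not part of the deck: a type/code policy table, a verdict function run over a few constructed ICMPv6 headers, and a generator for the equivalent ip6tables lines (the `ip6tables ... -p ipv6-icmp --icmpv6-type type/code` syntax is the icmp6 match's own; the chain name `INPUT` is an assumed default). The table covers only the messages the slide lists; RFC4890 separately covers the link-local NDP and MLD messages (types 130 to 137), which must also pass on the local link or address configuration breaks, so a real ruleset needs those rules too.

```python
# RFC4890 permit rules as listed on the slide. None means "all codes".
PERMIT = {
    1: None,      # Destination Unreachable, all codes
    2: None,      # Packet Too Big
    3: {0},       # Time Exceeded, code 0 (hop limit exceeded in transit) only
    4: {1, 2},    # Parameter Problem, codes 1 and 2 only
    128: None,    # Echo Request
    129: None,    # Echo Reply
}


def verdict(icmp_type, code):
    """ACCEPT if the type/code pair is on the permit list, DROP otherwise (default deny)."""
    codes = PERMIT.get(icmp_type, ())
    if codes is None or code in codes:
        return "ACCEPT"
    return "DROP"


def classify(icmpv6_payload):
    """Take the raw ICMPv6 header (type, code, checksum, ...) and return (type, code, verdict)."""
    if len(icmpv6_payload) < 4:
        raise ValueError("ICMPv6 header is at least 4 bytes")
    t, c = icmpv6_payload[0], icmpv6_payload[1]
    return t, c, verdict(t, c)


def ip6tables_rules(chain="INPUT"):
    """Render the permit table as ip6tables commands; the final rule drops the rest."""
    rules = []
    for t in sorted(PERMIT):
        codes = PERMIT[t]
        if codes is None:
            rules.append(f"ip6tables -A {chain} -p ipv6-icmp --icmpv6-type {t} -j ACCEPT")
        else:
            for c in sorted(codes):
                rules.append(f"ip6tables -A {chain} -p ipv6-icmp --icmpv6-type {t}/{c} -j ACCEPT")
    return rules


# Constructed sample ICMPv6 headers: type, code, zero checksum, four bytes of body
SAMPLES = {
    "dest unreachable / port":   bytes([1, 4, 0, 0, 0, 0, 0, 0]),
    "time exceeded / reassembly": bytes([3, 1, 0, 0, 0, 0, 0, 0]),
    "parameter problem / code 0": bytes([4, 0, 0, 0, 0, 0, 0, 0]),
    "echo request":              bytes([128, 0, 0, 0, 0, 0, 0, 0]),
    "neighbor solicitation":     bytes([135, 0, 0, 0, 0, 0, 0, 0]),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:28} -> {classify(hdr)}")
    print("\n".join(ip6tables_rules()))
```

    Note that the last sample, a Neighbor Solicitation, is dropped by this table; that is the trap the slide warns about, and the reason the NDP types need their own permit rules in front of the default deny.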
  • 20. IPv6 Threats: NDP
    – Neighbor Discovery (ND): NDP spoofing; Duplicate Address Detection (DAD) DoS
    – Router Advertisement (RA): rogue RA; RA flooding
    – Neighbor Solicitation/Advertisement spoofing: NS with the "source link-layer" option changed; NA with the "target link-layer" option changed; an NA can be sent unsolicited or as an answer to an NS
  • 21. IPv6 Threats: DAD - DoS
    Information:
    – No ARP table in IPv6
    – Remember IP conflicts?
    IPv6 approach:
    – Stateless Address Auto-Configuration (SLAAC) is the feature that configures a unique link-local address
    – It uses the EUI-64 interface identifier in combination with the link-local prefix FE80::/64
    Threat:
    – Duplicate Address Detection: DoS attacks
    Neighbor Solicitation (NS): ICMPv6 Type 135. Neighbor Advertisement (NA): ICMPv6 Type 136.
    [Figure: (1) the client sends an NS asking "Is this address unique?"; (2) the attacker answers every NS with an NA claiming "This address is MINE!", so the client never completes address configuration.]
  • 22. IPv6 Threats: ND Spoofing
    Neighbor Solicitation (NS): ICMPv6 Type 135. Neighbor Advertisement (NA): ICMPv6 Type 136.
    [Figure: (1) the client sends an NS asking for Host B's link-layer address ("What is Host B's MAC address?"); (2) the attacker answers with an NA that spoofs Host B and carries the attacker's own MAC ("I am Host B. This is my MAC.").]
  • 23. IPv6 Threats: Rogue RA
    [Figure: (1) the client sends a Router Solicitation (RS); (2) the attacker sends a Router Advertisement (RA) naming itself as default router; hosts autoconfigure IPv6 based on the spoofed RA, including the default router (as well as other info such as DNS), and data transfer towards the global Internet starts through the attacker.]
    – The attacker can now intercept, listen to and modify the packets coming from Hosts A and B (MITM)
    – Or redirect them to a site they control
  • 24. IPv6: Threat Detection Tools
    – NDPMon: can detect anomalies in RAs and NAs
      • Compares against expected/valid behaviour (config file with the MAC/LLA of routers, prefixes, DNS, flags, parameters)
      • Can generate syslog events and/or email alerts, or run custom scripts
      • http://ndpmon.sourceforge.net/index.php
  • 25. IPv6: Threat Mitigation Tools
    – RA Guard (RFC6105/7113): messages between IPv6 devices traverse the controlled L2 networking device (first-hop security), which allows or drops RA messages based on policies
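    The check behind both slide 24 (NDPMon comparing RAs against a config of expected routers, prefixes and DNS) and slide 25 (RA Guard allowing or dropping RAs by policy), as one added example. It is illustration code, not NDPMon's or any switch vendor's: the RA is modelled as a decoded record rather than parsed from the wire, the policy fields (router link-local address to MAC map, trusted switch ports, expected prefixes and RDNSS servers) are assumptions, and the sample RAs use documentation addresses. The hop-limit rule is RFC4861's requirement that RAs arrive with hop limit 255, which is what proves the sender is on-link.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class RouterAdvertisement:
    src_lla: str          # link-local source address of the RA
    src_mac: str          # source MAC seen on the wire
    ingress_port: str     # switch port the RA arrived on (for RA Guard style policy)
    hop_limit: int        # IPv6 hop limit of the packet; must be 255 for on-link NDP
    prefixes: tuple       # advertised on-link prefixes
    rdnss: tuple          # advertised recursive DNS servers
    router_lifetime: int  # 0 means "I am not a default router"


@dataclass
class Policy:
    routers: dict         # expected router LLA -> expected MAC
    router_ports: set     # switch ports where legitimate routers are attached
    prefixes: set         # expected ip_network objects
    rdnss: set            # expected DNS server addresses


def check_ra(ra, policy):
    """NDPMon-style comparison of one RA against the expected configuration.
    Returns a list of syslog-style alert lines (empty list means the RA is clean)."""
    alerts = []

    def alert(msg):
        alerts.append(f"ndp-alert: {msg} src={ra.src_lla} mac={ra.src_mac} port={ra.ingress_port}")

    if ra.ingress_port not in policy.router_ports:
        alert("RA received on untrusted port (RA Guard would drop it)")
    if ra.hop_limit != 255:
        alert(f"RA hop limit {ra.hop_limit} != 255, sender is not on-link")
    expected_mac = policy.routers.get(ra.src_lla)
    if expected_mac is None:
        alert("RA from unknown router")
    elif expected_mac.lower() != ra.src_mac.lower():
        alert(f"router MAC changed, expected {expected_mac}")
    for p in ra.prefixes:
        if ip_network(p) not in policy.prefixes:
            alert(f"unexpected prefix {p}")
    for d in ra.rdnss:
        if d not in policy.rdnss:
            alert(f"unexpected RDNSS {d}")
    if ra.router_lifetime == 0 and expected_mac is not None:
        alert("known router withdrew itself (router lifetime 0)")
    return alerts


def ra_guard_verdict(ra, policy):
    """RA Guard style decision on the L2 device: forward only RAs that raise no alert."""
    return "forward" if not check_ra(ra, policy) else "drop"


# Constructed policy and sample RAs (documentation addresses, made-up MACs and ports)
POLICY = Policy(
    routers={"fe80::1": "00:11:22:33:44:55"},
    router_ports={"Gi1/0/1"},
    prefixes={ip_network("2001:db8:1::/64")},
    rdnss={"2001:db8:1::53"},
)
GOOD = RouterAdvertisement("fe80::1", "00:11:22:33:44:55", "Gi1/0/1", 255,
                           ("2001:db8:1::/64",), ("2001:db8:1::53",), 1800)
ROGUE = RouterAdvertisement("fe80::bad", "de:ad:be:ef:00:01", "Gi1/0/24", 255,
                            ("2001:db8:1::/64",), ("2001:db8:66::53",), 1800)

if __name__ == "__main__":
    for name, ra in (("good", GOOD), ("rogue", ROGUE)):
        print(name, ra_guard_verdict(ra, POLICY))
        for line in check_ra(ra, POLICY):
            print("  ", line)
```

    The rogue RA in the sample trips three rules at once (untrusted port, unknown router, unexpected DNS server), which is typical of the slide 23 scenario: the attacker advertises a plausible prefix but has to hand out its own resolver to redirect traffic.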
  • 26. IPv6: Threat Mitigation Tools
    – SeND (RFC3971): uses cryptography to secure NDP messages, with CGAs and a set of NDP options
    – CGA (cryptographically generated address): a CGA associates a public key with an IPv6 address (RSA Signature option)
    – The node computes the interface ID using a hash function over the node's public key and appends it to the IPv6 prefix, giving the CGA
  • 27. IPv6: Threat Mitigation Tools
    – SeND (RFC3971): the receiver recomputes the hash and compares it with the interface ID, which verifies the public key binding
    – Messages sent from a CGA address can be protected by attaching the public key and signing the message with the private key
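    The hash binding described on slides 26 and 27, generation on the sender and recomputation on the receiver, as an added example that is not code from the deck or from any SeND implementation. It follows the RFC3972 layout of the CGA Parameters structure (16-byte modifier, 8-byte subnet prefix, 1-byte collision count, encoded public key) and the Hash1 rule (leftmost 64 bits of SHA-1, sec written into the top three bits, u/g bits cleared), but only for sec = 0: the Hash2 modifier search that makes higher sec values expensive to forge is deliberately left out, and the "public key" is a placeholder byte string standing in for a DER-encoded RSA key, since the RSA Signature option itself needs a library the standard library does not provide.

```python
import hashlib
import os
from ipaddress import IPv6Address


def cga_params(modifier, subnet_prefix, collision_count, pubkey_der):
    """CGA Parameters (RFC3972 section 3): modifier (16 bytes) || subnet prefix (8 bytes)
    || collision count (1 byte) || encoded public key."""
    if len(modifier) != 16 or len(subnet_prefix) != 8 or not 0 <= collision_count <= 2:
        raise ValueError("bad CGA parameters")
    return modifier + subnet_prefix + bytes([collision_count]) + pubkey_der


def interface_id(params, sec):
    """Hash1 = SHA-1(params). Take the leftmost 64 bits, write sec into bits 0-2 and
    clear the u and g bits (bits 6 and 7 of the first byte)."""
    hash1 = hashlib.sha1(params).digest()[:8]
    first = (sec << 5) | (hash1[0] & 0x1C)
    return bytes([first]) + hash1[1:]


def generate_cga(subnet_prefix, pubkey_der, modifier=None):
    """Sender side (sec = 0 only, an assumed simplification): bind the key to an address.
    Returns (16-byte address, params) since the receiver needs the params to verify."""
    modifier = os.urandom(16) if modifier is None else modifier
    params = cga_params(modifier, subnet_prefix, 0, pubkey_der)
    return subnet_prefix + interface_id(params, sec=0), params


def verify_cga(address, params):
    """Receiver side: recompute Hash1 from the advertised parameters and compare it with
    the interface identifier. True means the public key in params belongs to address."""
    if len(address) != 16 or len(params) < 25:
        return False
    if params[16:24] != address[:8]:        # subnet prefix in params must match the address
        return False
    if params[24] > 2:                      # collision count is 0, 1 or 2
        return False
    sec = address[8] >> 5
    if sec != 0:                            # Hash2 check for sec > 0 is not implemented here
        return False
    return interface_id(params, sec) == address[8:]


def public_key_from_params(params):
    """The key the receiver would then use to check the RSA Signature option."""
    return params[25:]


def as_text(address):
    return str(IPv6Address(address))


# Constructed inputs: documentation prefix 2001:db8:1::/64 and a placeholder key blob
PREFIX = bytes.fromhex("20010db800010000")
KEY = b"placeholder: DER-encoded RSA public key would go here"

if __name__ == "__main__":
    addr, params = generate_cga(PREFIX, KEY)
    print("CGA:", as_text(addr))
    print("verifies:", verify_cga(addr, params))
    print("forged key verifies:", verify_cga(addr, cga_params(params[:16], PREFIX, 0, b"other key")))
```

    The point the slides make is visible in the last line: an attacker who wants to answer for this address has to present parameters that hash to its interface ID, and with SHA-1 over 64 bits that is what makes the binding, and the signature checked with the extracted key, trustworthy.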
  • 28. IPv6: What Else?
    – Viruses/Worms: is IPv6 any more secure against them? IMs, emails and everything higher up the stack are still the same
    – Train your people
    – Assess your network: security nodes must understand IPv6
    – Do what you did for IPv4 traffic with IPv6: ACLs/filters; harden hosts and applications; use cryptographic protections where necessary/critical
  • 29. References:
    – https://www.first.org/resources/papers/conf2015/first_2015-herberg-frank_ipv6-security_20150618.pdf
    – https://tools.ietf.org/html/rfc2460
    – https://tools.ietf.org/html/rfc7112
    – https://tools.ietf.org/html/rfc7113
    – https://tools.ietf.org/html/rfc8200
    – https://labs.ripe.net/Members/ahmad_alsadeh/isend
    – https://blog.compass-security.com/wp-content/uploads/2015/01/ipv6_secure_neighbor_discovery_1.2.pdf