IPv6 Security
Scott Hogg
Global Technology Resources, Inc.
Director of Technology Solutions
CCIE #5133, CISSP #4610
IPv6 Security – Latent Threat
• Even if you haven’t started using IPv6 yet, you probably have
some IPv6 running on your networks already and didn’t know it.
• Do you use Linux, Mac OS X, BSD, or Microsoft Windows
7/8/Win2K8/Win2012 systems in your environment?
• They all come with IPv6 capability enabled by default and prefer IPv6
connectivity
• They may try IPv6 first and then fall back to IPv4 (with or without Happy
Eyeballs, RFC 6555)
• Or they may create IPv6-in-IPv4 tunnels to Internet resources to reach
IPv6 content
• Some of these techniques take place regardless of user input or
configuration
• If you are not protecting your IPv6 nodes, you have allowed a huge
back door to exist
IPv6 Security Tools
• THC IPv6 Attack Toolkit
• SI6 Networks IPv6 Toolkit
• Evil FOCA
• Metasploit
• Nmap
• halfscan6, Scan6, CHScanner
• Scapy, SendIP, ISIC6, Packit, Spak6
• 6tunneldos, 4to6ddos, imps6-tools
Reconnaissance
• Ping sweeps, port scans, application vulnerability scans are
problematic given the large IPv6 address space.
• Brute-force scanning even a single /64 is not practical.
• There are methods of speeding up reconnaissance on the LAN.
• ping6 -I eth0 ff02::1
• [root@hat ~]# ./alive6 eth0 ff02::1
• Node Information Queries (RFC 4620) in BSD
• Scanning for specific EUI-64 addresses using specific OUIs
• Scanning IPv4 and getting IPv6 info
• Metasploit Framework “ipv6_neighbor” auxiliary module can leverage IPv4
to find IPv6 hosts
• Scanning 6to4, ISATAP, Teredo with embedded IPv4 addresses
• Find one node and leverage the neighbor cache to find other nodes
• DHCPv6 logs, DNS servers, server logs, NMSs, Google Hacking
LAN Threats
• IPv6 uses ICMPv6 for many LAN operations
• Stateless auto-configuration (SLAAC)
• Neighbor Discovery Protocol (NDP)
• IPv6 equivalent of IPv4 ARP – same attack types
• Spoofed RAs can renumber hosts or launch a MITM attack
• Forged NA/NS messages to confuse NDP
• Redirects – same as ICMPv4 redirects
• Forcing nodes to believe all addresses are on-link
• These attacks presume the attacker is on-net or has
compromised a local computer (Big Requirement!)
IPv6 MITM Example
• Evil FOCA is a weaponized Windows .EXE that can
perform dual-protocol MITM and DoS attacks and
DNS hijacking (released at DEF CON 21)
• Sends ICMPv6 RA on LAN (SLAAC)
• Activates IPv6 on local dual-protocol nodes
• Evil FOCA becomes active default gateway
• Sends ICMPv6 NA to spoof local nodes
• Sets up rogue DHCPv6 server
• Performs WPAD attack and sets up proxy
• Performs DNS Hijack
• Can perform an RA flood resulting in DoS
Download at: http://www.informatica64.com/evilfoca/download.aspx
Demo on YouTube: http://www.youtube.com/watch?v=syLoQ4CNfSc
Evil FOCA IPv6 MITM Attack
Evil FOCA IPv6 RA DOS
C:\Users\Me>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 15c2:8297:e614:f45:bc4a:58b9:e948:33c6
. . . (100 of these in Windows 7)
IPv6 Address. . . . . . . . . . . : fcae:a581:9bcb:e6bc:bc4a:58b9:e948:33c6
Temporary IPv6 Address. . . . . . : 15c2:8297:e614:f1f:1ce1:d49d:2ec8:e924
. . . (100 of these in Windows 7)
Temporary IPv6 Address. . . . . . : fcae:a581:9bcb:e6bc:1ce1:d49d:2ec8:e924
Link-local IPv6 Address . . . . . : fe80::bc4a:58b9:e948:33c6%10
IPv4 Address. . . . . . . . . . . : 192.168.11.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::7888:860e:5352:5fec%10
                                    fe80::8d99:1bc3:6f7a:5cf9%10
                                    . . . fe80::a0cf:f7ad:821b:3343%10
                                    192.168.11.1
C:\Users\Me>
THC IPv6 Attack Toolkit
• THC IPv6 Attack Toolkit contains fake_router6
• Generates rogue RA to become default router
• Option -H adds a hop-by-hop header
• fake_router6 -H eth0 2001:db8:11:11::/64
• Option -F adds a one-shot-fragmentation header
• fake_router6 -F eth0 2001:db8:11:11::/64
• flood_router26 floods RAs to create a DoS
• flood_router26 eth0
• fake_router26 -E H -A 2001:db8:1:1::/64 eth0
• fake_router26 -E 1 -A 2001:db8:1:1::/64 eth0
Download at: http://thc.org/download.php?t=r&f=thc-ipv6-2.3.tar.gz
Methods of Preventing Rogue RAs
• Prevent unauthorized LAN access (armed guards, malware defenses)
• Disable unused switch ports
• Network Access Control (NAC), Network Admission Control (NAC)
• IEEE 802.1AE (MACsec), Cisco TrustSec
• IEEE 802.1X
• RA Guard (RFC 6105)
• NDPMon
• Ramond
• Kame rafixd
• ipv6mon
• 6Guard
• addrwatch
• Port Security
• Cisco Port-based ACL (PACL)
[Diagram: RA Guard on the access switch – host ports “Block Incoming RA Message”, the uplink port “Allow Incoming RA Message”, the router “Allow Sending RAs”]
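Added example (not code from this deck or from any of the tools listed): a small detector in the spirit of NDPMon or ramond that parses an ICMPv6 Router Advertisement and compares the sending router and its advertised prefixes against an allowlist. The sample RAs are constructed inside the block; the known-router address fe80::1 is an assumption, the good prefix and MAC are the deck's own sample values, and the rogue RA reuses the fake_router6 prefix above.

```python
"""Rogue RA detector: parse an ICMPv6 Router Advertisement and compare it
against an allowlist of known routers and prefixes (what NDPMon/ramond do)."""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5


def parse_ra(payload: bytes) -> dict:
    """Parse the ICMPv6 payload of an RA (RFC 4861 section 4.2) and its options."""
    if len(payload) < 16:
        raise ValueError("too short for a Router Advertisement")
    typ, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other": bool(flags & 0x40), "router_lifetime": lifetime,
          "src_mac": None, "mtu": None, "prefixes": []}
    off = 16
    while off < len(payload):
        # RFC 4861: a zero-length option means the whole packet must be discarded
        if off + 2 > len(payload) or payload[off + 1] == 0:
            raise ValueError("malformed option")
        otype, end = payload[off], off + payload[off + 1] * 8
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        body = payload[off + 2:end]
        if otype == OPT_SRC_LLADDR and len(body) == 6:
            ra["src_mac"] = body.hex(":")
        elif otype == OPT_PREFIX_INFO and len(body) == 30:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        elif otype == OPT_MTU and len(body) == 6:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        off = end
    return ra


def check_ra(src_ip: str, ra: dict, known_routers: set, known_prefixes: set) -> list:
    """Return alert strings; an empty list means the RA matches the allowlist."""
    src = ipaddress.IPv6Address(src_ip)
    alerts = []
    if not src.is_link_local:
        alerts.append(f"RA source {src} is not link-local (violates RFC 4861)")
    if src not in {ipaddress.IPv6Address(r) for r in known_routers}:
        alerts.append(f"RA from unknown router {src} (MAC {ra['src_mac']})")
    for p in ra["prefixes"]:
        if p["prefix"] not in known_prefixes:
            alerts.append(f"unknown prefix {p['prefix']} advertised by {src}")
    return alerts


def build_sample_ra(prefix: str, mac: bytes) -> bytes:
    """Constructed sample RA (not a capture); the checksum is left as zero."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    sll = struct.pack("!BB6s", OPT_SRC_LLADDR, 1, mac)
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0, net.network_address.packed)
    mtu = struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    return hdr + sll + pio + mtu


if __name__ == "__main__":
    routers, prefixes = {"fe80::1"}, {"2001:db8:12::/64"}   # assumed allowlist
    good = build_sample_ra("2001:db8:12::/64", bytes.fromhex("5cff340af93d"))
    print(check_ra("fe80::1", parse_ra(good), routers, prefixes))
    rogue = build_sample_ra("2001:db8:11:11::/64", bytes.fromhex("000000000001"))
    for alert in check_ra("fe80::bad", parse_ra(rogue), routers, prefixes):
        print("ALERT:", alert)
```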
IPv6 First Hop Security
• Cisco C3750X switch running IOS version 15.2(1)S
ipv6 nd cache interface-limit 3 log 15
ipv6 nd raguard policy HOST
!
ipv6 snooping logging packet drop
ipv6 snooping logging resolution-veto
ipv6 snooping policy ND
 limit address-count 10
 data-glean log-only
 destination-glean log-only
!
ipv6 dhcp guard policy HOST
ipv6 destination-guard policy destination
ipv6 mld snooping
IPv6 First Hop Security (Cont.)
• Cisco C3750X switch running IOS version 15.2(1)S
interface GigabitEthernet2/0/1
 switchport access vlan 1200
 switchport mode access
 ipv6 nd raguard attach-policy HOST
 ipv6 dhcp guard attach-policy HOST
!
interface Vlan1200
 ip address 192.168.12.100 255.255.255.0
 ipv6 enable
 ipv6 nd cache interface-limit 3 log 15
!
ipv6 neighbor binding logging
ipv6 neighbor binding max-entries 100
ipv6 neighbor binding vlan 1200 2001:DB8:12::/64
IPv6 First Hop Security Results
• Switch successfully blocked RAs and rogue DHCPv6
Mar 30 06:37:31.743: %SISF-4-PAK_DROP: Message dropped A=FE80::AC7F:B2F8:DCB8:F739 G=- V=1200 I=Gi2/0/2 P=NDP::RA Reason=Packet not authorized on port
Mar 30 06:38:06.572: %SISF-4-PAK_DROP: Message dropped A=FE80::1EDF:FFF:FEBB:8944 G=- V=1200 I=Gi2/0/2 P=NDP::NA Reason=Packet accepted but not forwarded
Mar 30 06:23:35.902: %SISF-4-PAK_DROP: Message dropped A=2001:DB8:1:3::1 G=- V=1200 I=Gi2/0/1 P=NDP::NA Reason=Address limit per policy reached
Mar 30 06:38:06.572: %SISF-6-ENTRY_CREATED: Entry created A=FE80::1EDF:FFF:FEBB:8944 V=1200 I=Gi2/0/2 P=0005 M=5CFF.340A.F93D
Mar 30 06:19:38.370: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed per policy (10) V=1200 I=Gi2/0/1 M=3C97.0E86.74AD
!
Mar 30 06:38:42.201: %SISF-4-PAK_DROP: Message dropped A=FE80::45B4:32FF:FE67:53 G=- V=100 I=Et0/0 P=NDP::NA Reason=Advertise while TENTATIVE
Mar 30 06:38:45.923: %SISF-6-ENTRY_CREATED: Entry created A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/0 P=0005 M=
Mar 30 06:38:52.523: %SISF-6-ENTRY_CHANGED: Entry changed A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/0 P=0005 M=
Mar 30 06:38:58.471: %SISF-6-ENTRY_CHANGED: Entry changed A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/3 P=0005 M=45B4.3267.0053
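Added example (not part of the deck): a parser for the %SISF syslog lines above that tallies drops per port and reports the sources of RAs that RA Guard blocked, the kind of logic a SIEM rule for this switch would carry. The sample lines are the deck's own log lines, written out whole; the drop threshold is an assumed policy knob.

```python
"""Parser for Cisco %SISF syslog lines (IPv6 snooping, RA Guard, DHCPv6 Guard)
that tallies drops per port and reports the sources of blocked RAs."""
import re
from collections import Counter

SISF_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:.]+): %SISF-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$")
FIELD_RE = re.compile(r"\b([A-Z])=(\S*)")   # A=address G=gateway V=vlan I=port P=proto M=mac
REASON_RE = re.compile(r"Reason=(.*)$")

# Sample lines copied from the switch log shown above (whole lines, not wrapped).
SAMPLE_LINES = [
    "Mar 30 06:37:31.743: %SISF-4-PAK_DROP: Message dropped A=FE80::AC7F:B2F8:DCB8:F739 G=- V=1200 I=Gi2/0/2 P=NDP::RA Reason=Packet not authorized on port",
    "Mar 30 06:38:06.572: %SISF-4-PAK_DROP: Message dropped A=FE80::1EDF:FFF:FEBB:8944 G=- V=1200 I=Gi2/0/2 P=NDP::NA Reason=Packet accepted but not forwarded",
    "Mar 30 06:23:35.902: %SISF-4-PAK_DROP: Message dropped A=2001:DB8:1:3::1 G=- V=1200 I=Gi2/0/1 P=NDP::NA Reason=Address limit per policy reached",
    "Mar 30 06:38:06.572: %SISF-6-ENTRY_CREATED: Entry created A=FE80::1EDF:FFF:FEBB:8944 V=1200 I=Gi2/0/2 P=0005 M=5CFF.340A.F93D",
    "Mar 30 06:19:38.370: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed per policy (10) V=1200 I=Gi2/0/1 M=3C97.0E86.74AD",
    "Mar 30 06:38:45.923: %SISF-6-ENTRY_CREATED: Entry created A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/0 P=0005 M=",
]


def parse_sisf(line: str):
    """Return a dict (ts, sev, mnemonic, fields, reason) or None for non-SISF lines."""
    m = SISF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    msg = rec.pop("msg")
    reason = REASON_RE.search(msg)
    rec["reason"] = reason.group(1).strip() if reason else None
    # The key=value fields precede the free-text Reason, so cut it off before scanning.
    rec["fields"] = dict(FIELD_RE.findall(msg[:reason.start()] if reason else msg))
    return rec


def summarise(lines, drop_threshold: int = 1) -> dict:
    """Tally PAK_DROP events by (port, message type, reason) and derive findings."""
    drops, ra_sources, findings = Counter(), {}, []
    for line in lines:
        rec = parse_sisf(line)
        if rec is None:
            continue
        f = rec["fields"]
        if rec["mnemonic"] == "PAK_DROP":
            drops[(f.get("I"), f.get("P"), rec["reason"])] += 1
            if f.get("P") == "NDP::RA":      # RA Guard fired: a rogue or misplaced router
                ra_sources.setdefault(f.get("I"), set()).add(f.get("A"))
        elif rec["mnemonic"] == "ENTRY_MAX_ORANGE":
            findings.append(f"{f.get('I')} vlan {f.get('V')}: near the per-policy "
                            f"address limit, last MAC {f.get('M')}")
    for port, srcs in ra_sources.items():
        findings.append(f"{port}: rogue RA source(s) {', '.join(sorted(srcs))}")
    for (port, proto, reason), n in sorted(drops.items()):
        if n >= drop_threshold:
            findings.append(f"{port}: {n} x {proto} dropped ({reason})")
    return {"drops": drops, "findings": findings}


if __name__ == "__main__":
    for finding in summarise(SAMPLE_LINES)["findings"]:
        print(finding)
```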
IPv6 First Hop Security Results
• Switch successfully blocked RAs and rogue DHCPv6
Switch-1# show ipv6 snoop counter interface gigabitethernet 2/0/2
Received messages on Gi2/0/2:
  Protocol    Protocol message
  NDP         RA[14734]
  DHCPv6      SOL[191] ADV[1]
Bridged messages from Gi2/0/2:
  Protocol    Protocol message
  NDP
  DHCPv6      SOL[191]
Dropped messages on Gi2/0/2:
  Feature      Protocol   Msg [Total dropped]
  DHCP Guard   DHCPv6     ADV [1]
    reason: Message type is not authorized by the policy on this port, device-role mismatch [1]
  RA guard     NDP        RA [14734]
    reason: Message unauthorized on port [14734]
Switch-1#
IPv6 First Hop Security Results
• Switch successfully blocked RAs and rogue DHCPv6
Switch-1# show ipv6 snoop counter interface gigabitethernet 2/0/1
Received messages on Gi2/0/1:
  Protocol    Protocol message
  NDP         RS[11] RA[2794] NS[51] NA[7031]
  DHCPv6      SOL[142]
Bridged messages from Gi2/0/1:
  Protocol    Protocol message
  NDP         RS[11] NS[50] NA[15]
  DHCPv6      SOL[142]
Dropped messages on Gi2/0/1:
  Feature      Protocol   Msg [Total dropped]
  RA guard     NDP        RA [2794]
    reason: Message unauthorized on port [2794]
  Snooping     NDP        NS [1]
    reason: Packet accepted but not forwarded [1]
                          NA [7016]
    reason: Address limit per policy reached [7007]
    reason: Packet accepted but not forwarded [9]
Switch-1#
IPv6 FHS with IPv6 ACL
• If you don’t have RA Guard on your switch you might be
able to configure a Cisco IPv6 Port-based ACL (PACL)
  ipv6 access-list IPV6_PACL
   remark Deny Rogue DHCPv6
   deny udp any eq 547 any eq 546
   remark Deny Rogue RA
   deny icmp any any router-advertisement
   permit ipv6 any any
  !
  interface GigabitEthernet 1/2
   ipv6 traffic-filter IPV6_PACL in
Extension Headers
• There are rules for the frequency and order of various
extension headers
• Hop-by-Hop and Destination Options
• Header Manipulation – Crafted Packets
• Large chains of extension headers
• Separate payload into second fragment
• Consume resources - DoS
• Invalid Extension Headers – DoS
• Routing Headers Type 0 – source routing
• Routers can be configured to block RH0
• This is now the default on newer routers
• Firewalls, Windows, Linux and Mac OS X all block RH0 by
default
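Added example (not from the deck): a validator that walks the extension-header chain of one IPv6 packet and reports the manipulations listed above, the checks a firewall or IPS would apply before accepting a packet. The test packets are constructed in the block; the maximum chain length is an assumed policy setting, and the RFC 7112 check treats any first fragment that ends before its upper-layer header as a violation.

```python
"""Extension-header chain validator: walks the next-header chain of one IPv6
packet and reports RH0, Hop-by-Hop out of place, over-long or repeated chains,
and a header chain that is not finished inside the first fragment."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY}
MAX_CHAIN = 3   # policy knob (assumption): more extension headers than this is reported


def check_header_chain(pkt: bytes, max_chain: int = MAX_CHAIN) -> list:
    """Return findings for one IPv6 packet; an empty list means the chain passed."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    findings, seen = [], []
    nh, off, first_fragment = pkt[6], 40, False

    def truncated():   # RFC 7112: the whole header chain must fit in the first fragment
        return ("header chain not contained in first fragment (RFC 7112)"
                if first_fragment else "truncated extension header")

    while nh in EXT_HEADERS:
        if nh == ESP:                     # encrypted from here on; nothing more to walk
            seen.append(nh)
            break
        if off + 8 > len(pkt):            # every cleartext EH is at least 8 octets
            return findings + [truncated()]
        seen.append(nh)
        if nh == HOP_BY_HOP and off != 40:
            findings.append("Hop-by-Hop header not directly after the IPv6 header")
        if nh == ROUTING and pkt[off + 2] == 0:
            findings.append("Routing Header Type 0 (deprecated source routing, RFC 5095)")
        if nh == FRAGMENT:                # fixed 8 octets: NH, reserved, offset/M, identification
            frag_off, more = (pkt[off + 2] << 8 | pkt[off + 3]) >> 3, pkt[off + 3] & 1
            nh, off = pkt[off], off + 8
            if frag_off:                  # non-first fragment: what follows is payload
                break
            first_fragment = bool(more)
            continue
        hlen = (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            return findings + [truncated()]
        nh, off = pkt[off], off + hlen
    if first_fragment and nh not in EXT_HEADERS and off >= len(pkt):
        findings.append(truncated())      # upper-layer header pushed into fragment 2
    if len(seen) > max_chain:
        findings.append(f"{len(seen)} extension headers exceeds policy max {max_chain}")
    for h in sorted(set(seen)):
        if seen.count(h) > (2 if h == DEST_OPTS else 1):
            findings.append(f"extension header type {h} repeated")
    return findings


def build_packet(headers: list, upper: int = 6, payload: bytes = b"\x00" * 20) -> bytes:
    """Constructed test packet (not a capture): headers = [(type, octets after the NH byte)]."""
    body = b""
    for i, (_htype, rest) in enumerate(headers):
        body += bytes([headers[i + 1][0] if i + 1 < len(headers) else upper]) + rest
    body += payload
    first = headers[0][0] if headers else upper
    src, dst = bytes.fromhex("20010db8" + "0" * 24), bytes.fromhex("20010db8" + "0" * 23 + "1")
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), first, 64, src, dst) + body


# Header bodies (everything after the Next Header octet); each makes an 8-octet header.
OPTS = b"\x00\x01\x04\x00\x00\x00\x00"        # ext len 0 + one PadN option
RH0 = b"\x00\x00\x01\x00\x00\x00\x00"         # ext len 0, routing type 0, segments left 1
FRAG_FIRST = b"\x00\x00\x01\x00\x00\x00\x01"  # offset 0, M=1, identification 1

if __name__ == "__main__":
    print(check_header_chain(build_packet([(HOP_BY_HOP, OPTS)])))
    print(check_header_chain(build_packet([(ROUTING, RH0)])))
    print(check_header_chain(build_packet([(FRAGMENT, FRAG_FIRST), (DEST_OPTS, OPTS)], payload=b"")))
```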
Layer-3/4 Spoofing
• Spoofing of IPv6 packets is easy
• IPv6 bogon (martian) filtering is required
• Filter traffic from unallocated space and filter router
advertisements of bogus prefixes
• Permit Legitimate Global Unicast Addresses
• Unicast Reverse Path Forwarding (Unicast-RPF)
• Don’t block FF00::/8 or FE80::/10 – doing so breaks NDP (NS/NA)
• Hierarchical addressing and ingress/egress filtering can
catch packets with forged source addresses
• Tracebacks may prove to be easier with IPv6
Transition Mechanism Threats
• Dual Stack is the preferred transition method.
• You are only as strong as the weakest of the two stacks.
• Running dual stack will give you at least twice the number of
vulnerabilities and require almost twice the work to secure.
Threats Against Translation
• Manual Tunnels
• Preferred over dynamic tunnels
• Filter tunnel source/destination and use IPsec
• If an attacker spoofs a tunnel endpoint, return traffic is not sent to the attacker
• Dynamic Tunnels
• 6to4 Relay routers are “open relays”
• Attackers can guess 6to4 addresses easily
• ISATAP is exposed to potential MITM attacks
• Attackers can spoof source/dest IPv4/v6 addresses
• Translation techniques are susceptible to DoS attacks
• NAT prevents IPsec, DNSSEC, Geolocation and other applications
from working
• Consuming connection state (CPU resource consumption attack
on ALG)
• Consuming public IPv4 pool and port numbers (pool depletion
attack)
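Added example (not from the deck), serving both the Layer-3/4 spoofing slide and the tunnel threats above: ingress classification of an IPv6 source address into bogon, global unicast, the NDP ranges that must stay open, and the 6to4, Teredo and ISATAP forms whose embedded IPv4 addresses identify the transition mechanism, so that unused mechanisms can be denied. The addresses are constructed samples; the bogon list is a deliberately minimal assumption (production filtering uses a maintained bogon feed, which would also cover the documentation prefix 2001:db8::/32 used here as a plain global sample).

```python
"""Ingress classification for IPv6 source addresses: bogon vs global unicast,
the NDP ranges that must stay open, and the transition mechanisms (6to4,
Teredo, ISATAP) whose embedded IPv4 addresses give the tunnel away."""
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")
# Minimal bogon list inside 2000::/3 (assumption: production uses a maintained feed).
BOGONS_IN_GLOBAL = [ipaddress.IPv6Network("2001:10::/28")]   # ORCHID, deprecated
TRANSITIONS = ("6to4", "teredo", "isatap")


def classify(addr: str) -> tuple:
    """Return (category, detail); categories are link-local, multicast,
    6to4, teredo, isatap, global and bogon."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:                      # FE80::/10: NDP source addresses
        return ("link-local", None)
    if a.is_multicast:                       # FF00::/8: solicited-node, all-nodes, ...
        return ("multicast", None)
    if a in SIXTOFOUR:                       # 2002:V4ADDR::/48
        return ("6to4", str(a.sixtofour))
    if a in TEREDO:                          # server v4 in bits 32-63, client v4 XOR-obfuscated at the end
        server, client = a.teredo
        return ("teredo", f"server={server} client={client}")
    iid = a.packed[8:16]                     # ISATAP interface ID: [0|2]00:5efe:V4ADDR
    if iid[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return ("isatap", str(ipaddress.IPv4Address(iid[4:])))
    if a not in GLOBAL_UNICAST or any(a in b for b in BOGONS_IN_GLOBAL):
        return ("bogon", None)               # ::/8, ULA fc00::/7, unallocated, ...
    return ("global", None)


def ingress_decision(addr: str, transitions_in_use=frozenset()) -> str:
    """Perimeter filter verdict for a packet with this source address."""
    category, _ = classify(addr)
    if category in ("link-local", "multicast"):
        return "permit"        # never block FF00::/8 or FE80::/10: NDP needs them
    if category == "global":
        return "permit"
    if category in TRANSITIONS:              # deny transition techniques not in use
        return "permit" if category in transitions_in_use else "drop"
    return "drop"              # bogon


if __name__ == "__main__":
    for sample in ("2002:c000:204::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "2001:db8:1::5efe:c000:201", "fc00::1", "fe80::1", "2001:db8::1"):
        print(sample, classify(sample), ingress_decision(sample, {"6to4"}))
```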
IPv6 Firewalls
• Don’t just use your IPv4 policy for your IPv6 policy.
• Don’t blindly allow IPsec or IPv4 Protocol 41 (6in4 tunneled
traffic) through the firewall unless you know the tunnel
endpoints
• Firewalls have improved their IPv6 capabilities: IPv6
addresses in the GUI, some logs, the ability to filter on extension
headers, fragmentation, PMTUD, and granular filtering of
ICMPv6 and multicast.
• IPv6 firewalls may not have the full feature set of
IPv4 firewalls
• UTM/DPI/IPS/WAF/content filtering features may only
work for IPv4.
IPv6 Intrusion Prevention
• Few signatures exist for IPv6 packets or you have to build
your own using cryptic regular expressions or byte-offset
values.
• IPSs should alert when non-conforming IPv6 packets are
observed: faulty parameters, bad extension headers, or a
multicast source address.
• Many IPSs don’t inspect packets that are encapsulated
(6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite).
• IPv6 support varies greatly in modern IPS systems.
• Talk with your vendor about what you need.
Summary of BCPs
• Perform IPv6 filtering at the perimeter (RFC 2827 filtering
and Unicast RPF checks).
• Use manual tunnels (with IPsec whenever possible) instead
of dynamic tunnels and deny packets for transition
techniques not used.
• Use common access-network security measures (IPv6 FHS
techniques, RA Guard, 802.1X, disabling unused switch ports,
Ethernet port security, MACsec/TrustSec).
• Strive to achieve equal protections for IPv6 as with IPv4.
• Continue to let vendors know what you expect in terms of
IPv6 security features.
RTFM – Read This Fine Manuscript
• IPv6 Security, By Scott Hogg and Eric Vyncke,
Cisco Press, 2009.
ISBN-10: 1-58705-594-5
ISBN-13: 978-1-58705-594-2
Questions and Answers
• Scott Hogg
• shogg@gtri.com
• www.hoggnet.com
• Twitter: @scotthogg
• Network World Blog
• http://www.networkworld.com/community/hogg
• Rocky Mountain IPv6 Task Force
• www.rmv6tf.org

IPv6 Security - Hacker Halted 2013
