![MYTH:
CONFIGURE IPV6 FILTERS SAME AS IPV4
REALITY:
DHCPV6 && ND INTRODUCE NUANCE
• Neighbor Discovery uses ICMP
• DHCPv6 message exchange:
• Solicit: [your link local]:546 -> [ff02::1:2]:547
• Advertise: [upstream link local]:547 -> [your link local]:546
• and two more packets, both between your link locals.
CHRIS GRUNDEMANN
1/13/2014
32](https://image.slidesharecdn.com/ipv6securitymyths-sanog-xviii-jan2014-140114000842-phpapp01/75/Security-in-an-IPv6-World-Myth-Reality-32-2048.jpg)
![REALITY: EXAMPLE FIREWALL FILTER (MIKROTIK)
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Not just ping - ND runs over icmp6.
chain=input action=accept protocol=icmpv6 in-interface=ether1-gateway
1 chain=input action=accept connection-state=established in-interface=ether1-gateway
2 ;;; related means stuff like FTP-DATA
chain=input action=accept connection-state=related in-interface=ether1-gateway
3 ;;; for DHCP6 advertisement (second packet, first server response)
chain=input action=accept protocol=udp src-address=fe80::/16 dst-address=fe80::/16
in-interface=ether1-gateway dst-port=546
4 ;;; ssh to this box for management (note non standard port)
chain=input action=accept protocol=tcp dst-address=[myaddr]/128 dst-port=2222
5 chain=input action=drop in-interface=ether1-gateway
CHRIS GRUNDEMANN
1/13/2014
33](https://image.slidesharecdn.com/ipv6securitymyths-sanog-xviii-jan2014-140114000842-phpapp01/75/Security-in-an-IPv6-World-Myth-Reality-33-2048.jpg)
Uploaded byChris Grundemann
Security in an IPv6 World - Myth & Reality
The document addresses common myths surrounding IPv6 security, highlighting the reality that many systems and applications are already utilizing IPv6, which poses security risks even if a network is not actively using it. It dispels misconceptions about built-in security features and emphasizes that various vulnerabilities and attacks can affect IPv6 networks similar to IPv4. The talk advocates for proactive security measures and awareness of the unique attributes of IPv6 to ensure robust protection.
More Related Content
Similar to Security in an IPv6 World - Myth & Reality
Security in an IPv6 World - Myth & Reality
- 1. SECURITY IN ANIPv6 WORLD MYTH & REALITY SANOG XXIII – Thimphu, Bhutan – 14 January 2014 Chris Grundemann
- 2. WHO AM I? • “DO”Director @ Internet Society • CO ISOC Founding Chair • NANOG PC • RMv6TF Board • NANOG-BCOP Founder & Chair • IPv6 Author (Juniper Day One Books) • IETF Contributor (Homenet) • Past: ARIN, UPnP, DLNA, CEA… CHRIS GRUNDEMANN 1/13/2014 2
- 3. THIS TALK… • Aimsto debunk the most common IPv6 security myths • Is NOT a comprehensive look at IPv6 security practices CHRIS GRUNDEMANN 1/13/2014 3
- 4. Let’s get tobusting SOME MYTHS… CHRIS GRUNDEMANN 1/13/2014 4
- 5. MYTH: I’M NOT RUNNINGIPV6, I DON’T HAVE TO WORRY CHRIS GRUNDEMANN 1/13/2014 5
- 6. MYTH: I’M NOT RUNNINGIPV6, I DON’T HAVE TO WORRY REALITY: YOUR APPLICATIONS ARE USING IPV6 ALREADY • Linux, Mac OS X, BSD, and Microsoft Vista/Windows 7 systems all come with IPv6 capability, some even have IPv6 enabled by default (IPv6 preferred) • They may try to use IPv6 first and then fall-back to IPv4 • If you are not protecting your IPv6 nodes then you have just allowed a huge back-door to exist! CHRIS GRUNDEMANN 1/13/2014 6
- 7. MYTH: I’M NOT RUNNINGIPV6, I DON’T HAVE TO WORRY REALITY: YOUR USERS ARE USING IPV6 ALREADY 6to4 / Toredo CHRIS GRUNDEMANN 1/13/2014 7
- 8. MYTH: IPV6 HAS SECURITYDESIGNED IN CHRIS GRUNDEMANN 1/13/2014 8
- 9. MYTH: IPV6 HAS SECURITYDESIGNED IN REALITY: IPSEC IS NOT NEW • IPsec exists for IPv4 • IPsec mandates in IPv6 are no guarantee of security CHRIS GRUNDEMANN 1/13/2014 9
- 10. MYTH: IPV6 HAS SECURITYDESIGNED IN REALITY: IPV6 WAS DESIGNED 15-20 YEARS AGO CHRIS GRUNDEMANN 1/13/2014 10
- 11.
- 12. MYTH: IPV6 HAS SECURITYDESIGNED IN REALITY: • Routing Header Type 0 (RH0) – Source Routing • Deprecated in RFC 5095: The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic. CHRIS GRUNDEMANN 1/13/2014 12
- 13. MYTH: IPV6 HAS SECURITYDESIGNED IN REALITY: • Hop-by-Hop Options Header • Vulnerable to low bandwidth DOS attacks • Threat detailed in draft-krishnan-ipv6-hopbyhop CHRIS GRUNDEMANN 1/13/2014 13
- 14. MYTH: IPV6 HAS SECURITYDESIGNED IN REALITY: • Extension Headers are vulnerable in general • Large extension headers • Lots of extension headers • Invalid extension headers CHRIS GRUNDEMANN 1/13/2014 14
- 15. MYTH: IPV6 HAS SECURITYDESIGNED IN REALITY: • Rogue Router Advertisements (RAs) • Can renumber hosts • Can launch a Man In The Middle attack • Problem documented in RFC 6104 In this document, we summarise the scenarios in which rogue RAs may be observed and present a list of possible solutions to the problem. CHRIS GRUNDEMANN 1/13/2014 15
- 16. MYTH: IPV6 HAS SECURITYDESIGNED IN REALITY: • Forged Neighbor Discovery messages • ICMP Redirects – just like IPv4 redirects CHRIS GRUNDEMANN 1/13/2014 16
- 17. MYTH: IPV6 HAS SECURITYDESIGNED IN REALITY: MANY ATTACKS ARE ABOVE OR BELOW IP • Buffer overflows • SQL Injection • Cross-site scripting • E-mail/SPAM (open relays) CHRIS GRUNDEMANN 1/13/2014 17
- 18. MYTH: NO IPV6 NATMEANS LESS SECURITY CHRIS GRUNDEMANN 1/13/2014 18
- 19. MYTH: NO IPV6 NATMEANS LESS SECURITY REALITY: STATEFUL FIREWALLS PROVIDE SECURITY • NAT can actually reduce security CHRIS GRUNDEMANN 1/13/2014 19
- 20. MYTH: IPV6 NETWORKS ARETOO BIG TO SCAN CHRIS GRUNDEMANN 1/13/2014 20
- 21. MYTH: IPV6 NETWORKS ARETOO BIG TO SCAN REALITY: • SLAAC - EUI-64 addresses (well known OUIs) • Tracking! • DHCPv6 sequential addressing (scan low numbers) • 6to4, ISATAP, Teredo (well known addresses) • Manual configured addresses (scan low numbers, vanity addresses) • Exploiting a local node • ff02::1 - all nodes on the local network segment • IPv6 Node Information Queries (RFC 4620) • Neighbor discovery • Leveraging IPv4 (Metasploit Framework “ipv6_neighbor”) • IPv6 addresses leaked out by application-layer protocols (email) CHRIS GRUNDEMANN 1/13/2014 21
- 22. MYTH: IPV6 NETWORKS ARETOO BIG TO SCAN REALITY: PRIVACY ADDRESSES (RFC 4941) • Privacy addresses use MD5 hash on EUI-64 and random number • Often temporary – rotate addresses • Frequency varies • Often paired with dynamic DNS (firewall state updates?) • Makes filtering, troubleshooting, and forensics difficult • Alternative: Randomized DHCPv6 • Host: Randomized IIDs • Server: Short leases, randomized assignments CHRIS GRUNDEMANN 1/13/2014 22
- 23. MYTH: IPV6 IS TOONEW TO BE ATTACKED CHRIS GRUNDEMANN 1/13/2014 23
- 24. MYTH: IPV6 IS TOONEW TO BE ATTACKED REALITY: TOOLS ARE ALREADY AVAILABLE • THC IPv6 Attack Toolkit • IPv6 port scan tools • IPv6 packet forgery tools • IPv6 DoS tools CHRIS GRUNDEMANN 1/13/2014 24
- 25. MYTH: IPV6 IS TOONEW TO BE ATTACKED REALITY: BUGS AND VULNERABILITIES PUBLISHED • Vendors • Open source software CHRIS GRUNDEMANN 1/13/2014 25
- 26. MYTH: IPV6 IS TOONEW TO BE ATTACKED REALITY: SEARCH FOR “ SECURITYFOCUS.COM INURL:BID IPV6” CHRIS GRUNDEMANN 1/13/2014 26
- 27. MYTH: 96 MORE BITS,NO MAGIC (IT’S JUST LIKE IPV4) CHRIS GRUNDEMANN 1/13/2014 27
- 28. MYTH: 96 MORE BITS,NO MAGIC (IT’S JUST LIKE IPV4) REALITY: IPV6 ADDRESS FORMAT IS DRASTICALLY NEW • 128 bits vs. 32 bits • Hex vs. Decimal • Colon vs. Period • Multiple possible formats (zero suppression, zero compression) • Logging, grep, filters, etc. CHRIS GRUNDEMANN 1/13/2014 28
- 29. MYTH: 96 MORE BITS,NO MAGIC (IT’S JUST LIKE IPV4) REALITY: MULTIPLE ADDRESSES ON EACH HOST • Same host appears in logs with different addresses CHRIS GRUNDEMANN 1/13/2014 29
- 30. MYTH: 96 MORE BITS,NO MAGIC (IT’S JUST LIKE IPV4) REALITY: SYNTAX CHANGES • Training! CHRIS GRUNDEMANN 1/13/2014 30
- 31. MYTH: CONFIGURE IPV6 FILTERSSAME AS IPV4 CHRIS GRUNDEMANN 1/13/2014 31
- 32. MYTH: CONFIGURE IPV6 FILTERSSAME AS IPV4 REALITY: DHCPV6 && ND INTRODUCE NUANCE • Neighbor Discovery uses ICMP • DHCPv6 message exchange: • Solicit: [your link local]:546 -> [ff02::1:2]:547 • Advertise: [upstream link local]:547 -> [your link local]:546 • and two more packets, both between your link locals. CHRIS GRUNDEMANN 1/13/2014 32
- 33. REALITY: EXAMPLE FIREWALLFILTER (MIKROTIK) Flags: X - disabled, I - invalid, D - dynamic 0 ;;; Not just ping - ND runs over icmp6. chain=input action=accept protocol=icmpv6 in-interface=ether1-gateway 1 chain=input action=accept connection-state=established in-interface=ether1-gateway 2 ;;; related means stuff like FTP-DATA chain=input action=accept connection-state=related in-interface=ether1-gateway 3 ;;; for DHCP6 advertisement (second packet, first server response) chain=input action=accept protocol=udp src-address=fe80::/16 dst-address=fe80::/16 in-interface=ether1-gateway dst-port=546 4 ;;; ssh to this box for management (note non standard port) chain=input action=accept protocol=tcp dst-address=[myaddr]/128 dst-port=2222 5 chain=input action=drop in-interface=ether1-gateway CHRIS GRUNDEMANN 1/13/2014 33
- 34. MYTH: IT SUPPORTS IPV6 CHRISGRUNDEMANN 1/13/2014 34
- 35. MYTH: IT SUPPORTS IPV6 REALITY: ITPROBABLY DOESN’T • Detailed requirements (RFP) • RIPE-554 • Lab testing • Independent/outside verification CHRIS GRUNDEMANN 1/13/2014 35
- 36. MYTH: THERE ARE NOIPV6 SECURITY BCPS YET CHRIS GRUNDEMANN 1/13/2014 36
- 37. MYTH: THERE ARE NOIPV6 SECURITY BCPS YET REALITY: THERE ARE! • Perform IPv6 filtering at the perimeter • Use RFC2827 filtering and Unicast RPF checks throughout the network • Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used • Use common access-network security measures (NAC/802.1X, disable unused switch ports, Ethernet port security, MACSec/TrustSec) because SEND won’t be available any time soon • Strive to achieve equal protections for IPv6 as with IPv4 • Continue to let vendors know what you expect in terms of IPv6 security features CHRIS GRUNDEMANN 1/13/2014 37
- 38. MYTH: THERE ARE NOIPV6 SECURITY RESOURCES CHRIS GRUNDEMANN 1/13/2014 38
- 39. MYTH: THERE ARE NOIPV6 SECURITY RESOURCES REALITY: THERE ARE! • IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, 2009 • Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology • Search engines are your friend! CHRIS GRUNDEMANN 1/13/2014 39
- 40. THE REALITY OFDUAL-STACK • Two sets of filters • Two sets of bugs IPv4 CHRIS GRUNDEMANN IPv6 1/13/2014 40
- 41. THANK YOU! Gratitude andCredit: • • • • Scott Hogg – My IPv6 Security Guru Rob Seastrom – For the Mikrotik example The Internet – Lots of searching You – Thanks for listening! CHRIS GRUNDEMANN @ChrisGrundemann http://chrisgrundemann.com http://www.internetsociety.org/deploy360/ 1/13/2014 41
Editor's Notes
- #8 Manual TunnelsPreferred over dynamic tunnelsFilter tunnel source/destination and use IPsecIf spoofing, return traffic is not sent to attackerDynamic Tunnels6to4 Relay routers are “open relays”Attackers can guess 6to4 addresses easilyISATAP can have potential MITM attacksAttackers can spoof source/dest IPv4/v6 addressesDon’t blindly allow IPsec or IPv4 Protocol 41 (6in4 tunneled traffic) through the firewall unless you know the tunnel endpointsMany IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite)
- #10 In some other ways IPv6 in fact does support better security:that IPsec can be guaranteed to be supported fosters its use and propagation.The header design in IPv6 is better, leading to a cleaner division between encryption metadata and the encrypted payload, which some analysts consider has improved the IPsec implementation.
- #14 “The denial of service attack can be carried out by forming an IP datagram with a large number of TLV encoded options with random option type identifiers in the hop-by-hop options header.”All the ipv6 nodes on the path need to process the options in this headerThe option TLVs in the hop-by-hop options header need to be processed in orderA sub range of option types in this header will not cause any errors even if the node does not recognize them.There is no restriction as to how many occurences of an option type can be present in the hop-by-hop header.
- #16 Prevent unauthorized LAN accessDisable unused switch portsNetwork Access Control (NAC), Network Admission Control (NAC)IEEE 802.1AE (MACsec), Cisco TrustSecIEEE 802.1XRA Guard (RFC 6105)NDPMonRamondKame rafixdPort SecurityCisco Port-based ACL (PACL)
- #17 Both require LAN access – like rogue RAs
- #18 Both require LAN access – like rogue RAs
- #20 Translation techniques are susceptible to DoS attacksNAT prevents IPsec, DNSSEC, Geolocation and other applications from workingConsuming connection state (CPU resource consumption attack on ALG)Consuming public IPv4 pool and port numbers (pool depletion attack)
- #33 Don’t block FF00::/8 and FE80::/10 – these will block NDP
- #34 Rules 1 and 2 are stateful. 0 is absolutely necessary for ND to work.It might be a little liberal for some folks though - could be bolteddown tighter.Rule 3 is the one I put in so as to actually hear my reply.
- #36 Firewalls have improved their IPv6 capabilities, IPv6 addresses in the GUI, some logs, ability to filter on Extension Headers, Fragmentation, PMTUD, and granular filtering of ICMPv6 and multicastIPv6 firewalls may not have all the same full features as IPv4 firewallsUTM/DPI/IPS/WAF/content filtering features may only work for IPv4Many IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite)IPv6 support varies greatly in modern IPS systemsFew signatures exist for IPv6 packets or you have to build your own using cryptic regular expressions or byte-offset valuesFew Host-based IPS systems support IPv6Desktop AntiVirus software has gotten better at allowing ICMPv6 (RA/RS/NA/NS) packets throughHowever, there are still a handful of popular AV suites that don’t support IPv6There are many IPv6-capable host-based firewalls available depending on the OS you preferLinux: ip6tables (NetFilter), ipfWindows Firewall with Advanced SecurityBSD: pf, ipfw, ipfMac: ipfw, ipfSolaris, HP-UX : ipf
- #38 Many security standards don’t discuss IPv6. However, any guideline related to IP may apply to both versions – many policies are higher levelhttp://www.antd.nist.gov/usgv6/NIST SP 500-273: USGv6 Test Methods: General Description and ValidationGuidance for Labs, November 2009http://www.antd.nist.gov/usgv6/docs/NIST-SP-500-273.v2.0.pdfNIST SP 500-281: USGv6 Testing Program User’s GuideGuidance for vendors and purchasers, August 2010http://www.antd.nist.gov/usgv6/docs/NIST-SP-500-281-v1.3.pdf