SlideShare a Scribd company logo
1 of 27
Download to read offline
© 2010 Verizon. All Rights Reserved. PTEXXXXX XX/10
Thierry Zoller
Practice Lead EMEA / Threat and Vulnerability
May 20, 2011
IPv6
Common Vulnerabilities & Countermeasures
2
Agenda
•Who am I
– Zoller Thierry
– Professional Services / Practise Lead EMEA
•Agenda – Scope: Enterprise
– Crash course / Fundamental Changes
– Vulnerabilities and Countermeasures
– Changes to the Threat Landscape
– Best Practises
– Summary
– Q&A
Who in the audience has IPv6 “activated” inside
your corporate LAN at this moment ?
3
Quick Refresh on Changes
Primary changes
• IPv4
– 4 Octets / 32 Bit addressing
»4.294.967.296 addresses
»Example : 192.168.1.1
– DHCP / Broadcast
– Broadcast
– IPSEC hacked into
• IPv6
– 16 Octets / 128 bit addressing
»340.282.366.920.938.463.463.374.607.431.
768.211.456 Addresses
»Example: 2a01:2b3:4:a::1
– Stateless Auto Configuration (ICMP)
– Flexible Multicast (Groups) – Local only
– Mobility – keeps connections when
moving locations
– IPSEC build into (mandatory)
– Routers no longer fragment
• Typical Subnet : /64
– 4.294.967.296 * Size of the Internet
(2^64 = 18.446.744.073.709.551.616)
– Implications on “ping sweeps”
– (roughly dumb scans could take years to
finish)
4
The Basics
IP Header
Source: Cisco
• No Header Length
• No IPID
• No Checksum
• No Fragmentation field
• No Options
5
The Basics
Unicast IPv6 Address
• IPv6 IP Address
Local Identifier
• SLAAC (EUI-64) RFC 4291
• DHCP
• Automatic Random (Privacy
Extensions
• Assigned Manual
Used for routing
Advertised by the Router
6
The Basics
Multicast / Anycast / Unicast
•Unicast
– One destination
•Multicast
– All routers [FF02:0:0:0:0:0:0:2 ] Node-Local
– All DHCP servers [FF05:0:0:0:0:0:1:3 ] Link-Local
•Anycast - (All nodes in Subnet)
– “An IPv6 anycast address is an address that is assigned to more than one interface
(typically belonging to different nodes), with the property that a packet sent to an anycast
address is routed to the "nearest" interface having that address,
according to the routing protocols' measure of distance. “ RFC4291
7
IPv6
Examples of Protocol Vulnerabilities
IPv6 LAN
Procotol changes, Attacks &
Countermeasures
8
State of independent security research
• Has attracted interest from the Hacking community in the recent
years
• First dedicated Attack Toolkit released in 2005 (“THC IPv6 Attack
Toolkit”)
•General Tools available (scapy etc.)
•IPv6 used in Databreaches in early 2002 to camouflage traffic (lack
of inspection - more on that later)
9
Changes
Stateless Configuration
•IPv4 – DHCP / Broadcast
– “ I am new give me an IP address !” (Broadcast)
– “ I am your DHCP server here is the info”
•IPV6 – ICMPv6 / Multicast / (DHCP Optional)
– Clients set their routing table and network prefix based on “Router
Advertisements” (RA)
» Either through RA announcements or RS request
10
Attack
Stateless Configuration
The counterpart of IPv4
“DHCP Spoofing”
Attacker
11
Countermeasures
Stateless configuration
• ACL on managed switches (RA not allowed on all Ports)
– Drop all RA messages sent from a nontrusted port (ICMPv6 type 133)
• Port Security
• IPSEC
• Monitoring and Alerting
• NAC
12
Changes
ARP / NDP
•IPv4 – ARP
– Who has 192.168.1.1
– I have and my MAC is 00:DE:AD:BE:EF:00
•IPV6 – NDP - ICMPv6 (ARP is dead – long live ICMPv6)
13
Attack
NDP
The counterpart of IPv4
“ARP Spoofing”
Attacker
14
Countermeasures
NDP
Secure Neighbor Discovery
– SEND = NDP + crypto
– IOS 12.4(24)T (advanced enterprise)
– Microsoft 7, 2008 support and later only 
Others :
– Private VLAN works with IPv6
– Port security
15
Summary
Quick rundown
Unless IPSEC is consistently used
– Nearly all classical IPv4 vulnerabilities are present in IPv6
– Most of them have similar countermeasures
– IPv6 per default is a tad bit more secure IPv4
»Lack of IPv6 knowledge, experience and hardware is the issue (F.U.D)
»Common Counter Measures exist for all of the above
IPv4 IPv6 Mitigated by IPSEC
Source Routing Source Routing / RH0 No
ICMP redirect ICMP redirect Yes
DHCPv4 Spoofing DHCPv6 Spoofing Yes
ARP Spoofing NDP Spoofing Yes (or SEND)
DoS / Smurf DoS / Smurf Some
16
IPv6
General Weaknesses
IPv6 LAN
General Weaknesses and BCP
17
General Weaknesses
“Hidden” IPv6 capabilities
Waking the sleeping giant
– 1. All major OS have default IPv6 support built into (BSD, Linux, Vista, ..)
– 2. IPv6 is prefered over IPv4 per Default (most)
What if we announce a IPv6 Router on a IPv4 Network ?
If attacker does 6to4 it’s possible to
exfiltrate Data
18
General Weaknesses
Dual Stack
Worse
• While creating firewall entries it is often forgotten to set IPv6 ones
– Afterall we are not using IPv6 ..
– Complete unfirewalled access to host
• General DUAL stack issue
19
General Weaknesses
“Hidden” IPv6 capability
Are you still sure you have no IPv6 on your Network ?
• NetFlow records
– Protocol 41: IPv6 over IPv4 or 6to4 tunnels
– IPv4 address: 192.88.99.1 (6to4 anycast server)
– UDP 3544, the public part of Teredo, yet another tunnel
• Check DNS server log for resolution of ISATAP
• Update Default Host Builds to take into account IPv6
– Check others
Latent Threat :
IPv4-only network may be vulnerable to IPv6 attacks right
now
20
IPv6
Changes to the Threat Landscape
IPv6
Changes to the Threat Landscape
21
IPv6
Changes to the Threat Landscape
• Large Addressing Space – “Impossible” to scan ?
• Depends
– Local : Using multicast and NDP will give you all the addresses. While you can filter
ECHO_Request, you can’t filter replies to PackettoBig, Missing Extensions, Fragments
etc. -> Scanning localy is easy.
– Internet
»DNS – gives a way a lot – minimum one Network prefix
»How hard it is depends on Numbering Logic - (Random, DHCP (incremental), SLAAC, Manual)
»Random attribution = Hard to maintain / Operational Overhead
»IF SLAAC is used keyspace can be reduced to 24bits on entropy (There are only 15000
registered OUI and 100 used a lot, which are part of the MAC which is part of the EUI-64, which is
part of the Interface Identifier)
– It is more difficult, but depending on the Numbering setup and the Methodology of the
Attacker – feasable if no other countmeasures present (throttling, blocking)
22
IPv6
Changes to the Threat Landscape
• Worms (Like slammer, likely be a thing of the past)
– Although new ways likely (P2P)
• Does not mitigate any sorts of Web application vulnerabilities
• E-mail Threats , Social Media etc.
• Sniffing
– Without IPSec, there is no difference between IPv6 or IPv4
• Rogue devices
– No Difference
• Man-in-the-Middle Attacks (MITM)
– Without IPSec, same problems.
• Flooding
– Flooding attacks are identical
23
IPv6
Best Practises
IPv6
Best Practises
24
IPv6
Best Practices
Source Routing
– Block Routing Header type 0
– Intermediate nodes :
»no ipv6 source-route
– Edge
»With an ACL blocking routing header
DHCP Spoofing
– Port ACL can block DHCPv6 traffic from client ports
»deny udp any eq 547 any eq 546
General
• Perform IPv6 filtering at the perimeter
• Perform granular ICMP filtering
• Deny packets for transition techniques not in use
• Deny IPv4 protocol 41 forwarding unless that is exactly what is intended
• Deny UDP 3544 forwarding unless you are using Teredo based tunneling
• Leverage IPSec for everything possible
• Try to achieve equal protections for IPv6 as with IPv4
25
IPv6
Summary
Summary
• Some things changed, most things stay
• Perform regular Penetration tests
• Protect your IPv6 Network like you protect your IPv4 Network
• Training and Awareness is necessary
• Use IPSEC when and where possible
26
IPv6
Famous last words
Famous last words :
• PCI-DSS - Payment Card Industry Data Security Standard
– requires the use of NAT for security (which it was never meant for)
• Fact: Lack of NAT (66) in most firewalls
• PCI DSS compliance cannot be achieved with IPv6 ?
27
FYN
Q&A ?
Thank you for your attention

More Related Content

What's hot

SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center Networking
Thomas Graf
 
2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-
Eduardo Coelho
 
Roadmap to Next Generation IP Networks: A Review of the Fundamentals
Roadmap to Next Generation IP Networks: A Review of the FundamentalsRoadmap to Next Generation IP Networks: A Review of the Fundamentals
Roadmap to Next Generation IP Networks: A Review of the Fundamentals
Network Utility Force
 

What's hot (20)

IPv6 at CSCS
IPv6 at CSCSIPv6 at CSCS
IPv6 at CSCS
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
 
FreeSWITCH on Docker
FreeSWITCH on DockerFreeSWITCH on Docker
FreeSWITCH on Docker
 
DPDK Summit 2015 - Sprint - Arun Rajagopal
DPDK Summit 2015 - Sprint - Arun RajagopalDPDK Summit 2015 - Sprint - Arun Rajagopal
DPDK Summit 2015 - Sprint - Arun Rajagopal
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
Netscreen Policy Based Routing
Netscreen Policy Based RoutingNetscreen Policy Based Routing
Netscreen Policy Based Routing
 
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 SecurityFernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
 
Rapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksRapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP Networks
 
An Introduction to BGP Flow Spec
An Introduction to BGP Flow SpecAn Introduction to BGP Flow Spec
An Introduction to BGP Flow Spec
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering Automation
 
IPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoIPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live Demo
 
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
EAP TLS, the Rolls-Royce of extensible authentication protocol (EAP) methods ...
 
SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center Networking
 
Open Network OS Overview as of 2015/10/16
Open Network OS Overview as of 2015/10/16Open Network OS Overview as of 2015/10/16
Open Network OS Overview as of 2015/10/16
 
Microsoft IT's IPv6 Killer App
Microsoft IT's IPv6 Killer AppMicrosoft IT's IPv6 Killer App
Microsoft IT's IPv6 Killer App
 
2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-
 
OpenFlow tutorial
OpenFlow tutorialOpenFlow tutorial
OpenFlow tutorial
 
Roadmap to Next Generation IP Networks: A Review of the Fundamentals
Roadmap to Next Generation IP Networks: A Review of the FundamentalsRoadmap to Next Generation IP Networks: A Review of the Fundamentals
Roadmap to Next Generation IP Networks: A Review of the Fundamentals
 
Introduction to SDN
Introduction to SDNIntroduction to SDN
Introduction to SDN
 
Hotplug and Virtio - Tetsuya Mukawa
Hotplug and Virtio - Tetsuya MukawaHotplug and Virtio - Tetsuya Mukawa
Hotplug and Virtio - Tetsuya Mukawa
 

Similar to IPV6 - Threats and Countermeasures / Crash Course

Similar to IPV6 - Threats and Countermeasures / Crash Course (20)

fgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdffgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdf
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
IPv6 on the Interop Network
IPv6 on the Interop NetworkIPv6 on the Interop Network
IPv6 on the Interop Network
 
Tutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demoTutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demo
 
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
 
IPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onIPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-on
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
 
PLNOG 5: Merike Kaeo - Something Old Is New Again
PLNOG 5: Merike Kaeo - Something Old Is New AgainPLNOG 5: Merike Kaeo - Something Old Is New Again
PLNOG 5: Merike Kaeo - Something Old Is New Again
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
How the Internet works...and why
How the Internet works...and whyHow the Internet works...and why
How the Internet works...and why
 
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECMAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
 
10 fn s05
10 fn s0510 fn s05
10 fn s05
 
10 fn s05
10 fn s0510 fn s05
10 fn s05
 
IPv6 transition and coexistance - Jordi Palet
IPv6 transition and coexistance - Jordi PaletIPv6 transition and coexistance - Jordi Palet
IPv6 transition and coexistance - Jordi Palet
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
 
IPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPsIPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPs
 
L6 6 lowpan
L6 6 lowpanL6 6 lowpan
L6 6 lowpan
 
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities Report
 
IPv6 Transition & Deployment, including IPv6-only in cellular and broadband
IPv6 Transition & Deployment, including IPv6-only in cellular and broadbandIPv6 Transition & Deployment, including IPv6-only in cellular and broadband
IPv6 Transition & Deployment, including IPv6-only in cellular and broadband
 

More from Thierry Zoller

More from Thierry Zoller (11)

BLtouch marlin configuration
BLtouch marlin configurationBLtouch marlin configuration
BLtouch marlin configuration
 
Neo coolcam - smart-plug user guide v2 - Zwave
Neo coolcam  - smart-plug user guide v2 - ZwaveNeo coolcam  - smart-plug user guide v2 - Zwave
Neo coolcam - smart-plug user guide v2 - Zwave
 
Cansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depthCansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depth
 
Heise Security - Scheunentor Bluetooth
Heise Security - Scheunentor BluetoothHeise Security - Scheunentor Bluetooth
Heise Security - Scheunentor Bluetooth
 
23c3 Bluetooth hacking revisited
23c3 Bluetooth hacking revisited23c3 Bluetooth hacking revisited
23c3 Bluetooth hacking revisited
 
Hack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usHack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to us
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendations
 
All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.All your Bluetooth is belong to us - the rest too.
All your Bluetooth is belong to us - the rest too.
 
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
The Rise of the Vulnerability Markets - History, Impacts, Mitigations - Thier...
 
SSL Audit - The SSL / TLS Scanner
SSL Audit -  The SSL / TLS ScannerSSL Audit -  The SSL / TLS Scanner
SSL Audit - The SSL / TLS Scanner
 
The TLS/SSLv3 renegotiation vulnerability explained
The TLS/SSLv3 renegotiation vulnerability explainedThe TLS/SSLv3 renegotiation vulnerability explained
The TLS/SSLv3 renegotiation vulnerability explained
 

Recently uploaded

Cymulate (Breach and Attack Simulation).
Cymulate (Breach and Attack Simulation).Cymulate (Breach and Attack Simulation).
Cymulate (Breach and Attack Simulation).
luckyk1575
 

Recently uploaded (12)

OC Streetcar Final Presentation-Downtown Santa Ana
OC Streetcar Final Presentation-Downtown Santa AnaOC Streetcar Final Presentation-Downtown Santa Ana
OC Streetcar Final Presentation-Downtown Santa Ana
 
Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf
Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdfOracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf
Oracle Database Administration I (1Z0-082) Exam Dumps 2024.pdf
 
DAY 0 8 A Revelation 05-19-2024 PPT.pptx
DAY 0 8 A Revelation 05-19-2024 PPT.pptxDAY 0 8 A Revelation 05-19-2024 PPT.pptx
DAY 0 8 A Revelation 05-19-2024 PPT.pptx
 
Cymulate (Breach and Attack Simulation).
Cymulate (Breach and Attack Simulation).Cymulate (Breach and Attack Simulation).
Cymulate (Breach and Attack Simulation).
 
Breathing in New Life_ Part 3 05 22 2024.pptx
Breathing in New Life_ Part 3 05 22 2024.pptxBreathing in New Life_ Part 3 05 22 2024.pptx
Breathing in New Life_ Part 3 05 22 2024.pptx
 
The Influence and Evolution of Mogul Press in Contemporary Public Relations.docx
The Influence and Evolution of Mogul Press in Contemporary Public Relations.docxThe Influence and Evolution of Mogul Press in Contemporary Public Relations.docx
The Influence and Evolution of Mogul Press in Contemporary Public Relations.docx
 
05232024 Joint Meeting - Community Networking
05232024 Joint Meeting - Community Networking05232024 Joint Meeting - Community Networking
05232024 Joint Meeting - Community Networking
 
Deciding The Topic of our Magazine.pptx.
Deciding The Topic of our Magazine.pptx.Deciding The Topic of our Magazine.pptx.
Deciding The Topic of our Magazine.pptx.
 
Understanding Poverty: A Community Questionnaire
Understanding Poverty: A Community QuestionnaireUnderstanding Poverty: A Community Questionnaire
Understanding Poverty: A Community Questionnaire
 
ACM CHT Best Inspection Practices Kinben Innovation MIC Slideshare.pdf
ACM CHT Best Inspection Practices Kinben Innovation MIC Slideshare.pdfACM CHT Best Inspection Practices Kinben Innovation MIC Slideshare.pdf
ACM CHT Best Inspection Practices Kinben Innovation MIC Slideshare.pdf
 
ServiceNow CIS-Discovery Exam Dumps 2024
ServiceNow CIS-Discovery Exam Dumps 2024ServiceNow CIS-Discovery Exam Dumps 2024
ServiceNow CIS-Discovery Exam Dumps 2024
 
art integrated project of computer applications
art integrated project of computer applicationsart integrated project of computer applications
art integrated project of computer applications
 

IPV6 - Threats and Countermeasures / Crash Course

  • 1. © 2010 Verizon. All Rights Reserved. PTEXXXXX XX/10 Thierry Zoller Practice Lead EMEA / Threat and Vulnerability May 20, 2011 IPv6 Common Vulnerabilities & Countermeasures
  • 2. 2 Agenda •Who am I – Zoller Thierry – Professional Services / Practise Lead EMEA •Agenda – Scope: Enterprise – Crash course / Fundamental Changes – Vulnerabilities and Countermeasures – Changes to the Threat Landscape – Best Practises – Summary – Q&A Who in the audience has IPv6 “activated” inside your corporate LAN at this moment ?
  • 3. 3 Quick Refresh on Changes Primary changes • IPv4 – 4 Octets / 32 Bit addressing »4.294.967.296 addresses »Example : 192.168.1.1 – DHCP / Broadcast – Broadcast – IPSEC hacked into • IPv6 – 16 Octets / 128 bit addressing »340.282.366.920.938.463.463.374.607.431. 768.211.456 Addresses »Example: 2a01:2b3:4:a::1 – Stateless Auto Configuration (ICMP) – Flexible Multicast (Groups) – Local only – Mobility – keeps connections when moving locations – IPSEC build into (mandatory) – Routers no longer fragment • Typical Subnet : /64 – 4.294.967.296 * Size of the Internet (2^64 = 18.446.744.073.709.551.616) – Implications on “ping sweeps” – (roughly dumb scans could take years to finish)
  • 4. 4 The Basics IP Header Source: Cisco • No Header Length • No IPID • No Checksum • No Fragmentation field • No Options
  • 5. 5 The Basics Unicast IPv6 Address • IPv6 IP Address Local Identifier • SLAAC (EUI-64) RFC 4291 • DHCP • Automatic Random (Privacy Extensions • Assigned Manual Used for routing Advertised by the Router
  • 6. 6 The Basics Multicast / Anycast / Unicast •Unicast – One destination •Multicast – All routers [FF02:0:0:0:0:0:0:2 ] Node-Local – All DHCP servers [FF05:0:0:0:0:0:1:3 ] Link-Local •Anycast - (All nodes in Subnet) – “An IPv6 anycast address is an address that is assigned to more than one interface (typically belonging to different nodes), with the property that a packet sent to an anycast address is routed to the "nearest" interface having that address, according to the routing protocols' measure of distance. “ RFC4291
  • 7. 7 IPv6 Examples of Protocol Vulnerabilities IPv6 LAN Procotol changes, Attacks & Countermeasures
  • 8. 8 State of independent security research • Has attracted interest from the Hacking community in the recent years • First dedicated Attack Toolkit released in 2005 (“THC IPv6 Attack Toolkit”) •General Tools available (scapy etc.) •IPv6 used in Databreaches in early 2002 to camouflage traffic (lack of inspection - more on that later)
  • 9. 9 Changes Stateless Configuration •IPv4 – DHCP / Broadcast – “ I am new give me an IP address !” (Broadcast) – “ I am your DHCP server here is the info” •IPV6 – ICMPv6 / Multicast / (DHCP Optional) – Clients set their routing table and network prefix based on “Router Advertisements” (RA) » Either through RA announcements or RS request
  • 10. 10 Attack Stateless Configuration The counterpart of IPv4 “DHCP Spoofing” Attacker
  • 11. 11 Countermeasures Stateless configuration • ACL on managed switches (RA not allowed on all Ports) – Drop all RA messages sent from a nontrusted port (ICMPv6 type 133) • Port Security • IPSEC • Monitoring and Alerting • NAC
  • 12. 12 Changes ARP / NDP •IPv4 – ARP – Who has 192.168.1.1 – I have and my MAC is 00:DE:AD:BE:EF:00 •IPV6 – NDP - ICMPv6 (ARP is dead – long live ICMPv6)
  • 13. 13 Attack NDP The counterpart of IPv4 “ARP Spoofing” Attacker
  • 14. 14 Countermeasures NDP Secure Neighbor Discovery – SEND = NDP + crypto – IOS 12.4(24)T (advanced enterprise) – Microsoft 7, 2008 support and later only  Others : – Private VLAN works with IPv6 – Port security
  • 15. 15 Summary Quick rundown Unless IPSEC is consistently used – Nearly all classical IPv4 vulnerabilities are present in IPv6 – Most of them have similar countermeasures – IPv6 per default is a tad bit more secure IPv4 »Lack of IPv6 knowledge, experience and hardware is the issue (F.U.D) »Common Counter Measures exist for all of the above IPv4 IPv6 Mitigated by IPSEC Source Routing Source Routing / RH0 No ICMP redirect ICMP redirect Yes DHCPv4 Spoofing DHCPv6 Spoofing Yes ARP Spoofing NDP Spoofing Yes (or SEND) DoS / Smurf DoS / Smurf Some
  • 17. 17 General Weaknesses “Hidden” IPv6 capabilities Waking the sleeping giant – 1. All major OS have default IPv6 support built into (BSD, Linux, Vista, ..) – 2. IPv6 is prefered over IPv4 per Default (most) What if we announce a IPv6 Router on a IPv4 Network ? If attacker does 6to4 it’s possible to exfiltrate Data
  • 18. 18 General Weaknesses Dual Stack Worse • While creating firewall entries it is often forgotten to set IPv6 ones – Afterall we are not using IPv6 .. – Complete unfirewalled access to host • General DUAL stack issue
  • 19. 19 General Weaknesses “Hidden” IPv6 capability Are you still sure you have no IPv6 on your Network ? • NetFlow records – Protocol 41: IPv6 over IPv4 or 6to4 tunnels – IPv4 address: 192.88.99.1 (6to4 anycast server) – UDP 3544, the public part of Teredo, yet another tunnel • Check DNS server log for resolution of ISATAP • Update Default Host Builds to take into account IPv6 – Check others Latent Threat : IPv4-only network may be vulnerable to IPv6 attacks right now
  • 20. 20 IPv6 Changes to the Threat Landscape IPv6 Changes to the Threat Landscape
  • 21. 21 IPv6 Changes to the Threat Landscape • Large Addressing Space – “Impossible” to scan ? • Depends – Local : Using multicast and NDP will give you all the addresses. While you can filter ECHO_Request, you can’t filter replies to PackettoBig, Missing Extensions, Fragments etc. -> Scanning localy is easy. – Internet »DNS – gives a way a lot – minimum one Network prefix »How hard it is depends on Numbering Logic - (Random, DHCP (incremental), SLAAC, Manual) »Random attribution = Hard to maintain / Operational Overhead »IF SLAAC is used keyspace can be reduced to 24bits on entropy (There are only 15000 registered OUI and 100 used a lot, which are part of the MAC which is part of the EUI-64, which is part of the Interface Identifier) – It is more difficult, but depending on the Numbering setup and the Methodology of the Attacker – feasable if no other countmeasures present (throttling, blocking)
  • 22. 22 IPv6 Changes to the Threat Landscape • Worms (Like slammer, likely be a thing of the past) – Although new ways likely (P2P) • Does not mitigate any sorts of Web application vulnerabilities • E-mail Threats , Social Media etc. • Sniffing – Without IPSec, there is no difference between IPv6 or IPv4 • Rogue devices – No Difference • Man-in-the-Middle Attacks (MITM) – Without IPSec, same problems. • Flooding – Flooding attacks are identical
  • 24. 24 IPv6 Best Practices Source Routing – Block Routing Header type 0 – Intermediate nodes : »no ipv6 source-route – Edge »With an ACL blocking routing header DHCP Spoofing – Port ACL can block DHCPv6 traffic from client ports »deny udp any eq 547 any eq 546 General • Perform IPv6 filtering at the perimeter • Perform granular ICMP filtering • Deny packets for transition techniques not in use • Deny IPv4 protocol 41 forwarding unless that is exactly what is intended • Deny UDP 3544 forwarding unless you are using Teredo based tunneling • Leverage IPSec for everything possible • Try to achieve equal protections for IPv6 as with IPv4
  • 25. 25 IPv6 Summary Summary • Some things changed, most things stay • Perform regular Penetration tests • Protect your IPv6 Network like you protect your IPv4 Network • Training and Awareness is necessary • Use IPSEC when and where possible
  • 26. 26 IPv6 Famous last words Famous last words : • PCI-DSS - Payment Card Industry Data Security Standard – requires the use of NAT for security (which it was never meant for) • Fact: Lack of NAT (66) in most firewalls • PCI DSS compliance cannot be achieved with IPv6 ?
  • 27. 27 FYN Q&A ? Thank you for your attention