Is IPv6 Security Still an Afterthought? by Merike Kaeo A presentation given at Network Operations session on Tuesday, 4 October 2016.

1. 1
Is IPv6 Security
Still An Afterthought ?
Merike Kaeo, CTO Farsight Security
merike@fsi.io

2. Goals For Today
• Fundamental IPv6 security considerations
• Knowing the right questions to ask
• Admitting that practical IPv6 malware detection
and mitigation needs work
• Learning how DNS can be utilized to help with
IPv6 malware detection
2

3. Does Operations Understand IPv6?
• It *is* similar to IPv4…..but NOT J [Training is Important!!]
• IPv4 and IPv6 interface addressing nuances
• Which IPv6 address used to source traffic?
• When is IPv4 address used vs IPv6 address for
a dual-stacked host?
• Where are special transition addresses used?
• More IPv6 nuances
• Every mobile device is a /64
• Extension headers
• Path MTU Discovery
• Fragmentation
3

4. Fundamental Security Principles
• Authentication
• Who (or What) are you?
• Authorization
• What are you allowed to access or do?
• Integrity
• Has data been altered?
• Confidentiality
• Can only authorized eyeballs see data?
• Availability
• Do I have access to data I need?

5. Fundamental Privacy Principles
• Concern for how data is:
• Collected
• Analyzed
• Used
• Protected
• Potential for increased surveillance and
tracking
How is privacy changing in the world of
social media and information gluttony?

6. Best Practices & Operational Realities
draft-ietf-opsec-v6-09
• Addressing Recommendations
• Extension Header Issues
• Link Layer Security (ND/RA)
• Control Plane Security
• Routing Security
• Logging/Monitoring
• Legacy vs New Coexistence Technologies
• Added Considerations
6

7. Can You Listen to the Network using IPv4 / IPv6 ?
• Sources (data collection points)
• Protocols to use for data collection
• Tools used to collect data
Conference
Net
NOC
Syslog, TFTP,
AAA, DNS,
SNMP
NetFlow,
SNMP
7

8. Growing Trends in DDoS (IPv4)
• DDoS attacks use spoofed IP addresses of legitimate users
• Combining spoofed addresses with legitimate protocol use
makes mitigation extremely difficult – what do you block
and where?
• Recent trends have been utilizing DNS as attack vector
since it is a fundamentally used Internet technology
• Utilize resources of large hosting providers for added attack
bandwidth
• Many other Internet protocols also susceptible
• Mobile networks and IoT – NEEDS ATTENTION
• Latest DDoS attack on Brian Krebs – 600+ Gbps!!!
• Mirai malware – exploits default weak credentials (Telnet!!)
8

9. My Television Uses IPv6 (Really!!)

10. Television Default Permissions

11. Attacker sends ICMP Echo request
packets to a remote network
directed broadcast address using
spoofed IP source addresses
All hosts that receive this ICMP
Echo request packet send a reply
to the spoofed IP source address
and overwhelm spoofed victim
Router that connects this remote network
sends packet onto the local network
1
1
2
2
Victim
3 3
Attacker
(SMURF)
Router Router

12. Type Description Justification
2 Packet too big For correct operation of PMTUD
4 Parameter problem Cannot process packet because cannot identify a
field in a header or the packet itself
130-
132
Multicast listener Routing device must accept these messages to
participate in multicast routing
133 Router solicitation Needed for IPv6 autoconfiguration
134 Router
advertisement
Needed for IPv6 autoconfiguration
135 Neighbor
solicitation
Duplicate address detection and Layer2 (MAC) -to-
IPv6 address resolution
136 Neighbor
advertisement
Duplicate address detection and Layer2 (MAC) -to-
IPv6 address resolution
IPv6 ICMP Considerations

13. Help Mitigate DDoS: Ingress/Egress Filters
ipv6 access-list extended DSL-ipv6-Outbound
permit ipv6 2001:DB8:AA65::/48 any
deny ipv6 any any log
interface atm 0/0
ipv6 traffic-filter DSL-ipv6_Outbound out
router bgp <AS#>
neighbor <IP> remote-as <AS#>
neighbor <IP> prefix-list customer in
ip prefix-list customer permit <netblock>
ip prefix-list customer deny <everything else>
Home
Customer
SMB Customer
ISP
EGRESS
INGRESS
Deploy anti-spoofing filters as close to potential source as possible
ipv6 access-list extended DSL-ipv6-Inbound
permit ipv6 2001:DB8:AA65::/48 any
deny ipv6 any any log
interface atm 0/0
ipv6 traffic-filter DSL-ipv6_Inbound in
INGRESS
13

14. IPv6 Reserved Addresses (RFC 6890)
Description Network
unspecified :: /128
loopback ::1 /128
IPv4-IPv6 Translation address 64::ff9b::/96
IPv4-compatible IPv6 address ::/96
IPv4-mapped IPv6 address ::ffff:0:0/96
discard-only prefix 100::/64
TEREDO 2001::/32
benchmarking 2001:2::/48
ORCHID 2001:10::/28
6to4 2002::/16
reserved ::/8
unique-local address fc00::/7
multicast address ff00::/8
documentation addresses 2001:db8::/3214

15. Using DNS to detect IPv6 Malware
278
Million
10+
Billion
100+
Million
Current
Domain Names
ccTLD
Domains
Current
Hostnames
Questions That Can Be Answered
Using Passive DNS
- Where did this domain name point to
in the past?
- What domain names are hosted by a
given nameserver?
- What domain names point into a
given IP network?
- What subdomains exist below a
certain domain name?
- What new names are hosted in
ccTLDs?

16. Collector
Q1: what is IP address of www.nsrc.org ?
R2: IP address of authoritative server for .org
R1: IP address of www.nsrc.org
Q2: what is IP address of authoritative server for .org?
Client 2
Client 1
R3: IP address of authoritative server for nsrc.org
Q3: what is IP address for authoritative server for .nsrc.org?
R4: IP address of authoritative server for www.nsrc.org
Q4: what is IP address for authoritative server for www.nsrc.org ?
R5: IP address of www.nsrc.org
Q5: what is IP address of www.nsrc.org ?
Passive DNS Sensor
DNS
Resolver
Authoritative
ROOT
Authoritative
ORG
Authoritative
NSRC
Q2, R2, Q3, R3, Q4, R4
Passive DNS – What Is Collected

17. DNSDB Searches
Record Types
ANY-DNSSEC
A
AAAA
NS
CNAME
DNAME
PTR
MX
SRV
TXT
DS
DLV
RRSIG
NSEC
DNSKEY
NSEC3

18. Find Associated Domains [IPv4]:
• Most all malicious
domains utilize A
records although
these could be
legitimate
• Many AAAA records
associated with
legitimate domains
TODAY’S TREND
18

19. Find Associated Domains [IPv6]:
19

20. Further Investigation…
• Correlate domains seen in IPv4 and in IPv6
• IPv4 and IPv4-mapped addresses both associated with > 10,000
domains
• Not all domains are same as seen in IPv4 and IPv6
• Investigate same domains seen in IPv4 and IPv6
• Investigate domains seen separately from IPv4 vs IPv6
address
• Might be legitimate hosting company
Passive DNS can be used to correlate
IPv4 and IPv6 related information
20

21. Operational Observations
• Some IPv6 attacks known but not discussed
• Ongoing SMTP over IPv6 discussions where lack of
reputation information blocks legitimate traffic that
would not be blocked on IPv4
• Many folks turn off SMTP use over IPv6 as response
• https://www.maawg.org/sites/maawg/files/news/M3AAWG_Inb
ound_IPv6_Policy_Issues-2014-09.pdf
• Many IPv6 invalid source addresses observed
• https://ripe67.ripe.net/presentations/288-Jen_RIPE67.pdf
• How would you tell configuration error from deliberate
spoofing?
21

22. • Secure end-host (a router or switch is an end-host)
• Turn off unused services
• Change all default credentials [use 2FA]
• Use cryptographically protected protocols for management
• Limit access to network
• Filter (packet filter vs uRPF vs route filter)
• Ingress AND Egress filtering necessary
• Authenticate
• Device vs User
• Credential management lifecycle
• Use multi-factor authentication
• Audit network traffic
• netflow-v9
• Wireshark (yes, periodically look what is ON THE WIRE)
How Mitigate Most Threats?

23. Trust But Verify….
• Understand what monitoring capability is for IPv4
and/or IPv6 traffic and know how the traffic patterns
can be correlated
• Test dual-stack and transition technology behavior to
know when DNS replies utilize A and/or AAAA records
• Tools for incident response improving for IPv6 but there
is still more improvement needed
• Not all management functionality can utilize IPv6 transport
• Some networks being built for IPv6 only and are motivating
vendors
• Correlation is important!!
23