The document discusses security issues with IPv6 and proposed mitigation techniques. It covers topics such as router advertisements, neighbor discovery protocol, and fragmentation. Specifically, it notes that router advertisements and neighbor solicitations are not authenticated by default, allowing for spoofing attacks. The document proposes several mitigation approaches including cryptographically generated addresses, router authorization, port access control lists, and host isolation to secure IPv6 networks.

1. Session ID:
Session Classification:
Eric Vyncke
Cisco / Consulting Engineering
TECH-F42
Intermediate
THE LAYER-2
INSECURITIES OF IPV6
AND THE MITIGATION
TECHNIQUES

2. No doubts anymore IPv4 is out...

3. ... And IPv6 in In ;-)
Source: http://www.google.com/intl/en/ipv6/statistics/ http://www.vyncke.org/ipv6status

4. ► Content providers: Facebook, Google, Yahoo!, Youtube...
► Service providers: AT&T, Verizon, T-Mobile, Comcast...
US is leading IPv6...
2 % of US
Internet users
can do IPv6

5. WHAT IS IPV6?
6

6. ► IPv6 is IPv4 with larger addresses
► 128 bits vs. 32 bits
► NAT no more needed => easier for applications
► Simpler hence more security
► Data-link layer unchanged: Ethernet, xDSL, …
► Transport layer unchanged: UDP, TCP, …
► Applications “unchanged”: HTTP, SSL, SMTP, …
► IPv6 is not really BETTER than IPv4 because it is ‘new’
► IPv6 has been specified in 1995…
► IPsec is identical in IPv4 & IPv6
► Only benefit is a much larger address space
IPv6 in One Slide

7. A word on IPv6 addresses
2001:DB8:ABBA:BABE 1234:4567:89AB:CDEF
64-bit interface identifier:
unique within the
network to identify a
node
64-bit prefix: identifying
the network or FE80::
for local-link
Origin:
• Configuration
• DHCPv6
• Stateless Address
Autoconfiguration
• Via Router
Advertisements
Origin:
• Configuration
• DHCPv6
• Stateless Address Autoconfiguration
• Ethernet address
• Random Number (privacy
extension)

8. Innocent Windows Upgrade
C:>ping svr-01
Pinging svr-01.example.com [10.121.12.25] with 32 bytes of data:
Reply from 10.121.12.25: bytes=32 time<1ms TTL=128
Reply from 10.121.12.25: bytes=32 time<1ms TTL=128
Reply from 10.121.12.25: bytes=32 time<1ms TTL=128
Reply from 10.121.12.25: bytes=32 time<1ms TTL=128
Windows 2003
C:>ping svr-01
Pinging svr-01 [fe80::c4e2:f21d:d2b3:8463%15] with 32 bytes of data:
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Reply from fe80::c4e2:f21d:d2b3:8463%15: time<1ms
Upgraded Host to Windows 2008
ALL recent OS have IPv6 enabled by default and prefer it...
=> Enable IPv6 host security and IPv6 IPS

9. IPv6 in the IPv4 Data Center:
Don’t be Blind
“IPv4-only” Datacenter
IPv6 traffic by default, using link-local addresses
IPv4-only IDS,
Monitoring, ...
MUST be upgraded to IPv6
NOW
Operators must be trained

10. Content Providers
Dual-Stack Internet Edge in 2012-2013
IPv4
Internet
IPv6
IPv4
Security
Enforcement Load Balancer
Legacy IPv4-
only Servers
IPv6
Internet
IPv6 Network stops at load balancer

11. Dual-Stack - Selecting IPv4 or IPv6
IPv4
Internet
IPv6
IPv4
Dual-Stack
Server
www.foo.com
IPv6
Internet
ISP DNS
Server
1) www.foo.com?
2) IPv4 and IPv6 addresses
of www.foo.com
3) Should I
use IPv4 or
IPv6 ???
Decision by the USER/INITIATOR:
-RFC 6555: Happy Eyeball, try both and keep the fastest
-RFC 6724: local policy, usually IPv6 is preferred
Content
provider has no
influence

12. IPv6 Myths: Better, Faster, More Secure
Sometimes, newer means better and more secure
Sometimes, experience IS better and safer!

13. LAYER-2 IS
IMPORTANT FOR
SECURITY

14. Networks are Sand Castles…
Attacker
Layer-2
Layer-7 Data and
services
Firewall
Courtesy of Curth Smith

15. ► Defined in RFC 4861, “Neighbor Discovery for IP
Version 6 (IPv6)” and RFC 4862 (“IPv6 Stateless
Address Autoconfiguration”)
► Used for:
► Router discovery
► Autoconfiguration of addresses (SLAAC)
► IPv6 address resolution (replaces ARP)
► Neighbor reachability (NUD)
► Duplicate Address Detection (DAD)
► Redirection
► Operates above ICMPv6
Fundamentals on Neighbor Discovery

16. ROUTER
SPOOFING WITH
ROGUE-RA

17. 1. RS:
Data = Query: please
send RA
2. RA1. RS
RA w/o Any
Authentication Gives
Exactly Same Level of
Security as DHCPv4
(None)
Router Advertisements (RA) contain:
-Prefix to be used by hosts
-Data-link layer address of the router
-Miscellaneous options: MTU, DHCPv6 use, …
Last come, last used
2. RA
DoS
MITM
2. RA:
Data= options, prefix, lifetime,
A+M+O flags
Rogue Router Advertisement

18. ► Devastating:
► Denial of service: all traffic sent to a black hole
► Man in the Middle attack: attacker can intercept, listen, modify
unprotected data
► Also affects legacy IPv4-only network with IPv6-enabled hosts
► Most of the time from non-malicious users
► Requires layer-2 adjacency(some relief…)
► The major blocking factor for enterprise IPv6 deployment
► Special from THC: RA flood with different prefixes => crash
Windows and a few other OS  Still in 2013!
Effects of Rogue RA

19. Rogue RA – Mitigation Techniques
Where What
Routers Increase “legal” router preference
Hosts Disabling Stateless Address Autoconfiguration
Routers & Hosts SeND “Router Authorization”
Switch (First Hop) Host isolation
Switch (First Hop) Port Access List (PACL)
Switch (First Hop) RA Guard

20. ► RFC 3972 Cryptographically Generated Addresses
(CGA)
► IPv6 addresses whose interface identifiers are cryptographically
generated from node public key
► SeND adds a signature option to Neighbor Discovery
Protocol
► Using node private key
► Node public key is sent in the clear (and linked to CGA)
► Very powerful
► If MAC spoofing is prevented
► But, not a lot of implementations: Cisco IOS, Linux, some H3C,
third party for Windows (from Hasso-Plattner-Institut)
Secure Neighbor Discovery (SeND)

21. ► Each devices has a RSA key pair (no need for cert)
► Ultra light check for validity
► Prevent spoofing a valid CGA address
Cryptographically Generated Addresses
CGA RFC 3972 (Simplified)
SHA-1
RSA Keys
Priv Pub
Subnet
Prefix
Interface
Identifier
Crypto. Generated Address
Signature
SeND Messages
Modifier
Public
Key
Subnet
Prefix
CGA Params

22. ► Adding a X.509 certificate to RA
► Subject Name contains the list of authorized IPv6 prefixes
Securing Router Advertisements with SeND
Trust
Anchor X.509
cert
Router Advertisement
Source Addr = CGA
CGA param block (incl pub key)
Signed
X.509
cert

23. Isolated Port
► Prevent Node-Node Layer-
2 communication by using:
► Private VLANs (PVLAN) where nodes
(isolated port) can only contact the
official router (promiscuous port)
► WLAN in ‘AP Isolation Mode’
► 1 VLAN per host (SP access network
with Broadband Network Gateway)
► Link-local multicast (RA,
DHCP request, etc) sent
only to the local official
router: no harm
Mitigating Rogue RA: Host Isolation
RA
RA
RA
RA
RA
Promiscuous
Port

24. ► Port ACL blocks all ICMPv6 RA from hosts
interface FastEthernet0/2
ipv6 traffic-filter ACCESS_PORT in
access-group mode prefer port
► RA-guard (12.2(50)SY)
ipv6 nd raguard policy HOST device-role host
ipv6 nd raguard policy ROUTER device-role router
ipv6 nd raguard attach-policy HOST vlan 100
interface FastEthernet0/0
ipv6 nd raguard attach-policy ROUTER
Mitigating Rogue RA: RFC 6105
RA
RA
RA
RA
RA

25. ► Extension headers chain can be so large than it is fragmented!
► RFC 3128 is not applicable to IPv6
► Layer 4 information could be in 2nd fragment
Here comes Fragmentation…
IPv6 hdr HopByHop Routing DestinationFragment1
Layer 4 header is
in 2nd fragment
IPv6 hdr HopByHop Fragment2 TCP DataRouting

26. ► RFC 3128 is not applicable to IPv6, extension header can be fragmented
► ICMP header could be in 2nd fragment after a fragmented extension header
► RA Guard works like a stateless ACL filtering ICMP type 134
► THC fake_router6 –FD implements this attack which bypasses RA Guard
► Partial work-around: block all fragments sent to ff02::1
► ‘undetermined-transport’ is even better (IETF work item)
► Does not work in a SeND environment (larger packets) but then no need for
RA-guard 
Parsing the Extension Header Chain
Fragments and Stateless Filters (RA Guard)
IPv6 hdr HopByHop Routing Destination …Fragment1
ICMP header is in 2nd fragment,
RA Guard has no clue where to find it!
IPv6 hdr HopByHop Fragment2 ICMP type=134Routing … Destination

27. ATTACKING
NEIGHBOR
DISCOVERY
WITH NDP
SPOOFING

28. Neighbor Solicitation
Src = A
Dst = Solicited-node multicast of B
ICMP type = 135
Data = link-layer address of A
Query: what is your link address?
A B
Src = B
Dst = A
ICMP type = 136
Data = link-layer address of B
A and B Can Now Exchange
Packets on This Link
Security Mechanisms
Built into Discovery
Protocol = None
=> Very similar to ARP
Attack Tool:
Parasite6
Answer to all NS,
Claiming to Be All
Systems in the LAN...

29. Duplicate Address Detection
Src = ::
Dst = Solicited-node multicast of A
ICMP type = 135
Data = link-layer address of A
Query = what is your link address?
A B
From RFC 4862 5.4:
« If a duplicate @
is discovered…
the address cannot
be assigned to the interface»
What If: Use MAC@ of the Node
You Want to DoS and Claim Its IPv6
@
Attack Tool:
Dos-new-IPv6
Mitigation in IOS:
Configuring the IPv6 address as
anycast disables DAD on the
interface
Duplicate Address Detection (DAD) Uses Neighbor Solicitation to Verify the
Existence of an Address to Be Configured

30. ► Pretty much like RA: no authentication
► Any node can ‘steal’ the IP address of any other node
► Impersonation leading to denial of service or MITM
► Requires layer-2 adjacency
► IETF SAVI Source Address Validation Improvements (work in progress)
Neighbor Advertisement can be Spoofed

31. NDP Spoofing Mitigations
Where What
Routers & Hosts configure static neighbor cache entries
Routers & Hosts Use CryptoGraphic Addresses (SeND CGA)
Switch (First Hop) Host isolation
Switch (First Hop) Address watch
• Glean addresses in NDP and DHCP
• Establish and enforce rules for address ownership

32. Securing Neighbor Advertisements
with SeND
Neighbor Advertisement
Source Addr = CGA
CGA param block (incl pub key)
Signed

33. ► If a switch wants to enforce the mappings < IP address,
MAC address> how to learn them?
► Multiple source of information
► SeND: verify signature in NDP messages, then add the mapping
► DHCP: snoop all messages from DHCP server to learn mapping
(same as in IPv4)
► NDP: more challenging, but ‘first come, first served’
► The first node claiming to have an address will have it
SAVI: How to Learn?

34. Binding table
NS [IP source=A1, LLA=MACH1]
DHCP-
server
REQUEST [XID, SMAC = MACH2]
REPLY[XID, IP=A21, IP=A22]
data [IP source=A3, SMAC=MACH3]
DAD NS [IP source=UNSPEC, target = A3]
NA [IP source=A3, LLA=MACH3]
ADR MAC VLAN IF
A1 MACH1 100 P1
A21 MACH2 100 P2
A22 MACH2 100 P2
A3 MACH3 100 P3
DHCP LEASEQUERY
DHCP LEASEQUERY_REPLY
H1 H2 H3
NDP Spoofing – Mitigation: Binding
Integrity at the First Hop
Then, drop all Neighbor Discovery packets not matching the binding...

35. EXHAUSTING
THE NEIGHBOR
CACHE

36. ► Remote router CPU/memory DoS attack if aggressive scanning
► Router will do Neighbor Discovery... And waste CPU and memory
► Local router DoS with NS/RS/…
Remote Neighbor Cache Exhaustion
2001:db8::/64
NS: 2001:db8::1
NS: 2001:db8::2
NS: 2001:db8::3
NS: 2001:db8::1
NS: 2001:db8::2
NS: 2001:db8::3
NS: 2001:db8::1
NS: 2001:db8::2
NS: 2001:db8::3

37. ► Mainly an implementation issue
► Rate limiter on a global and per interface
► Prioritize renewal (PROBE) rather than new resolution
► Maximum Neighbor cache entries per interface and per MAC
address
► Internet edge/presence: a target of choice
► Ingress ACL permitting traffic to specific statically configured
(virtual) IPv6 addresses only
Allocate and configure a /64 but uses addresses fitting in a /120
in order to have a simple ingress ACL
Mitigating Remote Neighbor Cache
Exhaustion

38. ► Ingress ACL allowing only valid destination and dropping the rest
► NDP cache & process are safe
► Requires DHCP or static configuration of hosts
Simple Fix for
Remote Neighbor Cache Exhaustion
2001:db8::/64
NS: 2001:db8::1
NA: 2001:db8::1

39. FINDING THE
MAC ADDRESS
OF AN IPV6...

40. ► DHCPv6 address or prefix… the client DHCP Unique ID
(DUID) can be
► Time + MAC address: simply take the last 6 bytes of ANY
network card
► Vendor number + any number: no luck… next slide can help
► No guarantee of course that DUID includes the used MAC
address.
Audit-trail: finding the MAC of IPv6
# show ipv6 dhcp binding
Client: FE80::225:9CFF:FEDC:7548
DUID: 000100010000000A00259CDC7548
Username : unassigned
Interface : FastEthernet0/0
IA PD: IA ID 0x0000007B, T1 302400, T2 483840
Prefix: 2001:DB8:612::/48
preferred lifetime 3600, valid lifetime 3600
expires at Nov 26 2010 01:22 PM (369)

41. ► Last resort… look in the live NDP cache
► If no more in cache, then you should have scanned and
saved the live cache…
► Frequently (expiration is about 5 minutes)
► Securely
Dumb but working...
#show ipv6 neighbors 2001:DB8::6DD0
IPv6 Address Age Link-layer Addr State Interface
2001:DB8::6DD0 8 0022.5f43.6522 STALE Fa0/1

42. IMPACT ON MY
EXISTING
NETWORK

43. ► Easy to check!
► Look inside NetFlow records
► Protocol 41: IPv6 over IPv4 or 6to4 tunnels
► IPv4 address: 192.88.99.1 (6to4 anycast server)
► UDP 3544, the public part of Teredo, yet another tunnel
► Look into DNS server log for resolution of ISATAP
► Beware of the IPv6 latent threat:
► your IPv4-only network may be vulnerable to IPv6 attacks
NOW
Is IPv6 in My Network?

44. CONCLUSION

45. ► IPv6 is here to stay
► Security officer MUST NOT ignore IPv6
► IPv6 security is ~ IPv4 security
► Neighbor Discovery Protocol is as ‘secure’ as ARP/DHCP
KEY TAKE AWAY

46. ► Learn more about IPv6 and its security
► In short: 99% as IPv4 ;-)
► Review/audit critical security pieces
► Audit-trail
► Rate-limiting
► Access control / reputation
► Penetration test
► Deploy NOW the IPv6 security of your switches
APPLY

47. QUESTIONS AND
ANSWERS?