
IPv6 Introduction and Implications on Network Security

Keith O'Brien, Cisco Distinguished Engineer, kobrien@cisco.com


2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1

Keith O'Brien, Distinguished Engineer, Cisco, kobrien@cisco.com

Specializes in large-scale IP routing, network security and incident response within ISP and enterprise networks
Working with major US-based ISPs on their transition to an IPv6 network
Adjunct Professor of Computer Science at NYU's Polytechnic Institute (graduate studies)
Visiting Professor of Electrical and Computer Engineering at the United States Coast Guard Academy
BSEE Lafayette College, MS Stevens Institute of Technology
CCIE, CISSP, SANS GIAC
http://keithobrien.org  Twitter: @keitheobrien


IPv6: Why Now?
Technology intro: comparison to IPv4, addressing, ICMPv6 and Neighbor Discovery, DHCPv6 and DNS
IPv4/IPv6 transition and coexistence
IPv6 security


Key growth factors
More devices: nearly 15 billion connections
More Internet users: 3 billion Internet users
Faster broadband speeds: 4-fold speed increase
More rich media content: 1 million video minutes per second

Source: Cisco Visual Networking Index (VNI) Global IP Traffic Forecast, 2010-2015

The IETF IPv6 WG began in the early 90s to solve the address growth problem, but CIDR and NAT were developed as stopgaps that extended the life of IPv4
IPv4 32-bit address = about 4 billion hosts
IANA issued its last /8 blocks to the regional registries in February 2011
IP is everywhere: data, voice, audio and video integration is a reality
Main compelling reason: more IP addresses


Probability of when RIR reaches last /8 threshold

http://www.bgpexpert.com/ianaglobalpool2.php

http://www.potaroo.net/tools/ipv4/rir.jpg


When do you run out of IPv4 addresses?

Segment     Run-out   Notes
Mobile      Now       Devices are already being actively deployed with IPv6 addresses
Wireline    Now       A combination of NAT and IPv6-enabled CPE is being deployed
Enterprise  Varies    NAT is already being used at peering points where run-out has occurred

When is most of the content available on the IPv6 network?
Mobile: growing rapidly
Wireline: growing rapidly
Enterprise: slower ramp, due to enterprise-specific applications and longer development cycles

What is the device/CPE refresh frequency?
Mobile: short refresh cycle
Wireline: longer refresh cycle
Enterprise: longer refresh cycle


World IPv6 Launch, June 6, 2012
Network equipment vendors, ISPs and content providers are coming together on June 6, 2012 to permanently enable IPv6 on the Internet
The previous World IPv6 Day (8 June 2011) was a 24-hour soak period

Current players: Akamai, Comcast, AT&T, Cisco, D-Link, Internode, Time Warner Cable, NASA, Facebook, KDDI, Yahoo, Sprint, Free Telecom, Limelight, Netflix, Google, Bing, AOL

http://www.worldipv6launch.org/


Service             IPv4                                        IPv6
Addressing range    32-bit, Network Address Translation         128-bit, multiple scopes
IP provisioning     DHCP                                        SLAAC, renumbering, DHCPv6
Security            IPsec                                       IPsec support mandated (RFC 4294, relaxed to SHOULD in RFC 6434); works end-to-end because there is no NAT
Mobility            Mobile IP                                   Mobile IPv6 with direct routing
Quality of service  Differentiated Service, Integrated Service  Differentiated Service, Integrated Service
Multicast           IGMP/PIM/MBGP                               MLD/PIM/MBGP, scope identifier

Note: "IPsec mandated" means implementations had to support IPsec, not that traffic is protected by default. IPv6 traffic is no more encrypted or authenticated than IPv4 traffic unless IPsec is actually configured.


IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding

IPv6 header fields (fixed 40 bytes): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

Legend
Field name kept from IPv4 to IPv6: Version, Source Address, Destination Address
Fields not kept in IPv6: IHL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding (fragmentation and options move into extension headers; there is no header checksum, so the transport checksum in UDP and ICMPv6 is mandatory)
Name and position changed in IPv6: Type of Service -> Traffic Class, Total Length -> Payload Length, Protocol -> Next Header, Time to Live -> Hop Limit
New field in IPv6: Flow Label


Extension headers are daisy-chained: each header's Next Header field identifies the header that follows it

Example 1: IPv6 header (Next Header = 6) -> TCP header + payload
Example 2: IPv6 header (Next Header = 43) -> Routing header (Next Header = 17) -> UDP header + payload
Example 3: IPv6 header (Next Header = 43) -> Routing header (Next Header = 60) -> Destination Options (Next Header = 6) -> TCP header + payload

A firewall or IDS therefore has to walk the whole chain to find the transport header; it cannot assume the upper layer starts at a fixed offset as it does in IPv4.


Recommended extension header order (RFC 2460) and Next Header values

Order  Header                                        Next Header value
1      Basic IPv6 header                             -
2      Hop-by-Hop Options                            0
3      Destination Options (for the routing header)  60
4      Routing header                                43
5      Fragment header                               44
6      Authentication Header                         51
7      ESP header                                    50
8      Destination Options                           60
9      Mobility header                               135
Upper layer: No Next Header 59, TCP 6, UDP 17, ICMPv6 58
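As an added example (not from the original slides), here is a Python walker over the header chain described above, using only the standard library. It builds constructed test packets, resolves the upper-layer protocol by following Next Header values, and gives up deliberately where a filter must: behind ESP, in a non-first fragment, or when the chain is implausibly long. All packet bytes and addresses are constructed for the example.

```python
"""IPv6 extension header chain walker (added example, constructed packets).

Follows Next Header values from the fixed 40-byte header until it reaches a
transport protocol, and stops where a real filter must stop: behind ESP, in a
non-first fragment, or when the chain is implausibly long.
"""
import ipaddress
import struct

# Next Header values from the order table above
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY, NO_NEXT = 0, 43, 44, 50, 51, 60, 135, 59
TCP, UDP, ICMPV6 = 6, 17, 58
UPPER_LAYER = {TCP, UDP, ICMPV6}
# extension headers whose second octet is a length field
EXT_WITH_LENGTH = {HOP_BY_HOP, ROUTING, DEST_OPTS, AH, MOBILITY}


def walk_headers(pkt: bytes, max_headers: int = 8):
    """Return (chain, upper_layer, offset).

    chain       - extension header numbers in the order seen
    upper_layer - transport protocol number, NO_NEXT, or None if unresolvable
    offset      - byte offset where the upper-layer header starts (or where parsing stopped)
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    if len(pkt) < 40 + payload_len:
        raise ValueError("truncated packet")
    nh, off, chain = pkt[6], 40, []
    while True:
        if nh in UPPER_LAYER or nh == NO_NEXT:
            return chain, nh, off
        if nh == ESP:                          # everything after ESP is encrypted
            chain.append(nh)
            return chain, None, off
        if nh not in EXT_WITH_LENGTH and nh != FRAGMENT:
            return chain, nh, off              # unknown protocol number: treat as upper layer
        if len(chain) >= max_headers or off + 8 > len(pkt):
            return chain, None, off            # absurd chain or truncated header
        chain.append(nh)
        next_nh = pkt[off]
        if nh == FRAGMENT:                     # fixed 8 octets: NH, reserved, offset/flags, ID
            frag_offset = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            off += 8
            if frag_offset != 0:               # transport header lives in the first fragment only
                return chain, None, off
        elif nh == AH:                         # Payload Len counts 32-bit words, minus 2
            off += (pkt[off + 1] + 2) * 4
        else:                                  # Hdr Ext Len in 8-octet units, excluding the first 8
            off += (pkt[off + 1] + 1) * 8
        if off > len(pkt):
            return chain, None, off
        nh = next_nh


def build_packet(ext_types, upper: int, payload: bytes = b"", frag_offset: int = 0) -> bytes:
    """Construct a minimal IPv6 packet whose chain is ext_types followed by upper (test data)."""
    seq = list(ext_types) + [upper]
    body = b""
    for i, nh in enumerate(ext_types):
        nxt = seq[i + 1]
        if nh == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, frag_offset << 3, 0x1234)
        elif nh == AH:                         # 12-octet fixed part + 12-octet ICV = 24 octets -> Payload Len 4
            body += struct.pack("!BBHII", nxt, 4, 0, 0, 0) + b"\x00" * 12
        else:                                  # 8 octets: NH, Hdr Ext Len 0, one PadN option of 4
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])
    body += payload
    hdr = struct.pack("!IHBB", 6 << 28, len(body), seq[0], 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed   # constructed addresses
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return hdr + src + dst + body


if __name__ == "__main__":
    pkt = build_packet([ROUTING, DEST_OPTS], TCP, b"\x00" * 20)
    print(walk_headers(pkt))   # ([43, 60], 6, 56)
```

The walker mirrors what an ACL engine has to do before it can match on a TCP port; note that a non-first fragment and an ESP header both yield `None`, which a policy should treat as "cannot classify" rather than as "permit".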


IPv4: 32 bits, 2^32 = 4,294,967,296 addresses
IPv6: 128 bits, 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
2^128 / 2^32 = 2^96 = 79,228,162,514,264,337,593,543,950,336, i.e. about 7.9 x 10^28 times the number of possible IPv4 addresses


IPv6 addresses are 128 bits long
Written as 8 groups of four hex characters (hextets) separated by colons (:)
Default split is 64 bits for the network ID, 64 bits for the interface ID
The network portion is allocated by the Internet registries; each /64 holds 2^64 (about 1.8 x 10^19) interface IDs

Global unicast address format
Network portion:  gggg:gggg:gggg:ssss  (global routing prefix, n <= 48 bits, followed by a 64 - n bit subnet ID)
Interface ID:     xxxx:xxxx:xxxx:xxxx  (64-bit host portion)

Full format:        2001:0000:0000:00A1:0000:0000:0000:1E2A
Abbreviated format: 2001:0:0:A1::1E2A

Hex digits are not case sensitive (RFC 5952 recommends lowercase in the canonical text form)
Abbreviations are possible: leading zeros in each hextet can be dropped, and one contiguous run of all-zero hextets can be replaced by a double colon (::)
  2001:0db8:0000:130F:0000:0000:087C:140B  ->  2001:db8:0:130F::87C:140B
The double colon can only appear once in an address
IPv6 uses CIDR notation: an IPv4 prefix looks like 98.10.0.0/16 and an IPv6 prefix is written the same way, e.g. 2001:db8:12::/48
Only leading zeros are omitted, never trailing zeros:
  2001:0db8:0012::/48 is the same as 2001:db8:12::/48
  2001:db80:1200::/48 is NOT the same as 2001:db8:12::/48
Because several strings can denote the same address, compare addresses after parsing them, not as text: a log search or ACL that matches on strings misses the variant spellings


Loopback address: 0:0:0:0:0:0:0:1 == ::1  (same role as 127.0.0.1 in IPv4, identifies self)
Unspecified address: 0:0:0:0:0:0:0:0 == ::  (placeholder when no address is available yet: initial DHCPv6 request, Duplicate Address Detection (DAD); NOT the default route)
Default route: ::/0


IPv6 address allocation hierarchy

IANA: 2000::/3 (global unicast)
  Regional Internet Registries (AfriNIC, APNIC, ARIN, LACNIC, RIPE NCC): blocks from /12 to /23
    ISPs: /32
      Sites: /48

Partition of allocated IPv6 address space (cont.)

The low-order 64-bit field (interface ID) of a unicast address may be assigned in several different ways:
Auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g. an Ethernet address)
Auto-generated pseudo-random number (to address privacy concerns)
Assigned via DHCPv6
Manually configured


Modified EUI-64 interface identifier

This format expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle 16 bits and then inverting the universal/local (u) bit of the first octet.

MAC address:    00 90 27 17 FC 0F
Insert FFFE:    00 90 27 FF FE 17 FC 0F
Invert u bit:   02 90 27 FF FE 17 FC 0F   (interface ID 0290:27FF:FE17:FC0F)

The u bit is the second-lowest bit of the first octet (value 0x02). In IEEE MAC addresses u = 0 means universally administered (globally unique) and u = 1 means locally administered; RFC 4291 inverts it in the interface ID, so a globally unique MAC yields u = 1 ("unique") and a locally assigned or manually chosen identifier yields u = 0 ("not unique").

An EUI-64 interface ID reveals the NIC vendor (OUI) and stays the same on every network the host visits, which is the reason privacy extensions exist (covered later).


Addresses are assigned to interfaces
Change from the IPv4 mindset: an interface is expected to have multiple addresses
Addresses have scope: link-local, unique-local, global
Addresses have lifetimes: a valid lifetime and a preferred lifetime


Three unicast address scopes
Link-local: not routable, exists on a single layer-2 domain (FE80::/10, in practice FE80::/64)
  FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
Unique-local: routable within an administrative domain (FC00::/7; FD00::/8 is the locally assigned half in use, FC00::/8 is reserved)
  FCgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  FDgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Global: routable across the Internet (2000::/3)
  2ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  3ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx

Multicast addresses (FF00::/8)
  FFfs:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
  Flags (f) in the 3rd nibble (4 bits), scope (s) in the 4th nibble
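The scope rules above, as an added Python example (not part of the original deck, standard library only): classify() returns the canonical form and the scope, and for multicast the flags and scope nibbles; same_prefix() and acl_permits() show why addresses and prefixes must be compared as parsed objects rather than as strings, using the 2001:db80:1200::/48 versus 2001:db8:12::/48 pitfall from the addressing slides. The addresses in the usage lines come from the slides or are constructed.

```python
"""IPv6 address scope classifier (added example, standard library only)."""
import ipaddress

# RFC 4291 multicast scope values (4th nibble)
MCAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def classify(text: str) -> dict:
    """Return the canonical (RFC 5952) form and scope information for one address."""
    a = ipaddress.IPv6Address(text)
    info = {"canonical": a.compressed}
    if a.is_unspecified:
        info["type"] = "unspecified"
    elif a.is_loopback:
        info["type"] = "loopback"
    elif a.is_multicast:
        flags, scope = a.packed[1] >> 4, a.packed[1] & 0x0F     # 3rd and 4th nibbles
        info.update(type="multicast", flags=flags,
                    transient=bool(flags & 0x1),                 # T flag: not an IANA-assigned group
                    scope=MCAST_SCOPES.get(scope, f"reserved-{scope:x}"),
                    solicited_node=a in SOLICITED_NODE)
    elif a in ipaddress.IPv6Network("fe80::/10"):
        info["type"] = "link-local"
    elif a in ipaddress.IPv6Network("fc00::/7"):
        info["type"] = "unique-local"
        info["locally_assigned"] = a in ipaddress.IPv6Network("fd00::/8")   # L bit set
    elif a in ipaddress.IPv6Network("2000::/3"):
        info["type"] = "global-unicast"
    else:
        info["type"] = "reserved"
    return info


def same_prefix(p: str, q: str) -> bool:
    """Compare prefixes as networks, never as text."""
    return ipaddress.IPv6Network(p, strict=False) == ipaddress.IPv6Network(q, strict=False)


def acl_permits(addr: str, permitted_prefixes) -> bool:
    """Parse first, then match; string matching misses case and zero-compression variants."""
    a = ipaddress.IPv6Address(addr)
    return any(a in ipaddress.IPv6Network(p, strict=False) for p in permitted_prefixes)


if __name__ == "__main__":
    for sample in ("FE80::200:CFF:FE3A:8B18", "fd12:3456::1", "2001:db8::1", "FF02::1:FF3A:8B18", "FF05::1:3"):
        print(sample, classify(sample))
    print(same_prefix("2001:0db8:0012::/48", "2001:db8:12::/48"))   # True
    print(same_prefix("2001:db80:1200::/48", "2001:db8:12::/48"))   # False
```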

Unicast: address of a single interface; one-to-one delivery to a single interface
Multicast: address of a set of interfaces; one-to-many delivery to all interfaces in the set
Anycast: address of a set of interfaces; one-to-one-of-many delivery to the single interface in the set that is closest
No more broadcast addresses (the all-nodes multicast group FF02::1 takes that role on the link)


An interface can have many addresses allocated to it

Address type              Requirement  Comment
Link-local                Required     Required on all interfaces
Unique-local              Optional     Valid only within an administrative domain
Global unicast            Optional     Globally routed prefix
Auto-config 6to4          Optional     Used for 2002::/16 6to4 tunnelling
Solicited-node multicast  Required     Neighbor Discovery and Duplicate Address Detection (DAD)
All-nodes multicast       Required     For ICMPv6 messages


Well-known multicast addresses

Address            Scope                          Meaning
FF01::1            Interface-local (node-local)   All nodes
FF01::2            Interface-local (node-local)   All routers
FF02::1            Link-local                     All nodes
FF02::2            Link-local                     All routers
FF02::5            Link-local                     OSPFv3 routers
FF02::6            Link-local                     OSPFv3 designated routers
FF02::1:FFXX:XXXX  Link-local                     Solicited-node

http://www.iana.org/assignments/ipv6-multicast-addresses


R1#show ipv6 interface e0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  No global unicast address is configured
  Joined group address(es):
    All Nodes FF02::1
    All Routers FF02::2
    Solicited Node Multicast Address FF02::1:FF3A:8B18
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
R1#

Note how the solicited-node group FF02::1:FF3A:8B18 is derived from the low 24 bits (3A:8B18) of the link-local address.


Function            IPv4                     IPv6
Address assignment  DHCPv4                   DHCPv6, SLAAC, reconfiguration
Address resolution  ARP, RARP                Neighbor Solicitation / Neighbor Advertisement (NS, NA)
Router discovery    ICMP Router Discovery    Router Solicitation / Router Advertisement (RS, RA)
Name resolution     DNS (A records)          DNS (AAAA records)


Internet Control Message Protocol version 6 (ICMPv6)
RFC 4443 (obsoletes RFC 2463); a modification of ICMP for IPv4
Message types are similar, but with different type and code numbers:
Destination unreachable (type 1)
Packet too big (type 2)
Time exceeded (type 3)
Parameter problem (type 4)
Echo request / reply (types 128 and 129)

ICMPv6 also carries Neighbor Discovery (types 133-137) and MLD, so it cannot simply be blocked at the edge the way ICMP often is in IPv4. Packet Too Big in particular must be allowed through, because routers no longer fragment and path MTU discovery depends on it (see RFC 4890 for filtering guidance).


Neighbor Discovery (ND)
Replaces ARP and the ICMP redirect and router discovery functions
Tracks reachability of neighbors
Hosts use it to discover routers and to autoconfigure addresses
Duplicate Address Detection (DAD)


Neighbor Discovery uses ICMPv6 messages originated from a node's link-local address with a hop limit of 255 (a receiver discards ND messages whose hop limit is not 255, which proves they were not forwarded by a router)
Each consists of an IPv6 header, ICMPv6 header, Neighbor Discovery header and Neighbor Discovery options
Five Neighbor Discovery messages:
Router Solicitation (ICMPv6 type 133)
Router Advertisement (ICMPv6 type 134)
Neighbor Solicitation (ICMPv6 type 135)
Neighbor Advertisement (ICMPv6 type 136)
Redirect (ICMPv6 type 137)


Neighbor Solicitation / Neighbor Advertisement (host A resolving the link-layer address of host B)

Neighbor Solicitation
  ICMPv6 type: 135
  IPv6 source: A (unicast)
  IPv6 destination: solicited-node multicast address of B
  Data: target = B's FE80:: address; query "what is B's link-layer address?"

Neighbor Advertisement
  ICMPv6 type: 136
  IPv6 source: B (unicast)
  IPv6 destination: A (unicast)
  Data: B's FE80:: address and its MAC address (target link-layer address option)


Router Solicitation / Router Advertisement

Router Solicitation
  ICMPv6 type: 133
  IPv6 source: host A's link-local address (e.g. FE80::1)
  IPv6 destination: all-routers multicast (FF02::2)
  Query: please send an RA

Router Advertisement
  ICMPv6 type: 134
  IPv6 source: the router's link-local address (e.g. FE80::2)
  IPv6 destination: all-nodes multicast (FF02::1)
  Data: options, subnet prefix, lifetimes, autoconfiguration flags

Router Solicitations (RS) are sent by booting nodes to request RAs for configuring their interfaces
Routers send periodic Router Advertisements (RA) to the all-nodes multicast address

Stateless address autoconfiguration: an address is automatically assigned to a host, plug and play
Steps: generate a link-local address; generate global addresses from the prefixes in Router Advertisements; run Duplicate Address Detection (DAD) to verify the uniqueness of each address on the link

Example: host A with MAC 00:2c:04:00:fe:56; router R1 advertises 2001:db8:face::/64
1. A sends a Router Solicitation
2. R1 answers with a Router Advertisement (Ethernet DA/SA, prefix information 2001:db8:face::/64, default router R1)
3. A runs DAD on the candidate address
The host's autoconfigured address = prefix received + interface ID derived from the link-layer address, if the DAD check passes: 2001:db8:face::22c:4ff:fe00:fe56
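The derivation in steps 1-3 and on the earlier EUI-64 slide, as an added Python example (not from the original deck, standard library only). It turns a MAC into a modified EUI-64 interface ID, forms the link-local and SLAAC addresses from it, computes the solicited-node multicast group that DAD and Neighbor Solicitation use, and reverses the process to recover the MAC from an address, which is what an attacker doing reconnaissance does. The MACs and prefix are the ones shown on the slides.

```python
"""EUI-64 / SLAAC / solicited-node derivations (added example, standard library only)."""
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64: insert FFFE, invert the u/l bit (RFC 4291 App. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix from the RA + EUI-64 interface ID = the address SLAAC configures (after DAD)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix (RFC 4862)")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    return slaac_address("fe80::/64", mac)


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13] + low24)


def mac_from_eui64_address(addr: str):
    """Reconnaissance inverse: recover the MAC if the interface ID is a modified EUI-64, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    host = slaac_address("2001:db8:face::/64", "00:2c:04:00:fe:56")
    print(host, solicited_node_multicast(str(host)), mac_from_eui64_address(str(host)))
```

Because the interface ID is a pure function of the MAC, anyone who learns one address of a host learns its MAC, and therefore the host's address on every other /64 it visits.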


DNS records for IPv4 and IPv6

Hostname to IP address
  IPv4 A record:      www.abc.test. A 192.168.30.1
  IPv6 AAAA record:   www.abc.test. AAAA 2001:db8:C18:1::2

IP address to hostname
  IPv4 PTR record:    1.30.168.192.in-addr.arpa. PTR www.abc.test.
  IPv6 PTR record:    2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.

The ip6.arpa name is the fully expanded address written as 32 nibbles in reverse order; no zero compression is possible there.
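The ip6.arpa mapping above, as an added Python example (not from the original deck, standard library only): it produces the reverse name for an address, parses a reverse name back into an address (useful when reading resolver logs or walking a reverse zone), and names the zone that holds the PTRs for a nibble-aligned prefix. The record values are those on the slide.

```python
"""ip6.arpa reverse-mapping helpers (added example, standard library only)."""
import ipaddress

HEX = set("0123456789abcdef")


def ptr_name(addr: str) -> str:
    """Owner name of the PTR record: all 32 nibbles, reversed, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_ptr(name: str) -> ipaddress.IPv6Address:
    """Inverse of ptr_name; rejects names that are not a full 32-nibble ip6.arpa owner."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not an ip6.arpa name")
    nibbles = labels[:-2]
    if len(nibbles) != 32 or not all(len(n) == 1 and n in HEX for n in nibbles):
        raise ValueError("expected 32 single hex-digit labels")
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))


def reverse_zone(prefix: str) -> str:
    """Zone that holds the PTRs for a prefix; the cut must fall on a nibble (4-bit) boundary."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    name = ptr_name("2001:db8:C18:1::2")
    print(name, address_from_ptr(name), reverse_zone("2001:db8:c18::/48"))
```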


Dual-stack name resolution

Zone data on the DNS server (reachable over IPv4 and/or IPv6):
  www IN A 192.168.0.3
  www IN AAAA 2001:db8:1::1

A host asks "www.example.org = * ?" and may receive the IPv4 address 192.168.0.3, the IPv6 address 2001:db8:1::1, or both

In the dual-stack case an application that:
Is IPv4- and IPv6-enabled
Can query the DNS for IPv4 (A) and/or IPv6 (AAAA) records
Chooses one address and, for example, connects to the IPv6 address

Domain name with an IPv6 address only (packet capture; the DNS queries are carried over IPv4 between the host 64.104.197.141 and the resolver 64.104.200.248)

  0.000  64.104.197.141 -> 64.104.200.248  DNS  Standard query A ipv6.google.com
         Initial query over IPv4 for an IPv4 A record
  0.158  64.104.200.248 -> 64.104.197.141  DNS  Standard query response CNAME ipv6.l.google.com
         The response refers to an alias/canonical name, with no A record
  0.000  64.104.197.141 -> 64.104.200.248  DNS  Standard query AAAA ipv6.google.com
         The host immediately sends a request for the AAAA record (original FQDN)
  0.135  64.104.200.248 -> 64.104.197.141  DNS  Standard query response CNAME ipv6.l.google.com AAAA 2404:6800:8004::68
         IPv6 address of the canonical name returned

Domain name with both addresses

  0.000  64.104.197.141 -> 64.104.200.248  DNS  Standard query A www.apnic.net
         Initial query over IPv4 for an IPv4 A record
  0.017  64.104.200.248 -> 64.104.197.141  DNS  Standard query response A 202.12.29.211
         IPv4 address returned
  0.000  64.104.197.141 -> 64.104.200.248  DNS  Standard query AAAA www.apnic.net
         The host immediately sends a request for the AAAA record
  0.017  64.104.200.248 -> 64.104.197.141  DNS  Standard query response AAAA 2001:dc0:2001:11::211
         IPv6 address of the FQDN returned
  0.001  2001:420:1:fff::2 -> 2001:dc0:2001:11::211  ICMPv6  Echo request
  0.023  2001:dc0:2001:11::211 -> 2001:420:1:fff::2  ICMPv6  Echo reply
         The host prefers the IPv6 address (default address selection policy; configurable)


IPv6 address assignment methods

Manual assignment: statically configured by a human operator
Stateless Address Autoconfiguration (SLAAC, RFC 4862): allows auto-assignment of addresses through Router Advertisements
Stateful DHCPv6 (RFC 3315): allows DHCPv6 to allocate IPv6 addresses plus other configuration parameters (DNS, NTP, etc.)
DHCPv6 Prefix Delegation (DHCPv6-PD, RFC 3633): allows DHCPv6 to allocate entire subnets to a router/CPE device for further allocation
Stateless DHCPv6 (RFC 3736): combination of SLAAC for host address allocation and DHCPv6 for additional parameters such as DNS servers and NTP
(RFC 3315, 3633 and 3736 have since been consolidated into RFC 8415)

DHCPv6: updated version of DHCP for IPv6
Supports the new addressing; can be used for renumbering
The DHCP process is the same as in IPv4, but:
The client first detects the presence of routers on the link (Router Solicitation)
If a router is found, it examines the Router Advertisement flags (M and O) to determine whether DHCPv6 should be used
If no router is found, or if the RA says DHCPv6 can be used, a DHCPv6 Solicit message is sent to the All-DHCP-Agents multicast address, using the link-local address as the source address

Multicast addresses used:
  FF02::1:2 = All DHCP Agents (servers or relays, link-local scope)
  FF05::1:3 = All DHCP Servers (site-local scope)
DHCPv6 messages: clients listen on UDP port 546; servers and relay agents listen on UDP port 547

Unlike DHCPv4, DHCPv6 does not tell the client its default gateway; that always comes from the RA, so a rogue RA hijacks traffic even on a DHCPv6-managed network.


RA messages contain flags that select the address allocation method (A, M and O bits): SLAAC only, stateful DHCPv6, or SLAAC plus DHCPv6 for other options

Scenario: stateful DHCPv6
Router Advertisement from Router 1 (also the DHCPv6 relay) for 2001:db8:face::/64:
  A bit (autonomous address-configuration flag, in the prefix option) = 0: do not use SLAAC for the host address
  M bit (managed address-configuration flag) = 1: use DHCPv6 for the host IPv6 address
  O bit (other-configuration flag) = 1: use DHCPv6 for additional information (DNS, NTP)
1. Host A receives the RA
2. Host A sends a DHCPv6 Solicit to FF02::1:2 (all DHCP relays and servers); Router 1 relays it to the DHCP server
3. The DHCP server returns 2001:db8:face::1/64, DNS1, DNS2, NTP


RA messages contain flags that select the address allocation method (A, M and O bits): SLAAC only, stateful DHCPv6, or SLAAC plus DHCPv6 for other options

Scenario: SLAAC plus stateless DHCPv6
Router Advertisement from Router 1 (also the DHCPv6 relay):
  A bit = 1: use SLAAC for the host address, on-link prefix 2001:db8:face::/64
  M bit = 0: do not use DHCPv6 for the IPv6 address
  O bit = 1: use DHCPv6 for additional information (DNS, NTP)
1. Host A receives the RA
2. Host A forms 2001:db8:face::22c:4ff:fe00:fe56 by SLAAC
3. Host A sends a DHCPv6 request for options only (an Information-Request) to FF02::1:2
4. The DHCP server returns DNS1, DNS2, NTP


A wide range of transition techniques have been identified and implemented, basically falling into three categories:
Dual-stack techniques, to allow IPv4 and IPv6 to coexist in the same devices and networks
Tunneling techniques, to avoid order dependencies when upgrading hosts, routers or regions
Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
Expect all of these to be used, in combination


Dual-stack network

Topology: dual-stack application -> CE -> PE -> IPv4/IPv6 core -> PE -> CE; the edges carry IPv4 and/or IPv6, and some or all interfaces in the core are configured for both address families

All P and PE routers are capable of IPv4 + IPv6 support
Two IGPs supporting IPv4 and IPv6
Memory considerations for larger routing tables
Native IPv6 multicast support
All IPv6 traffic routed in the global table
Good for content distribution and global services (Internet)

Dual-stack configuration example (IOS): enable IPv6 routing and configure both address families on the interface

ipv6 unicast-routing
interface Ethernet0
 ip address 192.168.99.1 255.255.255.0
 ipv6 address 2001:db8:213:1::1/64


Dual-stack node

An IPv6-enabled application sits on both stacks: TCP/UDP over IPv4 (Ethernet frame protocol ID 0x0800) and TCP/UDP over IPv6 (Ethernet frame protocol ID 0x86DD), over the same data link (Ethernet)
Preferred method on application servers

Dual-stack node means:
Both IPv4 and IPv6 stacks enabled
Applications can talk to both
Choice of the IP version is based on name lookup and application preference

Both EtherTypes must therefore be covered by filtering and monitoring; a policy that only inspects 0x0800 frames is blind to the IPv6 half of the host.

Tunneling techniques
GRE, manual (IPv6-in-IPv4), 6to4, DMVPN, ISATAP, MPLS (manual), MPLS 6PE


GRE tunnel carrying IPv6 between two dual-stack routers across an IPv4 network

Router1: IPv4 192.168.99.1, IPv6 2001:db8:800:1::3, with an IPv6 network behind it
Router2: IPv4 192.168.30.1, IPv6 2001:db8:800:1::2, with an IPv6 network behind it

router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/128
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode gre ip

router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/128
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode gre ip

Note: with IPv4 tunnel source and destination addresses the delivery protocol is IPv4, which is the IOS default "tunnel mode gre ip"; "tunnel mode gre ipv6" selects GRE over an IPv6 delivery header and needs IPv6 tunnel endpoints.


Manual IPv6-in-IPv4 tunnel (IP protocol 41) between two dual-stack routers across an IPv4 network

Router1: IPv4 192.168.99.1, IPv6 2001:db8:800:1::3, with an IPv6 network behind it
Router2: IPv4 192.168.30.1, IPv6 2001:db8:800:1::2, with an IPv6 network behind it

router1#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::3/127
 tunnel source 192.168.99.1
 tunnel destination 192.168.30.1
 tunnel mode ipv6ip

router2#
interface Tunnel0
 ipv6 enable
 ipv6 address 2001:db8:c18:1::2/127
 tunnel source 192.168.30.1
 tunnel destination 192.168.99.1
 tunnel mode ipv6ip


6to4 automatic tunnel

Topology: IPv6 network (CE, 2002:c80f:0f01::/48, tunnel endpoint 200.15.15.1 on e0/0) -> PE -> IPv4 backbone, where the IPv6 packet travels inside an IPv4 header (protocol 41) -> PE -> IPv6 network (CE, 2002:c80b:0b01::/48, tunnel endpoint 200.11.11.1 on e0/0). P routers in the diagram use 2002:c80f:0f01:100::1 and 2002:c80b:0b01:100::1.

Automatic tunnel method using the 2002::/16 range: 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the IPv4 endpoint address in hex, e.g. 2002:c80f:0f01:: = 200.15.15.1
No impact on the existing IPv4 or MPLS core (IPv6-unaware)
Tunnel endpoints have to be IPv6- and IPv4-aware (dual stack)
Transition technology, not for long-term use (the 6to4 anycast relay service has since been deprecated by RFC 7526)
No multicast support; static routing
Intrinsic linkage between the destination IPv6 subnet and the IPv4 gateway interface: the IPv4 gateway = tunnel endpoint

Security note: any IPv4 host can send protocol-41 packets to a 6to4 endpoint with an arbitrary inner IPv6 source, so endpoints must check that the embedded IPv4 address of a 2002:: source matches the outer IPv4 source and drop the rest (RFC 3964).

6to4 relay

Topology: IPv6 network (CE, 2002:c80f:0f01::/48, 200.15.15.1 on e0/0) -> PE -> IPv4 backbone (IPv6 packet inside an IPv4 header) -> 6to4 relay PE (192.88.99.1 on lo0, 2002:c058:6301::1 on lo0) -> IPv6 Internet (2000::/3)

A 6to4 relay allows access to the global IPv6 network
Can use the tunnel anycast address 192.88.99.1 (its 6to4 form is 2002:c058:6301::)
The 6to4 router finds the closest 6to4 relay router; the return path can be asymmetric, and both directions pass through relays you do not control
Default route to the IPv6 Internet via the relay
BGP can also be used to select a particular 6to4 relay based on prefix, allowing more granular routing policy

Additional and increased focus on IPv6 at security conferences such as Black Hat, CanSecWest and others
Companies are putting additional effort into IPv6 vulnerability research: Stonesoft released 163 new Advanced Evasion Techniques, 12 of them IPv6-specific
Private security researchers are also putting additional focus on IPv6: Chinese researchers, Marc Heuse, Fernando Gont, to name a few
UK's CPNI (the Centre for the Protection of National Infrastructure): 220-page report, "Security Assessment of the Internet Protocol version 6 (IPv6)"


The Hacker's Choice, THC-IPv6: http://thc.org/thc-ipv6/
Over 30 tools; included in BackTrack; a private version is available
A sampling:
parasite6: ICMPv6 neighbor solicitation/advertisement spoofer, puts you in as man-in-the-middle, same as ARP MITM (and parasite)
dnsdict6: parallelized DNS IPv6 dictionary brute-forcer
fake_router6: announce yourself as a router on the network, with the highest priority
flood_router6: flood a target with random router advertisements


The industry as a whole has far less experience with IPv6 than with IPv4
IPv6 implementations have not been proven over time
Security tools such as firewalls and IDS have varying levels of IPv6 support; even when support is claimed, the level of support varies widely
IPv6 brings added complexity, which is the enemy of security
Network engineers and security operations staff are not fully trained on IPv6


Default subnets in IPv6 have 2^64 addresses
At 10 Mpps, a brute-force sweep of a single /64 takes more than 50,000 years
At the time of this deck, Nmap did not support ping sweeps across IPv6 address ranges
2^128 / 6.5 billion = about 5.2 x 10^28 IPv6 addresses per person (the world's population is approximately 6.5 billion)


Public servers will still need to be reachable through DNS; expect increased deployment of and reliance on Dynamic DNS, so there is more information in DNS
Admins might adopt easy-to-remember addresses such as ::20, ::F00D, ::CAFE, or the last IPv4 octet
Transition technologies derive IPv6 addresses from IPv4 addresses (6to4, ISATAP, Teredo)

Brute-force IPv6 scanning assumes that addresses are randomly distributed; this has been shown not to be the case*:
  SLAAC: interface ID based on the MAC address (vendor OUI and the FFFE pattern)
  IPv4-based (2001:0db8::192.168.100.1)
  Low numbers (2001:0db8:1:1::1)
(*) Malone, D. 2008. Observations of IPv6 Addresses. Passive and Active Measurement Conference (PAM 2008, LNCS 4979), 29-30 April 2008.
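The observation above (interface IDs cluster in a few patterns), as an added Python example (not from the original deck, standard library only): a candidate generator that enumerates the low-number, hex-word, IPv4-derived and EUI-64 interface IDs for one /64, which is the basis of "smart" IPv6 scanning and, read the other way, of spotting such scans in your own logs. The prefix, IPv4 hosts and OUI in the usage lines are constructed; the NIC-specific part of the EUI-64 pattern defaults to a tiny range so the example stays small.

```python
"""Candidate interface IDs for one /64, following the patterns observed by Malone (added example)."""
import ipaddress

HEX_WORDS = ("cafe", "f00d", "beef", "dead", "babe", "face", "c0de")


def candidate_addresses(prefix, ipv4_hosts=(), ouis=(), nic_values=range(0, 16), low_max=256, words=HEX_WORDS):
    """Return a list of (address, reason) pairs, without duplicates.

    ipv4_hosts: IPv4 addresses the site is known to use (admins and transition tech embed them)
    ouis:       vendor OUIs seen on site, e.g. "00:2c:04"; nic_values are the low 24 bits to try
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expects a /64 subnet")
    base = int(net.network_address)
    out, seen = [], set()

    def add(iid: int, reason: str):
        addr = ipaddress.IPv6Address(base | (iid & 0xFFFFFFFFFFFFFFFF))
        if addr not in seen:
            seen.add(addr)
            out.append((addr, reason))

    for n in range(1, low_max + 1):                         # ::1, ::2, ... ::100
        add(n, "low-number")
    for w in words:                                          # ::cafe, ::f00d, ...
        add(int(w, 16), "hex-word")
    for host in ipv4_hosts:
        v4 = ipaddress.IPv4Address(host)
        add(int(v4), "ipv4-embedded")                        # prefix::192.168.100.1 == prefix::c0a8:6401
        add(sum(int(x, 16) << (48 - 16 * i) for i, x in enumerate(str(v4).split("."))),
            "ipv4-as-hextets")                               # prefix::192:168:100:1 typed as hex groups
        add(int(v4) & 0xFF, "last-ipv4-octet")
    for oui in ouis:
        oui_int = int(oui.replace(":", "").replace("-", ""), 16) ^ 0x020000   # u/l bit inverted
        for nic in nic_values:
            add((oui_int << 40) | (0xFFFE << 24) | (nic & 0xFFFFFF), "eui-64")
    return out


def reason_for(candidates, text: str):
    """Look up why a given address (any spelling) was generated, or None if it was not."""
    a = ipaddress.IPv6Address(text)
    return next((r for c, r in candidates if c == a), None)


if __name__ == "__main__":
    # constructed inputs: an example prefix, one known IPv4 host and one vendor OUI
    cands = candidate_addresses("2001:db8:1::/64", ipv4_hosts=["192.168.100.1"], ouis=["00:2c:04"])
    print(len(cands), "candidates instead of 2^64; first few:", cands[:3])
```

The list is a few hundred entries for a subnet that would otherwise need 2^64 probes; the same function, run against your own prefixes, tells you which hosts are findable without any DNS leak.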

Well-known multicast groups help reconnaissance

3 site-local multicast addresses: FF05::2 all routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers
Several link-local multicast addresses: FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, ...
Some deprecated (RFC 3879) site-local addresses are still used: FEC0:0:0:FFFF::1 DNS server

Not feasible from remote: site-scoped multicast is not forwarded beyond the site boundary, so the attacker has to be inside the site (or on a compromised host)

Example from the slide: a single packet from the attacker to FF05::1:3 carrying a DHCP attack payload reaches every DHCPv6 server in the site (2001:db8:1::60, 2001:db8:2::50 and 2001:db8:3::70 in the diagram)
  Source    Destination  Payload
  Attacker  FF05::1:3    DHCP attack

http://www.iana.org/assignments/ipv6-multicast-addresses/


BitTorrent will expose IPv6 peers
Look in web server log files for IPv6 addresses; convince the target to browse to your web server
Email headers from the target
Mailing list archives


ICMPv6 echo request/response (to multicast groups)
Send invalid ICMPv6 options and nodes will be forced to reply (Parameter Problem)
Use traceroute6
Look for well-known IPv4 addresses that are linked to IPv6 (e.g. Teredo)
Read the Neighbor Discovery cache of already compromised hosts

root@bt:~# alive6 -s 1 eth1
Alive: 2001:470:67b9:1:234:36ff:fe9c:3132
Alive: 2001:470:67b9:1:21d:29ff:fef9:bc06
Alive: 2001:470:67b9:1:22f:29ff:fe61:1ea1
Alive: 2001:470:67b9:1:259:29ff:fe40:e19a
Alive: 2001:470:67b9:1:231:ebff:fef7:f140
Alive: fe80::ebff:d4ff:fedd:c572
Alive: 2001:470:67b9:1:b917:c2ff:fed9:6b1b
Alive: 2001:470:67b9:1:993:cbff:fea3:1733
Alive: 2001:470:67b9:1:675:dfff:fede:4875
Alive: 2001:470:67b9:1:b67d:caff:fe1b:c7a7
Alive: 2001:470:67b9:1:b78f:cbff:fee9:fd7f
Found 11 systems alive

root@bt:~# ip -6 neigh show
2001:470:67b9:1:7273:cbff:fee9:ddf3 dev eth1 lladdr 70:73:cb:e9:dd:f3 DELAY
2001:470:67b9:1:224:36ff:fe9c:ff56 dev eth1 lladdr 00:24:36:9c:ff:56 DELAY
2001:470:67b9:1:216:cbff:fea3:dd44 dev eth1 lladdr 00:16:cb:a3:dd:44 DELAY
2001:470:67b9:1:223:dfff:fede:1122 dev eth1 lladdr 00:23:df:de:11:22 DELAY
fe80::223:ebff:fedd:1298 dev eth1 lladdr 00:23:eb:dd:12:98 DELAY
2001:470:67b9:1:ba17:c2ff:fed9:11ed dev eth1 lladdr b8:17:c2:d9:11:ed DELAY
2001:470:67b9:1:5a55:caff:fe1b:dfee dev eth1 lladdr 58:55:ca:1b:df:ee DELAY

Note the ff:fe in the middle of nearly every interface ID: these hosts use EUI-64 addresses, and the neighbor cache shows the MAC each one derives from.


Privacy extensions (RFC 4941, now RFC 8981)

Address structure: /23 registry block (2001), /32 ISP, /48 site, /64 subnet, then the 64-bit interface ID

Temporary addresses for IPv6 host client applications, e.g. a web browser
Inhibit device/user tracking
Random 64-bit interface ID, then run Duplicate Address Detection before using it
Rate of change based on local policy
A host can have this address in addition to the EUI-64 address (based on the MAC address) on an interface

Recommendation: use privacy extensions for external communication but not for internal networks (troubleshooting and attack trace-back)

Google: many sites use ipv6.example.com or ip6.example.com during the transition phase; search for site:ipv6* or site:ip6*
Do an AXFR (zone transfer) if the DNS server is misconfigured to allow it
If DNSSEC is being used, try an NSEC walk; NSEC3 records make this more difficult
Try a brute force: perform automated AAAA lookups based on a preconfigured dictionary (i.e. look up firewall.example.com, server1.example.com, mail.example.com)


Your host: IPv4 is protected by your favorite personal firewall, but IPv6 is enabled by default (Vista, Linux, Mac OS X, ...)
Your network: does not run IPv6
Your assumption: I'm safe

Reality: you are not safe
An attacker sends Router Advertisements
Your host silently configures IPv6
You are now under IPv6 attack
=> Probably time to think about IPv6 in your network


Easy to check!
Look inside NetFlow records for:
  Protocol 41: IPv6 over IPv4, or 6to4 tunnels
  IPv4 address 192.88.99.1 (6to4 anycast relay)
  UDP 3544, the public part of Teredo, yet another tunnel
Look into the DNS server log for resolution of ISATAP (hosts query isatap.<domain> to find a tunnel router)

Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW
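The NetFlow checks above, as an added Python example (not from the original deck, standard library only): a classifier over constructed flow records that flags protocol 41, the 6to4 anycast relay 192.88.99.1 and Teredo's UDP/3544, plus a decoder that pulls the embedded IPv4 endpoints out of 6to4 and Teredo addresses so an analyst can see which inside hosts are tunnelling. The flow records and inside/outside IPv4 addresses are constructed sample data; the Teredo address is the one used in the Python documentation for the teredo property.

```python
"""Tunnel detection in flow records (added example, constructed data, standard library only)."""
import ipaddress

SIXTOFOUR_RELAY = ipaddress.IPv4Address("192.88.99.1")
IPV6_IN_IPV4 = 41
TEREDO_PORT = 3544

# Constructed sample flows: src,dst,proto,sport,dport,bytes
SAMPLE_FLOWS = """\
10.1.1.23,192.88.99.1,41,0,0,1480
10.1.1.45,203.0.113.9,17,52000,3544,612
10.1.1.7,198.51.100.20,6,51234,443,9021
10.1.1.45,198.51.100.77,41,0,0,2300
"""


def tunnel_indicators(src, dst, proto, sport, dport):
    """Return the list of reasons a single flow looks like an IPv6 tunnel (empty if none)."""
    reasons = []
    if proto == IPV6_IN_IPV4:
        reasons.append("protocol 41: IPv6 in IPv4 (6to4, 6in4 or ISATAP)")
    if SIXTOFOUR_RELAY in (src, dst):
        reasons.append("6to4 anycast relay 192.88.99.1")
    if proto == 17 and TEREDO_PORT in (sport, dport):
        reasons.append("UDP/3544: Teredo")
    return reasons


def find_tunnels(text: str):
    """Return (line_no, src, dst, reasons) for every flow record that matches an indicator."""
    hits = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        s, d, proto, sport, dport, _ = line.split(",")
        reasons = tunnel_indicators(ipaddress.IPv4Address(s), ipaddress.IPv4Address(d),
                                    int(proto), int(sport), int(dport))
        if reasons:
            hits.append((n, s, d, reasons))
    return hits


def embedded_ipv4(addr: str) -> dict:
    """Pull the IPv4 endpoints out of 6to4 (2002::/16) and Teredo (2001::/32) addresses."""
    a = ipaddress.IPv6Address(addr)
    out = {}
    if a.sixtofour is not None:
        out["6to4_endpoint"] = str(a.sixtofour)
    if a.teredo is not None:
        server, client = a.teredo          # the client address is stored XORed with 0xFFFFFFFF
        out["teredo_server"], out["teredo_client"] = str(server), str(client)
    return out


if __name__ == "__main__":
    for hit in find_tunnels(SAMPLE_FLOWS):
        print(hit)
    print(embedded_ipv4("2002:c80f:0f01::1"))
```

Run over real exports, the two hits on 10.1.1.45 (Teredo and protocol 41 to different destinations) are the pattern to chase first: a host that tunnels by two methods is usually one whose IPv6 stack is on and unmanaged.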

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

81

2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

82
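An added example, not part of the original deck, of the check described above: it scans constructed NetFlow-style records and DNS query-log lines for the three tunnel indicators named on the slide (protocol 41, 192.88.99.1, UDP 3544) plus ISATAP name lookups, and reports which internal hosts show signs of tunnelled IPv6. The record fields, addresses and log format are assumptions.

```python
SIXTO4_ANYCAST = "192.88.99.1"   # public 6to4 relay anycast address named on the slide
TEREDO_PORT = 3544               # Teredo's well-known UDP port

# Constructed NetFlow-style records (not real traffic): (src, dst, proto, sport, dport)
FLOWS = [
    ("10.1.2.3", "192.88.99.1", 41, 0, 0),
    ("10.1.2.4", "198.51.100.9", 41, 0, 0),
    ("10.1.2.5", "203.0.113.7", 17, 51000, 3544),
    ("10.1.2.6", "203.0.113.8", 6, 51001, 443),
]
# Constructed DNS query-log lines (not real logs): "<client> query: <name> IN <type>"
DNS_LOG = [
    "10.1.2.7 query: isatap.example.com IN A",
    "10.1.2.6 query: www.example.com IN AAAA",
]

def flag_flow(src, dst, proto, sport, dport):
    """Return the IPv6 tunnel indicators that a single flow record matches."""
    hits = []
    if proto == 41:
        hits.append("proto41")        # IPv6-in-IPv4 encapsulation (manual or 6to4 tunnel)
    if SIXTO4_ANYCAST in (src, dst):
        hits.append("6to4-anycast")   # talking to the public 6to4 relay
    if proto == 17 and TEREDO_PORT in (sport, dport):
        hits.append("teredo")         # Teredo: IPv6 inside UDP, crosses NAT and IPv4 firewalls
    return hits

def flag_dns(line):
    """ISATAP hosts resolve a well-known router name before tunnelling; spot the lookup."""
    return "isatap" if "isatap." in line.lower() else None

def latent_ipv6_report(flows=FLOWS, dns_log=DNS_LOG):
    """Map each internal host to the set of tunnel indicators it exhibits."""
    report = {}
    for src, dst, proto, sport, dport in flows:
        for hit in flag_flow(src, dst, proto, sport, dport):
            report.setdefault(src, set()).add(hit)
    for line in dns_log:
        hit = flag_dns(line)
        if hit:
            report.setdefault(line.split()[0], set()).add(hit)
    return report

if __name__ == "__main__":
    for host, hits in sorted(latent_ipv6_report().items()):
        print(f"{host}: {sorted(hits)}")
```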

Router Advertisements contain:
- Prefix to be used by hosts
- Data-link layer address of the router
- Miscellaneous options: MTU, DHCPv6 use, ...
RA w/o Any Authentication Gives Exactly the Same Level of Security as DHCPv4 (None)
[Diagram: host sends 1. RS; two routers each answer with 2. RA, labelled MITM and DoS]
1. RS: Data = Query: please send RA
2. RA: Data = options, prefix, lifetime, A+M+O flags

Devastating:
- Denial of service: all traffic sent to a black hole
- Man in the Middle attack: attacker can intercept, listen, modify unprotected data
Also affects legacy IPv4-only network with IPv6-enabled hosts
Most of the time from non-malicious users
Requires layer-2 adjacency (some relief)
The major blocking factor for enterprise IPv6 deployment

Where               What
Routers             Increase legal router preference
Hosts               Disabling Stateless Address Autoconfiguration
Routers & Hosts     SeND Router Authorization
Switch (First Hop)  Host isolation
Switch (First Hop)  Port Access List (PACL)
Switch (First Hop)  RA Guard

RFC 3972 Cryptographically Generated Addresses (CGA)
- IPv6 addresses whose interface identifiers are cryptographically generated from the node public key
- SeND adds a signature option to Neighbor Discovery Protocol, using the node private key
- Node public key is sent in the clear (and linked to CGA)
- Very powerful, if MAC spoofing is prevented
- But, not a lot of implementations: Cisco IOS, Linux, some H3C, third party for Windows

Each device has an RSA key pair (no need for cert)
- Ultra light check for validity
- Prevent spoofing a valid CGA address
[Diagram: RSA Keys (Priv, Pub); Modifier + Public Key + Subnet Prefix -> SHA-1 -> Interface Identifier; Crypto. Generated Address = Subnet Prefix + Interface Identifier; CGA Params and Signature carried in SeND Messages]
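To make the diagram concrete, here is an added Python implementation (not Cisco's or any SeND stack's code) of CGA generation and verification following RFC 3972: Hash1 over the CGA Parameters gives the interface identifier, Hash2 over modifier and key enforces the Sec work factor, and the verifier recomputes both so that a node cannot claim someone else's address with its own key. The public key is a constructed placeholder byte string; a real implementation carries the DER-encoded RSA key and the SeND signature, which is not modelled here.

```python
import hashlib
import os

# Stand-in for the DER-encoded RSA public key carried in the CGA Parameters
# (constructed placeholder bytes, not a real key).
DEMO_PUBKEY = bytes(range(48))
PREFIX_2001_DB8 = bytes.fromhex("20010db800000000")   # 2001:db8::/64

def _hash1(params: bytes) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1 over the whole CGA Parameters structure."""
    return hashlib.sha1(params).digest()[:8]

def _hash2(modifier: bytes, key_and_ext: bytes) -> bytes:
    """Hash2: leftmost 112 bits of SHA-1 over modifier || 9 zero octets || public key (+ extensions)."""
    return hashlib.sha1(modifier + bytes(9) + key_and_ext).digest()[:14]

def _hash2_ok(h2: bytes, sec: int) -> bool:
    """RFC 3972 requires the leftmost 16*Sec bits of Hash2 to be zero."""
    return h2[:2 * sec] == bytes(2 * sec)

def cga_generate(prefix: bytes, pubkey: bytes, sec: int, collision_count: int = 0):
    """Return (address, cga_params). collision_count is raised by the caller when
    Duplicate Address Detection fails (the DAD exchange itself is not modelled here)."""
    modifier = os.urandom(16)
    while not _hash2_ok(_hash2(modifier, pubkey), sec):   # about 2**(16*Sec) tries
        modifier = os.urandom(16)
    params = modifier + prefix + bytes([collision_count]) + pubkey
    iid = bytearray(_hash1(params))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)   # bits 0-2 carry Sec, bits 6-7 (u/g) are cleared
    return prefix + bytes(iid), params

def cga_verify(address: bytes, params: bytes) -> bool:
    """Verify an address against its CGA Parameters (RFC 3972 section 5): prefix must match,
    collision count must be 0..2, Hash1 must match the IID, Hash2 must satisfy Sec."""
    if len(address) != 16 or len(params) < 25:
        return False
    modifier, prefix, collision_count, key_and_ext = params[:16], params[16:24], params[24], params[25:]
    if collision_count > 2 or prefix != address[:8]:
        return False
    iid, h1 = address[8:], _hash1(params)
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:   # ignore Sec and u/g bits
        return False
    sec = iid[0] >> 5
    return _hash2_ok(_hash2(modifier, key_and_ext), sec)

if __name__ == "__main__":
    addr, params = cga_generate(PREFIX_2001_DB8, DEMO_PUBKEY, sec=1)
    print("CGA:", addr.hex(), "valid:", cga_verify(addr, params))
```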

Adding an X.509 certificate to RA: Subject Name contains the list of authorized IPv6 prefixes
[Diagram: Trust Anchor -> X.509 cert -> X.509 cert -> Router Advertisement: Source Addr = CGA, CGA param block (incl pub key), Signed]

Prevent Node-Node Layer-2 communication by using:
- 1 VLAN per host (SP access network with Broadband Network Gateway)
- Private VLANs (PVLAN) where node can only contact the official router
Link-local scope multicast (RA, DHCP request, etc) sent only to the local official router: no harm
Can also be used on Wireless in AP Isolation Mode
[Diagram: PC (public V6) - CPE - PVLAN - BNG sending RA; second PC (public V6) - CPE - PVLAN]

Port ACL blocks all ICMPv6 Router Advertisements from hosts

  interface FastEthernet3/13
   switchport mode access
   ipv6 traffic-filter ACCESS_PORT in
   access-group mode prefer port

[Diagram: RAs sent by hosts on access ports are dropped at the switch]

[Diagram: a device announcing "I am the default gateway" sends a Router Advertisement (Option: prefix(s)); the switch verifies it (configuration-based, learning-based or challenge-based) and, if verification succeeded, bridges the RA to the host]
Switch selectively accepts or rejects RAs based on various criteria
Can be ACL based, learning based or challenge (SeND) based.
Hosts see only allowed RAs, and RAs with allowed content

Pretty much like RA: no authentication
- Any node can steal the IP address of any other node
- Impersonation leading to denial of service or MITM
Requires layer-2 adjacency

Where               What
Routers & Hosts     Configure static neighbor cache entries
Routers & Hosts     Use Cryptographic Addresses (SeND CGA)
Switch (First Hop)  Host isolation
Switch (First Hop)  Address watch: glean addresses in NDP and DHCP; establish and enforce rules for address ownership

Remote
- Remote router CPU/memory DoS attack if aggressive scanning
- Router will do Neighbor Discovery... and waste CPU and memory
Local router DoS with NS/RS/...
[Diagram: remote scan of 2001:db8::/64 makes the router send NS for 2001:db8::1, 2001:db8::2, 2001:db8::3, ... on the local link]

Mainly an implementation issue
- Rate limiter on a global and per-interface basis
- Prioritize renewal (PROBE) rather than new resolution
- Maximum Neighbor cache entries per interface and per MAC address
Internet edge/presence: a target of choice
- Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
=> Allocate and configure a /64 but use addresses fitting in a /120 in order to have a simple ingress ACL

Built-in rate limiter but no option to tune it
- Since 15.1(3)T: ipv6 nd cache interface-limit
- Or IOS-XE 2.6: ipv6 nd resolution data limit
Destination-guard is coming with First Hop Security phase 3
Using a /64 on point-to-point links => a lot of addresses to scan! Using /127 could help (RFC 6164)
Internet edge/presence: a target of choice
- Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
- Using infrastructure ACL prevents this scanning
- iACL: edge ACL denying packets addressed to your routers
- Easy with IPv6 because a new addressing scheme can be done

RFC allows for multiple and repeating extension headers.
RFC 3128 is not applicable to IPv6; extension header can be fragmented
Packets get increasingly complex to parse

  Original Packet:  IPv6 hdr | Dest Option | Dest Option | TCP | data
  First Fragment:   IPv6 hdr | Frag Header | Dest Option
  Second Fragment:  IPv6 hdr | Frag Header | Dest Option | TCP | data

Unlimited size of header chain (spec-wise) can make filtering difficult
Potential DoS with poor IPv6 stack implementations
- More boundary conditions to exploit
- Can I overrun buffers with a lot of extension headers?
[Sniffer capture callouts: Perfectly Valid IPv6 Packet According to the Sniffer; Header Should Only Appear Once; Destination Header Which Should Occur at Most Twice; Destination Options Header Should Be the Last]
See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html

Use a stateful firewall which reassembles all of the fragments and then applies the filtering rules
- This only has limited usefulness as the attacker can keep adding headers and increasing the number of fragments to a point where the firewall can no longer reassemble
Filter out packets with specific combinations of Extension Headers or number of Extension Headers
Filter out packets that combine fragmentation with additional Extension Headers
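An added example (not from the deck) of the extension-header filtering just described: it walks the header chain of constructed IPv6 packets, stops at non-first fragments, and flags the conditions a filter would act on (a header that continues in another fragment, a header repeated beyond what RFC 2460 allows, a chain longer than a local limit, fragmentation combined with other extension headers). MAX_EXT_HEADERS, the addresses and the sample packets are assumptions.

```python
import struct
from collections import Counter
TCP, FRAGMENT, AH, DEST_OPTS = 6, 44, 51, 60
EXT_NAMES = {0: "HopByHop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "DestOpts"}
MAX_EXT_HEADERS = 3   # assumed local filter policy: longer chains are dropped

def ipv6_packet(nh: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header plus payload; constructed 2001:db8:: addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + src + dst + payload

def opts_hdr(nh: int) -> bytes:
    """8-byte Hop-by-Hop or Destination Options header (same layout) filled with PadN."""
    return bytes([nh, 0, 1, 4, 0, 0, 0, 0])

def fragment_hdr(nh: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return bytes([nh, 0]) + struct.pack("!HI", (offset << 3) | int(more), ident)

def inspect_chain(pkt: bytes):
    """Walk the extension header chain; return (chain, upper_layer, findings)."""
    findings, chain, nh, off = [], [], pkt[6], 40
    while nh in EXT_NAMES:
        if off + 8 > len(pkt):
            findings.append("truncated-header")   # header continues in another fragment
            return chain, None, findings
        chain.append(nh)
        if nh == FRAGMENT:
            size = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return chain, None, findings      # non-first fragment: chain ends here
        else:
            size = (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + size
    for hdr, n in Counter(chain).items():
        if n > (2 if hdr == DEST_OPTS else 1):    # Dest Opts may legitimately appear twice
            findings.append("repeated-" + EXT_NAMES[hdr])
    if len(chain) > MAX_EXT_HEADERS:
        findings.append("chain-too-long")
    if FRAGMENT in chain and len(chain) > 1:
        findings.append("fragment-plus-ext")
    return chain, nh, findings

# Constructed samples: the slide's original packet, its first fragment with the Destination
# Options header cut in half, and a long chain mixing fragmentation with other headers.
TCP_STUB = bytes(20)
ORIGINAL = ipv6_packet(DEST_OPTS, opts_hdr(DEST_OPTS) + opts_hdr(TCP) + TCP_STUB)
FIRST_FRAG = ipv6_packet(FRAGMENT, fragment_hdr(DEST_OPTS, 0, True) + opts_hdr(DEST_OPTS)[:4])
LONG_CHAIN = ipv6_packet(0, opts_hdr(DEST_OPTS) + opts_hdr(FRAGMENT) + fragment_hdr(DEST_OPTS, 0, True) + opts_hdr(TCP) + TCP_STUB)
```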

Most IPv4/IPv6 transition mechanisms have no authentication built in
=> an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses
IPv6 ACLs Are Ineffective Since IPv4 & IPv6 Are Spoofed
Tunnel Termination Forwards the Inner IPv6 Packet
[Diagram: IPv6 Network (Server A) - Tunnel Termination - IPv6 in IPv4 Tunnel across the Public IPv4 Internet - Tunnel Termination - IPv6 Network (Server B)]

Unauthorized tunnels: firewall bypass (protocol 41)
IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise
- This has implications on network segmentation and network discovery
No authentication in ISATAP: rogue routers are possible
- Windows defaults to isatap.example.com
- IPv6 addresses can be guessed based on IPv4 prefix
[Diagram: ISATAP Router; Any Host Can Talk to the Router over ISATAP Tunnels; IPv4 Network ~ Layer 2 for IPv6 Service; Direct Communication between hosts]

[Diagram: 6to4 relay at the IPv6 Internet edge protected by an ACL; IPv4 6to4 routers reach it through tunnels]
Direct tunneled traffic between 6to4 routers ignores the hub ACL

Teredo navalis: a shipworm drilling holes in boat hulls
Teredo Microsoftis: IPv6 in IPv4 punching holes in NAT devices
Source: United States Geological Survey

All outbound traffic inspected: e.g., P2P is blocked
All inbound traffic blocked by firewall
[Diagram: IPv4 Intranet - IPv4 Firewall - IPv4 Internet - Teredo Relay - IPv6 Internet]

Teredo threats: IPv6 Over UDP (port 3544)
- Internal user wants to get P2P over IPv6
- Configure the Teredo tunnel (already enabled by default!)
- FW just sees IPv4 UDP traffic (may be on port 53)
- No more outbound control by FW

Once Teredo Configured: Inbound connections are allowed
- IPv4 firewall unable to control IPv6: hackers can penetrate
- Host security needs IPv6 support now

Residential Broadband Service Case: CPE based, Scenario 1 thru 5 And Future
Red: New or Changed Function in the network
[Diagram: per-scenario CPE (IPv4-Only, 6RD CE, Dual-Stack, IPv6 only) and service (IPv4 Internet Access, IPv4 Address Sharing, IPv6 Internet Access); SP functions CGN, 6rd BR, CGN + 6rd, Stateful (DS Lite), Stateless 46; IP NGN Backbone 1. Running 6PE/6vPE 2. Running Dual-Stack; IPv4 Internet and IPv6 Internet]

[Diagram: Public IPv4, Private IPv4, IPv6 Internet Access]
Use of Carrier Grade NAT will require more information to be gathered in order to accurately identify a subscriber.
- Currently a simple IPv4 address and a time frame is normally sufficient
- With the advent of IPv6 and IPv4 address exhaustion you will need more.
The following should be gathered:
- IPv4 address (source and destination)
- IPv6 address if in use
- TCP/UDP ports (source and destination)
- Time

[Diagram: Subscriber Network with IPv4 host, IPv6 host and IPv4+IPv6 host behind a Customer Router; Dual-Stack SP Network using RFC1918 addresses; SP NAT sharing IPv4 address(es) towards the IPv4 Internet; IPv6 directly to the IPv6 Internet]
More likely scenario:
- IPv6 being available all the way to the consumer
- SP core and customer have to use IPv4 NAT due to v4 depletion

Every IPv4 address has a reputation
- Either blacklist or more sophisticated (senderbase.org)
- Used to detect spam, botnet members, ...
It is fine as long as:
- One IPv4 == One legal entity (subscriber)
- What if One IPv4 == 10,000 entities/subscribers through SP NAT?

Usual way to block a Denial of Service (DoS) against a server is to block the source IPv4 address(es)
- Before SP NAT: ok because it blocks only the attacker
- With SP NAT: will block the attacker but also 9,999 potential users/customers

Servers currently keep only the remote IPv4 address in their log
Law Enforcement Agencies (LEA) can request any ISP to get the subscriber ID of this IPv4 address at a specific time
With SP NAT, there will be 10,000 subscribers using this IPv4 address

SP will have to keep all the translation log (data retention)
- <time, subscriber internal IP, subscriber internal TCP/UDP port, subscriber external TCP/UDP port, Internet IP, Internet TCP/UDP port>
- <10:23:02 UTC, 10.1.2.3, 6543, 23944, 91.121.200.122, 80>
AND, the server will have to extend the log to include the TCP/UDP port
At 10:23:02 who was using the shared port 23944?
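An added example (not from the deck) of the correlation the slide asks for: it parses a constructed CGN translation log in the slide's field order and a server log that has been extended to record the remote port, then answers "who was using shared port 23944 at 10:23:02?", and shows how an address-only server log leaves every subscriber behind the shared address as a candidate. The binding lifetime, the shared address 198.51.100.7 and all log lines are constructed assumptions.

```python
from datetime import datetime, timedelta

BINDING_LIFETIME = timedelta(seconds=300)   # assumed NAT mapping timeout

# Constructed CGN translation log in the slide's field order (not real data):
# <time, subscriber internal IP, internal TCP/UDP port, external TCP/UDP port, Internet IP, Internet port>
CGN_LOG = """\
10:23:02 10.1.2.3 6543 23944 91.121.200.122 80
10:23:02 10.1.2.9 40000 23950 91.121.200.122 80
10:28:30 10.1.2.4 5123 23944 203.0.113.5 443
"""

def parse_time(hms: str) -> datetime:
    return datetime.strptime(hms, "%H:%M:%S")

def parse_cgn_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        t, in_ip, in_port, ext_port, dst_ip, dst_port = line.split()
        rows.append({"time": parse_time(t), "in_ip": in_ip, "in_port": int(in_port),
                     "ext_port": int(ext_port), "dst_ip": dst_ip, "dst_port": int(dst_port)})
    return rows

def _live(row: dict, at: datetime) -> bool:
    return row["time"] <= at < row["time"] + BINDING_LIFETIME

def subscribers_at(rows: list, at: datetime) -> list:
    """What an address-only server log yields: every subscriber with a live binding."""
    return sorted({r["in_ip"] for r in rows if _live(r, at)})

def who_used(rows: list, at: datetime, ext_port: int, dst_ip=None, dst_port=None):
    """Resolve (time, shared port[, destination]) to one (internal IP, internal port).
    External ports are reused once a mapping expires, so the newest live binding wins."""
    hits = [r for r in rows if r["ext_port"] == ext_port and _live(r, at)
            and dst_ip in (None, r["dst_ip"]) and dst_port in (None, r["dst_port"])]
    if not hits:
        return None
    newest = max(hits, key=lambda r: r["time"])
    return newest["in_ip"], newest["in_port"]

def parse_server_line(line: str):
    """Server access log extended as the slide recommends: remote IP *and* remote port."""
    t, remote, _request = line.split(" ", 2)
    ip, port = remote.rsplit(":", 1)
    return parse_time(t), ip, int(port)

if __name__ == "__main__":
    rows = parse_cgn_log(CGN_LOG)
    at, ip, port = parse_server_line("10:23:02 198.51.100.7:23944 GET /index.html")
    print("address only:", subscribers_at(rows, at), "| address + port:", who_used(rows, at, port))
```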

Operator has an expanding customer base, but does not have enough IPv4 addresses to service new customers. Business need is to be able to assign new users an IP address and give those new subscribers access to IPv4 Internet content as well as IPv6 Internet content.
Possible Scenarios
1.1 IPv6 address to subscriber with Carrier Grade NAT
1.2 Carrier Grade NAT with private v4 address
1.3 Dual stack private v4 and public v6 at customer
1.4 Dual stack public v4 and public v6 at customer

Thank you.
