Escolar Documentos
Profissional Documentos
Cultura Documentos
BRKSEC-2003
Session Objectives
IPv6 vs. to IPv4 from a threat and mitigation perspective
Advanced IPv6 security topics like transition options and dual stack environments Requirements: basic knowledge of the IPv6 and IPSec protocols as well as IPv4 security best practices A lot of overlap content with TECSEC-2101 and TECMPL-2192
BRKSEC-2003
Cisco Public
Those slides are mainly for reference and are indicated by the book icon on the top right corner (as on this slide)
BRKSEC-2003
Cisco Public
Agenda
Shared Issues by IPv4 and IPv6 Specific Issues for IPv6
IPsec everywhere, dual-stack, tunnels and 6VPE
BRKSEC-2003
Cisco Public
Shared Issues
Security Issues Shared by IPv4 and IPv6
BRKSEC-2003
Cisco Public
Reconnaissance in IPv6
Subnet Size Difference
Default subnets in IPv6 have 264 addresses
10 Mpps = more than 50 000 years
BRKSEC-2003
Cisco Public
Reconnaissance in IPv6
Scanning Methods Are Likely to Change
Public servers will still need to be DNS reachable
More information collected by Google...
Administrators may adopt easy-to-remember addresses (::10,::20,::F00D, ::C5C0 or simply IPv4 last octet for dual stack)
By compromising hosts in a network, an attacker can learn new addresses to scan
Transition techniques (see further) derive IPv6 address from IPv4 address
can scan again
BRKSEC-2003
Cisco Public
Using a /64 on point-to-point links => a lot of addresses to scan! Using infrastructure ACL prevents this scanning
iACL: edge ACL denying packets addressed to your routers
BRKSEC-2003
Cisco Public
IPv4 best practices around worm detection and mitigation remain valid
BRKSEC-2003
Cisco Public
L3 Spoofing in IPv6
uRPF Remains the Primary Tool for Protecting Against L3 Spoofing
uRPF Loose Mode
ipv6 verify unicast source reachable-via any
Access Layer
Spoofed IPv6 Source Address
IPv6 Intranet/Internet
Access Layer
Spoofed IPv6 Source Address
IPv6 Intranet/Internet
No Route to Src Addr prefix out the packet inbound interface => Drop
BRKSEC-2003
Cisco Public
10
Cat 3750: no uRPF at all GSR only strict mode with E5 (else not supported) in 12.0(31)S ASR 9K (software limitation)
BRKSEC-2003
Cisco Public
11
Segments Left
BRKSEC-2003
Cisco Public
12
An amplification attack!
BRKSEC-2003
Cisco Public
13
At the edge
With an ACL blocking routing header
BRKSEC-2003
Cisco Public
14
RA/RS w/o Any Authentication Gives Exactly Same Level of Security as ARP for IPv4 (None)
Attack Tool: fake_router6 Can Make Any IPv6 Address the Default Router 2. RA
1. RS
2. RA
1. RS:
Src = :: Dst = All-Routers multicast Address ICMP Type = 133 Data = Query: please send RA
2. RA:
Src = Router Link-local Address Dst = All-nodes multicast address ICMP Type = 134 Data= options, prefix, lifetime, autoconfig flag
Cisco Public
BRKSEC-2003
15
BRKSEC-2003
Cisco Public
16
For more information BRKSEC-3003: Advanced IPv6 Security: Securing Link Operations at First Hop
BRKSEC-2003
Cisco Public
17
RA-guard feature in host mode (12.2(33)SXI4 & 12.2(54)SG ): also dropping all RA received on this port
interface FastEthernet3/13
switchport mode access ipv6 nd raguard access-group mode prefer port
RA RA RA
BRKSEC-2003
Cisco Public
18
Address Assignment
Address Resolution Router Discovery Multicast Group Management Mobile IPv6 Support
X
X X X X
19
Generic ICMPv4
Border Firewall Policy
Internal Server A
Internet
Dst A A A A A
ICMPv4 Type 0 8 3 3 11
ICMPv4 Code 0 0 0 4 0
Name Echo Reply Echo Request Dst. Unreachable Net Unreachable Dst. Unreachable Frag. Needed Time Exceeded TTL Exceeded
BRKSEC-2003
Cisco Public
20
Equivalent ICMPv6
RFC 4890: Border Firewall Transit Policy
Internet
Dst A A A A
ICMPv6 Type
128 129 1 2
ICMPv6 Code
0 0 0 0
Name Echo Reply Echo Request No Route to Dst. Packet Too Big
Permit
Permit
BRKSEC-2003
Any
Any
A
A
3
4
0
0
Cisco Public
Internet
Action Src Permit Any Permit Any Permit Any Permit Any Deny
BRKSEC-2003
Dst B B B B
Name Packet too Big Parameter Problem Multicast Listener Neighbor Solicitation and Advertisement For locally generated traffic
Any Any
2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
22
DHCPv6 Threats
Note: use of DHCP is announced in Router Advertisements
Rogue devices on the network giving misleading information or consuming resources (DoS)
Rogue DHCPv6 client and servers on the link-local multicast address (FF02::1:2): same threat as IPv4 Rogue DHCPv6 servers on the site-local multicast address (FF05::1:3): new threat in IPv6
BRKSEC-2003
Cisco Public
23
BRKSEC-2003
Cisco Public
24
172.18.1.2
Belgian Schtroumpf
25
Note: anti-spoofing also blocks amplification attacks because a remote attacker cannot masquerade as his victim
http://iana.org/assignments/ipv6-multicast-addresses/
BRKSEC-2003
Cisco Public
26
27
OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport mode IPSec RIPng, PIM also rely on IPSec IPv6 routing attack best practices
Use traditional authentication mechanisms on BGP and IS-IS Use IPSec to secure protocols such as OSPFv3 and RIPng
BRKSEC-2003
Cisco Public
28
interface Ethernet0/0 ipv6 authentication mode eigrp 100 md5 ipv6 authentication key-chain eigrp 100 MYCHAIN key chain MYCHAIN key 1 key-string 1234567890ABCDEF1234567890ABCDEF accept-lifetime local 12:00:00 Dec 31 2006 12:00:00 Jan 1 2008 send-lifetime local 00:00:00 Jan 1 2007 23:59:59 Dec 31 2007
BRKSEC-2003 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
29
Rogue devices
Rogue devices will be as easy to insert into an IPv6 network as in IPv4
Flooding
Flooding attacks are identical between IPv4 and IPv6
BRKSEC-2003
Cisco Public
30
BRKSEC-2003
Cisco Public
31
BRKSEC-2003
Cisco Public
32
33
Temporary addresses for IPv6 host client application, e.g. web browser
Inhibit device/user tracking Random 64 bit interface ID, then run Duplicate Address Detection before using it Rate of change based on local policy
Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back)
BRKSEC-2003 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
34
netsh interface ipv6 set global randomizeidentifiers=disabled netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent netsh interface ipv6 set privacy state=disabled store=persistent
Alternatively
Use DHCP (see later) to a specific pool Ingress filtering allowing only this pool
BRKSEC-2003
Cisco Public
35
IPv6 hdr
HopByHop
Routing
AH
TCP
data
IPv6 hdr
HopByHop
Routing
AH
Unknown L4
???
IPv6 hdr
AH
TCP
data
BRKSEC-2003
Cisco Public
36
Reassembly done by end system like in IPv4 Attackers can still fragment in intermediate system on purpose ==> a great obfuscation tool
BRKSEC-2003
Cisco Public
37
IPv6 hdr
HopByHop
Routing
IPv6 hdr
HopByHop Fragment2
TCP
Data
BRKSEC-2003
Cisco Public
38
BRKSEC-2003
Cisco Public
39
Recommendation: do not use IPsec end to end within an administrative domain. Suggestion: Reserve IPsec for residential or hostile environment or high profile targets.
BRKSEC-2003 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
40
Tunnels
Bypass firewalls (protocol 41 or UDP) Can cause asymmetric traffic (hence breaking stateful firewalls)
BRKSEC-2003
Cisco Public
41
Host security controls should block and inspect traffic from both IP versions
Host intrusion prevention, personal firewalls, VPN clients, etc.
IPv4 IPsecVPN with No Split Tunneling
BRKSEC-2003
Cisco Public
42
Your network:
Does not run IPv6
Your assumption:
Im safe
Reality
You are not safe Attacker sends Router Advertisements Your host configures silently to IPv6 You are now under IPv6 attack
BRKSEC-2003
Cisco Public
43
IPv4
IPv6
IPv6 Network Public IPv4 Internet
IPv6 in IPv4 Tunnel Tunnel Termination
2011 Cisco and/or its affiliates. All rights reserved.
IPv6 Network
Server A
BRKSEC-2003
Tunnel Termination
Cisco Public
Server B
44
Transition ThreatsISATAP
Unauthorized tunnelsfirewall bypass (protocol 41) IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise
This has implications on network segmentation and network discovery
ISATAP Tunnels IPv4 Network ~ Layer 2 for IPv6 Service Direct Communication
BRKSEC-2003
Cisco Public
45
Root cause
ISATAP routers ignore each other
ISATAP router:
accepts native IPv6 packets forwards it inside its ISATAP tunnel
Mitigation: IPv6 anti-spoofing everywhere ACL on ISATAP routers accepting IPv4 from valid clients only Within an enterprise, block IPv4 ISATAP traffic between ISATAP routers Within an enterprise block IPv6 packets between ISATAP routers
http://www.usenix.org/events/woot09/tech/full_papers/nakibly.pdf
BRKSEC-2003
Cisco Public
46
ACL
tunnel
6to4 router
BRKSEC-2003
6to4 router
Cisco Public
47
Traffic is asymmetric
6to4 client/router -> 6to4 relay -> IPv6 server: client IPv4 routing selects the relay IPv6 server -> 6to4 relay -> 6to4 client/router: server IPv6 routing selects the relay Cannot insert a stateful device (firewall, ...) on any path
BRKSEC-2003
Cisco Public
48
ISATAP router:
accepts 6to4 IPv4 packets Can forward the inside IPv6 packet back to 6to4 relay
Mitigation: Easy on ISATAP routers: deny packets whose IPv6 is its 6to4 Less easy on 6to4 relay: block all ISATAP-like local address? Enterprise block all protocol 41 at the edge which are not known tunnels Good news: not so many open ISATAP routers on the Internet
http://www.usenix.org/events/woot09/tech/full_papers/nakibly.pdf
BRKSEC-2003
Cisco Public
49
TEREDO?
Teredo navalis
A shipworm drilling holes in boat hulls
Teredo Microsoftis
IPv6 in IPv4 punching holes in NAT devices
BRKSEC-2003
Cisco Public
50
IPv4 Intranet
BRKSEC-2003
Cisco Public
51
IPv4 Intranet
BRKSEC-2003
Cisco Public
52
IPv4 Intranet
BRKSEC-2003
Cisco Public
53
VRF
VRF
v6 VPN 2001:db8:1:1:/64
VRF
2001:db8:1:2:/64
BRKSEC-2003
Cisco Public
54
6VPE Security
6PE (dual stack without VPN) is a simple case Security is identical to IPv4 MPLS-VPN, see RFC 4381 Security depends on correct operation and implementation
QoS prevent flooding attack from one VPN to another one PE routers must be secured: AAA, iACL, CoPP
PE security
Advantage: Only PE-CE interfaces accessible from outside Makes security easier than in normal networks IPv6 advantage: PE-CE interfaces can use link-local for routing => completely unreachable from remote (better than IPv4)
BRKSEC-2003
Cisco Public
55
BRKSEC-2003
Cisco Public
56
BRKSEC-2003
Cisco Public
57
Known extension headers (HbH, AH, RH, MH, destination, fragment) are scanned until:
Layer 4 header found Unknown extension header is found
BRKSEC-2003
Cisco Public
58
59
BRKSEC-2003
Cisco Public
60
61
Note: PACL replaces RACL for the interface (or is merged with RACL) In August 2010, Nexus-7000, Cat 3750 12.2(46)SE, Cat 4500 12.2(54)SG and Cat 6500 12.2(33)SXI4
BRKSEC-2003 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
62
BRKSEC-2003
Cisco Public
63
64
Caveats:
Cannot block specific extension headers
BRKSEC-2003
Cisco Public
65
BRKSEC-2003
Cisco Public
66
BRKSEC-2003
Cisco Public
67
BRKSEC-2003
Cisco Public
68
FWSM
IPv6 in software... 80 Mbps Not an option (put an IPv6-only ASA in parallel)
IOS Firewall
IOS 12.3(7)T (released 2005)
IPS
Since 6.2 (released 2008)
Email Security Appliance (ESA) under beta testing early 2010 Web Security Appliance (WSA) not before 2011
BRKSEC-2003
Cisco Public
69
BRKSEC-2003
Cisco Public
70
No traffic injection
No service theft
Public Network Site 2 Site 6in4/GRE Tunnels Protected by IPsec DMVPN 12.4(20)T IPv6 IPsec VTI 12.4(6)T Remote Access ISATAP Protected by RA IPsec SSL VPN Client AnyConnect N/A
IPv4
BRKSEC-2003
Cisco Public
71
Secure Site to Site IPv6 Traffic over IPv4 Public Network with GRE IPsec
IPsec protects IPv4 unicast traffic... The encapsulated IPv6 packets
IPv6 Network IPv6 Network
72
IPv4
GRE tunnel can be used to transport both IPv4 and IPv6 in the same tunnel
BRKSEC-2003 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Secure Site to Site IPv6 Traffic over IPv4 Public Network with DMVPN
IPv6 packets over DMVPN IPv4 tunnels
In IOS release 12.4(20)T (July 2008) IPv6 and/or IPv4 data packets over same GRE tunnel
BRKSEC-2003
Cisco Public
73
BRKSEC-2003
Cisco Public
74
IPsec
IPv6 PC
ISATAP
Enterprise VPN head-end (ASA, IOS, ...) ISATAP Tunnel server on dual stack router
IPv4
IPsec with NAT-T can traverse NAT ISATAP encapsulates IPv6 into IPv4
BRKSEC-2003
Cisco Public
IPv6 Network
75
Secure RA IPv6 Traffic over IPv4 Public Network: AnyConnect SSL VPN Client
IPv4
BRKSEC-2003
Cisco Public
IPv6 Network
76
Summary
BRKSEC-2003
Cisco Public
77
BRKSEC-2003
Cisco Public
78
Is IPv6 in My Network?
Easy to check!
Look inside NetFlow records
Protocol 41: IPv6 over IPv4 or 6to4 tunnels IPv4 address: 192.88.99.1 (6to4 anycast server) UDP 3544, the public part of Teredo, yet another tunnel
Look into DNS server log for resolution of ISATAP Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW
BRKSEC-2003
Cisco Public
79
BRKSEC-2003
Cisco Public
80
BRKSEC-2003
Recommended Reading
BRKSEC-2003
Cisco Public
81
Cisco Confidential
82
BRKSEC-2003
Cisco Public
83