Académique Documents
Professionnel Documents
Culture Documents
BRKSEC-2003
Presentation_ID
Cisco Public
Session Objectives
! IPv6 vs. to IPv4 from a threat and mitigation
perspective
! Advanced IPv6 security topics like transition options
and dual stack environments
! The focus is Enterprises
BRKOPT-1200 has a SP focus
BRKSEC-2003
Cisco Public
For Your
Reference
BRKSEC-2003
Cisco Public
Agenda
! Shared Issues by IPv4 and IPv6
! Specific Issues for IPv6
IPsec everywhere, dual-stack, tunnels and 6VPE
BRKSEC-2003
Cisco Public
IPv4 Vul.
IPv6 Vul.
Shared Issues
Security Issues Shared by IPv4 and IPv6
Presentation_ID
Cisco Public
Reconnaissance In IPv6
Subnet Size Difference
2128
6.5
Billion
Worlds population is
approximately 6.5 billion
BRKSEC-2003
Cisco Public
Reconnaissance In IPv6
BRKSEC-2003
Cisco Public
BRKSEC-2003
Cisco Public
Reconnaissance In IPv6?
Easy With Multicast!
! No need for reconnaissance anymore
! 3 site-local multicast addresses
FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers
Destination
Attacker FF05::1:3
Payload
DHCP Attack
2001:db8:2::50
2001:db8:1::60
2001:db8:3::70
http://www.iana.org/assignments/ipv6-multicast-addresses/
BRKSEC-2003
Cisco Public
Preventing Reconnaissance
With IPv6 Multicast
Organization B
Organization A
Cisco Public
10
BRKSEC-2003
Cisco Public
11
/32
/48
/64
Interface ID
2001
Cisco Public
12
IPv6
Intranet
Management System IPv6
Address2001:DB8:F15:C15::1*
Internal Server
2001:DB8:F15:c16::1/64
X
Action
Src
Dest
Src Port
Dst Port
Permit
2001:DB8:
F15:C15::1
2001:DB8:
F15:c16::1
Any
80
Deny
Any
Any
Cisco Public
13
For Your
Reference
! Microsoft Windows
Deploy a Group Policy Object (GPO)
Or
netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=persistent
! Alternatively
Use DHCP (see later) to a specific pool
Ingress filtering allowing only this pool
BRKSEC-2003
Cisco Public
14
L3 Spoofing In IPv6
Access
Layer
Inter-Networking Device
with uRPF Enabled
IPv6
Intranet/Internet
Spoofed IPv6
Source Address
Access
Layer
Inter-Networking Device
with uRPF Enabled
IPv6
Intranet/Internet
Spoofed IPv6
Source Address
Cisco Public
15
ICMPv4
ICMPv6
Connectivity Checks
Informational/Error Messaging
Address Assignment
Address Resolution
Router Discovery
Cisco Public
16
Generic ICMPv4
For Your
Reference
Internal Server A
Internet
BRKSEC-2003
Action
Src
Dst
ICMPv4
Type
ICMPv4
Code
Permit
Any
Echo Reply
Permit
Any
Echo Request
Permit
Any
Dst. Unreachable
Net Unreachable
Permit
Any
Dst. Unreachable
Frag. Needed
Permit
Any
11
Time Exceeded
TTL Exceeded
Cisco Public
Name
17
Equivalent ICMPv6
For Your
Reference
Internal Server A
Internet
Action
Src
Dst
ICMPv6
Type
ICMPv6
Code
Permit
Any
128
Echo Reply
Permit
Any
129
Echo Request
Permit
Any
No Route to Dst.
Permit
Any
Permit
Any
Time Exceeded
TTL Exceeded
Permit
Any
Parameter Problem
Name
*RFC 4890
BRKSEC-2003
Cisco Public
18
For Your
Reference
Internal Server A
Firewall B
Internet
Action
Src
Dst
ICMPv6
Type
ICMPv6
Code
Permit
Any
Permit
Any
130132
Multicast Listener
Permit
Any
133/134
Neighbor Solicitation
and Advertisement
Permit
Any
Parameter Problem
Name
*RFC 4890
BRKSEC-2003
Cisco Public
19
IPv6 hdr
HopByHop
Routing
AH
TCP
data
IPv6 hdr
HopByHop
Routing
AH
Unknown L4
???
IPv6 hdr
AH
TCP
data
Cisco Public
20
BRKSEC-2003
Cisco Public
21
Next Header
Reserved
Fragment Offset
Identification
Fragment Data
Cisco Public
22
IPv6 hdr
HopByHop
Routing
IPv6 hdr
HopByHop Fragment2
TCP
Data
Layer 4 header is
in 2nd fragment
BRKSEC-2003
Cisco Public
23
BRKSEC-2003
Cisco Public
24
Next Header
RH Type
Routing
Type
Segments Left
BRKSEC-2003
Cisco Public
25
BRKSEC-2003
Cisco Public
26
Next Header
RH Type=
2
Routing
Type
Segments Left= 1
BRKSEC-2003
Cisco Public
27
! At the edge
With an ACL blocking routing header
BRKSEC-2003
Cisco Public
28
1. RS
BRKSEC-2003
Attack Tool:
fake_router6
Can Make Any
IPv6 Address the
Default Router
2. RA
2. RA
! RS:
! RA:
Src = ::
Dst = All-Routers
multicast Address
Cisco Public
29
Cisco Public
30
BRKSEC-2003
Cisco Public
31
Cisco Public
32
RSA Keys
Priv
Modifier
Pub
Public
Key
Subnet
Prefix
Signature
SHA-1
CGA Params
Subnet
Prefix
SEND Messages
BRKSEC-2003
Cisco Public
Interface
Identifier
For Your
Reference
BRKSEC-2003
Cisco Public
34
For Your
Reference
2001:DB8::2C8D:918B:3538:6820
1 001e.be50.dd08
STALE Fa0/0
2001:DB8::3
20 0014.3850.bfe6
STALE Fa0/0
FE80::214:38FF:FE50:BFE6
20 0014.3850.bfe6
STALE Fa0/0
BRKSEC-2003
Cisco Public
35
! Available:
Unix (DoCoMo)
Cisco IOS 12.4(24)T
! Microsoft:
no support in Vista, in Windows 2008 (and probably not Windows7)
BRKSEC-2003
Cisco Public
36
! Advantages
No central administration, no
central operation
No bottleneck, no single-point of failure
Intrinsic part of the link-operations
Time server
! Disadvantages
Heavy provisioning of end-nodes
Poor for threats coming from outside
the link
Bootstrapping issue
Complexity spread all over the domain
Transitioning quite painful
BRKSEC-2003
Cisco Public
37
Cisco Future
Not Committed
Certificate
server
! Advantages
Central administration, central
operation
Complexity limited to first hop
Transitioning lot easier
Efficient for threats coming from the
link
Efficient for threats coming from
outside
Time server
! Disadvantages
Applicable only to certain topologies
Requires first-hop to learn about
end-nodes
First-hop is a bottleneck and singlepoint of failure
BRKSEC-2003
Cisco Public
38
DHCPv6 Threats
! Note: use of DHCP is announced in Router
Advertisements
! Rogue devices on the network giving misleading
information or consuming resources (DoS)
Rogue DHCPv6 client and servers on the link-local multicast
address (FF02::1:2): same threat as IPv4
Rogue DHCPv6 servers on the site-local multicast address
(FF05::1:3): new threat in IPv6
BRKSEC-2003
Cisco Public
39
BRKSEC-2003
Cisco Public
40
Quick Reminder
IPv4 Broadcast Amplification: Smurf
160.154.5.0
ICMP REPLY D=172.18.1.2 S=160.154.5.14
ICMP REPLY D=172.18.1.2 S=160.154.5.15
ICMP REPLY D=172.18.1.2 S=160.154.5.16
Attempt to
Overwhelm WAN
Link to
Destination
172.18.1.2
Cisco Public
Belgian
Schtroumpf
41
http://iana.org/assignments/ipv6-multicast-addresses/
BRKSEC-2003
Cisco Public
42
BRKSEC-2003
Cisco Public
43
BRKSEC-2003
Cisco Public
44
! Rogue devices
Rogue devices will be as easy to insert into an IPv6 network as in IPv4
! Flooding
Flooding attacks are identical between IPv4 and IPv6
BRKSEC-2003
Cisco Public
45
Oct 2008
FreeBSD
OpenBSD
NetBSD and
others
CVE-2008-2136
May 2008
Linux
CVE-2008-1153
Mar 2008
IOS
CVE-2007-4689
Nov 2007
CVE-2007-3038
Aug 2007
Microsoft
BRKSEC-2003
Cisco Public
! Scanners
Snort
TCPdump
Sun Solaris snoop
COLD
Wireshark
Analyzer
Windump
WinPcap
! DoS Tools
6tunneldos
4to6ddos
Imps6-tools
! Packet forgers
Scapy6
SendIP
Packit
Spak6
! Complete tool
http://www.thc.org/thc-ipv6/
BRKSEC-2003
Cisco Public
47
IPv4 Vul.
IPv6 Vul.
Presentation_ID
Cisco Public
48
Cisco Public
49
Cisco Public
50
! Tunnels
Bypass firewalls (protocol 41 or UDP)
Can cause asymmetric traffic (hence breaking stateful firewalls)
BRKSEC-2003
Cisco Public
51
Cisco Public
52
! Your network:
Does not run IPv6
! Your assumption:
Im safe
! Reality
You are not safe
Attacker sends Router Advertisements
Your host configures silently to IPv6
You are now under IPv6 attack
Cisco Public
53
1) Dual-Stack MacOS:
any IPv6 Router?
Cisco Public
54
BRKSEC-2003
Cisco Public
55
IPv4
IPv6
IPv6 Network
Public IPv4
Internet
IPv6 Network
IPv6 in IPv4
Tunnel
Server A
BRKSEC-2003
Tunnel
Termination
Tunnel
Termination
Cisco Public
Server B
56
Transition ThreatsISATAP
! Unauthorized tunnelsfirewall bypass (protocol 41)
! IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in
the enterprise
This has implications on network segmentation and network discovery
ISATAP Tunnels
IPv4 Network ~ Layer 2 for IPv6 Service
Direct
Communication
BRKSEC-2003
Cisco Public
57
IPv6
Internet
ACL
tunnel
6to4
router
IPv4
6to4
router
Direct tunneled
traffic ignores
hub ACL
6to4 router
BRKSEC-2003
Cisco Public
58
! Traffic is asymmetric
6to4 client/router -> 6to4 relay -> IPv6 server:
client IPv4 routing selects the relay
IPv6 server -> 6to4 relay -> 6to4 client/router:
server IPv6 routing selects the relay
Cannot insert a stateful device (firewall, ...) on any path
BRKSEC-2003
Cisco Public
59
TEREDO?
! Teredo navalis
A shipworm drilling holes
in boat hulls
! Teredo Microsoftis
IPv6 in IPv4 punching holes
in NAT devices
BRKSEC-2003
Cisco Public
60
IPv6 Internet
IPv4 Internet
Teredo Relay
IPv4 Firewall
IPv4 Intranet
BRKSEC-2003
Cisco Public
61
Teredo Relay
IPv4 Firewall
IPv4 Intranet
BRKSEC-2003
Cisco Public
62
Teredo Relay
IPv4 Firewall
IPv4 Intranet
BRKSEC-2003
Cisco Public
63
Is It Real?
May Be uTorrrent 1.8 (Released Aug. 08)
BRKSEC-2003
Cisco Public
64
Cisco Public
65
! FPM
Available in software since 12.4(4)T
Hardware implementation in PISA (requires Sup32 and Cat6K)
Classify on multiple attributes within a packet
String match and regex
Expressed in XML
0111111010101010000111000100111110010001000100100010001001
Match Pattern
And
Or
Not
Cisco.com/go/fpm
BRKSEC-2003
Cisco Public
66
FPM Configuration
to Block Teredo
The trick is to block
all packets
containing a
Teredo source or
destination
address in the
UDP payload
Teredo addresses
are in the 2001::/32
(note 32) prefix
For Your
Reference
IP version = 6
BRKSEC-2003
Cisco Public
67
v4 only VPN
10.1.1.0/24
10.1.2.0/24
PE1
v4 and v6 VPN
PE3
VRF
VRF
2001:db8:1:1:/64
Dual-Stack
IPv4-IPv6
PE Routers
10.1.1.0/24
VRF
v4 and v6 VPN
2001:db8:1:2:/64
Dual-Stack
IPv4-IPv6
PE Routers
10.1.2.0/24
VRF
v6 VPN
VRF
PE4
PE2
2001:db8:1:1:/64
BRKSEC-2003
VRF
v6 VPN
2001:db8:1:2:/64
Cisco Public
68
6VPE Security
! 6PE (dual stack without VPN) is a simple case
! Security is identical to IPv4 MPLS-VPN, see RFC 4381
! Security depends on correct operation and implementation
QoS prevent flooding attack from one VPN to another one
PE routers must be secured: AAA, iACL, CoPP
! PE security
Advantage: Only PE-CE interfaces accessible from outside
Makes security easier than in normal networks
IPv6 advantage: PE-CE interfaces can use link-local for routing
=> completely unreachable from remote (better than IPv4)
BRKSEC-2003
Cisco Public
69
Presentation_ID
Cisco Public
70
For Your
Reference
BRKSEC-2003
Cisco Public
71
For Your
Reference
BRKSEC-2003
Cisco Public
72
Presentation_ID
Cisco Public
73
BRKSEC-2003
Cisco Public
74
Cisco Public
75
Cisco Public
76
A Trivial Example
Filtering inbound traffic to one specific destination address
2001:db8:2c80:1000::1
others
ipv6 access-list MY_ACL
remark basic anti-spoofing
deny 2001:db8:2c80:1000::/64 any
permit any 2001:db8:2c80:1000::1/128
interface Serial 0
ipv6 traffic-filter MY_ACL in
IPv6 Internet
Serial 0
Prefix: 2001:db8:2c80:1000::/64
BRKSEC-2003
Cisco Public
77
BRKSEC-2003
Cisco Public
78
For Your
Reference
BRKSEC-2003
Cisco Public
79
For Your
Reference
Cisco Public
80
For Your
Reference
line vty 0 4
ipv6 access-class VTY in
BRKSEC-2003
Cisco Public
81
For Your
Reference
BRKSEC-2003
Cisco Public
82
IPv6
Site 2
IPv6
Internet
(IPv4)
Dual Stack
Router
IPv6
Site 1
IPv6
Cisco Public
83
! Caveat: no
fail-over support
BRKSEC-2003
Cisco Public
84
For Your
Reference
Inside
..::8
Outside
2001:db8:c000:1051::37/64
BRKSEC-2003
Cisco Public
2001:db8:c000:1052::/64
..::7
85
For Your
Reference
interface Ethernet0
nameif outside
ipv6 address 2001:db8:c000:1051::37/64
ipv6 enable
interface Ethernet1
nameif inside
ipv6 address 2001:db8:c000:1052::1/64
ipv6 enable
ipv6 route outside ::/0 2001:db8:c000:1051::1
ipv6 access-list SECURE permit tcp any host
2001:db8:c000:1052::7 eq telnet
ipv6 access-list SECURE permit icmp6 any
2001:db8:c000:1052::/64
access-group SECURE in interface outside
BRKSEC-2003
Cisco Public
86
ASA 7.x:
Stateful Inspection
For Your
Reference
BRKSEC-2003
Cisco Public
87
deny
to any IPv6
addresses
BRKSEC-2003
Cisco Public
88
BRKSEC-2003
Cisco Public
89
Internet
Drop
ASA
BRKSEC-2003
Cisco Public
90
! FWSM
IPv6 in software...
! IPS
Since 6.2 (November 2008)
BRKSEC-2003
Cisco Public
91
Enterprise Deployment:
Secure IPv6 Connectivity
How to Secure IPv6 Over the WAN
Presentation_ID
Cisco Public
92
IPv6
BRKSEC-2003
Site 2 Site
Remote Access
! ISATAP Protected by
RA IPsec
! DMVPN 12.4(20)T
N/A
Cisco Public
93
IPv6 Network
IPv6 Network
IPv4
Cisco Public
94
BRKSEC-2003
Cisco Public
95
BRKSEC-2003
Cisco Public
For Your
Reference
Spoke
interface Tunnel0
!... IPv4 DMVPN configuration may be required...
ipv6 address 2001:db8:100::11/64
ipv6 eigrp 1
ipv6 nhrp map multicast 172.17.0.1
ipv6 nhrp map 2001:db8:100::1/128 172.17.0.1
ipv6 nhrp network-id 100006
ipv6 nhrp holdtime 300
ipv6 nhrp nhs 2001:db8:100::1
tunnel source Serial1/0
tunnel mode gre multipoint
tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
ipv6 address 2001:db8:1::1/64
ipv6 eigrp 1
!
interface Serial1/0
ip address 172.16.1.1 255.255.255.252
!
ipv6 router eigrp 1
no shutdown
96
For Your
Reference
interface Tunnel0
no ip address
ipv6 address 2001:DB8::2811/64
ipv6 enable
tunnel source Serial0/0/1
tunnel destination 2001:DB8:7::2
tunnel mode ipsec ipv6
tunnel protection ipsec profile ipv6
BRKSEC-2003
Cisco Public
97
BRKSEC-2003
Cisco Public
98
IPsec
IPv6 PC
IPv4
IPv6 Network
ISATAP
Enterprise
VPN head-end
(ASA, IOS, ...)
ISATAP
Tunnel server
on dual stack
router
Cisco Public
99
BRKSEC-2003
IPv4
Cisco Public
IPv6 Network
ASA 8.0
SSL VPN Concentrator
Dual Stack
100
For Your
Reference
BRKSEC-2003
DNS
. .
. .
. .
. .
. .
Cisco Public
Suffix
. . . .
. . . .
. . . .
. . . .
. . . .
.
.
.
.
.
.
:
:
:
:
:
:
cisco.com
192.168.0.200
255.255.255.0
2001:db8:5fff:81::1:1
fe80::205:9aff:fe3c:7a00%13
192.168.0.1
2001:db8:5fff:81::
101
Conclusion
Presentation_ID
Cisco Public
102
BRKSEC-2003
Cisco Public
103
Is IPv6 In My Network?
! Easy to check!
! Look inside NetFlow records
Protocol 41: IPv6 over IPv4 or 6to4 tunnels
IPv4 address: 192.88.99.1 (6to4 anycast server)
UDP 3544, the public part of Teredo, yet another tunnel
BRKSEC-2003
Cisco Public
104
Questions?
Presentation_ID
Cisco Public
105
BRKSEC-2003
Cisco Public
106
Recommended Reading
! IPv6 Security,
ISBN: 1-58705-594-5
! Cisco Self-Study: Implementing
Cisco IPv6 Networks (IPV6),
ISBN: 1-58705-086-2
! Global IPv6 Strategies,
ISBN: 1-58705-343-8
! Deploying IPv6 Networks,
ISBN: 1-58705-210-5
! Mobile IP Technology and
Applications,
ISBN: 1-58705-132-X
BRKSEC-2003
Cisco Public
107
BRKSEC-2003
Cisco Public
BRKSEC-2003
Cisco Public
109
References Slides
Further Information Not Presented but Useful
Presentation_ID
Cisco Public
110
IP Mobility
Probably to
be removed
2001:db8:c18::1
Correspondent Node
Mobile Node
Home Agent
Optimized Routing
Not Possible in IPv4
Mobile Node
2001:2:a010::5
Mobility Means:
Cisco Public
111
BRKSEC-2003
Cisco Public
112
Home Agent
Correspondent Node
Cisco Public
113
Cisco Public
114
BRKSEC-2003
Cisco Public
115
For Your
Reference
IPSec Hub
Dual-Stack
Router
F0/0
F0/1
Corporate
Network
2001:db8:c003:1101:0:5efe:20.1.1.1
BRKSEC-2003
Cisco Public
ipv6 unicast-routing
!
interface FastEthernet0/0
description TO VPN 3000
ip address 20.1.1.1 255.255.255.0
!
interface FastEthernet0/1
description TO Campus Network
ipv6 address 2001:db8:C003:111C::2/64
!
interface Tunnel0
no ip address
ipv6 address 2001:db8:C003:1101::/64
eui-64
no ipv6 nd suppress-ra
tunnel source FastEthernet0/0
tunnel mode ipv6ip isatap
116
IPSec Hub
Dual-Stack
Router
Link
Preferred
infinite
infinite fe80::5efe:10.1.99.102
Type
-------Autoconf
Manual
Met
---9
1
Prefix
-----------------------2001:db8:c003:1101::/64
::/0
Cisco Public
Idx
--2
2
Gateway/Interface Name
--------------------Automatic Tunneling Pseudo-Interface
fe80::5efe:20.1.1.1
117
For Your
Reference
Spoke
Loopback 0 192.168.52.4
Hub
Loopback 0 192.168.52.7
BRKSEC-2003
2001:DB8:C000:1051::/64
2001:DB8:C000:1053::4/128
Secure Site-to-Site
IPv6 Connectivity
IPSec SA
Cisco Public
118
BRKSEC-2003
Cisco Public
119
For Your
Reference
interface Loopback0
ip address 192.168.52.4 255.255.255.255
interface Tunnel4
no ip address
Static IPv4
ipv6 unnumbered FastEthernet0/0
Addresses
ipv6 enable
tunnel source Loopback0
tunnel destination 192.168.52.7
tunnel mode ipv6ip
!
ip route 192.168.52.0 255.255.255.0 Serial0/0
BRKSEC-2003
Cisco Public
120
For Your
Reference
BRKSEC-2003
Cisco Public
121
For Your
Reference
interface Loopback0
ip address 192.168.52.7 255.255.255.255
!
interface Tunnel4
no ip address
Static IPv4
ipv6 unnumbered FastEthernet0/1
Addresses
ipv6 enable
tunnel source Loopback0
tunnel destination 192.168.52.4
tunnel mode ipv6ip
a lot more interfaces Tunnel
ip route 192.168.52.0 255.255.255.0 Serial0/0
BRKSEC-2003
Cisco Public
122
For Your
Reference
BRKSEC-2003
Cisco Public
123
vrf
Address-family IPv4
Address-family IPv6
Dual-stack network
P1
Site-1
2001:101::/64
10.101/16
CE1
MP-eBGP session
P2
PE1
VRF red
Dual-stack network
PE2
CE2
VRF red
Address-family IPv4
Address-family IPv6
2001:201::/64
10.201/16
MP-iBGP session
MP-eBGP session
Address-family VPNv4
Address-family VPNv6
Address-family IPv4
Address-family IPv6
Site-2
Dual stack
server
Cisco Public
124
For Your
Reference
interface Ethernet0/0
ipv6 ospf 1 area 0
ipv6 ospf authentication ipsec spi 500 md5
1234567890ABCDEF1234567890ABCDEF
interface Ethernet0/0
ipv6 authentication mode eigrp 100 md5
ipv6 authentication key-chain eigrp 100 MYCHAIN
key chain MYCHAIN
key 1
key-string 1234567890ABCDEF1234567890ABCDEF
accept-lifetime local 12:00:00 Dec 31 2006
12:00:00 Jan 1 2008
send-lifetime local 00:00:00 Jan 1 2007 23:59:59
Dec 31 2007
BRKSEC-2003
Cisco Public
125