IPv6 Security

NIST - Guidelines for the Secure

Deployment of IPv6
http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
(Summary Slides prepared by Robert Cartelli)

IPV6 FEATURES
extended address space
route aggregation
extension headers
autoconfiguration
quality of service
IPsec
mobility

IPV6 FEATURES
EXTENDED ADDRESS SPACE

The network prefix may change

while the host identifier can remain
static.
The static host identifier allows a
device to maintain a consistent
identity despite its location in a
network.

IPV6 FEATURES
AUTOCONFIGURATION

IPv6 autoconfiguration defines a method

for devices to configure their IP addresses
and other parameters without the need for a
DHCP server.
It also defines a method, renumbering,
whereby the time and effort required to
renumber a network by replacing an old
prefix with a new prefix are vastly reduced

IPV6 FEATURES
HEADER STRUCTURE

simpler than IPv4

fixed length of 40-bytes
2 - 16 bytes addresses ( 32 bytes )
8 bytes for header information
improved fast processing of packets and
protocol flexibility
optional extension headers

IPV6 FEATURES
EXTENSION HEADERS

RFC 2460 defines six extension headers:

hop-by-hop option header
routing header
fragment header
destination options header
authentication header (AH)
encapsulating security payload (ESP)
header
Each extension header is identified by the
Next Header field in the preceding header

IPV6 FEATURES
IPSEC SUPPORT
IPsec is a mandatory part of an IPv6
implementation; however, its use is not
required.
Uses two extension headers:
Encapsulating Security Payload (ESP)
Authentication Header (AH)
The negotiation and management of IPsec
security protections and the associated
secret keys is handled by the Internet Key
Exchange (IKE) protocol.

IPV6 FEATURES
MOBILITY - MOBILE IPV6 (MIPV6)
enhanced protocol supporting roaming for a
mobile node, so that it can move from one
network to another without losing IP-layer
connectivity
maintain connections to applications and
services if a device changes its temporary
IP address

IPV6 FEATURES
QUALITY OF SERVICE (QOS)
Uses Traffic Class and Flow Label fields
The new Flow Label field and enlarged
Traffic Class field in the main IPv6 header
allow more efficient and finer grained
differentiation of various types of traffic.
The new Flow Label field can contain a
label identifying or prioritizing a certain
packet flows such as voice over IP (VoIP)
or videoconferencing

IPV6 FEATURES
ROUTE AGGREGATION

hierarchical addressing structure

simplified header
large amount of addresses allows for blocks
of contiguous address space
contiguous address space allows for
aggregation under a reduced number of
prefixes

IPV6 FEATURES
EFFICIENT TRANSMISSION

IPv6 packet fragmentation control occurs at

the IPv6 source host, not at a router
host uses a procedure called Path
Maximum Transmission Unit (PMTU)
Discovery to learn the path MTU size and
eliminate the need for routers to perform
fragmentation

IPV6 THREATS
RECONNAISSANCE
Due to the size of IPv6 subnets (264 in a
typical IPv6 environment compared to 28 in
a typical IPv4 environment), traditional IPv4
scanning techniques that would normally
take seconds could take years on a
properly designed IPv6 network

IPV6 THREATS
RECONNAISSANCE
Attackers will still be able to use passive
techniques, such as Domain Name System
(DNS) name server resolution, to identify
victim networks for more targeted
exploitation

IPV6 THREATS
RECONNAISSANCE
If an attacker is able to obtain access to one
system on an IPv6 subnet, the attacker will
be able to leverage IPv6 neighbor discovery
to identify hosts on the local subnet for
exploitation.
Neighbor discovery-based attacks will also
replace counterparts on IPv4 such as ARP
spoofing.

IPV6 THREATS
FILTERING
IPv6 adds more components to be filtered
than IPv4, such as extension headers,
multicast addressing, and increased use of
ICMP.
possibility of an IPv6 host having a number
of global IPv6 addresses
security tools (firewalls) slow to adopt

IPV6 THREATS
lack of robust IPv6 security controls
lack of overall understanding of IPv6
many IPv6 services may rely on tunneling
IPv6 traffic in IPv4, which will also increase
the complexity
possibility that the number of vulnerabilities
in software from implementing IPv6
capabilities could rise

IPV6 THREATS
MITIGATIONS
Apply different types of IPv6 addressing
(privacy addressing, unique local
addressing, sparse allocation, etc) to limit
access and knowledge of IPv6-addressed
environments
Assign subnet and interface identifiers
randomly to increase the difficulty of
network scanning

IPV6 THREATS
MITIGATIONS
Develop a granular ICMPv6 filtering policy
for the enterprise. Ensure that ICMPv6
messages that are essential to IPv6
operation are allowed, but others are
blocked
Identify capabilities and weaknesses of
network protection devices in an IPv6
environment.

IPV6 THREATS
MITIGATIONS
Use IPsec to authenticate and provide
confidentiality to assets that can be tied to a
scalable trust model (an example is access
to Human Resources assets by internal
employees that make use of an
organizations Public Key Infrastructure
(PKI) to establish trust).
Pay close attention to the security aspects
of transition mechanisms such as tunneling
protocols.

IPV6 THREATS
MITIGATIONS
Enable controls that might not have been
used in IPv4 due to a lower threat level
during initial deployment (implementing
default deny access control policies,
implementing routing protocol security, etc).
On networks that are IPv4-only, block all
IPv6 traffic.

IPV6 THREATS
MITIGATIONS
Many IPv6 threat mitigations rely on IPsec
to provide protection against attack. Due to
issues with key management and overall
configuration complexity (including
applications), it is possible that IPsec will
not be deployed much more than it is with
IPv4 today for initial IPv6 use

IPV6 ADDRESS SCOPE

Site-local. This scope was intended to apply
to all IPv6 networks or a single logical entity
such as the network within an organization.
Addresses with this scope start with FEC0::
/10. They were intended not to be globally
routable but potentially routed between
subnets within an organization. Site local
addresses have been deprecated and
replaced with unique local addresses.

IPV6 ADDRESS SCOPE

Unique local unicast. FC00::/7 this scope is
meant for a site, campus, or enterprises
internal addressing. It replaces the
deprecated site-local concept. Unique local
addresses (ULAs) may be routable within
an enterprise. Use of unique local
addresses is not yet widespread; see RFC
4193, Unique Local IPv6 Unicast
Addresses, for more information.

IPV6 ADDRESS SCOPE

THREAT - SITE-LOCAL
Site-local addresses were abandoned and
replaced with unique local addresses. Older
implementations of IPv6 may still use site
local addresses, so IPv6 firewalls need to
recognize and handle site local addresses
correctly.

IPV6 EXTENSION HEADERS

ROUTING THREAT
Examining the Destination Address in the
IPv6 header may not provide all of the
information needed to make packet filtering
decisions.
An amplification attack, resulting in severe
congestion and DoS, can be caused by a
packet with a Routing Header containing
multiple instances of the same address.

IPV6 EXTENSION HEADERS

ROUTING THREAT - MITIGATION
Type 0 Routing Header used in source
routing (node specifies the routers in the
path) is a security threat
It is crucial to perform ingress filtering that
prohibits the forwarding of packets with a
deprecated Type 0 Routing Header (RFC
5095).

IPV6 EXTENSION HEADERS

THREAT
Extension headers can have a number of
security implications. Hop-by-hop extension
headers must be analyzed at every node
along the forwarding path, and can
potentially cause a resource consumption
attack. Extension headers also incorporate
additional complexity for the purpose of
traffic filtering and can also be used as a
covert channel to hide communications
between two systems, e.g., in Destination
Options.

IPV6 ICMPV6
THREAT
Neighbor Discovery and PMTU discovery
are dependent upon ICMPv6
Simply filtering ICMPv6 is not possible on
an IPv6 network
Rogue routers or nodes may send false RA
messages (man-in-the-middle DOS attack)
Spoofed NS/NA packets can cause redirect
or DOS attacks

IPV6 ICMPV6
THREAT - MITIGATIONS
Filter ICMPv6, but still allow for essential
functions
Transit: Packet Too Big, Time Exceeded,
etc.
Local: Router RS/RA, Neighbor NS/NA,
etc.
RS and RA is only useful on the local
segment, uses link-local addresses, and
should never be routed

IPV6 ICMPV6
THREAT - MITIGATIONS
Any IP network, whether it is IPv4-only or a
dual stack IPv4/IPv6 network, must have
the capability to detect and examine
ICMPv6 and IPv6 packets
Without this capability, rogue IPv6 nodes
may be operating on a network that is
intended to handle only IPv4

IPV6 DNS
THREAT
DNS responses with AAAA records are
longer than similar IPv4 responses, and
interfaces may have more than one IPv6
address in the DNS.
Zone file transfer sizes will increase and,
potentially, responses returning multiple
AAAA resource records (e.g. MX requests)
may require fragmentation. Since IPv6
fragments are discouraged, and sometimes
are blocked, this could impact availability.

IPV6 DNS
THREAT
Some authoritative servers ignore queries
for an AAAA record and cause a resolver
first to wait and timeout and then to fall back
to a query for an A record, which may
cause a fatal timeout at the application that
called the resolver. Even if the resolver and
application eventually succeed, the result
can be an unacceptable delay for the
applications user, especially with
interactive applications like web browsing.

IPV6 MULTICAST
THREAT
Attackers may take advantage of wellknown multicast addresses to find hidden
resources such as routers or particular
servers
Denial of service attacks may use multicast
to amplify bandwidth consumption or
attempt to exhaust other resources

IPV6 MULTICAST
THREAT
IPsec coverage for multicast is incomplete.
If a multicast group has more than one
sender, the replay protection mechanism
does not work. More importantly, IKE is a
unicast UDP protocol that only works
between two parties, so automated key
management for multicast IPsec is lacking

IPV6 MULTICAST
THREAT - MITIGATION
IPv6 routers, packet filters, firewalls, and
tunnel endpoints need to enforce multicast
scope boundaries
Filter any packets with a multicast source
address
Never forward link-layer multicast
packets

IPV6 JUMBOGRAMS
THREAT
Some IPsec implementations do not
support Jumbograms
Jumbograms may be used as a vehicle for
DOS
can cause substantial latency, increase
the cost of retransmission, and interfere
with QoS
A jumbogram, used together with a hopby-hop header, could be used to perform
a resource-consumption attack

IPV6 JUMBOGRAMS
THREAT
Intermediate systems such as application
layer firewalls and intrusion detection
systems may be unprepared to handle huge
jumbograms
Many IPv6 implementations may contain
places in which the Payload Length is
stored as an unsigned 16-bit integer.
Finding and exploiting these may be a
method of causing buffer overflows, kernel
crashes, or other unintended effects.

IPV6 DHCPV6
THREAT
Since DHCPv6 clients use a DHCP Unique
Identifier (DUID) to request an IPv6
address, correlating DHCPv4 and DHCPv6
logs is difficult.
DHCPv4 requests use the MAC Address
as the request identifier

IPV6 SLACC AND PRIVACY ADDRESSES

THREAT
Network and clients using SLACC for
address configuration typically use IEEE
EUI-64 to generate the clients IP.
Since IEEE EUI-64 is based on the client
s MAC Address, it is possible to trace a
client as they move from network to
network

IPV6 SLACC AND PRIVACY ADDRESSES

THREAT
RFC 4941 defines Privacy Extensions for
Stateless Address Autoconfiguration in IPv6
Privacy addresses are randomly
generated by the client
This can make it difficult for organization
and network administrators to track
clients or perform forensics

IPV6 SWITCH THREAT / MITIGATION

Threat

Mitigation

Spoofed/Illegitimate RAs
Spoofed NDP NA

RA Guard (or PACL)

MLD Snooping
DHCPv6 Snooping
NDP Inspection
NDP Inspection
NDP Cache Limits, CoPP
Ingress ACL, CoPP,
NDP Cache Limits
MLD Snooping,
NDP Inspection
DHCPv6 Guard
DHCPv6 Guard

Spoofed Local NDP NS Flood

Spoofed Remote NDP NS Flood
Spoofed DAD Attack
Spoofed DHCPv6 Attack
Spoofed/Illegitimate DHCPv6 Replies