IPv6 Security Tutorial


TWNOG and TWNIC OPM, 23 June 2016

Acknowledgment: some parts of this presentation are based on "IPv6 Security" by SWITCH Networks.

Agenda
- IPv6 Operations and Features
- IPv6 Protocol Issues and Security Myths
- IPv6 Toolkits
- Scanning IPv6 Networks
- Neighbour Advertisement Attacks
- Attacks with Router Advertisement: Rogue RA, Lifetime 0, RA Flooding
- Extension Header Attacks (Hop-by-Hop, Routing Header 0)
- Securing IPv6: Best Practices

IPv6 Operations & Features: A Short Overview

IPv6 is the new Protocol
- IP stands for Internet Protocol, one of the main pillars that supports the Internet today
- The current version of the IP protocol is IPv4
- The new version of the IP protocol is IPv6
- IPv6 was also called IPng in the early days of the protocol's development

New Functional Improvements
- Address space: increase from 32-bit to 128-bit addresses
- Management: stateless autoconfiguration means there is no more need to configure IP addresses for end systems, even via DHCP
- Performance: a fixed header size (40 bytes) and 64-bit header alignment mean better performance from routers and bridges/switches
- No hop-by-hop fragmentation by intermediate routers; Path MTU discovery is used instead

New Functional Improvements (continued)
- Multicast/multimedia: built-in features for multicast groups and their management, and new "anycast" groups
- Mobile IP: eliminates triangular routing and simplifies deployment of mobile IP-based systems
- Virtual private networks: built-in support for ESP/AH encrypted/authenticated VPN protocols
- Built-in support for QoS tagging
- No more broadcast

IPv6 Security Features
- IPsec is mandatory in IPv6
- Since IPsec became part of the IPv6 protocol, all nodes can secure their IP traffic if they have the required keying infrastructure
- IPsec does not replace standard network security requirements, but introduces an added layer of security on top of the existing IP network

IPsec Security Services
- AH: integrity of the IPv6 header & data
- ESP: confidentiality of the IPv6 data
(Source: Migrating to IPv6, Marc Blanchet)

IPv6 Addressing
- An IPv6 address is 128 bits long
- So the number of addresses is 2^128, about 340 trillion trillion trillion addresses
- Example: 2001:DC0:A910:: (each hex digit is a 4-bit nibble)

IPv6 Addressing
- 2001:0DB8:DEAD:BEEF:1AB6:503F:A804:71D: 128 bits are reduced to 32 hex digits

IPv6 Address Space (prefix, allocation, RFC):
  0000::/8   Reserved by IETF        RFC 4291
  2000::/3   Global Unicast          RFC 4291
  FC00::/7   Unique Local Address    RFC 4193
  FE80::/10  Link Local Unicast      RFC 4291
  FEC0::/10  Reserved by IETF        RFC 3879
  FF00::/8   Multicast               RFC 4291
  2002::/16  6to4                    RFC 3056

IPv6 Addressing Structure
- 128 bits: Network Prefix + Interface Identifier (IID)
- ISP /32, Customer Site /48, Subnet /64, Device /128

Addressing Threats
- Using EUI-64 for the Interface ID means it is unique worldwide
- The same trackable IID remains even when the network prefix changes
- Loss of privacy

IPv6 Extension Header
- Adding an optional Extension Header in IPv6 makes it simple to add new features to the IP protocol in the future without major re-engineering of IP routers everywhere.
- The number of extension headers is not fixed, so the total length of the extension header chain is variable.
- The extension header is placed between the main header and the payload of an IPv6 packet.

Typical IPv6 header:
  IPv6 Header (Next Header = 6, TCP) | TCP Header & TCP Segment

IPv6 header with extension headers:
  IPv6 Header (Next Header = 43, Routing) | Routing Hdr (Next Header = 44, Fragment) | Fragment Hdr (Next Header = 6, TCP) | TCP Header & Data

Next Header Field: IPv6 Extension Headers (value in hex, value in decimal, header)
  00  0   Hop-by-Hop Extension Header
  2B  43  Routing Extension Header
  2C  44  Fragmentation Extension Header
  32  50  Encapsulating Security Payload (ESP) Extension Header
  33  51  Authentication Header (AH) Extension Header
  3A  58  ICMPv6
  3B  59  No Next Header
  3C  60  Destination Options Extension Header

Order of Extension Headers
The source node follows this order:
1. Hop-by-Hop
2. Routing
3. Fragment
4. Authentication
5. Encapsulating Security Payload
6. Destination Options
7. Upper layer
- Only Hop-by-Hop has to be processed by every intermediate node
- The Routing header needs to be processed by intermediate routers
- At the destination, fragmentation has to be processed before the others

Extension Header Threats
- IPv6 extension headers are used to extend the functionality of the protocol
- An attacker could manipulate this feature to create attacks
- An IPv6 packet with a long list of extension headers could cause a DoS on the routers along the path or on the destination host
- Lengthy extension headers could consume system resources or crash the host's protocol stack
- They could be used as an attack vector to inject malicious code into the network by evading the firewall and IDS (numerous extension headers in a single packet can push the payload into a second fragment that is not checked by the firewall)

Extension Header Limitations
- There is no limit to the number of extension headers that can be used
- Different formats for each type of extension header
- The order of extension headers is a recommendation, not a requirement

ICMPv6 Messages
- There are two classes of ICMPv6 messages (as in ICMPv4):
  - Error messages: Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem
  - Informational messages: Echo Request, Echo Reply, Router Solicitation, Router Advertisement, Redirect, Router Renumbering
- An ICMPv6 message contains a type (8 bits) and a code (8 bits)
  - Type: identifies the ICMP message type, e.g. Destination Unreachable
  - Code: gives the details (subtype) of the message for that type, e.g. Destination Unreachable (Type 1) has 4 codes (subtypes)
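To make the header chain walk and the threats above concrete, here is an added example (not from the slides or from any of the tools they describe) that parses the extension header chain of a constructed IPv6 packet and flags the conditions a perimeter device would act on: more headers than a local limit, headers out of the recommended order, and Routing Header type 0. The 2001:db8:: addresses and the limit of 4 extension headers are assumptions for the demo.

```python
import struct

# Next Header values from the table above
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = 0, 6, 43, 44, 50, 51, 58, 59, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
RECOMMENDED_ORDER = [HOP_BY_HOP, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS]   # source-node order above
MAX_EXT_HEADERS = 4   # local policy knob for this example (assumption, not a protocol constant)
IPV6_HDR_LEN = 40


def analyze_chain(packet: bytes, max_ext_headers: int = MAX_EXT_HEADERS) -> dict:
    """Walk the extension header chain of a raw IPv6 packet.
    'findings' are policy violations (verdict 'drop'); 'notes' explain why the walk stopped early."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        return {"chain": [], "upper_layer": None, "findings": ["not an IPv6 packet"], "notes": [], "verdict": "drop"}
    next_hdr, offset, chain, findings, notes, last_rank = packet[6], IPV6_HDR_LEN, [], [], [], -1
    while next_hdr in EXT_HEADERS:
        chain.append(next_hdr)
        if len(chain) > max_ext_headers:
            findings.append("more than %d extension headers" % max_ext_headers)
            break
        rank = RECOMMENDED_ORDER.index(next_hdr)
        if rank < last_rank:
            findings.append("header %d out of recommended order" % next_hdr)
        last_rank = rank
        if next_hdr == ESP:
            notes.append("ESP: remainder is encrypted, chain cannot be inspected further")
            next_hdr = None
            break
        if len(packet) < offset + 8:
            findings.append("truncated extension header")
            next_hdr = None
            break
        nh, hdr_ext_len = packet[offset], packet[offset + 1]
        if next_hdr == FRAGMENT:
            length = 8
            if struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3 != 0:
                notes.append("non-first fragment: upper-layer header lives in another fragment")
                next_hdr = None
                break
        elif next_hdr == AH:
            length = (hdr_ext_len + 2) * 4      # AH: length field in 32-bit words minus 2
        else:
            length = (hdr_ext_len + 1) * 8      # HBH, Routing, Dest Opts: 8-byte units minus 1
        if next_hdr == ROUTING and packet[offset + 2] == 0:
            findings.append("Routing Header type 0 (deprecated by RFC 5095)")
        offset += length
        next_hdr = nh
    return {"chain": chain, "upper_layer": next_hdr, "findings": findings, "notes": notes,
            "verdict": "drop" if findings else "accept"}


def ipv6_header(next_hdr: int, payload_len: int) -> bytes:
    """Constructed 40-byte IPv6 header (version 6, hop limit 64) between two demo addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1 (constructed)
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2 (constructed)
    return struct.pack("!IHBB", 6 << 28, payload_len, next_hdr, 64) + src + dst


def build_sample(with_rh0: bool) -> bytes:
    """Constructed packets: plain TCP, or HBH + Routing Header 0 + Fragment + TCP like the figure above."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)   # bare SYN, checksum 0
    if not with_rh0:
        return ipv6_header(TCP, len(tcp)) + tcp
    hbh = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])                 # NH=Routing, HdrExtLen=0, PadN option
    rh0 = bytes([FRAGMENT, 2, 0, 1]) + b"\x00" * 4 + bytes.fromhex("20010db8000000000000000000000003")
    frag = struct.pack("!BBHI", TCP, 0, 0, 0x1234)              # NH=TCP, offset 0, M=0, id 0x1234
    payload = hbh + rh0 + frag + tcp
    return ipv6_header(HOP_BY_HOP, len(payload)) + payload


if __name__ == "__main__":
    for flag in (False, True):
        print(analyze_chain(build_sample(flag)))
```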

ICMPv6 filtering is more complex

ICMPv6 Message Types
- Error messages (1-127)
  - 1: Destination Unreachable
  - 2: Packet Too Big (PMTUD)
  - 3: Time Exceeded (Hop Limit)
  - 4: Parameter Problem
- Informational messages (Ping)
  - 128: Echo Request
  - 129: Echo Reply
- Multicast Listener Discovery (MLD, MLDv2)
  - 130: Multicast Listener Query
  - 131/143: Multicast Listener Report / Report v2
  - 132: Multicast Listener Done
- Neighbor Discovery (NDP), Stateless Autoconfiguration (SLAAC)
  - 133: Router Solicitation
  - 134: Router Advertisement
  - 135: Neighbor Solicitation (DAD)
  - 136: Neighbor Advertisement (DAD)
  - 137: Redirect Message
- Other (Router Renumbering, Mobile IPv6, Inverse NS/NA, ...)

ICMPv6 Messages
- One minor improvement in ICMPv6 is that the message types were separated: error messages have type values from 0 to 127, informational messages have type values from 128 to 255
- Of the full list of ICMPv6 type and code values, only some types are defined so far, so undefined types should be blocked (per RFC 4890):
  - Unallocated error messages: type 5-99 and type 102-126
  - Unallocated informational messages: type 154-199 and type 202-254
  - Experimental messages: type 100, 101, 200, 201
  - Extension type messages: type 127, 255
- However, if new messages are allocated by IANA in the future, this filter needs to be adjusted

ICMPv6 Messages
- ICMPv6 is used for many legitimate purposes, so the following messages must be permitted through the network perimeter:
  - Type 1: Destination Unreachable
  - Type 2: Packet Too Big [PMTUD]
  - Type 3: Time Exceeded
  - Type 4: Parameter Problem
- The following messages can be permitted as an option through the network perimeter (if the source & destination of the packet can be controlled):
  - Type 128: Echo Request
  - Type 129: Echo Reply
- The following messages need to be blocked at the network perimeter if those functions are not used for a specific purpose:
  - Type 138: Router Renumbering
  - Type 129: Echo Reply
  - Type 139 & 140: Node Information Query messages
- See the RFC 4890 recommendations for filtering ICMPv6

ICMPv6 Messages
- An ICMPv6 error message contains part or all of the original packet that caused the error in its payload
- More likely the full packet in ICMPv6, as the minimum MTU is 1280 bytes
- This payload could be used by an attacker as a covert channel to carry malicious code
- So the firewall should inspect the payload segment of ICMPv6 error packets to make sure it is legitimate
- If the embedded packet fragment does not contain a legitimate IPv6 address, or the error was not sent statefully (in reply to a packet that actually went out), the packet should be dropped

ICMPv6 Messages
- A Denial of Service (DoS) attack can be initiated by generating a stream of illegal packets, e.g. oversized packets, expiring hop counts, etc.
- If enough erroneous packets are generated, it could drive high CPU utilization on the router
- ICMPv6 error message generation can be limited with the following command:
  Router(config)# ipv6 icmp error-interval [in milliseconds]

ICMPv6 Messages: rate limiting ICMPv6 traffic so it cannot overwhelm the router

  ipv6 access-list ICMPv6
   permit icmp any any
  !
  class-map match-all ICMPv6
   match protocol ipv6
   match access-group name ICMPv6
  !
  policy-map ICMPv6_RATE_LIMIT
   class ICMPv6
    police <rate-bps> conform-action transmit exceed-action drop
  !
  interface fa0/0
   service-policy input ICMPv6_RATE_LIMIT

(The police rate was not shown on the slide; <rate-bps> is a placeholder for the rate chosen for your link.)

Example configuration: ICMPv6 filter (undefined ICMPv6 message types)

  Router# sh ipv6 access-list ICMPV6_UNDEFINE_TYPE
  IPv6 access list ICMPV6_UNDEFINE_TYPE
      deny icmp any any 5 99 sequence 10
      deny icmp any any 102 126 sequence 20
      deny icmp any any 154 199 sequence 30
      deny icmp any any 202 254 sequence 40
      deny icmp any any 100 sequence 50
      deny icmp any any 101 sequence 60
      deny icmp any any 200 sequence 70
      deny icmp any any 201 sequence 80
      deny icmp any any 127 sequence 90
      deny icmp any any 255 sequence 100
      permit icmp any any sequence 110
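As an added example, not part of the slides or of the router configuration above, the following Python applies the same perimeter policy as the ACLs to a single ICMPv6 message and adds the payload check from the previous slide: an error message must quote a packet that one of our own hosts actually sent, addressed back to that sender. The site prefix 2001:db8:1::/48 and the sample messages are constructed for the demo; the undefined-type ranges are those of RFC 4890.

```python
import ipaddress
import struct

# Constructed site prefix for this example (assumption): packets our hosts send carry
# a source address inside it, so a genuine error message must embed one.
INTERNAL_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")

# Policy from the slides above
MUST_PERMIT = {1, 2, 3, 4}            # Dest. Unreachable, Packet Too Big, Time Exceeded, Parameter Problem
OPTIONAL = {128, 129}                 # Echo Request / Reply, only if source and destination are controlled
BLOCK_UNLESS_USED = {138, 139, 140}   # Router Renumbering, Node Information Query / Response
# RFC 4890: unallocated, experimental and extension type numbers (the ICMPV6_UNDEFINE_TYPE ACL)
UNDEFINED_RANGES = [(5, 99), (102, 126), (154, 199), (202, 254)]
EXPERIMENTAL_OR_EXTENSION = {100, 101, 200, 201, 127, 255}


def classify(icmp_type: int) -> str:
    """Map an ICMPv6 type to the policy class used by the perimeter filter."""
    if icmp_type in EXPERIMENTAL_OR_EXTENSION or any(lo <= icmp_type <= hi for lo, hi in UNDEFINED_RANGES):
        return "undefined"
    if icmp_type in MUST_PERMIT:
        return "permit"
    if icmp_type in OPTIONAL:
        return "optional"
    if icmp_type in BLOCK_UNLESS_USED:
        return "block"
    return "default"   # the ACL above ends with "permit icmp any any"


def check_error_payload(icmp_msg: bytes, error_dst: str):
    """Error messages carry the offending packet after the 4-byte type/code/checksum header and a
    4-byte type-specific field (MTU for Packet Too Big, unused otherwise).
    Returns None when the embedded packet looks like something our site really sent."""
    inner = icmp_msg[8:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "payload does not start with an IPv6 header"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src not in INTERNAL_PREFIX:
        return "embedded source %s is not one of our addresses" % inner_src
    if inner_src != ipaddress.IPv6Address(error_dst):
        return "error is not delivered to the original sender %s" % inner_src
    return None


def filter_icmpv6(icmp_msg: bytes, dst: str, allow_echo: bool = True, extra_types_used: bool = False) -> tuple:
    """Return ('permit'|'drop', reason) for an inbound ICMPv6 message delivered to dst."""
    icmp_type = icmp_msg[0]
    cls = classify(icmp_type)
    if cls == "undefined":
        return "drop", "undefined/experimental ICMPv6 type %d" % icmp_type
    if cls == "block":
        return ("permit", "explicitly enabled") if extra_types_used else ("drop", "type %d not used here" % icmp_type)
    if cls == "optional":
        return ("permit", "echo allowed") if allow_echo else ("drop", "echo not allowed")
    if cls == "permit":
        problem = check_error_payload(icmp_msg, dst)
        return ("drop", problem) if problem else ("permit", "error message with legitimate payload")
    return "permit", "type %d: default permit" % icmp_type


def packet_too_big(inner_src: str, inner_dst: str, mtu: int = 1280) -> bytes:
    """Constructed sample: a Packet Too Big (type 2) error quoting a 48-byte original UDP packet."""
    inner = struct.pack("!IHBB", 6 << 28, 8, 17, 63)
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed + b"\x00" * 8
    return struct.pack("!BBHI", 2, 0, 0, mtu) + inner


if __name__ == "__main__":
    print(filter_icmpv6(packet_too_big("2001:db8:1::10", "2001:db8:ffff::1"), "2001:db8:1::10"))
    print(filter_icmpv6(packet_too_big("2001:db8:9::99", "2001:db8:ffff::1"), "2001:db8:1::10"))
    print(filter_icmpv6(bytes([155, 0, 0, 0]), "2001:db8:1::10"))
```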

Example configuration: ICMPv6 filter (specific ICMPv6 message type and code)

  Router(config)# ipv6 access-list ICMPV6_SPECIFIC_TYPE_CODE
  Router(config-ipv6-acl)# deny icmp any any ?
    <0-255>                  ICMPv6 message type
    auth                     Match on authentication header
    beyond-scope             Destination beyond scope
    dest-option              Destination Option header (all types)
    dest-option-type         Destination Option header with type
    destination-unreachable  Destination address is unreachable
    dhaad-reply              Home agent address discovery reply
    dhaad-request            Home agent address discovery request
    dscp                     Match packets with given dscp value
    echo-reply               Echo reply
    echo-request             Echo request (ping)
    flow-label               Flow label
    header                   Parameter header problems
    hop-limit                Hop limit exceeded in transit
    log                      Log matches against this entry
    log-input                Log matches against this entry, including input
    mld-query                Multicast Listener Discovery Query
    mld-reduction            Multicast Listener Discovery Reduction
    mld-report               Multicast Listener Discovery Report
    mobility                 Mobility header (all types)
    mobility-type            Mobility header with type
    mpd-advertisement        Mobile prefix advertisement
    mpd-solicitation         Mobile prefix solicitation
    nd-na                    Neighbor discovery neighbor advertisements
    nd-ns                    Neighbor discovery neighbor solicitations
    next-header              Parameter next header problems
    no-admin                 Administration prohibited destination
    no-route                 No route to destination
    packet-too-big           Packet too big
    parameter-option         Parameter option problems
    parameter-problem        All parameter problems
    port-unreachable         Port unreachable
    reassembly-timeout       Reassembly timeout
    redirect                 Neighbor redirect

IPv6 Neighbor Discovery (ND), RFC 4861
- IPv6 uses multicast (L2) instead of broadcast to find out the target host's MAC address
- It increases network efficiency by eliminating broadcast from the L2 network
- IPv6 ND uses ICMPv6 as transport
- Compared to IPv4 ARP, there is no need to write a different ARP for each L2 protocol, e.g. Ethernet

NDP Message Types
- 133 Router Solicitation: prompts a router to send a Router Advertisement
- 134 Router Advertisement: sent by routers to tell hosts on the local network that the router exists and to describe its capabilities
- 135 Neighbor Solicitation: sent by a device to request the layer-two address of another device while providing its own as well
- 136 Neighbor Advertisement: provides information about a host to other devices on the network
- 137 Redirect: a router informs a host of a better first hop to a destination

IPv6 Neighbor Discovery (ND)
- Solicited-Node Multicast is used for Duplicate Address Detection
  - Part of the Neighbour Discovery process
  - Replaces ARP
  - Duplicate IPv6 addresses are rare, but still have to be tested for
- For each unicast and anycast address configured, there is a corresponding solicited-node multicast address
- This address is only significant on the local link

Solicited-Node Multicast Address
- Starts with FF02::1:FF00:0/104
- The last 24 bits come from the interface's IPv6 address
- Example: the IPv6 address 2406:6400:0:0:0:0:0000:0010 has the solicited-node multicast address FF02:0:0:0:0:1:FF00:0010
- Every host listens on the solicited-node multicast address corresponding to each of its unicast and anycast addresses (if defined)

IPv6 Neighbor Discovery (ND)
Host A would like to communicate with Host B:
- Host A IPv6 global address: 2406:6400::10
- Host A IPv6 link-local address: fe80::226:bbff:fe06:ff81
- Host A MAC address: 00:26:bb:06:ff:81
- Host B IPv6 global address: 2406:6400::20
- Host B link-local address: UNKNOWN [gateway if outside the link]
- Host B MAC address: UNKNOWN
How will Host A create the L2 frame for Host B?

IPv6 Autoconfiguration (RFC 2462)
- Stateless mechanism
  - For a site not concerned with the exact addresses
  - No manual configuration required, minimal configuration of routers, no additional servers
  - Use SLAAC
- Stateful mechanism
  - For a site that requires tighter control over exact address assignments
  - Use a stateful address protocol (DHCPv6)
- Stateless with DHCP
  - Use Router Advertisements to allocate prefixes
  - Other parameters are provided by DHCP

What is SLAAC?
- Stateless Address Autoconfiguration (SLAAC), RFC 4862
- The IP address is assigned based on the prefix provided by the router (RA) + a generated Interface ID
- Duplicate Address Detection (DAD) is used to verify that the new address is unique

IPv6 Autoconfiguration (on the 2001:1234:1:1::/64 network)
1. A new host is turned on
2. A tentative link-local address is assigned to the new host: FE80::310:BAFF:FE64:1D (EUI-64). Is this address unique?
3. Perform Duplicate Address Detection (DAD)
4. The host sends an NS message to the all-nodes multicast address (FF02::1)
5. Wait for an NA message. If none arrives, the address is unique.
6. Assign the link-local address to the interface

IPv6 Autoconfiguration (continued)
1. The host sends an RS message ("send me a Router Advertisement") to the all-routers multicast group (FF02::2)
2. The router replies with a Router Advertisement (RA)
3. The host learns the network prefix 2001:1234:1:1::/64
4. The host assigns a new address using Network Prefix + Interface ID: 2001:1234:1:1:310:BAFF:FE64:1D
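An added example (not from the slides) that reproduces the address derivations used above: the modified EUI-64 interface ID and link-local address for Host A's MAC, the solicited-node multicast address of 2406:6400::10, the SLAAC address on 2001:1234:1:1::/64, and the reverse mapping that shows why an EUI-64 IID is trackable across prefixes. The MAC 01:10:ba:64:00:1d is inferred from the slide's tentative address FE80::310:BAFF:FE64:1D and is an assumption.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit of the first octet and insert FF:FE."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui64, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Network prefix (from the RA) + EUI-64 interface ID, as SLAAC does without privacy extensions."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """The tentative link-local address a host derives before DAD."""
    return slaac_address("fe80::/64", mac)


def solicited_node(address: str) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 with the low 24 bits of the unicast/anycast address appended."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def mac_from_address(address: str):
    """Recover the MAC from an EUI-64 shaped interface ID (None otherwise).
    This is the privacy problem above: the same IID, hence the same MAC, appears under every prefix."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join("%02x" % o for o in octets)


if __name__ == "__main__":
    print(link_local("00:26:bb:06:ff:81"))                        # Host A from the slide above
    print(solicited_node("2406:6400::10"))                        # where Host A listens for NS
    print(slaac_address("2001:1234:1:1::/64", "01:10:ba:64:00:1d"))
    print(mac_from_address("2001:1234:1:1:310:baff:fe64:1d"))
```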

Exercise: Basic IPv6
- Log in to your assigned VM
- Assign a static IPv6 address to the interface from 2406:6400:X::/48
- Launch Wireshark or any sniffing tool
- Filter for ICMPv6
- Observe the message types (and content) of the packets

IPv6 Toolkits: Quick Introduction to the Tools

IPv6 Attack Frameworks
- The Hacker's Choice THC-IPv6
- SI6 Networks IPv6 Toolkit
- Chiron

THC-IPv6 Installation
Ubuntu:
  # install
  sudo apt-get install thc-ipv6
  # verify
  ls /usr/bin/atk6-*
Redhat / CentOS:
  # install
  sudo yum install epel-release
  sudo yum install thc-ipv6
  # verify
  ls /usr/bin/*

THC-IPv6 Tools
- alive6: checks for live interfaces with an IPv6 address
- parasite6: ARP spoofer for IPv6
- redir6: redirects all traffic to a target
- implementation6: tests what the firewall supports
- firewall6: performs various ACL bypass attempts
- thcping6: tests for anti-spoofing (RPF check); usage: thcping6 <interface> <src-addr> <dest-addr>
- fake_router26: pretends to be a router (replaces fake_router6)
- ndpexhaust26: attacks with ICMPv6 too-big and echo-request messages
- thcsyn6: floods the target with SYN packets

SI6 IPv6 Toolkit Installation
Ubuntu:
  sudo apt-get -y install libpcap-dev
  wget ipv6toolkit/archive/master.zip
  unzip master.zip
  cd ipv6toolkit-master/
  sudo make all
  sudo make install
  # verify
  ls /usr/local/sbin/*6
Redhat / CentOS:
  sudo yum -y install libpcap-devel
  wget ipv6toolkit/archive/master.zip
  unzip master.zip
  cd ipv6toolkit-master/
  sudo make all
  sudo make install
  # verify
  ls /usr/local/sbin/*

SI6 IPv6 Toolkit Commands
- addr6: IPv6 address analysis and manipulation tool
- blackhole6: troubleshooting tool which can find where in the network topology IPv6 packets with a specific Extension Header are being dropped
- flow6: tool to perform a security assessment of the IPv6 Flow Label
- frag6: tool to perform IPv6 fragmentation-based attacks
- icmp6: attacks based on ICMPv6 error messages
- na6: tool to send arbitrary Neighbor Advertisement messages
- ra6: tool to send arbitrary Router Advertisement messages
- scan6: IPv6 address scanning tool
- tcp6: sends arbitrary TCP segments and performs a variety of TCP-based attacks

Exercise: Attack Toolkit
- If you are running Linux or OS X: install THC-IPv6 and the IPv6 Toolkit
- If you are running Windows: request a Linux VM from the instructor and log in to the VM assigned to you; both tools are already installed

Scanning IPv6 Networks

Fact or Myth?
- IPv6 uses 128-bit addresses
- It takes too long (or is impossible) to scan the entire range

Scanning a Network
- The entire IPv4 address space can be scanned in under 5 minutes*
- IPv6 networks are too big to scan sequentially, but scanning is still possible; it is no longer "impossible"
- DNS brute forcing of common hostnames using a dictionary, or sequential names (a, aa, aaa, aab, ...)
- Alive brute forcing of typical addresses:
  - low range: ::1, ::2, ::3, ...
  - DHCP: sequential ranges (find one, got all)
  - service port numbers in IP addresses: ::80, ::53, 53:1, 53:2
  - autoconfiguration with MAC: 24 bits are the vendor ID, 24 bits must be guessed (16,777,216 possibilities)
  - addresses using words: 2001:db8::cafe:f00d:babe:beef
  - other guessable patterns

Example: Finding hosts in DNS for target.org
Use dnsdict6 with the 'xlarge' built-in dictionary:
  dnsdict6 -x target.org
  - apollo.target.org => 2001:beef:123:8:20c:29ff:fe3d:903
  - ares.target.org => 2001:beef:123:8:20c:29ff:fea0:11fc
  - argos.target.org => 2001:beef:123:8:20c:29ff:fea0:
  - athena.target.org => 2001:beef:123:8:20c:29ff:fea0:2ffc
  [...]
  Found 72 hosts and 60 unique ip-addresses for target.org

Example: Finding live IPs of target.org
ping6 a known host (to get an idea of the IP pattern in use): 2001:beef:123:1::5
Use alive26 with a known or guessed pattern:
  alive26 -d eth1 2001:beef:123:0-ff:0:0:0:0-1f
  Alive: 2001:beef:123:1::5 ( ) [ICMP echo-reply]
  Alive: 2001:beef:123:2::4 (logon.target.org) [ICMP echo-reply]
  Alive: 2001:beef:123:3::1 (sales.target.org) [ICMP echo-reply]
  Alive: 2001:beef:123:a::9 (control.target.org) [ICMP echo-reply]
  [...]
  Scanned 8192 addresses and found 138 systems alive

More help from DNS / DNSSEC
- Try a DNS zone transfer (<domain> axfr) to read the complete zone file: seldom possible by now
- DNSSEC zone walking (NSEC records are chained): dnssecwalk <nameserver> <domain>; corrected with NSEC3 (bind 9.6.0)
- If the attacker is already in the LAN:
  - ping multicast addresses, e.g. the link-local scope all-nodes multicast address ff02::1: ping6 -I eth1 ff02::1 or alive26 eth1 ff02::1 (doesn't work from Windows, doesn't work for all targets)
  - Sniffing, e.g. listening to the Neighbor Discovery Protocol
  - The neighbor cache, the equivalent of the IPv4 ARP cache: Linux: ip -6 neigh; Windows: netsh interface ipv6 show neighbors; Cisco: show ipv6 neighbors

Target Discovery Mitigation?
- Use static random addresses & unguessable DNS names? (hmm)
- Privacy extensions? (hmm)
- Any place where IPv6 addresses are listed will become more attractive for attackers (DNS, DHCP records, logfiles, ...): protect those as well
- Also mitigate the Remote Neighbor Cache Exhaustion attack: a scan floods the neighbor cache table (fast); use rate limiting and ingress filtering (see the Perimeter section)

Scanning Attack Tools
- dnsdict6: used to find all subdomains and enumerate IPv6 addresses
- alive26: shows alive addresses in the segment

  root@kali:~# atk6-dnsdict6 -d apnic.net
  Starting DNS enumeration work on apnic.net. ...
  Gathering NS and MX information...
  NS of apnic.net. is sec1.apnic.net. => 2001:dc0:2001:a:4608::59
  NS of apnic.net. is ns1.apnic.net. => 2001:dc0:2001:0:4608::25
  NS of apnic.net. is sec3.apnic.net. => 2001:dc0:1:0:4777::140
  NS of apnic.net. is ns3.apnic.net. => 2001:dc0:1:0:4777::131
  NS of apnic.net. is sec4.apnic.net. => 2001:dc0:4001:1:0:1836:0:141
  MX of apnic.net. is ao-mailgw.apnic.net. => 2001:dd8:8:701::25
  MX of apnic.net. is ia-mailgw.apnic.net. => 2001:dd8:a:851::25
  MX of apnic.net. is nx-mailgw.apnic.net. => 2001:dd8:9:801::25
  Starting enumerating apnic.net. - creating 8 threads for 1419 words...
  Estimated time to completion: 1 to 2 minutes
  6to4.apnic.net. => 2001:dc0:2001:11::234
  api.apnic.net. => 2001:dd8:9:2::101:29
  as.apnic.net. => 2001:dd8:9:2::101:12
  blog.apnic.net. => 2001:dd8:8:701::11

Attacks at the Local Link
- Attacks related to Neighbor Discovery (NDP): Neighbor Solicitation (NS), Neighbor Advertisement (NA), Duplicate Address Detection
- Attacks related to Router Advertisement (RA): RA flooding

Neighbor Advertisement Attacks: DAD DoS, ND Spoofing, NA Spoofing

Duplicate Address Detection DoS
(A: "I want to use this IPv6 address"; attacker C: "Sorry, I have this address already")
- A sends an NS for DAD
- The attacker sends an NA for each NS
- A can't configure any IPv6 address

Duplicate Address Detection DoS
- The attacker replies to each DAD NS
- The victim can't configure an IPv6 address at all
- Works also if autoconfiguration is disabled: DAD is mandatory also for DHCPv6 or manually configured addresses!

DAD Attack Tool: dos-new-ip6
This tool prevents new IPv6 interfaces from coming up by sending answers to duplicate IPv6 checks. This results in a DoS for new IPv6 devices.
  root@kali:~# atk6-dos-new-ip6 eth0
  Started ICMP6 DAD Denial-of-Service (Press Control-C to end)...
  Spoofed packet for existing ip6 as 2400:6401::1
  Spoofed packet for existing ip6 as fe80::5054:ff:fe42:e97a
  Spoofed packet for existing ip6 as 2001:d35d:b33f:0:5054:ff:fe42:e97a
  Spoofed packet for existing ip6 as 2001:d35d:b33f:0:5054:ff:fe42:e97a

Exercise: DAD DoS
- Try to assign a new IPv6 address to your interface, using a static address: sudo ifconfig eth0 add 2400:6400::1/64
- Alternatively, restart the interface so it will do another ND
- If you want to act as an attacker, try the command: dos-new-ip6 eth0
- Observe the output of the tool. Has the client obtained a global unicast address?

DAD DoS Observations
- Linux configures the link-local address (!) and tries every 30 seconds to configure a Global Unicast Address; /proc/sys/net/ipv6/conf/*/accept_dad default=1
- XP tries a few times, also with different random addresses, and then quits
- Win7 tries a few times and then quits; it might show the popup "Windows has detected an IP address conflict"

DAD DoS Mitigation
- NS/NA can't be blocked because they are also used for address resolution ("ARP")
- Most switches can forward multicast packets only to the needed ports; this feature is called "MLD snooping", check if it is enabled

Neighbor Discovery Spoofing
(A: "I want to talk to IP B, please send your MAC address"; attacker: "I have IP B, here is my MAC address")
- A sends an NS: who has IPv6 address B? Please send the link-layer address
- The attacker spoofs an NA with his own MAC address
- A talks to the attacker instead of B

NDP Spoofing Attack Tool: parasite6
This is an "ARP spoofer" for IPv6, redirecting all local traffic to your own system (or to nirvana if the fake MAC does not exist) by answering falsely to Neighbor Solicitation requests; specifying FAKE-MAC results in a local DoS. Also check out fake_advertise6, flood_advertise6, flood_solicitate6.
  root@kali:~# atk6-parasite6 -l eth0 aa:bb:cc:11:22:33
  Remember to enable routing (ip_forwarding), you will denial service otherwise!
  => echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  Started ICMP6 Neighbor Solitication Interceptor (Press Control-C to end)...
  Spoofed packet to fe80::3636:3bff:fed0:3030 as fe80::4af8:b3ff:fe9a:d29e
  Spoofed packet to fe80::3636:3bff:fed0:3030 as fe80::4af8:b3ff:fe9a:d29e

Redirect Spoofing
(A = <src-ip>, B = <target-ip>, R1 = <original-router>, attacker = <new-ip>)
- A wants to talk to B
- The attacker sends a Redirect to A with new-ip/mac
- A adds the route and then talks to the attacker instead of B

ICMPv6 Redirect Attack Tool: redir6
Implants a route into src-ip which redirects all traffic for target-ip to new-ip. You must know the router which would handle the route. If the new router MAC does not exist, this results in a DoS.

Attacks with Router Advertisement: Rogue RA, Lifetime 0 Attacks, RA Flooding

Rogue RA Principle
(Attacker: "I am your default router!")
- The attacker sends Router Advertisements
- All nodes autoconfigure IPv6 according to the spoofed RA: default router, prefix information
- ICMPv6 Type 134 (RA); Src: own link-local address; Dst: ff02::1; Data: prefix, options, lifetime, autoconfig flag

Rogue RA Denial of Service (BLOCK)
- The attacker B is the default router; all traffic sent to the attacker ends up in a black hole

Rogue RA Man in the Middle Attack (FORWARD)
- The attacker B is the default router; the attacker can intercept, listen to and modify unprotected data

Rogue RA Performance Issue (WLAN)
- The attacker B is the default router and becomes a bottleneck
- Often not an attack but a misconfigured client

Rogue RA Attack Tool: fake_router6 / fake_router26
Announce yourself as a router and try to become the default router.
  root@kali:~# atk6-fake_router26 -A 2001:D35D:B33F::/64 eth0
  Starting to advertise router (Press Control-C to end)...

Rogue RA Attack Tool: output after fake_router26 is run
  ~]$ ifconfig
  eth0  Link encap:Ethernet  HWaddr 52:54:00:42:E9:7A
        inet addr:  Bcast:  Mask:
        inet6 addr: 2001:d35d:b33f:0:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2001:db8::5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: fe80::5054:ff:fe42:e97a/64 Scope:Link
        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
        RX packets: errors:0 dropped:0 overruns:0 frame:0
        TX packets:89280 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes: (210.3 MiB)  TX bytes: (6.3 MiB)

Exercise: Router Advertisement
- Log in to your assigned VM
- Try to become the default route: fake_router26 eth0
- Observe the interface: ip -6 route
- Advertise a fake route: fake_router26 -A 1234::abcd:X::/64 eth0

Router Lifetime 0 Attack
(Attacker: "R1 is down" (Router Lifetime = 0))
- The attacker sends RAs with Lifetime = 0
- Tries to remove the router from the routing table

Router Lifetime 0 Attack Tool: kill_router6
Announce (to ff02::1) that a router is going down (RA with Router Lifetime 0) to delete it from the routing tables.
  root@kali:~# atk6-kill_router6 eth0 '*'

Some Rogue RA Facts
- Everybody can send Router Advertisements!
- Nodes will add (new) global addresses
- Nodes will add / delete the default route
- Also in "IPv4-only" networks: IPv6-enabled hosts will configure IPv6 addresses and can then be attacked over IPv6 (a second door)
- Possible attacks: DoS, MITM, decreased network performance (and more, see below)

Router Advertisement Flooding
(Attacker: "2004:: is a prefix", "2005:: is a prefix", "2006:: is a prefix", "2007:: is a prefix", ...)
- The attacker floods the LAN with Router Advertisements

RA Flooding Tool: flood_router26 / flood_router6
Floods the local network with router advertisements.
  root@kali:~# atk6-flood_router6 eth0
  !! Please note: flood_router6 is deprecated, please use flood_router26 !!
  Starting to flood network with router advertisements on eth0 (Press Control-C to end, a dot is printed for every 1000 packets):

RA Flooding Victim
  ~]$ ifconfig
  eth0  Link encap:Ethernet  HWaddr 52:54:00:42:E9:7A
        inet addr:  Bcast:  Mask:
        inet6 addr: 2a01:96f0:c201:ed8f:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:d07b:1aca:eccb:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:d86e:5318:d649:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:364a:768d:3b38:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:cea:f971:b02b:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:3a55:4067:f66a:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:206e:57f1:c2fa:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:3b81:65c6:317b:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:de28:2da1:2a1b:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:53aa:d153:a394:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:d4b0:f9:c3e7:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:c994:2497:861e:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:ed60:6bfd:cc19:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:5e4c:2412:e7e0:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: 2a01:8c7f:8bb0:1611:5054:ff:fe42:e97a/64 Scope:Global
        inet6 addr: fe80::5054:ff:fe42:e97a/64 Scope:Link
        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
        RX packets: errors:0 dropped:0 overruns:0 frame:0
        TX packets:89790 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes: (218.2 MiB)  TX bytes: (6.3 MiB)

Some RA Flooding Facts
- Everybody can send Router Advertisements!
- The attacker floods the LAN with RAs and lots of prefixes
- Nodes will stall or crash: Windows XP, Vista, 7, 8, 200x Server; Free/Net/OpenBSD (depends on version); OS X; Juniper; Android phones, iPads, ... slow down or freeze
- Safe: Cisco IOS & ASA (fixed); Linux has a limit of 16 IPv6 addresses incl. link-local (not attackable)

Detection of Rogue RAs & ND Spoofing
- With a generic Intrusion Detection System: signatures are needed, and decentralized sensors in all network segments are needed
- With NDPmon: can monitor RAs, NAs and DAD DoS; generates syslog events and/or sends e-mails; freely available at ndpmon.sourceforge.net
- Using deprecation daemons: ramond, rafixd

RA Guard: Router Advertisement Guard (RFC 6105)
- All messages between IPv6 end devices traverse the controlled L2 networking device
- Filter RA messages based on a set of criteria

RA Guard: 3 Types
- Stateless RA Guard: filters incoming RAs based on information found in the message (link-layer address, IP source address, prefix list, router priority) or in the L2 device configuration (switch port)
- Stateful RA Guard: learns dynamically about legitimate RA senders and stores this information to allow subsequent RAs ("learning mode")
- SEND-based RA Guard: filters RAs based on SEND considerations

SEND: Secure Neighbor Discovery (RFC 3971)
- A cryptographic solution for securing NDP messages
- A set of new ND options is added
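As an added example, not part of the slides, of NDPmon or of any RA Guard implementation, the following Python monitor applies the stateless RA Guard criteria above (allowed router link-local address, its MAC, allowed prefix list) to decoded Router Advertisements and also flags the lifetime-0 and flooding patterns from the previous section. The router fe80::1 with MAC 52:54:00:00:00:01, the prefix 2001:db8:1::/64 and the flood threshold of 10 RAs per second are assumptions; the rogue MAC, link-local address and prefix reuse the values shown in the tool output above.

```python
import ipaddress
import struct
from collections import defaultdict, deque

ROUTER_ADVERTISEMENT = 134   # ICMPv6 type
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO = 1, 3


def parse_ra(msg: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement: router lifetime, source link-layer option, prefixes."""
    icmp_type, _code, _csum, _hop, _flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", msg[:16])
    if icmp_type != ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    lladdr, prefixes, off = None, [], 16
    while off + 2 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1]
        if opt_len == 0:                      # RFC 4861 forbids zero-length options
            raise ValueError("zero-length ND option")
        body = msg[off:off + opt_len * 8]
        if opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            lladdr = ":".join("%02x" % b for b in body[2:8])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            prefix = ipaddress.IPv6Network("%s/%d" % (ipaddress.IPv6Address(body[16:32]), body[2]), strict=False)
            prefixes.append(prefix)
        off += opt_len * 8
    return {"router_lifetime": lifetime, "lladdr": lladdr, "prefixes": prefixes}


class RAMonitor:
    """Stateless RA-Guard style checks plus rate-based flood detection, one alert string per finding."""

    def __init__(self, legit_routers: dict, legit_prefixes, flood_threshold: int = 10, window: float = 1.0):
        self.legit_routers = legit_routers                       # link-local address -> MAC
        self.legit_prefixes = {ipaddress.IPv6Network(p) for p in legit_prefixes}
        self.flood_threshold, self.window = flood_threshold, window
        self.recent = defaultdict(deque)                         # MAC -> timestamps of recent RAs

    def observe(self, ts: float, src_ip: str, src_mac: str, msg: bytes) -> list:
        ra = parse_ra(msg)
        alerts = []
        if src_ip not in self.legit_routers:
            alerts.append("rogue RA from %s (%s)" % (src_ip, src_mac))
        elif self.legit_routers[src_ip] != src_mac:
            alerts.append("RA claiming router %s sent from unexpected MAC %s" % (src_ip, src_mac))
        if ra["lladdr"] and ra["lladdr"] != src_mac:
            alerts.append("source link-layer option %s differs from frame MAC %s" % (ra["lladdr"], src_mac))
        if ra["router_lifetime"] == 0 and src_ip in self.legit_routers:
            alerts.append("router lifetime 0 announced for %s (kill_router6 pattern)" % src_ip)
        for prefix in ra["prefixes"]:
            if prefix not in self.legit_prefixes:
                alerts.append("unexpected prefix %s advertised by %s" % (prefix, src_mac))
        q = self.recent[src_mac]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.flood_threshold:
            alerts.append("RA flood: %d RAs from %s within %.1fs" % (len(q), src_mac, self.window))
        return alerts


def build_ra(router_lifetime: int, prefixes, src_mac: str) -> bytes:
    """Constructed RA message (no IPv6 header, checksum left zero) for exercising the monitor."""
    msg = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    msg += bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # L=1, A=1 flags; valid lifetime 30 days, preferred 7 days
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        msg += net.network_address.packed
    return msg


def demo():
    """Replay a constructed sequence: legitimate RA, rogue RA (fake_router26 style), lifetime 0, flood."""
    mon = RAMonitor({"fe80::1": "52:54:00:00:00:01"}, ["2001:db8:1::/64"])
    legit = mon.observe(0.0, "fe80::1", "52:54:00:00:00:01", build_ra(1800, ["2001:db8:1::/64"], "52:54:00:00:00:01"))
    rogue = mon.observe(1.0, "fe80::5054:ff:fe42:e97a", "52:54:00:42:e9:7a",
                        build_ra(1800, ["2001:d35d:b33f::/64"], "52:54:00:42:e9:7a"))
    kill = mon.observe(2.0, "fe80::1", "52:54:00:42:e9:7a", build_ra(0, [], "52:54:00:42:e9:7a"))
    flood = []
    for i in range(12):   # 12 RAs with random-looking prefixes inside 0.6 s
        flood = mon.observe(3.0 + i * 0.05, "fe80::5054:ff:fe42:e97a", "52:54:00:42:e9:7a",
                            build_ra(1800, ["2a01:%x::/64" % (0x1000 + i)], "52:54:00:42:e9:7a"))
    return legit, rogue, kill, flood


if __name__ == "__main__":
    for alerts in demo():
        print(alerts or ["no alert"])
```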

Rogue RA Conclusion
- Mitigation of rogue RAs must be considered, even in IPv4-only networks
- There are several mitigation approaches with different pros/cons; these can be combined
- Different operational scenarios require different mitigation approaches
- See RFC 6104 for more information and references

IPv6 Security Best Practices

0. Are you running IPv6?
- Know whether you are running IPv6
- IPv6 is enabled by default in some devices and operating systems (ISATAP, Teredo, etc. on Windows PCs)
- If you are not using IPv6, make sure to disable it on all devices
- Decide when to enable IPv6
- Make sure there are IPv6 policies in place

1. Learn IPv6
- Teach your network operators about IPv6
- Teach your users about IPv6
- Set up a test environment
- Don't assume that staff will get it the first time; there is some trial and error to be done
- Learn from others' deployment strategies

2. Adopt the same BCPs as in IPv4
- Implement BCP38 and MANRS
- Replicate your IPv4 policies in IPv6
- Replicate your IPv4 filters
- Use similar authentication methods as in IPv4, for login and routing protection

3. Apply Filters
- Filter out some ICMPv6 messages
- Rate limit
- Block Routing Header 0 (this is now the default since RFC 5095)

4. IPv6 Support for Equipment
- Check whether your security equipment supports IPv6
- Always include security plans in the overall IPv6 deployment plan
- Update purchasing plans to include this

References
- IPv6 Security by S. Hogg and E. Vyncke
- NIST Guidelines for the Secure Deployment of IPv6

References
- RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
- RFC 4861: Neighbor Discovery for IP version 6 (IPv6)
- RFC 6583: Operational Neighbor Discovery Problems
- RFC 5157: IPv6 Implications for Network Scanning
- RFC 7707: Network Reconnaissance in IPv6 Networks
- RFC 7721: Security and Privacy Considerations for IPv6 Address Generation Mechanisms
- RFC 5095: Deprecation of Type 0 Routing Headers in IPv6
- RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls
- RFC 6980: Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery
- RFC 7527: Enhanced Duplicate Address Detection
- RFC 6104: Rogue IPv6 Router Advertisement Problem Statement
- RFC 6105: IPv6 Router Advertisement Guard
- RFC 3971: Secure Neighbor Discovery (SEND)

54 Questions?
