How to Securely Operate an IPv6 Network

Transcription

1

2 How to Securely Operate an IPv6 Network Eric Vyncke 2

3 Abstract This intermediate session describes how an IPv6 network can be securely operated. The session explains how the management, control and data planes can be secured. It also covers topics such as forensic, telemetry and lawful intercept. The content is mainly geared to Service Providers but enterprises may also find it useful. It is targeted to security and network architects with operational background. There is also enterprise versions of this session BRKSEC-2003 / BRKSEC which is more protocol oriented than operational. Beware that there is 50% overlap between BRKSEC-2003 / BRKSEC-3724 and. 3

4 For Reference Slides For Your Reference There are more slides in the hand-outs than presented during the class Those slides are mainly for reference and are indicated by the book icon on the top right corner (as on this slide) Some slides have also a call-out to another session (see below) BRKSEC

5 This presentation does not cover the common parts with IPv4 network: Physical security Role-based access control & AAA Configuration management & change control

6 Agenda Management Plane Control Plane Routing Information Neighbor Discovery Control Plane Protection Data Plane Anti-spoofing Access Control List Tunnel loops Telemetry Forensic Lawful Intercept Summary 6

7 Management Plane 7

8 Management over IPv6 SSH, syslog, SNMP, NetFlow all work over IPv6 Dual-stack management plane More resilient: works even if one IP version is down More exposed: can be attacked over IPv4 and IPv6 RADIUS over IPv6 is recent (IOS 15.2(1)T, IOS-XE rls 3.2S) But, IPv6 RADIUS attributes can be transported over IPv4 As usual, infrastructure ACL is your friend (more to come) as well as out-ofband management 8

9 IPv6 ACL to Protect VTY For Your Reference ipv6 access-list VTY permit ipv6 2001:db8:0:1::/64 any line vty 0 4 ipv6 access-class VTY in Must be done before enabling IPv6 on any interface Beware there is no equivalent for HTTP => use ACL In IOS-XR, the command is access-class VTY ingress, the IPv4 and IPv6 ACL must have the same name 9

10 Control Plane: Routing Protocols

11 Preventing IPv6 Routing Attacks Protocol Authentication BGP, ISIS, EIGRP no change: An MD5 authentication of the routing update OSPFv3 has changed and pulled MD5 authentication from the protocol and instead rely on transport mode IPsec (for authentication and confidentiality) But see RFC 6506 (not yet widely implemented) IPv6 routing attack best practices Use traditional authentication mechanisms on BGP and IS-IS Use IPsec to secure protocols such as OSPFv3 11

12 OSPF or EIGRP Authentication For Your Reference interface Ethernet0/0 ipv6 ospf 1 area 0 ipv6 ospf authentication ipsec spi 500 md ABCDEF ABCDEF interface Ethernet0/0 ipv6 authentication mode eigrp 100 md5 ipv6 authentication key-chain eigrp 100 MYCHAIN key chain MYCHAIN key 1 key-string ABCDEF ABCDEF accept-lifetime local 12:00:00 Dec :00:00 Jan send-lifetime local 00:00:00 Jan :59:59 Dec No crypto maps, no ISAKMP: transport mode with static session keys 12

13 BGP Route Filters Pretty obvious for customer links For peering, a relaxed one For Your Reference ipv6 prefix-list RELAX deny 3ffe::/16 le 128 ipv6 prefix-list RELAX deny 2001:db8::/32 le 128 ipv6 prefix-list RELAX permit 2001::/32 ipv6 prefix-list RELAX deny 2001::/32 le 128 ipv6 prefix-list RELAX permit 2002::/16 ipv6 prefix-list RELAX deny 2002::/16 le 128 ipv6 prefix-list RELAX deny 0000::/8 le 128 ipv6 prefix-list RELAX deny fe00::/9 le 128 ipv6 prefix-list RELAX deny ff00::/8 le 128 ipv6 prefix-list RELAX permit 2000::/3 le 48 ipv6 prefix-list RELAX deny 0::/0 le 128 Source: 13

14 Link-Local Addresses vs. Global Addresses Link-Local addresses, fe80::/10, (LLA) are isolated Cannot reach outside of the link Cannot be reached from outside of the link Could be used on the infrastructure interfaces Routing protocols (inc BGP) work with LLA Benefit: no remote attack against your infrastructure: implicit infrastructure ACL Note: need to provision loopback for ICMP generation (notably traceroute and PMTUD) See also: draft-ietf-opsec-lla-only LLA can be configured statically (not the EUI-64 default) to avoid changing neighbor statements when changing MAC interface FastEthernet 0/0 ipv6 address fe80::1/64 link-local 14

15 Control Plane: Neighbor Discovery

16 Scanning Made Bad for CPU Remote Neighbor Cache Exhaustion RFC 6583 Potential router CPU/memory attacks if aggressive scanning Router will do Neighbor Discovery... And waste CPU and memory Local router DoS with NS/RS/ NS: 2001:db8::3 NS: 2001:db8::2 NS: 2001:db8::1 NS: 2001:db8::3 NS: 2001:db8::2 NS: 2001:db8::1 NS: 2001:db8::3 NS: 2001:db8::2 NS: 2001:db8::1 2001:db8::/64 16

17 Mitigating Remote Neighbor Cache Exhaustion Built-in rate limiter with options to tune it Since 15.1(3)T: ipv6 nd cache interface-limit Or IOS-XE 2.6: ipv6 nd resolution data limit Destination-guard is part of First Hop Security phase 3 Priority given to refresh existing entries vs. discovering new ones (RFC 6583) Using a /64 on point-to-point links => a lot of addresses to scan! Using /127 could help (RFC 6164) Internet edge/presence: a target of choice Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only Using infrastructure ACL prevents this scanning iacl: edge ACL denying packets addressed to your routers Easy with IPv6 because new addressing scheme can be done 17

18 Simple Fix for Remote Neighbor Cache Exhaustion Ingress ACL allowing only valid destination and dropping the rest NDP cache & process are safe Requires DHCP or static configuration of hosts NS: 2001:db8::1 NA: 2001:db8::1 2001:db8::/64 18

19 ARP Spoofing is now NDP Spoofing: Threats ARP is replaced by Neighbor Discovery Protocol Nothing authenticated Static entries overwritten by dynamic ones Stateless Address Autoconfiguration rogue RA (malicious or not) All nodes badly configured DoS Traffic interception (Man In the Middle Attack) Attack tools exist (from THC The Hacker Choice) Parasit6 Fakerouter

20 ARP Spoofing is now NDP Spoofing: Mitigation GOOD NEWS: dynamic ARP inspection for IPv6 is available First phase (Port ACL & RA Guard) available since Summer 2010 Second phase (NDP & DHCP snooping) starting to be available since Summer first_hop_security.html (Kind of ) GOOD NEWS: Secure Neighbor Discovery SeND = NDP + crypto IOS 12.4(24)T But not in Windows Vista, 2008 and 7, Mac OS/X, ios, Android Crypto means slower... Other GOOD NEWS: Private VLAN works with IPv6 Port security works with IPv6 IEEE 801.X works with IPv6 (except downloadable ACL) BRKSEC

21 RA Mitigating Rogue RA: Host Isolation Prevent Node-Node Layer-2 communication by using: Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port) WLAN in AP Isolation Mode 1 VLAN per host (SP access network with Broadband Network Gateway) Link-local multicast (RA, DHCP request, etc) sent only to the local official router: no harm Can break DAD Advertise the SLAAC prefix without the on-link bit to force router to do proxy-nd RA Promiscuous Port RA R A RA Isolated Port 21

22 Secure Neighbor Discovery (SeND) RFC 3971 Cryptographically Generated Addresses (CGA) IPv6 addresses whose interface identifiers are cryptographically generated RSA signature option Protect all messages relating to neighbor and router discovery Timestamp and nonce options Prevent replay attacks Certification paths for authorized Routers Anchored on trusted parties, expected to certify the authority of the routers on some prefixes Requires IOS 12.4(24)T Not available on host OS (Windows, OS/X, Android, ios, ) 22

23 Securing Link Operations: First Hop Trusted Device Advantages central administration, central operation Complexity limited to first hop Transitioning lot easier Efficient for threats coming from the link Efficient for threats coming from outside Disadvantages Applicable only to certain topologies Requires first-hop to learn about end-nodes First-hop is a bottleneck and single-point of failure Certificate server Time server 23

24 RA First Hop Security: RAguard since 2010 Port ACL blocks all ICMPv6 RA from hosts interface FastEthernet0/2 ipv6 traffic-filter ACCESS_PORT in access-group mode prefer port RA-guard lite (12.2(33)SXI4 & 12.2(54)SG ): also dropping all RA received on this port interface FastEthernet0/2 ipv6 nd raguard access-group mode prefer port RA-guard (12.2(50)SY, 15.0(2)SE) ipv6 nd raguard policy HOST device-role host ipv6 nd raguard policy ROUTER device-role router ipv6 nd raguard attach-policy HOST vlan 100 interface FastEthernet0/0 ipv6 nd raguard attach-policy ROUTER RA ROUTER Device-role RA R A RA HOST Device-role 24

25 IPv6 and the LAN Access IPv6 FHS RA Guard DHCP Guard C6K C4K C3K C2K WLC 12.2(50)SY and 15.0(1)SY 12.2(54)SG 15.0(2)SE 15.0(2)SE (1)SY XE 3.4.xSG 15.1(2)SG 15.0(2)SE 15.0(2)SE 7.2 Binding Integrity Guard 15.2(1)SY XE 3.4.xSG 15.1(2)SG 15.0(2)SE 15.0(2)SE 7.2 Source Guard TO BE UPDATED SHORTLY BEFORE THE EVENT Destination Guard 15.2(1)SY 15.2(1)SY XE 3.5.0E 15.2(1)E XE 3.4.xSG 15.1(2)SG 15.0(2)SE 15.0(2)SE (2)SE 15.0(2)SE

26 CPE to CPE Communication IPv4 vs. IPv6 SP want to inspect/bill all user to user traffic IPv4 WAN addresses must communicate (NAT ) Usually in the same layer 2 domain tricks to force traffic to BNG IPv6 WAN addresses have no reason to communicate IPv6 LAN addresses must communicate BNG inspection is easy: this is routed traffic 2001:db8:bad::/64 Eric s CPE 2001:db8:café::/64 SP Broadband Network Gateway /24 Ole s CPE / / :db8:babe::/64 26

27 Control Plane Protection

28 Control Plane Policing for IPv6 Protecting the Router CPU For Your Reference Against DoS with NDP, Hop-by-Hop, Hop Limit Expiration... Software routers (ISR, 7200): works with CoPPr (CEF exceptions) See also RFC 6192 policy-map COPPr class ICMP6_CLASS police 8000 class OSPF_CLASS police class class-default police 8000! control-plane cef-exception service-policy input COPPr 28

29 Control Plane Policing for IPv6 Protecting the Router CPU For Your Reference Cat 6K & 7600 with Sup720 IPv6 shares mls rate-limit with IPv4 for NDP & HL expiration mls rate-limit all ttl-failure 1000 mls rate-limit unicast cef glean 1000 Cat 6K with Sup-2T (IOS 12.2(50)SY) IPv6 shares class-copp-ttl-fail and class-copp-options with IPv4 platform rate-limit... show platform hardware statistics show platform qos IPv

30 Data Plane

31 DoS Example Ping-Pong over Physical Point-to-Point Same as in IPv4, on real P2P without NDP, if not for me, then send it on the other side... Could produce looping traffic Classic IOS and IOS-XE platforms implement RFC 4443 so this is not a threat Except on 76xx see CSCtg00387 (tunnels) and few others IOS-XR see CSCsu62728 Else use /127 on P2P link (see also RFC 6164) Or use infrastructure ACL or only link-local addresses R1 2) To 2001:db8::3 Serial 0/0 2001:db8::1/64 3) To 2001:db8::3 Serial 0/0 2001:db8::2/64 R2 4) To 2001:db8::3... 5) To 2001:db8::3 31

32 IPv6 Bogon and Anti-Spoofing Filtering IPv6 nowadays has its bogons: Anti-spoofing in IPv6 same as IPv4 => Same technique for single-homed edge= urpf IPv6 Intranet Inter-Networking Device with urpf Enabled X IPv6 Intranet/Internet IPv6 Unallocated Source Address No Route to SrcAddr => Drop 32

33 IPv6 urpf and Cisco Devices The Theory-Practice Gap Supported everywhere except: 7600 & Cat 6K Sup720/32: no IPv6 urpf at all Sup 2T is OK Cat 3750: no urpf at all GSR 12K only strict mode only with Engine 5, other engines urpf not supported requires IOS 12.0(31)S or IOS-XR rls 2.1 ASR 5K ASR 9K requires release TO BE UPDATED SHORTLY BEFORE THE EVENT 33

34 Bogons Filtering Detailed & updated list at: Or simpler but more relaxed ipv6 access-list NO_BOGONS remark Always permit ICMP unreachable (Path MTU Discovery & co) permit icmp any any unreachable remark Permit only large prefix blocks from IANA permit ip 2001::/16 any permit ip 2002::/16 any permit ip 2003::/18 any permit ip 2400::/12 any permit ip 2600::/10 any permit ip 2800::/12 any permit ip 2a00::/12 any permit ip 2c00::/12 any Remark implicit deny at the end (but see later) Source: 34

35 Remote Triggered Black Hole RFC 5635 RTBH is easy in IPv6 as in IPv4 urpf is also your friend for blackholing a source RFC 6666 has a specific discard prefix 100::/64 Source: Wikipedia Commons 35

36 Cisco IOS IPv6 Extended Access Control Lists Very much like in IPv4 Filter traffic based on Source and destination addresses Next header presence Layer 4 information Implicit deny all at the end of ACL Empty ACL means traffic allowed Reflexive and time based ACL Known extension headers (HbH, AH, RH, MH, destination, fragment) are scanned until: Layer 4 header found Unknown extension header is found Side note for 7600 & other switches: VLAN ACL only in 15.0(1)SY Port ACL on Nexus-7000, Cat 3750 (12.2(46)SE), Cat 4K (12.2(54)SG), Cat 6K (12.2(33)SXI4) See also:

37 IOS IPv6 Extended ACL Can match on Upper layers: TCP, UDP, SCTP port numbers, ICMPv6 code and type TCP flags SYN, ACK, FIN, PUSH, URG, RST Traffic class (only six bits/8) = DSCP, Flow label (0-0xFFFFF) IPv6 extension header routing matches any RH, routing-type matches specific RH mobility matches any MH, mobility-type matches specific MH dest-option matches any destination options auth matches AH hbh matches hop-by-hop (since 15.2(3)T) fragments keyword matches Non-initial fragments undetermined-transport keyword does not match TCP/UDP/SCTP and ports are in the fragment ICMP and type and code are in the fragment Everything else matches (including OSPFv3, ) Only for deny ACE Check your platform & release as your mileage can vary 37

38 Parsing the Extension Header Chain Finding the layer 4 information is not trivial in IPv6 Skip all known extension header Until either known layer 4 header found => MATCH Or unknown extension header/layer 4 header found... => NO MATCH IPv6 hdr HopByHop Routing AH TCP data IPv6 hdr HopByHop Routing AH Unknown L4??? 38

39 IOS-XR IPv6 Extended ACL 2nd & subsequent fragments are always permitted by default Except if denied by an ACE with fragment 1st fragment without layer-4 does not match any ACE Undetermined-transport keyword does not exist Header extension parsing is in µcode, no limit in the header chain length (except a very minor impact on the performance) 39

40 Example: Rogue RA & DHCP Port ACL For Your Reference ipv6 access-list ACCESS_PORT remark drop all weird fragments deny ip any any undetermined-transport remark Block all traffic DHCP server -> client deny udp any eq 547 any eq 546 remark Block Router Advertisements deny icmp any any router-advertisement permit any any Interface gigabitethernet 1/0/1 switchport ipv6 traffic-filter ACCESS_PORT in Note: PACL replaces RACL for the interface 40

41 Equivalent ICMPv6 RFC 4890: Border Firewall Transit Policy Internet Internal Server A For Your Reference Action Src Dst ICMPv6 Type ICMPv6 Code Name Permit Any A Echo Reply Permit Any A Echo Request Permit Any A 1 0 No Route to Dst. Permit Any A 2 0 Packet Too Big Permit Any A 3 0 Time Exceeded TTL Exceeded Permit Any A 4 0 Parameter Problem 41

42 Potential Additional ICMPv6 RFC 4890: Border Firewall Receive Policy Internal Server A For Your Reference Internet Firewall B Action Src Dst ICMPv6 Type ICMPv6 Code Name Permit Any B 2 0 Packet too Big Permit Any B 4 0 Parameter Problem For locally generated traffic Permit Any B Multicast Listener Permit Any B 135/136 0 Neighbor Solicitation and Advertisement Deny Any Any 42

43 IPv6 ACL Implicit Rules Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery: permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any Nexus 7000 also allows RS & RA Be careful when adding «deny ipv6 any any log» at the end permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any log 43

44 Example: RFC 4890 ICMP ACL For Your Reference ipv6 access-list RFC4890 permit icmp any any echo-reply permit icmp any any echo-request permit icmp any any 1 3 permit icmp any any 1 4 permit icmp any any packet-too-big permit icmp any any time-exceeded permit icmp any any parameter-problem permit icmp any any mld-query permit icmp any any mld-reduction permit icmp any any mld-report permit icmp any any nd-na permit icmp any any nd-ns permit icmp any any router-solicitation 44

45 Example: Generic ACL on PE-CE or Peering ipv6 access-list SIMPLE remark To be reviewed for potential customization (e.g. use of ULA) remark Drop evil routing header type 0 deny ipv6 any any routing-type 0 remark allow DAD permit IPv6 host :: 2000::/3 permit IPv6 host :: FE80::/10 remark Allow unicast global to other valid destinations permit ipv6 2000::/3 2000::/3 permit ipv6 2000::/3 FE80::/10 permit ipv6 2000::/3 FF00::/8 remark Allow link-local to other valid destinations permit ipv6 FE80::/64 FE80::/64 permit ipv6 FE80::/64 FF02::/10 permit ipv6 FE80::/ ::/3 remark Catch-up deny ipv6 any any For Your Reference 45

46 Summary of Cisco IPv6 Security Products ASA Firewall Since version 7.0 (released 2005) Flexibility: Dual stack, IPv6 only, IPv4 only SSL VPN for IPv6 over IPv4 (ASA 8.0) over IPv6 (ASA 9.0) Stateful-Failover (ASA 8.2.2) Extension header filtering and inspection (ASA 8.4.2) Dual-stack ACL & object grouping (ASA 9.0) ASA-SM Leverage ASA code base, same features ;-) 16 Gbps of IPv6 throughput IOS Firewall IOS 12.3(7)T (released 2005) Zone-based firewall on IOS-XE 3.6 (2012) IPS Since 6.2 (released 2008) Security Appliance (ESA) under beta testing since 2010, IPv6 support since (May 2012) Web Security Appliance (WSA) with explicit proxy then transparent mode, work in progress Cisco Cloud Web Security (ScanSafe) work in progress Will need to work on Source Fire of course before final upload BRKSEC

47 Looping Attack Between 6to4 and ISATAP (RFC 6324) 1. Spoofed packet S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1 6to4 relay IPv4 Packet containing S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1 ISATAP router Prefix 2001:db8::/ IPv6 packet S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1 Repeat until Hop Limit == 0 Root cause Same IPv4 encapsulation (protocol 41) Different ways to embed IPv4 address in the IPv6 address ISATAP router: accepts 6to4 IPv4 packets Can forward the inside IPv6 packet back to 6to4 relay Symmetric looping attack exists Mitigation: Easy on ISATAP routers: deny packets whose IPv6 is its 6to4 Less easy on 6to4 relay: block all ISATAP-like local address? Good news: not so many open ISATAP routers on the Internet Do not announce the 6to4 relay address outside of your AS and accepts protocol-41 packets only from your AS 47

48 6to4/6rd Tunnels Bypass Centralized ACL 6to4/6rd relay IPv6 Internet ACL tunnel IPv4 6to4/6rd router Direct tunneled traffic ignores hub ACL 6to4/6rd router 6rd CPE router can be configured to always go through hub Direct CPE-CPE communication must then be forbidden by IPv4 network 48

49 6rd Relay Security Issues 6rd is more constrained than 6to4, hence more secure IPv4 ACL (or IPv4 routing) can limit the 6rd packets to the 6rd domain within the ISP No more open relay No more looping attacks 49

50 Secure IPv6 over IPv4/6 Public Internet No traffic sniffing No traffic injection No service theft Public Network Site 2 Site Remote Access IPv4 6in4/GRE Tunnels Protected by IPsec ISATAP Protected by RA IPsec DMVPN 12.4(20)T SSL VPN Client AnyConnect IPv6 IPsec VTI 12.4(6)T DMVPN 15.2(1)T AnyConnect 3.1 & ASA 9.0 BRKSEC BRKSEC BRKSEC

51 Telemetry IPv6 security is similar to IPv4 security No excuse to operate an insecure IPv6 network

52 Available Tools Usually IPv4 telemetry is available SNMP MIB Not always available yet on Cisco gears Flexible Netflow for IPv6 Available in : 12.4(20)T, 12.2(33)SRE Public domain tools: nfsen, 52

53 Cisco IOS IPv6 MIB Implementation For Your Reference IP FWD (ROUTES) IP ICMP TCP UDP Original IPv4 only IPv6 only Cisco-ized PVI (subset of early PVI drafts under Cisco enterprise OID) Protocol Version Independent (PVI) Cisco-ized subset of ID-00 rfc2096-update rfc2096-update = 4292 Cisco-ized subset of ID-00 rfc2011-update rfc2011-update = 4293 rfc2012-update = 4022 rfc2013-update = 4113 IPv4/IPv6 stats can be monitored from CLI show interface accounting on most platforms RFC 4292 and 4293 Interface Stats table are added, also required HW support Tunnel MIB (RFC 4087) on 12.2(33)SRB 53

54 Flexible NetFlow with Traditional Flow Record For Your Reference flow exporter FLOW-EXPORTER destination 2001:db8::1 <<< IPv6 is supported now source FastEthernet0/1 transport udp 3000 template data timeout 60 flow monitor FLOW-MONITOR record netflow ipv6 original-output exporter FLOW-EXPORTER statistics packet protocol statistics packet size interface GigEthernet0/15 ipv6 flow monitor FLOW-MONITOR output 54

55 Flexible Flow Record: IPv6 Key Fields For Your Reference IPv6 IP (Source or Destination) Prefix (Source or Destination) Mask (Source or Destination) Minimum-Mask (Source or Destination) Protocol Traffic Class Flow Label Option Header Header Length Payload Length Payload Size Packet Section (Header) Packet Section (Payload) DSCP Extension Hop-Limit Length Next-header Version Routing Destination AS Peer AS Traffic Index Forwarding Status Is-Multicast IGP Next Hop BGP Next Hop Flow Sampler ID Direction Interface Input Output Transport Destination Port Source Port ICMP Code ICMP Type IGMP Type TCP ACK Number TCP Header Length TCP Sequence Number TCP Window-Size TCP Source Port TCP Destination Port TCP Urgent Pointer TCP Flag: ACK TCP Flag: CWR TCP Flag: ECE TCP Flag: FIN TCP Flag: PSH TCP Flag: RST TCP Flag: SYN TCP Flag: URG UDP Message Length UDP Source Port UDP Destination Port 55

56 Netflow Reverse Usage Scanning an IPv6 network is impossible (address space too large) How can we run a security audit? Easy Get all IPv6 addresses from Netflow Note: scanning link-local addresses requires layer-2 adjacency, i.e. Ping6 ff02::1 56

57 Cisco Network Analysis Modules (NAM) Service Modules for C6K, C7600 and ISR Release 3.x include IPv6 Network Management capabilities IPv6 monitoring and decodes with NAM Can set up alarms with IPv6 addresses Can configure an easy IPv6 capture filter and IPv6- historical reports 57

58 Vulnerability Scanning in a Dual-Stack World Finding all hosts: Address enumeration does not work for IPv6 Need to rely on DNS or NDP caches or NetFlow Vulnerability scanning IPv4 global address, IPv6 global address(es) (if any), IPv6 link-local address Some services are single stack only (currently mostly IPv4 but who knows...) Personal firewall rules could be different between IPv4/IPv6 IPv6 vulnerability scanning MUST be done for IPv4 & IPv6 even in an IPv4-only network IPv6 link-local addresses are active by default 58

59 Forensic

60 Multiple Facets to IPv6 Addresses Every host can have multiple IPv6 addresses simultaneously Need to do correlation! Alas, no Security Information and Event Management (SIEM) supports IPv6 Usually, a customer is identified by its /48 Every IPv6 address can be written in multiple ways 2001:0DB8:0BAD::0DAD 2001:DB8:BAD:0:0:0:0:DAD 2001:db8:bad::dad (this is the canonical RFC 5952 format) => Grep cannot be used anymore to sieve log files 60

61 Perl to Canonical IPv6 Addresses #!/usr/bin/perl w use strict ; use Socket ; use Socket6 ; For Your Reference my (@words, $word, $binary_address) ; ## go through the file one line at a time while (my $line = <STDIN>) = split /[ \n]/, $line ; foreach $word (@words) { $binary_address = inet_pton AF_INET6, $word ; if ($binary_address) { print inet_ntop AF_INET6, $binary_address ; } else { print $word ; } print " " ; } print "\n" ; } 61

62 Perl Grep6 #!/usr/bin/perl w use strict ; use Socket ; use Socket6 ; For Your Reference my (@words, $word, $binary_address, $address) ; $address = inet_pton AF_INET6, $ARGV[0] ; if (! $address) { die "Wrong IPv6 address passed as argument" ; } ## go through the file one line at a time while (my $line = <STDIN>) = split /[ \n\(\)\[\]]/, $line ; foreach $word (@words) { $binary_address = inet_pton AF_INET6, $word ; if ($binary_address and $binary_address eq $address) { print $line ; next ; } } } 62

63 How to Find the MAC Address of an IPv6 Address? Easy if EUI-64 format as MAC is embedded 2001:db8::0226:bbff:fe4e:9434 (need to toggle bit 0x20 in the first MAC byte = U/L) Is 00:26:bb:4e:94:34 63

64 How to Find the MAC Address of an IPv6 Address? DHCPv6 address or prefix the client DHCP Unique ID (DUID) can be MAC address: trivial Time + MAC address: simply take the last 6 bytes Vendor number + any number: no luck next slide can help No guarantee of course that DUID includes the real MAC address. # show ipv6 dhcp binding Client: FE80::225:9CFF:FEDC:7548 DUID: A00259CDC7548 Username : unassigned Interface : FastEthernet0/0 IA PD: IA ID 0x B, T , T Prefix: 2001:DB8:612::/48 preferred lifetime 3600, valid lifetime 3600 expires at Nov :22 PM (369) 64

65 DHCPv6 in Real Live Not so attractive Only supported in Windows Vista, and Windows 7, Max OS/X Lion Not in Linux (default installation), Windows Vista does not place the used MAC address in DUID but any MAC address of the PC # show ipv6 dhcp binding Client: FE80::FDFA:CB28:10A9:6DD0 DUID: DB0EA6001E33814DEE Username : unassigned IA NA: IA ID 0x F, T1 300, T2 480 Address: 2001:DB8::D09A:95CA:6918:967 Actual MAC address: f preferred lifetime 600, valid lifetime 600 expires at Oct :02 PM (554 seconds) 65

66 How to Find the MAC Address of an IPv6 Address? Last resort look in the live NDP cache (CLI or SNMP) #show ipv6 neighbors 2001:DB8::6DD0 IPv6 Address Age Link-layer Addr State Interface 2001:DB8::6DD f STALE Fa0/1 If no more in cache, then you should have scanned and saved the cache EEM can be your friend First-Hop Security phase II can generate a syslog event on each new binding ipv6 neighbor binding logging 66

67 Lawful Intercept

68 Which Target? Target could be Host address /128: probably very rare Subscriber prefix /48 or /56 Layer-2 address (MAC address) Circuit PPP session Content of 6RD/MAP-T/DS-lit tunnel by intercepting the external addresses Targets based not based on IPv6 addresses are as usual and can be done as usual from a SP perspective Of course mediation device & LEA must understand IPv6 68

69 Summary

70 Our journey... Management Plane Control Plane Routing Information Neighbor Discovery Control Plane Protection Data Plane Anti-spoofing Access Control List Tunnel loops Telemetry Forensic Lawful Intercept Summary 70

71 Key Takeaway /1 Management plane Protect management plane with access-class Control plane Authenticate IGP Consider the use of link-local on P-P links? Mitigate rogue-ra with RA-guard Configure control plane policing Data plane Beware of ping-pong on not /127 real P2P link Apply anti-spoofing, anti-bogons Disable source routing Use ACL where applicable ACL must permit NDP 71

72 Key Takeaway /2 Telemetry SNMP MIB and Netflow v9 are your friends Netflow can be used for inventory Forensic Multiple addresses per node, multiple ways to write an IPV6 address Finding MAC address from IPv6: EUI-64, DHCPv6 (not so trivial) else periodic NDP cache dumps... Lawful Interception implemented, missing mediation device 72

73 Conclusion As expected IPv6 secure operations are quite similar to IPv4 Main differences at layer 2 Tunnels complicate everything Lack of correlation tools 73

74 Call to Action Visit the World of Solutions:- Cisco Campus Walk-in Labs Technical Solutions Clinics Meet the Engineer Lunch Time Table Topics, held in the main Catering Hall Recommended Reading: For reading material and further resources for this session, please visit 74

75 Complete Your Online Session Evaluation Complete your online session evaluation Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt 75

76 Questions and Answers?

77 List of Acronyms For Your Reference 6rd: 6 Rapid Deployment AAA: Authentication, Authorization, Accounting CGA: Cryptographically Generated Address DUID: DHCP Unique ID EUI-64: Extended Unique ID IPSec: IP Security ISATAP: Intra-Site Automatic Tunnel Addressing Protocol LEA: Law Enforcement Agency LLA: Link-Local Address MD5: Message Digest 5 NDP: Neighbor Discovery Protocol PIM: Protocol Independent Multicast PMTUD: Path MTU Discovery RA: Router Advertisement RIPng: Routing Information Protocol Next Generation SEND: Secure Neighbor Discovery SSH: Secure SHell 77

78 IETF OPSEC Working Group 78

79 Recommended Reading 79

80