The Layer-2 Security Issues and the Mitigation

Similar documents
The Layer-2 Insecurities of IPv6 and the Mitigation Techniques

Advanced IPv6 Security: Securing Link- Operations at the First Hop

Eric Vyncke, Distinguished Engineer, 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

IPv6 Snooping. Finding Feature Information. Restrictions for IPv6 Snooping

IPv6 Snooping. Finding Feature Information. Restrictions for IPv6 Snooping

Configuring IPv6 First-Hop Security

Eric Vyncke, Distinguished Engineer, 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

Configuring Wireless Multicast

IPv6 Security: Threats and Mitigation

IPv6 Client IP Address Learning

Guide to TCP/IP Fourth Edition. Chapter 6: Neighbor Discovery in IPv6

TD#RNG#2# B.Stévant#

Advances in Routing BRKRST Cisco Public BRKRST Cisco and/or its affiliates. All rights reserved.

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

Remember Extension Headers?

IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering

Chapter 5. Security Components and Considerations.

IPv6 First-Hop Security Binding Table

IPv6 Security Course Preview RIPE 76

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

IETF Update about IPv6

SECURE ROUTER DISCOVERY MECHANISM TO OVERCOME MAN-IN THE MIDDLE ATTACK IN IPV6 NETWORK

Basic L2 and L3 security in Campus networks. Matěj Grégr CNMS 2016

How to Securely Operate an IPv6 Network

IPv6 Neighbor Discovery

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL Marc Heuse

IPv6 Security Threats and #CLEUR BRKSEC Eric Vyncke

IPv6 Neighbor Discovery

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

ERNW WHITEPAPER 62 RA GUARD EVASION REVISITED

DELVING INTO SECURITY

Recent IPv6 Security Standardization Efforts. Fernando Gont

IPv6 Neighbor Discovery

IPv6 Security Fundamentals

Secure Neighbor Discovery. By- Pradeep Yalamanchili Parag Walimbe

IPv6 Neighbor Discovery

The Netwok Layer IPv4 and IPv6 Part 2

Configuring IPv6 basics

IPv6 Neighbor Discovery

Juniper Netscreen Security Device. How to Enable IPv6 Page-51

Basic Attacks and Mitigation Strategies

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

IPv6 Security Threats and Mitigations

IPv6 Security Safe, Secure, and Supported.

Cisco Support Community Expert Series Webcast

Insights on IPv6 Security

IPv6 Access Control Lists

IPv6 ND Configuration Example

IPv6 Protocol Architecture

IPv6 migration challenges and Security

Introduction to IPv6 - II

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

A Border Gateway Protocol 3 (BGP-3) DNS Extensions to Support IP version 6. Path MTU Discovery for IP version 6

IPv6 Stateless Autoconfiguration

HP 3600 v2 Switch Series

Operation Manual IPv6 H3C S3610&S5510 Series Ethernet Switches Table of Contents. Table of Contents

IPv6 Protocol & Structure. npnog Dec, 2017 Chitwan, NEPAL

HPE FlexFabric 5940 Switch Series

Internet Protocol v6.

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

Configuration Examples for DHCP, on page 37 Configuration Examples for DHCP Client, on page 38 Additional References for DHCP, on page 38

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

HP 6125 Blade Switch Series

The Study on Security Vulnerabilities in IPv6 Autoconfiguration

IPv6 Commands: d to im

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

Networking Potpourri: Plug-n-Play, Next Gen

Completing Interface Configuration (Transparent Mode)

Internet Control Message Protocol

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

Selected Network Security Technologies

A SAVI Solution for DHCP. Jun Bi, Jianping Wu, Guang Yao, Fred Baker draft ietf savi dhcp 01(02).txt IETF77, Anaheim Mar

H3C S6800 Switch Series

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

IPv6 Security. 15 August

Wireless Client Isolation. Overview. Bridge Mode Client Isolation. Configuration

IPv6 Commands: d to im

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

DHCPv6 Overview 1. DHCPv6 Server Configuration 1

IPv6 Bootcamp Course (5 Days)

H3C S5120-EI Switch Series

Configuring Interfaces (Transparent Mode)

Table of Contents 1 IPv6 Basics Configuration 1-1

ipv6 hello-interval eigrp

HP A5830 Switch Series Layer 3 - IP Services. Configuration Guide. Abstract

Internet Engineering Task Force (IETF) Category: Standards Track. J. Halpern Ericsson E. Levy-Abegnoli, Ed. Cisco February 2017

Rocky Mountain IPv6 Summit April 9, 2008

HPE ArubaOS-Switch IPv6 Configuration Guide YA/YB.16.02

Implementing Firewall Technologies

IPv6 Multicast Listener Discovery Protocol

Insights on IPv6 Security

IPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

Configuring IPv6 for Gigabit Ethernet Interfaces

IPv6 Security János Mohácsi IPv6 workshop, Skopje June 2011

Network Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018

IPv6 maintenance Working Group (6man) Updates: 3971, 4861 (if approved) January 12, 2012 Intended status: Standards Track Expires: July 15, 2012

Introduction to IPv6

Transcription:

The Layer-2 Security Issues and the Mitigation Techniques Eric Vyncke Cisco Distinguished Engineer evyncke@cisco.com Eric.Vyncke@ipv6council.be Eric.Vynce@ulg.ac.be 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

Attacker Layer-7 Data and services Layer-2 Firewall Courtesy of Curt Smith 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 2

Router Advertisements contains: - Prefix to be used by hosts - Data-link layer address of the router - Miscellaneous options: MTU, DHCPv6 use, RA w/o Any Authentication Gives Exactly Same Level of Security as DHCPv4 (None) MITM DoS 1. RS 2. RA 2. RA 1. RS: Data = Query: please send RA 2. RA: Data= options, prefix, lifetime, A+M+O flags 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Where Routers Hosts Routers & Hosts Switch (First Hop) Switch (First Hop) Switch (First Hop) What Increase legal router preference Disabling Stateless Address Autoconfiguration SeND Router Authorization Host isolation Port Access List (PACL) RA Guard 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

RFC 3972 Cryptographically Generated Addresses (CGA) IPv6 addresses whose interface identifiers are cryptographically generated from node public key SeND adds a signature option to Neighbor Discovery Protocol Using node private key Node public key is sent in the clear (and linked to CGA) Very powerful If MAC spoofing is prevented But, not a lot of implementations: Cisco IOS, Linux, some H3C, third party for Windows (from Hasso-Plattner-Institut in Germany!) 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 6 Clipart from Clipartheaven.com

Prevent Node-Node Layer-2 communication by using: Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port) Promiscuous Port WLAN in AP Isolation Mode 1 VLAN per host (SP access network with Broadband Network Gateway) RA RA Isolated Port Link-local multicast (RA, DHCP request, etc) sent only to the local official router: no harm RA RA RA 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

Port ACL blocks all ICMPv6 RA from hosts interface FastEthernet0/2 ipv6 traffic-filter ACCESS_PORT in access-group mode prefer port RA RA-guard lite (12.2(33)SXI4 & 12.2(54)SG ): also dropping all RA received on this port interface FastEthernet0/2 ipv6 nd raguard access-group mode prefer port RA-guard (12.2(50)SY) ipv6 nd raguard policy HOST device-role host ipv6 nd raguard policy ROUTER device-role router ipv6 nd raguard attach-policy HOST vlan 100 interface FastEthernet0/0 ipv6 nd raguard attach-policy ROUTER RA RA RA RA 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 8

host? Configuration- based Learning-based Challenge-based Verification succeeded? I am the default gateway Router Advertisement Option: prefix(s) Bridge RA Switch selectively accepts or rejects RAs based on various criteria s Can be ACL based, learning based or challenge (SeND) based. Hosts see only allowed RAs, and RAs with allowed content 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

IPv6 hdr HopByHop Routing Fragment1 Destination IPv6 hdr HopByHop Routing Fragment2 TCP Data Layer 4 header is in 2 nd fragment 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

IPv6 hdr HopByHop Routing Fragment1 Destination IPv6 hdr HopByHop Routing Fragment2 Destination ICMP type=134 ICMP header is in 2 nd fragment, RA Guard has no clue where to find it! 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

Pretty much like RA: no authentication Any node can steal the IP address of any other node Impersonation leading to denial of service or MITM Requires layer-2 adjacency IETF SAVI Source Address Validation Improvements (work in progress) 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

Where Routers & Hosts Routers & Hosts Switch (First Hop) Switch (First Hop) What configure static neighbor cache entries Use CryptoGraphic Addresses (SeND CGA) Host isolation Address watch Glean addresses in NDP and DHCP Establish and enforce rules for address ownership 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 14

If a switch wants to enforce the mappings < IP address, MAC address> how to learn them? Multiple source of information SeND: verify signature in NDP messages, then add the mapping DHCP: snoop all messages from DHCP server to learn mapping (same as in IPv4) NDP: more challenging, but first come, first served The first node claiming to have an address will have it 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

H1 H2 H3 NS [IP source=a 1, LLA=MAC H1 ] Binding table ADR MAC VLAN IF A 1 MAC H1 100 P1 A 21 MAC H2 100 P2 A 22 MAC H2 100 P2 A 3 MAC H3 100 P3 DHCPserver REQUEST [XID, SMAC = MAC H2 ] REPLY[XID, IP=A 21, IP=A 22 ] data [IP source=a 3, SMAC=MAC H3 ] DAD NS [IP source=unspec, target = A 3 ] DHCP LEASEQUERY NA [IP source=a 3, LLA=MAC H3 ] DHCP LEASEQUERY_REPLY 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

Binding table host Address glean Arbitrate collisions, check ownership Check against max allowed per box/vlan/port Record & report changes Valid? bridge Preference is a function of: configuration, learning method, credential provided Upon collision, choose highest preference (for instance static, trusted, CGA, DHCP preferred over dynamic, not_trusted, not_cga, SLACC) For collision with same preference, choose First Come, First Serve 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 17

2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

Remote Remote router CPU/memory DoS attack if aggressive scanning Router will do Neighbor Discovery... And waste CPU and memory Local router DoS with NS/RS/ NS: 2001:db8::3 NS: 2001:db8::2 NS: 2001:db8::1 NS: 2001:db8::3 NS: 2001:db8::2 NS: 2001:db8::1 2001:db8::1 NS: 2001:db8::3 NS: 2001:db8::2 NS: 2001:db8::1 2001:db8::/64 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 19

Mainly an implementation issue Rate limiter on a global and per interface Prioritize renewal (PROBE) rather than new resolution Maximum Neighbor cache entries per interface and per MAC address Internet edge/presence: a target of choice Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only Allocate and configure a /64 but uses addresses fitting in a /120 in order to have a simple ingress ACL Using a /64 on point-to-point links => a lot of addresses to scan! Using /127 could help (RFC 6164) 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

Ingress ACL allowing only valid destination and dropping the rest NDP cache & process are safe Requires DHCP or static configuration of hosts 2001:db8::1 NS: 2001:db8::1 NA: 2001:db8::1 2001:db8::/64 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 21

2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

Without a secure layer-2, there is no upper layer security Rogue Router Advertisement is the most common threat Mitigation techniques Host isolation Secure Neighbor Discovery: but not a lot of implementations SAVI-based techniques: discovery the right information and dropping RA/NA with wrong information Last remaining issue: (overlapped) fragments => drop all fragments Neighbor cache exhaustion Use good implementation Expose only a small part of the addresses and block the rest via ACL Products are now available implementing the techniques ;-) 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

For Your Reference IPv6 VLAN ACL & RA-Guard lite: 12.2(54)SG, 3.2.0SG, 15.0(2) SG, 12.2(33)SXI4 NDP inspection & RA-Guard: Cat 6K Sup 2T: 12.2(50)SY and 15.0(1)SY WLC: 7.2 7600: XE 7.0 Cat 2K/3K: 15.0(2)SE For more Information: http://www.cisco.com/en/us/docs/ios/ipv6/configuration/guide/ip6- roadmap.html http://www.cisco.com/en/us/docs/ios-xml/ios/ipv6/configuration/15-2mt/ ip6-first-hop-security.html 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 24

And a shameless plug 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

Thank you.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback