Security in an IPv6 World Myth & Reality

Similar documents
SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

IPv6 Security. Rocky Mountain IPv6 Summit. Scott Hogg. GTRI - Director of Advanced Technology Services CCIE #5133, CISSP #4610

Rocky Mountain ISSA Chapter April 5, IPv6 Security. Scott Hogg. Director of Advanced Technology Services - GTRI CCIE #5133, CISSP #4610

IPv6 Security Fundamentals

IPv6 Security Course Preview RIPE 76

IPv6 Bootcamp Course (5 Days)

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

IETF Update about IPv6

IPv6 Security: Threats and Mitigation

Insights on IPv6 Security

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

Juniper Netscreen Security Device. How to Enable IPv6 Page-51

TD#RNG#2# B.Stévant#

Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line

IPv4/v6 Considerations Ralph Droms Cisco Systems

IPv6 migration challenges and Security

Radware ADC. IPV6 RFCs and Compliance

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

Foreword xxiii Preface xxvii IPv6 Rationale and Features

Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL Marc Heuse

IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering

Insights on IPv6 Security

Network Management. IPv6 Bootcamp. Zhiyi Huang University of Otago

Chapter 7: IP Addressing CCENT Routing and Switching Introduction to Networks v6.0

IPv6 Implementation Best Practices For Service Providers

IPv6 Security Issues and Challenges

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

Configuring IPv6 for Gigabit Ethernet Interfaces

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

Rocky Mountain IPv6 Summit April 9, 2008

Configuring Mikrotik router with 3CX

"Charting the Course... IPv6 Bootcamp Course. Course Summary

IPv6 Protocol & Structure. npnog Dec, 2017 Chitwan, NEPAL

IPv6 Feature Facts

Configuring IPv6 First-Hop Security

Rocky Mountain IPv6 Summit April 9, 2008

OSI Data Link & Network Layer

IPv6 and IPv4: Twins or Distant Relatives

IPv6 Security: Oxymoron or Oxycodone? NANOG 60 Atlanta Paul Ebersman IPv6

IPv6 Technical Challenges

IPv6 Protocol Architecture

Transitioning to IPv6

Practical IPv6 for Windows Administrators

IPv6 Security awareness

Securing the Transition Mechanisms

Setup. Grab a vncviewer like: Or

IPv6 Neighbor Discovery

Chapter 5. Security Components and Considerations.

Guide to TCP/IP Fourth Edition. Chapter 11: Deploying IPv6

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

Control Plane Protection

IPv6 Security Safe, Secure, and Supported.

IPv6 Security for Broadband Access, Wireless and ISPs

IPv6 Client IP Address Learning

A Border Gateway Protocol 3 (BGP-3) DNS Extensions to Support IP version 6. Path MTU Discovery for IP version 6

Operation Manual IPv6 H3C S3610&S5510 Series Ethernet Switches Table of Contents. Table of Contents

MikroTik Security : The Forgotten Things

Configuring IPv6. Information About IPv6. Send document comments to CHAPTER

IPv6 for the InfoSec Pro On the Go. Allan Stojanovic University of Toronto #include disclaimer.h

Internet Protocol, Version 6

IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

Introduction to IPv6

Remember Extension Headers?

Introduction to IPv6 - II

Recent Advances in IPv6 Security. Fernando Gont

IPv6 Stateless Autoconfiguration

IPv6 ND Configuration Example

IPv6 Neighbor Discovery

IPv6 Deployment at ORNL

Internet Protocol Version 6: advanced features. The innovative aspects of IPv6

IPv6 Deployment at the University of Pennsylvania

Integrated Security 22

Workshop on Scientific Applications for the Internet of Things (IoT) March

IPv6 Security. Pedro Lorga - WALC 2006 (Quito, Ecuador July 06)

Recent IPv6 Security Standardization Efforts. Fernando Gont

Organization of Product Documentation... xi

Recent advances in IPv6 insecurities Marc van Hauser Heuse CCC Congress 2010, Berlin Marc Heuse

DHCPv6 OPERATIONAL ISSUES Tom Coffeen 4/7/2016

IPv6 Security. 15 August

Everything you need to know about IPv6 security I can manage in 30min. IPv6 Day Copenhagen November 2017

The OSI model of network communications

IPv6 It starts TODAY!

IPv6 Cyber Security Briefing May 27, Ron Hulen VP and CTO Cyber Security Solutions Command Information, Inc.

Hardening MikroTik RouterOS

A Practical (and Personal) Perspective on IPv6 for Servers. Geoff Huston June 2011

Planning for Information Network

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

IPv6 Addressing. There are three types of IPV6 Addresses. Unicast:Multicast:Anycast

IPv6 Transition Technologies (TechRef)

Table of Contents Chapter 1 Tunneling Configuration

The Layer-2 Insecurities of IPv6 and the Mitigation Techniques

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

MUM Lagos Nigeria Nov 28th IPv6 Demonstration By Mani Raissdana

Tutorial: IPv6 Technology Overview Part II

CCNA Questions/Answers IPv6. Select the valid IPv6 address from given ones. (Choose two) A. FE63::0043::11:21 B :2:11.1 C.

Recent Advances in IPv6 Security. Fernando Gont

IPv6 Deployment - Security Issues Thinking outside the NAT box

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. IPv6

Transcription:

Security in an IPv6 World Myth & Reality DGI Washington D.C. August 2014 Chris Grundemann

MYTH: IPv6 Has Security Designed In

MYTH: IPv6 Has Security Designed In IPSEC IS NOT NEW IPsec exists for IPv4 IPsec mandates in IPv6 are no guarantee of security

MYTH: IPv6 Has Security Designed In IPV6 WAS DESIGNED 15-20 YEARS AGO

Reality: Extension Headers http://www.cisco.com/en/us/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html

MYTH: IPv6 Has Security Designed In Routing Header Type 0 (RH0) Source Routing Deprecated in RFC 5095: The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-ofservice traffic.

MYTH: IPv6 Has Security Designed In Hop-by-Hop Options Header Vulnerable to low bandwidth DOS attacks Threat detailed in draft-krishnan-ipv6-hopbyhop

MYTH: IPv6 Has Security Designed In Extension Headers are vulnerable in general Large extension headers Lots of extension headers Invalid extension headers

MYTH: IPv6 Has Security Designed In Rogue Router Advertisements (RAs) Can renumber hosts Can launch a Man In The Middle attack Problem documented in RFC 6104 In this document, we summarise the scenarios in which rogue RAs may be observed and present a list of possible solutions to the problem.

MYTH: IPv6 Has Security Designed In Forged Neighbor Discovery messages ICMP Redirects just like IPv4 redirects

MYTH: IPv6 Has Security Designed In MANY ATTACKS ARE ABOVE OR BELOW IP Buffer overflows SQL Injection Cross-site scripting E-mail/SPAM (open relays)

NO IPv6 NAT Means Less Security

NO IPv6 NAT Means Less Security STATEFUL FIREWALLS PROVIDE SECURITY NAT can actually reduce security

IPv6 Networks are too Big to Scan

IPv6 Networks are too Big to Scan SLAAC - EUI-64 addresses (well known OUIs) Tracking! DHCPv6 sequential addressing (scan low numbers) 6to4, ISATAP, Teredo (well known addresses) Manual configured addresses (scan low numbers, vanity addresses) Exploiting a local node ff02::1 - all nodes on the local network segment IPv6 Node Information Queries (RFC 4620) Neighbor discovery Leveraging IPv4 (Metasploit Framework ipv6_neighbor ) IPv6 addresses leaked out by application-layer protocols (email)

IPv6 Networks are too Big to Scan PRIVACY ADDRESSES (RFC 4941) Privacy addresses use MD5 hash on EUI-64 and random number Often temporary rotate addresses Frequency varies Often paired with dynamic DNS (firewall state updates?) Makes filtering, troubleshooting, and forensics difficult Alternative: Randomized DHCPv6 Host: Randomized IIDs Server: Short leases, randomized assignments

IPv6 is too New to be Attacked

IPv6 is too New to be Attacked TOOLS ARE ALREADY AVAILABLE THC IPv6 Attack Toolkit IPv6 port scan tools IPv6 packet forgery tools IPv6 DoS tools

IPv6 is too New to be Attacked BUGS AND VULNERABILITIES PUBLISHED Vendors Open source software

IPv6 is too New to be Attacked Reality: Search for securityfocus.com inurl:bid ipv6

96 more bits, no magic (It s just like IPv4)

96 more bits, no magic (It s just like IPv4) IPV6 ADDRESS FORMAT IS DRASTICALLY NEW 128 bits vs. 32 bits Hex vs. Decimal Colon vs. Period Multiple possible formats (zero suppression, zero compression) Logging, grep, filters, etc.

96 more bits, no magic (It s just like IPv4) MULTIPLE ADDRESSES ON EACH HOST Same host appears in logs with different addresses

96 more bits, no magic (It s just like IPv4) SYNTAX CHANGES Training!

Configure IPv6 Filters Same AS IPv4

Configure IPv6 Filters Same As IPv4 DHCPV6 && ND INTRODUCE NUANCE Neighbor Discovery uses ICMP DHCPv6 message exchange: Solicit: [your link local]:546 -> [ff02::1:2]:547 Advertise: [upstream link local]:547 -> [your link local]:546 and two more packets, both between your link locals.

Reality: Example Firewall Filter (mikrotik) Flags: X - disabled, I - invalid, D - dynamic 0 ;;; Not just ping - ND runs over icmp6. chain=input action=accept protocol=icmpv6 in-interface=ether1-gateway 1 chain=input action=accept connection-state=established in-interface=ether1- gateway 2 ;;; related means stuff like FTP-DATA chain=input action=accept connection-state=related in-interface=ether1- gateway 3 ;;; for DHCP6 advertisement (second packet, first server response) chain=input action=accept protocol=udp src-address=fe80::/16 dstaddress=fe80::/16 in-interface=ether1-gateway dst-port=546 4 ;;; ssh to this box for management (note non standard port) chain=input action=accept protocol=tcp dst-address=[myaddr]/128 dstport=2222 5 chain=input action=drop in-interface=ether1-gateway

It supports IPv6

It supports IPv6 Reality: It probably doesn t Detailed requirements (RFP) RIPE-554 Lab testing Independent/outside verification

There are no IPv6 Security BCPs yet

There are no IPv6 Security BCPs yet THERE ARE! Perform IPv6 filtering at the perimeter Use RFC2827 filtering and Unicast RPF checks throughout the network Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used Use common access-network security measures (NAC/802.1X, disable unused switch ports, Ethernet port security, MACSec/TrustSec) because SeND won t be available any time soon Strive to achieve equal protections for IPv6 as with IPv4 Continue to let vendors know what you expect in terms of IPv6 security features

There are no IPv6 Security Resources

There are no IPv6 Security Resources THERE ARE! IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, 2009 Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology Deploy360 has a section specifically on IPv6 Security Search engines are your friend!

The Reality of Dual-Stack Two sets of filters Two sets of bugs IPv 4 IPv 6

Thank you! Gratitude and Credit: Scott Hogg My IPv6 Security Guru Rob Seastrom For the Mikrotik example The Internet Lots of searching You Thanks for listening! @ChrisGrundemann http://chrisgrundemann.com http://www.internetsociety.org/deploy360/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback