Advanced IPv6 Security: Securing Link Operations at the First Hop


Eric Levy-Abegnoli

Quick overview on the Layer 2 domain & IPv6

Some definitions:
- Layer 2 domain: same broadcast domain = link = VLAN
- Nodes: hosts, routers, switches, access points
- Link operations: operations between nodes on the shared link
- Security perimeter: draws a line between trusted and untrusted devices
- First hop: first trusted device inside the security perimeter

What is specific to IPv6 on a link?
- More addresses! More hosts allowed on the link (up to 2^64!), which results in much bigger links
- More state (neighbor cache, etc.) on hosts, routers and switches, which creates new opportunities for DoS attacks
- And protocols: the IPv6 link operations protocol is Neighbor Discovery, with more distributed and more autonomous operations:
  - Nodes discover their default router automatically
  - Nodes auto-configure their addresses
  - Nodes defend themselves (SeND)

Abstract summary and pre-requisites

This session focuses on IPv6 security within the Layer 2 domain. It covers 4 cases: router theft, address theft, address spoofing and remote address resolution cache exhaustion. It discusses the role of the First Hop, more often than not a Layer 2/3 switch, and introduces security features at the First Hop, such as RA Guard, Source Guard, Destination Guard, etc.

Requirements: knowledge of IPv6 and IPv6 Neighbor Discovery

Related recommended sessions:
- BRKSEC-2003 - IPv6 Security Threats and Mitigations
- TECSEC-2680 - IPv6 Security
- BRKRST-2301 - Enterprise IPv6 Deployment

Agenda
- IPv6 in the Layer 2 domain: high level considerations
- Use Case #1: Router theft
- Use Case #2: Address theft
- Use Case #3: Address spoofing
- Use Case #4: Remote address resolution cache exhaustion


Is bigger better? More secure?

How about newer? Sometimes, newer means better and more secure. Sometimes, experience IS better and safer!

Fundamentals on Neighbor Discovery

Defined in:
- RFC 4861 Neighbor Discovery for IP Version 6 (IPv6)
- RFC 4862 IPv6 Stateless Address Autoconfiguration
- RFC 3971 Secure Neighbor Discovery
- etc.

Used for:
- Router discovery
- IPv6 Stateless Address Autoconfiguration (SLAAC)
- IPv6 address resolution (replaces ARP)
- Neighbor Unreachability Detection (NUD)
- Duplicate Address Detection (DAD)
- Redirection

Operates above ICMPv6:
- Relies heavily on (link-local scope) multicast, combined with Layer 2 multicast
- Works with ICMP messages and message options

Agenda
- IPv6 in the Layer 2 domain: high level considerations
- Use Case #1: Router theft
  - Target deployment model
  - Vulnerability scope
  - Protocols: operations and vulnerabilities
  - Mitigation solutions
  - Remaining vulnerabilities
- Use Case #2: Address ownership
- Use Case #3: Address spoofing
- Use Case #4: Remote address resolution cache exhaustion

Router Theft - Target deployment model
- Attacker goal is to become the link's primary default router
- Hosts, routers and the attacker reside on a shared Layer 2 domain
- Hosts discover their IPv6 default router with IPv6 ND
- Attacker can be a plain PC, running simple (publicly available) attack tools. Or it can be a careless user

Router Theft - Vulnerability scope: the link

Router Theft - Router Discovery protocol
- Discover default/first hop routers
- Discover on-link prefixes

Exchange between host A and router B:
- RS from A: ICMP Type = 133 (Router Solicitation), Src = host link-local address, Dst = all-routers multicast address (FF02::2), Query = "please send RA"
- RA from B: ICMP Type = 134 (Router Advertisement), Src = router link-local address, Dst = all-nodes multicast address (FF02::1), Data = router lifetime, preference=medium, Option = Prefix X,Y,Z, lifetime
- A uses B as default gateway

Router Theft - Router Discovery protocol (cont'd)

Stateless Address Autoconfiguration is based on the prefix information delivered in the Router Advertisement:
- RS from A: ICMP Type = 133 (Router Solicitation), Src = host link-local address, Dst = all-routers multicast address (FF02::2), Query = "please send RA"
- RA from B: ICMP Type = 134 (Router Advertisement), Src = router link-local address, Dst = all-nodes multicast address (FF02::1), Data = router lifetime, preference=medium, Options = Prefix X,Y,Z, lifetime
- A computes X::x, Y::y, Z::z and DADs them (NS), then sources traffic with X::x, Y::y, Z::z

Router Theft - Vulnerability #1
- Attacker tricks the victim into accepting itself as default router
- Based on rogue Router Advertisements
- The most frequent threat, and often caused by a non-malicious user
- Many variants: preference, timing, final RA, etc.

Rogue RA from C: Src = C's link-local address, Dst = all-nodes, Data = preference=high, Options = subnet prefix, SLLA. Result: node A sends its off-link traffic to C.

Router Theft - Vulnerability #2
- Attacker spoofs a Router Advertisement with a false on-link prefix
- Victim generates a (topology-bogus) IP address with this prefix
- Access router drops outgoing packets from the victim (ingress filtering), or the return path is broken

Rogue RA from C: Src = B's link-local address, Dst = all-nodes, Options = prefix BAD. Node A autoconfigures BAD::A and DADs it, then sources off-link traffic via B with BAD::A; B filters out BAD::A (or not).

Router Theft - Mitigations

Where               | What
Routers             | Increase legal router preference
Hosts               | Disable Stateless Address Autoconfiguration
Routers & Hosts     | SeND Router Authorization
Switch (First Hop)  | Host isolation
Switch (First Hop)  | Port Access Lists (PACL)
Switch (First Hop)  | RA Guard

Router Theft Mitigation: Router Authorization overview

Objectives for (SeND) router authorization:
- Secure default router election on hosts
- Authorize routers to advertise certain prefixes

Protocol overview:
- SeND is just an extension to the Neighbor Discovery Protocol, NOT a new protocol
- SeND secures ND operations, not the end-to-end communication
- It provides Router Authorization and proof of Address Ownership
- SeND is specified in RFC 3971 & RFC 3972
- Router identity is the IPv6 source (cryptographic) address of RAs
- This address is certified in a certificate delivered by a Certificate Authority (CA)

Router Theft Mitigation: Router Authorization overview (cont'd)

Sequence between the host, router R and the Certificate Authority CA_0:
0. Host is provisioned with the CA certificate C_0
1. Router R sends a router certificate request to CA_0
2. CA_0 provisions R with its router certificate C_R
3. R sends Router Advertisements (SRC = R)
4. Host sends a Certificate Path Solicitation (CPS): "I trust CA_0, who are you R?"
5. R answers with a Certificate Path Advertisement (CPA): "I am R, this is my certificate C_R signed by CA_0"
6. Host verifies C_R against CA_0
7. Host inserts R as default route

Router Theft Mitigation: SeND deployment challenges
- To benefit fully from SeND, nodes must be provisioned with CA certificate(s)
- A chain of trust is easy to establish within an administrative boundary, but very hard outside of it
- It is a 2-player game! And very few IPv6 stacks can play the game today: Cisco IOS, Linux, some H3C, third party for Windows (from Hasso-Plattner-Institut in Germany!)

Router Theft Mitigation: Host Isolation

Prevent node-to-node Layer 2 communication by using:
- Private VLANs (PVLAN), where nodes (isolated ports) can only contact the official router (promiscuous port)
- WLAN in AP isolation mode
- One VLAN per host (SP access network with Broadband Network Gateway)

Link-local multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm. But Duplicate Address Detection does not work anymore...

Router Theft Mitigation: RA Guard (RFC 6105)

Port ACL: blocks all ICMPv6 RAs from hosts
  interface FastEthernet0/2
   ipv6 traffic-filter ACCESS_PORT in
   access-group mode prefer port

RA-guard lite: pre-programmed ACL
  interface FastEthernet0/2
   ipv6 nd raguard
   access-group mode prefer port

RA-guard: deep RA packet inspection, with device-role host on host-facing ports and device-role router on the router-facing port
  ipv6 nd raguard policy HOST
   device-role host
  ipv6 nd raguard policy ROUTER
   device-role router
  vlan configuration 100
   ipv6 nd raguard attach-policy HOST
  interface FastEthernet0/0
   ipv6 nd raguard attach-policy ROUTER

Router Theft Mitigation: Security Perimeter & Device Role
- Host-facing ports: device-role=host
- Router-facing ports: device-role=router; RAs received there go through deep inspection: hop-limit, M & O flags, router preference, source, prefix list, CGA credentials
- Ports towards another trusted switch: device-role=trusted switch (trusted-port)

General principles on the FH command interface (for your reference)
- Each FH feature provides a configuration mode to create and populate policies (+ one implicit default policy):
    ipv6 nd raguard policy host
     device-role host
- Each FH feature provides commands to attach policies to targets: box, vlan, port:
    vlan configuration 100
     ipv6 nd raguard attach-policy host
     ipv6 snooping
    interface e 0/0
     ipv6 nd raguard attach-policy router
- Packets are processed by the lowest-level matching policy for each feature:
  - Packets received on e0/0 are processed by policy ra-guard router AND policy snooping default
  - Packets received on any other port of vlan 100 are processed by policy ra-guard host AND policy snooping default

Configuration examples (for your reference)

Step 1: configure policies. Step 2: attach policies to a target (VLAN or port).

VLAN target:
  ipv6 nd raguard policy HOST
   device-role host
  vlan configuration 100-200
   ipv6 nd raguard attach-policy HOST

  ipv6 snooping policy NODE
   tracking enable
   limit address-count 10
   security-level guard
  vlan configuration 100,101
   ipv6 snooping attach-policy NODE

Port target:
  ipv6 nd raguard policy ROUTER
   device-role router
  interface Ethernet0/0
   ipv6 nd raguard attach-policy ROUTER

  ipv6 snooping policy SERVER
   trusted-port
   tracking disable
   security-level glean
  interface Ethernet1/0
   ipv6 snooping attach-policy SERVER

Router Theft Demo: topology - vlan 100 with HOST, ROUTER, PEER, SWITCH, VILLAIN, CAT and DUMB

Router Theft Demo: Router Discovery, Theft & Mitigation

Regular operations:
- ROUTER sends RAs
- HOST picks up ROUTER as default router and installs a default route
- HOST goes via the default route to reach PEER

Attack:
- VILLAIN sends an RA with higher preference, with prefix BAD::
- HOST (and DUMB) picks VILLAIN as default router
- HOST installs a default route to VILLAIN and assigns addresses on BAD::
- HOST connects to CAT

Mitigation:
- Increase preference on ROUTER: works, but...
- Enable SeND on ROUTER: HOST safe, not DUMB
- (FH) RA-guard

Router Theft - Here comes fragmentation

Problem:
- RA Guard works like a stateless ACL filtering ICMP type 134 (no reassembly)
- Attackers can exploit that to evade RA Guard by pushing the ULP header (RA) into the second fragment: fragment 1 = IPv6 hdr, HopByHop, Routing, Destination, Fragment header; fragment 2 = IPv6 hdr, HopByHop, Routing, ..., Destination, ICMP type=134. The ICMP header is in the 2nd fragment; RA Guard has no clue where to find it!
- They can even use overlapping fragments to disguise the RA as some other valid message
- RFC 3128 is not applicable to IPv6
- THC fake_router6 (FD) implements this attack, which bypasses RA Guard

Possible solutions:
- Block all fragments sent to ff02::1
- deny ipv6 any any undetermined-transport
- How about overlapping fragments? Forbidden by RFC 5722: use a compliant host stack!
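As an added illustration of the "undetermined-transport" defence on this slide (example code written for this page, not Cisco's implementation or the presenter's material), the following Python walks the IPv6 extension header chain of a single frame without reassembly, which is exactly the position a stateless RA Guard is in, and applies a host-port policy: drop Router Advertisements, drop frames whose upper-layer header cannot be reached in this fragment, and drop any fragment addressed to ff02::1. The packets are constructed test vectors (one first fragment is laid out like the slide's split header chain so the filter has something to catch); the function names and the decision strings are the example's own.

```python
"""Stateless IPv6 header-chain classification, as a first-hop filter without
reassembly sees it. Added example; all packets below are constructed."""
import struct

ICMPV6, FRAGMENT, UDP = 58, 44, 17
EXT_HDRS = {0, 43, 60}            # Hop-by-Hop, Routing, Destination Options
RA_TYPE = 134
ALL_NODES = bytes.fromhex("ff020000000000000000000000000001")
HOST_LL = bytes.fromhex("fe80000000000000000000000000" "0001")   # constructed fe80::1
UNICAST = bytes.fromhex("20010db8000000000000000000000002")       # constructed 2001:db8::2


def classify(packet: bytes) -> dict:
    """Walk the extension headers of ONE frame. kind is 'icmpv6' (value = type),
    'other' (value = protocol) or 'undetermined' when the upper-layer header is
    not inside this fragment; fragmented says whether a Fragment header was seen."""
    info = {"kind": "other", "value": None, "fragmented": False}

    def undetermined():
        info["kind"] = "undetermined"
        return info

    if len(packet) < 40 or packet[0] >> 4 != 6:
        return info
    nh, off = packet[6], 40
    while True:
        if nh == FRAGMENT:
            info["fragmented"] = True
            if off + 8 > len(packet):
                return undetermined()
            nh = packet[off]
            frag_off = struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3
            off += 8
            if frag_off != 0:          # non-initial fragment: no upper-layer header here
                return undetermined()
        elif nh in EXT_HDRS:
            if off + 2 > len(packet):
                return undetermined()
            nh, ext_len = packet[off], packet[off + 1]
            off += (ext_len + 1) * 8  # length is in 8-octet units, excluding the first 8
            if off > len(packet):
                return undetermined()
        elif nh == ICMPV6:
            if off + 4 > len(packet):  # type byte not present in this fragment
                return undetermined()
            info.update(kind="icmpv6", value=packet[off])
            return info
        else:
            info.update(kind="other", value=nh)
            return info


def ra_guard(packet: bytes, port_role: str) -> str:
    """Host-port policy: no RAs, no undetermined transport (the slide's
    'deny ipv6 any any undetermined-transport'), no fragments to ff02::1."""
    if port_role == "router":
        return "permit"
    info = classify(packet)
    if info["kind"] == "icmpv6" and info["value"] == RA_TYPE:
        return "drop: router advertisement on host port"
    if info["kind"] == "undetermined":
        return "drop: undetermined transport"
    if info["fragmented"] and packet[24:40] == ALL_NODES:
        return "drop: fragment to ff02::1"
    return "permit"


def ipv6(nh: int, payload: bytes, dst: bytes = ALL_NODES, src: bytes = HOST_LL) -> bytes:
    # Fixed IPv6 header: version 6, payload length, next header, hop limit 255
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 255) + src + dst + payload


def ra_payload() -> bytes:
    # ICMPv6 RA: type 134, code 0, checksum left 0 (not verified here), hop limit 64, lifetime 1800
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)


PADN8 = bytes([1, 4, 0, 0, 0, 0])           # PadN option filling an 8-byte extension header
SAMPLES = {
    "plain_ra": ipv6(ICMPV6, ra_payload()),
    "echo_request": ipv6(ICMPV6, struct.pack("!BBHHH", 128, 0, 0, 1, 1)),
    # First fragment: Hop-by-Hop -> Fragment(offset 0, M=1) -> Destination -> chain ends
    "chain_split_first_frag": ipv6(0, bytes([FRAGMENT, 0]) + PADN8
                                   + struct.pack("!BBHI", 60, 0, 0x0001, 7)
                                   + bytes([ICMPV6, 0]) + PADN8),
    # Non-initial fragment (offset 1 = 8 octets) carrying the ICMPv6 header
    "second_frag": ipv6(FRAGMENT, struct.pack("!BBHI", ICMPV6, 0, 1 << 3, 7) + ra_payload()),
    # First fragment of ordinary UDP to a unicast destination: transport is determinable
    "frag_unicast_udp": ipv6(FRAGMENT, struct.pack("!BBHI", UDP, 0, 0x0001, 9) + bytes(8), dst=UNICAST),
    # Determinable transport, but a fragment sent to all-nodes
    "frag_to_all_nodes": ipv6(FRAGMENT, struct.pack("!BBHI", UDP, 0, 0x0001, 9) + bytes(8)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:24s} {classify(pkt)}  ->  {ra_guard(pkt, 'host')}")
```

The cost of the `undetermined-transport` rule is visible in the `second_frag` sample: every non-initial fragment from a host port is dropped too, because a stateless device cannot know what it carries; the `frag_unicast_udp` sample shows that legitimate first fragments with a complete header chain still pass.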

Agenda
- IPv6 in the Layer 2 domain: high level considerations
- Use Case #1: Router discovery
- Use Case #2: Address theft
  - Target deployment model
  - Vulnerability scope
  - Protocols: operations and vulnerabilities
  - Mitigation solutions
  - Demo
  - Remaining vulnerabilities
- Use Case #3: Address spoofing
- Use Case #4: Remote address resolution cache exhaustion

Address Theft - Target deployment model
- Hosts reside on a shared Layer 2 domain (same link)
- Host address assignment is performed using SLAAC, DHCP or static configuration
- Attacker is also on the link. Can be a plain desktop/laptop, running simple attack tools. Or it can be a careless user
- Attacker goal is to take over (steal) someone else's address to either source (bogus) traffic or hijack sessions
- Attacker can also perform a DoS attack by pretending to own the entire address space
- Vulnerability scope: the link (same as for Router discovery)

Address Theft - Address Resolution protocol
- When needed, it resolves an IP address into a MAC address
- Creates a neighbor cache entry
- Maintains the entry with NUD or upon receipt of any updated LLA
- Last Come, First Served (LCFS): good for mobility, bad for security!

Exchange between A and B:
- NS from A: ICMP type = 135 (Neighbor Solicitation), Dst = solicited-node multicast address of B, target = B, Query = "what is B's link-layer address?"
- NA from B: ICMP type = 136 (Neighbor Advertisement), Src = one of B's interface addresses, Dst = A, target = B, Option = target link-layer address (MAC_B)
- A's neighbor cache now holds B -> MAC_B

Address Theft - Duplicate Address Detection
- Verify address uniqueness before using it
- Required (MUST) by SLAAC, recommended (SHOULD) by DHCP
- Probe neighbors to verify nobody claims the address

NS from A: ICMP type = 135 (Neighbor Solicitation), Src = UNSPEC = 0::0, Dst = solicited-node multicast address of A, target = A, Query = "Does anybody use A already?" If nobody answers, node A can start using address A.

Address Theft - Vulnerability #1

Attacker C can claim victim B's IP address. During the address resolution flow for B, C sends an (unsolicited) NA: Src = B, target = B, Dst = all-nodes, Option = MAC_C. A's neighbor cache entry for B changes from MAC_B to MAC_C.

Attack tool: Parasite6 ("answer to all NS, claiming to be all systems in the LAN...")

Address Theft - Vulnerability #2
- Attacker hacks any victim's DAD attempts
- Victim can't configure its IP address and can't communicate

A sends its DAD NS: Src = UNSPEC, Dst = solicited-node multicast address of A, target = A, Query = "Does anybody use A already?". C answers with an NA ("it's mine!"): Src = any of C's interface addresses, Dst = A, target = A, Option = link-layer address of C.

From RFC 4862 section 5.4: "If a duplicate address is discovered, the address cannot be assigned to the interface."

What if: use the MAC address of the node you want to DoS and claim its IPv6 address. Attack tool: Dos-new-IPv6.

Mitigation in IOS: configuring the IPv6 address as anycast disables DAD on the interface.

Address theft mitigations

Where               | What
Routers & Hosts     | Configure static neighbor cache entries
Routers & Hosts     | Use cryptographic addresses (SeND CGA)
Switch (First Hop)  | Host isolation
Switch (First Hop)  | Address watch:
                    |  - glean addresses in NDP and DHCP
                    |  - log bindings <address, port, MAC, vlan> for traceability
                    |  - establish and enforce rules for address ownership
                    |  - prevent address thefts
                    |  - limit the number of bindings accepted per user (define "user")

Address Theft Mitigation: Address ownership proof

Objectives for address ownership:
- Enable the ND message sender to provide proof of ownership of the address, and the receiver to validate the proof
- Verify that the address is either the source of the ND message or the target of DAD messages (when the source is UNSPEC)
- This is a SeND feature

Protocol overview:
- Hosts (and routers) generate a pair of RSA keys
- The public key is hashed to create a Cryptographically Generated Address (CGA)
- The CGA address is signed by the private key
- Both the public key and the signature are provided in ND messages
- Receivers must verify the signature and the address/key consistency (address = hash(key))
- No key distribution required!

Address Theft Mitigation: Address ownership overview

Sender: computes its address as prefix + interface-id, with interface-id = hash(public key, ...); sends the ND message with Src = address and SIGNs it. Receiver: VERIFYs the signature and checks that the address matches the hash ("my address!").

Address Theft Mitigation: SeND (cont'd)

SeND: extending the 62-bit crypto barrier
- 62 bits is not considered a good protection against brute force (2^62 attempts)
- Need to inject delay into the computation
- Need to make the computation able to evolve

Basic scheme: generate keys pub and priv; hash = SHA-1(pub + pfx); interface-id = hash[0..61]; done. The extended scheme inserts a tunable delay right after the hash is computed: the computation is repeated until the hash satisfies an additional condition, and only then is the interface-id taken from it (the real algorithm is on the next slide).

Address Theft Mitigation: SeND (cont'd) - the real thing (for your reference)

Inputs: key = public key in DER format; sec = security level; col = collision count = {0}

1. Generate 16 random bytes: mod (the modifier)
2. Build message = mod | 0...0 (9 zero bytes) | key; hash = SHA-1(message)
3. Are bits 0..16*sec of hash all 0? If not, increment mod and go back to step 2 (the delay is here!)
4. message = mod | prefix | col | key; hash = SHA-1(message)
5. Compute address: bytes 0..7 = prefix; bytes 8..15 = hash bytes 0..7; bits 64..66 = sec; bits 70, 71 = 0 ("u" and "g")
6. Do DAD. No response: start using the address. Duplicate: increment col; if col < 2 go back to step 4, otherwise report an error
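To make the flowchart concrete, here is an added Python implementation of CGA generation and verification following RFC 3972 (it is not the presenter's or Cisco's code): the modifier search bounded by sec is the "delay is here" loop, the collision count is retried for the values 0, 1 and 2 as the RFC specifies (the slide's flowchart shows col < 2), and sec lands in bits 0-2 of the interface identifier with the u/g bits cleared. The public key is a constructed placeholder byte string standing in for a DER-encoded RSA key, the prefix is the documentation prefix 2001:db8:0:ab::/64, and DAD is simulated by a set of addresses already in use. The example covers the address/key consistency check only, not the RSA signature option that SeND adds on top.

```python
"""CGA generation and verification per RFC 3972 (added example)."""
import hashlib
import ipaddress
import os

# Constructed placeholder standing in for a DER-encoded RSA public key (not a real key).
PUBKEY_DER = b"\x30\x82\x01\x22" + bytes(range(256)) + b"placeholder-key"
PREFIX = bytes.fromhex("20010db8000000ab")          # 2001:db8:0:ab::/64, 8 bytes


def hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | key)
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    # Hash1 = leftmost 64 bits of SHA-1(modifier | prefix | collision count | key)
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def hash2_ok(h2: bytes, sec: int) -> bool:
    # The leftmost 16*sec bits of Hash2 must be zero (sec = 0 imposes no condition).
    return sec == 0 or h2[:2 * sec] == bytes(2 * sec)


def find_modifier(pubkey: bytes, sec: int, start: bytes = None) -> bytes:
    """The tunable delay: increment the modifier until Hash2 passes.
    Expected work is about 2^(16*sec) SHA-1 computations."""
    mod = int.from_bytes(start or os.urandom(16), "big")
    while True:
        m = mod.to_bytes(16, "big")
        if hash2_ok(hash2(m, pubkey), sec):
            return m
        mod = (mod + 1) & ((1 << 128) - 1)


def interface_id(modifier: bytes, prefix: bytes, col: int, pubkey: bytes, sec: int) -> bytes:
    iid = bytearray(hash1(modifier, prefix, col, pubkey))
    iid[0] = (iid[0] & 0x1F) | (sec << 5)   # bits 0-2 of the IID carry sec
    iid[0] &= 0xFC                          # bits 6 and 7 ("u" and "g") are cleared
    return bytes(iid)


def generate_cga(prefix: bytes, pubkey: bytes, sec: int, in_use=frozenset(), start: bytes = None):
    """Returns (address_bytes, cga_parameters). in_use simulates DAD answers;
    collision counts 0, 1 and 2 are tried before giving up (RFC 3972 step 8)."""
    modifier = find_modifier(pubkey, sec, start)
    for col in range(3):
        address = prefix + interface_id(modifier, prefix, col, pubkey, sec)
        if address not in in_use:
            return address, {"modifier": modifier, "prefix": prefix, "collision_count": col}
    raise RuntimeError("three DAD collisions: report error")


def verify_cga(address: bytes, params: dict, pubkey: bytes) -> bool:
    """Receiver side (RFC 3972 section 5): the address must equal hash(key, params)."""
    modifier, prefix, col = params["modifier"], params["prefix"], params["collision_count"]
    if col > 2 or address[:8] != prefix:
        return False
    sec = address[8] >> 5                      # sec is read from the address itself
    h1 = hash1(modifier, prefix, col, pubkey)
    # Compare Hash1 with the IID, ignoring bits 0-2 (sec) and 6-7 (u/g)
    if (address[8] & 0x1C) != (h1[0] & 0x1C) or address[9:] != h1[1:]:
        return False
    return hash2_ok(hash2(modifier, pubkey), sec)


if __name__ == "__main__":
    addr, params = generate_cga(PREFIX, PUBKEY_DER, sec=1, start=bytes(16))
    print(ipaddress.IPv6Address(addr), "modifier", params["modifier"].hex(),
          "col", params["collision_count"], "valid", verify_cga(addr, params, PUBKEY_DER))
```

Run with sec=1 the modifier search takes on the order of 2^16 SHA-1 computations, which is why the slide calls it a tunable delay: each increment of sec multiplies the attacker's brute-force cost (and the owner's one-off generation cost) by 2^16, while verification stays two hashes.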

Address Theft Mitigation: Address Glean at the First Hop

The first-hop switch learns bindings from the traffic it sees:
- H1 sends a DAD NS [IP source=unspec, target=A1, SMAC=MAC_H1]: binding A1 / MAC_H1 / 100 / P1, preference X
- H2 sends a DHCP REQUEST [XID, SMAC = MAC_H2] and the DHCP server answers with a REPLY [XID, IP A21, IP A22]: bindings A21 and A22 / MAC_H2 / 100 / P2, preference Y
- H3 sends data [IP source=A3, SMAC=MAC_H3] without a prior binding; the glean process probes with a DAD NS [IP source=unspec, target = A3] and a DHCP LEASEQUERY, H3 answers with an NA [IP source=A3, LLA=MAC_H3] and the server with a DHCP LEASEQUERY_REPLY: binding A3 / MAC_H3 / 100 / P3, preference Z

Binding table:
ADR  | MAC    | VLAN | IF | Preference
A1   | MAC_H1 | 100  | P1 | X
A21  | MAC_H2 | 100  | P2 | Y
A22  | MAC_H2 | 100  | P2 | Y
A3   | MAC_H3 | 100  | P3 | Z

Address Theft Mitigation: Address Watch at the First Hop

Address glean feeds the binding table; before a gleaned binding is accepted ("valid?") and the traffic is bridged, the switch:
- Arbitrates collisions and checks ownership
- Checks against the maximum allowed per box/vlan/port
- Records & reports changes

Preference is a function of configuration, learning method and the credentials provided:
- Upon collision, choose the highest preference (for instance static, trusted, CGA, DHCP preferred over dynamic, not_trusted, not_cga, SLAAC)
- For collisions with the same preference, choose First Come, First Served

Address Theft Mitigation: Security Perimeter & State Distribution

Each access switch gleans its own binding table (columns ADR, MAC, IF) from its ports, for example A11 / MAC_H1 / P1 and A21 / MAC_H2 / P2, and the consolidated binding table at the next level holds the entries learned by all of them (A11, A21, A22, ...).

Address Theft Demo: the topology - vlan 100 with a provisioning system, HOST, ROUTER+DHCP server, DUMB, SWITCH and VILLAIN

Address Theft Demo: Address theft & Mitigation

Regular operations:
- show ipv6 address: SLAAC, DHCP, static
- HOST connects to ROUTER
- Show the neighbor cache

Attack:
- HOST connects to ROUTER
- VILLAIN steals 2001:100::1 and the connection breaks
- HOST re-connects and ends up at VILLAIN

Mitigation:
- Configure a static cache entry on HOST
- Configure a CGA address on ROUTER: helps HOST, not DUMB
- Enable ipv6 snooping on SWITCH; show the binding table, preference values, etc. Helps for non-CGA, CGA, HOST and DUMB
- Show logging

Address Theft - Remaining Vulnerabilities

Problems:
- Address ownership is not address authorization! An attacker can forge any address of its own and prove ownership of it
- CGA is not widely available
- First-come first-served is NOT very secure for SLAAC
- First-come first-served is hardly compatible with mobility

Solutions:
- Use FH address glean & watch (combined with CGA when available)
- Use non-default preferences whenever you can
- Use an authoritative address assignment method (DHCP) when you can
- When FCFS must be used, use a long lifetime to keep entries in the binding table as long as you can
- Use logging to trace problems after the fact
- To reduce issues with mobility, use 802.1X whenever possible
- For address authorization, see the next use case

Agenda
- IPv6 in the Layer 2 domain: high level considerations
- Use Case #1: Router theft
- Use Case #2: Address theft
- Use Case #3: Source Address spoofing
  - Target deployment model
  - Mitigation solutions
  - Demo
  - The standard
- Use Case #4: Remote address resolution cache exhaustion

Address Spoofing - Target deployment model
- Hosts (victims) are anywhere (on/off link)
- Attacker is on the link
- Attacker can be a plain PC, running simple attack tools
- Attacker goal is to launch single-packet attacks or a flood-based DoS attack without being identified or traceable

Address Spoofing - Vulnerability scope

Non-blind attacks:
- Man-in-the-middle attacks
- Third-party recon

Blind attacks:
- Single-packet attacks
- Flood-based DoS
- Poisoning attacks
- Spoof-based worm/malware propagation
- Reflective attacks
- Accounting subversion

Address Spoofing - Mitigations

Where              | What
Routers            | Ingress filtering, Unicast Reverse Path Forwarding (uRPF)
Nodes              | Address provisioning mechanisms
Layer 2 Switch     | Port-based address binding (FH Source Guard): draft-ietf-savi-fcfs, draft-ietf-savi-dhcp, draft-ietf-savi-send, draft-ietf-savi-mix
Layer 2/3 Switch   | Prefix Guard

Address Spoofing Mitigation: Source Guard
- Allow traffic sourced with a known IP/SMAC pair
- Deny traffic sourced with an unknown IP/SMAC pair, and trigger the address glean process

Binding table (IPv6 / MAC / VLAN / IF): A1 / MAC_A1 / 100 / P1; A21 / MAC_A21 / 100 / P2; A22 / MAC_A22 / 100 / P2; A3 / MAC_A3 / 100 / P3

- P1: data with src = A1, SMAC = MAC_A1 matches the binding and is allowed
- P2: data with src = A21, SMAC = MAC_A21 matches the binding and is allowed
- P3: data with src = A3, SMAC = MAC_A3 has no binding at first; it triggers address glean (DAD NS [IP source=unspec, target = A3], DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY), after which the binding P3 :: A3, MAC_A3 exists. An NA [target = A1, LLA=MAC_A3] seen on P3 does not match the binding for A1.

Address Spoofing Mitigation: Prefix Guard

Topology: home networks behind home gateways G1, G2 and G3, connected on a shared VLAN (ports p1, p2, p3) of an L2 switch (FH security, DHCP tag), behind an L3 switch (FH security, DHCP relay) and a DHCP server.
- The DHCP-PD reply delegates PREFIX=P1 to G1; the switch records the binding P1 / MAC_G1 / 100 / p1
- G1 advertises P1 in its RAs on the home network and the hosts build SLAAC addresses from it
- Traffic with src = P1::iid matches the delegated prefix; traffic with src = BAD::iid does not and is blocked

Address Spoofing Demo (for your reference): vlan 100 with HOST, SWITCH, ROUTER+DHCP server, PEER and VILLAIN

Agenda
- IPv6 in the Layer 2 domain: high level considerations
- Use Case #1: Router discovery
- Use Case #2: Address ownership
- Use Case #3: Source Address Validation
- Use Case #4: Remote address resolution cache exhaustion
  - The target deployment model
  - Protocol and vulnerabilities
  - Mitigation solutions
  - Demo

Remote address resolution cache exhaustion - Target deployment model
- Attacker is off link
- Attacker can be a PC, running simple attack tools
- Attacker goal is to launch a flood-based DoS attack targeting the last-hop router, the link behind it, and all nodes on the link
- Attacker method is to scan the link prefix to force a high rate of resolution attempts, exhaust the router's resources, slow or deny valid resolutions, and load the link with useless multicast packets

Remote address resolution cache exhaustion - Vulnerability scope
- Attacker is anywhere on the Internet
- His primary victim is the last-hop Layer 3 device (router)
- He can also harm the link and the nodes behind it

Remote address resolution cache exhaustion - Protocol

Attacker X scans the 2^64 addresses of PFX::/64 behind the gateway (ping PFX::a, PFX::b, ... PFX::z). For each destination the gateway sends an NS to the solicited-node multicast address of that address (Query = "what is PFX::a's link-layer address?", and likewise for PFX::b ... PFX::z) and keeps an entry for the pending resolution in its neighbor cache (3 seconds).

Remote address resolution cache exhaustion - Mitigation

Where            | What
Routers          | Address provisioning mechanisms: allocate addresses by blocks and filter at the edge
Routers          | ND resolution algorithm: rate limiting of new resolutions; separate cache for confirmed reachable entries; circular buffer for new resolutions; cache boundaries
Layer 3 Switch   | Destination Guard

DoS Attack on Address Resolution Mitigation: Destination Guard
- Mitigates prefix-scanning attacks and protects the ND cache
- Useful at the last-hop router and at the L3 distribution switch
- Drops packets for destinations without a binding entry

Flow: attacker B on the Internet scans {P/64} with packets to D1 ... Dn. The L3 switch looks each destination up in its binding table (populated by address glean from the hosts): D1 found, forward the packet; destination not found, drop it without touching the neighbor cache.
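The address watch, Source Guard and Destination Guard slides above all act on the same binding table. As an added toy model (illustration code written for this page, not Cisco's first-hop security implementation), the Python below gleans bindings with a preference tuple ordered as the address watch slide lists it (static, trusted, CGA, DHCP over SLAAC), falls back to first come, first served at equal preference, enforces a per-port address-count limit like the snooping policy's `limit address-count`, and then answers the two forwarding questions: Source Guard (is this <IP, MAC, port> a known binding?) and Destination Guard (does this destination have a binding at all?). The MAC names, addresses and the event sequence in `demo()` are constructed.

```python
"""Toy first-hop binding table: glean, arbitrate, source guard, destination guard.
Added example; the weighting and all sample events are constructed."""
from dataclasses import dataclass


@dataclass
class Binding:
    address: str
    mac: str
    vlan: int
    port: str
    preference: tuple   # (static, trusted, cga, dhcp): tuple order mirrors the slide
    seq: int            # arrival order, used for first come, first served


class BindingTable:
    def __init__(self, max_per_port: int = 10):
        self.entries = {}          # (vlan, address) -> Binding
        self.log = []              # "record & report changes"
        self.max_per_port = max_per_port
        self.seq = 0

    def glean(self, address, mac, vlan, port, method, trusted=False, cga=False) -> bool:
        """Address watch: arbitrate collisions, enforce the per-port limit, log."""
        pref = (method == "static", trusted, cga, method == "dhcp")
        key = (vlan, address)
        self.seq += 1
        candidate = Binding(address, mac, vlan, port, pref, self.seq)
        current = self.entries.get(key)
        if current is None:
            on_port = sum(1 for b in self.entries.values() if (b.vlan, b.port) == (vlan, port))
            if on_port >= self.max_per_port:
                self.log.append(f"REJECT {address} on {port}: address-count limit {self.max_per_port}")
                return False
            self.log.append(f"NEW {address} -> {mac}/{port} vlan {vlan} via {method}")
        elif (current.mac, current.port) != (mac, port):
            # Collision: highest preference wins; equal preference keeps the first comer
            if pref <= current.preference:
                self.log.append(f"REJECT {address} from {mac}/{port}: owned by {current.mac}/{current.port}")
                return False
            self.log.append(f"CHANGE {address}: {current.mac}/{current.port} -> {mac}/{port}")
        self.entries[key] = candidate
        return True

    def source_guard(self, src_ip, src_mac, vlan, port) -> str:
        """Forward only traffic whose <IP, MAC, port> is a known binding."""
        b = self.entries.get((vlan, src_ip))
        if b and (b.mac, b.port) == (src_mac, port):
            return "forward"
        self.log.append(f"SRC-GUARD drop {src_ip}/{src_mac} on {port}; trigger glean")
        return "drop"

    def destination_guard(self, dst_ip, vlan) -> str:
        """Forward only to destinations that have a binding (no ND resolution otherwise)."""
        return "forward" if (vlan, dst_ip) in self.entries else "drop"


def demo():
    """Constructed event sequence on vlan 100; returns (results, log)."""
    t = BindingTable(max_per_port=2)
    t.glean("2001:db8::1", "MAC_R", 100, "P0", "dhcp", trusted=True)    # router on trusted port
    t.glean("2001:db8::a1", "MAC_H1", 100, "P1", "slaac")               # gleaned from DAD NS
    t.glean("2001:db8::21", "MAC_H2", 100, "P2", "dhcp")                # gleaned from DHCP REPLY
    results = {
        "theft_rejected": not t.glean("2001:db8::1", "MAC_V", 100, "P9", "slaac"),
        "fcfs_rejected": not t.glean("2001:db8::a1", "MAC_V", 100, "P9", "slaac"),
        "h1_data": t.source_guard("2001:db8::a1", "MAC_H1", 100, "P1"),
        "spoofed_data": t.source_guard("2001:db8::a1", "MAC_V", 100, "P9"),
        "scan_known": t.destination_guard("2001:db8::21", 100),
        "scan_unknown": t.destination_guard("2001:db8::dead", 100),
        "second_on_p2": t.glean("2001:db8::22", "MAC_H2", 100, "P2", "dhcp"),
        "third_on_p2": t.glean("2001:db8::23", "MAC_H2", 100, "P2", "dhcp"),
        "static_wins": t.glean("2001:db8::a1", "MAC_H1", 100, "P5", "static"),
    }
    return results, t.log


if __name__ == "__main__":
    res, log = demo()
    print(res)
    print("\n".join(log))
```

The log is the part a practitioner keeps: the slide's traceability goal is met only if every NEW, CHANGE and REJECT line carries the <address, port, MAC, vlan> tuple that later lets an incident be tied to a physical port.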

DoS Attack on Address Resolution Demo: vlan 100 with HOST, L2/L3 SWITCH, PEER, VILLAIN and a DHCP server

IPv6 First Hop Security Platform Support

Feature / Platform    | Catalyst 6500 | Catalyst 4500 | Catalyst 2K/3K | ASR1000   | 7600     | Catalyst 3850 | Wireless LAN Controller (Flex 7500, 5508, 2500, WISM-2)
RA Guard              | 15.0(1)SY     | 15.1(2)SG     | 15.0(2)SE      | -         | 15.2(4)S | 15.0(1)EX     | 7.2
IPv6 Snooping         | 15.0(1)SY (1) | 15.1(2)SG     | 15.0(2)SE      | XE 3.9.0S | 15.2(4)S | 15.0(1)EX     | 7.2
DHCPv6 Guard          | 15.2(1)SY     | 15.1(2)SG     | 15.0(2)SE      | -         | 15.2(4)S | 15.0(1)EX     | 7.2
Source/Prefix Guard   | 15.2(1)SY     | 15.2(1)E      | 15.0(2)SE (2)  | XE 3.9.0S | 15.3(1)S | -             | 7.2
Destination Guard     | 15.2(1)SY     | 15.1(2)SG     | 15.2(1)E       | XE 3.9.0S | 15.2(4)S | -             | -
RA Throttler          | 15.2(1)SY     | 15.2(1)E      | 15.2(1)E       | -         | -        | 15.0(1)EX     | 7.2
ND Multicast Suppress | 15.2(1)SY     | 15.1(2)SG     | 15.2(1)E       | XE 3.9.0S | -        | 15.0(1)EX     | 7.2

"-": no release listed; the slide's colour coding that distinguished "available now", "not available" and "roadmap" did not survive the transcription.
Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped.
Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release.

Recommended Reading

Call to Action
- Visit the Cisco Campus at the World of Solutions to experience Cisco innovations in action
- Get hands-on experience attending one of the Walk-in Labs
- Schedule a face-to-face meeting with one of Cisco's engineers at the Meet the Engineer center
- Discuss your project's challenges at the Technical Solutions Clinics


Q & A