IPv6 Security. Rocky Mountain IPv6 Summit. Scott Hogg. GTRI - Director of Advanced Technology Services CCIE #5133, CISSP #4610

Similar documents
Rocky Mountain IPv6 Summit April 9, 2008

Rocky Mountain ISSA Chapter April 5, IPv6 Security. Scott Hogg. Director of Advanced Technology Services - GTRI CCIE #5133, CISSP #4610

IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering

Rocky Mountain Cisco User Groups April 16-17, IPv6 Security. Scott Hogg. GTRI - Director of Advanced Technology Services CCIE #5133, CISSP

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann

IPv6 Security Considerations: Future Challenges

IPv Implementation - The Naked Truth. Dr. Omar Amer Abouabdalla IPv6 Global Sdn. Bhd.

Security in an IPv6 World Myth & Reality

The IPv6 (in)security

IPv6 Security János Mohácsi IPv6 workshop, Skopje June 2011

IPv6 Security. IPv6 Training Day 18 th September 2012 Philip Smith APNIC

Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL Marc Heuse

IPv6 Security for Broadband Access, Wireless and ISPs

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

Insights on IPv6 Security

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

The Layer-2 Insecurities of IPv6 and the Mitigation Techniques

Rocky Mountain IPv6 Summit April 9, 2008

Friday 13 th May :30-12:15

IPv6 Security Fundamentals

Remember Extension Headers?

Insights on IPv6 Security

IPv6 Bootcamp Course (5 Days)

Recent advances in IPv6 insecurities Marc van Hauser Heuse CCC Congress 2010, Berlin Marc Heuse

IPv6 Security: Threats and Mitigation

IPv6 Security awareness

IPv6 Security. 15 August

Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line

Network Security. Thierry Sans

Eric Vyncke, Distinguished Engineer, 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

Everything you need to know about IPv6 security I can manage in 30min. IPv6 Day Copenhagen November 2017

IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

"Charting the Course... IPv6 Bootcamp Course. Course Summary

Augmented SEND: Aligning Security, Privacy, and Usability. Dr. Ahmad Alsadeh Birzeit University Palestine

IPv6 in Campus Networks

Security Issues in Next Generation IP and Migration Networks

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

IPv6 Next generation IP

Certified Penetration Testing Consultant

IPv4/v6 Considerations Ralph Droms Cisco Systems

IPv6, the Next Generation Network Playground How to Connect and Explore

IPV6 SIMPLE SECURITY CAPABILITIES.

Foreword xxiii Preface xxvii IPv6 Rationale and Features

ASA/PIX Security Appliance

SECURE ROUTER DISCOVERY MECHANISM TO OVERCOME MAN-IN THE MIDDLE ATTACK IN IPV6 NETWORK

IPv6 for the InfoSec Pro On the Go. Allan Stojanovic University of Toronto #include disclaimer.h

Radware ADC. IPV6 RFCs and Compliance

IPv6 Security Safe, Secure, and Supported.

IPv6 Security. ITU/APNIC/MOIC IPv6 Workshop 19 th 21 st June 2017 Thimphu

IPv6 CGAs: Balancing between Security, Privacy and Usability

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

IPv6 Snooping. Finding Feature Information. Restrictions for IPv6 Snooping

The Layer-2 Security Issues and the Mitigation

NIST SP : Guidelines for the Secure Deployment of IPv6

TCP/IP Protocol Suite

Transitioning to IPv6

ETSF05/ETSF10 Internet Protocols Network Layer Protocols

Fundamentals of Network Security v1.1 Scope and Sequence

IPv6 Security Threats and #CLEUR BRKSEC Eric Vyncke

IPv6 Security Course Preview RIPE 76

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

OSI Data Link & Network Layer

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

IPv6. Copyright 2017 NTT corp. All Rights Reserved. 1

Applied IT Security. System Security. Dr. Stephan Spitz 6 Firewalls & IDS. Applied IT Security, Dr.

Secure Neighbor Discovery. By- Pradeep Yalamanchili Parag Walimbe

IPv6 migration challenges and Security

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

IPv6. Internet Technologies and Applications

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

Configuring IPv6 First-Hop Security

IPv6 Security Issues and Challenges

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

IPv6 Cyber Security Briefing May 27, Ron Hulen VP and CTO Cyber Security Solutions Command Information, Inc.

Cisco CCIE Security Written.

IPv6 Feature Facts

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August

Planning for Information Network

IPv6 Transition Mechanisms

Discussions around IPv6 security have centered on IPsec

IPv6 Transition Mechanisms

IPv6 Transition Technologies (TechRef)

IETF Update about IPv6

Table of Contents Chapter 1 Tunneling Configuration

CSCI-1680 Network Layer:

TD#RNG#2# B.Stévant#

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. IPv6

IPv6: An Introduction

Implementing Firewall Technologies

CCNA Questions/Answers IPv6. Select the valid IPv6 address from given ones. (Choose two) A. FE63::0043::11:21 B :2:11.1 C.

Transition to IPv6. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

IPv6 Deployment - Security Issues Thinking outside the NAT box

Eric Vyncke, Distinguished Engineer, 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

New IP Header. Why change IP. Address Notation. Changes. Information Sources. IP Version 6 ITL

Information Sources Hans Kruse & Shawn Ostermann, Ohio University

IPv6 tutorial. RedIRIS Miguel Angel Sotos

IPv6 Security. Pedro Lorga - WALC 2006 (Quito, Ecuador July 06)

Transcription:

Rocky Mountain IPv6 Summit IPv6 Security Scott Hogg GTRI - Director of Advanced Technology Services CCIE #5133, CISSP #4610 1

IPv6 Security We will all migrate to IPv6 eventually, but when and how remain to be seen I bet you have some IPv6 running on your networks already Do you use Linux, MacOS X, BSD, or MS Vista? They all come with IPv6 capability, some even have IPv6 enabled by default (IPv6 preferred) They may try to use IPv6 first and then fall-back to IPv4 Or they may create IPv6-in-IPv4 tunnels to Internet resources to reach IPv6 content Some of these techniques take place regardless of user input or configuration If you are not protecting your IPv6 nodes then you have just allowed a huge back-door to exist 2

IPv6 Security Threats There isn t much of a hacker community focusing on IPv6 today but that is likely to change as IPv6 becomes more popular IPv6 will gain the hacker s attention Many vendors (Cisco, Juniper, Microsoft, Sun, Open Source) have already published IPv6 bugs/vulnerabilities Attacks at the layers below and above the network layer are unaffected by the security of IPv6 3

IPv6 Attack Tools THC IPv6 Attack Toolkit parasite6, alive6, fake_router6, redir6, toobig6, detect-new-ip6, dos-new-ip6, fake_mld6, fake_mipv6, fake_advertiser6, smurf6, rsmurf6 Scanners Nmap, halfscan6 Packet forgery Scapy6, SendIP, Packit, Spak6 DoS Tools 6tunneldos, 4to6ddos, Imps6-tools 4

Reconnaissance First step of an attack Checking registries (whois), DNS (nslookup, dig, etc.), Google Ping sweeps, port scans, application vulnerability scans IPv6 makes the ping sweeps problematic The address space is too large to scan Ping FF02::1 may give results Node Information Queries (RFC 4620) Attackers may find one host and leverage the neighbor cache 5

LAN Threats IPv6 uses ICMPv6 for many LAN operations Stateless auto-configuration IPv6 equivalent of IPv4 ARP Spoofed RAs can renumber hosts or launch a MITM attack NA/NS same attacks as with ARP DHCPv6 spoofing Redirects same as ICMPv4 redirects Forcing nodes to believe all addresses are onlink 6

Secure Neighbor Discovery (SEND) IPSec is not usable to secure NDP SEND (RFC 3971) defines the trust model for nodes communicating on a LAN Nodes use public/private key pair to create Cryptographically Generated Addresses (CGA RFC 3972) which is the last 64 bits of address (interface ID) Improvements on standard neighbor discovery: Neighbor Discovery Protocol messages use RSA-based cryptography to protect their integrity Signed ND messages protect message integrity and authenticate the sender. Trust anchors may certify the authority of routers. Current Deployment DoCoMo USA Labs - OpenSource SEND Project Cisco 12.4T and 12.2SR 7

Cryptographically Generated Addresses (CGA) Each devices has a RSA key pair (no need for cert) Ultra light check for validity Prevent spoofing a valid CGA address RSA Keys Priv Pub Signature Modifier (nonce) Public Key Subnet Prefix CGA Params SHA-1 Send Messages Subnet Prefix Interface Identifier Crypto. Generated Address 8

Extension Headers (EHs) Extension Headers Each header should not appear more than once with the exception of the Destination Options header Hop-by-Hop extension header should only appear once. Hop-by-Hop extension header should be the first header in the list because it is examined by every node along the path. Destination Options header should appear at most twice (before a Routing header and before the upper-layer header). Destination Options header should be the last header in the list if it is used at all. Header Manipulation Crafted Packets Large chains of extension headers Separate payload into second fragment Consume resources - DoS Invalid Extension Headers DoS Routing Headers Type 0 source routing 9

Routing Header 0 Attack RH0 Attacker Fedora7 VLAN 11 Cisco ASA VLAN 22 1 2 RH0 Midway FreeBSD WinXP 2001:db8:11:0::/64 Cisco 2811 3 2001:db8:22:0::/64 RH0 Destination 10

Hierarchy and Traceback IPv6 Internet 2001:db8::/32 2001:db9::/32 Inbound Filter: Allow only packets sourced from 2001:db8:1000::/48 Outbound Filter: Allow only packets destined for 2001:db8:1000::/48 ISP1 ISP2 2001:db8:1000::/48 2001:db9:2000::/48 Victim Server 11

Transition Mechanism Threats Dual Stack - Preferred You are only as strong as the weakest of the two stacks. Running dual stack will give you at least twice the number of vulnerabilities Manual Tunnels - Preferred Filter tunnel source/destination and use IPSec If spoofing, return traffic is not sent to attacker Dynamic Tunnels 6to4 Relay routers are open relays ISATAP potential MITM attacks Attackers can spoof source/dest IPv4/v6 addresses Protocol Translation Not recommended Deny packets for transition techniques not in use Deny IPv4 protocol 41 forwarding unless that is exactly what is intended unless using 6to4 tunneling Deny UDP 3544 forwarding unless you are using Teredo-based tunneling 12

IPv6 Firewalls Don t just use your IPv4 firewall for IPv6 rules Don t just blindly allow IPSec or IPv4 Protocol 41 through the firewall Procure separate firewalls for IPv6 policy Look for vendor support of Extension Headers, Fragmentation, PMTUD Firewalls should have granular filtering of ICMPv6 and multicast Some hosts may have multiple IPv6 addresses so this could make firewall troubleshooting tricky Layer-2 firewalls are trickier with IPv6 because of ICMPv6 ND/NS/NUD/RA/RS messages 13

IPv6-Capable Firewalls Many vendors already have IPv6 capabilities Cisco Router ACLs, Reflexive ACLs, IOS-based Firewall, PIX, ASA, FWSM Juniper, CheckPoint, Fortinet, others ip6tables, ip6fw, ipf, pf Windows XP SP2, Vista IPv6 Internet Connection Firewall IPv6 firewalls don t have all the same full features as IPv4 firewalls UTM features may only work for IPv4 Vendors are working toward feature parity 14

IPv6 Intrusion Prevention Few signatures exist for IPv6 packets IPSs should send out notifications when non-conforming IPv6 packets are observed Faulty parameters, bad extension headers, source address is a multicast address IPv6-Capable IPSs Snort 2.8 Beta and 3.0 Alpha CheckPoint (NFR) Sentivist Cisco 4200 IDS appliances (v6.1) Juniper/NetScreen ScreenOS IBM/ISS Proventia/RealSecure 15

Summary of BCPs Perform IPv6 filtering at the perimeter Use RFC2827 filtering and Unicast Reverse Path Forwarding (urpf) checks throughout the network Use manual tunnels instead of dynamic tunnels Use a NAC/802.1X solution, disable unused switch ports, Ethernet port security, until SEND is available Deny packets for transition techniques not in use Deny IPv4 protocol 41 forwarding unless that is exactly what is intended unless using 6to4 tunneling Deny UDP 3544 forwarding unless you are using Teredobased tunneling Leverage IPSec for everything possible Try to achieve equal protections for IPv6 as with IPv4 16

IPv6 Security Summary IPv6 is no more or less secure than IPv4 Lack of IPv6 knowledge and experience is the issue There are an increasing number of security products that support IPv6 IPv6 will change traffic patterns (p2p, MIPv6) IPv6 larger addresses makes worms and scanning less effective but there are still ways to find hosts IPv6 hierarchical addressing and no NAT should reduce the anonymity of hackers and allow for full IPSec LAN-based attacks exist in IPv6, Physical Security, Ethernet port security, NAC, 802.1X, SEND can help 17

Yet another IPv6 Book IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, 2009. 18

Questions and Answers Q: & A: SHogg@GTRI.com Mobile: 303-949-4865 Scott@HoggNet.com 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback