Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL Marc Heuse

Similar documents
Recent advances in IPv6 insecurities Marc van Hauser Heuse CCC Congress 2010, Berlin Marc Heuse

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

Configuring IPv6 for Gigabit Ethernet Interfaces

IPv6 Security Course Preview RIPE 76

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

ETSF05/ETSF10 Internet Protocols Network Layer Protocols

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

IPv6 Security awareness

Introduction to IPv6 - II

Juniper Netscreen Security Device. How to Enable IPv6 Page-51

IPv6 Cyber Security Briefing May 27, Ron Hulen VP and CTO Cyber Security Solutions Command Information, Inc.

IPv6 Neighbor Discovery

IPv6 Neighbor Discovery

Everything you need to know about IPv6 security I can manage in 30min. IPv6 Day Copenhagen November 2017

IPv6 Security. 15 August

IPv6. (Internet Protocol version 6)

IPv6 Protocol & Structure. npnog Dec, 2017 Chitwan, NEPAL

Guide to TCP/IP Fourth Edition. Chapter 6: Neighbor Discovery in IPv6

IPv6 Protocol Architecture

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

IPv6 Security. Rocky Mountain IPv6 Summit. Scott Hogg. GTRI - Director of Advanced Technology Services CCIE #5133, CISSP #4610

The Netwok Layer IPv4 and IPv6 Part 2

Setup. Grab a vncviewer like: Or

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

IPv6 Security Considerations: Future Challenges

Configuring IPv6 First-Hop Security

IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering

Configuring IPv6 basics

Remember Extension Headers?

IPv6 Security Safe, Secure, and Supported.

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

IPv6 Security: Threats and Mitigation

IPv6 Neighbor Discovery

Operation Manual IPv6 H3C S3610&S5510 Series Ethernet Switches Table of Contents. Table of Contents

Configuring IPv6. Information About IPv6. Send document comments to CHAPTER

TCP/IP Protocol Suite

IPv6 Security Fundamentals

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August

The Layer-2 Insecurities of IPv6 and the Mitigation Techniques

Introduction to IPv6

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann

IPv6 Security János Mohácsi IPv6 workshop, Skopje June 2011

IPv6 Next generation IP

Internet Protocol v6.

IPv6 Bootcamp Course (5 Days)

IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC

IPv6 Technical Challenges

IPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local

CSCI-1680 Network Layer:

IPv6 Rogue Router Advertisement Attack Prepared By: Andrew Gray & Wil Hall Prepared For: Dr. Tom Calabrese

ECE 435 Network Engineering Lecture 14

The Layer-2 Security Issues and the Mitigation

IPv6 ND Configuration Example

Rocky Mountain IPv6 Summit April 9, 2008

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

IPv6 Neighbor Discovery

The Study on Security Vulnerabilities in IPv6 Autoconfiguration

IPv6 Concepts. Improve router performance Simplify IP header Align to 64 bits Address hierarchy with more levels Simplify routing tables

IPv6 Neighbor Discovery

IPv6 migration challenges and Security

Insights on IPv6 Security

TD#RNG#2# B.Stévant#

IPv6 Stateless Autoconfiguration

Internet Protocol, Version 6

Configuring Wireless Multicast

Chapter 7: IP Addressing CCENT Routing and Switching Introduction to Networks v6.0

IPv6 address configuration and local operation

IPv6. Copyright 2017 NTT corp. All Rights Reserved. 1

Planning for Information Network

Network Security. Thierry Sans

Security in an IPv6 World Myth & Reality

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. IPv6

Aeronautical Systems Center

IPv6 Feature Facts

Certified Penetration Testing Consultant

IPv6 Source Addresses

Introduction to IPv6. IPv6 addresses

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Workshop on Scientific Applications for the Internet of Things (IoT) March

OSI Data Link & Network Layer

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

Chapter 2 Advanced TCP/IP

"Charting the Course... IPv6 Bootcamp Course. Course Summary

Recent IPv6 Security Standardization Efforts. Fernando Gont

Networking Fundamentals IPv6 APNIC 44. TAICHUNG, TAIWAN 7-14 September 2017

Table of Contents 1 IPv6 Basics Configuration 1-1

Lecture Computer Networks

Introduction to IPv6. IPv6 addresses

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

Personal Firewall Default Rules and Components

ERNW WHITEPAPER 62 RA GUARD EVASION REVISITED

IPv6 Snooping. Finding Feature Information. Restrictions for IPv6 Snooping

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

Tik Network Application Frameworks. IPv6. Pekka Nikander Professor (acting) / Chief Scientist HUT/TML / Ericsson Research NomadicLab

SECURE ROUTER DISCOVERY MECHANISM TO OVERCOME MAN-IN THE MIDDLE ATTACK IN IPV6 NETWORK

IPv6 Configuration Guide, Cisco IOS XE Fuji 16.8.x (Catalyst 9400 Switches)

Foreword xxiii Preface xxvii IPv6 Rationale and Features

IPv6 Security. Pedro Lorga - WALC 2006 (Quito, Ecuador July 06)

Transcription:

Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL 2011 2011 Marc Heuse <mh@mh-sec.de>

Hello, my name is

Basics Philosophy Vulnerabilities Vendor Responses & Failures Recommendations

Basics 2011 Marc Heuse <mh@mh-sec.de>

The future is here already

IPv6 16 octets 340.282.366.920.938.463.463.374.607.4 31.768.211.456 addresses 2a01:2b3:4:a::1

Separated by colons Leading zeros are omitted 2a01:2b3:4:a::1 2 octets each, hexadecimal The longest chain of :0:0: is replaced with ::

Subnets are /64 4.294.967.296 x the size of the Internet!

Features! Autoconfiguration IPSEC Mobility Enough addresses!

Most in IPv6 is OPTIONAL

Mandatory Multiple IPv6 addresses per interface ARP => ICMPv6 Router Advertisements No router & routes via DHCPv6! Multicast (local)

IPv6 is much simpler than IPv4

in theory.

Philosophy 2011 Marc Heuse <mh@mh-sec.de>

Eliminate IPv4

True end-to-end communication No NAT No defragmentation by firewalls No fragmentation by routers Many ICMPv6 msgs must pass the firewall

IPv6 is secure IPv6 has mandatory IPSEC

Security Model is from 1995 Local = Trusted Security = Encryption Security = Filter Rules Networking + Features > Security

Blatant mistakes No DNS server in autoconfiguration No private addresses IPSEC does not work with multicast Many protocol security design problems

Vulnerabilities 2011 Marc Heuse <mh@mh-sec.de>

Local Remote Vulnerabilities Design Implementation

Excerpt!

Local Design I m p l e m Vulnerabilities e n t a t i o R e m o t e

Neighbor Discovery Spoofing A B 1. NS 2. NA 1. NS: ICMP Type = 135 Src = A Dst = All-Nodes Mulitcast Query= Who-has IP B? parasite6: Answers to every NS, claims to be every system on the LAN 2. NA: ICMP Type = 136 Src = B Dst = A Data= MAC ARP spoofing in IPv4 more dangerous due OVERRIDE flag Source: common knowledge Tool: parasite6

Duplicate Address Detection DOS A 1. NS 1. NS: ICMP Type = 135 Src = A Dst = All-Nodes Mulitcast Query= Who-has IP B? dos-new-ipv6: Answer to every NS, claim to be every system on the LAN optional in IPv4, mandatory in IPv6 for all addresses Source: common knowledge Tool: dos-new-ipv6

Router Advertisement Spoofing A 1. RA fake_router6: Sets any IP as default router, defines network prefixes and DNS servers ICMP Type = 134 Src = Router Link-local Address Dst = FF02::1 Data= options, prefix, lifetime, autoconfig flag many, many attacks Source: common knowledge Tool: fake_router6

Router Advertisement Spoofing Become the default router MITM Assign multiple address spaces Paypal, Ebay, Amazon, Google == local MITM Remove real routing entry (spoofing lifetime 0) DOS

Router Advertisement Spoofing Turns IPv4 networks into Dual Stack environments MITM to remote dual stack targets Attack on IPv6 address potentially bypasses personal firewall

ICMP Redirect Spoofing Pong (V)ictim (A)ttacker (R)outer (T)arget redir6 Redirect Bypasses secure redirect check, default on all OS. IPv4: remote, IPv6: local only Ping Source: Sebastian Krahmer, Marc Heuse Tool: redir6

Multicast Listener Discovery DOS A Sends periodically MLD general query messages MLD Report: I am a multicast DNS server to all routers Spoof MLD general query message as fe80:: DNS multicast traffic Spoofs A MLD Done message flows to the network Send general query as fe80:: with special MAC Denies site/org multicast traffic to LAN Source: Marc Heuse Tool: fake_mld6

Local Remote Vulnerabilities Desig n Implementation

IPv6 Vulnerabilities (CVE) 18 16 14 12 10 8 6 4 2 0 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011

Router Advertisement Flooding A B C Flood LAN with random RAs. DOS: Windows 7, 2008, 2003, XP Cisco IOS+ASA (fixed) Juniper Netscreen FreeBSD (should be fixed) Source: Marc Heuse Tool: flood_router6

Sniffer Detection

Sniffer Detection ping6 dst-mac: 33:33:ff:00:ff:00 A ping6 reply ping6 dst-mac: 33:33:ff:00:ff:00 C Discover: Windows 7, 2008, 2003, XP Linux FreeBSD Source: Marc Heuse Tool: thcping6

Weird stuff Speed-up packet transmission by x100 <sorry, to be published in May 2012 >

Implementation Design L Remote o c Vulnerabilities a l

Privacy Issues in Autoconfiguration Autoconfiguration: host address based on MAC address A 1. RA MAC address: 00:0c:29:69:a6:66 IPv6 host address: ::020c:29ff:fe69:a666 Identify a host wherever it travels ICMP Type = 134 Src = Router Link-local Address Dst = FF02::1 Data= options, prefix, lifetime, autoconfig flag Source: common knowledge Tool: not needed

Source Routing Internet Spoofing, DOS Now deprecated by RFC Source: Philippe Bondi Tool: alive6

Routing Loop Tunnel DOS Internet Multiple encapsulation headers specifying tunnel endpoints => DOS Source: Gabi Nakibly Tool: unknown

Reduce MTU (A)ttacker toobig6 (V)ictim (R)outer (T)arget Reduces MTU to 1280, limited impact Same as redirect attack, but remote Source: Marc Heuse Tool: toobig6

Vendor Responses & Failures 2011 Marc Heuse <mh@mh-sec.de>

The complexity problem

The vendor solution:

Different support of options Different maturity Changes with every update Product supports IPv6 means nothing

Firewalls IPv4: Whitelist / Deny anything unknown IPv6: Blacklist / Drop anything known evil

Covert Channels Company Internet Collector Host HTTP TCP Every field can be used (IPv6 header foo fields, Fragment ID, ) 1.4kb per packet (>90%) Source: Marc Heuse Destination Options [ENCRYPTED SECRET DATA] IPv6 Tool: covert_send6

Trust Local ( do nothing ) RA Guard / ND Security What vendors propose SeND IPSEC

SeND Trust Local ( do nothing ) G u a r d I What vendors P propose S E C a.k.a. as The Microsoft Approach R A

We consider this issue to be by design [and will not fix it]. The attack would require that an attacker has access to the targeted network - a situation that does not provide a security boundary. Microsoft statement

while there are no explicit RFC violations in our implementation, we do agree that there is room for improvement Juniper is currently working through the IETF to come up with a standard method of avoiding [and won t move a finger until then, see you again in two years] Juniper Statement

Source: http://www.networkworld.com/news/2011/050311-microsoft-juniper-ipv6.html

SeND ( do nothing ) IPSEC RA Guard / ND Security What vendors propose Trust Local

My opinion of RA guard

RA Guard

RA Guard / ND Security Bypass RA Prepend fragmentation and destination header RA RA Destination Options (large & empty) Fragmentation IPv6 Source: Marc Heuse Tool: fake_router6

Trust Local ( do nothing ) RA Guard / ND Security What vendors propose SeND IPSEC

Sorry, but: All devices must support it (printers!) No privacy extensions possible Key distribution => big overhead Only protects RA & ND (SeND)

SeND DOS A B 1. NS NS NS 1. NS: ICMP Type = 135 Src = A Dst = All-Nodes Mulitcast Query= Who-has IP B? CGA = signing information Flood NS: ICMP Type = 135 Src = Attacker Dst = All-Nodes Mulitcast Data= MAC CGA = fake signing information CGA verification => CPU expensive Flood => DOS Source: Will Damn Tool: seenpees6

More SeND & IPSEC attacks <I am not publishing this yet, sorry> Source: Marc Heuse Tool: ******6

The Problem: IPv4 thinking applied to IPv6

IPv6 requires a new thinking for Designing Implementing Configuring Hacking

Recommendations 2011 Marc Heuse <mh@mh-sec.de>

Sorry, no time

Contact 2011 Marc Heuse <mh@mh-sec.de>

Contact Marc Heuse

End 2011 Marc Heuse <mh@mh-sec.de>

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback