8/13/2019 (1)T1-001 IPv6 Security
1/36
IPv6 Security: the Essential
Migration and [email protected]
2/36
Outline
Introduction
Some Thoughts on IPv6 Security
Security Issues: transition mechanisms, IPv6 deployment
IPv4 to IPv6 Transition
Transition Strategy
(Diagram) Stages of the transition: IPv4 only; experimental IPv6 networks; IPv4 ocean with IPv6 islands; IPv6 ocean with IPv4 islands; IPv6 only. The diagram marks the intermediate stages where IPv4/IPv6 translation is required.
IPv4 Internet
(Diagram) Networks 1..n (VLAN 1..n), all IPv4 only, attached to an L2 switch; a trunk VLAN carries them to an L3 switch, which uplinks to UniNet (dual stack, IPv4 & IPv6) and on to the Internet over IPv4 and IPv6.
Configured Tunnel
(Diagram) Two IPv4 & IPv6 networks, each behind an L3 switch and an IPv4 router, are connected across an IPv4-only network by configured IPv6 tunnels to an IPv4 & IPv6 router at UniNet, which reaches the Internet natively over both IPv4 and IPv6.
6to4
http://en.wikipedia.org/wiki/6to4
6rd
http://en.wikipedia.org/wiki/6rd
Dual Stack
(Diagram) Networks 1..n (VLAN 1..n), each IPv4 & IPv6, attached to an L2 switch; trunk VLANs carry them to an L3 switch (IPv4) and to a separate IPv6 router; both uplink to UniNet (dual stack, IPv4 & IPv6) and on to the Internet.
Dual Stack
(Diagram) The same VLAN layout with a single dual-stack L3 switch carrying both IPv4 and IPv6 over the trunk VLAN to UniNet (dual stack, IPv4 & IPv6) and on to the Internet; no separate IPv6 router.
IPv6 Internet
DS-Lite
http://en.wikipedia.org/wiki/DS-Lite
IPv4-IPv6 Translation
IPv4-IPv6 Translation
NAT-PT (obsoleted); NAT64 and DNS64; etc.
Some Thoughts on IPv6 Security
While IPv6 provides similar features to IPv4, it uses different mechanisms, and the evil lies in the small details.
The security implications of IPv6 should be considered before it is deployed (not after!).
Most systems have IPv6 support enabled by default, and this has implications on IPv4-only networks!
Even if you are not planning to deploy IPv6 in the short term, you will most likely do it eventually. It is time to learn about and experiment with IPv6!
Issues in IPv6 Transition
IPv6 transition/coexistence mechanism-specific issues
Automatic tunneling and relays
Tunneling IPv6 through IPv4 networks may break IPv4 network security assumptions
Transition Mechanism Specific Issues
Issues may arise in the mechanisms themselves, in the interaction between mechanisms, or by introducing unsecured paths through multiple mechanisms.
The mechanisms should be as simple as possible to simplify analysis.
Generic dangers of tunneling
It may be easier to avoid ingress filtering checks.
It is possible to attack the tunnel interface.
Automatic tunneling mechanisms are dangerous.
Automatic Tunneling and Relays
Automatic tunneling intended for use outside a single domain: 6to4, Teredo.
Relays deployed in various locations: a relay needs to trust all the sources, so there is potential for address spoofing, DoS attacks and other threats.
Tunneling IPv6 through IPv4 Networks May Break IPv4 Network Security Assumptions
Tunneling can change the security model.
Protocol 41 tunneling.
Tunneling over UDP is more difficult to manage.
(Diagram) A site network with a native IPv6 firewall and a native IPv4 firewall toward the public Internet; a 6in4 tunnel endpoint inside the site carries IPv6 encapsulated in IPv4 through the IPv4 path.
Issues in IPv6 Deployment
Router Advertisements
DHCPv6
IPv6 Transition/Co-exist Technologies
Application-layer protocols
Computer Act. 2550
Router Advertisements
NDP (RFC 2461) does not protect message integrity.
A malicious node can offer a rogue RA message.
A DoS attack can be carried out by deprecating a valid prefix: advertise it with a zero lifetime.
SEND can be used to verify that a router is authorized to provide services.
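The prefix-deprecation attack described above leaves a visible trace on the link: an RA that carries a known prefix with a zero lifetime, usually from a source that is not the real router. The following Python is an added example, not part of the slides: a small monitor that parses the ICMPv6 Router Advertisement wire format (RFC 4861 layout) and flags RAs from routers outside an allowlist, unknown prefixes, and zero lifetimes. The allowed router address, the known prefix and the sample RAs are constructed for the example, and the ICMPv6 checksum is not verified (that needs the IPv6 pseudo-header, which a link capture would supply).

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
NDP_OPT_PREFIX_INFORMATION = 3

# Constructed link policy (assumption): the routers allowed to send RAs on this
# link and the prefixes that are legitimately in use there.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
KNOWN_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}


def parse_router_advertisement(icmpv6: bytes):
    """Parse an ICMPv6 Router Advertisement (RFC 4861 wire layout).

    Returns (router_lifetime, [(prefix, valid_lifetime, preferred_lifetime), ...]).
    Only Prefix Information options are decoded; other options are skipped by length.
    """
    if len(icmpv6) < 16:
        raise ValueError("truncated RA")
    msg_type, code, _csum, _hop_limit, _flags, router_lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmpv6[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = 16
    while off < len(icmpv6):
        if off + 2 > len(icmpv6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:                      # RFC 4861 4.6: length 0 is invalid, discard
            raise ValueError("zero-length NDP option")
        size = opt_len * 8
        body = icmpv6[off:off + size]
        if len(body) < size:
            raise ValueError("truncated option body")
        if opt_type == NDP_OPT_PREFIX_INFORMATION and size == 32:
            prefix_len, _pflags, valid, preferred, _rsv = struct.unpack("!BBIII", body[2:16])
            prefix = ipaddress.IPv6Network((body[16:32], prefix_len), strict=False)
            prefixes.append((prefix, valid, preferred))
        off += size
    return router_lifetime, prefixes


def assess_ra(source_lladdr: str, icmpv6: bytes):
    """Return alert strings for one RA received from the given IPv6 link-local source."""
    src = ipaddress.IPv6Address(source_lladdr)
    router_lifetime, prefixes = parse_router_advertisement(icmpv6)
    alerts = []
    if src not in AUTHORIZED_ROUTERS:
        alerts.append(f"RA from unauthorized router {src}")
    if router_lifetime == 0:
        alerts.append(f"{src} advertises router lifetime 0 (withdraws itself as default router)")
    for prefix, valid, preferred in prefixes:
        if prefix not in KNOWN_PREFIXES:
            alerts.append(f"unknown prefix {prefix} advertised by {src}")
        if valid == 0 or preferred == 0:
            alerts.append(f"prefix {prefix} deprecated by {src} (valid={valid}, preferred={preferred})")
    return alerts


def build_ra(prefix: str, valid: int, preferred: int, router_lifetime: int = 1800) -> bytes:
    """Constructed test data: a minimal RA with one Prefix Information option
    (checksum left zero, L and A flags set)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    option = struct.pack("!BBBBIII", NDP_OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0, valid, preferred, 0)
    return header + option + net.network_address.packed


if __name__ == "__main__":
    legit = build_ra("2001:db8:1::/64", 2592000, 604800)
    rogue = build_ra("2001:db8:1::/64", 0, 0)     # known prefix advertised with zero lifetimes
    print(assess_ra("fe80::1", legit))             # []
    print(assess_ra("fe80::bad", rogue))           # unauthorized router + deprecated prefix
```

In practice the source address and the raw ICMPv6 bytes would come from a link-layer capture on a monitoring port; the allowlist check is a poor substitute for SEND, since a rogue node can spoof the real router's link-local address, which is why the lifetime checks are applied to every RA regardless of its source.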
DHCPv6
IPv6 version of a mechanism for stateful configuration.
It implements prefix delegation, such that a DHCPv6 server can assign not only an IPv6 address but also an IPv6 prefix.
It used to be the only mechanism available to advertise recursive DNS servers.
It suffers the same problems as IPv6 SLAAC: if no authentication is enforced, it is trivial for an attacker to forge DHCPv6 packets.
Layer-2 mitigation can be easily circumvented with the same techniques as for RA-Guard.
IPv6 Transition/Co-exist Technologies
IPv6 is not backwards-compatible with IPv4.
Original transition plan: deploy IPv6 before we ran out of IPv4 addresses, and eventually turn off IPv4 when no longer needed. It didn't happen.
Current transition/co-existence plan is based on a toolbox: dual-stack, tunnels, translation.
Transition Technologies: Dual Stack
Each node supports both IPv4 and IPv6.
Domain names include both A and AAAA (Quad A) records; IPv4 or IPv6 is used as needed.
Dual-stack was the original transition/co-existence plan, and is still the recommended strategy for servers.
Virtually all popular operating systems include native IPv6 support enabled by default.
Exploiting Transition Technologies
Some systems (notably Windows) have support for transition technologies enabled by default.
These technologies could be used to circumvent security controls.
Technologies such as Teredo could increase the attack exposure of hosts.
Possible countermeasures:
Enforce IPv6 security controls on IPv4 networks.
Disable support for these technologies.
Deploy packet filtering policies such that these technologies are blocked.
Filtering IPv6 Transition Technologies
Transition Technology: Filtering Rule
Dual-Stack: Automatic (if the network does not support IPv6)
IPv6-in-IPv4 tunnels: IPv4.Protocol == 41
6to4: IPv4.Protocol == 41 && IPv4.{src,dst} == 192.88.99.0/24
ISATAP: IPv4.Protocol == 41
Teredo: IPv4.dst == known_teredo_servers && UDP.DstPort == 3544
TSP: IPv4.dst == known_tsp_servers && {TCP,UDP}.dst == 3653
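The filtering rules in the table above, and the "deploy packet filtering policies" countermeasure on the previous slide, can be checked against real traffic before they go into a firewall. The following Python is an added example, not part of the slides: it parses raw IPv4 packets and applies the table's rules (protocol 41 for IPv6-in-IPv4, the 192.88.99.0/24 relay anycast for 6to4, UDP 3544 to known Teredo servers, TCP/UDP 3653 to known TSP servers). It goes one step beyond the table by also looking into the encapsulated IPv6 header for the 2002::/16 6to4 prefix, which catches 6to4 traffic between two 6to4 sites that never touches a relay. The known-server lists and the sample packets are constructed for the example.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6 = 6, 17, 41   # 41 = IPv6 encapsulated in IPv4
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Network("192.88.99.0/24")
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")   # 6to4 addresses embed the IPv4 address here
TEREDO_PORT, TSP_PORT = 3544, 3653

# Constructed server lists (assumption): replace with the servers seen in your own environment.
KNOWN_TEREDO_SERVERS = {ipaddress.IPv4Address("203.0.113.10")}
KNOWN_TSP_SERVERS = {ipaddress.IPv4Address("203.0.113.20")}


def parse_ipv4(packet: bytes):
    """Return (protocol, src, dst, dst_port, payload) for a raw IPv4 packet.

    dst_port is None unless the protocol is TCP or UDP. IHL is honoured so IP
    options do not shift the transport header; truncated input raises ValueError.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    payload = packet[ihl:]
    dst_port = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(payload) < 4:
            raise ValueError("truncated transport header")
        dst_port = struct.unpack("!HH", payload[:4])[1]
    return proto, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), dst_port, payload


def inner_ipv6_addresses(payload: bytes):
    """Source and destination of an encapsulated IPv6 header, or None if there is none."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(payload[8:24]), ipaddress.IPv6Address(payload[24:40])


def classify(packet: bytes):
    """Name the transition technology a packet matches, or None if no rule fires."""
    proto, src, dst, dport, payload = parse_ipv4(packet)
    if proto == IPPROTO_IPV6:
        if src in SIXTO4_RELAY_ANYCAST or dst in SIXTO4_RELAY_ANYCAST:
            return "6to4"
        inner = inner_ipv6_addresses(payload)
        if inner and any(addr in SIXTO4_PREFIX for addr in inner):
            return "6to4"                     # site-to-site 6to4 bypasses the relay anycast
        return "ipv6-in-ipv4"                 # configured 6in4 and ISATAP look identical here
    if proto == IPPROTO_UDP and dport == TEREDO_PORT and dst in KNOWN_TEREDO_SERVERS:
        return "teredo"
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and dport == TSP_PORT and dst in KNOWN_TSP_SERVERS:
        return "tsp"
    return None


# Constructed packets for exercising the rules (checksums left zero; addresses from documentation ranges).

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_ipv6(src: str, dst: str) -> bytes:
    # version 6, zero payload length, next header 59 (no next header), hop limit 64
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def ports(sport: int, dport: int) -> bytes:
    # the first four bytes of both TCP and UDP headers are the port pair
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


SAMPLES = {
    "6to4 via relay":    build_ipv4(41, "198.51.100.5", "192.88.99.1", build_ipv6("2002:c633:6405::1", "2001:db8::1")),
    "6to4 site-to-site": build_ipv4(41, "198.51.100.5", "198.51.100.9", build_ipv6("2002:c633:6405::1", "2002:c633:6409::1")),
    "configured 6in4":   build_ipv4(41, "198.51.100.5", "198.51.100.9", build_ipv6("2001:db8:1::1", "2001:db8:2::1")),
    "teredo":            build_ipv4(17, "198.51.100.5", "203.0.113.10", ports(40000, 3544)),
    "tsp":               build_ipv4(6, "198.51.100.5", "203.0.113.20", ports(40000, 3653)),
    "plain dns":         build_ipv4(17, "198.51.100.5", "198.51.100.53", ports(40000, 53)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} -> {classify(pkt)}")
```

Note that the Teredo and TSP rules are only as good as the server lists: Teredo to a server not in the list will fall through, which is why the slide's first countermeasure (disable the technologies on the hosts) is the stronger control and the filter is defence in depth.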
Application Layer Protocols
A number of applications may leak IPv6 addresses: e-mail headers, P2P applications.
Together with mailing-list archives and popular search engines, they may be an interesting vector for network reconnaissance.
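A mail administrator can audit what their own servers leak by scanning the Received headers of outgoing mail. The following Python is an added example, not part of the slides: it unfolds the headers of a raw message, extracts every token that parses as an IPv6 address from the Received lines, and classifies its scope so that global addresses (the ones useful for reconnaissance) stand out from link-local ones. The sample message is constructed; the 2001:db8::/32 addresses in it are documentation addresses, which the scope check treats as global because they are neither link-local nor unique-local.

```python
import ipaddress
import re

# Candidate tokens: hex digits and colons with at least two colons. Timestamps such as
# 10:00:00 also match here and are rejected later by ipaddress (needs 8 groups or "::").
IPV6_CANDIDATE = re.compile(
    r"(?<![0-9A-Fa-f:])[0-9A-Fa-f:]*:[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(?![0-9A-Fa-f:])")

# Constructed sample message (assumption): the kind of trail two mail hops leave behind.
SAMPLE_MESSAGE = """Received: from host1.example.net (host1.example.net [2001:db8:1::25])
    by mx.example.org with ESMTP id abc123; Tue, 13 Aug 2019 10:00:00 +0700
Received: from [IPv6:fe80::1234:5678] (unknown [192.0.2.7])
    by host1.example.net with ESMTPSA; Tue, 13 Aug 2019 09:59:00 +0700
From: alice@example.net
To: bob@example.org
Subject: IPv6 leak check
Message-ID: <constructed@example.net>

This body is constructed sample data.
"""


def header_values(raw_message: str, name: str):
    """Return the unfolded values of every header called `name` (case-insensitive)."""
    lines, current = [], None
    for line in raw_message.splitlines():
        if line == "":
            break                                   # blank line ends the header block
        if line[:1] in " \t" and current is not None:
            current += " " + line.strip()           # folded continuation line
            continue
        if current is not None:
            lines.append(current)
        current = line
    if current is not None:
        lines.append(current)
    values = []
    for entry in lines:
        field, _, body = entry.partition(":")
        if field.strip().lower() == name.lower():
            values.append(body.strip())
    return values


def scope(addr: ipaddress.IPv6Address) -> str:
    """Coarse scope label; anything not link-local, unique-local or loopback is global."""
    if addr.is_link_local:
        return "link-local"
    if addr in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if addr.is_loopback:
        return "loopback"
    return "global"


def leaked_ipv6_addresses(raw_message: str):
    """Map each IPv6 address found in Received headers to its scope."""
    found = {}
    for value in header_values(raw_message, "Received"):
        # the "[IPv6:addr]" convention would otherwise leave a stray "6:" glued to the address
        cleaned = re.sub(r"ipv6:", " ", value, flags=re.IGNORECASE)
        for token in IPV6_CANDIDATE.findall(cleaned):
            try:
                addr = ipaddress.IPv6Address(token)
            except ValueError:
                continue                            # timestamps and other colon-bearing noise
            found[str(addr)] = scope(addr)
    return found


if __name__ == "__main__":
    for address, label in leaked_ipv6_addresses(SAMPLE_MESSAGE).items():
        print(f"{address:24} {label}")
```

Run over a sample of a site's outbound mail, the global entries show which internal hosts are being named to the outside world; link-local entries are harmless for reconnaissance but still reveal the IPv6 stack is active.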
DNS
IPv6 addresses can be obtained by querying the DNS for AAAA records.
Many sites currently use domain names such as ipv6* or v6*. E.g., Google for site:ipv6* and Facebook for site:v6*.
Network Neighborhood Protocols
mDNS is being increasingly used for discovering peers on the same network.
Not IPv6-specific, but could be employed with IPv6, too.
Hosts announce themselves on the network, for occasional networking.
This provides yet another vector for network reconnaissance.
Computer Act. 2550
User identification
Temporary IPv6 address
IPv6 routing header
[Slide text not recoverable from the extraction (non-Latin text mis-encoded); legible fragments: Route IPv6 Traffic, static, stateful packet inspection, IPv6 Traffic, Application Layer, IPv6]
Case Study: SritrangNet