(1)T1-001 IPv6 Security


  • 8/13/2019 (1)T1-001 IPv6 Security

    IPv6 Security: the Essential

    Migration and [email protected]

    Outline

    Introduction

    Some Thoughts on IPv6 Security

    Security Issues: Transition mechanism, IPv6 deployment

    IPv4 to IPv6 Transition

    Transition Strategy

    [Figure labels: IPv4 Only; Experimental IPv6 Network; IPv4 Ocean; IPv6 Island; IPv4 Island; IPv6 Ocean; IPv6 Only; IPv4/IPv6 Translation Required]

    IPv4 Internet

    [Figure labels: Network 1 (VLAN 1) IPv4 Only; Network 2 (VLAN 2) IPv4 Only; Network n (VLAN n) IPv4 Only; Trunk VLAN; L3 Switch; UniNet Dual Stack IPv4 & IPv6; L2 Switch; IPv4; IPv6; Internet]

    [Figure: Configured Tunnel. Labels: IPv4 Network; IPv4 & IPv6 Network; IPv4 Router; L3 Switch; IPv6 Tunnel; IPv4 & IPv6 Router; Uninet IPv4 & IPv6 Network; IPv4; IPv6; Internet]

    6to4

    http://en.wikipedia.org/wiki/6to4

    6rd

    http://en.wikipedia.org/wiki/6rd

    [Figure: Dual Stack. Labels: Network 1 (VLAN 1) IPv4 & IPv6; Network 2 (VLAN 2) IPv4 & IPv6; Network n (VLAN n) IPv4 & IPv6; Trunk VLAN; L3 Switch; UniNet Dual Stack IPv4 & IPv6; L2 Switch; IPv6 Router; IPv4; IPv6; Internet]

    [Figure: Dual Stack. Labels: Network 1 (VLAN 1) IPv4 & IPv6; Network 2 (VLAN 2) IPv4 & IPv6; Network n (VLAN n) IPv4 & IPv6; Trunk VLAN; L3 Switch; UniNet Dual Stack IPv4 & IPv6; L2 Switch; IPv4; IPv6; Internet]

    IPv6 Internet

    DS-Lite

    http://en.wikipedia.org/wiki/DS-Lite

    IPv4-IPv6 Translation

    NAT-PT (obsoleted), NAT64 and DNS64, etc.

    Some Thoughts on IPv6 Security

    While IPv6 provides similar features to IPv4, it uses different mechanisms, and the evil lies in the small details.

    The security implications of IPv6 should be considered before it is deployed (not after!).

    Most systems have IPv6 support enabled by default, and this has implications on IPv4-only networks!

    Even if you are not planning to deploy IPv6 in the short term, most likely you will eventually do it.

    It is time to learn about and experiment with IPv6!

    Issues in IPv6 Transition

    IPv6 Transition/Coexistence Mechanism-Specific Issues

    Automatic Tunneling and Relays

    Tunneling IPv6 through IPv4 Networks May Break IPv4 Network Security Assumptions

    Transition Mechanism Specific Issues

    in the mechanisms themselves

    in the interaction between mechanisms, or

    by introducing unsecured paths through multiple mechanisms

    The mechanisms should be as simple as possible to simplify analysis.

    Generic dangers to tunneling

    It may be easier to avoid ingress filtering checks

    It is possible to attack the tunnel interface

    Automatic tunneling mechanisms are dangerous

    Automatic Tunneling and Relays

    Automatic tunneling intended for use outside a single domain: 6to4, Teredo

    Relays deployed in various locations

      relay needs to trust all the sources

      potential address spoofing, DoS attacks and other threats

    Tunneling IPv6 through IPv4 Networks May Break IPv4 Network Security Assumptions

    Tunneling can change the security model

    Protocol 41 tunneling

    Tunneling over UDP is more difficult to manage

    [Figure labels: Site Network; IPv6; IPv4; Public Internet; Native IPv6; Firewall; 6in4 Tunnel Endpoint; Native IPv4; Firewall]

    Issues in IPv6 Deployment

    Router Advertisements

    DHCPv6

    IPv6 Transition/Co-exist Technologies

    Application-layer protocols

    Computer Act. 2550

    Router Advertisements

    NDP in RFC 2461 does not protect message integrity

    A malicious node can offer a rogue RA message

    A DoS attack can be carried out by deprecating a valid prefix, advertising it with a zero lifetime

    SEND can be used to verify that a router is authorized to provide services
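
A monitoring-side check for the two RA conditions named above, as an added example that is not part of the original slides: it parses an ICMPv6 Router Advertisement and flags for review a sender outside an allowlist and any Prefix Information option with a zero valid or preferred lifetime. The allowlist, the function names and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE = 134         # ICMPv6 Router Advertisement
OPT_PREFIX_INFO = 3   # Prefix Information option

# Assumption: allowlist of the segment's legitimate routers (constructed value).
AUTHORIZED_ROUTERS = {ipaddress.ip_address("fe80::1")}


def inspect_ra(src: str, icmp6: bytes):
    """Return findings for one ICMPv6 message; an empty list means nothing flagged."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        return []
    findings = []
    if ipaddress.ip_address(src) not in AUTHORIZED_ROUTERS:
        findings.append(f"RA from unlisted router {src}")
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            findings.append("malformed option")
            break
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            valid, preferred = struct.unpack("!II", icmp6[off + 4:off + 12])
            prefix = ipaddress.IPv6Network(
                (icmp6[off + 16:off + 32], min(icmp6[off + 2], 128)), strict=False)
            if valid == 0 or preferred == 0:
                findings.append(f"prefix {prefix} advertised with zero lifetime")
        off += opt_len
    return findings


def build_ra(prefix, plen, valid, preferred):
    """Build a constructed sample RA carrying one Prefix Information option."""
    head = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, plen, 0xC0, valid, preferred,
                      0, ipaddress.IPv6Address(prefix).packed)
    return head + opt
```

The source-address allowlist only catches senders that do not spoof the legitimate router, which is the gap SEND addresses; a zero lifetime from a listed router is still reported because planned renumbering and a forged RA look the same on the wire.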

    DHCPv6

    IPv6 version of a mechanism for stateful configuration

    It implements prefix delegation, such that a DHCPv6 server can assign not only an IPv6 address, but also an IPv6 prefix

    It used to be the only mechanism available to advertise recursive DNS servers

    It suffers the same problems as IPv6 SLAAC

      If no authentication is enforced, it is trivial for an attacker to forge DHCPv6 packets

      Layer-2 mitigation can be easily circumvented with the same techniques as for RA-Guard

    IPv6 Transition/Co-exist Technologies

    IPv6 is not backwards-compatible with IPv4

    Original transition plan: deploy IPv6 before we ran out of IPv4 addresses, and eventually turn off IPv4 when no longer needed; it didn't happen

    Current transition/co-existence plan: based on a toolbox: dual-stack, tunnels, translation

    Transition Technologies: Dual Stack

    Each node supports both IPv4 and IPv6

    Domain names include both A and AAAA (Quad A) records

    IPv4 or IPv6 are used as needed

    Dual-stack was the original transition co-existence plan, and still is the recommended strategy for servers

    Virtually all popular operating systems include native IPv6 support enabled by default

    Exploiting Transition Technologies

    Some systems (notably Windows) have support of transition technologies enabled by default.

    These technologies could be used to circumvent security controls.

    Technologies such as Teredo could increase the attack exposure of hosts.

    Possible countermeasures:

      Enforce IPv6 security controls on IPv4 networks.

      Disable support of these technologies.

      Deploy packet filtering policies, such that these technologies are blocked.

    Filtering IPv6 Transition Technologies

    Transition Technology    Filtering Rule
    Dual-Stack               Automatic (if the network does not support IPv6)
    IPv6-in-IPv4 tunnels     IPv4.Protocol == 41
    6to4                     IPv4.Protocol == 41 && IPv4.{src,dst} == 192.88.99.0/24
    ISATAP                   IPv4.Protocol == 41
    Teredo                   IPv4.dst == known_teredo_servers && UDP.DstPort == 3544
    TSP                      IPv4.dst == known_tsp_servers && {TCP,UDP}.dst == 3653
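
The filtering rules in the table, applied to raw IPv4 packets, as an added example that is not part of the original slides. The two server sets stand in for known_teredo_servers and known_tsp_servers and hold constructed documentation-range addresses; the function names and sample packets are likewise assumptions.

```python
import ipaddress
import struct

# Assumed stand-ins for known_teredo_servers / known_tsp_servers (constructed,
# documentation-range addresses); a real policy loads its own maintained lists.
KNOWN_TEREDO_SERVERS = {ipaddress.ip_address("192.0.2.10")}
KNOWN_TSP_SERVERS = {ipaddress.ip_address("192.0.2.20")}
SIX_TO_FOUR_RELAYS = ipaddress.ip_network("192.88.99.0/24")


def classify(packet: bytes):
    """Return the transition technology an IPv4 packet matches, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if proto == 41:
        # Protocol 41 covers 6in4, ISATAP and 6to4; the relay prefix singles out 6to4.
        if src in SIX_TO_FOUR_RELAYS or dst in SIX_TO_FOUR_RELAYS:
            return "6to4"
        return "ipv6-in-ipv4"
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if proto in (6, 17) and frag_offset == 0 and len(packet) >= ihl + 4:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if proto == 17 and dport == 3544 and dst in KNOWN_TEREDO_SERVERS:
            return "teredo"
        if dport == 3653 and dst in KNOWN_TSP_SERVERS:
            return "tsp"
    return None


def ipv4(proto, src, dst, payload=b""):
    """Build a constructed sample packet: minimal IPv4 header (checksum zero) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload


def ports(dport, sport=40000):
    """First four bytes of a TCP or UDP header: source port, destination port."""
    return struct.pack("!HH", sport, dport)
```

The Teredo and TSP rules match only destinations on the configured lists, so UDP port 3544 traffic to an unlisted server passes unclassified; coverage of those two rows depends on how complete the lists are.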

    Application Layer Protocols

    A number of applications may leak IPv6 addresses

      E-mail headers

      P2P applications

    Together with mailing-list archives and popular search engines, they may be an interesting vector for network reconnaissance

    DNS

    IPv6 addresses can be obtained by querying the DNS for AAAA records.

    Many sites currently use domain names such as ipv6* or v6

    E.g., Google for site:ipv6* and Facebook for site:v6*

    Network Neighborhood protocols

    mDNS is being increasingly used for discovering peers on the same network.

    Not IPv6-specific, but could be employed with IPv6, too.

    Hosts announce themselves on the network, for occasional networking.

    This provides yet another vector for network reconnaissance

    Computer Act. 2550

    User identification

    Temporary IPv6 Address

    IPv6 routing header

    [Slide text garbled in extraction; legible terms: Route IPv6 Traffic; static; stateful packet inspection; IPv6 Traffic; Application Layer]

    Case Study:

    SritrangNet
