Slide 1

IPv6 Routing and Security

Janne Östling, Systems Engineer

[email protected]

IPv6 Routing and Firewalls - internetstiftelsen.se

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Slide 2

• Routing in IPv6

• Enforcing a Security Policy in IPv6

Firewalls and First Hop Security (FHS)

• Conclusion

Slide 3

Routing in IPv6

Slide 4

• As in IPv4, IPv6 has two families of routing protocols, IGP and EGP, and still uses the longest-prefix-match forwarding algorithm

• IGP

RIPng (RFC 2080)

IPv6 address family on Cisco EIGRP

OSPFv3 (RFC 2740; the current specification is RFC 5340)

IPv6 address family on IS-IS (draft-ietf-isis-ipv6, since published as RFC 5308) and Multi-Topology IS-IS (RFC 5120)

• EGP: IPv6 address family (Unicast and Multicast) on MP-BGP4 (RFC 2858, now RFC 4760, and RFC 2545)

• Cisco IOS supports all of them

Pick one meeting your objectives

Slide 5

• RIPng is RIP for IPv6 (RFC 2080)

• Based on RIP for IPv4, with enhancements

• Distributes IPv6 prefixes

• Runs directly over IPv6 (UDP port 521)

• Uses the all-RIP-routers multicast group address FF02::9

Slide 6

• OSPFv3 is OSPF for IPv6 (RFC 2740)

• Based on OSPFv2, with enhancements

• Distributes IPv6 prefixes

• Runs directly over IPv6

• Runs as a separate process alongside OSPFv2 ("ships in the night"): the two share no state

• Uses multicast addresses FF02::5 (all SPF routers) and FF02::6 (all DR/BDR)

Slide 7

• Two new Type/Length/Value (TLV) objects introduce IPv6 routing into IS-IS

• IPv6 Reachability TLV (type 236, 0xEC)

External bit

Equivalent to the IP Internal/External Reachability TLVs

• IPv6 Interface Address TLV (type 232, 0xE8)

In Hello PDUs, must contain the link-local address

In LSPs, must contain only non-link-local addresses

• The IPv6 NLPID (0x8E) is advertised by IPv6-enabled routers in the Protocols Supported TLV

Slide 8

• IPv6-specific extensions to MP-BGP:

Scoped addresses: NEXT_HOP carries a global IPv6 address and, optionally, a link-local address as well

NEXT_HOP and NLRI are expressed as IPv6 addresses and prefixes

Address Family Identifier (AFI) = 2 (IPv6)

Subsequent AFI (SAFI) = 1: NLRI is used for unicast

SAFI = 2: NLRI is used for the multicast RPF check

SAFI = 3: NLRI is used for both unicast and the multicast RPF check

SAFI = 4: labeled prefixes

Slide 9

Figure: Router1 (AS 65001, 3ffe:b00:c18:2:1::F) peers over a shared Ethernet with Router2 (AS 65002, 3ffe:b00:c18:2:1::1).

Router1#
interface Ethernet0
 ipv6 address 3FFE:B00:C18:2:1::F/64
!
router bgp 65001
 bgp router-id 10.10.10.1
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 address-family ipv6
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
 exit-address-family

(Source slide: BRKRST-2301, 2008.)
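The same peering with both routers configured and with the two prefix-lists the slide references but never shows, as an added example that is not part of the original deck. The contents of the prefix-lists, the Router2 aggregate 3FFE:B00:C19::/48, the MD5 password and the maximum-prefix threshold are assumptions for illustration. The 3FFE::/16 addresses are kept only because the slide uses them; that is the retired 6bone range (RFC 3701), so substitute your own allocation. Note that `bgp router-id` must be set explicitly here: the router has no IPv4 address from which IOS could derive one.

```cisco
! Added example, not from the original deck. 3FFE::/16 is 6bone (retired).
! Router1, AS 65001
ipv6 unicast-routing
!
interface Ethernet0
 ipv6 address 3FFE:B00:C18:2:1::F/64
!
! Inbound filter (assumed policy): no default route, nothing from our own
! block, only global unicast at sane prefix lengths, explicit deny-all last.
ipv6 prefix-list bgp65002in seq 10 deny ::/0
ipv6 prefix-list bgp65002in seq 20 deny 3FFE:B00:C18::/48 le 128
ipv6 prefix-list bgp65002in seq 30 permit 2000::/3 ge 16 le 48
ipv6 prefix-list bgp65002in seq 40 deny ::/0 le 128
!
! Outbound filter: announce only our aggregate, never our peer's routes or more-specifics.
ipv6 prefix-list bgp65002out seq 10 permit 3FFE:B00:C18::/48
ipv6 prefix-list bgp65002out seq 20 deny ::/0 le 128
!
! Pull-up route so the network statement has something to originate.
ipv6 route 3FFE:B00:C18::/48 Null0
!
router bgp 65001
 bgp router-id 10.10.10.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 neighbor 3FFE:B00:C18:2:1::1 description Router2, AS 65002
 ! TCP MD5 (RFC 2385); the shared secret is a placeholder (assumption)
 neighbor 3FFE:B00:C18:2:1::1 password 0 ExampleSecretChangeMe
 address-family ipv6
  network 3FFE:B00:C18::/48
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
  ! tear the session down above 1000 prefixes, warn at 80% (assumed values)
  neighbor 3FFE:B00:C18:2:1::1 maximum-prefix 1000 80
 exit-address-family
!
! Router2, AS 65002: mirror image with its own aggregate (assumed 3FFE:B00:C19::/48)
interface Ethernet0
 ipv6 address 3FFE:B00:C18:2:1::1/64
!
ipv6 prefix-list bgp65001in seq 10 deny ::/0
ipv6 prefix-list bgp65001in seq 20 deny 3FFE:B00:C19::/48 le 128
ipv6 prefix-list bgp65001in seq 30 permit 2000::/3 ge 16 le 48
ipv6 prefix-list bgp65001in seq 40 deny ::/0 le 128
ipv6 prefix-list bgp65001out seq 10 permit 3FFE:B00:C19::/48
ipv6 prefix-list bgp65001out seq 20 deny ::/0 le 128
ipv6 route 3FFE:B00:C19::/48 Null0
!
router bgp 65002
 bgp router-id 10.10.10.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::F remote-as 65001
 neighbor 3FFE:B00:C18:2:1::F password 0 ExampleSecretChangeMe
 address-family ipv6
  network 3FFE:B00:C19::/48
  neighbor 3FFE:B00:C18:2:1::F activate
  neighbor 3FFE:B00:C18:2:1::F prefix-list bgp65001in in
  neighbor 3FFE:B00:C18:2:1::F prefix-list bgp65001out out
  neighbor 3FFE:B00:C18:2:1::F maximum-prefix 1000 80
 exit-address-family
!
! Verify on either side: session Established, exactly one prefix received
show bgp ipv6 unicast summary
show bgp ipv6 unicast neighbors 3FFE:B00:C18:2:1::1 routes
```

Order matters inside the inbound list: the deny of our own /48 sits before the permit of 2000::/3, otherwise a peer could announce our own more-specifics back to us and hijack traffic. The same two filters, plus the password and the prefix limit, are what a practitioner would apply to any external IPv6 session; the addressing is the only part tied to this slide.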

Slide 10

RIP: RIPv2 for IPv4, RIPng for IPv6. Distinct but similar protocols, with RIPng taking advantage of IPv6 specificities.

OSPF: OSPFv2 for IPv4, OSPFv3 for IPv6. Distinct but similar protocols, with OSPFv3 being a cleaner implementation that takes advantage of IPv6 specificities.

IS-IS: extended to support IPv6. A natural fit to some of the IPv6 foundational concepts; supports single- and multi-topology operation.

EIGRP: extended to support IPv6 (IPv6_REQUEST_TYPE, IPv6_METRIC_TYPE, IPv6_EXTERIOR_TYPE). Some changes reflecting IPv6 characteristics.

BGP: new MP_REACH_NLRI and MP_UNREACH_NLRI attributes, AFI=2 with SAFIs for unicast, multicast, label and VPN. Peering over IPv6 or over IPv4 (in the latter case a route map must set the IPv6 next hop, since the session address cannot supply it).

For all intents and purposes, IPv6 IGPs are similar to their IPv4 counterparts.

IPv6 IGPs have additional features that could lead to new designs.

Slide 11

Routing Protocols Coexistence & Convergence

Slide 12

Almost

• Most likely the IPv6 IGP will not be deployed in a brand new network and just by itself

• Most likely the IPv4 services are more important at first since they are generating most of the revenue

• Redefine “better”

• What is the impact on the convergence of IPv4?

• Are the resources optimally shared?

• Are the topologies going to be congruent?

• Etc.

Slide 13

• What IGPs coexist better?

• What IPv6 IGP impacts IPv4 the least (hopefully not at all)?

At First, the IPv6 IGP Convergence Might Be Less Important than the Impact of IPv6 on the Convergence of the Existent IPv4 Infrastructure

Slide 14

• Resources will be shared between the two IGPs and they will compete for processor cycles in a way that reflects their relative configuration

• This has implications on:

Expected convergence behavior

Single process/topology vs Multi process/topology selection

Resources (Memory, CPU) planning

Slide 15

• With the exception of ISIS single topology, the IPv4 and IPv6 routing processes claim their own memory and processing resources for maintaining adjacencies, databases and related calculations

• It is important to define the IPv6 network design in order to understand the new resource requirements (memory) and the new operational parameters (max CPU) for the network devices

Slide 16

The IGPs Will Compete over Processor Cycles Based on Their Relative Tuning

If you configure the IPv4 and IPv6 IGPs the same way (both aggressively tuned for fast convergence), naturally expect a doubling of their stand-alone convergence time

If the IPv6 IGP is operating under default settings, the convergence time of the optimally tuned IPv4 IGP is not significantly affected

Slide 17

In Theory:

• The similarity between the IPv6 and IPv4 routing protocols leads to similar behavior and expectations

• To select the IPv6 IGP, start by using the IPv4 IGP rules of thumb

Slide 18

• In Practice:

The IPv6 IGP implementations might not be fully optimized yet so there is a bit more uncertainty

Not all knobs for Fast Convergence might be available

No significant operational experience with large scale IPv6 networks

Slide 19

• Same topology considerations as for IPv4

• Convergence time

There are hardware and software dependencies

The average convergence time is about 100% larger than for IPv4, because the IPv6 IGP converges after the IPv4 one

Not all knobs are available, e.g. no fast hellos for OSPFv3; Bidirectional Forwarding Detection (BFD) for IPv6 is the intended substitute

Test tools still need to improve

Slide 20

IPv4 Vulnerabilities vs. IPv6 Vulnerabilities

Slide 21

Reconnaissance: a /64 is too large to sweep blindly, but addresses leak anyway

• Public servers will still need to be reachable through DNS

• More information collected by Google...

• Increased deployment of, and reliance on, dynamic DNS: more information will be in DNS

• Using peer-to-peer clients gives the IPv6 addresses of peers

• Administrators may adopt easy-to-remember addresses (::10, ::20, ::BAD:F00D, ::C5C0, or simply the IPv4 last octet on dual-stack hosts)

• By compromising hosts in a network, an attacker can learn new addresses to scan (neighbor cache, logs, configuration files)

• Transition techniques (see below) derive the IPv6 address from the IPv4 address, so the attacker can scan again

Slide 22

Figure: uRPF loose mode (left): a packet with a spoofed IPv6 source arrives from the access layer; no route to the source prefix exists at all, so it is dropped. uRPF strict mode (right): the packet is dropped unless the route to its source prefix points out the interface the packet arrived on.

uRPF Remains the Primary Tool for Protecting Against L3 Spoofing

 ipv6 verify unicast source reachable-via rx     (strict mode)
 ipv6 verify unicast source reachable-via any    (loose mode)

Slide 23

• Potential router CPU attacks under aggressive scanning of an on-link prefix

The router performs Neighbor Discovery for every unknown address... and wastes CPU and memory on incomplete neighbor-cache entries

There is a built-in rate limiter, but no option to tune it

• Using a /64 on point-to-point links gives the attacker a lot of addresses to scan!

• An infrastructure ACL prevents this scanning

iACL: an edge ACL that denies packets addressed to your routers

Easy in IPv6, because a fresh, compact addressing scheme for infrastructure can be designed from the start
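The two uRPF modes from the previous slide and the infrastructure ACL from this one, on a single edge router, as an added example that is not part of the original deck. Interface names, the RFC 3849 documentation addresses (2001:DB8::/32), the infrastructure block 2001:DB8:FFFF::/48 and the eBGP peer address are assumptions. Strict mode goes where routing is symmetric (single-homed access), loose mode where it is not (peering); putting strict mode on an asymmetric link silently drops legitimate traffic. For the point-to-point scanning problem itself, RFC 6164 (2011) later endorsed /127 on such links, which removes the address space being scanned rather than just filtering it.

```cisco
! Added example, not from the original deck. Addresses are RFC 3849
! documentation space and are assumptions.
ipv6 unicast-routing
!
! Access-facing interface: single-homed customers, routing is symmetric.
! Strict mode drops any packet whose source prefix is not routed back out
! this same interface (spoofed sources from other customers, bogons).
interface GigabitEthernet0/1
 description Access layer (single-homed)
 ipv6 address 2001:DB8:1:1::1/64
 ipv6 verify unicast source reachable-via rx
!
! Upstream-facing interface: return paths are asymmetric, so only loose
! mode is safe. It drops packets whose source has no route at all. A default
! route is NOT consulted unless allow-default is added, so unrouted/bogon
! sources are still dropped even on a router that carries a default.
interface GigabitEthernet0/0
 description Upstream / peering
 ipv6 address 2001:DB8:FFFF::2/64
 ipv6 verify unicast source reachable-via any
 ipv6 traffic-filter IACL-IN in
!
! Infrastructure ACL: every router address lives in 2001:DB8:FFFF::/48
! (assumed), so one deny line shields all of them. Exceptions come first.
ipv6 access-list IACL-IN
 remark eBGP peer must reach our peering address (both directions of the TCP session)
 permit tcp host 2001:DB8:FFFF::1 host 2001:DB8:FFFF::2 eq bgp
 permit tcp host 2001:DB8:FFFF::1 eq bgp host 2001:DB8:FFFF::2
 remark ICMPv6 the router itself must receive: PMTUD and neighbor discovery
 permit icmp any any packet-too-big
 permit icmp any any nd-ns
 permit icmp any any nd-na
 remark nothing else may be addressed to infrastructure; log for visibility
 deny ipv6 any 2001:DB8:FFFF::/48 log
 remark transit traffic toward customers passes unchanged
 permit ipv6 any any
!
! Checks: uRPF mode per interface, RPF drop counters, iACL hit counts
show ipv6 interface GigabitEthernet0/1
show ipv6 traffic
show ipv6 access-list IACL-IN
```

The explicit nd-ns/nd-na permits matter: an IPv6 ACL's implicit ND permits sit at the end of the list, after the deny for the infrastructure block, so without them unicast Neighbor Solicitations to the router's global address would be dropped and adjacencies would decay. On a busy edge remove `log` from the deny line and rely on the hit counters; ACL logging is CPU-bound and rate-limited.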

Slide 24

• First Hop Security covers the operations contained within the link boundaries that a node needs in order to communicate with its neighbors and to learn the link's exit points. They encompass:

– Address configuration parameters

– Address initialization

– Address resolution

– Default gateway discovery

– Local network configuration

– Neighbor reachability tracking

Slide 25

Figure: First Hop Security architecture. At the center sits a binding table, populated by gleaning NDP, DHCP, MLD and data traffic, alongside a policy table holding dynamic and static rules. The features built on top of them are RA guard, DHCP guard, Source guard, Device tracking, NDP monitoring, NDP inspection, Port ACL, Router table, Address ownership, Mobility, NDP multicast suppress and RA throttler.
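The RA guard, DHCP guard and ND-snooping pieces of that architecture on an access switch, as an added example that is not part of the original deck. It uses the policy-based First Hop Security syntax of later IOS and IOS-XE releases (older Catalyst code exposes only a per-port `ipv6 nd raguard`); VLAN number, port names and policy names are assumptions. This is also the direct answer to the rogue-RA scenario in the conclusion slides: a host port that may never originate a Router Advertisement cannot silently turn the LAN into an attacker-routed IPv6 network.

```cisco
! Added example, not from the original deck. Policy names, VLAN and ports are assumptions.
!
! Hosts may never send Router Advertisements; only the uplink is a router.
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
ipv6 nd raguard policy UPLINK
 device-role router
!
! Only the uplink may answer DHCPv6; rogue servers on host ports are blocked.
ipv6 dhcp guard policy DHCP-CLIENT-PORTS
 device-role client
!
ipv6 dhcp guard policy DHCP-SERVER-PORTS
 device-role server
!
! ND snooping fills the binding table (address <-> MAC <-> port) by gleaning
! NDP and DHCPv6; security-level guard drops ND messages that contradict it,
! tracking keeps entries fresh by probing hosts that fall silent.
ipv6 snooping policy SNOOP
 security-level guard
 tracking enable
!
! Attach at VLAN level so every access port in VLAN 10 inherits the host roles.
vlan configuration 10
 ipv6 snooping attach-policy SNOOP
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy DHCP-CLIENT-PORTS
!
! The uplink overrides the VLAN defaults with the router/server roles;
! an interface-level policy takes precedence over the VLAN-level one.
interface GigabitEthernet1/0/48
 description Uplink to distribution
 switchport mode trunk
 ipv6 nd raguard attach-policy UPLINK
 ipv6 dhcp guard attach-policy DHCP-SERVER-PORTS
!
! Verify: policies and where they are attached, then the learned bindings
show ipv6 nd raguard policy HOST-PORTS
show ipv6 dhcp guard policy DHCP-CLIENT-PORTS
show ipv6 snooping policy SNOOP
show ipv6 neighbors binding
```

One caveat a practitioner needs: RA guard inspects the packet it can parse. Early implementations could be evaded by hiding the RA behind a fragment or a long extension-header chain; RFC 7113 (2014) documents the evasions and the required behaviour (drop RAs that cannot be fully inspected), so confirm your switch code does this before relying on RA guard alone.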

Slide 26

• BGP, IS-IS, EIGRP: no change

MD5 authentication of the routing update (the TCP MD5 option, RFC 2385, for BGP; the HMAC-MD5 authentication TLV, RFC 5304, for IS-IS)

• OSPFv3 has changed: MD5 authentication was removed from the protocol, and OSPFv3 is instead supposed to rely on transport-mode IPsec (AH or ESP)

• RIPng and PIM also rely on IPsec

• IPv6 routing attack best practices

Use the traditional authentication mechanisms on BGP, IS-IS and EIGRP

Use IPsec to secure protocols such as OSPFv3 and RIPng
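Both halves of that advice on one IOS router, as an added example that is not part of the original deck: OSPFv3 authenticated with IPsec AH (per interface, and alternatively per area), and IS-IS keeping its in-protocol HMAC-MD5 for the IPv6 address family. The keys, SPI values, interface names, NET and process names are assumptions. OSPFv3 later regained an in-protocol option, the authentication trailer of RFC 6506 / RFC 7166, but at the time of this deck IPsec was the only choice.

```cisco
! Added example, not from the original deck. Keys, SPIs, names are assumptions.
!
! OSPFv3 on one interface: AH in transport mode, SHA-1 keyed with a 40-hex-digit
! key. The neighbor must be configured with the same SPI and key, or the
! adjacency never forms (and an attacker without the key cannot inject LSAs).
interface GigabitEthernet0/0
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 1000 sha1 0123456789ABCDEF0123456789ABCDEF01234567
!
! Alternatively, one statement under the process covers every interface in an
! area; an interface-level statement still overrides it where present.
ipv6 router ospf 1
 router-id 10.10.10.1
 area 1 authentication ipsec spi 1001 sha1 FEDCBA9876543210FEDCBA9876543210FEDCBA98
!
! IS-IS authenticates inside the protocol (HMAC-MD5, RFC 5304), so the IPv6
! address family inherits it. A key chain allows rollover without a flap.
key chain ISIS-KEYS
 key 1
  key-string ExampleKeyChangeMe
!
router isis CORE
 net 49.0001.0000.0000.0001.00
 is-type level-2-only
 ! authenticate LSPs, CSNPs and PSNPs
 authentication mode md5 level-2
 authentication key-chain ISIS-KEYS level-2
 address-family ipv6
  multi-topology
 exit-address-family
!
interface GigabitEthernet0/1
 ipv6 address 2001:DB8:0:2::1/64
 ipv6 router isis CORE
 ! hellos are authenticated per interface
 isis authentication mode md5
 isis authentication key-chain ISIS-KEYS
!
! Verify: the OSPFv3 interface reports the SPI and "secure socket UP",
! the IPsec SA counters increase, and IS-IS neighbors stay Up
show ipv6 ospf interface GigabitEthernet0/0
show crypto ipsec sa
show isis neighbors
```

Two operational notes: the OSPFv3 IPsec keys are static (no IKE), so treat them like any other shared routing secret and rotate them by changing the SPI on both ends; and because AH covers the IPv6 header, any middlebox that rewrites addresses on the link will break the adjacency, which is usually the desired failure mode for a routing protocol.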

Slide 27

• Sniffing

IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4

• Application layer attacks

The majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent

• Rogue devices

Rogue devices will be as easy to insert into an IPv6 network as into an IPv4 one

• Man-in-the-Middle Attacks (MITM)

Without strong mutual authentication, any attack utilizing MITM will have the same likelihood in IPv6 as in IPv4

• Flooding

Flooding attacks are identical between IPv4 and IPv6

Slide 28

• IPv6 mandates the implementation of IPsec (RFC 4294 node requirements; relaxed to a SHOULD in RFC 6434, 2011)

• IPv6 does not require the use of IPsec

• Some organizations believe that IPsec should be used to secure all flows...

Interesting scalability issue (an n² key-management problem when every pair of hosts needs an IPsec association)

Need to trust endpoints and end-users, because the network cannot secure traffic it cannot see: no IPS, no ACL, no firewall

(IOS 12.4(20)T can parse past the AH, but ESP hides the upper layers entirely)

Network telemetry is blinded: NetFlow is of little use

Network services are hindered: what about QoS?

• Recommendation: do not use IPsec end to end within an administrative domain.

• Suggestion: reserve IPsec for residential or hostile environments, or for high-profile targets.

Slide 29

We're all waiting for something... (figure: The Content Owner, The Application Developer, The Billing Engine, The Vendor, The Enterprise, The ISP, The CIO, The Operations Group, The Transit Provider and The RIR, each waiting on the others)

Slide 30

Enforcing a Security Policy

Slide 32

• IPv6 ACLs can match on

Upper layers: TCP, UDP, SCTP port numbers

TCP flags SYN, ACK, FIN, PSH, URG, RST

ICMPv6 type and code

Traffic class (only the six DSCP bits of the 8-bit field)

Flow label (0-0xFFFFF)

• IPv6 extension headers

routing matches any Routing Header; routing-type matches a specific RH type

mobility matches any Mobility Header; mobility-type matches a specific MH type

dest-option matches any Destination Options header; dest-option-type matches a specific option

auth matches AH

The ACL can look past AH (but not ESP, which hides the upper layer) since IOS 12.4(20)T

• The fragments keyword matches

Non-initial fragments (same as in IPv4)

And the first fragment, if the L4 protocol cannot be determined from it

• The undetermined-transport keyword (deny only) matches

Any packet whose L4 protocol cannot be determined: fragmented before the L4 header, or an unknown extension header in the chain

Slide 33

• Stateful protocol inspection (anomaly detection) of IPv6 fragmented packets, TCP, UDP, ICMP and FTP traffic

• IOS 12.3(7)T (released 2005)

• Stateful inspection of IPv4/IPv6 packets

• IPv6 DoS attack mitigation

• Recognizes IPv6 extension headers

Figure: three IPv6 sites (Site 1, Site 2, Site 3) connected across the IPv4 Internet through dual-stack routers, each site fronted by an IPv6 router running Cisco IOS Firewall.
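The ACL keywords from slide 32 and the IOS Firewall inspection from slide 33 combined on one site router's outside interface, as an added example that is not part of the original deck. Interface names, the DMZ prefix 2001:DB8:1::/64 and the hosts in it are assumptions. The point of the first three lines is the one the slide makes about classification: a packet the router cannot classify must be dropped, not guessed at, because "the L4 header is not there" is exactly what an evasion looks like.

```cisco
! Added example, not from the original deck. Prefix, hosts and interfaces are assumptions.
ipv6 access-list OUTSIDE-IN
 remark Type 0 Routing Header was deprecated (RFC 5095); it only serves attackers
 deny ipv6 any any routing-type 0
 remark if the L4 header cannot be found (first fragment too small, unknown
 remark extension-header chain) the packet cannot be classified: drop, never guess
 deny ipv6 any any undetermined-transport
 remark ICMPv6 that must get through: PMTUD, errors, neighbor discovery
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any nd-ns
 permit icmp any any nd-na
 remark published DMZ services (assumed hosts)
 permit tcp any host 2001:DB8:1::25 eq smtp
 permit tcp any host 2001:DB8:1::80 eq www
 permit tcp any host 2001:DB8:1::80 eq 443
 remark non-initial fragments carry no L4 header; accept them only toward the
 remark DMZ, where the first fragment of the same packet was already policy-checked
 permit ipv6 any 2001:DB8:1::/64 fragments
 deny ipv6 any any log
!
! Stateful inspection (IOS Firewall, IOS 12.3(7)T and later): sessions opened
! from inside create temporary return entries in front of OUTSIDE-IN, so the
! ACL never needs a blanket "permit tcp any any established" hole.
ipv6 inspect name V6FW tcp
ipv6 inspect name V6FW udp
ipv6 inspect name V6FW icmp
ipv6 inspect name V6FW ftp
!
interface GigabitEthernet0/0
 description Outside
 ipv6 address 2001:DB8:FFFF::2/64
 ipv6 traffic-filter OUTSIDE-IN in
 ipv6 inspect V6FW out
!
! Verify: per-line hit counters, then the live inspected sessions
show ipv6 access-list OUTSIDE-IN
show ipv6 inspect config
show ipv6 inspect session detail
```

Ordering is deliberate: the two unconditional denies come before every permit so that no later `permit ... fragments` or service line can be reached by a packet whose headers could not be parsed, and the ICMPv6 permits precede the final deny so that PMTUD keeps working, without which large IPv6 transfers simply stall.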

Slide 34

• Since version 7.0 (April 2005)

• Dual-stack, IPv6 only, IPv4 only

• Extended IP ACL with stateful inspection

• Application awareness

HTTP, FTP, telnet, SMTP, TCP, SSH, UDP

• uRPF and v6 Frag guard

• IPv6 header security checks

Always block routing-header (type 0 and 2)

• Management access via IPv6

Telnet, SSH, HTTPS

• ASDM support (ASA 8.2)

• Routed & transparent mode (ASA 8.2)

• Fail-over support (ASA 8.2.2)

Slide 35

Conclusion

Slide 36

• Your host: IPv4 is protected by your favorite personal firewall...

IPv6 is enabled by default (Vista, Linux, Mac OS X, ...)

• Your network: does not run IPv6

• Your assumption: I'm safe

• Reality: you are not safe

The attacker sends Router Advertisements

Your host silently configures IPv6 (address and default gateway) from them

You are now under IPv6 attack

• => Probably time to think about IPv6 in your network

Slide 37

• Easy to check!

• Look inside NetFlow records for

IP protocol 41: IPv6 encapsulated in IPv4 (configured 6in4, 6to4 and ISATAP tunnels)

IPv4 destination 192.88.99.1: the 6to4 relay anycast address (RFC 3068)

UDP 3544: the public part of Teredo, yet another tunnel

• Look in the DNS server log for resolution of "isatap" names (hosts look for isatap.<your domain>)

• Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW
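A way to put those three NetFlow signatures to work on an IOS router at the edge of an "IPv4-only" network, as an added example that is not part of the original deck. The interface names are assumptions; the ACL permits everything and exists only to count and log, so it can be attached without changing policy. The NetFlow checks at the end use the fact that `show ip cache flow` prints protocol and ports in hexadecimal.

```cisco
! Added example, not from the original deck. Interface names are assumptions.
! Detection only: every line permits, the first three also count and log.
ip access-list extended V6-TUNNEL-WATCH
 remark IP protocol 41: 6in4, 6to4 and ISATAP all carry IPv6 directly in IPv4
 permit 41 any any log
 remark 6to4 relay anycast address (RFC 3068)
 permit ip any host 192.88.99.1 log
 remark Teredo client -> server, UDP 3544 (the "public part" of Teredo)
 permit udp any any eq 3544 log
 remark everything else passes untouched
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink; watch what leaves toward the Internet
 ip access-group V6-TUNNEL-WATCH out
!
interface GigabitEthernet0/1
 description Inside; NetFlow on ingress records the internal source of each tunnel
 ip flow ingress
!
! Hits per signature; the log messages name the internal hosts to fix
show access-lists V6-TUNNEL-WATCH
show logging | include V6-TUNNEL-WATCH
!
! The same traffic in the NetFlow cache: protocol 41 appears as 29 in the Pr
! column, Teredo as UDP (11) with destination port 0DD8 (3544 in hex)
show ip cache flow | include 192.88.99.1
show ip cache flow | include 0DD8
```

Two caveats: ACL logging is rate-limited and costs CPU, so on a busy uplink keep `log` only on the protocol-41 line and lean on the counters and NetFlow for the rest; and the 6to4 anycast relay address was retired by RFC 7526 in 2015, but hosts and CPE with stale configuration still send to it, which is precisely why it remains worth watching.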

Slide 39

So, nothing really new in IPv6

Lack of operation experience may hinder security for a while: training is required

Security enforcement is possible

Control your IPv6 traffic as you do for IPv4

Leverage IPsec to secure IPv6 when suitable

Thank you.