IPv6 Can No Longer Be Ignored 1 Copyright 2010 - ISecure LLC Prepared for Attendees of the 2010 ISSA Rochester Security Summit

IPv6 Can No Longer Be Ignored


DESCRIPTION

While IPv6 has been a defined standard since 1998, the end-user adoption of this standard is minimal. Less than 1% of Internet peers utilize IPv6 in the course of normal operation. However, IPv6 support within operating systems and network routers is becoming commonplace. While IT personnel continue to be focused on IPv4, IPv6 capabilities may already be active by default on many Internet connected systems within an IT professional's environment. These IPv6 interfaces generate traffic which can bypass traditional controls based on IPv4 technology. Although IPv6 is likely to eclipse IPv4 as the dominant Internet protocol, the path to this state is disorganized and unclear. This state indicates that as IPv6 gains inertia as a legitimate Internet protocol, IT administrators need to be aware of and manage IPv6 traffic on their network with as much vigilance as they would apply to the more commonplace IPv4.

Kevin D. Wilkins, CISSP, Senior Network Engineer, iSecure LLC

After coursework at the Rochester Institute of Technology, Kevin's professional experience includes ISP and VOIP operations. Kevin has 10 years of industry experience in system and network engineering and platform management. In the last few years, a focus on information security has brought his experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.

Peter Rounds, Senior Network Engineer, Syracuse University

Peter has been a Sr. Network Engineer at Syracuse University for 11 years. He is responsible for maintaining core network infrastructure consisting of Internet edge traffic identification/management, Internet BGP routing and security profile management, campus OSPF and security profile management, and data center network and security profile management. He is responsible for numerous security technologies for the University.


Page 1: IPv6 Can No Longer Be Ignored

IPv6 Can No Longer Be Ignored

Copyright 2010 - ISecure LLC

Prepared for Attendees of the

2010 ISSA Rochester Security Summit

Page 2: IPv6 Can No Longer Be Ignored

Presenters

• Kevin Wilkins, CISSP – Sr. Network Engineer, iSecure LLC

– My professional experience includes 12 years of ISP and VOIP operations. In the last few years, a focus on information security at iSecure has brought my experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.

Page 3: IPv6 Can No Longer Be Ignored

Presenters

• Peter Rounds – Sr. Network Engineer, Syracuse University

– Senior network engineer at Syracuse University for 11 years. Responsible for maintaining core network infrastructure, including Internet traffic management implementation and security profiles.

Page 4: IPv6 Can No Longer Be Ignored

Synopsis

• Hidden risks to enterprise network resources may exist through unmonitored use of IPv6 and IPv4-to-IPv6 transition mechanisms like the encapsulated IPv6 protocols 6to4, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP, IP Protocol 41), and Teredo. This discussion includes an introduction to IPv6, the identification of encapsulated IPv6 protocols, their potential threats to enterprise resources, and mitigation strategies designed to protect enterprise resources from these potential threats.

Page 5: IPv6 Can No Longer Be Ignored

What is IPv6?

• IPv6 is a revised IP protocol intended to supplement and replace IPv4.

• IPv6 was ratified in 1998 as RFC 2460.

• IPv6 addresses use a 128 bit value, vs. IPv4's 32 bits. This provides an address space on the order of 3.4x10^38 addresses. (Nearly a "duodecillion"!!)

Page 6: IPv6 Can No Longer Be Ignored

What is IPv6 for?

• IPv6 has this large address space as a necessary enhancement to IPv4's much more limited 4.29x10^9 (4.29 billion) possible addresses.

• The Internet Engineering Task Force (IETF) foresaw an eventual depletion of available IPv4 addresses, and IPv6 was designed in response.

Page 7: IPv6 Can No Longer Be Ignored

Projected IPv4 Exhaustion

• Projected IANA Unallocated Address Pool Exhaustion: 05-Jun-2011

• INTEC Systems Institute "IPv4 Exhaustion Counter"

• http://inetcore.com/project/ipv4ec/index_en.html

Page 8: IPv6 Can No Longer Be Ignored

IPv4 Example…

• IPv4 address range: 0.0.0.0 -> 255.255.255.255 = 4,294,967,296 possible addresses

• An IPv4 address: "173.194.35.104"

Page 9: IPv6 Can No Longer Be Ignored

IPv6 Example…

• IPv6 address range: 0000:0000:0000:0000:0000:0000:0000:0000 -> ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses!

• An IPv6 address, written three ways (fully expanded, leading zeros dropped, and the longest run of zero groups compressed to "::"):

0023:a46e:0000:0000:0000:87ba:00ac:58ce

23:a46e:0:0:0:87ba:ac:58ce

23:a46e::87ba:ac:58ce

Page 10: IPv6 Can No Longer Be Ignored

Where is IPv6?

• IPv6 has had difficulty gaining momentum as a commonly accepted protocol. Almost the entire IT industry is perfectly happy with IPv4, and converting an established network to use IPv6 addresses is a monumental task.

• Most use of IPv6 today is found in research, dedicated networks, and by an inquisitive few.

Page 11: IPv6 Can No Longer Be Ignored

Where is IPv6... Really?

• Since 2008, the US Government has mandated that new purchases of computer and network equipment must support certain minimum standards for IPv6. See NIST Special Publication 500-267.

• IPv6 is becoming generally supported in network devices, operating systems, remote management protocols, and other networked applications.

• Microsoft Windows XP/Server 2003 offered optional support for IPv6. Microsoft Windows Vista/Server 2008 and beyond have nearly complete IPv6 support, and the protocol is enabled by default. Linux and Cisco also support IPv6.

• Recent versions of Microsoft Windows also include utilities which will encapsulate IPv6 traffic within an IPv4 tunnel.

Page 12: IPv6 Can No Longer Be Ignored

So I might be running IPv6 now?

• Yes! And this new IPv6 capability in contemporary systems represents an unknown security risk.

• The IT industry's propensity to ignore IPv6 in favor of IPv4 means that local administrators might be unaware of the potential IPv6 traffic traversing their network and interacting with their information systems.

• Furthermore, support for IPv6 on contemporary network security devices seems to be lagging behind IPv6 support in operating systems and routers. Network based Content Inspection, Intrusion Prevention, and Antivirus may be ineffective at scanning native or encapsulated IPv6 traffic.

Page 13: IPv6 Can No Longer Be Ignored

IPv6 Interfaces in Windows Vista

Page 14: IPv6 Can No Longer Be Ignored

IPv6 Routes in Windows Vista

Page 15: IPv6 Can No Longer Be Ignored

Windows Vista is Listening on IPv6

Page 16: IPv6 Can No Longer Be Ignored

DNS: “A” record and “AAAA” Record

Page 17: IPv6 Can No Longer Be Ignored

Wait, what was this about encapsulated IPv6?

• Encapsulation technologies such as Teredo, 6to4 and IP Protocol 41 (ISATAP) were developed to aid in the transition to IPv6.

• These transition aids are necessary, as both IPv4 and IPv6 will coexist for quite some time.

• RFC 5211 “An Internet Transition Plan” describes the use of these IPv6 encapsulation mechanisms as the IPv4 address space becomes depleted and organizations are forced to migrate to IPv6.

• Network security devices might not be able to "peel the onion" to discover what applications and threats might be utilizing IPv6 resources within the IPv4 encapsulation.

Page 18: IPv6 Can No Longer Be Ignored

Teredo and Windows

• Windows Vista and Windows 7 have an IPv6 encapsulation service called Teredo, which is enabled by default.

• Teredo will automatically seek out a Teredo gateway ( teredo.ipv6.microsoft.com ), assign an IPv6 address to the Teredo interface, and attempt to route IPv6 traffic.

• Teredo is intended for tunneling IPv6 traffic via an IPv4 NAT router.

Page 19: IPv6 Can No Longer Be Ignored

Pinging Via Teredo

Page 20: IPv6 Can No Longer Be Ignored

Example: IPv6/Teredo in Wireshark

Page 21: IPv6 Can No Longer Be Ignored

6to4 and Windows

• 6to4 is intended for tunneling IPv6 traffic via non-NAT IPv4 transport.

• A host or router intending to use 6to4 must have inherent IPv6 support and a routable (non-NAT) IPv4 address.

• IPv6 traffic is encapsulated and tunneled via an IPv4 network from one IPv6 network to another IPv6 network on the remote end.

Page 22: IPv6 Can No Longer Be Ignored

ISATAP and Windows

• ISATAP traffic is another transition mechanism where IPv6 traffic is tunneled via IPv4

• ISATAP packets use IPv4 with the IP Protocol field set to 41.

• ISATAP is typically seen on an Intranet for host to host communications, but host to router communication is also possible.
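The three tunnel mechanisms above each embed IPv4 information in the IPv6 address they use, which is what lets a defender recognise them in logs or captures. The following is an added example, not part of the deck: it classifies an IPv6 address as Teredo (2001:0::/32), 6to4 (2002::/16), ISATAP (interface identifier ::5efe:a.b.c.d) or neither, using the address layouts from RFC 4380, RFC 3056 and RFC 5214. The sample addresses in the demo are constructed from documentation ranges.

```python
# Added example (not from the deck): classify an IPv6 address by transition mechanism
# and recover the IPv4 endpoints it embeds, per RFC 4380 (Teredo), RFC 3056 (6to4)
# and RFC 5214 (ISATAP). Addresses in the demo are constructed from documentation ranges.
import ipaddress

TEREDO_NET = ipaddress.IPv6Network("2001::/32")      # 2001:0000::/32 (RFC 4380)
SIX_TO_FOUR_NET = ipaddress.IPv6Network("2002::/16")  # 2002:WWXX:YYZZ::/48 (RFC 3056)


def _v4(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def classify(addr: str) -> dict:
    """Return the mechanism name plus any IPv4 information embedded in the address."""
    ip = ipaddress.IPv6Address(addr)   # accepts full, zero-trimmed or :: compressed forms
    raw = ip.packed                    # 16 bytes, network order
    if ip in TEREDO_NET:
        # prefix(32) | Teredo server IPv4(32) | flags(16) | port ^ 0xFFFF | client IPv4 ^ 0xFFFFFFFF
        return {"mechanism": "Teredo",
                "server": _v4(raw[4:8]),
                "client": _v4(bytes(b ^ 0xFF for b in raw[12:16])),
                "client_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF}
    if ip in SIX_TO_FOUR_NET:
        # 2002:WWXX:YYZZ::/48 embeds the site's public IPv4 address WW.XX.YY.ZZ
        return {"mechanism": "6to4", "site_ipv4": _v4(raw[2:6])}
    # ISATAP interface identifier: 0000:5efe:a.b.c.d (0200:5efe when the u/l bit is set)
    if raw[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return {"mechanism": "ISATAP", "host_ipv4": _v4(raw[12:16])}
    if ip.is_link_local:
        return {"mechanism": "link-local"}
    return {"mechanism": "native"}


if __name__ == "__main__":
    # Constructed demo addresses: Teredo client behind 203.0.113.7 via server 192.0.2.45,
    # a 6to4 site at 192.0.2.45, an ISATAP host 10.0.0.5, and the deck's own example address.
    for a in ("2001:0:c000:22d:8000:63bf:34ff:8ef8", "2002:c000:22d::1",
              "fe80::5efe:10.0.0.5", "23:a46e::87ba:ac:58ce"):
        print(a, "->", classify(a))
```

Running the decoder over the IPv6 source and destination addresses seen in a capture gives a quick inventory of which hosts are tunnelling and through which IPv4 endpoints.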

Page 23: IPv6 Can No Longer Be Ignored

How do I control this IPv6 traffic?

• First - awareness is the key. Check your networked systems to see which components offer IPv6 support, and if IPv6 support is enabled. Run packet captures and analyze your systems to see if native or encapsulated IPv6 traffic traverses your network.

• In a server farm or corporate environment where there is no need for IPv6 at this time, consider establishing a policy to disable the IPv6 interfaces on computer systems and block or null-route IPv6 traffic in the network.

Page 24: IPv6 Can No Longer Be Ignored

How do I control this IPv6 traffic?

• In ISP, government, higher education, or research environments, the use of IPv6 might be legitimate. In this case, monitoring and granular control is warranted.

• Check your network security equipment to see how it handles IPv6. The integrated Proxies and Application Layer Gateways might not yet handle IPv6 traffic.

• Network security devices might not be able to "peel the onion" to discover what applications and threats might be utilizing IPv6 resources within the IPv4 encapsulation.

Page 25: IPv6 Can No Longer Be Ignored

This Removes the Native IPv6 Interface

Page 26: IPv6 Can No Longer Be Ignored

Also shut off the tunnel interfaces…

Page 27: IPv6 Can No Longer Be Ignored

Control IPv6 at Internet Edge

• IPv6 related Protocol types and Descriptions

41 ISATAP
43 IPv6-Route Routing Header for IPv6
44 IPv6-Frag Fragment Header for IPv6
58 IPv6-ICMP ICMP for IPv6
59 IPv6-NoNxt No Next Header for IPv6
60 IPv6-Opts Destination Options for IPv6

• Inbound ACL:
deny 41 any any
deny 43 any any
deny 44 any any
deny 58 any any
deny 59 any any
deny 60 any any

• Outbound ACL:
deny udp any any eq 3544 - used by Teredo to reach Internet locations
deny ip any host 192.88.99.1 - the 6to4 relay anycast address
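The same match logic as the ACLs above can be run offline over IPv4 packets from a capture to see what a v4-only edge filter would otherwise pass. The following is an added example, not from the deck: it parses the IPv4 header, checks the protocol numbers from the table, the Teredo server port 3544 and the 6to4 relay anycast address, and reports which rule a packet would hit. The sample packets are constructed by hand from documentation address ranges; note that protocol 41 carries both ISATAP and 6to4 encapsulation.

```python
# Added example (not from the deck): apply the slide's edge ACL logic to raw IPv4
# packets, e.g. pulled from a pcap, to flag tunneled IPv6 a v4-only filter lets through.
import struct
import ipaddress
from typing import Optional

# Protocol numbers from the slide's table; 41 carries both ISATAP and 6to4 (IPv6-in-IPv4).
IPV6_PROTOCOLS = {41: "IPv6-in-IPv4 (ISATAP/6to4)", 43: "IPv6-Route", 44: "IPv6-Frag",
                  58: "IPv6-ICMP", 59: "IPv6-NoNxt", 60: "IPv6-Opts"}
TEREDO_PORT = 3544                                      # deny udp any any eq 3544
SIXTOFOUR_RELAY = ipaddress.IPv4Address("192.88.99.1")  # deny ip any host 192.88.99.1


def inspect_ipv4(pkt: bytes) -> Optional[str]:
    """Return the ACL rule a packet would hit, or None if the slide's rules pass it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                                  # truncated or not IPv4
    ihl = (pkt[0] & 0x0F) * 4                        # header length in bytes
    proto = pkt[9]
    dst = ipaddress.IPv4Address(pkt[16:20])
    if proto in IPV6_PROTOCOLS:                      # inbound: deny <proto> any any
        return f"deny {proto} any any ({IPV6_PROTOCOLS[proto]})"
    if dst == SIXTOFOUR_RELAY:                       # outbound: 6to4 relay anycast
        return "deny ip any host 192.88.99.1 (6to4 relay)"
    if proto == 17 and len(pkt) >= ihl + 8:          # outbound: Teredo server port
        dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
        if dport == TEREDO_PORT:
            return "deny udp any any eq 3544 (Teredo)"
    return None


def make_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (checksum left 0, which inspect_ipv4 does not check)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def make_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed sample packets (documentation ranges), one per rule plus a benign one.
SAMPLES = {
    "6in4":   make_ipv4(41, "10.1.1.5", "198.51.100.9", b"\x60" + b"\x00" * 39),
    "teredo": make_ipv4(17, "10.1.1.5", "198.51.100.9", make_udp(51000, 3544)),
    "relay":  make_ipv4(1, "10.1.1.5", "192.88.99.1", b"\x08\x00" + b"\x00" * 6),
    "https":  make_ipv4(6, "10.1.1.5", "198.51.100.9", b"\x00" * 20),
}
```

Feed it the IPv4 layer of each frame from a capture taken at the edge; any non-None result is traffic the slide's ACLs are meant to stop, and a non-empty tally is the evidence for the awareness step on the previous slides.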

Page 28: IPv6 Can No Longer Be Ignored

Story Time with Peter Rounds

• In the spring, an SU Sys-admin came to Peter Rounds with a concern – he was able to bypass the datacenter firewall and open an RDP connection to datacenter servers via IPv6.

• Teredo was tunneling through their datacenter firewall and presenting itself to the public Internet via IPv6.

• In the interim, SU has implemented firewall policies to block ISATAP, IPv6, and Teredo negotiation protocols in their router ACLs.

Page 29: IPv6 Can No Longer Be Ignored

Story Time with Peter Rounds

• Disabling IPv6 and tunneling mechanisms represents a stopgap measure which breaks the transition technologies designed to aid in the general deployment of IPv6.

• Transition is coming very soon! Verizon Business Solutions has said that the “last drop of oil” will be tapped in a matter of months. Verizon will be unable to provide IPv4 blocks and will instead be assigning IPv6 address space.

Page 30: IPv6 Can No Longer Be Ignored

Conclusions

• IPv6 isn’t "bad", and may represent the future for a lot of networks. Some say that IPv4 will never go away, but in the meantime, IPv6 is here.

• IT Administrators need to be aware of IPv6 as a protocol which is gaining legitimacy and is actually supported on a wide number of systems.

• IPv4 to IPv6 encapsulation mechanisms exist as a tool to aid in the migration from a predominantly IPv4 environment to an IPv6 environment.

• With this awareness comes the requirement to control IPv6 with the same attention to detail that IT administrators would apply to controlling the more commonplace IPv4 traffic.

Page 31: IPv6 Can No Longer Be Ignored

References – Transitional Security Issues

• Security Concerns With IP Tunneling

http://tools.ietf.org/html/draft-ietf-v6ops-tunnel-security-concerns-02

• Support for IPv6 in Windows Server 2008 R2 and Windows 7

http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

• IPv6 Security Considerations and Recommendations

http://technet.microsoft.com/en-us/library/bb726956.aspx

Page 32: IPv6 Can No Longer Be Ignored

References – Threat Mitigation

• How to prevent IPv6 tunneling across firewalls and routers

http://www.howfunky.com/2010/02/how-to-prevent-ipv6-tunneling-across.html

• Disable all IPv6 in Windows

http://tutorials-tips-tricks.info/disable-and-turn-off-ipv6-in-windows

• Wiki - IPv6 Firewalls

http://www.getipv6.info/index.php/IPv6_Firewalls

• IPv6 firewalling knows no middle ground

http://arstechnica.com/hardware/news/2007/05/ipv6-firewall-mixed-blessing.ars

Page 33: IPv6 Can No Longer Be Ignored

References – Guidelines for IPv6 Adoption

• An Internet Transition Plan

http://tools.ietf.org/html/rfc5211

• Hurricane Electric IPv6 Certification Project

http://ipv6.he.net/certification/

• NIST Special Publication 800-119 - Guidelines for the Secure Deployment of IPv6 (Draft)

http://csrc.nist.gov/publications/drafts/800-119/draft-sp800-119_feb2010.pdf

• Microsoft Windows Server 2008 Whitepaper - IPv6 Transition Technologies

http://download.microsoft.com/download/1/2/4/124331bf-7970-4315-ad18-0c3948bdd2c4/IPv6Trans.doc

Page 34: IPv6 Can No Longer Be Ignored

References – Guidelines for IPv6 Adoption

• Tier 1 for IPv4 != Tier 1 for IPv6

http://www.networkworld.com/community/blog/tier-1-ipv4-tier-1-ipv6

• BT Diamond IP IPv6 Address Management Guide

http://btdiamondip.com/software/offers/confirm_ipv6.aspx

• Google, Microsoft, Netflix in talks to create shared list of IPv6 users

http://www.networkworld.com/news/2010/032610-dns-ipv6-whitelist.html