Professional Documents
Culture Documents
Considerations
Earl Carter
Presentation_ID
Cisco Confidential
Agenda
Introduction
Threat Landscape
IPv6 Known Attack Vectors
Coexistence Issues
Attack
Concerns
Attacker Tools
Host Discovery
Identifying Known Vulnerabilities
Identifying Malicious Traffic
Deployment
Concerns
Verifying Configurations
Presentation_ID
Cisco Confidential
My Background
Security Researcher for 15 years
Security Geek not a Product Expert
Presentation_ID
Cisco Confidential
Agenda
Introduction
Threat Landscape
IPv6 Attack Vectors
Coexistence Issues
Attacker Tools
Host Discovery
Identifying Known Vulnerabilities
Identifying Malicious Traffic
Verifying Configurations
Presentation_ID
Cisco Confidential
What Happened
to IPv5?
Presentation_ID
Cisco Confidential
Threat Landscape
November 2008
May 2009
http://advosys.ca/viewpoints/2009/05/the-coming-ipv6-security-disaster/
http://www.fiercevoip.com/story/arbor-networks-voip-ipv6-emerging-security-threats/2008-11-11?utm_medium=rss&utm_source=rss&cmp-id=OTC-RSS-FV0
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
Threat Landscape
http://web.nvd.nist.gov/view/vuln/search-results?cid=2
Presentation_ID
Cisco Confidential
Presentation_ID
Cisco Confidential
Now We Have
NDP Spoofing
10
IPv6 Security
Routing Protocol Authentication
BGP, ISIS, EIGRP no change:
Use MD5 authentication of the routing update
Presentation_ID
Cisco Confidential
11
Presentation_ID
IPv6
IPv4
Header
Manipulation
Rogue Devices
Rogue Devices
Application Attacks
Application Attacks
ND Attacks
ARP Attacks
Cisco Confidential
12
Agenda
Introduction
Threat Landscape
IPv6 Known Attack Vectors
Coexistence Issues
Attacker Tools
Host Discovery
Identifying Known Vulnerabilities
Identifying Malicious Traffic
Verifying Configurations
Presentation_ID
Cisco Confidential
13
IPv4 Header
Version
Datagram Length
length
Flags
Datagram Identifier
TTL
Protocol
Fragment Offset
Traffic
class
Flow Label
Payload length
Next
Header
Hop limit
Checksum
32 bits
Unchanged
Presentation_ID
Cisco Confidential
14
Hop-by-hop Option
43
Routing
TCP Protocol
44
Fragment
EGP Protocol
50
Encapsulating Security
Payload (ESP)
IGP Protocol
17
UDP Protocol
51
Authentication Header
46
RSVP Protocol
59
47
GRE Protocol
60
Destination Option
58
ICMP Protocol
62
Mobility Header
Presentation_ID
Cisco Confidential
15
40
70
100
130
IP Header
0
Hop-by-Hop
Option
Header 43
Routing
Header
51
Authentication
Header
60
160
168
UDP
Destination
Protocol
Options
Header 17 Header
1600
Data
MTU of 1280
Unfragmentable Part
IP Header
Hop-by-Hop
Option
Header
Routing
Header
F
H
IP Header
Hop-by-Hop
Option
Header
Routing
Header
F
H
Authentication
Header
Destination UDP
Options Protocol
Header Header
Data (0-1112)
Data (1113-1432)
Cisco Confidential
16
Note: Recommended order according to RFC 2460. (Hop-by-hop Options must be 1st)
Presentation_ID
Cisco Confidential
17
Cisco Confidential
18
Remember IP Options
in IPv4
Presentation_ID
Cisco Confidential
19
Unicast
One address on a single interface
Delivery to single interface
Multicast
Address of a set of interfaces
Delivery to all interfaces in the set
Anycast
Address of a set of interfaces
Delivery to a single interface in the set (closest)
No broadcast addresses
Presentation_ID
Cisco Confidential
20
Global
Site-Local Link-Local
Presentation_ID
Cisco Confidential
21
Binary prefix
0000...0 (96 zero bits)
001
(2000-3FFF)
1111 1110 10
(FE80-FEBF)
1111 1110 11
(FEC0-FEFF)
1111 1111
(FF)
Presentation_ID
Cisco Confidential
22
Cisco Confidential
23
ICMPv4
ICMPv6
Connectivity Checks
Informational/Error Messaging
Address Assignment
Address Resolution
Router Discovery
Presentation_ID
Cisco Confidential
24
Routers do
not fragment
(need to
allow
throughout
data path)
Presentation_ID
Cisco Confidential
25
Presentation_ID
Cisco Confidential
26
Presentation_ID
Cisco Confidential
27
ICMP
Sp o o
f ICM
Echo
P Ech
o Req
Presentation_ID
Cisco Confidential
Repl
uest
Message
28
Prefix Discovery
Parameter Discovery
Neighbor Discovery
Cisco Confidential
29
Presentation_ID
Cisco Confidential
30
Presentation_ID
Cisco Confidential
31
Presentation_ID
Cisco Confidential
32
RFC 4941
Message Digest of EUI
Concatenate with Random Value
MAC: 0000.BABE.0000
Internet
2001:db8:2::200:baff:febe:0
2001:db8:33::200:baff:febe:0
24 Bits MAC
Network Prefix
FFFE
24 Bits MAC
Interface Identifier
Cisco Confidential
33
Note: Duplicate Address Detection (DAD) Applies to all addresses if interface is configured
for DupAddrDetectTransmits (including Stateful Addresses)
Presentation_ID
Cisco Confidential
34
Presentation_ID
Cisco Confidential
35
IPv6 Auto-Configuration
Stateless (RFC2462)
Host autonomously configures its own Link-Local
address
Router solicitations are sent by booting nodes to
request RAs for configuring the interfaces.
Stateful
RA indicates
SUBNET
PREFIX
SUBNET PREFIX +
MAC ADDRESS
DHCPv6
Tighter Control of Addressing
Renumbering
Hosts renumbering is done by modifying the RA to
announce the old prefix with a short lifetime and the
new prefix.
Router renumbering protocol (RFC 2894), to allow
domain-interior routers to learn of prefix introduction /
withdrawal
Presentation_ID
Cisco Confidential
SUBNET PREFIX +
MAC ADDRESS
36
Presentation_ID
Cisco Confidential
37
RSA Keys
Priv
Pub
Modifier
Public
Key
Signature
Subnet
Prefix
SHA-1
CGA Params
Subnet
Prefix
SEND Messages
Presentation_ID
Cisco Confidential
Interface
Identifier
Presentation_ID
Cisco Confidential
39
Agenda
Introduction
Threat Landscape
IPv6 Known Attack Vectors
IPv4
IPv6
Coexistence Issues
Attacker Tools
Host Discovery
Identifying Known Vulnerabilities
Identifying Malicious Traffic
Verifying Configurations
Presentation_ID
Cisco Confidential
40
Tunnels
Can potentially bypass firewall rules (uses protocol 41 or UDP)
Minimal setup
Presentation_ID
Cisco Confidential
41
IPv6/IPv4
IPv6
Host"
Configured/
6to4 Tunnel"
IPv4
IPv6
Network"
IPv4 ONLY
IPv6
IPv4
ISATAP
Router
Presentation_ID
Cisco Confidential
IPv6
Host"
Configured/
6to4 Tunnel"
IPv6
Network"
ISATAP
Tunneling
Hosts w/ Dual Stack
IPv4 and IPv6 addresses
42
Cisco Confidential
43
Your network:
Does not run IPv6
Your assumption:
Im safe
Presentation_ID
Cisco Confidential
44
Tunneling Mechanisms
No Built-in Security
No Authentication
No Integrity Check
No Confidentiality
Attacks
ISATAP
TEREDO
Tunnel Injection
Tunnel Sniffing
Presentation_ID
Cisco Confidential
45
IPv6
6to4 relay
Internet
ACL
tunnel
6to4
router
IPv4
Direct tunneled
traffic ignores
hub ACL
6to4
router
6to4 router
Presentation_ID
Cisco Confidential
46
6to4 relay
192.0.2.1
ISATAP router
Prefix 2001:db8::/64
192.0.2.2
ISATAP router:
accepts 6to4 IPv4 packets
Can forward the inside IPv6 packet back to 6to4
relay
Presentation_ID
Cisco Confidential
Mitigation:
Easy on ISATAP routers: deny
packets whose IPv6 is its 6to4
Less easy on 6to4 relay: block all
ISATAP-like local address?
Good news: not so many open
ISATAP routers on the Internet
47
Agenda
Introduction
Threat Landscape
IPv6 Known Attack Vectors
Coexistence Issues
Attacker Tools
Host Discovery
Identifying Known Vulnerabilities
Identifying Malicious Traffic
Verifying Configurations
Presentation_ID
Cisco Confidential
48
Presentation_ID
Cisco Confidential
49
Vulnerability Scanners
Does It Scan for IPv6 Issues
Presentation_ID
Cisco Confidential
50
Presentation_ID
Cisco Confidential
51
Presentation_ID
Cisco Confidential
52
Scanners
Snort
TCPdump
Halfscan6
Nmap
COLD
Strobe
Wireshark
Netcat
Analyzer
Windump
Packet forgers
Scapy6
WinPcap
SendIP
Packit
DoS Tools
6tunneldos
Spak6
4to6ddos
Complete tool/
Imps6-tools
THC-IPv6
Relay Tools
6tunnel
relay6
Presentation_ID
Cisco Confidential
53
alive6: an effective alive scanning, which will detect all systems listening to this
address
dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides
on the network (DOS).
http://www.darknet.org.uk/2010/07/thc-ipv6-toolkit-attacking-the-ipv6-protocol/
Presentation_ID
Cisco Confidential
54
http://www.darknet.org.uk/2010/07/thc-ipv6-toolkit-attacking-the-ipv6-protocol/
Presentation_ID
Cisco Confidential
55
http://www.darknet.org.uk/2010/07/thc-ipv6-toolkit-attacking-the-ipv6-protocol/
Presentation_ID
Cisco Confidential
56
Agenda
Introduction
Threat Landscape
IPv6 Known Attack Vectors
Coexistence Issues
Attacker Tools
Host Discovery
Identifying Known Vulnerabilities
Identifying Malicious Traffic
Verifying Configurations
Presentation_ID
Cisco Confidential
57
Host Discovery
IPv4
Easy to identify all hosts
Harder for attacker to hide (if not totally passive)
Cisco Switches have strong support for port security
Tools
NMAP, AMAP,
Presentation_ID
Cisco Confidential
58
Host Discovery
IPv4
IPv6
Traditional scanning not viable
New Protocols
IPv6
Presentation_ID
Cisco Confidential
59
Agenda
Introduction
Threat Landscape
IPv6 Known Attack Vectors
Coexistence Issues
Attacker Tools
Host Discovery
Identifying Known Vulnerabilities
Identifying Malicious Traffic
Presentation_ID
Cisco Confidential
60
Qualys
Run regularly
Presentation_ID
Cisco Confidential
61
Web Scanners
WebInspect
AppScan
Presentation_ID
Cisco Confidential
62
Web Scanners
WebInspect (Yes in latest version)
AppScan (Yes in latest version)
Presentation_ID
Cisco Confidential
63
Agenda
Introduction
Threat Landscape
IPv6 Known Attack Vectors
Coexistence Issues
Attacker Tools
Host Discovery
Identifying Known Vulnerabilities
Identifying Malicious Traffic
Verifying Configurations
Presentation_ID
Cisco Confidential
64
Presentation_ID
Cisco Confidential
65
Best Practices
Well Established
Presentation_ID
Cisco Confidential
66
Best Practices
Being Developed
Presentation_ID
Cisco Confidential
67
Agenda
Introduction
Threat Landscape
IPv6 Known Attack Vectors
Coexistence Issues
Attacker Tools
Host Discovery
Identifying Known Vulnerabilities
Identifying Malicious Traffic
Verifying Configurations
Presentation_ID
Cisco Confidential
68
Verifying Configurations
Common Practice
Verifies configuration matches policy
Find common configuration mistakes
Manual can be time intensive
Presentation_ID
Cisco Confidential
69
Verifying Configurations
IPv4
Manual
Usually for smaller
networks
Automated
Pari
Redseal
Scanning Tools
Limited Effectiveness
Presentation_ID
Cisco Confidential
70
Verifying Configurations
Pari
Configurations
Report Types
Pari
Software
Presentation_ID
Cisco Confidential
71
Verifying Configurations
IPv6
Manual
Scanning Tools
Not very effective
Presentation_ID
Cisco Confidential
72
Verifying Configurations
Unicast Addressing
IPv6
IPv4
Link Local
Global
Presentation_ID
Cisco Confidential
73
References
Presentation_ID
Cisco Confidential
74
Reference Links
http://www.codenomicon.com/
http://www.mudynamics.com/
http://freeworld.thc.org/thc-ipv6
http://www.stindustries.net/IPv6/tools.html
IPv6 Security
by Scott Hogg & Eric Vyncke
Presentation_ID
Cisco Confidential
75
Q and A
Contacts:
Presentation_ID
ecarter@cisco.com
Cisco Confidential
76