security implications of ipv6

Post on 02-Jan-2016

Security Implications of IPv6

Tim Helming, Director of Product Management

Corey Nachreiner, CISSP, Sr. Network Security Strategist

Welcome to WatchGuard’s IPv6 Webinar Series!

Security Implications of IPv6
• v6 in a v4 world
• v6 security advantages/disadvantages

You’re here because v6 matters to you

Part 1: Security Implications of IPv6 in a (mostly) IPv4 World

I’m Running IPv4…Does This Affect Me?

Remember This?

Tunnels In My v4? Holy Teredo!

Talking Behind My Back?

Within the confines of your network, many devices may be communicating over IPv6, even if they are not sending packets to and from the Internet!

Remember...

…Which means...

Spotting and Controlling Rogue IPv6

Part 2: Security Implications of IPv6

The Big IPv6 Security Question

•IPv6 Offers:

IPv6 Security: The Good

Built-In IPSec Offers Better Security… Right?

IPSec is a mandatory part of the IPv6 Protocol

What’s IPSec Again?

Among other things, IPSec consists of:

• Authentication Headers (AH) – Provides data origin authentication and integrity (protects against replay attacks)

• Encapsulating Security Payloads (ESP) – Adds encryption to the mix to provide confidentiality

Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, anti-replay, and encryption (confidentiality) to IP packets, thus providing secure and private communications.

What are IPv6 Extension Headers?

Remember IPv6 header simplification?

IPv4 Header (20 bytes), fields row by row:

• Version | IHL | Type of Service | Total Length
• Identification | Flags | Fragment Offset
• Time to Live | Protocol | Header Checksum
• Source Address
• Destination Address
• Options | Padding

IPv6 Header (40 bytes), fields row by row:

• Version | Traffic Class | Flow Label
• Payload Length | Next Header | Hop Limit
• Source Address
• Destination Address

Dropped options need to go somewhere…

Ext. headers may include:

• Hop-by-hop options
• Destination Options
• Routing
• Fragmentation
• AH Header
• ESP Header
• Etc…

Built-In IPSec Offers Better Security… Right?

IPSec is a mandatory part of the IPv6 Protocol

What does this really mean?

• Part of IPv6 protocol stack, not an optional add-on
• Implemented with AH and ESP Extension Headers
• Follows one standard (fewer interop issues)
• Every IPv6 device can do IPSec
• However, IPSec usage is still OPTIONAL!

Wait! Doesn’t IPv4 Offer IPSec too?

Some truths about IPv6’s additional IPSec Security:
• IPv4 has it too (though, not “natively”)
• You don’t have to use it, and most don’t
• Still complex
• May require PKI Infrastructure

So is this really a security benefit?
• Short term – probably no measurable advantage over IPv4 IPSec
• Long term – More applications will leverage it now that it’s mandatory!

So Long NAT! Hello, End-2-End Addressing

Vast Address Space Naturally Thwarts Certain Attacks

(340 unidecillion)

Too big for automated reconnaissance and attack:

IPv6 Security: The Bad

Immature Protocols = Increased Vulnerability & Risk

During the creation life-cycle of new standards and protocols:
• Security is often an after-thought
• Unexpected problems happen due to complex interactions
• Many issues don’t surface until the tech receives wider usage

These concepts have proven themselves with many new network protocols in the past. Most experts suspect there are many security issues in IPv6, and related protocols, that we have yet to uncover.

Unfamiliarity Causes Misconfigurations

Many network administrators and IT practitioners are still relatively unfamiliar with all IPv6’s “ins and outs”

Common issues:

• Not realizing IPv6 is already in their network
• Ignorance of Tunneling Mechanisms
• Lack of ACL policy for IPv6 multi-homing
• Unawareness of potential privacy issues
• Over permissiveness, just to get it to work

Automatic Addressing May Pose Privacy Concerns

1. MAC Address: 90-3A-2B-06-2C-D1
2. Split in half: 90-3A-2B 06-2C-D1
3. Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1
4. Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1

A Look Back at IPv4 ARP Poisoning

Who has 192.168.20.34?

I Do. Here’s my MAC

Hey Everyone. I have 192.168.20.34 And 192.168.20.2, And …..

I also have 192.168.20.1

I Do. Send traffic to me

No authentication or security

Neighborhood Discovery Suffers from Similar Issues

Neighbor Solicitation: Who has 2001::3/64?

Neighbor Advertisement: I Do. Here’s my Layer 2 address

ND Spoofing

No authentication or security

Many Other Neighbor and Router Discovery Issues

Solution: SEcure Neighbor Discovery (SEND) – RFC 3971

• Essentially adds IPSec to ND communications
• Requires PKI Infrastructure
• Not available in all OSs yet.
• 802.1X also an option

Other ND related attacks:

• Duplicate Address Detection (DAD) DoS attack
• ND spoofing attack for router (allows for MitM)
• Neighbor Unreachability Detection (NUD) DoS attack
• Last Hop Router spoofing (malicious router advertisements)
• And many more… (http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html)
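Because Neighbor Advertisements carry no authentication, a monitoring host can at least notice when the link-layer address claimed for an IPv6 address changes. The following detection sketch is an added example, not part of the original slides; the function names and the observations (documentation-prefix addresses, made-up MACs) are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed Neighbor Advertisement observations:
# (seconds since start, target address, advertised link-layer address)
SAMPLE_NAS = [
    (0,  "2001:db8::3",   "90:3a:2b:06:2c:d1"),
    (5,  "2001:db8::1",   "00:11:22:33:44:55"),
    (30, "2001:db8::3",   "90:3A:2B:06:2C:D1"),   # same host, different case
    (41, "2001:db8::3",   "de:ad:be:ef:00:01"),
    (42, "2001:db8::1",   "de:ad:be:ef:00:01"),
    (43, "2001:DB8:0::3", "de:ad:be:ef:00:01"),   # same target, other spelling
]

def find_nd_conflicts(observations):
    """Report advertisements that contradict the first binding seen for a target."""
    bindings = {}   # normalised target address -> first link-layer address seen
    alerts = []
    for ts, target, lladdr in observations:
        addr = ipaddress.IPv6Address(target)      # normalises textual variants
        mac = lladdr.lower().replace("-", ":")
        known = bindings.setdefault(addr, mac)
        if known != mac:
            # The first binding stays in place so repeated claims keep alerting.
            alerts.append((ts, str(addr), known, mac))
    return alerts

def takeover_counts(alerts):
    """Count how many distinct addresses each link-layer address has contested."""
    claimed = defaultdict(set)
    for _, addr, _, new_mac in alerts:
        claimed[new_mac].add(addr)
    return {mac: len(addrs) for mac, addrs in claimed.items()}

if __name__ == "__main__":
    found = find_nd_conflicts(SAMPLE_NAS)
    for ts, addr, old, new in found:
        print(f"t={ts}s {addr}: {old} -> {new}")
    print(takeover_counts(found))
```

A changed binding is a signal rather than a verdict: NIC replacements and failover pairs also trigger it, while one link-layer address contesting several addresses (especially the router's) deserves a closer look.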

New Multicast Protocol Helps with Reconnaissance

In the first webinar, we introduced IPv6 multicast addresses.

IPv6 multicast includes a ton of reserved addresses. Here’s a few:

Multicast Address    Reservation
FF02::1              All Host Address
FF02::2              All Router Address (LL)
FF02::9              RIP Routers
FF02::A              EIGRP Routers
FF02::B              Mobile-Agents
FF02::1:2            All DHCP Agents
FF05::2              All Router Address (SL)
FF05::1:3            All DHCP Servers
FF05::1:4            All DHCP Relays
FF0X::101            NTP
FF0X::106            Name Service Server

Attackers can use these multicast addresses to enumerate your network.

Note: RFC 2375

IPv6 Security Controls Lagging Hacking Arsenal/Tools

Attackers already have many IPv6 capable tools:

THC-IPv6 Attack Suite

Unfortunately, IPv6 security controls and products seem to be a bit behind.

IPv6 Security: The Different

Neutral IPv6 Differences of Concern

Some of IPv6’s differences have security connotations that you should know about. However, they aren’t necessarily inherently good or bad.

Typical IPv6 Devices Have Multiple Addresses

You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization

Extra Security Can Cause Insecurity

Firewalls (and Admins) Must Learn New Tricks

EXTRA: The Same

There are some security issues that IPv6 has little effect on:

IPv6 Security: Conclusion

So… Does/Will IPv6 Provide More Security?

Wrapping It Up

Coming Up Next… (1 month from now)

What To Expect from IPv6
• ISP activities
• Connecting the Islands

Thank You!
