how to securely operate an ipv6 network eric vyncke, distinguished engineer,...

How to Securely Operate an IPv6 NetworkEric Vyncke, Distinguished Engineer, [email protected]

@evyncke

1

mailto:[email protected]

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public

Foreword

All topics common to IPv4/IPv6 are unchanged:– Physical security– Role Base Access Control– ....

I took the liberty to include Cisco configuration (as it may be useful for you) but I will not detail them


Agenda Management Plane Control Plane

– Routing Information– Neighbor Discovery– Control Plane Protection

Data Plane– Anti-spoofing– Access Control List– Tunnel loops

Telemetry Forensic Lawful Intercept Summary

3

4

Management Plane


Management over IPv6

SSH, syslog, SNMP, NetFlow all work over IPv6 Dual-stack management plane

– More resilient: works even if one IP version is down– More exposed: can be attacked over IPv4 and IPv6

RADIUS over IPv6 is recent (IOS 15.2(1)T, IOS-XE rls 3.2S)– But, IPv6 RADIUS attributes can be transported over IPv4

As usual, infrastructure ACL is your friend (more to come) as well as out-of-band management

5


IPv6 ACL to Protect VTY

ipv6 access-list VTY permit ipv6 2001:db8:0:1::/64 any

line vty 0 4 ipv6 access-class VTY in

In IOS-XR, the command is ‘access-class VTY ingress’, the IPv4 and IPv6 ACL must have the same name

In IOS-XR, the command is ‘access-class VTY ingress’, the IPv4 and IPv6 ACL must have the same name

Must be done before enabling IPv6 on any interfaceBeware there is no equivalent for HTTP => use ACLMust be done before enabling IPv6 on any interfaceBeware there is no equivalent for HTTP => use ACL

6

For YourReference

Control Plane: Routing Protocols


Preventing IPv6 Routing AttacksProtocol Authentication

BGP, IS-IS, EIGRP no change: – An MD5 authentication of the routing update

OSPFv3 originally pulled MD5 authentication from the protocol and instead relies on transport mode IPsec (for authentication and confidentiality)– But see RFC 6506 (not yet widely implemented)

IPv6 routing attack best practices– Use traditional authentication mechanisms on BGP and IS-IS– Use IPsec to secure protocols such as OSPFv3

8


OSPF or EIGRP Authentication

9

interface Ethernet0/0 ipv6 ospf 1 area 0 ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF

interface Ethernet0/0 ipv6 authentication mode eigrp 100 md5 ipv6 authentication key-chain eigrp 100 MYCHAIN

key chain MYCHAIN key 1key-string 1234567890ABCDEF1234567890ABCDEF accept-lifetime local 12:00:00 Dec 31 2006 12:00:00 Jan 1 2008send-lifetime local 00:00:00 Jan 1 2007 23:59:59 Dec 31 2007

No crypto maps, no ISAKMP: transport mode with static session keys

For YourReference


BGP Route Filters Pretty obvious for customer links For peering, a relaxed one

ipv6 prefix-list RELAX deny 3ffe::/16 le 128ipv6 prefix-list RELAX deny 2001:db8::/32 le 128ipv6 prefix-list RELAX permit 2001::/32ipv6 prefix-list RELAX deny 2001::/32 le 128ipv6 prefix-list RELAX permit 2002::/16ipv6 prefix-list RELAX deny 2002::/16 le 128ipv6 prefix-list RELAX deny 0000::/8 le 128ipv6 prefix-list RELAX deny fe00::/9 le 128ipv6 prefix-list RELAX deny ff00::/8 le 128ipv6 prefix-list RELAX permit 2000::/3 le 48ipv6 prefix-list RELAX deny 0::/0 le 128

Source: http://www.space.net/~gert/RIPE/ipv6-filters.html

10

For YourReference


Link-Local Addresses vs. Global Addresses Link-Local addresses, fe80::/10, (LLA) are isolated

– Cannot reach outside of the link– Cannot be reached from outside of the link – LLA can be configured statically (not the EUI-64 default) to avoid changing

neighbor statements when changing MAC

interface FastEthernet 0/0

ipv6 address fe80::1/64 link-local

11


Link-Local Addresses vs. Global Addresses Could be used on the infrastructure interfaces

– Routing protocols (inc BGP) work with LLA

neighbor fe80::2%FastEthernet0/0

12

Case sensitive !


LLA-Only Pros and Cons

Benefits: – no remote attack against your

infrastructure links: implicit infrastructure ACL*

– Smaller routing table (links do not appear)

– Simpler configuration– Easier to renumber

Cons:– need to provision loopback for:

ICMP for Traceroute ICMP for PMTUD SNMP/NetFlow/syslog/ ...

– No interface ping

13

Special case for IXP:-Usually a specific /64 which is not routed => uRPF will drop ICMP generated (PMTUd) by routers in the IXP-LLA-only on the IXP interfaces => ICMP are generated from a non IXP interface

*: loopbacks are still routable/reachable

Control Plane: Neighbor Discovery


Scanning Made Bad for CPURemote Neighbor Cache Exhaustion RFC 6583

Potential router CPU/memory attacks if aggressive scanning – Router will do Neighbor Discovery... And waste CPU and memory

Local router DoS with NS/RS/…

15

2001:db8::/64

2001:db8::12001:db8::1

2001:db8::2

2001:db8::2

2001:db8::3

2001:db8::3

NS: 2001:db8::1NS: 2001:db8::1

NS: 2001:db8::2NS: 2001:db8::2

NS: 2001:db8::3NS: 2001:db8::3

NS: 2001:db8::1NS: 2001:db8::1

NS: 2001:db8::2NS: 2001:db8::2

NS: 2001:db8::3NS: 2001:db8::3

NS: 2001:db8::1NS: 2001:db8::1

NS: 2001:db8::2NS: 2001:db8::2

NS: 2001:db8::3NS: 2001:db8::3


Mitigating Remote Neighbor Cache Exhaustion

Built-in rate limiter with options to tune it– Since 15.1(3)T: ipv6 nd cache interface-limit– Or IOS-XE 2.6: ipv6 nd resolution data limit – Destination-guard is part of First Hop Security phase 3– Priority given to refresh existing entries vs. discovering new ones (RFC 6583)

Using a /64 on point-to-point links => a lot of addresses to scan!– Using /127 could help (RFC 6164)

Internet edge/presence: a target of choice– Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses

only Using infrastructure ACL prevents this scanning

– iACL: edge ACL denying packets addressed to your routers – Easy with IPv6 because new addressing scheme can be done

16

http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-assessment-mitigation-strategies-part-1


Simple Fix forRemote Neighbor Cache Exhaustion

Ingress ACL allowing only valid destination and dropping the rest NDP cache & process are safe Requires DHCP or static configuration of hosts

2001:db8::/64

2001:db8::12001:db8::1

2001:db8::2

2001:db8::2

2001:db8::3

2001:db8::3

NS: 2001:db8::1NS: 2001:db8::1

NA: 2001:db8::1NA: 2001:db8::1

2001:db8::2

2001:db8::2

2001:db8::3

2001:db8::3

17


ARP Spoofing is now NDP Spoofing:Threats

ARP is replaced by Neighbor Discovery Protocol– Nothing authenticated– Static entries overwritten by dynamic ones

Stateless Address Autoconfiguration – rogue RA (malicious or not)– All nodes badly configured

DoS Traffic interception (Man In the Middle Attack)

Attack tools exist (from THC – The Hacker Choice)– Parasit6– Fakerouter6– ...

18


ARP Spoofing is now NDP Spoofing:Mitigation

GOOD NEWSGOOD NEWS: dynamic ARP inspection for IPv6 is available – First phase (Port ACL & RA Guard) available since Summer 2010– Second phase (NDP & DHCP snooping) starting to be available since Summer 2011– http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html

(Kind of ) (Kind of ) GOOD NEWSGOOD NEWS: Secure Neighbor Discovery– SeND = NDP + crypto – IOS 12.4(24)T– But not in Windows Vista, 2008 and 7, Mac OS/X, iOS, Android– Crypto means slower...

Other GOOD NEWSGOOD NEWS:– Private VLAN works with IPv6– Port security works with IPv6– IEEE 801.X works with IPv6 (except downloadable ACL)

19

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html


Mitigating Rogue RA: Host Isolation

Prevent Node-Node Layer-2 communication by using:– Private VLANs (PVLAN) where nodes (isolated port) can

only contact the official router (promiscuous port)– WLAN in ‘AP Isolation Mode’ – 1 VLAN per host (SP access network with Broadband

Network Gateway)

Link-local multicast (RA, DHCP request, etc) sent only to the local official router: no harm

Can break DAD– Advertise the SLAAC prefix without

the on-link bit to force router to do ‘proxy-ND’

20

Isolated PortIsolated Port

RA

RA

RA

RA

RA

Promiscuous Port

Promiscuous Port


First Hop Security: RAguard since 2010RFC 6105

Port ACL blocks all ICMPv6 RA from hostsinterface FastEthernet0/2 ipv6 traffic-filter ACCESS_PORT in access-group mode prefer port

RA-guard lite (12.2(33)SXI4 & 12.2(54)SG ): also dropping all RA received on this port

interface FastEthernet0/2 ipv6 nd raguard access-group mode prefer port

RA-guard (12.2(50)SY, 15.0(2)SE)ipv6 nd raguard policy HOST device-role hostipv6 nd raguard policy ROUTER device-role routeripv6 nd raguard attach-policy HOST vlan 100interface FastEthernet0/0 ipv6 nd raguard attach-policy ROUTER

21

HOSTDevice-role

HOSTDevice-role

RA

RA

RA

RA

RA

ROUTERDevice-roleROUTER

Device-role

Can also enforce MTU, prefix, ... In

RA

Control Plane Protection


Control Plane Policing for IPv6Protecting the Router CPU

Against DoS with NDP, Hop-by-Hop, Hop Limit Expiration... See also RFC 6192

24

For YourReference

Data Plane


R1R2

Serial 0/02001:db8::1/64

Serial 0/02001:db8::2/64

1) To 2001:db8::3

2) To 2001:db8::33) To 2001:db8::3

4) To 2001:db8::3

.... 5) To 2001:db8::3

DoS ExamplePing-Pong over Physical Point-to-Point

Same as in IPv4, on real P2P without NDP, if not for me, then send it on the other side... Could produce looping traffic

Classic IOS and IOS-XE platforms implement RFC 4443 so this is not a threat– Except on 76xx see CSCtg00387 (tunnels) and few others– IOS-XR see CSCsu62728– Else use /127 on P2P link (see also RFC 6164)– Or use infrastructure ACL or only link-local addresses

26


IPv6 Intranet

IPv6 Bogon and Anti-Spoofing Filtering

IPv6 nowadays has its bogons:– http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

Every network should implement two forms of anti-spoofing protections:– Prevent spoofed addresses from entering the network– Prevent the origination of packets containing spoofed source addresses

Anti-spoofing in IPv6 same as IPv4 – => Same technique for single-homed edge= uRPF

Inter-Networking Device with uRPF Enabled

IPv6 Unallocated Source Address

X IPv6 Intranet/Internet

No Route to SrcAddr => Drop

27

http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt


Bogons Filtering

Detailed & updated list at:– http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

Or simpler but more relaxedipv6 access-list NO_BOGONS remark Always permit ICMP unreachable (Path MTU Discovery & co) permit icmp any any unreachable remark Permit only large prefix blocks from IANA permit ip 2001::/16 any permit ip 2002::/16 any permit ip 2003::/18 any permit ip 2400::/12 any permit ip 2600::/10 any permit ip 2800::/12 any permit ip 2a00::/12 any permit ip 2c00::/12 any Remark implicit deny at the end (but see later)

Source: http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xml

28

http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt


Remote Triggered Black Hole

RFC 5635 RTBH is easy in IPv6 as in IPv4 uRPF is also your friend for blackholing a source RFC 6666 has a specific discard prefix

– 100::/64

http://www.cisco.com/web/about/security/intelligence/ipv6_rtbh.html

29

Source: Wikipedia Commons


Parsing the Extension Header Chain

Finding the layer 4 information is not trivial in IPv6– Skip all known extension header– Until either known layer 4 header found => MATCHMATCH– Or unknown extension header/layer 4 header found... => NO MATCHNO MATCH

30

IPv6 hdr HopByHop Routing AH TCP data

IPv6 hdr HopByHop Routing AH Unknown L4 ???


Parsing the Extension Header ChainFragmentation Matters!

Extension headers chain can be so large than it must be fragmented!

RFC 3128 is not applicable to IPv6

Layer 4 information could be in 2nd fragment

IPv6 hdr HopByHop Routing DestinationFragment1

IPv6 hdr HopByHop Fragment2 TCP DataRouting

Layer 4 header is in 2nd fragment


Parsing the Extension Header ChainFragments and Stateless Filters

RFC 3128 is not applicable to IPv6 but– RFC 6980 ‘nodes MUST silently ignore NDP ... If packets include a fragmentation header’ ;-)

Layer 4 information could be in 2nd fragment

But, stateless firewalls could not find it if a previous extension header is fragmented

IPv6 hdr HopByHop Routing Destination …Fragment1

Layer 4 header is in 2nd fragment,Stateless filters have no clue where to find it!

IPv6 hdr HopByHop Fragment2 TCP DataRouting … Destination


IOS IPv6 Extended ACL

Can match on– Upper layers: TCP, UDP, SCTP port numbers, ICMPv6 code and type– TCP flags SYN, ACK, FIN, PUSH, URG, RST – Traffic class (only six bits/8) = DSCP, Flow label (0-0xFFFFF)

IPv6 extension header– routing matches any RH, routing-type matches specific RH– mobility matches any MH, mobility-type matches specific MH– dest-option matches any destination options– auth matches AH– hbh matches hop-by-hop (since 15.2(3)T)

fragments keyword matches – Non-initial fragments

undetermined-transport keyword does not match if– TCP/UDP/SCTP and ports are in the fragment– ICMP and type and code are in the fragment– Everything else matches (including OSPFv3, …) – Only for deny ACE

33

Check your platform & release as your mileage can vary…

CRITICAL without this, there is a way to bypass STATELESS ACL!


IPv6 ACL Implicit Rules

Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:

Nexus 7000 also allows RS & RA

Be careful when adding « deny ipv6 any any log » at the end

permit icmp any any nd-napermit icmp any any nd-nsdeny ipv6 any any

permit icmp any any nd-napermit icmp any any nd-nsdeny ipv6 any any log

34


Example: Generic ACL on PE-CE or Peering

35

ipv6 access-list SIMPLE

remark To be reviewed for potential customization (e.g. use of ULA)

remark Drop evil routing header type 0

deny ipv6 any any routing-type 0

remark allow DAD

permit IPv6 host :: 2000::/3

permit IPv6 host :: FE80::/10

remark Allow unicast global to other valid destinations

permit ipv6 2000::/3 2000::/3

permit ipv6 2000::/3 FE80::/10

permit ipv6 2000::/3 FF00::/8

remark Allow link-local to other valid destinations

permit ipv6 FE80::/64 FE80::/64

permit ipv6 FE80::/64 FF02::/10

permit ipv6 FE80::/63 2000::/3

remark Catch-up

deny ipv6 any any

For YourReference


Controls are AvailableFor Example: Cisco IPv6 Security Products

ASA Firewall (Since version 7.0 released 2005)

– Flexibility: Dual stack, IPv6 only, IPv4 only

– SSL VPN for IPv6 over IPv4 (ASA 8.0) over IPv6 (ASA 9.0)

– Stateful-Failover (ASA 8.2.2)

– Extension header filtering and inspection (ASA 8.4.2)

– Dual-stack ACL & object grouping (ASA 9.0)

ASA-SM– Leverage ASA code base, same features ;-) 16 Gbps of IPv6 throughput

IOS Firewall (IOS 12.3(7)T - released 2005; Zone-based firewall on IOS-XE 3.6 2012)

IPS (Since 6.2 - released 2008)

Email Security Appliance (ESA) under beta testing since 2010, IPv6 support since 7.6.1 (May 2012)

Web Security Appliance (WSA) with explicit and transparent proxy Cisco Cloud Web Security (ScanSafe) work in progress (need IPv6 connectivity for all

towers...) FIREpower NGIPS provides Decoder for IPv4 & IPv6 Packets

36


Looping Attack Between 6to4 and ISATAP (RFC 6324)

Root cause– Same IPv4 encapsulation (protocol 41)– Different ways to embed IPv4 address in the

IPv6 address ISATAP router:

– accepts 6to4 IPv4 packets– Can forward the inside IPv6 packet back to 6to4

relay Symmetric looping attack exists

6to4 relay192.0.2.1

ISATAP routerPrefix 2001:db8::/64192.0.2.2

1. Spoofed packetS: 2001:db8::200:5efe:c000:201D: 2002:c000:202::1

2. IPv4 Packet to 192.0.2.2 containingS: 2001:db8::200:5efe:c000:201D: 2002:c000:202::1

3. IPv6 packetS: 2001:db8::200:5efe:c000:201

D: 2002:c000:202::1

Repeat until Hop Limit == 0

Mitigation:•Easy on ISATAP routers: deny packets whose IPv6 is its 6to4•Less easy on 6to4 relay: block all ISATAP-like local address?•Good news: not so many open ISATAP routers on the Internet•Do not announce the 6to4 relay address outside of your AS and accepts protocol-41 packets only from your AS

37


IPv4

6to4/6rd router

IPv6

Internet6to4/6rd relay

6to4/6rd router

tun

ne

l

Direct tunneled traffic ignores

hub ACL

ACL

6to4/6rd Tunnels Bypass Centralized ACL

6rd CPE router can be configured to always go through hubDirect CPE-CPE communication must then be forbidden by IPv4 network6rd CPE router can be configured to always go through hubDirect CPE-CPE communication must then be forbidden by IPv4 network

38


6rd Relay Security Issues

6rd is more constrained than 6to4, hence more secure IPv4 ACL (or IPv4 routing) can limit the 6rd packets to the 6rd domain within the ISP

– No more open relay– No more looping attacks

39


Secure IPv6 over IPv4/6 Public Internet No traffic sniffing No traffic injection No service theft

40

Public Network Site 2 Site Remote Access

IPv4

6in4/GRE Tunnels Protected by IPsec

DMVPN 12.4(20)T

ISATAP Protected by RA IPsec

SSL VPN Client AnyConnect

IPv6 IPsec VTI 12.4(6)T

DMVPN 15.2(1)T

AnyConnect 3.1 & ASA 9.0

Telemetry

IPv6 security is similar to IPv4 securityNo excuse to operate an insecure IPv6 network


Available Tools

Usually IPv4 telemetry is available SNMP MIB

– Not always available yet on Cisco gears Flexible Netflow for IPv6

– Available in : 12.4(20)T, 12.2(33)SRE– Public domain tools: nfsen, nfdump, nfcpad…

42


IPv6 MIB ImplementationIP FWD

(ROUTES)IP ICMP TCP UDP

Original IPv4 only 2096 2011 2012 2013

IPv6 only 2465 2466 2452 2454

Protocol Version Independent (PVI)

rfc2096-update

=

4292

rfc2011-update

=

4293 = IP-MIB

rfc2012-update

=

4022

rfc2013-update

=

4113

IPv4/IPv6 stats can be monitored from CLI “show interface accounting” on most platforms

RFC 4292 and 4293 – Interface Stats table are added, also required HW support

Tunnel MIB (RFC 4087)

43

For YourReference


Using SNMP to Read Interfaces Traffic

44

evyncke@charly:~$ snmpwalk -c secret -v 1 udp6:[2001:db8::1] –Cw 70 -m IP-MIB ipNetToPhysicalPhysAddress

SNMP table: IP-MIB::ipIfStatsTable

index ipIfStatsInReceives ipIfStatsHCInReceives ipIfStatsInOctets

ipv4.1 683929 ? 55054803

ipv4.2 1123281 ? 107467461

ipv6.1 152612 ? 17261398

ipv6.2 15083935 ? 2131680450

evyncke@charly:~$ snmpwalk -c secret -v 1 udp6:[2001:db8::1] –Cw 70 ifTabl

SNMP table: IF-MIB::ifTable

index ifIndex ifDescr ifType ifMtu ifSpeed

1 1 FastEthernet0/0 ethernetCsmacd 1500 100000000

2 2 FastEthernet0/1 ethernetCsmacd 1500 100000000

For YourReference


Using SNMP to Read IPv4/IPv6 Neighbors Cache

45

evyncke@charly:~$ snmpwalk -c secret -v 1 udp6:[2001:db8::1] -m IP-MIB ipNetToPhysicalPhysAddress

IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.2" = STRING: 0:13:c4:43:cf:e

IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.3" = STRING: 0:23:48:2f:93:24

IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4."192.168.0.4" = STRING: 0:80:c8:e0:d4:be

...

IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:07:e9:ff:fe:f2:a0:c6" = STRING: 0:7:e9:f2:a0:c6

IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:20:4a:ff:fe:bf:ff:5f" = STRING: 0:20:4a:bf:ff:5f

IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:30:56:da:9d:23:91:5e:ea" = STRING: 78:ca:39:e2:43:3

...

evyncke@charly:~$ snmptable -c secret -v 1 udp6:[2001:db8::1] -Ci -m IP-MIB ipNetToPhysicalTable

For YourReference


NetFlow Versions

46

NetFlow Version Comments

1 Original

5 Standard and most common

7

Specific to Cisco Catalyst 6500 and 7600 Series Switches

Similar to version 5, but does not include AS, Interface, TCP Flags, and ToS Information

8Choice of 11 aggregation schemes

Reduces resource usage

9Flexible, extensible file export format to enable easier support of additional fields and technologies; coming out now are MPLS, Multicast, and BGP Next-Hop

For YourReference


Flexible Flow Record: IPv6 Key Fields

IPv6

IP (Source or Destination)

Payload Size

Prefix (Source or Destination)

Packet Section (Header)

Mask (Source or Destination)

Packet Section (Payload)

Minimum-Mask (Source or Destination)

DSCP

Protocol Extension

Traffic Class Hop-Limit

Flow Label Length

Option Header Next-header

Header Length Version

Payload Length

Interface Input

Output

RoutingDestination AS

Peer AS

Traffic Index

Forwarding Status

Is-Multicast

IGP Next Hop

BGP Next Hop

TransportDestination Port TCP Flag: ACK

Source Port TCP Flag: CWR

ICMP Code TCP Flag: ECE

ICMP Type TCP Flag: FIN

IGMP Type TCP Flag: PSH

TCP ACK Number TCP Flag: RST

TCP Header Length TCP Flag: SYN

TCP Sequence Number

TCP Flag: URG

TCP Window-Size UDP Message Length

TCP Source Port UDP Source Port

TCP Destination Port

UDP Destination Port

TCP Urgent Pointer

Flow Sampler ID

Direction

47

For YourReference


Flexible Flow Record: IPv6 Extension Header Map

Bits 11-31 Bit 10 Bit 9 Bit 8 Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0

Res ESP AH PAY DST HOP Res UNK FRA0 RH FRA1 Res

FRA1: Fragment header – not first fragment

RH: Routing header

FRA0: Fragment header – First fragment

UNK: Unknown Layer 4 header (compressed, encrypted, not supported)

HOP: Hop-by-hop extension header

DST: Destination Options extension header

PAY: Payload compression header

AH: Authentication header

ESP: Encapsulating Security Payload header

Res: Reserved48

For YourReference


Flexible NetFlow Exporter, Record and Monitorflow exporter FLOW-EXPORTER destination 2001:db8::1 <<< IPv6 is supported transport udp 9995

flow record FLOW-RECORD match ipv6 source address <<< key fields match ipv6 destination address match ipv6 protocol collect counter bytes <<< non key fields collect counter packets collect datalink mac source address input <<< can also collect MAC addresses ;-)

flow monitor FLOW-MONITOR ; record netflow ipv6 original-output <<< for traditional NetFlow records record FLOW-RECORD exporter FLOW-EXPORTER statistics packet protocol statistics packet size

interface GigEthernet0/15 ipv6 flow monitor FLOW-MONITOR output

49

For YourReference


Netflow Reverse Usage

Scanning an IPv6 network is impossible (address space too large) How can we run a security audit? Easy

– Get all IPv6 addresses from Netflow– Note: scanning link-local addresses requires layer-2 adjacency, i.e.

Ping6 ff02::1

50


Vulnerability Scanning in a Dual-Stack World

Finding all hosts:– Address enumeration does not work for IPv6– Need to rely on DNS or NDP caches or NetFlow

Vulnerability scanning– IPv4 global address, IPv6 global address(es) (if any), IPv6 link-local address– Some services are single stack only (currently mostly IPv4 but who knows...)– Personal firewall rules could be different between IPv4/IPv6

IPv6 vulnerability scanning MUST be done for IPv4 & IPv6 even in an IPv4-only network– IPv6 link-local addresses are active by default

51

Forensic


Multiple Facets to IPv6 Addresses

Every host can have multiple IPv6 addresses simultaneously– Need to do correlation! – Alas, no Security Information and Event Management (SIEM) supports IPv6– Usually, a customer is identified by its /48

Every IPv6 address can be written in multiple ways– 2001:0DB8:0BAD::0DAD– 2001:DB8:BAD:0:0:0:0:DAD– 2001:db8:bad::dad (this is the canonical RFC 5952 format)– => Grep cannot be used anymore to sieve log files…

53


Perl to Canonical IPv6 Addresses#!/usr/bin/perl –wuse strict ;use Socket ;use Socket6 ;

my (@words, $word, $binary_address) ; ## go through the file one line at a timewhile (my $line = <STDIN>) {

@words = split /[ \n]/, $line ;foreach $word (@words) {

$binary_address = inet_pton AF_INET6, $word ;if ($binary_address) {

print inet_ntop AF_INET6, $binary_address ;} else {

print $word ;}print " " ;

}print "\n" ;

}

54

For YourReference


Perl Grep6#!/usr/bin/perl –wuse strict ;use Socket ;use Socket6 ;

my (@words, $word, $binary_address, $address) ; $address = inet_pton AF_INET6, $ARGV[0] ;if (! $address) { die "Wrong IPv6 address passed as argument" ; }

## go through the file one line at a timewhile (my $line = <STDIN>) {

@words = split /[ \n\[\]]/, $line ;foreach $word (@words) {

$binary_address = inet_pton AF_INET6, $word ;if ($binary_address and $binary_address eq $address) {

print $line ;next ;

}}

}

55

For YourReference


How to Find the MAC Address of an IPv6 Address?

Easy if EUI-64 format as MAC is embedded

–2001:db8::0226:bbff:fe4e:9434– (need to toggle bit 0x20 in the first MAC byte = U/L)

– Is 00:26:bb:4e:94:34

56



DHCPv6 address or prefix… the client DHCP Unique ID (DUID) can be– MAC address: trivial– Time + MAC address: simply take the last 6 bytes– Vendor number + any number: no luck… next slide can help– No guarantee of course that DUID includes the real MAC address.

# show ipv6 dhcp binding Client: FE80::225:9CFF:FEDC:7548 DUID: 000100010000000A00259CDC7548 Username : unassigned Interface : FastEthernet0/0 IA PD: IA ID 0x0000007B, T1 302400, T2 483840 Prefix: 2001:DB8:612::/48 preferred lifetime 3600, valid lifetime 3600 expires at Nov 26 2010 01:22 PM (369) 57


DHCPv6 in Real Live…

Not so attractive Only supported in Windows Vista, and Windows 7, Max OS/X Lion

– Not in Linux (default installation), …

Windows Vista does not place the used MAC address in DUID but any MAC address of the PC

# show ipv6 dhcp binding Client: FE80::FDFA:CB28:10A9:6DD0 DUID: 0001000110DB0EA6001E33814DEE Username : unassigned IA NA: IA ID 0x1000225F, T1 300, T2 480 Address: 2001:DB8::D09A:95CA:6918:967 preferred lifetime 600, valid lifetime 600 expires at Oct 27 2010 05:02 PM (554 seconds)

Actual MAC address:0022.5f43.6522Actual MAC address:0022.5f43.6522

58



Last resort… look in the live NDP cache (CLI or SNMP)

If no more in cache, then you should have scanned and saved the cache… EEM can be your friend First-Hop Security phase II can generate a syslog event on each new binding

– ipv6 neighbor binding logging

#show ipv6 neighbors 2001:DB8::6DD0IPv6 Address Age Link-layer Addr State Interface

2001:DB8::6DD0 8 0022.5f43.6522 STALE Fa0/1

59

Lawful Intercept


Which Target?

Target could be– Host address /128: probably very rare– Subscriber prefix /48 or /56– Layer-2 address (MAC address)– Circuit – PPP session– Content of 6RD/MAP-T/DS-lit tunnel by intercepting the external addresses

Targets based not based on IPv6 addresses are ‘as usual’ and can be done as usual from a SP perspective– Of course mediation device & LEA must understand IPv6

61

Summary


Key Takeaway /1

Management plane– Protect management plane with access-class

Control plane– Authenticate IGP– Consider the use of link-local on P-P links?– Mitigate rogue-RA with RA-guard– Configure control plane policing

Data plane– Beware of ping-pong on not /127 real P2P link– Apply anti-spoofing, anti-bogons– Disable source routing– Use ACL where applicable

ACL must permit NDP

63


Key Takeaway /2

Telemetry– SNMP MIB and Netflow v9 are your friends– Netflow can be used for inventory

Forensic– Multiple addresses per node, multiple ways to write an IPV6 address– Finding MAC address from IPv6:

EUI-64, DHCPv6 (not so trivial) else periodic NDP cache dumps...

Lawful Interception– implemented, missing mediation device

64


Conclusion

As expected IPv6 secure operations are quite similar to IPv4– Main differences at layer 2– Tunnels complicate everything– Lack of correlation tools

65

Questions and Answers?


List of Acronyms

6rd: 6 Rapid Deployment

AAA: Authentication, Authorization, Accounting

CGA: Cryptographically Generated Address

DUID: DHCP Unique ID

EUI-64: Extended Unique ID

IPSec: IP Security

ISATAP: Intra-Site Automatic Tunnel Addressing Protocol

LEA: Law Enforcement Agency

LLA: Link-Local Address

MD5: Message Digest 5

NDP: Neighbor Discovery Protocol

PIM: Protocol Independent Multicast

PMTUD: Path MTU Discovery

RA: Router Advertisement

RIPng: Routing Information Protocol Next Generation

SEND: Secure Neighbor Discovery

SSH: Secure SHell

68

For YourReference

how to securely operate an ipv6 network eric vyncke, distinguished engineer,...

Documents

cisco public ipv6 acl

ipv6 ssh

cisco andor

ipv6 prefixlist

ipv6 accessclass vty

cisco public management

ipv6 radius attributes

cisco public ospf