IPv6 Security: Firewall Considerations

Prof. Dr. Sureswaran Ramadass
Director, National Advanced IPv6 Centre (NAv6)
Universiti Sains Malaysia


Post on 22-Dec-2015


Why IPv6?

1. Exhaustion of the IANA IPv4 free pool.
2. Awareness activities such as the IPv6 Forum and “World IPv6 Day”.
3. Imminent exhaustion of the free pool of IPv4 addresses at the different RIRs.
4. All OSes have IPv6 support: part of your network is already running IPv6!
5. IPv6 is the only way moving forward! How about NAT???

NAT Causes Problems

• Breaks globally unique address model
• Breaks address stability
• Breaks always-on model
• Breaks peer-to-peer model
• Breaks some applications
• Breaks some security protocols
• Breaks some QoS functions
• Introduces a false sense of security
• Introduces hidden costs

Drivers for IPv6

• An explosion of Internet applications, games, information sources, and financial transactions.
• The movement of traditional services such as voice and video from legacy circuit-based infrastructures to IP networks.
• Millions of new IP-enabled mobile devices, with millions more projected in the near future.
• Expanding economies in populous countries such as China and India, and developing economies throughout the world.
• Burgeoning consumer electronics industries finding new ways to exploit IP capabilities.
• Emerging IP-enabled sensor networks for industrial, medical, and military applications.

IPv6 Deployment has begun

[Graphic: Migration / Deployment / IPv6]

RIRs have been allocating IPv6 address space since 1999.

Thousands of organizations have received an IPv6 allocation to date.

ARIN has IPv6 distribution policies for service providers, community networks, and end-user organizations.

IPv4 & IPv6 Coexistence

• Today, the Internet is predominantly based on IPv4.

• For the foreseeable future, the Internet must run both IP versions (IPv4 & IPv6) at the same time. (When done on a single device, this is called the “dual-stack” approach.)

• Deployment is already underway: Today, there are organizations attempting to reach your mail, web, and application servers via IPv6...


The Big IPv6 Security Question

Is IPv6 more/less secure than IPv4?

Does IPv6 help or hinder network security?

The answer is not that simple!

Types of IPv6 Security Issues

• Issues due to the IPv6 protocol itself
• Issues due to transition mechanisms
• Issues due to IPv6 deployment.

used in

Co-existence Security Concerns

• Dual-stacking increases the complexity of the network, and thus the number of potential vulnerabilities.
• Co-existence traffic usually results in complex traffic (with multiple encapsulations).
• This increases the difficulty of performing Deep Packet Inspection (DPI).
• Increase in complexity of firewall filtering policies or detection.
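The encapsulation problem above, as an added example that is not part of the original slides: a gateway that only evaluates the outer IPv4 header sees protocol 41 between two IPv4 hosts, so the inner IPv6 header has to be decoded before the IPv6 policy can be applied. The function names, the `tunnel_peers` and `protected_v6` parameters and the verdict strings are assumptions of this example; the sample packet is constructed from documentation address ranges.

```python
import ipaddress
import struct

IPV6_IN_IPV4 = 41   # IPv4 protocol number that carries an encapsulated IPv6 packet (6in4)

def inner_ipv6(ipv4_pkt):
    """Return (src, dst, next_header) of the IPv6 packet inside protocol 41, else None."""
    if len(ipv4_pkt) < 20 or ipv4_pkt[0] >> 4 != 4:
        return None
    ihl = (ipv4_pkt[0] & 0x0F) * 4          # IPv4 header length, options included
    if ihl < 20 or ipv4_pkt[9] != IPV6_IN_IPV4:
        return None
    inner = ipv4_pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return (ipaddress.IPv6Address(inner[8:24]),
            ipaddress.IPv6Address(inner[24:40]), inner[6])

def verdict(ipv4_pkt, tunnel_peers, protected_v6):
    """Hypothetical gateway policy: tunnels only from known peers, and the inner
    destination is judged by the IPv6 policy rather than the IPv4 one."""
    if len(ipv4_pkt) < 20 or ipv4_pkt[9] != IPV6_IN_IPV4:
        return "apply-ipv4-policy"
    outer_src = ipaddress.IPv4Address(ipv4_pkt[12:16])
    decoded = inner_ipv6(ipv4_pkt)
    if decoded is None or outer_src not in tunnel_peers:
        return "drop"
    _src, dst, _next_header = decoded
    return "drop" if dst in protected_v6 else "apply-ipv6-policy"

def sample_6in4(outer_src, outer_dst, inner_src, inner_dst, next_header):
    """Constructed packet: 20-byte IPv4 header (checksum left 0) plus a bare IPv6 header."""
    v6 = struct.pack("!IHBB", 6 << 28, 0, next_header, 64)
    v6 += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    v4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, IPV6_IN_IPV4, 0)
    v4 += ipaddress.IPv4Address(outer_src).packed + ipaddress.IPv4Address(outer_dst).packed
    return v4 + v6
```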

IPv6 Deployment Security Concerns

• There is much less experience with IPv6 than with IPv4
• IPv6 implementations are less mature than their IPv4 counterparts
• Security products (firewalls, NIDS, etc.) have less support for IPv6 than for IPv4
• The complexity of the resulting network will increase during the transition/co-existence period:
– Two internetworking protocols (IPv4 and IPv6)
– Increased use of NATs
– Increased use of tunnels
– Use of other transition/co-existence technologies
• Lack of well-trained IPv6 engineers.

Areas of Concern of IPv6 Deployment

• System Security
• Security Training & Experience
• Hackers
• Application Security
• Network Security

• Attackers already have many IPv6-capable tools:

THC-IPv6 Attack Suite
– Alive6
– Parasite6
– Redir6
– Fake_Router6
– Detect-New-IPv6
– DoS-New-IPv6
– Smurf6
– rSmurf6
– TooBig6
– Fake_MIPv6
– Fake_mld6
– Fake_Advertiser6
– SendPees6
– DNSDict6
– Trace6
– Flood_Router6
– Flood_Advertise6
– Fuzz_IP6
– etc…

Unfortunately, IPv6 security controls and products seem to be a bit behind.

IPv6 Security Hacking Arsenal/Tools

• THC-IPv6 Attack Suite
• Nmap
• iNetmon/Wireshark
• Multi-Generator (MGEN)
• IPv6 Security Scanner (vscan6)
• Halfscan6
• Strobe
• Netcat6
• Imps6-tools
• Relay6
• 6tunnel
• NT6tunnel
• VoodooNet
• Scapy6
• Metasploit (etc.)
• Web Browsers (XSS & SQLi)
• TCPDump
• COLD
• Spak6
• Isic6
• Hyenae
• SendIP
• Packit
• 4to6ddos
• 6tunneldos

IPv6 and Firewall

Host Based Firewalls

• On Windows, many third party host based firewalls have only limited support for IPv6.
– Some have none at all.
– Others may even block some mechanisms such as DHCPv6 or SLAAC.
– In Windows 7 and above, the built-in firewall has excellent support for IPv6.
• On *BSD, the pf kernel-based packet filter can easily be deployed as an excellent host based dual stack firewall. You can even build a full gateway firewall using it.
• The pfsense open source project has built a good GUI around pf, but has very limited support for IPv6.
• On Linux, netfilter/iptables is roughly equivalent to *BSD’s pf, but is not as complete and also does have support for IPv6.

Gateway Firewalls

• In addition to all the typical gateway firewall mechanisms and controls for IPv4 (including port forwarding and NAT), true dual-stack gateway firewalls should include the following new features:
– Support for native dual stack service, plus tunnel endpoint support for one or more mechanisms including 6in4, TSP, 6rd, and even 4in6.
– Configurable Router Advertisement Daemon
– Support for multiple internal subnets with different /64 prefixes into each internal subnet.
– Packet filtering controls for IPv6 traffic independent of controls for IPv4.
– Independent control over all ICMPv6 messages
– Dual stack application layer proxies for the most common protocols (HTTP, SMTP, SIP, etc)

Typical IPv6 Devices Have Multiple Addresses

• At least a Link-Local Address (FE80::/10)
• Likely a Unique Global Address (2000::/3)
• Possibly a Site-Local Address (FC00::/7)

You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization

Firewalls (and Admins) Must Learn New Tricks

• How to filter ICMPv6?
• Handling new extension headers
• Filtering Multicast and Anycast
• Hosts w/multiple addresses

ICMPv6

• More powerful than ICMPv4
• ICMPv6 uses IPv6 extension header # 58 (RFC 2463)

Type  Description
1     Destination Unreachable
2     Packet too Big
3     Time exceeded
4     Parameter problem
128   Echo Request
129   Echo Reply
130   Multicast Listener Query – sent to ff02::1 (all nodes)
131   Multicast Listener Report
132   Multicast Listener Done – sent to ff02::2 (all routers)
133   Router Solicitation (RS) – sent to ff01::2 (all routers)
134   Router Advertisement (RA) – sent to ff01::1 (all nodes)
135   Neighbor Solicitation (NS) – sent to ff02:0:0:0:0:1:ff00::/104
136   Neighbor Advertisement (NA)
137   Redirect
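One way to approach "How to filter ICMPv6?" and "Handling new extension headers" together, as an added example that is not part of the original slides: the filter first walks the extension header chain to find the upper-layer protocol, then decides per ICMPv6 type from the table above. The grouping of types into policy classes, the `forwarded` flag and the verdict strings are assumptions of this example; `sample()` builds constructed test packets.

```python
import struct

ICMPV6, FRAGMENT = 58, 44
GENERIC_EXT = {0, 43, 60}        # hop-by-hop, routing, destination options
ERRORS = {1, 2, 3, 4}            # types from the slide's table
ECHO = {128, 129}
MLD = {130, 131, 132}
ND = {133, 134, 135, 136, 137}

def upper_layer(pkt):
    """Walk the extension-header chain; return (protocol, offset, hop_limit)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not IPv6")
    nxt, hop_limit, off = pkt[6], pkt[7], 40
    while nxt in GENERIC_EXT or nxt == FRAGMENT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                raise ValueError("non-first fragment")   # upper layer not visible
            size = 8
        else:
            size = (pkt[off + 1] + 1) * 8                # length is in 8-octet units
        nxt, off = pkt[off], off + size
    return nxt, off, hop_limit

def icmpv6_verdict(pkt, forwarded):
    """Policy assumed for this example; 'forwarded' means the packet crosses the gateway."""
    try:
        proto, off, hop_limit = upper_layer(pkt)
    except ValueError:
        return "drop"
    if proto != ICMPV6:
        return "not-icmpv6"
    if off >= len(pkt):
        return "drop"
    icmp_type = pkt[off]
    if icmp_type in ERRORS or icmp_type in ECHO:
        return "accept"          # type 2 (Packet too Big) is needed for path MTU discovery
    if icmp_type in MLD:
        return "drop" if forwarded else "accept"
    if icmp_type in ND:          # RFC 4861: receivers require hop limit 255
        return "accept" if not forwarded and hop_limit == 255 else "drop"
    return "drop"

def sample(next_header, hop_limit, payload):
    """Constructed test packet: fixed 40-byte header with ::1 as source and destination."""
    addr = bytes(15) + b"\x01"
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit) + addr * 2 + payload
```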

Prof. Dr. Sureswaran [email protected]

THANK YOU