
IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi - PowerPoint PPT Presentation



  1. IPv6 Security Considerations: Future Challenges
     Prof. Sukumar Nandi
     Dept of Computer Sc. & Engg., Indian Institute of Technology Guwahati

  2. Agenda Outline
     • Motivation for IPv6
     • Brief comparison between IPv6 and IPv4
     • IPv6 Addressing Architecture
     • IPv6 Header Fields
     • IPv6 Extension Headers
     • IPv6 Options
     • Internet Control Message Protocol version 6 (ICMPv6)
     • Neighbor Discovery for IPv6
     • Address Resolution
     • Stateless Address Auto-configuration (SLAAC)

  3. If you use IPv4? I’m Running IPv4…Does This Affect Me?

  4. What about all These?

  5. IPv4 vs IPv6

     |                    | IPv4                      | IPv6                                      |
     |--------------------|---------------------------|-------------------------------------------|
     | Addressing         | 32 bits                   | 128 bits                                  |
     | Address resolution | ARP                       | ICMPv6 NS/NA (+ MLD)                      |
     | Auto-configuration | DHCP & ICMP RS/RA         | ICMPv6 RS/RA & DHCPv6 (optional) (+ MLD)  |
     | Fault Isolation    | ICMPv4                    | ICMPv6                                    |
     | IPsec support      | Optional                  | Mandatory (to "optional")                 |
     | Fragmentation      | Both in hosts and routers | Only in hosts                             |

  6. Protocol Format

  7. Brief comparison of IPv4 and IPv6 (II)
     • Header formats:

  8. IPv6 header  Fixed-length (40-bytes) header

  9. The Big IPv6 Security Question
     Built-In IPSec Offers Better Security… Right?
     • IPSec is a mandatory part of the IPv6 Protocol

  10. First and foremost issue! Unfamiliarity Causes Misconfigurations

  11. What is IPSec?
      Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, anti-replay, and encryption (confidentiality) to IP packets, thus providing secure and private communications.
      Among other things, IPSec consists of:
      • Authentication Headers (AH) – Provides data origin authentication and integrity (protects against replay attacks)
      • Encapsulating Security Payloads (ESP) – Adds encryption to the mix to provide confidentiality

  12. What are IPv6 Extension Headers?
      Dropped options need to go somewhere… header simplification?
      Remember IPv6 Ext. headers may include:
      • Hop-by-hop options
      • Destination Options
      • Routing
      • Fragmentation
      • AH Header
      • ESP Header
      • Etc…
      [Figure: IPv4 Header (20 bytes) beside IPv6 Header (40 bytes), with the dropped IPv4 fields marked; below it, the IPv6 Header followed by a chain of Extension Headers and the Payload]

  13. Built-In IPSec Offers Better Security… Right?
      IPSec is a mandatory part of the IPv6 Protocol. What does this really mean?
      • Part of IPv6 protocol stack, not an optional add-on
      • Implemented with AH and ESP Extension Headers
      • Follows one standard (fewer interop issues)
      • Every IPv6 device can do IPSec
      • However, IPSec usage is still OPTIONAL!
      • Security Associations (SA) must be configured manually, which can be a tedious or impractical task considering the volume.
      • Even if SAs were established, it is not possible to verify the ownership of dynamically generated IP addresses.
      • SAs can be created only by using the Internet Key Exchange (IKE). But IKE requires a functional IP stack in order to function, and this results in a bootstrapping problem.

  14. Wait! Doesn’t IPv4 Offer IPSec too?
      Some truths about IPv6’s additional IPSec Security:
      • IPv4 has it too (though, not “natively”)
      • You don’t have to use it, and most don’t
      • Still complex
      • May require PKI Infrastructure
      So is this really a security benefit?
      • Short term – probably no measurable advantage over IPv4 IPSec
      • Long term – More applications will leverage it now that it’s mandatory!

  15. A Look Back at IPv4 ARP Poisoning
      [Figure: hosts on a LAN with speech bubbles]
      • “Who has 192.168.20.34?”
      • “I Do. Here’s my MAC”
      • “Hey Everyone. I have 192.168.20.34. And 192.168.20.2, I also have 192.168.20.1. And …..”
      No authentication or security

  16. Neighbor Discovery Suffers from Similar Issues
      [Figure: two panels of hosts exchanging ND messages]
      • Neighbor Solicitation: “Who has 2001::3/64?”
      • Neighbor Advertisement: “I Do. Here’s my Layer 2 address”
      • ND Spoofing: “Who has 2001::3/64?” answered with “I Do. Send traffic to me”
      No authentication or security

  17. Many Other Neighbor and Router Discovery Issues
      Other ND related attacks:
      • Duplicate Address Detection (DAD) DoS attack
      • ND spoofing attack for router (allows for MitM)
      • Neighbor Unreachability Detection (NUD) DoS attack
      • Last Hop Router spoofing (malicious router advertisements)
      • And many more… (http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html)
      Solution: SEcure Neighbor Discovery (SEND) – RFC 3971
      • Essentially adds IPSec to ND communications
      • Requires PKI Infrastructure
      • Not available in all OSs yet.
      • 802.1X also an option
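Where SEND is not deployed, the unauthenticated Neighbor Advertisements described on slides 16 and 17 can at least be monitored. The following is an added example, not part of the original slides: it audits a stream of observed NAs with a first-seen binding policy. The record layout, alert names, addresses and MACs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class NeighborAdvert:
    """Fields a sensor would extract from one ICMPv6 Neighbor Advertisement."""
    ts: float
    eth_src: str    # Ethernet source MAC of the frame
    target: str     # NA Target Address
    tll_addr: str   # Target Link-Layer Address option
    router: bool    # R flag
    override: bool  # O flag: asks receivers to replace their cache entry

def audit_adverts(adverts, known_routers=frozenset()):
    """Return alerts as (ts, kind, target, eth_src) using first-seen bindings."""
    bindings, alerts = {}, []
    for na in adverts:
        # Normalise the textual form so 2001:DB8:0:0::3 and 2001:db8::3 compare equal.
        target = str(ipaddress.IPv6Address(na.target))
        if na.tll_addr != na.eth_src:
            alerts.append((na.ts, "tll-differs-from-frame-source", target, na.eth_src))
        if na.router and na.eth_src not in known_routers:
            alerts.append((na.ts, "router-flag-from-unknown-mac", target, na.eth_src))
        first_seen = bindings.setdefault(target, na.tll_addr)
        if first_seen != na.tll_addr:
            kind = "rebind-with-override" if na.override else "rebind"
            alerts.append((na.ts, kind, target, na.eth_src))
    return alerts

# Constructed sample: documentation prefix 2001:db8::/32 and documentation MACs.
HOST, ROUTER, ROGUE = "00:00:5e:00:53:0a", "00:00:5e:00:53:01", "00:00:5e:00:53:66"
SAMPLE = [
    NeighborAdvert(1.0, HOST, "2001:db8::3", HOST, False, False),
    NeighborAdvert(2.0, ROUTER, "fe80::1", ROUTER, True, True),
    NeighborAdvert(3.0, ROGUE, "2001:DB8:0:0::3", ROGUE, False, True),
    NeighborAdvert(4.0, ROGUE, "fe80::1", ROGUE, True, True),
    NeighborAdvert(5.0, HOST, "2001:db8::3", HOST, False, False),
]

if __name__ == "__main__":
    for alert in audit_adverts(SAMPLE, known_routers={ROUTER}):
        print(alert)
```

A first-seen policy flags legitimate address moves as well, so alerts from it need correlation with DHCPv6 or switch port data before action is taken.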

  18. New Multicast Protocol Helps with Reconnaissance
      IPv6 multicast includes a ton of reserved addresses. Here’s a few:

      | Multicast Address | Reservation             |
      |-------------------|-------------------------|
      | FF02::1           | All Host Address        |
      | FF02::2           | All Router Address (LL) |
      | FF02::9           | RIP Routers             |
      | FF02::A           | EIGRP Routers           |
      | FF02::B           | Mobile-Agents           |
      | FF02::1:2         | All DHCP Agents         |
      | FF05::2           | All Router Address (SL) |
      | FF05::1:3         | All DHCP Servers        |
      | FF05::1:4         | ALL DHCP Relays         |
      | FF0X::101         | NTP                     |
      | FF0X::106         | Name Service Server     |

      Attackers can use these multicast addresses to enumerate your network.

  19. IPv6 Security Controls Lagging
      Hacking Arsenal/Tools
      Attackers already have many IPv6 capable tools: THC-IPv6 Attack Suite, TCPDump, Imps6-tools, Alive6, Fake_mld6, COLD, Relay6, Nmap, Fake_Advertiser6, Parasite6, Spak6, 6tunnel, Wireshark, SendPees6, Redir6, Isic6, Hyenae, NT6tunnel, Multi-Generator (MGEN), DNSDict6, Fake_Router6, Detect-New-IPv6, Trace6, IPv6 Security Scanner (vscan6), SendIP, VoodooNet, DoS-New-IPv6, Flood_Router6, Halfscan6, Scapy6, Packit, Smurf6, Flood_Advertise6, Strobe, Metasploit (etc.), 4to6ddos, Fuzz_IP6, rSmurf6, Netcat6, Web Browsers (XSS & SQLi), TooBig6, 6tunneldos, Fake_MIPv6, etc…
      Unfortunately, IPv6 security controls and products seem to be a bit behind.

  20. Typical IPv6 Devices Have Multiple Addresses
      • At least a Link-Local Address (FE80::/10)
      • Likely a Unique Global Address (2000::/3)
      • Possibly a Site-Local Address (FC00::/7)
      You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization

  21. Extra Security Can Cause Insecurity
      [Figure: network diagram labelled “Internet”]

  22. Firewalls (and Admins) Must Learn New Tricks
      • How to filter ICMPv6?
      • Handling new extension headers
      • Filtering Multicast and Anycast
      • Hosts w/multiple addresses
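"Handling new extension headers" means a filter has to walk the Next Header chain from slide 12 before it can see the upper-layer protocol at all. The following is an added example, not part of the original slides: it walks that chain over raw packet bytes and reports structural problems a policy might act on. The finding names, the `max_headers` limit and the sample packet are assumptions constructed for illustration.

```python
import struct

# Extension headers a filter can walk in clear text (ESP, 50, hides what follows).
EXT = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment",
       51: "AH", 60: "Destination Options"}

def walk_chain(pkt: bytes, max_headers: int = 8):
    """Return (extension header names, protocol number where the walk ended, findings)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40             # Next Header field; end of the fixed header
    chain, findings = [], []
    while nh in EXT:
        if len(chain) >= max_headers:
            findings.append("too-many-extension-headers")
            break
        if off + 8 > len(pkt):
            findings.append("truncated-chain")
            break
        if nh == 0 and chain:        # RFC 8200: only directly after the IPv6 header
            findings.append("hop-by-hop-not-first")
        if nh == 44:                 # Fragment header has a fixed size
            size = 8
        elif nh == 51:               # AH: length in 4-byte units, minus 2
            size = (pkt[off + 1] + 2) * 4
        else:                        # others: 8-byte units, first 8 bytes not counted
            size = (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):
            findings.append("truncated-chain")
            break
        chain.append(EXT[nh])
        later_fragment = nh == 44 and struct.unpack_from("!H", pkt, off + 2)[0] >> 3
        nh, off = pkt[off], off + size
        if later_fragment:           # upper-layer header travels in the first fragment
            findings.append("non-first-fragment")
            break
    return chain, nh, findings

def sample_packet() -> bytes:
    """Constructed packet: DestOpts, misplaced Hop-by-Hop, Fragment, ICMPv6 stub."""
    pad8 = lambda next_hdr: bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])  # PadN filler
    body = pad8(0) + pad8(44) + struct.pack("!BBHI", 58, 0, 0, 0x1234)
    body += bytes([128, 0, 0, 0, 0, 0, 0, 1])      # echo request stub, checksum unset
    fixed = struct.pack("!IHBB", 6 << 28, len(body), 60, 64)
    return fixed + bytes(32) + body                # zeroed src/dst as placeholders

if __name__ == "__main__":
    print(walk_chain(sample_packet()))
```

When the walk stops early (truncation, the header limit, or a non-first fragment), the returned protocol number is not a verified upper-layer header, which is why filters commonly treat those findings as grounds to drop.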

  23. EXTRA: The Same
      There are some security issues that IPv6 has little effect on:
      • Application-layer attacks
      • Sniffing
      • Rogue Devices
      • Man-in-the-Middle Attacks
      • Flooding/DoS Attacks

  24. THANK YOU
