ipv6 security
play

IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, - PowerPoint PPT Presentation

IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break 13:00 - 14:00 Lunch 15:30 - 15:45 Break 17:30 End 2 Introductions Name Number in the list Experience with Security and IPv6


  1. 340,282,366,920,938,463,463,374,607,431,768,211,456 End-to-end /64 /64 /64 /64 /64 /64 Multiple Addresses Link-local Global (GUA) Multicast � 45

  2. IPv6 Address Scope SITE GLOBAL LINK INTERFACE fe80::A:b:100 ff01::2 2001:67c:2e:1::c1 FD00:A:B::100 FF05::1:3 ff02::1 � 46

  3. IPv6 Network Scanning 64 bits 64 bits Network Prefix Interface ID (IID) Network Prefix determination (64 bits) Common patterns in addressing plans DNS direct and reverse resolution Traceroute Interface ID determination (64 bits) “brute force” no longer possible � 47

  4. IID Generation Options 64 bits Interface ID (IID) EUI-64 (uses MAC address) “stable” IID for SLAAC Stable, semantically opaque [RFC7217] “temporary” Temporary pseudo-random [RFC4941] IID for SLAAC DHCPv6 Manually Others (CGA, HBA) � 48

  5. SLAAC IIDs Currently • Consider IID bits “ opaque ”, no value or meaning [RFC7136] How to generate IIDs [RFC7217] Different for each interface in the same network prefix Not related to any fixed interface identifier Always the same when same interface connected to same network • This method is widely used and standardised [RFC8064] � 49

  6. Guessing IIDs 64 bits = 18,446,744,073,709,551,616 Addresses EUI-64 IPv4-based Sequential 2001:db8:1::10.0.0.5 OUI: 24 bits FFFE: 16 bits Low-bits / Trivial (::1) Service port Wordy Address 2001:db8:1::80 2001:db8::bad:cafe � 50

  7. Locally Scanning IPv6 Networks Traffic Snooping Dual-stack Routing Protocols LLMNR [RFC4795] Multicast DNS (mDNS) [RFC6762] Local Protocols DNS Service Discovery (DNS-SD) [RFC6763] Local Scanning � 51

  8. Special / Reserved IPv6 Addresses Name IPv6 Address Comments Unspecified ::/128 When no address available Loopback ::1/128 For local communications IPv6-mapped ::ffff:0:0/96 Used by NAT64. Add IPv4 address 32 bits Documentation 2001:db8::/32 RFC 3849 IPv4/IPv6 Translators 64:ff9b::/96 RFC 6052 Discard-Only 100::/64 RFC 6666 Address Block Teredo 2001::/32 IPv6 in IPv4 Encapsulation Transition Mechanism 6to4 2002::/16 IPv6 in IPv4 Encapsulation Transition Mechanism ORCHID 2001:10::/28 Deprecated Benchmarking 2001:2::/48 See: http://www.iana.org/assignments/iana-ipv6-special-registry/ � 52

  9. Security Tips • Use hard to guess IIDs - RFC 7217 better than EUI-64 - RFC 8064 establishes RFC 7217 as the default • Use IPS/IDS to detect scanning • Filter packets where appropriate • Be careful with routing protocols • Use "default" /64 size IPv6 subnet prefix � 53

  10. IPv6 Network Scanning Exercise 2.2

  11. Exercise 2.2: IPv6 Network Scanning • Description : Use available toolsets to scan a subnet • Goals : - Know about two new toolsets: THC-IPV6 and The IPv6 Toolkit - Learn how to use them to scan a subnet • Time : 10 minutes • Tasks : - Use The IPv6 Toolkit to scan your lab’s subnet - Use THC-IPV6 to scan your lab’s subnet � 55

  12. IPv6 Associated Protocols Security Section 3

  13. ICMPv6 Section 3.1

  14. ICMPv6 [ RFC4443 ] is an integral part of IPv6 Error Messages Informational Messages Destination Unreachable Echo Request Packet Too Big Echo Reply Time Exceeded NDP Parameter Problem MLD � 58

  15. ICMPv6 Format • General Format 8 bits 8 bits 16 bits Type Code Checksum Message Body • Extended Format [ RFC4884 ] Used by: Destination Unreachable Time Exceeded � 59

  16. ICMPv6 Error Messages Type Code No route to destination (0) Communication with destination administratively prohibited (1) Beyond scope of source address (2) Address Unreachable (3) Destination Ureachable (1) Port Unreachable (4) Source address failed ingress/egress policy (5) Reject route to destination (6) Error in Source Routing Header (7) Packet Too Big (2) Packet Too Big (0) Parameter = next hop MTU Hop Limit Exceeded in Transit (0) Time Exceeded (3) Fragment Reassembly Time Exceeded (1) Erroneous Header Field Encountered (0) Unrecognized Next Header Type (1) Parameter Problem (4) Parameter = offset to error Unrecognized IPv6 Option (2) IPv6 First Fragment has incomplete IPv6 Header Chain (3) � 60

  17. FILTER ICMPv6 CAREFULLY! Used in many IPv6 related protocols � 61

  18. ICMPv6 security Packet with MULTICAST destination address No ICMPv6 Error message allowed Echo Reply responding an Echo Request is Optional as response not recommended avoids ? Hosts Discovery Amplification Attacks Smurf Attacks � 62

  19. NDP Section 3.2

  20. Introduction NDP [ RFC4861 ] is used on a link Used for: Messages Neighbour Solicitation Discovery: routers, prefixes, network parameters Autoconfiguration Neighbour Advertisement DAD Router Solicitation NUD Router Advertisement Address Resolution Redirect � 64

  21. Hop Limit = 255 NDP has vulnerabilities [RFC3756] [RFC6583] if not then discard S pecification says to use IPsec SEND [RFC3971] (SEcure Neighbour Discovery) impractical, it’s not used Not widely available � 65

  22. NDP Threats • Neighbor Solicitation/Advertisement Spoofing • Can be done: 1. Sending NS with “source link-layer” option changed 2. Sending NA with “target link-layer” option changed - Can send unsolicited NA or as an answer to NS • Redirection/DoS attack • Could be used for a “Man-In-The-Middle” attack ? � 66

  23. NS Spoofing: Redirection / DoS Neighbour Cache IP1 11:11:11:11:11:11 R IPr MACr = 12:34:56:78:9a:bc IPr 12:34:56:78:9a:bc IP2 22:22:22:22:22:22 aa:aa:aa:aa:aa:aa IP2 a IP1 IP2 1 2 1 1 2 MAC1 = 11:11:11:11:11:11 MAC2 = 22:22:22:22:22:22 IPv6 ICMPv6 NS IPa IPv6.Source IPv6 IP2 MACa = aa:aa:aa:aa:aa:aa IPv6.Destination IPv6 IP1 NS.Target Addr IP1 NS.Src Link-layer Addr aa:aa:aa:aa:aa:aa � 67

  24. Unsolicited NA: Redirection / DoS Neighbour Cache IP1 11:11:11:11:11:11 R IPr MACr = 12:34:56:78:9a:bc IPr 12:34:56:78:9a:bc IP2 22:22:22:22:22:22 IP2 aa:aa:aa:aa:aa:aa IP1 IP2 1 2 1 1 2 MAC1 = 11:11:11:11:11:11 MAC2 = 22:22:22:22:22:22 IPv6 ICMPv6 NA IPa NA.Target Addr IP2 MACa = aa:aa:aa:aa:aa:aa NA.Target Link-layer Addr aa:aa:aa:aa:aa:aa � 68

  25. NUD Failure (DoS attack) 2 NA NS Answer to NS 1 NUD to refresh IP host 2 in neighbour cache � 69

  26. DAD DoS Attack Answer to NS Answer to NS NS NA NS NS DAD for IP before configuring it � 70

  27. NDP Exercise 3.2-a

  28. Exercise 3.2-a NDP • Description : Create packets to poison neighbour cache • Goals : - Practice with Scapy tool - Learn how to modify the neighbour cache of another host in the same network • Time : 15 minutes • Tasks (at least one of them): - Generate NS packets that change other host’s neighbour cache - Generate NA packets that change other host’s neighbour cache � 72

  29. 3.2-a: Neighbour cache attack using NS Neighbour Cache # ip neighbour show IPb bb:bb:bb:bb:bb:bb IP2 22:22:22:22:22:22 IPb cc:cc:cc:cc:cc:cc IPa IPb 1 2 1 A B MACa = aa:aa:aa:aa:aa:aa MACb = bb:bb:bb:bb:bb:bbb IPc MACc = cc:cc:cc:cc:cc:cc IPv6 ICMPv6 NS C IPv6.Source IPv6 IPb IPv6.Destination IPv6 IPa NS.Target Addr IPa NS.Src Link-layer Addr cc:cc:cc:cc:cc:cc � 73

  30. 3.2-a: Neighbour cache attack using NA Neighbour Cache # ip neighbour show IPb bb:bb:bb:bb:bb:bb IP2 22:22:22:22:22:22 IPb cc:cc:cc:cc:cc:cc IPa IPb 1 2 1 A B MACa = aa:aa:aa:aa:aa:aa MACb = bb:bb:bb:bb:bb:bbb IPc MACc = cc:cc:cc:cc:cc:cc IPv6 ICMPv6 NA C NA.Target Addr IPb NA.Target Link-layer Addr cc:cc:cc:cc:cc:cc � 74

  31. Malicious Last Hop Router 2 2 (lifetime = 0) RA RA RS RA RA RA 1 Answer to RS Periodic RAs 1 � 75

  32. Bogus On-Link Prefix Prefixes on the Link google facebook amazon 2 RA DoS google is on the link � 76

  33. Bogus Address Configuration Prefix 2 RA this is your global prefix 2001:db8:bad:bad::/64 DoS � 77

  34. Parameter Spoofing ATTACKER’S DHCP SERVER 2 RA RA M: 1 Current Hop Limit: 3 O: 1 DoS DoS � 78

  35. Spoofed Redirect Message Routes on Host 1: Neighbour Cache ::/0 - fe80::a:b:c IP1 11:11:11:11:11:11 R IPr = fe80::a:b:c 2001:db8::face:b00c - fe80::a MACr = 12:34:56:78:9a:bc IPr 12:34:56:78:9a:bc IP1 1 1 1 MAC1 = 11:11:11:11:11:11 IPa = fe80::a MACa = aa:aa:aa:aa:aa:aa IPv6 ICMPv6 Redirect IPr = fe80::a:b:c IPv6.Source IPv6 IPv6.Destination IPv6 IP1 IPa = fe80::a Redirect.Target Addr 2001:db8::face:b00 Redirect.Dst Addr. c � 79

  36. Neighbour Discovery DDoS Attack Router Neighbour Cache IPa aa:aa:aa:aa:aa:aa IPb bb:bb:bb:bb:bb:bb IP1 = P::1 Internet IPr 12:34:56:78:9a:bc IP2 = P::2 IP1 ??? IP3 = P::3 . . . . . . IPn ??? IPn = P::n IPr = fe80::a:b:c MACr = 12:34:56:78:9a:bc NS 2 Network Prefix (P) IPb IPa 2001:db8:a:b::/64 � 80

  37. NDP Exercise 3.2-b

  38. Exercise 3.2-b NDP • Description : Send RA messages to perform attacks • Goals : - Practice with Scapy tool - Use RA messages to perform attacks on a link • Time: 20 minutes • Tasks : - Send RA messages with bogus address configuration prefix � 82

  39. First Hop Security • Security implemented on switches • There is a number of techniques available: - RA-GUARD - DHCPv6 Guard - IPv6 Snooping ( ND inspection + DHCPv6 Snooping ) - IPv6 Source / Prefix Guard - IPv6 Destination Guard ( or ND Resolution rate limiter ) - MLD Snooping � 83

  40. IPv6 Snooping IP1 2 IP2 1 1 1 2 MAC1 MAC2 NA NA NS NS NS NA IPa MACa � 84

  41. IPv6 Source / Prefix Guard IP2 1 1 2 MAC2 Source Source IPa MACa � 85

  42. IPv6 Destination Guard Internet Destination 2 IPb IPa � 86

  43. Rogue Router Advertisements RA � 87

  44. Rogue RA Solutions 2 1 SEND Link Monitoring 3 4 Host Packet Filtering MANUAL CONFIGURATION + Disable Autoconfig 5 6 Router Preference Option ACLs on Switches [ RFC4191 ] 7 RA Snooping on Switches ( RA GUARD ) � 88

  45. RA-GUARD [ RFC6105 ] • Easiest available solution • Only allows RAs on legitimate ports on L2 switches � 89

  46. RA-GUARD [ RFC6105 ] Stateless RA Guard Decision based on RA message or static configuration Stateful RA Guard Stateful RA Guard Learns dynamically � 90

  47. Filtering • Use Access Control Lists (ACLs) in switches Switches need to understand Ethernet IPv6 ICMPv6 ICMPv6 Type and Version 6 Ethertype 0x86DD Code for IPv6 Source/destination Source/destination MAC address IPv6 address Next Header � 91

  48. Filtering Example (config)#ipv6 access-list RA-GUARD (config-ipv6-acl)#sequence 3 deny icmp any any router-advertisement (config-ipv6-acl)#sequence 6 permit ipv6 any any (config-ipv6-acl)#exit (config)#interface FastEthernet0/5 (config-if)#ipv6 traffic-filter RA-GUARD in � 92

  49. Conclusions / Tips • NDP is an important, powerful and vulnerable protocol • Recommended : use available solutions to protect NDP • Detection (IDS/IPS) can be easier and recommended � 93

  50. MLD Section 3.3

  51. • MLD ( Multicast Listener Discovery ) is: - Multicast related protocol, used in the local link - Two versions: MLDv1 and MLDv2 - Uses ICMPv6 - Required by NDP and “IPv6 Node Requirements” - IPv6 nodes use it when joining a multicast group � 95

  52. MLDv1 QUERY REPORT DONE Listeners indicate Router asks for Listeners report that they’re done listeners themselves General Specific � 96

  53. Src: fe80::2 Dst: SolicitedNode(2) R 2 fe80::a fe80::2 REPORT SolicitedNode(2) QUERY Src: fe80::a Dst: FF02::1 � 97

  54. MLDv2 • Mandatory for all IPv6 nodes ( MUST ) [RFC8504] • Interoperable with MLDv1 • Adds Source-Specific Multicast filters: - Only accepted sources - Or all sources accepted except specified ones � 98

  55. MLDv2 QUERY REPORT-v2 Specifies multicast Current state and source addresses General State change (filter/sources) Specific Sent to FF02::16 � 99

  56. MLD Details • Nodes MUST process QUERY to any of its unicast or multicast addresses • MLDv2 needs all nodes using MLDv2 • All OSs join (REPORT) to the Solicited Node addresses � 100

Recommend


More recommend