SO YOUR IPV6 IS PUBLIC…NOW WHAT?
By Joe Sullivan, Professor, Joliet Junior College, April 27th 2017
CCNP, Palo Alto ACE, CCNA Video, CCNA Voice, CVNS, CVNR, CCNA Collaboration, H.E. IPv6 Sage, Linux Essentials, ECSVRv1, ECSERv2, CCNA Security, CCAI, CWTS
Background
• The IPv4 free pool has been depleted as of September 24, 2015; people can apply on the waitlist for unmet requests: https://www.arin.net/resources/request/waiting_list.html
• Conservation of IPv4 addresses began early on with the introduction of VLSM and RFC 1918 private addresses.
• Since private addresses are used, NAT has been in place to accommodate them. We quickly found that this model brings a performance degradation and is challenging for real-time services and end-to-end applications.
EXPLORING MYTHS: NAT SECURITY
• NAT didn’t provide security. NAT actually hindered security by hindering geolocation, DNSSEC and IPsec.
• The reality is that stateful firewalls have provided the security. The purpose of stateful packet inspection is to remember which packets left the network and provide a mapping to the return traffic flags or headers.
(NAT overview clipping source: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html)
DEPLOYMENT MODELS
• ISPs have been resourceful in obtaining new address space in IPv6. Comcast has been deploying since 2011 and has a deployment model in place. (Source: http://corporate.comcast.com/comcast-voices/ipv6-deployment-technology)
• Comcast, for instance, is very proactive in deploying native dual stack, which means a customer gets both IPv6 and IPv4 addresses. This avoids the use of tunneling and NAT.
• Native dual stack avoids breaking or slowing applications and maintains faster broadband internet without the complications of NAT.
• With the removal of NAT, new tools have been developed to deploy address prefixes to customers. We will look at a dual-stack device running Prefix Delegation (PD) along with a local link device issued a /64 and using SLAAC.
IPV6 DEPLOYMENT
• This research is not intended to detract from the merits of IPv6, but merely to shed light on important deployment scenarios.
• IPv6 is different from IPv4, this we understand. Several attacks exist in both IPv4 and IPv6, such as:
• Application layer attacks such as cross-site scripting and SQL injection.
• Rogue devices such as WiFi, a router with higher priority, and flooding and DoS attacks.
• Man-in-the-middle attacks
• Redirection, spoofing, false advertisements
BACKGROUND ON IPV6 STRUCTURE
• Link Local: FE80::7ADA:6EFF:FE5B:ACE0
• Global Unicast: 2010:AB8:0:1:7ADA:6EFF:FE5B:B478
• Multicast groups: joined group address(es):
• FF02::1
• FF02::2
• FF02::A
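To make the three address types on this slide concrete, here is an added Python example (not part of the original deck) that classifies each address the way an inventory script would and, for the link-local and global unicast examples, recovers the MAC their interface identifier was built from; the group names, the `SOLICITED_NODE` range and the `audit` helper are this example's own assumptions, and an address that is not EUI-64 derived simply yields no MAC.

```python
import ipaddress

# Added example (not from the slides): classify the addresses an interface dump
# shows and flag interface IDs built from the hardware MAC (modified EUI-64),
# which make a host's address predictable to a scanner and expose the NIC vendor.

# Well-known link-scope groups listed on the slide, plus the solicited-node range
# every unicast address implicitly joins (used by Neighbor Discovery).
KNOWN_GROUPS = {"ff02::1": "all-nodes", "ff02::2": "all-routers", "ff02::a": "all-EIGRP-routers"}
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def eui64_mac(addr):
    """Return the MAC a modified-EUI-64 interface ID was derived from, else None."""
    iid = addr.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":           # EUI-64 pads the 48-bit MAC with FF:FE
        return None
    # Modified EUI-64 flips the universal/local bit (0x02) of the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(text):
    """Describe one address the way an audit script would record it."""
    addr = ipaddress.IPv6Address(text)
    info = {"address": str(addr), "scope": "other", "group": None, "eui64_mac": None}
    if addr.is_multicast:
        info["scope"] = "multicast"
        if addr in SOLICITED_NODE:
            info["group"] = "solicited-node"
        else:
            info["group"] = KNOWN_GROUPS.get(str(addr), "other")
    elif addr.is_link_local:
        info["scope"] = "link-local"
    elif addr.is_global:
        info["scope"] = "global"
    if info["scope"] != "multicast":
        info["eui64_mac"] = eui64_mac(addr)
    return info


def audit(addresses):
    """Return the unicast addresses whose interface ID exposes the hardware MAC."""
    return [a for a in addresses if classify(a)["eui64_mac"] is not None]


if __name__ == "__main__":
    # The three address types from the slide.
    for a in ["FE80::7ADA:6EFF:FE5B:ACE0", "2010:AB8:0:1:7ADA:6EFF:FE5B:B478", "FF02::A"]:
        print(classify(a))
```

Both slide addresses share the 7ADA:6EFF:FE5B prefix of their interface ID, which is what the FF:FE check keys on; hosts using privacy extensions produce no MAC here and are the ones a scanner cannot predict.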
INVESTIGATIVE TOOLS USED
• Kali
• THC-IPV6(8): https://manned.org/thc-ipv6.8
• Investigation focused on IPv6 Prefix Delegation security concerns
NETWORK ATTACKS
• New neighbor found, possible gateway attack successful
FLOOD ROUTERS
• flood_router6 successful
• Quickly sends thousands of routers as neighbors; within seconds we had thousands.
• Memory attack on the router.
FRAGMENTATION ATTACK ON FIREWALL
• High CPU usage
• Investigate firewall probe
PRINT ROUTER INFORMATION
• Information on adjacencies
ASSESS DEVICE CAPABILITIES
• Scans device system services
• Accessible through the WAN
FIREWALL PROBING
• Sniffer detection packets
• Scanning for system responses
• Fragmentation and maximum segment size attacks
PROBE ROUTER
• Sends a series of known exploits to an intermediate device.
• Actively probing devices.
NEIGHBOR DISCOVERY
• Nmap discovers about 1 host every second.
• Host machines do not start at ::1 and work upward.
• At /64, or 18 quad trillion hosts, full discovery can take years.
• Once you go to a corrupt site they will have your address, so you still need a firewall.
ATTACKS INSIDE THE LAN REMAIN DEVASTATING
• Raises concerns for businesses.
• With dual stack, an administrator has to defend both protocols. The logical footprint effectively doubles.
HOW TO PLAN FOR IPV6
• Start with ARIN: https://www.arin.net/resources/ipv6_planning.html
• Check with your ISP for compatible modems to obtain the best performance. For example, http://mynewmodemcomcast.net/
• Get IPv6 certified for free with Hurricane Electric (free T-shirt at Sage level): https://ipv6.he.net/certification/
• Research guidelines: https://www.apnic.net/community/ipv6-program/ipv6-bcp/
BASIC STEPS BEFORE CONSIDERATION OF IPV6 DEPLOYMENT
(Source: http://blogs.cisco.com/smallbusiness/3-steps-for-preparing-your-network-for-ipv6)
1. Audit to include routers and switches as well as security appliances, firewalls, and intrusion prevention systems.
• Audit existing infrastructure for compliance.
2. Gradually migrate your core networking components, then all of your endpoints; don’t forget applications that run on PCs.
• Make a planned migration.
3. Ensure outward facing services are IPv6 compliant.
• Validate external services.
IMPLICATIONS FOR DUAL STACK DEVICES
• IPv6 has an abundance of hosts and exhibits an inherent “herd mentality” for protection.
• Once discovered, a host is directly reachable unless firewall rules are provisioned.
• For IoT devices, protection will lie solely in the front-end device protecting them. Due to low battery consumption and single-purpose design they leave little in the way of security.
• Provisioning systems for dual stack does require a router or security device appropriate for each protocol.
• Multicast traffic is detrimental to switches; recommendations are to have storm control and multicast routing provisioned.
• Devices inside the LAN may suffer severely from attacks. Workstations should have firewalls, and IoT devices require the protection of a hardware firewall at L2.
• Direct reachability for IPv6 is possible without a stateful firewall; ensure one is operational.
FINDINGS
• Getting back to Comcast provisioning native dual stack over DOCSIS: the logic of the move is that during our growing pains moving to IPv6 from our depleted IPv4 state, content providers have not readily adopted IPv6. Websites may draw on both IPv4 and IPv6 content.
• Having a dual-stack configuration allows us to see an Internet page with both protocols. Miss one protocol and the content changes.
• There are browser add-ons to check for dual protocol support on websites (see link).
• Supporting both protocols is necessary until every service provider and website transitions to IPv6.
https://chrome.google.com/webstore/detail/ipvfoo/ecanpcehfgngcegjmadlcijfolapggal?hl=en
FINDINGS CONTINUED
• DNS lookups return both protocol options.
• The AAAA record is the IPv6 equivalent of the DNS A record. If it exists, the client tries IPv6 first, falling back to the A record and IPv4.
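The AAAA-first, A-fallback behaviour described above, as an added Python example that is not from the original deck: the resolver and the connect step are swappable, so the "miss one protocol and the content changes" case (an AAAA record published for a site whose IPv6 path is down) can be reproduced offline with constructed records; 2001:db8::10 and 192.0.2.10 are constructed documentation addresses, and `static_resolver` is this example's own stand-in for `socket.getaddrinfo`.

```python
import socket

# Added example, not from the slides: resolve a name over both families and
# apply the order the slide describes (AAAA/IPv6 first, A/IPv4 as fallback).


def static_resolver(records):
    """Build a getaddrinfo-compatible stand-in from constructed AAAA/A records."""
    def resolver(host, port, family=0, socktype=0, proto=0, flags=0):
        out = [(socket.AF_INET6, socket.SOCK_STREAM, 6, "", (ip, port, 0, 0))
               for ip in records.get("AAAA", [])]
        out += [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))
                for ip in records.get("A", [])]
        if not out:
            raise socket.gaierror("no records for " + host)
        return out
    return resolver


def dual_stack_candidates(host, port, resolver=socket.getaddrinfo):
    """Return (family label, sockaddr) pairs, every AAAA answer before any A answer."""
    try:
        entries = resolver(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    v6 = [("IPv6", e[4]) for e in entries if e[0] == socket.AF_INET6]
    v4 = [("IPv4", e[4]) for e in entries if e[0] == socket.AF_INET]
    return v6 + v4


def _tcp_connect(label, sockaddr, timeout=3.0):
    """Real connect step used when no fake connector is supplied."""
    fam = socket.AF_INET6 if label == "IPv6" else socket.AF_INET
    s = socket.socket(fam, socket.SOCK_STREAM)
    s.settimeout(timeout)
    s.connect(sockaddr)
    return s


def connect_preferring_v6(host, port, resolver=socket.getaddrinfo, connector=_tcp_connect):
    """Walk the candidates in order and report which family actually answered.

    A site with an AAAA record but no working IPv6 path shows up as an IPv6
    entry in 'skipped' followed by an IPv4 success: the user still gets a page,
    but over the other protocol, which is exactly the case the slide warns about.
    """
    skipped = []
    for label, sockaddr in dual_stack_candidates(host, port, resolver):
        try:
            conn = connector(label, sockaddr)
        except OSError as exc:
            skipped.append((label, sockaddr[0], str(exc)))
            continue
        return {"family": label, "address": sockaddr[0], "skipped": skipped, "conn": conn}
    return {"family": None, "address": None, "skipped": skipped, "conn": None}
```

Called with the defaults it performs a live lookup and connect; the `skipped` list is what to log when validating a dual-stack site.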
IDENTIFIERS OF IPV6 WEBSITES
• A logo may be included on a website to show IPv6 compliance, such as World IPv6 Launch: http://www.worldipv6launch.org/
• Test your IPv6: http://ipv6test.google.com/
SETUP FIREWALL FOR NEW PROTOCOL
• Certified IPv6 Ready devices for small business: https://www.ipv6ready.org/
WAN SIDE BUSINESS CLASS SERVICES
• Fragmented packet inspection and reorder
• IPv6 DoS mitigation
• Tunneled packet inspection at the tunnel endpoint
• Stateful packet inspection
• Stateful packet inspection for IPv4-to-IPv6 originations
• ACLs pertaining to extension header information
• Port to application mapping
• Firewall alerts, audit trails, system logging, NetFlow
• Router hardening for routing protocols
• Multicast thresholds
• Neighbor Advertisement, Cryptographically Generated Addresses using SEcure Neighbor Discovery (SEND)
LAN SIDE BUSINESS CLASS IPV6 PRECAUTIONS
• Stateful packet failover, FHRP
• Control plane policing, per-user microflow
• Use of Protocol Independent Multicast v2 and Multicast Listener Discovery v2
• Use of general prefix names to simplify deployment
• Standard fare:
• DHCP snooping
• QoS mechanisms
• Load budget under a dual protocol environment; consider multi-protocol aggregation
SCANNING VALIDATION TOOLS
• Home tools for IPv6: http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-tracepath.php
• http://www.ipv6scanner.com/cgi-bin/main.py
ADDITIONAL RESOURCES
• router configurations.txt