Security Implications of IPv6

Tim Helming
Director of Product Management
Corey Nachreiner, CISSP
Sr. Network Security Strategist
Welcome to WatchGuard’s IPv6 Webinar Series!
3. Security Implications of IPv6
• v6 in a v4 world
• v6 security advantages/disadvantages
You’re here because v6 matters to you
We’re here to help!
Things we’ll answer:
• What are the security implications of IPv6 in my IPv4 network (Transition)?
• What are the inherent security advantages and disadvantages of IPv6?
Part 1: Security Implications of IPv6 in a (mostly) IPv4 World
I’m Running IPv4…Does This Affect Me?
Your network may be IPv4…
…but your devices may be another story!
Remember This?
Tunnels In My v4? Holy Teredo!
Teredo: IPv6 Tunneling Protocol
ISATAP: Windows v6 Transition Tool
6in4
6over4
Freenet6
Others Abound…
Talking Behind My Back?
Within the confines of your network, many devices may be communicating over IPv6, even if they are not sending packets to and from the Internet!
Remember...
Visibility is Security
…Which means...
Invisibility is Insecurity!
Spotting and Controlling Rogue IPv6
Spotting:
• ipconfig and ifconfig
• Firewall logs
• SIEM
Controlling:
• Egress Filtering
• Application Control
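The kind of check a firewall log or egress filter applies to spot tunneled IPv6, as an added example that is not part of the original slides. It assumes IP protocol 41 (6in4, 6over4, ISATAP) and UDP port 3544 (Teredo servers) as the markers; the packets and addresses are constructed samples.

```python
import socket
import struct
from collections import Counter

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41   # IP protocol 41: 6in4, 6over4 and ISATAP
TEREDO_PORT = 3544        # UDP port used by Teredo servers

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by the IPv6 tunnel type it carries, if any."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "malformed"
    ihl = (pkt[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:
        return "ipv6-in-ipv4"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "plain-ipv4"

def tunnel_sources(packets) -> dict:
    """Count tunnel packets per (source IPv4 address, tunnel type)."""
    hits = Counter()
    for pkt in packets:
        label = classify(pkt)
        if label in ("ipv6-in-ipv4", "teredo"):
            hits[(socket.inet_ntoa(pkt[12:16]), label)] += 1
    return dict(hits)

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (checksum left at 0) for the samples below."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def udp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed sample traffic using documentation addresses, not a real capture.
SAMPLES = [
    ipv4("192.0.2.10", "198.51.100.1", 41, b"\x60" + bytes(39)),  # 6in4
    ipv4("192.0.2.11", "198.51.100.2", 17, udp(51000, 3544)),     # Teredo
    ipv4("192.0.2.11", "198.51.100.2", 17, udp(51000, 3544)),     # Teredo
    ipv4("192.0.2.12", "198.51.100.3", 17, udp(51001, 53)),       # DNS
    ipv4("192.0.2.12", "198.51.100.3", 6, bytes(20)),             # TCP
]
```

The port match only catches Teredo traffic to or from a server; an egress rule that blocks protocol 41 and UDP 3544 outright covers the same two markers.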
Part 2: Security Implications of IPv6
The Big IPv6 Security Question
• IPv6 Offers:
Security Benefits (The Good)
Security Drawbacks (The Bad)
Differences of Concern (The Ugl... Uh, Different)
IPv6 Security: The Good
Built-In IPSec Offers Better Security… Right?
IPSec is a mandatory part of the IPv6 Protocol
What’s IPSec Again?
Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, anti-replay, and encryption (confidentiality) to IP packets, thus providing secure and private communications.
Among other things, IPSec consists of:
• Authentication Headers (AH) – Provides data origin authentication and integrity (protects against replay attacks)
• Encapsulating Security Payloads (ESP) – Adds encryption to the mix to provide confidentiality
What are IPv6 Extension Headers?
Remember IPv6 header simplification? Dropped options need to go somewhere…
Ext. headers may include:
• Hop-by-hop options
• Destination Options
• Routing
• Fragmentation
• AH Header
• ESP Header
• Etc…
[Diagram: IPv4 header (20 bytes) fields compared with the IPv6 header, followed by IPv6 extension headers and the payload]
Built-In IPSec Offers Better Security… Right?
IPSec is a mandatory part of the IPv6 Protocol
What does this really mean?
• Part of IPv6 protocol stack, not an optional add-on
• Implemented with AH and ESP Extension Headers
• Follows one standard (fewer interop issues)
• Every IPv6 device can do IPSec
• However, IPSec usage is still OPTIONAL!
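Because IPSec rides in extension headers and is optional, a filter has to walk the Next Header chain to learn whether a packet actually carries AH or ESP. The following is an added example, not part of the original slides; the function names and packets are constructed for illustration, and the header numbers and length rules are those of the IPv6, AH and ESP specifications.

```python
import ipaddress
import struct

# IPv6 Next Header values that denote extension headers.
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment",
               50: "esp", 51: "ah", 60: "destination-options"}

def walk_chain(pkt: bytes, max_headers: int = 8):
    """Return (extension header names in order, upper-layer protocol or None)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off, chain = pkt[6], 40, []
    while next_hdr in EXT_HEADERS:
        if len(chain) >= max_headers:
            raise ValueError("extension header chain too long")
        chain.append(EXT_HEADERS[next_hdr])
        if next_hdr == 50:            # ESP: the rest is encrypted, stop here
            return chain, None
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if next_hdr == 44:            # Fragment header is always 8 bytes
            size = 8
        elif next_hdr == 51:          # AH length field: 4-byte units minus 2
            size = (pkt[off + 1] + 2) * 4
        else:                         # others: 8-byte units minus 1
            size = (pkt[off + 1] + 1) * 8
        if off + size > len(pkt):
            raise ValueError("truncated extension header")
        next_hdr, off = pkt[off], off + size
    return chain, next_hdr

def uses_ipsec(pkt: bytes) -> bool:
    """True only when the packet actually carries an AH or ESP header."""
    return bool({"ah", "esp"} & set(walk_chain(pkt)[0]))

def ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet between two documentation addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + src + dst + payload

# Constructed samples: hop-by-hop -> AH -> TCP, ESP only, and plain TCP.
TCP = bytes(20)
HBH = bytes([51, 0, 1, 4, 0, 0, 0, 0])   # next=AH, len=0, PadN option
AH = bytes([6, 4]) + bytes(22)           # next=TCP, 24 bytes in total
AH_PACKET = ipv6(0, HBH + AH + TCP)
ESP_PACKET = ipv6(50, bytes(32))
PLAIN_PACKET = ipv6(6, TCP)
```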
Wait! Doesn’t IPv4 Offer IPSec too?
Some truths about IPv6’s additional IPSec Security:
• IPv4 has it too (though, not “natively”)
• You don’t have to use it, and most don’t
• Still complex
• May require PKI Infrastructure
So is this really a security benefit?
• Short term – probably no measurable advantage over IPv4 IPSec
• Long term – More applications will leverage it now that it’s mandatory!
So Long NAT! Hello, End-2-End Addressing
NAT does NOT provide security!
End-2-End (public) addressing increases accountability
Vast Address Space Naturally Thwarts Certain Attacks
(340 undecillion)
Too big for automated reconnaissance and attack:
Average network port scans would take decades
Automated worm propagation would slow to a crawl
IPv6 Security: The Bad
Immature Protocols = Increased Vulnerability & Risk
During the creation life-cycle of new standards and protocols:
• Security is often an after-thought
• Unexpected problems happen due to complex interactions
• Many issues don’t surface until the tech receives wider usage
These concepts have proven themselves with many new network protocols in
the past. Most experts suspect there are many security issues in IPv6, and
related protocols, that we have yet to uncover.
Unfamiliarity Causes Misconfigurations
Many network administrators and IT practitioners are still relatively unfamiliar with all of IPv6’s “ins and outs”
Common issues:
• Not realizing IPv6 is already in their network
• Ignorance of Tunneling Mechanisms
• Lack of ACL policy for IPv6 multi-homing
• Unawareness of potential privacy issues
• Over permissiveness, just to get it to work
Automatic Addressing May Pose Privacy Concerns
In the first webinar, we showed one way SLAAC could automatically create an EUI-64 address.
1. MAC Address: 90-3A-2B-06-2C-D1
2. Split in half: 90-3A-2B | 06-2C-D1
3. Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1
4. Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1
However, this makes your MAC public, which you may consider a privacy issue.
There are options to rectify this issue:
• Privacy Enhanced Addresses [RFC 3041]
• Cryptographically Generated Addresses (CGA) [RFC 3972]
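The four steps above in code, together with the reverse operation that makes this a privacy issue: anyone who sees the address can recover the MAC and link the same device across networks. This is an added example, not part of the original slides; the function names, the 2001:db8 documentation prefixes and the observed address list are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def eui64_interface_id(mac: str) -> bytes:
    """MAC -> 8-byte interface identifier, following the slide's four steps."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert FFFE in the middle and invert the universal/local bit (the 7th
    # bit of the first byte); for the slide's MAC that turns 0x90 into 0x92.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing expects a /64 prefix")
    return net[int.from_bytes(eui64_interface_id(mac), "big")]

def recover_mac(addr: str):
    """Return the MAC embedded in an EUI-64 style address, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)

def link_by_mac(addresses) -> dict:
    """Group observed addresses by the MAC they expose."""
    seen = defaultdict(list)
    for addr in addresses:
        mac = recover_mac(addr)
        if mac:
            seen[mac].append(addr)
    return dict(seen)

# Constructed list of observed source addresses (documentation prefixes).
OBSERVED = [
    "2001:db8:1::923a:2bff:fe06:2cd1",   # the slide's host on one network
    "2001:db8:2::923a:2bff:fe06:2cd1",   # the same host on another network
    "2001:db8:1::1c2d:3e4f:5a6b:7c8d",   # randomized interface identifier
]
```

Running `link_by_mac` over address logs is a quick audit for hosts that still expose their MAC instead of using privacy addresses.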
A Look Back at IPv4 ARP Poisoning
[Diagram: ARP exchange on an IPv4 LAN]
• “Who has 192.168.20.34?”
• “I Do. Here’s my MAC”
• “Hey Everyone. I have 192.168.20.1. And I also have 192.168.20.2, 192.168.20.34 And …..”
No authentication or security
Neighbor Discovery Suffers from Similar Issues
[Diagram: Neighbor Discovery exchange on an IPv6 LAN]
• Neighbor Solicitation: “Who has 2001::3/64?”
• Neighbor Advertisement: “I Do. Here’s my Layer 2 address”
• ND Spoofing: “Who has 2001::3/64?” answered with “I Do. Send traffic to me”
No authentication or security
Many Other Neighbor and Router Discovery Issues
Other ND related attacks:
• Duplicate Address Detection (DAD) DoS attack
• ND spoofing attack for router (allows for MitM)
• Neighbor Unreachability Detection (NUD) DoS attack
• Last Hop Router spoofing (malicious router advertisements)
• And many more… (http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html)
Solution: SEcure Neighbor Discovery (SEND) – RFC 3971
• Essentially adds IPSec to ND communications
• Requires PKI Infrastructure
• Not available in all OSs yet.
• 802.1X also an option
New Multicast Protocol Helps with Reconnaissance
In the first webinar, we introduced IPv6 multicast addresses.
IPv6 includes a ton of reserved multicast addresses. Here’s a few:
Multicast Address    Reservation
FF02::1              All Host Address
FF02::2              All Router Address (LL)
FF02::9              RIP Routers
FF02::A              EIGRP Routers
FF02::B              Mobile-Agents
FF02::1:2            All DHCP Agents
FF05::2              All Router Address (SL)
FF05::1:3            All DHCP Servers
FF05::1:4            All DHCP Relays
FF0X::101            NTP
FF0X::106            Name Service Server
Attackers can use these multicast addresses to enumerate your network.
Note: RFC 2375
IPv6 Security Controls Lagging Hacking Arsenal/Tools
Attackers already have many IPv6 capable tools:
THC-IPv6 Attack Suite, Nmap, Alive6, Parasite6, COLD, Fake_mld6, Wireshark, Fake_Advertiser6, Spak6, SendPees6, Redir6, Multi-Generator (MGEN), Fake_Router6, Detect-New-IPv6, IPv6 Security Scanner (vscan6), DoS-New-IPv6, Smurf6, TCPDump, Halfscan6, rSmurf6, TooBig6, Fake_MIPv6, Strobe, Netcat6, DNSDict6, Isic6, Hyenae, Trace6, Imps6-tools, Relay6, 6tunnel, NT6tunnel, SendIP, VoodooNet, Packit, Scapy6, 4to6ddos, Metasploit (etc.), 6tunneldos, Web Browsers (XSS & SQLi), Flood_Router6, Flood_Advertise6, Fuzz_IP6, etc…
Unfortunately, IPv6 security controls and products seem to be a bit behind.
IPv6 Security: The Different
Neutral IPv6 Differences of Concern
Some of IPv6’s differences have security connotations that you should know about. However, they aren’t necessarily inherently good or bad.
Typical IPv6 Devices Have Multiple Addresses
At least a Link-Local Address (FE80::/10)
Likely a Unique Global Address (2000::/3)
Possibly a Site-Local Address (FC00::/7)
You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization
Extra Security Can Cause Insecurity
Firewalls (and Admins) Must Learn New Tricks
How to filter ICMPv6?
Handling new extension headers
Filtering Multicast and Anycast
Hosts w/multiple addresses
EXTRA: The Same
There are some security issues that IPv6 has little effect on:
Application-layer attacks
Sniffing
Rogue Devices
Man-in-the-Middle Attacks
Flooding/DoS Attacks
IPv6 Security: Conclusion
So… Does/Will IPv6 Provide More Security?
Short Term
• Probably Not. Few will adopt/use the IPv6 related security additions early on. Furthermore, the protocol’s “newness” and administrators’ unfamiliarity may result in more vulnerabilities at first. That said, IPv6 security is NOT worse than IPv4.
Long Term
• Yes. If leveraged, some IPv6 additions can increase our overall network security. As we become more familiar with it, and more network services begin to leverage advanced options, IPv6 should prove slightly more secure than IPv4.
Wrapping It Up
Coming Up Next…(1 month from now)
4. What To Expect from IPv6
• ISP activities
• Connecting the Islands
Thank You!