Security Implications of IPv6
Tim Helming, Director of Product Management
Corey Nachreiner, CISSP, Sr. Network Security Strategist

Welcome to WatchGuard's IPv6 Webinar Series!

Security Implications of IPv6
• v6 in a v4 world
• v6 security advantages/disadvantages

You're here because v6 matters to you. We're here to help! Things we'll answer:
• What are the security implications of IPv6 in my IPv4 network (transition)?
• What are the inherent security advantages and disadvantages of IPv6?

Part 1: Security Implications of IPv6 in a (mostly) IPv4 World

I'm Running IPv4… Does This Affect Me?
Your network may be IPv4… but your devices may be another story!

Remember This? Tunnels In My v4? Holy Teredo!
• Teredo: IPv6 tunneling protocol
• ISATAP: Windows v6 transition tool
• 6in4
• 6over4
• Freenet6
• Others abound…

Talking Behind My Back?
Within the confines of your network, many devices may be communicating over IPv6, even if they are not sending packets to and from the Internet!

Remember... Visibility is Security. Which means... Invisibility is Insecurity!

Spotting and Controlling Rogue IPv6
Spotting:
• ipconfig and ifconfig
• Firewall logs
• SIEM
Controlling:
• Egress filtering
• Application control

Part 2: Security Implications of IPv6

The Big IPv6 Security Question
IPv6 offers:
• Security benefits (The Good)
• Security drawbacks (The Bad)
• Differences of concern (The Ugl... uh, Different)

IPv6 Security: The Good

Built-In IPSec Offers Better Security… Right?
IPSec is a mandatory part of the IPv6 protocol.

What's IPSec Again?
Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, anti-replay, and encryption (confidentiality) to IP packets, thus providing secure and private communications. Among other things, IPSec consists of:
• Authentication Headers (AH): provides data origin authentication and integrity (protects against replay attacks)
• Encapsulating Security Payloads (ESP): adds encryption to the mix to provide confidentiality

What are IPv6 Extension Headers?
Remember the IPv6 header simplification? Options dropped from the IPv4 header need to go somewhere. The IPv4 header (20 bytes) carries Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options and Padding. The fixed IPv6 header (40 bytes) keeps only Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address and Destination Address; IHL, Type of Service, Identification, Flags, Fragment Offset, Header Checksum, Options and Padding were dropped. Anything else is carried in extension headers chained between the IPv6 header and the payload via the Next Header field. Extension headers may include:
• Hop-by-hop options
• Destination options
• Routing
• Fragmentation
• AH header
• ESP header
• Etc…

Built-In IPSec Offers Better Security… Right?
IPSec is a mandatory part of the IPv6 protocol. What does this really mean?
• Part of the IPv6 protocol stack, not an optional add-on
• Implemented with AH and ESP extension headers
• Follows one standard (fewer interop issues)
• Every IPv6 device can do IPSec
• However, IPSec usage is still OPTIONAL!

Wait! Doesn't IPv4 Offer IPSec too?
Some truths about IPv6's additional IPSec security:
• IPv4 has it too (though not "natively")
• You don't have to use it, and most don't
• Still complex
• May require PKI infrastructure
So is this really a security benefit?
• Short term: probably no measurable advantage over IPv4 IPSec
• Long term: more applications will leverage it now that it's mandatory!

So Long NAT! Hello, End-2-End Addressing
NAT does NOT provide security!
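Part 1's "Spotting and Controlling Rogue IPv6" slide says to look in firewall logs; the script below is an added example (not WatchGuard's code) of what that check looks like in practice. It scans constructed, simplified key=value firewall log lines for the transition mechanisms named on the slides: Teredo (UDP to port 3544), 6in4/6to4/ISATAP encapsulation (IP protocol 41, with 6to4 recognised by the 192.88.99.1 relay anycast address), and native IPv6 or link-local/multicast traffic inside the network. The log format and addresses are assumptions for illustration; adapt the parser to your firewall's export.

```python
"""Spot IPv6 tunnelling and native IPv6 in firewall-style logs (added example)."""
import ipaddress
import re

# Constructed sample log lines (not real traffic). One record per line, key=value fields.
SAMPLE_LOG = """\
proto=udp src=192.0.2.10 sport=54321 dst=203.0.113.5 dport=3544 action=allow
proto=41 src=192.0.2.11 dst=198.51.100.7 action=allow
proto=tcp src=192.0.2.12 sport=44000 dst=198.51.100.20 dport=443 action=allow
proto=udp src=192.0.2.13 sport=5000 dst=203.0.113.9 dport=53 action=allow
proto=tcp src=fe80::923a:2bff:fe06:2cd1 sport=5353 dst=ff02::1 dport=5353 action=allow
proto=41 src=192.0.2.14 dst=192.88.99.1 action=allow
proto=tcp src=2001:db8::10 sport=40000 dst=2001:db8::20 dport=80 action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

TEREDO_PORT = 3544          # Teredo server/relay UDP port (RFC 4380)
PROTO_IPV6_IN_IPV4 = "41"   # IP protocol 41: 6in4, 6to4 and ISATAP all encapsulate this way
SIXTO4_ANYCAST = ipaddress.ip_address("192.88.99.1")  # 6to4 relay anycast (RFC 3068)


def parse_line(line):
    """Turn one 'key=value key=value' log line into a dict (assumed log format)."""
    return dict(KV_RE.findall(line))


def classify(rec):
    """Return the IPv6-related behaviours one log record shows (empty list if none)."""
    findings = []
    proto = rec.get("proto", "").lower()
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if proto == "udp" and rec.get("dport") == str(TEREDO_PORT):
        findings.append("teredo-tunnel")
    if proto == PROTO_IPV6_IN_IPV4:
        findings.append("6to4-tunnel" if dst == SIXTO4_ANYCAST else "proto41-tunnel")
    if src.version == 6 or dst.version == 6:
        findings.append("native-ipv6")
        # Link-local sources and multicast destinations mean v6 is alive on the LAN,
        # whether or not it ever reaches the Internet (the "Talking Behind My Back?" slide).
        if dst.is_multicast or src.is_link_local:
            findings.append("link-local-or-multicast")
    return findings


def audit(log_text):
    """Map each source address to the set of IPv6-related behaviours seen for it."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        tags = classify(rec)
        if tags:
            report.setdefault(rec["src"], set()).update(tags)
    return report


if __name__ == "__main__":
    for host, tags in sorted(audit(SAMPLE_LOG).items()):
        print(f"{host:40} {', '.join(sorted(tags))}")
```

Hosts that show up here but have no approved IPv6 or tunnel use are candidates for the egress filtering and application control the slide recommends; protocol 41 and UDP/3544 are easy to block at the perimeter once you know who legitimately needs them.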
End-2-End (public) addressing increases accountability.

Vast Address Space Naturally Thwarts Certain Attacks
340 undecillion addresses: too big for automated reconnaissance and attack.
• Average network port scans would take decades
• Automated worm propagation would slow to a crawl

IPv6 Security: The Bad

Immature Protocols = Increased Vulnerability & Risk
During the creation life-cycle of new standards and protocols:
• Security is often an afterthought
• Unexpected problems happen due to complex interactions
• Many issues don't surface until the tech receives wider usage
These concepts have proven themselves with many new network protocols in the past. Most experts suspect there are many security issues in IPv6, and related protocols, that we have yet to uncover.

Unfamiliarity Causes Misconfigurations
Many network administrators and IT practitioners are still relatively unfamiliar with all of IPv6's "ins and outs". Common issues:
• Not realizing IPv6 is already in their network
• Ignorance of tunneling mechanisms
• Lack of ACL policy for IPv6 multi-homing
• Unawareness of potential privacy issues
• Over-permissiveness, just to get it to work

Automatic Addressing May Pose Privacy Concerns
In the first webinar, we showed one way SLAAC could automatically create an EUI-64 address:
1. MAC address: 90-3A-2B-06-2C-D1
2. Split in half: 90-3A-2B 06-2C-D1
3. Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1
4. Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1
However, this makes your MAC public, which you may consider a privacy issue. There are options to rectify this issue:
• Privacy Enhanced Addresses [RFC 3041]
• Cryptographically Generated Addresses (CGA) [RFC 3972]

A Look Back at IPv4 ARP Poisoning
Attacker (gratuitous ARP): "Hey everyone, I have 192.168.20.2. And I also have 192.168.20.1, and 192.168.20.34, and …"
Victim: "Who has 192.168.20.34?"
Attacker: "I do. Here's my MAC."
No authentication or security.

Neighbor Discovery Suffers from Similar Issues
Neighbor Solicitation: "Who has 2001::3/64?"
Neighbor Advertisement: "I do. Send traffic to me."
ND spoofing: the attacker answers the same solicitation with "I do. Here's my Layer 2 address."
No authentication or security.

Many Other Neighbor and Router Discovery Issues
Other ND-related attacks:
• Duplicate Address Detection (DAD) DoS attack
• ND spoofing attack for router (allows for MitM)
• Neighbor Unreachability Detection (NUD) DoS attack
• Last hop router spoofing (malicious router advertisements)
• And many more… (http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html)
Solution: SEcure Neighbor Discovery (SEND), RFC 3971
• Essentially adds IPSec to ND communications
• Requires PKI infrastructure
• Not available in all OSs yet
• 802.1X also an option

New Multicast Protocol Helps with Reconnaissance
In the first webinar, we introduced IPv6 multicast addresses. IPv6 multicast includes a ton of reserved addresses. Here's a few:

Multicast Address | Reservation
FF02::1 | All Hosts Address
FF02::2 | All Routers Address (LL)
FF02::9 | RIP Routers
FF02::A | EIGRP Routers
FF02::B | Mobile Agents
FF02::1:2 | All DHCP Agents
FF05::2 | All Routers Address (SL)
FF05::1:3 | All DHCP Servers
FF05::1:4 | All DHCP Relays
FF0X::101 | NTP
FF0X::106 | Name Service Server

Attackers can use these multicast addresses to enumerate your network. Note: RFC 2375.

IPv6 Security Controls Lagging Hacking Arsenal/Tools
Attackers already have many IPv6-capable tools, while IPv6 security controls and products seem to be a bit behind:
• THC-IPv6 Attack Suite
• Nmap
• Alive6
• Parasite6
• COLD
• Fake_mld6
• Wireshark
• Fake_Advertiser6
• Spak6
• SendPees6
• Redir6
• Multi-Generator (MGEN)
• Fake_Router6
• Detect-New-IPv6
• IPv6 Security Scanner (vscan6)
• DoS-New-IPv6
• Smurf6
• TCPDump
• Halfscan6
• rSmurf6
• TooBig6
• Fake_MIPv6
• Strobe
• Netcat6
• DNSDict6
• Isic6
• Hyenae
• Trace6
• Imps6-tools
• Relay6
• 6tunnel
• NT6tunnel
• SendIP
• VoodooNet
• Packit
• Scapy6
• 4to6ddos
• Metasploit (etc.)
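The four EUI-64 steps on the "Automatic Addressing May Pose Privacy Concerns" slide, carried out in code as an added example (not part of the deck). It builds the interface identifier from the slide's MAC, forms the SLAAC address in a prefix, and also runs the derivation backwards: if an address has FF:FE in the middle of its interface identifier, the MAC can be read straight back out of it, which is exactly the privacy concern. The 2001:db8::/64 prefix and the second MAC are constructed values for illustration; the inverse check is what a defender would run over an address inventory to find hosts that have not enabled privacy or cryptographically generated addresses.

```python
"""EUI-64 interface identifiers: derivation and the privacy leak in reverse (added example)."""
import ipaddress


def mac_to_eui64(mac):
    """Steps from the slide: split the MAC, insert FFFE, invert the universal/local bit.

    The 'change 7th bit' step is the u/l bit of the first octet (mask 0x02); for the
    slide's MAC 0x90 becomes 0x92.
    """
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]          # steps 2 and 3
    return bytes([eui[0] ^ 0x02]) + eui[1:]               # step 4


def eui64_text(mac):
    """The identifier in the slide's colon-separated notation, e.g. 92:3A:2B:FF:FE:06:2C:D1."""
    return ":".join(f"{b:02X}" for b in mac_to_eui64(mac))


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr):
    """Reverse the derivation. Returns the MAC if the identifier is EUI-64 shaped, else None."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None                                       # privacy/CGA/static address, no MAC exposed
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]     # undo step 4, drop the FFFE filler
    return "-".join(f"{b:02X}" for b in raw)


def hosts_exposing_mac(addresses):
    """Inventory check: which observed addresses reveal the hardware address?"""
    return {a: mac for a in addresses if (mac := mac_from_address(a)) is not None}


if __name__ == "__main__":
    slide_mac = "90-3A-2B-06-2C-D1"
    print(eui64_text(slide_mac))
    addr = slaac_address("2001:db8::/64", slide_mac)
    print(addr, "->", mac_from_address(str(addr)))
    # Constructed sample inventory: one EUI-64 host, one privacy-style host.
    print(hosts_exposing_mac([str(addr), "2001:db8::a1b2:c3d4:e5f6:0789"]))
```

Because the identifier travels unchanged with the host from one /64 to the next, an EUI-64 address identifies the machine across networks; RFC 3041 privacy addresses and CGAs (RFC 3972) break that link, and the inverse check above is a cheap way to see which hosts still need them.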
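The ND spoofing slides show an attacker answering a Neighbor Solicitation with its own Layer 2 address, and the "router spoofing" bullet extends the same trick to the default gateway. Until SEND or 802.1X is in place, the practical defence is to watch the Neighbor Advertisements on the segment and alert when a binding changes. The monitor below is an added example (not WatchGuard's code): it keeps a table of target address to link-layer address, raises an alert when an advertisement contradicts a known binding, and treats a mismatch against a statically configured gateway binding as the higher-severity router-spoof case. The advertisement records are constructed; a real deployment would feed them from a packet capture.

```python
"""Neighbor Advertisement monitor: detect ND/router spoofing by binding changes (added example)."""
from dataclasses import dataclass


@dataclass
class NeighborAdvert:
    """The fields of an NA that matter for this check (constructed record, not a parser)."""
    target: str       # IPv6 address being advertised
    lladdr: str       # link-layer address from the Target Link-Layer Address option
    override: bool    # O flag: tells receivers to replace an existing cache entry
    solicited: bool   # S flag: sent in reply to a solicitation, not gratuitously


# Constructed sequence as a sniffer might deliver it: normal traffic, then one host
# takes over 2001:db8::3 and then the router address 2001:db8::1.
SAMPLE_NAS = [
    NeighborAdvert("2001:db8::1", "00-11-22-33-44-01", override=True, solicited=True),
    NeighborAdvert("2001:db8::3", "00-11-22-33-44-03", override=True, solicited=True),
    NeighborAdvert("2001:db8::3", "00-11-22-33-44-03", override=True, solicited=False),
    NeighborAdvert("2001:db8::3", "DE-AD-BE-EF-00-01", override=True, solicited=False),
    NeighborAdvert("2001:db8::1", "DE-AD-BE-EF-00-01", override=True, solicited=False),
]


class NDMonitor:
    def __init__(self, trusted=None):
        # Static bindings for addresses that must never move (the default router, DHCPv6 server).
        self.trusted = {k: v.upper() for k, v in (trusted or {}).items()}
        self.seen = {}      # learned target -> link-layer address
        self.alerts = []    # (kind, target, offending link-layer address)

    def observe(self, na):
        mac = na.lladdr.upper()
        if na.target in self.trusted and mac != self.trusted[na.target]:
            # Router spoofing: someone else claims the gateway address (MitM setup).
            self.alerts.append(("router-spoof", na.target, mac))
            return
        prev = self.seen.get(na.target)
        if prev is None:
            self.seen[na.target] = mac
        elif prev != mac:
            # A gratuitous NA with O=1 that moves an address is the classic spoof pattern;
            # a change in a solicited reply is still worth a look (flapping or a legitimate move).
            kind = "unsolicited-override" if (na.override and not na.solicited) else "binding-change"
            self.alerts.append((kind, na.target, mac))
            self.seen[na.target] = mac


def run(events, trusted=None):
    """Replay a sequence of advertisements and return the alerts raised."""
    mon = NDMonitor(trusted)
    for na in events:
        mon.observe(na)
    return mon.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_NAS, trusted={"2001:db8::1": "00-11-22-33-44-01"}):
        print(alert)
```

Legitimate causes of a binding change exist (a NIC swap, a VRRP failover), so the binding-change alert is a review item rather than a block; the router-spoof alert against a pinned gateway is the one to page on.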
• 6tunneldos
• Web browsers (XSS & SQLi)
• Flood_Router6
• Flood_Advertise6
• Fuzz_IP6
• etc…

IPv6 Security: The Different (Neutral)

IPv6 Differences of Concern
Some of IPv6's differences have security connotations that you should know about. However, they aren't necessarily inherently good or bad.

Typical IPv6 Devices Have Multiple Addresses
• At least a link-local address (FE80::/10)
• Likely a unique global address (2000::/3)
• Possibly a site-local address (FC00::/7)
You will probably need MULTIPLE firewall or ACL policies for these extra networks within your organization.

Extra Security Can Cause Insecurity
Firewalls (and admins) must learn new tricks:
• How to filter ICMPv6?
• Handling new extension headers
• Filtering multicast and anycast
• Hosts with multiple addresses

EXTRA: The Same
There are some security issues that IPv6 has little effect on:
• Application-layer attacks
• Sniffing
• Rogue devices
• Man-in-the-middle attacks
• Flooding/DoS attacks

IPv6 Security: Conclusion
So… Does/Will IPv6 Provide More Security?
Short term
• Probably not. Few will adopt/use the IPv6-related security additions early on. Furthermore, the protocol's "newness" and administrators' unfamiliarity may result in more vulnerabilities at first. That said, IPv6 security is NOT worse than IPv4.
Long term
• Yes. If leveraged, some IPv6 additions can increase our overall network security. As we become more familiar with it, and more network services begin to leverage advanced options, IPv6 should prove slightly more secure than IPv4.

Wrapping It Up

Coming Up Next… (1 month from now)
What To Expect from IPv6
• ISP activities
• Connecting the islands

Major References
• IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation: http://www.cisco.com/web/about/security/security_services/ciag/documents/v6-v4-threats.pdf
• IPv6 Security Challenges: https://www.cs.siue.edu/~wwhite/CS447/TopicalPaper/Originals/Bridges_IPv6SecurityChallenges.pdf
• IPv6 Security Challenges, by Samuel Sotillo: http://www.infosecwriters.com/text_resources/pdf/IPv6_SSotillo.pdf
• IPv6 Security Best Practices: http://www.cisco.com/web/SG/learning/ipv6_seminar/files/02Eric_Vyncke_Security_Best_Practices.pdf
• IPv6 Security Considerations and Recommendations: http://technet.microsoft.com/en-us/library/bb726956.aspx
• NIST: Guidelines for the Secure Deployment of IPv6: http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
• IPv6 Transition/Coexistence Security Considerations (RFC 4942): http://www.ietf.org/rfc/rfc4942.txt
• And many more….

Thank You!
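Two of the "Different" slides come down to the same task: knowing which address range a packet belongs to, because each range (link-local, FC00::/7, global) needs its own firewall or ACL policy, and because the reserved multicast groups from the reconnaissance table are worth recognising when they show up in logs. The classifier below is an added example (not from the deck) that embeds the slide's multicast table, decodes the multicast scope nibble so that the FF0X entries match in any scope, and reports which policy zones a host's addresses fall into. FC00::/7 is labelled "unique-local" here, the RFC 4193 name for the range the slide calls site-local; the sample addresses are constructed.

```python
"""Classify IPv6 addresses by range and well-known multicast group (added example)."""
import ipaddress

# Reserved groups from the slide's table (RFC 2375), keyed by compressed lowercase form.
WELL_KNOWN_GROUPS = {
    "ff02::1": "All Hosts Address",
    "ff02::2": "All Routers Address (LL)",
    "ff02::9": "RIP Routers",
    "ff02::a": "EIGRP Routers",
    "ff02::b": "Mobile Agents",
    "ff02::1:2": "All DHCP Agents",
    "ff05::2": "All Routers Address (SL)",
    "ff05::1:3": "All DHCP Servers",
    "ff05::1:4": "All DHCP Relays",
}
# FF0X::... entries are valid in every scope, so they are matched on the 112-bit group ID.
ANY_SCOPE_GROUPS = {0x101: "NTP", 0x106: "Name Service Server"}
GROUP_ID_MASK = (1 << 112) - 1
SCOPE_NAMES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}

# Unicast ranges from the "Multiple Addresses" slide; each usually needs its own policy.
UNICAST_RANGES = [
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),
    ("global", ipaddress.IPv6Network("2000::/3")),
]


def classify(addr_str):
    """Return {'kind', 'scope', 'group'} for one IPv6 address."""
    a = ipaddress.IPv6Address(addr_str)
    if a.is_multicast:
        scope = int(a.exploded[3], 16)                 # low nibble of the second byte: FFxS
        group_id = int(a) & GROUP_ID_MASK
        group = WELL_KNOWN_GROUPS.get(a.compressed) or ANY_SCOPE_GROUPS.get(group_id)
        return {"kind": "multicast",
                "scope": SCOPE_NAMES.get(scope, f"scope-{scope:x}"),
                "group": group}
    for label, net in UNICAST_RANGES:
        if a in net:
            return {"kind": label, "scope": None, "group": None}
    return {"kind": "other", "scope": None, "group": None}


def policy_zones(addresses):
    """Distinct address kinds a host uses; a firewall policy that covers only one will miss the rest."""
    return sorted({classify(a)["kind"] for a in addresses})


if __name__ == "__main__":
    # Constructed sample: a typical dual-stack host plus the groups a scanner would probe.
    host_addrs = ["fe80::923a:2bff:fe06:2cd1", "2001:db8::923a:2bff:fe06:2cd1", "fd12:3456::10"]
    print(policy_zones(host_addrs))
    for dst in ["ff02::1", "ff02::1:2", "ff05::1:3", "ff0e::101", "ff02::1234"]:
        print(dst, classify(dst))
```

A log line destined for All DHCP Servers or All Routers from a host that is neither a DHCP client nor a router is the multicast enumeration the slide warns about; the same classifier makes it obvious when a rule set only covers the global prefix and leaves link-local and FC00::/7 traffic unfiltered.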