Introduction to IPv6 Security - IPv6 Business Conference 2013
Transcript of Introduction to IPv6 Security - IPv6 Business Conference 2013
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Eric Vyncke, Distinguished Engineer, [email protected]
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
• Security Myths of IPv6
• Shared Issues by IPv4 and IPv6
• Specific Issues for IPv6
IPsec everywhere, dual-stack, tunnels and 6VPE
• Enforcing a Security Policy in IPv6
Cisco Public © 2011 Cisco and/or its affiliates. All rights reserved. 3
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Sometimes, newer means better and more secure
Sometimes, experience IS better and safer!
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
• Public servers will still need to be DNS reachable
More information collected by Google...
• Increased deployment/reliance on dynamic DNS
More information will be in DNS
• Using peer-to-peer clients gives IPv6 addresses of peers
• Administrators may adopt easy-to-remember addresses (::10,::20,::F00D, ::C5C0, :ABBA:BABE or simply IPv4 last octet for dual stack)
• By compromising hosts in a network, an attacker can learn new addresses to scan
• Transition techniques (see further) derive IPv6 address from IPv4 address
can scan again
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Remote
• Remote router CPU/memory DoS attack if aggressive scanning
Router will do Neighbor Discovery... And waste CPU and memory
• Local router DoS with NS/RS/…
2001:db8::/64
NS: 2001:db8::1
NS: 2001:db8::2
NS: 2001:db8::3
NS: 2001:db8::1
NS: 2001:db8::2
NS: 2001:db8::3
NS: 2001:db8::1
NS: 2001:db8::2
NS: 2001:db8::3
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
• Built-in rate limiter with options to tune it
Since 15.1(3)T: ipv6 nd cache interface-limit
Or IOS-XE 2.6: ipv6 nd resolution data limit
Destination-guard is part of First Hop Security phase 3
Priority given to refresh existing entries vs. discovering new ones
• Using a /64 on point-to-point links => a lot of addresses to scan!
Using /127 could help (RFC 6164)
• Internet edge/presence: a target of choice
Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
• Using infrastructure ACL prevents this scanning
iACL: edge ACL denying packets addressed to your routers
Easy with IPv6 because new addressing scheme
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
• Ingress ACL allowing only valid destination and dropping the rest
• NDP cache & process are safe
• Requires DHCP or static configuration of hosts
2001:db8::/64
NS: 2001:db8::1
NA: 2001:db8::1
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
• Viruses and email, IM worms: IPv6 brings no change
• Other worms:
IPv4: reliance on network scanning
IPv6: not so easy (see reconnaissance) => will use alternative techniques
Worm developers will adapt to IPv6
IPv4 best practices around worm detection and mitigation remain valid
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
• IPv6 originally mandated the implementation of IPsec (but not its use)
• Now, RFC 6434 “IPsec SHOULD be supported by all IPv6 nodes”
• Some organizations still believe that IPsec should be used to secure all flows...
Interesting scalability issue (n2 issue with IPsec)
Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
IOS 12.4(20)T can parse the AH
Network telemetry is blinded: NetFlow of little use
Network services hindered: what about QoS?
Recommendation: do not use IPsec end to end within an administrative domain. Suggestion: Reserve IPsec for residential or hostile environment or high profile targets EXACTLY as for IPv4
Cisco Public © 2011 Cisco and/or its affiliates. All rights reserved. 11
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
IPv6
Intranet
• Same as in IPv4
• Bogon filtering (data plane & BGP route map): http://www.cymru.com/Bogons/ipv6.txt
• Anti-spoofing: uRPF
Inter-Networking Device
with uRPF Enabled
IPv6 Unallocated
Source Address
X IPv6
Intranet/Internet
No Route to SrcAddr => Drop
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
1. RS:
Data = Query: please send RA
2. RA:
Data= options, prefix, lifetime, A+M+O flags
2. RA 1. RS
RA w/o Any Authentication Gives Exactly Same Level of Security as DHCPv4 (None)
Router Advertisements contain: -Prefix to be used by hosts -Data-link layer address of the router -Miscellaneous options: MTU, DHCPv6 use, …
Last come, first used
2. RA
DoS MITM
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
1. RS:
Src = ::
Dst = All-Routers multicast Address
ICMP Type = 133
Data = Query: please send RA
2. RA:
Src = Router Link-local Address
Dst = All-nodes multicast address
ICMP Type = 134
Data= options, prefix, lifetime, autoconfig flag
2. RA 2. RA 1. RS
RA/RS w/o Any Authentication Gives Exactly Same Level of Security as ARP for IPv4 (None)
Router Solicitations Are Sent by Booting Nodes to Request Router Advertisements for Stateless Address Auto-Configuring
Attack Tool: fake_router6 Can Make Any IPv6 Address the Default Router
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
• GOOD NEWS: dynamic ARP inspection for IPv6 is available
First phase (Port ACL & RA Guard) available since Summer 2010
Second phase (NDP & DHCP snooping) available since Summer 2011
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
• (kind of) GOOD NEWS: Secure Neighbor Discovery
SeND = NDP + crypto
IOS 12.4(24)T
But not in Windows Vista, 2008 and 7, Mac OS/X, iOS, Android
Crypto means slower...
• Other GOOD NEWS:
Private VLAN works with IPv6
Port security works with IPv6
IEEE 801.X works with IPv6 (except downloadable ACL)
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Isolated Port
• Prevent Node-Node Layer-2 communication by using:
Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port)
WLAN in ‘AP Isolation Mode’
1 VLAN per host (SP access network with Broadband Network Gateway)
• Link-local multicast (RA, DHCP request, etc) sent only to the local official router: no harm done by rogue RA
Side effect: it also disables DAD... If prefix is advertised as on-link
RA
RA
RA
RA
RA
Promiscuous Port
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
• Port ACL blocks all ICMPv6 RA from hosts
interface FastEthernet0/2
ipv6 traffic-filter ACCESS_PORT in
access-group mode prefer port
• RA-guard lite (12.2(33)SXI4 & 12.2(54)SG ): also dropping all RA received on this port
interface FastEthernet0/2
ipv6 nd raguard
access-group mode prefer port
• RA-guard (12.2(50)SY, 15.0(2)SE)
ipv6 nd raguard policy HOST device-role host
ipv6 nd raguard policy ROUTER device-role router
ipv6 nd raguard attach-policy HOST vlan 100
interface FastEthernet0/0
ipv6 nd raguard attach-policy ROUTER
RA
RA
RA
RA
RA
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Trusted-port
done
Y
host-port
N
Y
Check
Min hop-limit ?
N
Advertised limit
<= cfglimit ?
Check
Max hop-limit ?
N
Advert limit
< cfglimit ?
Y N
Check
M flag?
N
Advert M flag
= conf value ?
Y
N
Check
O flag ?
N
Advert O flag
= conf value?
Y
N
Check
Router pref ?
N
Advert router pref
<= conf value ?
Y
Check
Message SRC ?
N
Message SRC in
Configured Access-list ?
DROP
DROP
Y
Y
Y
Y
Y N
N
Check
adv prefixes in RA?
N
Advertised prefixes in
Configured prefix-list
Y
N
Check CGA if
Option present
Y
KO OK
Y
Y
Y
N
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
IPv6 FHS C6K C4K C3K C2K WLC
RA Guard 12.2(50)SY
and
15.0(1)SY
12.2(54)S
G 15.0(2)SE 15.0(2)SE 7.2
DHCP Guard 2013
XE
3.4.xSG
15.1(2)SG
15.0(2)SE 15.0(2)SE 7.2
Binding Integrity Guard 2013
XE
3.4.xSG
15.1(2)SG
15.0(2)SE 15.0(2)SE 7.2
Source Guard 2013 MID 2013 15.0(2)SE 15.0(2)SE 7.2
Destination Guard 2013
XE
3.4.xSG
15.1(2)SG
15.0(2)SE 15.0(2)SE 7.2
Key Takeaway: Catalyst & WLAN most secure IPv6 capable Products for your customer’s access layer
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
• Significant changes
• More relied upon
• => ICMP policy on firewalls needs to change
ICMP Message Type ICMPv4 ICMPv6
Connectivity Checks X X
Informational/Error Messaging X X
Fragmentation Needed Notification X X
Address Assignment X
Address Resolution X
Router Discovery X
Multicast Group Management X
Mobile IPv6 Support X
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
For Your Reference
RFC 4890: Border Firewall Transit Policy
Internet
Internal Server A
Action Src Dst ICMPv6
Type ICMPv6
Code Name
Permit Any A 128 0 Echo Reply
Permit Any A 129 0 Echo Request
Permit Any A 1 0 No Route to Dst.
Permit Any A 2 0 Packet Too Big
Permit Any A 3 0 Time Exceeded— TTL Exceeded
Permit Any A 4 0 Parameter Problem
Needed for Teredo traffic
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Internet
Internal Server A
Firewall B
Action Src Dst ICMPv6
Type ICMPv6
Code Name
Permit Any B 2 0 Packet too Big
Permit Any B 4 0 Parameter Problem
Permit Any B 130–132 0 Multicast Listener
Permit Any B 135/136 0 Neighbor Solicitation and Advertisement
Deny Any Any
For Your Reference
RFC 4890: Border Firewall Receive Policy
For locally generated traffic
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
• BGP, ISIS, EIGRP no change:
An MD5 authentication of the routing update
• OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport mode IPsec (for authentication and confidentiality)
IPsec means crypto image
But see RFC 6506
• IPv6 routing attack best practices
Use traditional authentication mechanisms on BGP and IS-IS
Use IPsec to secure protocols such as OSPFv3
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
• Application layer attacks
The majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do nothing to prevent
• Rogue devices
Rogue devices will be as easy to insert into an IPv6 network as in IPv4
• Man-in-the-Middle Attacks (MITM)
Without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
• Flooding
Flooding attacks are identical between IPv4 and IPv6
• Sniffing
IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
Good news IPv4 IPS signatures can be re-
used
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
• IPv6 stacks were new and could be buggy
• Some examples
Source: http://cve.mitre.org/cve/
CVE-2011-2393 Feb 2012 FreeBSD OpenBSD NetBSD and others
Local users DoS with RA flooding
CVE-2012-4444 Dec 2012 Linux Bypassing fragmentation protection
CVE-2012-4623 Oct 2012 IOS Remote DoS against DHCPv6 server
CVE-2008-1576 Jun 2008 Apple Mac OS X Buffer overflow in Mail over IPv6
CVE-2012-0179 May 2012 Microsoft Local privilege escalation
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
• Sniffers/packet capture
Snort
TCPdump
Sun Solaris snoop
COLD
Wireshark
Analyzer
Windump
WinPcap
• Scanners
IPv6 security scanner
Halfscan6
Nmap
Strobe
Netcat
• DoS Tools
6tunneldos
4to6ddos
Imps6-tools
• Packet forgers
Scapy
SendIP
Packit
Spak6
• Complete tools
http://www.thc.org/thc-ipv6/
http://www.si6networks.com/tools/ipv6toolkit/
Let the Games Begin
Cisco Public © 2011 Cisco and/or its affiliates. All rights reserved. 27
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
• Temporary addresses for IPv6 host client application, e.g. web browser
Inhibit device/user tracking
Random 64 bit interface ID, then run Duplicate Address Detection before using it
Rate of change based on local policy
• Enabled by default in Windows, Android, iOS 4.3, Mac OS/X 10.7
2001
/32 /48 /64 /23
Interface ID
Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back)
IETF Work in progress: unpredictable but stable addresses
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
• Microsoft Windows
Deploy a Group Policy Object (GPO)
Or
• Alternatively disabling stateless autoconfiguration for DHCP
Send Router Advertisements with
all prefixes with A-bit set to 0 (disable SLAAC)
M-bit set to 1 to force stateful DHCPv6
Use DHCP to a specific pool + ingress ACL allowing only this pool
netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy state=disabled store=persistent
For Your Reference
interface fastEthernet 0/0
ipv6 nd prefix default no-autoconfig
ipv6 dhcp server . . . (or relay)
ipv6 nd managed-config-flag
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
• Network Prefix Translation, RFC 6296,
1:1 stateless prefix translation allowing all inbound/outbound packets.
Main use case: multi-homing
• Else, IETF has not specified any N:1 stateful translation (aka overload NAT or NAPT) for IPv6
• Do not mix stateful firewall and NAPT even if they are often co-located
• Nowadays, NAPT (for IPv4) does not help security
Host OS are way more resilient than in 2000
Hosts are mobile and cannot always be behind your ‘controlled NAPT’
Malware are not injected from ‘outside’ but are fetched from the ‘inside’ by visiting weird sites or installing any trojanized application
Nearly 80% of the Torpig-infected hosts were behind a NAPT...
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
• Payment Card Industry Data Security Standard (latest revision October 2010):
Requirement 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.
Note: Methods to obscure IP addressing may include, but are not limited to: Network Address Translation (NAT)
• how to comply with PCI DSS
Application proxies or SOCKS
Strict data plane filtering with ACL
Strict routing plane filtering with BGP route-maps
• PCI DSS 2.0 Third Edition (Summer 2013) should be IPv6 aware
• Cisco IPv6 design for PCI with IPv6
http://www.cisco.com/en/US/docs/solutions/Enterprise/Compliance/Compliance_DG/PCI_20_DG.pdf
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
• Unlimited size of header chain (spec-wise) can make filtering difficult
• Potential DoS with poor IPv6 stack implementations
More boundary conditions to exploit
Can I overrun buffers with a lot of extension headers?
• Mitigation: use firewall or IPS to drop packets which violate extension header specification
Perfectly Valid IPv6 Packet According to the Sniffer
Destination Options Header Should Be the Last
Header Should Only Appear Once
Destination Header Which Should Occur at Most Twice
See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
• HbH: for router alerts RFC 6398, similar to IPv4 options
Goes to the CPU => Denial of Service
See draft-krishnan-ipv6-hopbyhop
• Main uses:
MLD (multicast): but link-local only, so, not too bad
RSVP (QoS, IntServ): only within one administrative domain
Can have other options
• My advice:
Block all HbH at the routers after MLD inspection _EXCEPT_ if you run RSVP
• This is also a self-defeating attack as it only harms the first vulnerable router…
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
• Finding the layer 4 information is not trivial in IPv6
Skip all known extension header
Until either known layer 4 header found => MATCH
Or unknown extension header/layer 4 header found... => NO MATCH
IPv6 hdr HopByHop Routing AH TCP data
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
• Extension headers chain can be so large than it must be fragmented!
• RFC 3128 is not applicable to IPv6
• Layer 4 information could be in 2nd fragment
IPv6 hdr HopByHop Routing Destination Fragment1
Layer 4 header is in 2nd fragment
IPv6 hdr HopByHop Fragment2 TCP Data Routing
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
• RFC 3128 is not applicable to IPv6
• Layer 4 information could be in 2nd fragment
• But, stateless firewalls could not find it if a previous extension header is fragmented
IPv6 hdr HopByHop Routing Destination … Fragment1
Layer 4 header is in 2nd fragment, Stateless filters have no clue
where to find it!
IPv6 hdr HopByHop Fragment2 TCP Data Routing … Destination
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
• This makes matching against the first fragment non-deterministic:
layer 4 header might not be there but in a later fragment
Need for stateful inspection
• fragment keyword matches
Non-initial fragments (same as IPv4)
• undertermined-transport keyword does not match
If non-initial fragment
Or if TCP/UDP/SCTP and ports are in the fragment
Or if ICMP and type and code are in the fragment
Else Everything else matches (including OSPFv3, RSVP, GRE, EIGRP, PIM …)
Only for deny ACE
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
• RFC 3128 is not applicable to IPv6, extension header can be fragmented
• ICMP header could be in 2nd fragment after a fragmented extension header
• RA Guard works like a stateless ACL filtering ICMP type 134
• THC fake_router6 –FD implements this attack which bypasses RA Guard
• Partial work-around: block all fragments sent to ff02::1
• If supported, deny undetermined-transport blocks this attack (work item at IETF)
IPv6 hdr HopByHop Routing Destination … Fragment1
ICMP header is in 2nd fragment, RA Guard has no clue where to
find it!
IPv6 hdr HopByHop Fragment2 ICMP type=134 Routing … Destination
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
• Host security on a dual-stack device
Applications can be subject to attack on both IPv6 and IPv4
Fate sharing: as secure as the least secure stack...
• Host security controls should block and inspect traffic from both IP versions
Host intrusion prevention, personal firewalls, VPN clients, etc.
Dual Stack Client
IPv4 IPsecVPN with No Split Tunneling
Does the IPsec Client Stop an Inbound IPv6 Exploit?
IPv6 HDR IPv6 Exploit
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
• Your host:
IPv4 is protected by your favorite personal firewall...
IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...)
• Your network:
Does not run IPv6
• Your assumption:
I’m safe
• Reality
You are not safe
Attacker sends Router Advertisements
Your host configures silently to IPv6
You are now under IPv6 attack
• => Probably time to think about IPv6 in your network
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
$ ping6 -I en1 ff02::1%en1
PING6(56=40+8+8 bytes) fe80::226:bbff:fexx:xxxx%en1 --> ff02::1
16 bytes from fe80::226:bbff:fexx:xxxx%en1, icmp_seq=0 hlim=64 time=0.140 ms
. . .
16 bytes from fe80::cabc:c8ff:fec3:fdef%en1, icmp_seq=3 hlim=64 time=402.112 ms
^C
--- ff02::1%en1 ping6 statistics ---
4 packets transmitted, 4 packets received, +142 duplicates, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.140/316.721/2791.178/412.276 ms
$ ifconfig en1
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:26:bb:xx:xx:xx
inet6 fe80::226:bbff:fexx:xxxx%en1 prefixlen 64 scopeid 0x6
inet 10.19.19.118 netmask 0xfffffe00 broadcast 10.19.19.255
media: autoselect
status: active
$ ndp -an
Neighbor Linklayer Address Netif Expire St Flgs Prbs
2001:xxxx:xxxx:1:3830:abff:9557:e33c 0:24:d7:5:6b:f0 en1 23h59m30s S
. . .
$ ndp -an | wc -l
64
Humm… Is there an
IPv6 Network?
Humm… Are there any IPv6
peers?
Let’s have some fun here… Configure a tunnel, enable forwarding and
transmit RA
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
• Finding all hosts:
Address enumeration does not work for IPv6
Need to rely on DNS or NDP caches or NetFlow
• Vulnerability scanning
IPv4 global address, IPv6 global address(es) (if any), IPv6 link-local address
Some services are single stack only (currently mostly IPv4 but who knows...)
Personal firewall rules could be different between IPv4/IPv6
• IPv6 vulnerability scanning MUST be done for IPv4 & IPv6 even in an IPv4-only network
IPv6 link-local addresses are active by default
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
• Most IPv4/IPv6 transition mechanisms have no authentication built in
• => an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses
Public IPv4
Internet
Server B Server A
Tunnel
Termination
Tunnel
Termination
IPv6 Network IPv6 Network
IPv6 in IPv4
IPv6 ACLs Are Ineffective Since IPv4 & IPv6 Is Spoofed
Tunnel Termination Forwards the Inner IPv6 Packet
IPv4
IPv6
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
• Root cause
Same IPv4 encapsulation (protocol 41)
Different ways to embed IPv4 address in the IPv6 address
• ISATAP router:
accepts 6to4 IPv4 packets
Can forward the inside IPv6 packet back to 6to4 relay
• Symmetric looping attack exists
6to4 relay 192.0.2.1
ISATAP router Prefix 2001:db8::/64 192.0.2.2
1. Spoofed packet S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1
2. IPv4 packet to 192.0.2.2 containing
S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1
3. IPv6 packet S: 2001:db8::200:5efe:c000:201
D: 2002:c000:202::1
Repeat until Hop Limit == 0
Mitigation: •Easy on ISATAP routers: deny packets whose IPv6 is its 6to4 •Less easy on 6to4 relay: block all ISATAP-like local address? •Enterprise block all protocol 41 at the edge which are not known tunnels •Good news: not so many open ISATAP routers on the Internet
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
• Transport IPv6 packets over IPv4 UDP: goal traverse NAPT
• Main implementation: Microsoft Windows (+ Miredo for Linux)
• Enabled by default on Windows
If the firewall is enabled
If not connected to an Active Directory network
OR IF USER ENABLES IT
• Never preferred if there is native IPv4 or IPv6
• BUT: NAPT is often co-located with NAPT, users can force Teredo to be used (for BitTorrent), and if free UDP is allowed by security policy
=> Once tunnel is open, the whole IPv6 Internet has access to your machine
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
• 6VPE: the MPLS-VPN extension to also transport IPv6 traffic over a MPLS cloud and IPv4 BGP sessions
PE1
2001:db8:1:1:/64
PE3
PE4
IPv4 only MPLS
10.1.1.0/24
PE2
v4 and v6 VPN
10.1.1.0/24
2001:db8:1:1:/64
v4 only VPN
2001:db8:1:2:/64
v4 and v6 VPN
10.1.2.0/24
2001:db8:1:2:/64
v4 only VPN
10.1.2.0/24
v6 VPN v6 VPN
Dual-Stack
IPv4-IPv6
PE Routers
Dual-Stack
IPv4-IPv6
PE Routers
VRF
VRF
VRF
VRF
VRF
VRF
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
• 6PE (dual stack without VPN) is a simple case
• Security is identical to IPv4 MPLS-VPN, see RFC 4381
• Security depends on correct operation and implementation
QoS prevent flooding attack from one VPN to another one
PE routers must be secured: AAA, iACL, CoPP …
• MPLS backbones can be more secure than “normal” IP backbones
Core not accessible from outside
Separate control and data planes
• PE security
Advantage: Only PE-CE interfaces accessible from outside
Makes security easier than in “normal” networks
IPv6 advantage: PE-CE interfaces can use link-local for routing
draft-ietf-opsec-lla-only
=> completely unreachable from remote (better than IPv4)
Cisco Public © 2011 Cisco and/or its affiliates. All rights reserved. 48
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
• Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:
• Nexus 7000 also allows RS & RA
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
ipv6 access-list VTY
permit ipv6 2001:db8:0:1::/64 any
line vty 0 4
ipv6 access-class VTY in
For Your Reference
MUST BE DONE before ‘ipv6 enable’ on any interface!
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
• Since version 7.0 (April 2005)
• IPv6 header security checks (length & order)
• Management access via IPv6: Telnet, SSH, HTTPS, ASDM
• Routed & transparent mode, fail-over
• v6 App inspection includes: DNS,FTP, HTTP, ICMP, SIP, SMTP, and IPSec pass-through
• IPv6 support for site-to-site VPN tunnels was added in 8.3 (IKEv1 in ASA 8.3.1, and IKEv2 in ASA 8.4.1)
• Selective permit/deny of extension headers (ASA 8.4.2)
• OSPFv3, DHCPv6 relay, stateful NAT64/46/66, mixed mode objects (ASA 9.0)
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
object network my_host
host 192.168.1.1
object network my_host_ipv6
host 2620:144:b20::200
access-list global_access line 1 extended permit ip any object-group my_host_group
access-group global_access global
object-group network my_host_group
network-object object my_host
network-object object my_host_ipv6
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
• ASA Firewall
Since version 7.0 (released 2005)
Flexibility: Dual stack, IPv6 only, IPv4 only
SSL VPN for IPv6 over IPv4 (ASA 8.0) over IPv6 (ASA 9.0)
Stateful-Failover (ASA 8.2.2)
Extension header filtering and inspection (ASA 8.4.2)
Dual-stack ACL & object grouping (ASA 9.0)
• ASA-SM
Leverage ASA code base, same features ;-) 16 Gbps of IPv6 throughput
• IOS Firewall
IOS 12.3(7)T (released 2005)
Zone-based firewall on IOS-XE 3.6 (2012)
• IPS
Since 6.2 (released 2008)
• Email Security Appliance (ESA) under beta testing since 2010, IPv6 support since 7.6.1 (May 2012)
• Web Security Appliance (WSA) with explicit proxy then transparent mode, work in progress (end of 2013 or early 2014)
• Cisco Cloud Web Security (ScanSafe) expected to be available in 2013 or early 2014
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
IPv6 in IPv4 tunnel
IPv4
IPv6
Ne
two
rk
IPv6
Ne
two
rk
GRE tunnel can be used to transport both IPv4 and IPv6 in the same tunnel
IPsec protects IPv4 unicast traffic... The encapsulated IPv6 packets
IPsec
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
IPv4 and IPv6 Transport in SSL
IPv4 or IPv6 IPv6 Windows
IPv6 Mac OS/X
IPv6 Linux
AnyConnect
Du
al-
Sta
ck N
etw
ork
ASA 9.0
SSL VPN Concentrator
Dual Stack
Cisco Public © 2011 Cisco and/or its affiliates. All rights reserved. 56
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
• So, nothing really new in IPv6
Reconnaissance: address enumeration replaced by DNS enumeration
Spoofing & bogons: uRPF is our IP-agnostic friend
NDP spoofing: RA guard and more features coming
ICMPv6 firewalls need to change policy to allow NDP
Extension headers: firewall & ACL can process them
Fragmentation: undetermined-transport is your friend
Potential loops between tunnel endpoints: ACL must be used
• Lack of operation experience may hinder security for a while: training is required
• Security enforcement is possible
Control your IPv6 traffic as you do for IPv4
• Leverage IPsec to secure IPv6 when suitable
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
• Easy to check!
• Look inside NetFlow records
Protocol 41: IPv6 over IPv4 or 6to4 tunnels
IPv4 address: 192.88.99.1 (6to4 anycast server)
UDP 3544, the public part of Teredo, yet another tunnel
• Look into DNS server log for resolution of ISATAP
• Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW
Cisco Public © 2011 Cisco and/or its affiliates. All rights reserved. 59
Thank you.