Securely Deploying IPv6 - UW–Madison · Lockdown 2017
Securely Deploying IPv6
James Leinweber
State Laboratory of Hygiene
School of Medicine & Public Health
Lockdown 2017 Securely Deploying IPv6 2
v4 & v6 BGP connectivity - CAIDA 2009
State of IPv6 rollout – pessimists' view
(figure: countries <1% IPv6; DMZ – Alexa 1000; ISP backbone)
State of IPv6 rollout – optimists' view
(figure: datacenter; CDN – Akamai, Limelight, ...; DMZ – Verizon wireless; ISP backbone – dual-stack; last mile – broadband, 4G/LTE, IoT; Belgium traffic; world population in high-IPv6 countries)
If a v6 client wants a v4 server …
(diagram: v6 → v4 via NAT64 + DNS64; v6 app / v4 app → v4 via 464xlat)
TCP/IP layers (v4, v6)
● 5 layer model
  ● each has a header or structured data
  ● OS layer APIs too
    ● socket, protocol, device driver, ...
● IPv4 and IPv6 are at layer 3
  ● WAN addressing and routing
● helper protocols find addresses:
  ● 7 → 3 (name → IP): DNS
    – v4: A; v6: AAAA
  ● 3 → 2 (IP → ethernet):
    – v4: ARP; v6: ND
packet headers: IPv4 versus IPv6
(diagram comparing the two headers field by field, colour-coded kept / gone / similar / new)
IPv4 header: ver, L (IHL), TOS, total length, frag ID, flags, offset, TTL, proto, header checksum, source address, destination address, options, pad
IPv6 header: ver, traffic class, flow label, payload length, next header, hop limit, source address, destination address
About those 128-bit IPv6 addresses
2607:f388:1084:2050:0000:0000:0053:000b
● written as 8 colon-separated 16-bit parcels of 4 hex characters
● two abbreviations:
  ● 1+ contiguous all-zero parcels → ::, drop leading zeros
    – e.g. the loopback address compresses to ::1
● routing prefix: ISP /13-/32; customers /48 (business) - /60 (home)
(diagram: bit allocation of the example address – 3 bits IETF, 9 bits IANA to RIR, 20 bits RIR to ISP, 16 bits ISP to end site, 16 bits subnets / VLAN, 64 bits host; abbreviated form 2607:f388:1084:2050::53:b)
IPv6: what’s similar to IPv4? WAN
● packet switched, next hop routing based on variable length prefixes, best effort delivery
  ● ... the threat model is basically the same
● Used with same upper & lower layer protocols
● Similar speed
  ● LAN max throughput 4% less (1500 bytes)
    – So use jumbo frames
  ● WAN speed up to 15% faster (facebook);
    – v4 delayed by Carrier NAT?
IPv6: The LAN behavior is very different
1: fe80 DAD listen ff02::1
2: multicast RS (ff02::2)
3: RA
4: multicast DHCPv6 agents (ff02::1:2)
5: DHCPv6 negotiation
6: multicast NS(ff02::1:ffxx:xxxx)
7: NA response
v4 versus v6 – network parameters

| parameter | IPv4 | IPv6 |
| --- | --- | --- |
| gateway | DHCP option | ICMPv6 RA sender (link-local; can be 100% fe80::1) |
| address | DHCP lease | SLAAC (privacy, EUI-64, ...) or DHCPv6 lease |
| DNS | DHCP options | DHCPv6 options, ICMPv6 RA DNS options (or fallback to v4 DHCP) |
| other options | DHCP | DHCPv6 (static DHCPv6?) |
| layer 2 address | ARP | ICMPv6 neighbor discovery (NS/NA) |
address scopes: node, link, site, global (of 7)

| scope | range | IPv4 analogue | uses |
| --- | --- | --- | --- |
| global – internet | 2000::/3 | | external / all uses |
| link local – lan | fe80::/64 | 169.254.0.0/16 | DHCP, ND, RS, ... |
| site / org / autonomous system – unique local | fd + 40 random + 16 subnet + 64 host | rfc-1918 | internal private cross-vlan client-server |
| node – host | loopback ::1 | 127.0.0.1/8 | |
an IPv6 host has at least 5 addresses ...

| scope | kind | usage | IPv6 address |
| --- | --- | --- | --- |
| node | unicast | loopback | ::1 (v4: 127.0.0.1) |
| link | multicast | All-nodes (RA, MLD destination) | ff02::1 (v4: 224.0.0.1) |
| link | unicast | RS/RA, ND, DHCP source | fe80::214:5eff:fea4:7386 |
| link | multicast | NS destination | ff02::1:ffa4:7386 |
| global | unicast | Public destination, ND, MLD source | 2607:f388:1084:2050::53:b |
| link | multicast | NS destination | ff02::1:ff53:b |
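The link-local and solicited-node entries in the table follow mechanically from the host's MAC and its global address. The Python below is an added example, not code from the talk: it derives those addresses and recovers the MAC again, which is the mapping a forensics analyst makes between a switch port and a trace; the MAC 00:14:5e:a4:73:86 is an assumption, chosen to match the slide's fe80::214:5eff:fea4:7386.

```python
import ipaddress

# Constructed sample values matching the table above: this MAC is assumed to
# be the one behind the slide's link-local address (it is not on the slide).
SAMPLE_MAC = "00:14:5e:a4:73:86"
SAMPLE_GLOBAL = "2607:f388:1084:2050::53:b"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe between the OUI and
    NIC halves and flip the universal/local bit (0x02 of the first octet)."""
    octets = [int(part, 16) for part in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    octets[0] ^= 0x02
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return int.from_bytes(bytes(eui), "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the EUI-64 interface id (no privacy extension)."""
    prefix = int(ipaddress.IPv6Address("fe80::"))
    return ipaddress.IPv6Address(prefix | eui64_interface_id(mac))


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address; the
    group a host joins so that NS for that address reaches it."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def mac_from_eui64_address(addr: str):
    """Inverse mapping: the MAC behind an EUI-64 style address, or None when
    the interface id lacks the ff:fe marker (privacy / random addresses)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(raw[:3] + raw[5:])
    octets[0] ^= 0x02
    return ":".join(f"{o:02x}" for o in octets)


def expected_host_addresses(mac: str, global_addr: str) -> dict:
    """The address set from the table, derived from MAC and global address,
    so an analyst can check what a capture of this host should contain."""
    ll = link_local_from_mac(mac)
    return {
        "loopback": "::1",
        "all_nodes": "ff02::1",
        "link_local": str(ll),
        "link_local_snm": str(solicited_node_multicast(str(ll))),
        "global": str(ipaddress.IPv6Address(global_addr)),
        "global_snm": str(solicited_node_multicast(global_addr)),
    }


if __name__ == "__main__":
    for kind, value in expected_host_addresses(SAMPLE_MAC, SAMPLE_GLOBAL).items():
        print(f"{kind:16} {value}")
```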
Getting IPv6 address space – ask your ISP
● Big org – ask ARIN for /32 or /48
  ● AS backbone routing prefixes /13../48
● UW departments – open a Cherwell ticket
  ● Ask DoIT for /48 (+/-4)
● Wiscnet customers – ask
● Business ISP – should be available
  ● Getting static v4 could be hard, v6 easy
● Home ISP – Real Soon Now
  ● homework: ask when
  ● Initially probably /64, eventually /60
Design a routing and subnet architecture
● Think big – a /48 is like being MIT
  ● Subnets and addresses are not scarce
    – all subnets /64 at the vlan
● Think long term – adapt to 20 years of changes
  ● new or renumbered vlans, new or split subnets, new locations, routing topology changes, ...
  ● Renumbering hosts is much easier in v6, but ...
● Think easy
  ● Easy to document, easy to implement
WSLH IPv6 architecture (3rd try)
● route /52 (wan), firewall /60 (security), subnet /64 (vlan)
● 4-bit alignment, start in the middle, reserve growth gaps, use meaningful semantics, avoid vlan tags & v4 subnets
(diagram: campus backbone feeding two sites)
● 465 Henry Mall – 2607:f388:1084:2000::/52
  – dmz 2607:f388:1084:2050::/64
  – mgmt 2607:f388:1084:20a0::/64
  – lan1 2607:f388:1084:2010::/64
  – lan2 2607:f388:1084:2018::/64
● 2810 Walton Commons LN – 2607:f388:1084:1000::/52
  – dmz 2607:f388:1084:1050::/64
  – mgmt 2607:f388:1084:10a0::/64
  – lan 2607:f388:1084:1010::/64
IPv6 network forensics: snoop the port/host
● host interfaces will have multiple active v6 addresses
  ● link-local (fe80::/64) & global (2000::/3) scopes
  ● might have multiple global scope addresses
● v6 host parts may change
  ● windows default is new privacy addresses daily
● dual-stack clients use both v4, v6 protocols
  ● IPv6 sites are IPv6-mostly, rarely IPv6-only
● destinations will be both unicast & multicast
  ● senders are always unicast & have host MAC
Dual-stack network monitoring
● SIEM / log analysis - multiple IP text formats
  ● v4 dotted quad (DNS A)
  ● v6 native (DNS AAAA)
  ● v4 mapped as v6 ::ffff:p.q.r.s
● if you use SNMP to poll ARP tables, add v6 ND
● antimalware tools – need v6 support
  ● AV, reputation blacklists, URL filtering, snort, …
● network & scanning tools – learn v6 options
  ● ping, traceroute, wireshark, nmap, nessus, ...
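The three text formats above are the practical problem for SIEM correlation: one client can appear as a dotted quad, as a compressed or uppercase IPv6 string, and as ::ffff:p.q.r.s depending on which daemon logged it. As an added example (not from the talk), the Python below pulls addresses out of constructed log lines, canonicalises them so mapped IPv4 collapses to plain IPv4, and indexes the lines by host; the log lines and daemon names are made up for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not from the talk). The same two hosts show
# up as a dotted quad, as native IPv6 and as IPv4-mapped IPv6, with upper
# case, brackets, ports and a zone id added by different daemons.
SAMPLE_LOGS = [
    "sshd[101]: Accepted publickey for jim from 198.51.100.7 port 50322",
    "nginx: client ::ffff:198.51.100.7 - GET /index.html 200",
    "squid: 198.51.100.7:51002 TCP_MISS/200 GET http://example.test/",
    "nginx: client 2607:f388:1084:2050::53:b - GET /login 302",
    "sshd[102]: Failed password for root from 2607:F388:1084:2050:0:0:53:B port 41000",
    "haproxy: connect from [2607:f388:1084:2050::53:b]:51000",
    "radvd: received RA from fe80::214:5eff:fea4:7386%eth0",
    "dhcpd: DHCPACK on 10.20.30.40 to 00:14:5e:a4:73:86",
]


def normalize_ip(text):
    """(family, canonical address) for one address string, or None.
    IPv4-mapped IPv6 (::ffff:p.q.r.s) collapses to the IPv4 address so it
    correlates with dotted-quad logs; IPv6 is compressed and lower-cased."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return ("v4", str(addr.ipv4_mapped))
    return ("v4" if addr.version == 4 else "v6", str(addr))


def address_tokens(line):
    """Yield bare address candidates from a log line, stripping the usual
    decorations: [v6]:port, v4:port, %zone and surrounding punctuation."""
    for tok in re.split(r"[\s,;]+", line):
        if tok.startswith("[") and "]" in tok:        # [2001:db8::1]:443
            tok = tok[1:tok.index("]")]
        elif tok.count(":") == 1 and "." in tok:      # 192.0.2.1:443
            tok = tok.split(":", 1)[0]
        tok = tok.split("%", 1)[0]                    # fe80::1%eth0
        tok = tok.lstrip("(\"'").rstrip(".,;)\"'")
        if tok:
            yield tok


def extract_addresses(line):
    """All distinct (family, canonical) addresses found in one log line."""
    found = []
    for tok in address_tokens(line):
        norm = normalize_ip(tok)
        if norm is not None and norm not in found:
            found.append(norm)
    return found


def index_by_host(lines):
    """Map each canonical address to the log lines mentioning it, whatever
    textual form the daemon used; this is what lets one SIEM rule count
    198.51.100.7 and ::ffff:198.51.100.7 as the same client."""
    index = defaultdict(list)
    for line in lines:
        for _family, canonical in extract_addresses(line):
            index[canonical].append(line)
    return dict(index)


if __name__ == "__main__":
    for host, hits in index_by_host(SAMPLE_LOGS).items():
        print(f"{host:28} {len(hits)} line(s)")
```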
switches – layer 2 defenses
● layer 3 switches can use ACLs to block unwanted DHCP, ICMP
  ● probably separate v4 and v6 rules
  ● block client ICMP redirect
  ● block client ICMPv6 RA
● also block too many MACs
  ● v4: ARP poisoning; v6: ICMPv6 ND poisoning
● use whatever subset of features makes sense
  ● ACL, mac lock, port security, DHCP snooping, RA guard, ...
v4 & v6 Cisco switch ACL example (partial)

    ! v4: drop DHCP (as written this matches sport 68 -> dport 67, i.e. client
    ! requests; server replies travel 67 -> 68), ICMP router advertisement (type 9)
    ! and ICMP redirect (type 5)
    ip access-list extended list4
     deny udp any eq 68 any eq 67
     deny icmp any any 9
     deny icmp any any 5
     permit ip any any
    !
    ! Catalyst SDM template with TCAM space for IPv6 ACLs (takes effect after reload)
    sdm prefer dual-ipv4-and-ipv6 default
    !
    ! v6: drop DHCPv6 server replies (547 -> 546), ICMPv6 router advertisement (134)
    ! and ICMPv6 redirect (137)
    ipv6 access-list list6
     deny udp any eq 547 any eq 546
     deny icmp any any 134
     deny icmp any any 137
     permit ipv6 any any
    !
    ! apply both lists inbound on the access port; port security caps the MAC count
    interface Gi1/0/3
     switchport port-security
     switchport port-security aging time 1440
     ip access-group list4 in
     ipv6 traffic-filter list6 in
firewalls
● for v6, mimic v4 application / port filtering
  ● e.g. no egress for 445/tcp
● Cisco ASA
  ● 8.x: make separate ipv6 access-lists
    – use two access-group statements per interface
  ● 9.x: unified access-lists, new address wildcards any4, any6
    – plain any becomes dual-protocol
firewalls – filter on ICMPv6 type codes
● transparent: allow RS/RA, NS/NA (133-136)
● only routers should do redirect (137)
● allow errors (1-4)
  ● 1=unreachable, 2=too big, 3=ttl, 4=param
    – routers don’t fragment v6 - need PMTU discovery
    – v6 minimum is 1280 bytes … servers, be kind.
● echo request/reply: match v4 policy (128-129)
● block the rest to start with
  ● unless you are using multicast, mobility, …
  ● no accidental router renumbering! (138)
firewalls - block tunnels (or protocols)
● automatic tunnels turned out to be bad ideas
  ● unreliable, latency, jitter, no security inspection
  ● only 3 of some dozen proposed got deployed: ISATAP, 6to4 (2002::/16), Teredo (2001:0::/32)
  ● windows: netsh interface XXX set state disabled
● block IPv6 over IPv4 automatic tunnels by:
  ● deny protocol 41 (v4 header, v6 payload)
  ● deny port 3544/udp (teredo server)
● for v4 only, block IPv6 ethertype 0x86dd
● for v6 only, block IPv4 ethertypes 0x0800, 0x0806
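The last three slides (layer 2 ACLs, ICMPv6 type filtering, tunnel blocking) describe what the switch or firewall should drop. When that enforcement is not in place yet, the same rules make a monitoring check. The Python below is an added example, not from the talk: it runs those rules over constructed packet summaries (client-sent RA and redirect, router renumbering, a DHCPv6 server reply from the wrong source, protocol 41 and Teredo) against a segment policy; the addresses, the key=value record format and the policy values are assumptions for the demonstration.

```python
import ipaddress

# Constructed packet summaries (not a real capture), one per line in the
# key=value form a tshark -T fields export or flow collector can produce.
# They include the legitimate router at fe80::1, the host from the forensics
# table, and the things the talk says to block.
SAMPLE_PACKETS = """\
ether=0x86dd ip6src=fe80::1 ip6dst=ff02::1 proto=icmpv6 type=134
ether=0x86dd ip6src=fe80::214:5eff:fea4:7386 ip6dst=ff02::2 proto=icmpv6 type=133
ether=0x86dd ip6src=fe80::214:5eff:fea4:7386 ip6dst=ff02::1 proto=icmpv6 type=134
ether=0x86dd ip6src=fe80::214:5eff:fea4:7386 ip6dst=ff02::1:ff53:b proto=icmpv6 type=135
ether=0x86dd ip6src=FE80::1 ip6dst=2607:f388:1084:2050::53:b proto=icmpv6 type=137
ether=0x86dd ip6src=fe80::214:5eff:fea4:7386 ip6dst=2607:f388:1084:2050::53:b proto=icmpv6 type=137
ether=0x86dd ip6src=fe80::abcd ip6dst=ff02::1 proto=icmpv6 type=138
ether=0x86dd ip6src=fe80::214:5eff:fea4:7386 ip6dst=ff02::1:2 proto=udp sport=546 dport=547
ether=0x86dd ip6src=fe80::abcd ip6dst=fe80::214:5eff:fea4:7386 proto=udp sport=547 dport=546
ether=0x0800 ip4src=192.0.2.10 ip4dst=192.88.99.1 proto=41
ether=0x0800 ip4src=192.0.2.10 ip4dst=203.0.113.5 proto=udp sport=51000 dport=3544
ether=0x0800 ip4src=192.0.2.10 ip4dst=192.0.2.53 proto=udp sport=51001 dport=53
"""

# Assumed segment policy: who may send RA / redirect and DHCPv6 server
# replies, and whether IPv6 belongs on this segment at all (the talk's
# "for v4 only, block ethertype 0x86dd").
POLICY = {
    "routers": {"fe80::1"},
    "dhcpv6_servers": {"fe80::1"},
    "ipv6_expected": True,
}


def parse_record(line):
    """'k=v k=v ...' -> dict; IPv6 sources are normalised so FE80::1 == fe80::1."""
    rec = dict(field.split("=", 1) for field in line.split())
    if "ip6src" in rec:
        rec["ip6src"] = ipaddress.IPv6Address(rec["ip6src"]).compressed
    return rec


def check_packet(rec, policy):
    """Names of the rules this packet trips (possibly none)."""
    hits = []
    proto = rec.get("proto")
    if rec.get("ether") == "0x86dd":
        if not policy["ipv6_expected"]:
            hits.append("ipv6-on-v4-only-segment")
        src = rec.get("ip6src")
        if proto == "icmpv6":
            icmp_type = int(rec.get("type", -1))
            if icmp_type == 134 and src not in policy["routers"]:
                hits.append("rogue-router-advertisement")   # what RA guard drops
            if icmp_type == 137 and src not in policy["routers"]:
                hits.append("redirect-from-non-router")
            if icmp_type == 138:
                hits.append("router-renumbering")
        elif proto == "udp" and rec.get("sport") == "547" and rec.get("dport") == "546":
            if src not in policy["dhcpv6_servers"]:
                hits.append("rogue-dhcpv6-server")            # server -> client reply
    elif rec.get("ether") == "0x0800":
        if proto == "41":
            hits.append("ipv6-in-ipv4-tunnel")                # 6to4 / ISATAP / 6in4
        if proto == "udp" and rec.get("dport") == "3544":
            hits.append("teredo-tunnel")
    return hits


def scan(text, policy):
    """Run every rule over every record; returns [(rule, record), ...]."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            for rule in check_packet(rec, policy):
                findings.append((rule, rec))
    return findings


if __name__ == "__main__":
    for rule, rec in scan(SAMPLE_PACKETS, POLICY):
        print(f"{rule:30} from {rec.get('ip6src') or rec.get('ip4src')}")
```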
routing – 3 methods
● static routes: both v4 and v6
● dynamic routes:
  ● usual protocols (BGP, IS-IS, RIP, OSPF, EIGRP) are all extended to handle IPv6
  ● v4 and v6 will use separate peering sessions
● DHCPv6 prefix delegation
  ● popular for ISP provider-aggregated space
    – up to /48 available for business use
  ● especially likely for home broadband
    – probably /64 for now, /60 likely in future
DNS
● forward IPv6: AAAA records & v6 address
  ● IN AAAA 2607:f388:1084:2050::53:b
● reverse IPv6: PTR under ip6.arpa
  ● b.0.0.0.3.5.0.0.0.0.0.0.0.0.0.0.0.5.0.2.4.8.0.1.8.8.3.f.7.0.6.2.ip6.arpa.
● zone delegation: similar to IPv4
  ● don’t forget to ask for IPv6 prefix delegation
  ● add the v6 addresses to your nameservers
● dynamic DNS is your friend
  ● for BIND zone files, so is $ORIGIN
● use tools (ipv6calc, arpaname, web, ...)
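The ip6.arpa name above is the 128-bit address from the earlier slide on address notation, expanded to all 32 nibbles and written backwards, which is why the two abbreviations (dropped leading zeros, one :: for a run of zero parcels) have to be undone first. As an added example serving both slides (not code from the talk or the tools it names), the Python below implements the expansion and compression rules, the PTR owner name, and the zone origin for a delegated prefix as used with $ORIGIN; the ::ffff: dotted-quad handling is included because dual-stack logs produce that form.

```python
HEX = set("0123456789abcdefABCDEF")
SAMPLE_ADDR = "2607:f388:1084:2050:0000:0000:0053:000b"   # the slide's example address


def expand(addr):
    """Full form: 8 colon-separated parcels of exactly 4 hex digits. Undoes
    both abbreviations (dropped leading zeros, one '::' for a run of zero
    parcels) and converts a trailing dotted quad (::ffff:p.q.r.s)."""
    if addr.count("::") > 1:
        raise ValueError(f"more than one '::' in {addr!r}")
    if "." in addr:
        head, _, quad = addr.rpartition(":")
        octets = [int(o) for o in quad.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError(f"bad embedded IPv4 in {addr!r}")
        hi, lo = octets[0] << 8 | octets[1], octets[2] << 8 | octets[3]
        addr = f"{head}:{hi:x}:{lo:x}"
    if "::" in addr:
        left, right = addr.split("::")
        lparts = left.split(":") if left else []
        rparts = right.split(":") if right else []
        missing = 8 - len(lparts) - len(rparts)
        if missing < 1:
            raise ValueError(f"'::' stands for no parcel in {addr!r}")
        parts = lparts + ["0"] * missing + rparts
    else:
        parts = addr.split(":")
    if len(parts) != 8 or not all(1 <= len(p) <= 4 and set(p) <= HEX for p in parts):
        raise ValueError(f"not an IPv6 address: {addr!r}")
    return ":".join(f"{int(p, 16):04x}" for p in parts)


def compress(addr):
    """Canonical short form per [rfc-5952]: leading zeros dropped, the longest
    run of two or more zero parcels replaced by '::' (the first run on a tie)."""
    parts = [f"{int(p, 16):x}" for p in expand(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if parts[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and parts[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(parts)
    return ":".join(parts[:best_start]) + "::" + ":".join(parts[best_start + best_len:])


def reverse_pointer(addr):
    """PTR owner name under ip6.arpa: all 32 nibbles, reversed, dot-separated."""
    nibbles = expand(addr).replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix, plen):
    """Zone origin for a delegated prefix (what goes in a BIND $ORIGIN); the
    prefix length must fall on a nibble boundary."""
    if plen % 4 or not 0 < plen <= 128:
        raise ValueError("prefix length must be a multiple of 4 between 4 and 128")
    nibbles = expand(prefix).replace(":", "")[: plen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    print(expand(SAMPLE_ADDR), compress(SAMPLE_ADDR))
    print(reverse_pointer(SAMPLE_ADDR))
    print(reverse_zone("2607:f388:1084:2050::", 64))
```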
IPv6 Application pain: compare Y2K
● big challenge: web applications and logging
  ● Recent OS, e-mail, web, and DB services support IPv6
  ● … but stored IP addresses change format and get much bigger
● IPv6 rework is easier than similar Y2K rework
  ● IP addresses are less pervasive and less manipulated
  ● no hard deadline
  ● your entire backend doesn't have to be v6 yet
    ● just front end, stored addresses, log analysis (security, web stats)
● application code switches to new dual-stack library APIs
  ● getaddrinfo() returns a prioritized list of v6 and v4 addresses to try for a DNS hostname
  ● an IPv6 socket with the IPV6_V6ONLY option = 0 can also handle mapped v4 ::ffff:p.q.r.s
deployment priorities

| where | priority | why | issues |
| --- | --- | --- | --- |
| lan | low? | ? | easy (7 weeks?); not much breaks; needed if a v6-only service is popular |
| dmz - dns | high | needed early | |
| dmz - https | medium | mobile clients | 3rd party libraries, analytics, cookies |
| dmz - smtp | low | ? | spam - IPv6 reputation lists lag v4 |
| datacenter | low | out of v4? | going v6-only could take 7 years (HVAC monitoring, 3rd party vendors) |
Questions ?
Slide & Handout URL: http://go.wisc.edu/svv199
● start small
  ● “don’t try to boil an ocean in a day”
● test before deploying to production
  ● all large deployments found vendor glitches
Extra Slides
wireshark packet trace: native IPv6
● Duplicate address detection – NS to self
● MLD leave to ff02::16 – turn off multicast traffic
● ICMPv6 solicit & advertise, for routers & neighbors
● uses both link-local & global address scopes
● uses both unicast & multicast destinations
● DNS and HTTP behave similarly over v6 & v4
● Web browsers typically use a mix of v4 and v6
IPv6 security: longstanding paranoia
IPv6 is not inherently secure, but ...
● IPSEC fantasies notwithstanding
  ● end point security, protocol stack quality, and feature parity all problematic
● Industry record of inadequate security design extends far beyond IPv6
  ● Wifi WEP, DVD CSS, Mifare stored value cards, cell phone GSM, ...
  ● similar security disasters in progress today deploying over IPv6:
    ● Power industry smartgrid, FAA next generation air traffic control
● Reality: IPv4 security and IPv6 security are very similar
  ● same internet architecture → same threat model → same security measures
  ● only 3 variations: extension header + fragmentation resource exhaustion DOS, RA spoofing, many addresses
A few well known IPv6 prefixes

| prefix | usage |
| --- | --- |
| :: | Unspecified link source, never a destination |
| ::ffff:p.q.r.s | Mapped IPv4; used in dual-stacked APIs |
| 2000::/3 | IANA global unicast (v4: non [rfc-6890]) |
| 2001:0000::/32 | Deprecated Teredo tunnel prefix |
| 2001:db8::/32 | Documentation examples (v4: 192.0.2.0/24, ...) |
| 2002::/16 | Deprecated 6to4 tunnel prefix |
| fd00::/7 | Unique Local Addresses (v4: [rfc-1918] private) |
| fe80::/10 | Link scope addresses [rfc-4862]; replaces IPv4 zeroconf; autoconfigured & required |
| ff02::/8 | multicast – required (v4: 224.0.0.0/4) |
IPv6 Multicast: ff + flags + scope + group
Scopes (y): 1=node 2=link ... 5=site … e=global

| address | scope | group |
| --- | --- | --- |
| ff02::1 | link | all hosts (v4: 224.0.0.1) |
| ff02::2 | link | all routers (v4: 224.0.0.2) |
| ff02::16 | link | all MLDv2 routers |
| ff02::1:2 | link | DHCP relay agents (v4: 224.0.0.12) |
| ff05::1:3 | site | DHCP servers (from relay agents) |
| ff0y::101 | any | NTP (v4: 224.0.1.1) |
| ff0y::130 | any | UPnP |
| ff0y::fb | any | mDNSv6 (v4: 224.0.0.251) |
| ff0y::c | any | SSDP (v4: 239.255.255.250) |
address preference pain
● multiple interfaces & addresses – pick which?
● complicated; ~18 rules just in [rfc-6724], plus [rfc-5220], policy table, ...
  – local or global scope, lifetime temporary or permanent, valid or invalid, preferred or deprecated, mobility home or care-of, ...
● Simple case: one v4 address, one active global v6 address
  1) match destination protocol family, either v4 or v6
  2) prefer native source to tunneled
     ● update: [rfc-1918] private now preferred to 6to4 & Teredo
  3) prefer v6 source to v4
● default getaddrinfo() policy can be changed by vendor or admin
  ● linux: edit /etc/gai.conf
  ● windows: netsh interface ipv6 set prefixpolicies
  ● per-connection override: specify protocol and “zone” (interface)
IPv6 and “happy eyeballs” (rfc-6555)
● waiting for DNS or connection timeouts on mono-stack sites annoys users
● start v6 (AAAA) and v4 (A) DNS queries in parallel
● start TCP connections to destinations as DNS answers arrive
  ● v6 usually gets a 300 ms head start
● use the first connection to complete
  ● reset the other one if necessary
● implemented:
  ● Google Chrome, Firefox, Mac Os-X, ...
  ● Windows 10 checks for native IPv6 & adjusts v4/v6 policy table preference
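The race the slide describes is easy to get subtly wrong (a late IPv6 connection must be torn down, not leaked, and a blackholed v6 path must not stall the user). As an added example, not code from the talk or any of the implementations it lists, the Python below models the algorithm with the 300 ms head start: connections are simulated with sleeps so it runs offline, and the real-socket version would only replace the simulated connect functions.

```python
import threading
import time


def happy_eyeballs(attempts, head_start=0.3, timeout=3.0):
    """Race connection attempts in preference order.

    attempts: list of (label, connect); connect() blocks until the
    connection is up and returns an object with close(), or raises OSError.
    The first attempt (normally IPv6) runs alone for `head_start` seconds;
    later ones start only if nothing has completed yet. The first to
    complete wins and any that complete afterwards are closed (reset).
    """
    lock = threading.Lock()
    finished = threading.Event()          # a winner exists, or everything failed
    state = {"winner": None, "pending": len(attempts)}

    def run(label, connect):
        try:
            conn = connect()
        except OSError:
            conn = None
        with lock:
            state["pending"] -= 1
            if conn is not None and state["winner"] is None:
                state["winner"] = (label, conn)
                finished.set()
                return
            if state["pending"] == 0:
                finished.set()
        if conn is not None:
            conn.close()                  # lost the race: tear it down

    for i, (label, connect) in enumerate(attempts):
        if i > 0 and finished.wait(head_start):
            break                         # an earlier attempt already won
        threading.Thread(target=run, args=(label, connect), daemon=True).start()

    if not finished.wait(timeout) or state["winner"] is None:
        raise OSError("no connection attempt succeeded")
    return state["winner"]


class FakeConnection:
    """Stand-in for a socket that remembers whether it was closed."""

    def __init__(self, label):
        self.label, self.closed = label, False

    def close(self):
        self.closed = True


def simulated_connect(label, delay, fail=False, made=None):
    """Build a connect() that takes `delay` seconds and then either raises
    OSError or returns a FakeConnection (also appended to `made`)."""
    def connect():
        time.sleep(delay)
        if fail:
            raise OSError(f"{label}: connect timed out")
        conn = FakeConnection(label)
        if made is not None:
            made.append(conn)
        return conn
    return connect


def race(v6_delay, v4_delay, v6_fails=False, v4_fails=False, made=None):
    """One v6-versus-v4 race with the talk's 300 ms head start for v6;
    returns the label of the connection that won."""
    label, _conn = happy_eyeballs([
        ("v6", simulated_connect("v6", v6_delay, v6_fails, made)),
        ("v4", simulated_connect("v4", v4_delay, v4_fails, made)),
    ], head_start=0.3)
    return label


def closed_labels(made, wait=1.0):
    """Give late losers time to finish, then report which were reset."""
    time.sleep(wait)
    return [c.label for c in made if c.closed]


if __name__ == "__main__":
    print("healthy v6:", race(0.05, 0.05))
    made = []
    print("blackholed v6:", race(0.8, 0.05, made=made), "reset:", closed_labels(made))
```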
RFC pain: IPv6 is a moving target
● deprecated addresses & names
  ● 5f00::/8, 3ffe::/16 (6bone) … use 2000::/3 globals
  ● ::/96 (v4 embedded) … use ::ffff:p.q.r.s
  ● fec0::/10 (site local) … use fd::/7 unique local
  ● ip6.int (DNS PTR) … use ip6.arpa
● deprecated protocols
  ● A6, DNAME (DNS) … use AAAA, PTR
  ● automatic tunnels … use 6in4, 6rd, 6pe
    – 6over4, 6to4, Teredo, ISATAP
  ● NAT-PT (a nat46 try) … use dual-stack
e-mail spam risk: lots of addresses
● can send each message from a different IPv6 host address
● with /48 from shady registrar / hosting provider has 65k networks
● … but fewer than 200k real SMTP hosts worldwide, all with v4
Countermeasures:
● wait a few more years before turning on v6 for SMTP
● switch to a reputation whitelist instead of a blacklist
● use v6 reputation lists based on v6 prefixes, not hosts
● using prefixes increases collateral damage
NAT translation considered harmful
● NAT46 breaks lots of stuff [rfc-4966]
  ● multichannel protocols with embedded ports or addresses
    – multimedia, VoIP, FTP, ...
  ● signed packets: IPSEC, DNSSEC, ...
  ● multicast, geolocation, inbound connections (gaming), …
● Fixup requires protocol-specific application gateways
  ● fixup fails if there are multiple NAT layers, e.g. NAT444
    – (donley): streaming stutters; breaks v6 tunnels, P2P, FTP
  ● can't cover many protocols, nor scale to many clients
NAT translation: addresses, maybe protocols
● NAT46: IPv4 → IPv6 is intractable
  ● e.g. NAT-PT can't reliably fake DNS A for AAAA
● NAT64: IPv6 → IPv4 is possible (but inferior)
  ● at least for simple TCP connections
● NAT44: IPv4 → IPv4 is possible at CPE or ISP
  ● remember NAT444 at both CPE and ISP is bad
● NAT66: IPv6 → IPv6 doesn't exist
  ● and IAB really wants to prevent it: [rfc-5902]
meep ... there's no NAT66
● NAT44 is not what provides IP security
  ● site-scope addresses → application proxies → stateful firewalls
  ● PCI-DSS is OK with firewalling global scope v6
● private / site-scope IP addresses don't block reconnaissance
  ● speed bump, yes
    – browser javascript enumeration exploits, DNS queries, ARP or ND poisoning, multicast probes, ...
● NAT is evil because it prevents protocol innovation
  ● evading future congestion collapses needs innovation
IPv6 and the SLAAC attack … an IPv4 MITM
Suppose a v4-only network with good v4 defenses but no v6 monitoring has dual-capable hosts ...
● attack station multicasts RAs with a global unicast prefix, naming itself as router, DHCPv6, and DNS server
● dual-stack hosts autoconfigure v6 & prefer it
  ● so potential v4 traffic tries the attacker on v6 first
● attacker proxies evil outside v4 to inside v6 via NAT-PT
  ● especially DNS
(accidental?) WiFi hijacking
● suppose a windows 7 laptop with internet connection sharing and tunneled v6 shows up on a v4 wifi network
● how many nearby dual-stack devices will believe its RAs and switch to v6 routed through a really bad tunnel?
● miscreants already show up in public spaces with rogue v4 access points