brksec-2003
TRANSCRIPT
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
1
© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicBRSEC-200314343_04_2008_c2 2
IPv6 Security Threats and Mitigations
BRKSEC-2003
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
2
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 3BRKSEC-200314343_04_2008_c2
Session Objectives
IPv6 vs. to IPv4 from a threat and mitigation perspective
Advanced IPv6 security topics like transition options and dual stack environments
Requirements: Basic knowledge of the IPv6 and IPsec protocols as well as IPv4 security best practices
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 4BRKSEC-200314343_04_2008_c2
For Reference Slides
There are more slides in the hand-outs than presented during the class
Those slides are mainly for reference and are indicated by the book icon on the top right corner (as on this slide)
For YourReference
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
3
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 5BRKSEC-200314343_04_2008_c2
Agenda
Shared Issues by IPv4 and IPv6
Specific Issues for IPv6IPsec everywhere, dual-stack, tunnels and 6VPE
IPv6 Security Best Common Practice
Enforcing a Security Policy in IPv6ACL, Firewalls and Host IPS
Enterprise Secure DeploymentSecure IPv6 transport over public network
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 6BRKSEC-200314343_04_2008_c2
Shared Issues
Security Issues Shared by IPv4 and IPv6
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
4
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 7BRKSEC-200314343_04_2008_c2
Reconnaissance in IPv4
1. DNS/IANA crawling (whois) to determine ranges
2. Ping sweeps and port scans
3. Application vulnerability scans
[tick:/var] scott# nmap -sP 10.1.1.0/24Starting nmap V. 3.00 ( www.insecure.org/nmap/ )Host (10.1.1.0) seems to be a subnet broadcast …Host (10.1.1.1) appears to be up.Host (10.1.1.12) appears to be up.Host (10.1.1.22) appears to be up.Host (10.1.1.23) appears to be up.Host (10.1.1.101) appears to be up.Host (10.1.1.255) seems to be a subnet broadcast …Nmap run completed -- 256 IP addresses (7 hosts up) scanned in 4 seconds
Relatively Easy to Perform
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 8BRKSEC-200314343_04_2008_c2
Reconnaissance in IPv6
Default subnets in IPv6 have 264 addresses 10 Mpps = More than 50 000 years
NMAP doesn’t even support ping sweeps on IPv6 networks
Subnet Size Difference
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
5
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 9BRKSEC-200314343_04_2008_c2
Reconnaissance in IPv6
Public servers will still need to be DNS reachable More information collected by Google...
Cfr SensePost BiDiBLAH
Increased deployment/reliance on dynamic DNSMore information will be in DNS
Administrators may adopt easy-to-remember addresses (::10,::20,::F00D, ::C5C0 or simply IPv4 last octet for dual stack)
By compromising hosts in a network, an attacker can learn new addresses to scan
Scanning Methods Are Likely to Change
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 10BRKSEC-200314343_04_2008_c2
Reconnaissance in IPv6?
For example, all routers (FF05::2) and all DHCP servers (FF05::1:3)
No need for reconnaissance anymore
Some deprecated (RFC 3879) site-local addresses are still used
FEC0:0:0:FFFF::1 DNS server
2001:0410::50
2001:0410::60
2001:0410::70
Attacker FF05::1:3
Source Destination Payload
DHCP Attack
Easy with Multicast!
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
6
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 11BRKSEC-200314343_04_2008_c2
Preventing Reconnaissance with IPv6 Multicast
The site-local/anycast addresses must be filtered at the border in order to make them unreachable from the outside
ACL block ingress/egress traffic toBlock FEC0::/10 (site-local addresses)
Permit mcast to FF02::/16 (link-local scope)
Permit mcast to FF0E::/16 (global scope)
Block all mcast
Organization A
Organization B
ipv6 access-list NO_RECONNAISSANCEdeny any fec0::/10permit any ff02::/16permit any ff0e::/16deny any ff00::/8permit any any
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 12BRKSEC-200314343_04_2008_c2
Viruses and Worms in IPv6
Viruses and email worms: IPv6 brings no change
Other worms:IPv4: reliance on network scanning
IPv6: not so easy (see reconnaissance) will use alternative techniques
Worm developers will adapt to IPv6
IPv4 best practices around worm detection and mitigation remain valid
Potential router CPU attacks if aggressive scanning Router will do Neighbor Discovery...
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
7
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 13BRKSEC-200314343_04_2008_c2
IPv6 Privacy Extensions (RFC 3041)
Inhibit device/user tracking Random 64 bit interface ID, then run Duplicate Address Detectionbefore using itRate of change based on local policy
2001
/32 /48 /64/23
Interface ID
Recommendation: Use Privacy Extensions for External Communication but Not for Internal Networks (Troubleshooting and Attack Trace Back)
Temporary addresses for IPv6 host client application, e.g. web browser
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 14BRKSEC-200314343_04_2008_c2
How to Prevent Privacy Extension
Microsoft WindowsDeploy a Group Policy Object (GPO)
or
AlternativelyUse DHCP (see later) to a specific pool
Ingress filtering allowing only this pool
netsh interface ipv6 set global randomizeidentifiers=disablednetsh interface ipv6 set global randomizeidentifiers=disabled store=persistentnetsh interface ipv6 set privacy state=disabled store=persistent
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
8
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 15BRKSEC-200314343_04_2008_c2
IPv6 Intranet
Access Control in IPv6 Privacy Extension
Good to protect the privacy of a host/user
Hard to define authorization policy when the Layer 3 information is always changing :-)
Firewall
Management System IPv6 Address—2001:DB8:F15:C15::1*
Management System New IPv6 Address—2001:DB8:F15:C15::2*
Internal Server2001:DB8:F15:c16::1/64
*Not real RFC3041 derived addresses
X
Deny
Permit
Action
AnyAny
80Any2001:DB8:F15:c16::1
2001:DB8:F15:C15::1
Dst PortSrc PortDestSrc
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 16BRKSEC-200314343_04_2008_c2
L3-L4 Spoofing in IPv4
L4 spoofing can be done in concert with L3 spoofing to attack systems (most commonly running UDP, i.e. SNMP, Syslog, etc.)
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
9
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 17BRKSEC-200314343_04_2008_c2
IPv6 Intranet
IPv6 Bogon Filtering
In IPv4, easier to block bogons than to permit non-bogons
In IPv6, in the beginning when a small amount of top-level aggregation identifiers (TLAs) has been allocated
Easier to permit non-bogons
Now, more complex: http://www.cymru.com/Bogons/ipv6.txt
Now IPv6 is in a similar situation as IPv4 Same technique = uRPF
Inter-Networking Device with uRPF Enabled
IPv6 Unallocated Source Address
X IPv6 Intranet/Internet
No Route to SrcAddr Drop
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 18BRKSEC-200314343_04_2008_c2
L3 Spoofing in IPv6
Access Layer
Inter-Networking Device with uRPF Enabled
Spoofed IPv6Source Address
X IPv6 Intranet/Internet
No Route to Src Addr PrefixDrop
Access Layer
Inter-Networking Device with uRPF Enabled
Spoofed IPv6Source Address
X IPv6 Intranet/Internet
No Route to Src Addr Prefix out the Packet Inbound Interface Drop
uRPF Loose Mode
uRPF Strict Mode
uRPF Remains the Primary Tool for Protecting Against L3 Spoofing
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
10
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 19BRKSEC-200314343_04_2008_c2
ICMPv4 vs. ICMPv6
Significant changes
More relied upon
ICMP policy on firewalls needs to change
XMobile IPv6 Support
XMulticast Group Management
XAddress Resolution
XAddress AssignmentXXFragmentation Needed Notification
Informational/Error Messaging
Connectivity Checks
ICMP Message Type
XX
XX
ICMPv6ICMPv4
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 20BRKSEC-200314343_04_2008_c2
Generic ICMPv4
Internet
Internal Server A
Permit
Permit
Permit
Permit
Permit
Action
Time Exceeded—TTL Exceeded011AAny
Dst. Unreachable—Frag. Needed43AAny
Dst. Unreachable—Net Unreachable03AAny
Echo Request08AAny
Echo Reply00 AAny
NameICMPv4 Code
ICMPv4 TypeDstSrc
For YourReference
Border Firewall Policy
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
11
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 21BRKSEC-200314343_04_2008_c2
Equivalent ICMPv6
*RFC 4890
For YourReference
Border Firewall Policy*
Internet
Internal Server A
Permit
Permit
Permit
Permit
Permit
Action
Time Exceeded—TTL Exceeded03AAny
Packet Too Big02AAny
No Route to Dst.01AAny
Echo Request0129AAny
Echo Reply0128 AAny
NameICMPv6 Code
ICMPv6 TypeDstSrc
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 22BRKSEC-200314343_04_2008_c2
Internet
Internal Server A
Potential Additional ICMPv6 Firewall B
*RFC 4890
Permit
Permit
Permit
Permit
Permit
Action
Parameter Problem04BAny
Neighbor Solicitation and Advertisement0133/134BAny
Multicast Listener0130–132BAny
Packet too Big02BAny
Parameter Problem04AAny
NameICMPv6 Code
ICMPv6 TypeDstSrc
For YourReference
Border Firewall Policy*
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
12
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 23BRKSEC-200314343_04_2008_c2
Fragmentation Used in IPv4 by Attackers
Great evasion techniques
Tools like whisker, fragrout, etc.
Makes firewall and network intrusion detection harder
Used mostly in DoSing hosts, but can be used for attacks that compromise the host
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 24BRKSEC-200314343_04_2008_c2
Fragment Header
Fragment Header: IPv6
In IPv6 fragmentation is done only by the end system
Reassembly done by end system like in IPv4
Attackers can still fragment in intermediate system on purpose
a great obfuscation tool
Fragment Data
IPv6 Basic HeaderNext Header = 44 Fragment
Header
Fragment Header
IdentificationReserved Fragment OffsetNext Header
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
13
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 25BRKSEC-200314343_04_2008_c2
IPv6 Fragmentation: Still Need Reassembly in the Firewall and NIPS
Should we consider 2.1a part of the data stream “USER root”?
Or is 2.1b part of the data stream? “USER foot”If the OS makes a different decision than the monitor: bad
Even worse: different OSs have different protocol interpretations
TCP USIP11
ERIP12
IP21a TCP ro
IP22 ot
1.1
1.2
2.1b
2.2
IP21b TCP fo
2.1a
Time
Imagine an Attacker Sends:
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 26BRKSEC-200314343_04_2008_c2
IPv6 Fragmentation
Procedure1. Parse the next headers until the fragment header
Extract the flags and offset
2. Parse further NHs until the upper layer protocol
3. Check if enough of the upper Layer protocol header is within the first fragment
This makes matching against the first fragment non-deterministic: TCP/UDP/ICMP might not be thereBut in a later fragment
Need for stateful inspection
Issues for Non-Stateful Filtering Devices
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
14
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 27BRKSEC-200314343_04_2008_c2
IPv6 Fragmentation
fragment keyword matches Non-initial fragments (same as IPv4)
And the first fragment if the L4 protocol cannot be determined
Best common practiceDeny IPv6 fragments destined to an internetworking device (DoS vector)
Infrastructure ACL
Fragment Keyword in IPv6 ACL
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 28BRKSEC-200314343_04_2008_c2
IPv6 Routing Header
An extension header
Processed by the listed intermediate routers
Two typesType 0: Similar to IPv4 source routing (multiple intermediate routers)
Type 2: Used for mobile IPv6
Routing Header
Routing Header Data
IPv6 Basic HeaderNext Header = 43 Routing Header
Routing HeaderExt Hdr LengthNext Header RH Type Segments Left
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
15
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 29BRKSEC-200314343_04_2008_c2
Type 0 Routing Header
Rule on the Firewall
Allow proto tcp from any to webserver port 80
Deny proto tcp from any to any
Firewall
Host1
Host2
Web
src=host1,dst=web,
payload proto=tcp, dport=80rtheader=host2, segments left=1 src=host1,
dst=host2rtheader=web,segments left=0
payload proto=tcp, dport=80IPv6
Network
Issue #1: Traffic Rebound
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 30BRKSEC-200314343_04_2008_c2
Type 0 Routing Header
What if attacker sends a packet with RH containingA B A B A B A B A ...
Packet will loop multiple time on the link R1-R2
An amplification attack!
A B
Issue #2: Amplification Attack
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
16
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 31BRKSEC-200314343_04_2008_c2
IPv6 Type 2 Routing Header
Required by mobile IPv6 (see later)
Rebound/amplification attacks impossibleOnly one intermediate router: the mobile node home address
Routing Header
Mobile Node Home Address
IPv6 Basic HeaderNext Header = 43 Routing Header
Routing HeaderExt Hdr LengthNext Header RH Type = 2 Segments Left = 1
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 32BRKSEC-200314343_04_2008_c2
Preventing Routing Header Attacks
Apply same policy for IPv6 as for Ipv4: Block Routing Header type 0
Prevent processing at the intermediate nodesno ipv6 source-route
Windows, Linux, MacOS: default setting
At the edgeWith an ACL blocking routing header
RFC 5095 (December 2007) RH0 is deprecatedDefault Cisco IOS® will change in 12.5T
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
17
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 33BRKSEC-200314343_04_2008_c2
Quick Refresh
With ARP misuse host W can claim to be the default gateway and hosts X and Y will route traffic through him; man in the middle attack
1.2.3.0/24
Host W.4
.1
Host Y.2
Host X.3
• With DHCP it is similar except the attacker just needs to put a DHCP server on the wire delivering false information (gateways, DNS servers, etc.)
ARP and DHCP Attacks in IPv4
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 34BRKSEC-200314343_04_2008_c2
Neighbor Discovery Issue #1
Router Solicitations are sent by booting nodes to request router advertisements for configuring
2. RA:Src = Router Link-local AddressDst = All-nodes multicast addressICMP Type = 134Data= options, prefix, lifetime, autoconfig flag
2. RA2. RA1. RS
ICMP without Any Authentication Gives Exactly Same Level of Security as ARP for IPv4 (None)
Attack Tool:fake_router6
Can Make Any IPv6 Address the Default Router
Stateless Autoconfiguration
1. RS:Src = ::
Dst = All-Routers multicast Address
ICMP Type = 133
Data = Query: please send RA
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
18
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 35BRKSEC-200314343_04_2008_c2
Neighbor Discovery Issue #2
Src = ADst = Solicited-node multicast of BICMP type = 135Data = link-layer address of A
Query: what is your link address?
A B
Src = BDst = AICMP type = 136Data = link-layer address of B
A and B Can Now Exchange
Packets on This Link
Security Mechanisms Built into Discovery Protocol = None
Very Similar to ARP
Attack Tool:Parasite6Answer to All NS, Claiming to Be All Systems in the LAN...
Neighbor Solicitation
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 36BRKSEC-200314343_04_2008_c2
Neighbor Discovery Issue #3
Duplicate Address Detection (DAD) uses neighbor solicitation to verify the existence of an address to be configured
Src = ::Dst = Solicited-node multicast of AICMP type = 135 Data = link-layer address of A
Query = what is your link address?
A BFrom RFC 2462:
« If a Duplicate @ Is Discovered…the Address Cannot Be Assigned to the Interface »
What If: Use MAC@ of the Node You Want to DoS and Claim Its IPv6 @
Attack Tool:dos-new-ipv6
Duplicate Address Detection
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
19
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 37BRKSEC-200314343_04_2008_c2
ICMP Issue #4
Redirect is used by a router to signal the reroute of a packet to a better router
Original packet has to be included...
Redirect:Src IP: R2 (Default Router)Dst IP: AData: Good Router = R1
2001:DB8:C18:2::/64
R1
R2A B
Src: ADst IP: 2001:DB8:C18:2::1Dst Ethernet: R2 (Default Router)
Original Packet Has to Be Included to Prevent Spoofed Redirect…ButWhat if Attacker First Sent ICMP Echo Request? The Reply Packet Is Predictable…
In IPv4: « no ip icmp redirect »In IPv6: « no ipv6 redirect »
Spoofed Redirect
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 38BRKSEC-200314343_04_2008_c2
Neighbor Discovery Attacks inIPv6 RFC 3756
Redirect attacks A malicious node redirects packets away from a legitimate receiver to another node on the link
Denial-of-service attacks A malicious node prevents communication between the node under attack and other nodes
Flooding denial-of-service attacksA malicious node redirects other hosts’ traffic to a victim node creating a flood of bogus traffic at the victim host
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
20
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 39BRKSEC-200314343_04_2008_c2
Secure Neighbor Discovery (SEND)RFC 3971
Certification pathsAnchored on trusted parties, expected to certify the authority of the routers on some prefixes
Cryptographically Generated Addresses (CGA)IPv6 addresses whose the interface identifier is cryptographically generated
RSA signature optionProtect all all messages relating to neighbor and router discovery
Timestamp and nonce optionsPrevent replay attacks
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 40BRKSEC-200314343_04_2008_c2
Cryptographically Generated Addresses CGA RFC 3972 (Simplified)
Each devices has a RSA key pair (no need for cert)Ultra light check for validityPrevent spoofing a valid CGA address
SHA-1
RSA KeysPriv Pub
SubnetPrefix
InterfaceIdentifier
Crypto. Generated Address
Signature
SEND Messages
Modifier(nonce)Public
KeySubnetPrefix
CGA Params
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
21
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 41BRKSEC-200314343_04_2008_c2
Secure Neighbor Discovery: Caveats
Private/public key pair on all devices for CGAOverhead introduced
Routers have to do many public/private key calculation (some may be done in advance of use)
Potential DoS targetRouters need to keep more state
Available: LinuxMicrosoft: no support on Vista, probably Windows 2008Future implementation: Cisco IOS
BRKSEC-4003: Advanced IPv6 Security: Secure Neighbor Discovery
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 42BRKSEC-200314343_04_2008_c2
DHCPv6 Threats
Note: use of DHCP is announced in Router Advertisements
Rogue devices on the network giving misleading information or consuming resources (DoS)
Rogue DHCPv6 client and servers on the network (same threat as IPv4)
Rogue DHCPv6 servers on the site local multicast address (FF05::1:3) (new threat in IPv6)
Tampering of communication between DHCPv6 relays and servers
Scanning possible if leased addresses are consecutive
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
22
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 43BRKSEC-200314343_04_2008_c2
DHCPv6 Threat Mitigation
Rogue clients and servers can be mitigated by using the authentication option in DHCPv6
There are not many DHCPv6 client or server implementations using this today
Cisco Network Registrar®
DHCPv6 Server
Leased addresses are random scanning difficult
Can also lease temporary addresses (like privacy extension)
For really paranoid: Protect the relay to server communications with IPsec (similar to IPv4)
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 44BRKSEC-200314343_04_2008_c2
Quick Reminder
ICMP REQ D=160.154.5.255 S= 172.18.1.2
160.154.5.0
Attempt toOverwhelm WAN
Link to Destination
ICMP REPLY D=172.18.1.2 S=160.154.5.19
ICMP REPLY D=172.18.1.2 S=160.154.5.18
ICMP REPLY D=172.18.1.2 S=160.154.5.17
ICMP REPLY D=172.18.1.2 S=160.154.5.16
ICMP REPLY D=172.18.1.2 S=160.154.5.15
ICMP REPLY D=172.18.1.2 S=160.154.5.14
172.18.1.2
BelgianSchtroumpf
IPv4 Broadcast Amplification: Smurf
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
23
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 45BRKSEC-200314343_04_2008_c2
IPv6 and Broadcasts
There are no broadcast addresses in IPv6
Broadcast address functionality is replaced with the appropriate link local multicast address
Link Local All Nodes Multicast—FF02::1
Link Local All Routers Multicast—FF02::2
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 46BRKSEC-200314343_04_2008_c2
IPv6 and Other Amplification Vectors
Specific mention is made in ICMPv6 RFC that no ICMP error message should be generated in response to a packet with a multicast destination address
The exceptions are the packet too big message and the parameter problem ICMP messages
RFC 2463 Section 2.4 (e.2)
Implement Ingress Filtering of Packets withIPv6 Multicast Source AddressesRate Limit ICMP Packets
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
24
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 47BRKSEC-200314343_04_2008_c2
Preventing IPv6 Routing Attacks
BGP, ISIS, EIGRP no change: An MD5 authentication of the routing update
OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport mode IPsec
RIPng also relies on IPsec
IPv6 routing attack best practicesUse traditional authentication mechanisms on BGP and IS-IS
Use IPsec to secure protocols such as OSPFv3 and RIPng
Protocol Authentication
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 48BRKSEC-200314343_04_2008_c2
OSPF or EIGRP Authenticationinterface Ethernet0/0ipv6 ospf 1 area 0ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF
interface Ethernet0/0ipv6 authentication mode eigrp 100 md5ipv6 authentication key-chain eigrp 100 MYCHAIN
key chain MYCHAINkey 1
key-string 1234567890ABCDEF1234567890ABCDEF accept-lifetime local 12:00:00 Dec 31 2006 12:00:00 Jan 1 2008
send-lifetime local 00:00:00 Jan 1 2007 23:59:59 Dec 31 2007
For YourReference
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
25
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 49BRKSEC-200314343_04_2008_c2
IPv6 Attacks with Strong IPv4 Similarities
SniffingWithout IPsec, IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
Application layer attacksEven with IPsec, the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent
Rogue devicesRogue devices will be as easy to insert into an IPv6 network as in IPv4
Man-in-the-Middle Attacks (MITM)Without IPsec, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
FloodingFlooding attacks are identical between IPv4 and IPv6
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 50BRKSEC-200314343_04_2008_c2
IPv6 Stack Vulnerabilities
IPv6 stacks are new and could be buggy
IPv6 enabled application can have bugs
Some examplesApple Mac OS X IPv6 Packet Processing Double-Free Memory Corruption (November 2007)
Cisco Security Advisory: IPv6 Routing Header (May 2007)
OpenBSD remote code execution in IPv6 stack (March 07)
Python getaddreinfo() remote IPv6 buffer overflow
Apache remote IPv6 buffer overflow
...
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
26
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 51BRKSEC-200314343_04_2008_c2
By the Way: It Is Real
Sniffers/packet captureSnortTCPdumpSun Solaris snoopCOLDEtherealAnalyzerWindumpWinPcapNetPeekSniffer Pro
WormsSlapper
Advisories/field noticeshttp://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtmlhttp://www.kb.cert.org/vuls/id/658859
ScannersIPv6 security scannerHalfscan6NmapStrobeNetcat
DoS Tools6tunneldos4to6ddosImps6-tools
Packet forgersScapy6SendIPPackitSpak6
Complete toolhttp://www.thc.org/thc-ipv6/
IPv6 Hacking ToolsLet the Games Begin
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 52BRKSEC-200314343_04_2008_c2
By the Way: It Is Real
Sniffers/packet captureSnortTCPdumpSun Solaris snoopCOLDEtherealAnalyzerWindumpWinPcapNetPeekSniffer Pro
WormsSlapper
Advisories/field noticeshttp://www.cisco.com/warp/public/707/cisco-sa-20050126-ipv6.shtmlhttp://www.kb.cert.org/vuls/id/658859
ScannersIPv6 security scannerHalfscan6NmapStrobeNetcat
DoS Tools6tunneldos4to6ddosImps6-tools
Packet forgersScapy6SendIPPackitSpak6
Complete toolhttp://www.thc.org/thc-ipv6/
IPv6 Hacking ToolsLet the Games Begin
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
27
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 53BRKSEC-200314343_04_2008_c2
Specific IPv6 Issues
Issues Applicable Only to IPv6
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 54BRKSEC-200314343_04_2008_c2
IPv6 Header Manipulation
Unlimited size of header chain (spec-wise) can make filtering difficultPotential DoS with poor IPv6 stack implementations
More boundary conditions to exploitCan I overrun buffers with a lot of extension headers?
Perfectly Valid IPv6 Packet According to the Sniffer
Destination Options Header Should Be the Last
Header Should Only Appear Once
Destination Header Which Should Occur at Most Twice
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
28
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 55BRKSEC-200314343_04_2008_c2
The IPsec Myth
IPv6 mandates the implementation of IPsec
IPv6 does not require the use of IPsec
Some organizations believe that IPsec should be used to secure all flows...
Interesting scalability issue (n2 issue with IPsec)
Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
Network telemetry is blinded: NetFlow of little use
Network services hindered: What about QoS?
Recommendation: Do not use IPsec end to end within an administrative domain
Suggestion: Use IPsec for residential
IPsec End-to-End Will Save the World
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 56BRKSEC-200314343_04_2008_c2
IPv4 to IPv6 Transition Challenges
16+ methods, possibly in combinationIP spoofing
Dual stackConsider security for both protocols
Cross v4/v6 abuse
Resiliency (shared resources)
TunnelsBypass firewalls (protocol 41 or UDP)
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
29
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 57BRKSEC-200314343_04_2008_c2
Dual Stack Host Considerations
Host security on a dual-stack deviceApplications can be subject to attack on both IPv6 and IPv4
Host security controls should block and inspect traffic from both IP versions
Host intrusion prevention, personal firewalls, VPNclients, etc.
Dual Stack Client
IPv4 IPsecVPN with No Split Tunneling
Does the IPsec Client Stop an Inbound IPv6 Exploit?
IPv6 HDR IPv6 Exploit
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 58BRKSEC-200314343_04_2008_c2
Dual Stack with Enabled IPv6 by Default
Your host:IPv4 is protected by your favorite personal firewall...
IPv6 is enabled by default (Vista, Linux, MacOS, ...)
Your network:Does not run IPv6
Your assumption:I’m safe
RealityYou are not safe
Attacker sends Router Advertisements
Your host configures silently to IPv6
You are now under IPv6 attack
Probably time to think about IPv6 in your network
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
30
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 59BRKSEC-200314343_04_2008_c2
Enabling IPv6 on a Remote Host(In this Case MacOS)
1. Dual-Stack MacOS: Any IPv6 Router?2. Hacker: I’m the Router
3. Newly Enabled IPv6 MacOS Does DAD
4. The Full IPv6 Address of the MacOS
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 60BRKSEC-200314343_04_2008_c2
IPv6 Tunneling Summary
RFC 1933/2893 configured and automatic tunnels
RFC 2401 IPsec tunnel
RFC 2473 IPv6 generic packet tunnel
RFC 2529 6over4 tunnel
RFC 3056 6to4 tunnel
ISATAP tunnel
MobileIPv6 (uses RFC2473)
Teredo tunnels
Only allow authorized endpoints to establish tunnels
Static tunnels are deemed as “more secure,” but less scalable
Automatic tunneling mechanisms are susceptible to packet forgery and DoS attacks
These tools have the same risk as IPv4, just new avenues of exploitation
Automatic IPv6 over IPv4 tunnels could be secured by IPv4 IPsec
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
31
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 61BRKSEC-200314343_04_2008_c2
IPv6 in IPv4Tunnel
L3–L4 Spoofing in IPv6 When Using IPv6 over IPv4 Tunnels
Most IPv4/IPv6 transition mechanisms have no authentication built in
an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses
Public IPv4 Internet
Server B Server A
Tunnel Termination
TunnelTermination
IPv6 Network IPv6 Network
IPv6 ACLs Are Ineffective Since IPv4 and IPv6 Is Spoofed Tunnel Termination Forwards the Inner IPv6 PacketIPv4
IPv6
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 62BRKSEC-200314343_04_2008_c2
Transition Threats: ISATAP
Unauthorized tunnels—firewall bypass (protocol 41)
IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise
This has implications on network segmentation and network discovery
No authentication in ISATAP—rogue routers are possible
Host security needs IPv6 support
ISATAP Router
ISATAP Tunnels
Direct Communication
Any Host Can Talk to the Router
IPv4 Network ~ Layer 2 for IPv6 Service
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
32
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 63BRKSEC-200314343_04_2008_c2
Teredo?
Teredo Navalis A shipworm drilling holes in boat hulls
Teredo MicrosoftisIPv6 in IPv4 punching holes in NAT devices
Source: United States Geological Survey
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 64BRKSEC-200314343_04_2008_c2
Teredo Tunnels (1 of 3)
Without Toredo TunnelsAll outbound traffic inspected: e.g., P2P is blockedAll inbound traffic blocked by firewall
IPv4 Intranet
IPv4 Firewall
IPv6 Internet
Teredo Relay
IPv4 Internet
Without Teredo: Controls Are in Place
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
33
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 65BRKSEC-200314343_04_2008_c2
Teredo Tunnels (2 of 3)
Teredo threats—IPv6 over UDP (port 3544)Internal users wants to get P2P over IPv6Configure the Teredo tunnel (already enabled by default!)FW just sees IPv4 UDP traffic (may be on port 53)No more outbound control by FW
IPv4 FirewallTeredo Relay
IPv4 Intranet
IPv6 InternetIPv4 Internet
No More Outbound Control
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 66BRKSEC-200314343_04_2008_c2
Teredo Tunnels (3 of 3)
Once Teredo is configuredInbound connections are allowedIPv4 firewall unable to controlIPv6 hackers can penetrateHost security needs IPv6 support now
Teredo Relay
No More Outbound Control
IPv4 Intranet
IPv6 InternetIPv4 Internet
IPv4 Firewall
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
34
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 67BRKSEC-200314343_04_2008_c2
Understand the Behavior of Vista
IPv6 is preferred over IPv4Vista sends IPv6 NA/NS/RS upon link-up
Attempts DHCP for IPv6
Else wait for local RA received with Global or ULA
Else try ISATAP
Else try Teredo
Else use IPv4—last resort
http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 68BRKSEC-200314343_04_2008_c2
Can We Block Rogue Tunnels?
Rogue tunnels by naïve users:Sure, block IP protocol 41 and UDP/3544
In Windows:
Really rogue tunnels (covert channels)No easy way...
Teredo will run over a different UDP port of course
Network devices can be your friend (more to come)
Deploying native IPv6 (including IPv6 firewalls) is probably a better alternative
Or disable IPv6 on Windows through GPO or CSA 6.0
netsh interface 6to4 set state state=disabled undoonstop=disablednetsh interface isatap set state state=disablednetsh interface teredo set state type=disabled
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
35
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 69BRKSEC-200314343_04_2008_c2
Can the Network Block Rogue Tunnels?
Use Flexible Packet Matching (FPM)Blocking all Teredo addresses 2001::/32 in the UDP payload
FPMAvailable in software since 12.4(4)THardware implementation in PISA (requires Sup32 and Cat6K)Classify on multiple attributes within a packetString match and regexExpressed in XML
0111111010101010000111000100111110010001000100100010001001
Match Pattern And Or Not
http://www.cisco.com/go/fpm
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 70BRKSEC-200314343_04_2008_c2
load protocol bootdisk:ip.phdfload protocol bootdisk:udp.phdf
class-map type stack match-all cm-ip-udpmatch field IP protocol eq 17 next UDP
class-map type access-control match-all cm-teredo1match start udp payload-start offset 0 size 1 eq 0x60 mask 15match start udp payload-start offset 8 size 4 eq 0x20010000
class-map type access-control match-all cm-teredo2match start udp payload-start offset 0 size 1 eq 0x60 mask 15match start udp payload-start offset 24 size 4 eq 0x20010000
policy-map type access-control pm-teredoclass cm-teredo1dropclass cm-teredo2drop
policy-map type access-control pm-udp-teredoclass cm-ip-udp
service-policy pm-teredo
interface GigabitEthernet1/36service-policy type access-control in pm-udp-teredo
FPM Configuration to Block Teredo
The trick is to block all packets containing a Teredo source or destination address in the UDP payload
Teredo addresses are in the 2001::/32 (note 32) prefix
IP Version = 6
Teredo Prefix as Embedded Address
For YourReference
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
36
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 71BRKSEC-200314343_04_2008_c2
SP Transition Mechanism: 6VPE
6VPE: the MPLS-VPN extension to also transport IPv6 traffic over a MPLS cloud and IPv4 BGP sessions
PE1
2001:db8:1:1:/64
PE3
PE4
IPv4 only MPLS
10.1.1.0/24
PE2
v4 and v6 VPN
10.1.1.0/242001:db8:1:1:/64
v4 only VPN
2001:db8:1:2:/64
v4 and v6 VPN
10.1.2.0/242001:db8:1:2:/64
v4 only VPN
10.1.2.0/24
v6 VPN v6 VPN
VRF VRF
VRF
VRF
VRF
VRF
Dual-StackIPv4-IPv6
PE Routers
Dual-StackIPv4-IPv6
PE Routers
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 72BRKSEC-200314343_04_2008_c2
6VPE Security
Identical to IPv4 MPLS-VPN, see RFC 4381MPLS VPNs can be secured as well as ATM/FR VPNsSecurity depends on correct operation and implementation
QoS prevent flooding attack from one VPN to another onePE routers must be secured: AAA, iACL, CoPP …
MPLS backbones can be more secure than “normal”IP backbones
Core not accessible from outsideSeparate control and data plane
Key: PE securityAdvantage: Only PE-CE interfaces accessible from outsideMakes security easier than in “normal” networks
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
37
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 73BRKSEC-200314343_04_2008_c2
IPv6 Security: Best Common Practice
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 74BRKSEC-200314343_04_2008_c2
Candidate Best Practices
Implement privacy extensions carefully
Filter internal-use IPv6 addresses at the enterprise border routers
Filter unneeded services at the firewall
Selectively filter ICMP
Maintain host and application security
Determine what extension headers will be allowed through the access control device
Block Type 0 Routing Header at the edge
Determine which ICMPv6 messages are required
Deny IPv6 fragments destined to an internetworking device when possible
Ensure adequate IPv6 fragmentation filtering capabilities
For YourReference
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
38
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 75BRKSEC-200314343_04_2008_c2
Candidate Best Practices (Cont.)
Implement RFC 2827-like filtering and encourage your ISP to do the sameDocument procedures for last-hop tracebackUse cryptographic protections where criticalUse static neighbor entries for critical systemsImplement ingress filtering of packets with IPv6 multicast source addresses Use traditional authentication mechanisms on BGP and IS-ISUse IPsec to secure protocols such as OSPFv3 and RIPngUse static tunneling rather than dynamic tunnelingImplement outbound filtering on firewall devices to allow only authorized tunneling endpointsTrain your network operators and security managers on IPv6
For YourReference
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 76BRKSEC-200314343_04_2008_c2
Enforcing a Security Policy
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
39
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 77BRKSEC-200314343_04_2008_c2
Cisco IOS IPv6 Access Control Lists
Can filter traffic based on source and destination address
Can filter traffic inbound or outbound to a specific interface
Implicit “deny all” at the end of access list
Very much like in IPv4
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 78BRKSEC-200314343_04_2008_c2
Cisco IOS IPv6 Access Control Lists
Filtering inbound traffic from one specific source address
Prefix: 2001:db8:2c80:1000::/64
IPv6 Internet
2001:db8:2c80:1000::1
Others
Serial 0
ipv6 access-list MY_ACLpermit any 2001:db8:2c80:1000::1/128 deny any 2001:db8:2c80:1000::/64
interface Serial 0ipv6 traffic-filter MY_ACL in
A Trivial Example
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
40
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 79BRKSEC-200314343_04_2008_c2
IPv6 Extended Access Control Lists
Upper layers: ICMP, TCP, UDP, SCTP, any value
ICMPv6 code and type
TCP SYN, ACK, FIN, PUSH, URG, RST
L4 port numbers
Traffic class (only six bits/8) = DSCP
Flow label (0-0xFFFFF)
IPv6 header optionsFragments
Routing header type
Destination header type
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 80BRKSEC-200314343_04_2008_c2
IPv6 ACL Implicit Rules
The following implicit rules exist at the end of each IPv6 ACL to allow ICMPv6 neighbor discovery:
Be careful when adding « deny ipv6 any anylog » at the end
permit icmp any any nd-napermit icmp any any nd-nsdeny ipv6 any any
permit icmp any any nd-napermit icmp any any nd-nsdeny ipv6 any any log
Implicit Permit for Enable Neighbor Discovery
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
41
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 81BRKSEC-200314343_04_2008_c2
IPv6 ACL to Protect VTY
ipv6 access-list VTYpermit ipv6 2001:db8:0:1::/64 any
line vty 0 4ipv6 access-class VTY in
For YourReference
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 82BRKSEC-200314343_04_2008_c2
Control Plane Policing for IPv6
Against DoS with Neighbor Discovery...Can also throttle IPv6 traffic when processed in SW while IPv4 is in HW (legacy platform)
Beware of CSCso03034
If in doubt: show proc cpu | include IPv6
class-map match-all ipv6match protocol ipv6
policy-map CoPPclass ipv6police rate 100 ppsconform-action transmit exceed-action drop
control-planeservice-policy input CoPP
For YourReference
Protecting the Router CPU
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
42
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 83BRKSEC-200314343_04_2008_c2
Cisco IOS Firewall IPv6 Support
Stateful protocol inspection (anomaly detection) of IPv6 fragmented packets, TCP, UDP, ICMP and FTP traffic
Stateful inspection and translation services of IPv4/IPv6 packets
IPv6 DoS attack mitigation
IPv4/v6 coexistence, no need for new hardware, just software
Recognizes IPv6 extension header information such as routing header, hop-by-hop options header, fragment header, etc.
IPv4Site 3
IPv6Site 2 IPv6 IPv6
Dual Stack Router
IPv6 Router withCisco IOS Firewall
Internet (IPv4)
IPv6Site 1IPv6 Router with
Cisco IOS Firewall
IPv6 Router withCisco IOS Firewall
IPv6 Router withCisco IOS Firewall
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 84BRKSEC-200314343_04_2008_c2
ASA Firewall IPv6 Support
Since version 7.0
Dual-stack, IPv6 only, IPv4 only
Extended IP ACL with stateful inspection
Application awarenessHTTP, FTP, telnet, SMTP, TCP, SSH, UDP
uRPF and v6 Frag guard
IPv6 header security checks
Management access via IPv6Telnet, SSH, HTTPS
Caveat: no fail-over support (should be in 8.2)
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
43
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 85BRKSEC-200314343_04_2008_c2
ASA: Sample IPv6 Topology
2001
:db8
:c00
0:10
52::/
64
..::7Inside..::8
Outside2001:db8:c000:1051::37/64
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 86BRKSEC-200314343_04_2008_c2
ASA 7.x: ACL
interface Ethernet0nameif outsideipv6 address 2001:db8:c000:1051::37/64ipv6 enableinterface Ethernet1nameif insideipv6 address 2001:db8:c000:1052::1/64ipv6 enable
ipv6 route outside ::/0 2001:db8:c000:1051::1
ipv6 access-list SECURE permit tcp any host 2001:db8:c000:1052::7 eq telnet ipv6 access-list SECURE permit icmp6 any 2001:db8:c000:1052::/64
access-group SECURE in interface outside
For YourReference
Very Similar to Cisco IOS
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
44
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 87BRKSEC-200314343_04_2008_c2
ASA 7.x: Stateful Inspection
ASA# show conn4 in use, 7 most usedICMP out fe80::206:d7ff:fe80:2340:0 in fe80::209:43ff:fea4:dd07:0 idle 0:00:00 bytes 16UDP out 2001:db8:c000:1051::138:53 in 2001:db8:c000:1052::7:50118 idle 0:00:02 flags -TCP out 2001:200:0:8002:203:47ff:fea5:3085:80 in 2001:db8:c000:1052::7:11009 idle 0:00:14 bytes 8975 flags UfFRIOTCP out 2001:db8:c000:1051::1:11008 in 2001:db8:c000:1052::7:23 idle 0:00:04 bytes 411 flags UIOB
For YourReference
© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicBRSEC-200314343_04_2008_c2 88
“There is no reason anymore to let your site be wide open for IPv6.”
An IPv6 Site AdministratorPreviously Fully Opened in IPv6
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
45
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 89BRKSEC-200314343_04_2008_c2
Cisco Security Agent and IPv6
IPv6 ACL (only on Vista)
Disable IPv6 (XP and Vista) Deny
To Any IPv6 Addresses
IPv6 Support for Windows in CSA 6.0 (May 2008)
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 90BRKSEC-200314343_04_2008_c2
CSA 6.0 in Action
IPv6 traffic is denied by CSA...
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
46
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 91BRKSEC-200314343_04_2008_c2
Enterprise Deployment: Secure IPv6 Connectivity
How to Secure IPv6 over the WAN
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 92BRKSEC-200314343_04_2008_c2
Secure IPv6 over IPv4/6 Public Internet
No traffic sniffing
No traffic injection
N/AIPsec VTI 12.4(6)TIPv6
ISATAP Protected by RA IPsec
SSL VPN Client AnyConnect
6in4/GRE Tunnels Protected by IPsec
DMVPN 12.4(20)TIPv4
Remote AccessSite 2 SitePublic Network
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
47
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 93BRKSEC-200314343_04_2008_c2
IPv6 in IPv4 Tunnel
IPv4
IPv6
Net
wor
k
Secure Site to Site IPv6 Traffic over IPv4 Public Network
IPv6
Net
wor
k
IPsec Protects IPv4 Unicast Traffic... The Encapsulated IPv6 Packets
IPsec
GRE Tunnel Can Be Used to Transport BothIPv4 and IPv6 in the Same Tunnel
See reference slides for more details
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 94BRKSEC-200314343_04_2008_c2
Secure Site to Site IPv6 Traffic over IPv4 Public Network with DMVPN
IPv6 packets over DMVPN IPv4 tunnelsIn IOS release 12.4(20)T (July 2008)
IPv6 and/or IPv4 data packets over same GRE tunnel
Complete set of NHRP commandsnetwork-id, holdtime, authentication, map, etc.
NHRP registers two addressesLinkLink--locallocal for routing protocol (Automatic or Manual)
GlobalGlobal for packet forwarding (Mandatory)
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
48
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 95BRKSEC-200314343_04_2008_c2
DMVPN for IPv6 Phase 1 Configuration
interface Tunnel0! Optional IPv4 DMVPN configuration
ipv6 address 2001:db8:100::1/64ipv6 eigrp 1no ipv6 split-horizon eigrp 1no ipv6 next-hop-self eigrp 1ipv6 nhrp map multicast dynamicipv6 nhrp network-id 100006ipv6 nhrp holdtime 300tunnel source Serial2/0tunnel mode gre multipointtunnel protection ipsec profile PROF
!interface Ethernet0/0
ipv6 address 2001:db8:0::1/64ipv6 eigrp 1
!interface Serial2/0
ip address 172.17.0.1172.17.0.1 255.255.255.252!ipv6 router eigrp 1
no shutdown
interface Tunnel0! Optional IPv4 DMVPN configuration
ipv6 address 2001:db8:100::11/64ipv6 eigrp 1ipv6 nhrp map multicast 172.17.0.1172.17.0.1ipv6 nhrp map 2001:db8:100::1/128 172.17.0.1172.17.0.1ipv6 nhrp network-id 100006ipv6 nhrp holdtime 300ipv6 nhrp nhs 2001:db8:100::1tunnel source Serial1/0tunnel mode gre multipointtunnel protection ipsec profile PROF
!interface Ethernet0/0
ipv6 address 2001:db8:1::1/64ipv6 eigrp 1
!interface Serial1/0
ip address 172.16.1.1172.16.1.1 255.255.255.252!ipv6 router eigrp 1
no shutdown
SpokeHub
For YourReference
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 96BRKSEC-200314343_04_2008_c2
Secure Site to Site IPv6 Traffic over IPv6 Public Network
Since 12.4(6)T, IPsec also works for IPv6
Using the Virtual Interface
interface Tunnel0no ip addressipv6 address 2001:DB8::2811/64ipv6 enabletunnel source Serial0/0/1tunnel destination 2001:DB8:7::2tunnel mode ipsec ipv6tunnel protection ipsec profile ipv6
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
49
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 97BRKSEC-200314343_04_2008_c2
IPv6 for Remote Devices Solutions
Enabling IPv6 traffic inside the Cisco VPN Client tunnelNAT and Firewall traversal support
Allow remote host to establish a v6-in-v4 tunnel either automatically or manually
ISATAP—Intra Site Automatic Tunnel Addressing Protocol
Fixed IPv6 address enables server’s side of any application to be configured on an IPv6 host that could roam overthe world
Use of ASA 8.0 and SSL VPN Client AnyConnectCan transfer IPv6 traffic over public IPv4
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 98BRKSEC-200314343_04_2008_c2
ISATAP
IPv4
Secure RA IPv6 Traffic over IPv4 Public Network: ISATAP in IPsec
IPv6
Net
wor
k
IPsec with NAT-T Can Traverse NATISATAP Encapsulates IPv6 into IPv4
IPsec Protects IPv4 Unicast Traffic... The Encapsulated IPv6 Packets
IPsec
ISATAPTunnel Server
on Dual Stack Router
EnterpriseVPN Head-End (ASA,
Cisco IOS, ...)
See reference slides for more details
IPv6 PC
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
50
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 99BRKSEC-200314343_04_2008_c2
Secure RA IPv6 Traffic over IPv4 Public Network: AnyConnect SSL VPN Client
IPv4
IPv6
Net
wor
k
ASA 8.0SSL VPN
ConcentratorDual Stack
IPv6 PCAnyConnect
IPsec with NAT-T Can Traverse NATISATAP Encapsulates IPv6 into IPv4
IPv4 and IPv6 Transport in SSL
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 100BRKSEC-200314343_04_2008_c2
ASA 8.0 and AnyConnect 2.0 for IPv6 Transport
Since 8.0 ASA SSL VPN and AnyConnect can transport IPv6
same-security-traffic permit inter-interfacesame-security-traffic permit intra-interface
ipv6 local pool POOL_V6 2001:db8:5fff:81::1:1/64 8
tunnel-group DefaultWEBVPNGroup general-attributes...ipv6-address-pool POOL_V6
Ethernet adapter Cisco AnyConnect VPN Client Connection:
Connection-specific DNS Suffix . : cisco.comIP Address. . . . . . . . . . . . : 192.168.0.200Subnet Mask . . . . . . . . . . . : 255.255.255.0IP Address. . . . . . . . . . . . : 2001:db8:5fff:81::1:1IP Address. . . . . . . . . . . . : fe80::205:9aff:fe3c:7a00%13Default Gateway . . . . . . . . . : 192.168.0.1
2001:db8:5fff:81::
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
51
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 101BRKSEC-200314343_04_2008_c2
Conclusion
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 102BRKSEC-200314343_04_2008_c2
Key Take Away
So, nothing really new in IPv6Lack of operation experience may hinder security for a while
Security enforcement is possibleControl your IPv6 traffic as you do for IPv4
Leverage IPsec to secure IPv6 when possible
Beware of the IPv6 latent threat: Your network may be vulnerable to IPv6 attacks
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
52
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 103BRKSEC-200314343_04_2008_c2
Q and A
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 104BRKSEC-200314343_04_2008_c2
Related Sessions
BRKSEC-4003: Advanced IPv6 Security: Secure Neighbor Discovery
BRKRST-2301: Enterprise IPv6 deploymentBRKSEC-2105: Securing IP Network Traffic PlanesBRKSEC-2002: Understanding and Preventing
Layer 2 AttacksBRKSEC-4010: Advanced Concepts of Dynamic
Multipoint VPN
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
53
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 105BRKSEC-200314343_04_2008_c2
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press®
Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 106BRKSEC-200314343_04_2008_c2
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes; winners announced daily
Receive 20 Passport points for each session evaluation you complete
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
54
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 107BRKSEC-200314343_04_2008_c2
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 108BRKSEC-200314343_04_2008_c2
Reference Slides
For Reference Only
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
55
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 109BRKSEC-200314343_04_2008_c2
IP Mobility
Mobility Means:Mobile devices are fully supported while movingBuilt-in on IPv6
Any node can use it
Optimized routing means performance for end-usersFiltering challenges
Optimized RoutingNot Possible in IPv4
2001:db8:c18::1
2001:2:a010::5
Home Agent
Correspondent Node
Mobile Node
Mobile Node
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 110BRKSEC-200314343_04_2008_c2
Mobile IPv6 Security Features Overview
Protection of binding updates both to home agents and correspondent nodes
IPsec (specially for HA)
Or binding authorization data option through the return routability procedure
Protection of mobile prefix discoveryThrough the use of IPsec extension headers
Protection of data packets transportHome address destination option and type two routingheader specified in a manner which restricts their usein attacks
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
56
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 111BRKSEC-200314343_04_2008_c2
Mobile IPv6 Security
Provides reasonable assurance that the MN is addressable at its claimed CoA and at its HoA
Test whether packets addressed to the two claimed addresses are routed back to the MN
Mobile Node Home Agent Correspondent NodeHome Test Init (HoTI)
Care-of Test Init (CoTI)
Home Test (HoT) (Key Mat 1)
Care-of Test (CoT) (Key Mat 2)
Binding Update (Computed from Key Mat 1 and 2)
Return Routability Test
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 112BRKSEC-200314343_04_2008_c2
MIPv6 Security Protections
BU/BA to HA must be secured through IPsec
MN and HA should use an IPsec SA to protect the integrity and authenticity of the mobile prefix solicitations and advertisements
Payload packets exchanged with MN can follow the same protection policy as other IPv6 hosts
Specific security measures are defined to protect the specificity of MIPv6
Home address destination option
Type 2 Routing header
Tunnelling headers
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
57
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 113BRKSEC-200314343_04_2008_c2
MIPv6 Security Challenges
Unlike IPv4 Mobility, IPv6 enables the MN and the CN to communicate directly through Route Optimization
Security tools such as IDS/Firewall and Regulation implementation such as LI can be bypassed by design in the case of MIPv6
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 114BRKSEC-200314343_04_2008_c2
IPv6 for Remote Devices
ipv6 unicast-routing!interface FastEthernet0/0description TO VPN 3000ip address 20.1.1.1 255.255.255.0!interface FastEthernet0/1description TO Campus Networkipv6 address 2001:db8:C003:111C::2/64!interface Tunnel0no ip addressipv6 address 2001:db8:C003:1101::/64 eui-64no ipv6 nd suppress-ratunnel source FastEthernet0/0tunnel mode ipv6ip isatap
Dual-stack router configuration
Interface ID
IPv4 Addr.64-bit Unicast Prefix 0000:5EFE:32-bit32-bit
ISATAP Address Format:
2001:db8:c003:1101:0:5efe:20.1.1.1
IPsec Hub
CorporateNetwork
Dual-StackRouter
F0/0
F0/1
For YourReference
Router Configuration: ISATAP
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
58
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 115BRKSEC-200314343_04_2008_c2
Interface 2: Automatic Tunneling Pseudo-Interface
Addr Type DAD State Valid Life Pref. Life Address--------- ---------- ------------ ------------ -----------------------------Public Preferred 29d23h56m5s 6d23h56m5s 2001:db8:c003:1101:0:5efe:10.1.99.102
Link Preferred infinite infinite fe80::5efe:10.1.99.102
netsh interface ipv6>show routeQuerying active state...
Publish Type Met Prefix Idx Gateway/Interface Name------- -------- ---- ------------------------ --- ---------------------no Autoconf 9 2001:db8:c003:1101::/64 2 Automatic Tunneling Pseudo-Interface
no Manual 1 ::/0 2 fe80::5efe:20.1.1.1
IPv6 for Remote Devices
IPsec HubDual-Stack
RouterWindows XP
Client
10.1.99.102—VPN Address2001:db8:c003:1101:0:5efe:10.1.99.102—IPv6 Address
Does It Work?
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 116BRKSEC-200314343_04_2008_c2
192.1
68.20
4.0/30
Serial 0/0 Dynamic.22
Tunnel 4 (IPv6 in IPv4)
Spoke Hub
Loopback 0 192.168.52.4 Loopback 0 192.168.52.7
IPsec SAIPsec SA Protects All IPv6 in IPv4 Packets Between the Static
Loopbacks
Hub IPsec Is Using Dynamic Crypto Maps
2001
:DB
8:C
000:
1051
::/64
2001
:DB
8:C
000:
1053
::4/1
28 IPv6 Tunnel Is Between the
Two Static IPv4 Loopbacks
Secure Site-to-Site For YourReference
IPv6 Connectivity
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
59
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 117BRKSEC-200314343_04_2008_c2
Secure Site-to-Site IPv6 Connectivity
Requires a fixed IPv4 address for hub
IPv6-in-IPv4 tunnels are anchored on IPv4 loopbacksTunnels requires static sources and destinations
IPsec dynamic crypto maps are usedAllows for dynamic spoke IPv4 addresses
IPsec works on IPv4 packets (containing the IPv4 packets)
Traffic initiated from spokes (hub is using dynamic crypto maps)
Key Design Points
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 118BRKSEC-200314343_04_2008_c2
Spoke Configuration (1 of 2)
interface Loopback0ip address 192.168.52.4 255.255.255.255
interface Tunnel4no ip addressipv6 unnumbered FastEthernet0/0ipv6 enabletunnel source Loopback0tunnel destination 192.168.52.7tunnel mode ipv6ip
!ip route 192.168.52.0 255.255.255.0 Serial0/0
Static IPv4 Addresses
For YourReference
IPv6 Tunnels
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
60
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 119BRKSEC-200314343_04_2008_c2
Spoke Configuration (2 of 2)
crypto ipsec transform-set 3DES esp-3des !crypto map IPV6_SEC 10 ipsec-isakmp set peer 192.168.204.26set transform-set 3DES match address SELECTOR
!interface Serial0/0crypto map IPV6_SEC
!ip access-list extended SELECTORpermit 41 host 192.168.52.4 host 192.168.52.7
IPv4 Address of Hub
IPsec Traffic Selectors: Fixed IPv4 Loopback Addresses, i.e., Encapsulated IPv6 Traffic
For YourReference
IPv6 IPsec
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 120BRKSEC-200314343_04_2008_c2
Hub Configuration (1 of 2)
interface Loopback0ip address 192.168.52.7 255.255.255.255
!interface Tunnel4no ip addressipv6 unnumbered FastEthernet0/1ipv6 enabletunnel source Loopback0tunnel destination 192.168.52.4tunnel mode ipv6ip
… a lot more interfaces Tunnel…
ip route 192.168.52.0 255.255.255.0 Serial0/0
Static IPv4 Addresses
For YourReference
IPv4 Tunnels
© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr
61
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 121BRKSEC-200314343_04_2008_c2
Hub Configuration (2 of 2)
crypto ipsec transform-set 3DES esp-3des !crypto dynamic-map TEMPLATE 10set transform-set 3DES match address SELECTOR
! crypto map IPV6_SEC 10 ipsec-isakmp dynamic TEMPLATE!interface Serial0/0ip address 192.168.204.26 255.255.255.252crypto map IPV6_SEC
!ip access-list extended SELECTORpermit 41 host 192.168.52.7 192.168.52.0 0.0.0.255
Dynamic Crypto Map:Allow IPsec from Every IP Address with Correct IKE Authentication
IPsec Traffic Selectors: Fixed IPv4 Loopback Addresses, i.e., Encapsulated IPv6 Traffic
For YourReference
IPv4 IPsec
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 122BRKSEC-200314343_04_2008_c2
IPv6 Integration on MPLS VPN Infrastructure: 6VPE
MPLS/IPv4 Core Infrastructure is IPv6-unawarePEs are updated to support Dual Stack/6VPE IPv6 VPN can co-exist with IPv4 VPN—same scope and policies6VPE—RFC 4659—Cisco authored for IPv6 VPN over MPLS/IPv4 infrastructureShipping in:
12.2(33)SRB (Barracuda – C7600), Q1CY’0712.4(pi7)T (C7200, C7301, C2800, C3800), Q3CY’0712.2(x)SB (Exodus Rel5 – C10000), Q3CY’0712.2(33)SXI (Whitney 2.0 – C6500), Q4CY’07
Site-1
Site-2PE1PE2
P2P1CE2
VRF Red
VRF RedCE1
iGP-v4 (OSPF, ISIS) LDP-v4
MP-eBGP SessionAddress-family IPv4Address-family IPv6 MP-eBGP Session
Address-family IPv4Address-family IPv6
Dual-Stack Network
Dual-Stack Network
Dual-Stack Server
2001:101::/6410.101/16
MP-iBGP SessionAddress-family VPNv4Address-family VPNv6
vrf definition site1 rd 100:1route-target import 100:1route-target export 100:1address-family ipv4address-family ipv6
!interface ethernet0/0vrf forwarding site1ip address 10.100.1.2 255.255.0.0ipv6 address 2001:100::72b/64
2001:201::/6410.201/16
vrfAddress-family IPv4Address-family IPv6
Dual-Stackipv4 addresses: 10.100/16ipv6 addresses: 2001:100::/64