Gaweł Mikołajczyk [email protected]
IPv6 insecurities at First Hop
SETTING THE STAGE
IPv6 Neighbor Discovery Fundamentals
RFC 4861, Neighbor Discovery for IP Version 6 (IPv6)
RFC 4862, IPv6 Stateless Address Autoconfiguration
Used for:
Router discovery
IPv6 Stateless Address Auto Configuration (SLAAC)
IPv6 address resolution (replaces ARP)
Neighbor Unreachability Detection (NUD)
Duplicate Address Detection (DAD)
Redirection
Operates above ICMPv6
Relies heavily on multicast (including L2 multicast)
Works with ICMPv6 messages and message “options”
IPv4 to IPv6 – Link model shift
[Figure: „An IPv4 link” – the DHCP server assigns addresses, announces the default router and announces link parameters]
IPv4 link model is DHCP-centric
[Figure: „An IPv6 link” – the router announces the default router and announces link parameters; address assignment is done both by the router (SLAAC) and by the DHCP server]
IPv6 link model is essentially distributed, with DHCP playing a minor role
Securing Link Operations: First Hop Trusted Device
Advantages
– central administration, central operation
– Complexity limited to first hop
– Transitioning is a lot easier
– Efficient for threats coming from the link
– Efficient for threats coming from outside
Disadvantages
– Applicable only to certain topologies
– Requires first-hop to learn about end-nodes
– First-hop is a bottleneck and single-point of failure
Cisco current roadmap; IETF SAVI WG
[Figure: first-hop trusted device, time server, certificate server]
„TARGETING THE HOSTS”
IPv6 Address Resolution – comparing with IPv4 ARP
Creates a neighbor cache entry, resolving an IPv6 address into a MAC address.
Messages: Neighbor Solicitation (NS), Neighbor Advertisement (NA)
[Figure: nodes A, B and C on one link; A resolves B]
NS: ICMP type = 135 (Neighbor Solicitation)
    Src = A
    Dst = Solicited-node multicast address of B
    Data = B
    Option = link-layer address of A
    Query = what is B’s link-layer address?
NA: ICMP type = 136 (Neighbor Advertisement)
    Src = one of B’s IF addresses
    Dst = A
    Data = B
    Option = link-layer address of B
A and B can now exchange packets on this link.
Attacking IPv6 Address Resolution
Attacker can claim victim's IPv6 address.
[Figure: A resolves B; attacker C answers in B’s place]
NS from A: Dst = Solicited-node multicast address of B
    Query = what is B’s link-layer address?
NA from C: Src = B or any of C’s IF addresses
    Dst = A
    Data = B
    Option = link-layer address of C
Countermeasures: Static Cache Entries, Address GLEAN, SeND (CGA) on routers, Integrity Guard (Address-Watch).
Address GLEAN
[Figure: hosts H1, H2, H3 behind a switch that holds a binding table; a DHCP server is reachable through the switch]
Gleaned messages:
    H1: NS [IP source=A1, LLA=MACH1]
    H2: DHCP REQUEST [XID, SMAC = MACH2], DHCP REPLY [XID, IPA21, IPA22]; the switch can also use DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY
    H3: data [IP source=A3, SMAC=MACH3]; DAD NS [IP source=UNSPEC, target = A3]; NA [IP source=A1, LLA=MACH3]
Binding table:
    IPv6  MAC    VLAN  IF
    A1    MACH1  100   P1
    A21   MACH2  100   P2
    A22   MACH2  100   P2
    A3    MACH3  100   P3
Gleaning means inspecting the
IPv6 Duplicate Address Detection (DAD)
Verify IPv6 address uniqueness: verify that no neighbor already claims the address
Required (MUST) by SLAAC, recommended (SHOULD) by DHCP
Messages: Neighbor Solicitation, Neighbor Advertisement
[Figure: A, B and C on one link; A probes for its own address]
NS: ICMP type = 135 (Neighbor Solicitation)
    Src = UNSPEC = 0::0
    Dst = Solicited-node multicast address of A
    Data = A
    Query = Does anybody use A already?
Node A starts using the address (if nobody answers)
Attack On DAD
Attacker answers any of the victim's DAD attempts.
Victim can't configure an IP address and can't communicate: DoS condition.
[Figure: A (victim) and C (attacker)]
NS from A: Src = UNSPEC
    Dst = Solicited-node multicast address of A
    Data = A
    Query = Does anybody use A already?
NA from C (“it’s mine!”): Src = any of C’s IF addresses
    Dst = A
    Data = A
    Option = link-layer address of C
Device tracking
Goal: to track active addresses (devices) on the link
– Keep track of device state
– Probe devices when becoming stale
– Remove inactive devices from the binding table
– Record binding creation/deletion/changes
[Figure: hosts H1, H2, H3 behind a switch; Address GLEAN populates the binding table]
Binding table before probing:
    IPv6  MAC    VLAN  IF  STATE
    A1    MACH1  100   P1  STALE
    A21   MACH2  100   P2  REACH
    A22   MACH2  100   P2  REACH
    A3    MACH3  100   P3  STALE
Switch probes the stale entries:
    DAD NS [IP source=UNSPEC, target = A1]
    DAD NS [IP source=UNSPEC, target = A3]
    H1 answers: NA [target = A1, LLA=MACH1]
Binding table after probing (A3 did not answer and is removed):
    IPv6  MAC    VLAN  IF  STATE
    A1    MACH1  100   P1  REACH
    A21   MACH2  100   P2  REACH
    A22   MACH2  100   P2  REACH
IPv6 Source Guard
Validating the source address of IPv6 traffic sourced from the link
– Allow traffic sourced with known IP/SMAC
– Deny traffic sourced with unknown IP/SMAC
[Figure: hosts H1, H2, H3 behind a switch; Address GLEAN (DAD NS [IP source=UNSPEC, target = A3], NA [target = A1, LLA=MACA3], DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY) populates the binding table]
Binding table:
    IPv6  MAC     VLAN  IF
    A1    MACA1   100   P1
    A21   MACA21  100   P2
    A22   MACA22  100   P2
    A3    MACA3   100   P3
Traffic checked against the table:
    P1:: data, src= A1, SMAC = MACA1
    P2:: data, src= A21, SMAC = MACA21
    P3:: data, src= A3, SMAC = MACA3 (binding P3 :: A3, MACA3)
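As an added illustration (not code from the slides), a toy binding table in Python that gleans bindings from DAD NS, NA and DHCP REPLY the way the Address GLEAN slide shows, rejects an NA that tries to move an address to another MAC/port (Integrity Guard / Address-Watch), and applies the Source Guard rule to data frames. Host names, MACs and ports are constructed and mirror the slide's H1..H3.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    port: str

class BindingTable:
    """Constructed first-hop binding table: IPv6 address -> (MAC, VLAN, port)."""
    def __init__(self):
        self.entries = {}

    def glean_dad_ns(self, target, smac, vlan, port):
        # DAD NS has source UNSPEC, so the owner is the frame's SMAC / ingress port.
        return self._learn(target, smac, vlan, port)

    def glean_na(self, target, lla, vlan, port):
        # NA advertises the target together with a link-layer address option.
        return self._learn(target, lla, vlan, port)

    def glean_dhcp_reply(self, addresses, client_mac, vlan, port):
        # DHCP REPLY (or LEASEQUERY_REPLY): every leased address binds to the client.
        return all([self._learn(a, client_mac, vlan, port) for a in addresses])

    def _learn(self, addr, mac, vlan, port):
        new, old = Binding(mac, vlan, port), self.entries.get(addr)
        if old is not None and old != new:
            return False  # address already owned elsewhere: Integrity Guard rejects the claim
        self.entries[addr] = new
        return True

    def source_guard(self, src_ip, smac, vlan, port):
        # Allow data traffic only when (IP, SMAC, VLAN, port) matches a known binding.
        return self.entries.get(src_ip) == Binding(smac, vlan, port)

def demo():
    """Replays the slide's hosts H1..H3, then a station on P3 claiming H1's address A1."""
    t = BindingTable()
    t.glean_na("A1", "MACH1", 100, "P1")                   # H1
    t.glean_dhcp_reply(["A21", "A22"], "MACH2", 100, "P2")  # H2
    t.glean_dad_ns("A3", "MACH3", 100, "P3")               # H3
    stolen = t.glean_na("A1", "MACH3", 100, "P3")          # P3 claims A1 -> rejected
    legit = t.source_guard("A1", "MACH1", 100, "P1")       # -> allowed
    spoof = t.source_guard("A1", "MACH3", 100, "P3")       # -> denied
    return stolen, legit, spoof
```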
„TARGETING THE ROUTER”
Why should you care about router stealing?
$ ping6 -I en1 ff02::1%en1
PING6(56=40+8+8 bytes) fe80::226:bbff:fexx:xxxx%en1 --> ff02::1
16 bytes from fe80::226:bbff:fexx:xxxx%en1, icmp_seq=0 hlim=64 time=0.140 ms
. . .
16 bytes from fe80::cabc:c8ff:fec3:fdef%en1, icmp_seq=3 hlim=64 time=402.112 ms
^C
--- ff02::1%en1 ping6 statistics ---
4 packets transmitted, 4 packets received, +142 duplicates, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.140/316.721/2791.178/412.276 ms
$ ifconfig en1
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:26:bb:xx:xx:xx
inet6 fe80::226:bbff:fexx:xxxx%en1 prefixlen 64 scopeid 0x6
inet 10.19.19.118 netmask 0xfffffe00 broadcast 10.19.19.255
media: autoselect
status: active
$ ndp -an
Neighbor Linklayer Address Netif Expire St Flgs Prbs
2001:xxxx:xxxx:1:3830:abff:9557:e33c 0:24:d7:5:6b:f0 en1 23h59m30s S
. . .
$ ndp -an | wc -l
64
Is there an IPv6 Network?
Are there any IPv6 peers?
Configure a tunnel, enable forwarding, transmit RA
IPv6 Router Discovery
Find default/first-hop routers
Discover on-link prefixes => which destinations are neighbors
Messages: Router Advertisements (RA), Router Solicitations (RS)
[Figure: host A and router B; B connects the link to the Internet]
RS: ICMP Type = 133 (Router Solicitation)
    Src = UNSPEC (or Host link-local address)
    Dst = All-routers multicast address (FF02::2)
    Query = please send RA
RA: ICMP Type = 134 (Router Advertisement)
    Src = Router link-local address
    Dst = All-nodes multicast address (FF02::1)
    Data = router lifetime, retrans timer, autoconfig flag
    Option = Prefix, lifetime
A uses B as default gateway
Attacking IPv6 Router Discovery
Attacker tricks the victim into accepting him as default router
Based on rogue Router Advertisements
The most frequent threat, usually caused by a non-malicious user
[Figure: host A, legitimate router B (to the Internet) and attacker C]
Rogue RA from C: Src = C’s link-local address
    Dst = All-nodes
    Data = router lifetime, autoconfig flag
    Options = subnet prefix, slla
Spoofed RA in B’s name: Src = B’s link-local address
    Dst = All-nodes
    Data = router lifetime=0
Result: node A sends off-link traffic to C
IPv6 RA-Guard – Securing Router Discovery
Switch selectively accepts or rejects RAs based on various criteria – ACL (configuration) based, learning-based or challenge (SeND) based. Hosts see only allowed RAs, and RAs with allowed content.
[Figure: RA “I am the default gateway” (Router Advertisement, Option: prefix(s)) from C towards A; the switch asks “Verification succeeded?” and forwards the RA only if so]
More countermeasures: static routing, SeND, VLAN segmentation, PACL.
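An added example in Python (not from the slides or any vendor's code) of the ACL-based RA-Guard decision described above: it parses an ICMPv6 Router Advertisement in the RFC 4861 layout (checksum ignored) and forwards it only when it arrives on a router-facing port, carries a known router MAC and advertises only permitted prefixes. The port names, MACs, prefixes and the policy are constructed.

```python
import struct
import ipaddress

RA_TYPE, OPT_SLLA, OPT_PREFIX = 134, 1, 3

def parse_ra(payload):
    """Parse an ICMPv6 Router Advertisement (RFC 4861 layout, checksum ignored)."""
    if len(payload) < 16 or payload[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime = struct.unpack("!BBH", payload[4:8])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "router_lifetime": lifetime, "slla": None, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):                  # TLV options, length in 8-octet units
        otype, olen = payload[off], payload[off + 1] * 8
        if olen == 0 or off + olen > len(payload):
            raise ValueError("malformed option")
        body = payload[off + 2:off + olen]
        if otype == OPT_SLLA:
            ra["slla"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX and olen == 32:    # prefix length at body[0], prefix at body[14:30]
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        off += olen
    return ra

def ra_guard(ra, ingress_port, policy):
    """ACL-based RA-Guard decision: (forward?, reason)."""
    if ingress_port not in policy["router_ports"]:
        return False, "RA on host-facing port"
    if ra["slla"] not in policy["router_macs"]:
        return False, "unknown router link-layer address"
    bad = [p for p in ra["prefixes"] if p not in policy["prefixes"]]
    if bad:
        return False, "prefix not permitted: " + ", ".join(bad)
    return True, "ok"

def build_ra(slla, prefix, plen=64, lifetime=1800):
    """Constructed sample RA with SLLA and Prefix Information options (no checksum)."""
    head = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    slla_opt = bytes([OPT_SLLA, 1]) + bytes.fromhex(slla.replace(":", ""))
    pio = struct.pack("!BBBBIII", OPT_PREFIX, 4, plen, 0xC0, 2592000, 604800, 0)
    return head + slla_opt + pio + ipaddress.IPv6Address(prefix).packed

# Constructed policy: only the uplink port, the known router MAC and the site prefix.
POLICY = {"router_ports": {"Gi1/1"},
          "router_macs": {"00:00:5e:00:53:01"},
          "prefixes": {"2001:db8:1::/64"}}
```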
IPv6 Stateless Address Auto-Configuration (SLAAC)
Stateless, based on prefix information delivered in Router Advertisements.
Messages: Router Advertisements, Router Solicitations
[Figure: host A and router B (to the Internet)]
RS: ICMP Type = 133 (Router Solicitation)
    Src = UNSPEC (or Host link-local address)
    Dst = All-routers multicast address (FF02::2)
    Query = please send RA
RA: ICMP Type = 134 (Router Advertisement)
    Src = Router link-local address
    Dst = All-nodes multicast address (FF02::1)
    Data = router lifetime, retrans timer, autoconfig flag
    Options = Prefix X,Y,Z, lifetime
A computes X::x, Y::y, Z::z and DADs them (NS)
A sources traffic with X::x, Y::y, Z::z
Attacking IPv6 Stateless Address Auto-Configuration
Attacker spoofs a Router Advertisement with a false on-link prefix
Victim generates an IP address with this prefix
Access router drops outgoing packets from the victim (ingress filtering)
Incoming packets can't reach the victim
[Figure: host A, router B (to the Internet) and attacker C]
Spoofed RA: Src = B’s link-local address
    Dst = All-nodes
    Options = prefix X, Preferred lifetime = 0
    => deprecates X::A
Spoofed RA: Src = B’s link-local address
    Dst = All-nodes
    Options = prefix BAD, Preferred lifetime
    => A computes BAD::A and DADs it
Node A sourcing off-link traffic to B with BAD::A; router B filters out BAD::A
Cryptographically Generated Addresses CGA – RFC 3972 (Simplified)
Each device has an RSA key pair (no need for a cert)
Ultra-light check for validity
Prevents spoofing a valid CGA address
[Figure: CGA Params (Modifier, Public Key, Subnet Prefix) -> SHA-1 -> Interface Identifier; Subnet Prefix + Interface Identifier = Crypto. Generated Address; RSA Keys (Priv, Pub): the private key produces the Signature on SeND Messages, which carry the CGA Params]
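The CGA construction and its "ultra-light" verification, as an added Python example (not from the slides) following RFC 3972: Hash1 over modifier, subnet prefix, collision count and public key gives the interface identifier, with Sec in the top three bits and the u/g bits cleared; the verifier recomputes Hash1 from the CGA params and compares. A byte string stands in for the DER-encoded RSA public key, since only its bytes enter the hash; the prefix is the documentation prefix.

```python
import hashlib
import ipaddress
import os

def _hash1(modifier, prefix8, collision, pubkey):
    # Hash1: leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | public key)
    return hashlib.sha1(modifier + prefix8 + bytes([collision]) + pubkey).digest()[:8]

def _hash2(modifier, pubkey):
    # Hash2: leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key)
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def _hash2_ok(h2, sec):
    # The leftmost 16*Sec bits of Hash2 must be zero (extra work factor against brute force).
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0

def generate_cga(prefix8, pubkey, sec=0, collision=0):
    """Return (IPv6Address, CGA params). Params = (modifier, subnet prefix, collision count)."""
    modifier = os.urandom(16)
    while not _hash2_ok(_hash2(modifier, pubkey), sec):   # only loops when sec > 0
        modifier = ((int.from_bytes(modifier, "big") + 1) & (2**128 - 1)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix8, collision, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)   # top 3 bits = Sec, "u" and "g" bits cleared
    return ipaddress.IPv6Address(prefix8 + bytes(iid)), (modifier, prefix8, collision)

def verify_cga(address, params, pubkey):
    """The ultra-light check: recompute Hash1 from the params and compare with the address."""
    modifier, prefix8, collision = params
    packed = address.packed
    if collision > 2 or packed[:8] != prefix8:
        return False
    sec = packed[8] >> 5
    expected = bytearray(_hash1(modifier, prefix8, collision, pubkey))
    actual = bytearray(packed[8:])
    expected[0] &= 0x1C            # ignore Sec, "u" and "g" bits on both sides
    actual[0] &= 0x1C
    return expected == actual and _hash2_ok(_hash2(modifier, pubkey), sec)

# Constructed placeholder standing in for the DER-encoded RSA public key.
PUBKEY = b"constructed placeholder RSA public key, not a real key"
PREFIX = ipaddress.IPv6Address("2001:db8:1::").packed[:8]
```

A node that does not hold the private key cannot produce a valid signature for the SeND message, and a node that changes the params cannot keep the same address, which is what makes spoofing a valid CGA impractical.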
Using SeND for router authorization
Each node takes care of its own security:
– Verifies router legitimacy
– Verifies address ownership
Subject Name contains the list of authorized IPv6 prefixes
[Figure: Certificate Authority CA0 with Certificate C0; router R and host A. R sends a router certificate request to CA0 and receives router certificate CR; the host is provisioned with C0. R sends ROUTER ADVERTISEMENT (SRC = R). Certificate Path Solicit (CPS): I trust CA0, who are you R? Certificate Path Advertise (CPA): I am R, this is my certificate CR signed by CA0. Step 6: verify CR against CA0. Step 7: insert R as default route]
SeND Deployment Challenges with boundaries
Nodes must be provisioned with CA certificate(s)
A chain of trust is easy to establish within the administrative boundaries, but very hard outside
Very few IPv6 stacks support SeND today
[Figure: several administrative boundaries, each with its own CA, router and host]
„EXHAUSTING THE CACHE”
Reconnaissance in IPv6? Easy with Multicast.
No need for reconnaissance anymore
3 site-local multicast addresses (not enabled by default)
    FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers
Several link-local multicast addresses (enabled by default)
    FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, …
[Figure: DHCP attack – the attacker sends to destination FF05::1:3 and reaches the DHCP servers 2001:db8:1::60, 2001:db8:2::50 and 2001:db8:3::70 (columns Source / Destination / Payload)]
http://www.iana.org/assignments/ipv6-multicast-addresses/
Remote address resolution cache exhaustion
[Figure: attacker X on the Internet scans the 2^64 addresses of PFX::/64 behind the gateway (ping PFX::a, PFX::b, … PFX::z); for every probe the gateway sends an NS:
    Dst = Solicited-node multicast address of PFX::a, Query = what is PFX::a’s link-layer address?
    Dst = Solicited-node multicast address of PFX::b, Query = what is PFX::b’s link-layer address?
    …
    Dst = Solicited-node multicast address of PFX::z, Query = what is PFX::z’s link-layer address?
and keeps a 3 seconds history]
Countermeasures: address provisioning mechanisms and filtering on routers, Destination Guard on switches
Destination guard – mitigating cache exhaustion
Mitigate prefix-scanning attacks and protect the ND cache
Useful at last-hop router and L3 distribution switch
Drops packets for destinations without a binding entry
[Figure: scanning packets from the Internet towards {P/64} (Src=D1 … Src=Dn); the L3 switch looks up D1 in the binding table (fed by address glean): found -> forward packet to host B, NO -> drop, and the neighbor cache is not touched]
Mitigating Remote Neighbor Cache Exhaustion
Built-in rate limiter but no option to tune it
Since 15.1(3)T: ipv6 nd cache interface-limit
Or IOS-XE 2.6: ipv6 nd resolution data limit
Destination-guard is coming with First Hop Security phase 3
Using a /64 on point-to-point links => a lot of addresses to scan!
Using /127 could help (RFC 6164)
Internet edge/presence: a target of choice
Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
Using infrastructure ACL prevents this scanning
iACL: edge ACL denying packets addressed to your routers
Easy with IPv6 because a new addressing scheme can be designed for it
YOUR IPS CAN HELP, PROBABLY
Detecting native IPv6 Traffic
Example:
ICMPv6 Traffic for Neighbor discovery / Router advertisements
Usage of Dual-Stack on all Engines Service HTTP
What your IPS should support now
Can detect IPv6 tunnels in IPv4
IPv6 in IPv4
IPv6 in MPLS tunnel
Teredo destination IP address
Teredo source port
Teredo destination port
Teredo data packet
And more?
Detect DNS request for ISATAP
Detect traffic to 6to4 anycast server
Intrusion Prevention for L2 Security
ICMPv6 Signatures for Attack mitigation and visibility, including NA, NS, RA, RS.
ERSPAN
IPS for Virtual Switching with ERSPAN
Extends the Local SPAN to send packets outside local host (VEM)
Can be used to monitor the traffic on Virtual Switch remotely
One or more source:
Type: Ethernet, Vethernet, Port-Channel, VLAN
Direction: Receive (Ingress) / Transmit (Egress) / Both
IP based destination
ERSPAN ID provides segmentation
Permit protocol type header 0x88be for ERSPAN GRE
[Figure: ESXi host with VMs on a NEXUS 1000v VEM (VMkernel); ERSPAN sessions ID:1 and ID:2 carried to an ERSPAN DST (NAM / Management Console)]
PUTTING IT ALL TOGETHER
Features for IPv6 First-Hop Security
Switches do/will integrate a set of monitoring, inspection and guard features for a variety of security-centric purposes:
1. RA-guard
2. NDP address glean/inspection (NDP+DHCP+data)
3. Integrity guard (Address watch/ownership enforcement)
4. Device Tracking
5. DHCP-guard
6. DAD/Resolution proxy
7. Source-guard (SAVI)
8. Destination-guard
9. DHCP L2 relay
Ask your vendor for current support and a serious roadmap.
cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html
First Hop Security Phase I in 2010: Protecting against Rogue RA
Port ACL (see later) blocks all ICMPv6 Router Advertisements from hosts:
    interface FastEthernet3/13
     switchport mode access
     ipv6 traffic-filter ACCESS_PORT in
     access-group mode prefer port
RA-guard feature in host mode (12.2(33)SXI4 & 12.2(54)SG): also dropping all RA received on this port:
    interface FastEthernet3/13
     switchport mode access
     ipv6 nd raguard
     access-group mode prefer port
[Figure: RAs sent by hosts are dropped at the access port]
IPv6 Snooping Phase II and III
Phase II
DHCP Guard
Source Guard
Multi Switch operation
RA Throttler
NDP Multicast Suppress
Phase III
Destination Guard
Prefix Guard
DAD Proxy
Binding Table Recovery
SVI support
The bottom line
Look inside NetFlow records
Protocol 41: IPv6 over IPv4 or 6to4 tunnels
IPv4 address: 192.88.99.1 (6to4 anycast server)
UDP 3544, the public part of Teredo, yet another tunnel
Look into DNS server log for resolution of ISATAP
Beware of the IPv6 latent threat:
Your IPv4-only network may be vulnerable to IPv6 attacks now.
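An added Python example (not from the slides) of the "bottom line" checks run over constructed NetFlow-style records and DNS query-log lines: protocol 41 (IPv6-in-IPv4, or 6to4 when the peer is the 192.88.99.1 anycast relay), UDP 3544 (Teredo) and DNS lookups of an ISATAP router name. The flow tuples, client addresses and host names are constructed.

```python
import re

SIXTO4_RELAY = "192.88.99.1"   # 6to4 anycast relay address
TEREDO_PORT = 3544             # public part of Teredo (UDP)

# Constructed NetFlow-style records: (src, dst, proto, sport, dport)
FLOWS = [
    ("10.19.19.118", "203.0.113.9", 6, 51000, 443),     # ordinary HTTPS
    ("10.19.19.118", "192.88.99.1", 41, 0, 0),          # protocol 41 to the 6to4 relay
    ("10.19.19.77", "198.51.100.23", 41, 0, 0),         # protocol 41 to some other host
    ("10.19.19.42", "198.51.100.50", 17, 60123, 3544),  # UDP 3544: Teredo
]

# Constructed DNS server query-log lines
DNS_LOG = """\
client 10.19.19.42#54321: query: www.example.com IN A +
client 10.19.19.118#53412: query: isatap.corp.example IN A +
client 10.19.19.77#41000: query: ISATAP.corp.example IN AAAA +
"""

def classify_flow(src, dst, proto, sport, dport):
    """Latent-IPv6 indicators for one flow record (empty list if none)."""
    hits = []
    if proto == 41:
        hits.append("6to4" if dst == SIXTO4_RELAY else "ipv6-in-ipv4")
    if proto == 17 and TEREDO_PORT in (sport, dport):
        hits.append("teredo")
    return hits

def find_tunnels(flows):
    """Map (src, dst) -> indicators for every flow that looks like tunneled IPv6."""
    found = {}
    for src, dst, proto, sport, dport in flows:
        hits = classify_flow(src, dst, proto, sport, dport)
        if hits:
            found[(src, dst)] = hits
    return found

ISATAP_RE = re.compile(r"client (\S+)#\d+: query: (isatap\.\S+)", re.IGNORECASE)

def find_isatap_lookups(log_text):
    """(client, name) for every ISATAP router-name resolution in the DNS log."""
    return [(m.group(1), m.group(2).lower()) for m in ISATAP_RE.finditer(log_text)]
```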
THANK YOU.