Security Considerations for IPv6 Networks

Yannis Nikolopoulos yanodd@otenet.gr

!" #!$% &' $ ()*+*& ,-./ 0 1234 56 7*8 59::

Agenda

,ntrodu;tion < =a>or ?eatures in ,-./ ,-./ @ore se;ure tAan ,-.BC ,-De; ,-.B .s ,-./E a FAreat Go@parison NH re.isited NH0related FAreatsE an I.er.ieJ De;urity Kisks Huring ,-.B,-./ Fransition Lo@e ,-./ NetJork KeMeren;es NppendiO ,

Major Features in IPv6

Extended Address Space Autoconfiguration Header Structure / Extension Headers Mandatory IPSec Support QoS Route Aggregation Efficient Transmission

IPv6 more secure than IPv4

Lets agree that IPv6 is (will) not inherently be more or less secure than IPv4

IPv6 more secure than IPv4

Lets agree that IPv6 is (will) not inherently be more or less secure than Ipv4 In many cases, IPv4 security practices and policies can be replicated for IPv6

IPv6 more secure than IPv4

Fairly ne

and undisco!ered territory

"ncalculated Factors# tunneling and all $to/in% &ac' of understanding (ulnera)ilities un'no n

IPv6 more secure than IPv4

Fairly ne

and undisco!ered territory

"ncalculated Factors# tunneling and all $to/in% &ac' of understanding (ulnera)ilities un'no n

What about IPSec??

IPSec

Aut*enticate and +optionally, encrypt IP pac'ets end-to-end Mandatory implementation in IP!$

)ut...

IPSec

Aut*enticate and +optionally, encrypt IP pac'ets end-to-end Mandatory implementation in IP!$

)ut...

"se of IPSec not re/uired 0ill IPSec )e used more fre/uently in IP!$1 Pro)a)ly not2 3omplexity Issues +'ey management4 configuration complexity etc,

IPv4 vs IPv6! a "hreat Com#arison

Reconnaissance Attac's *arder to ac*ie!e

it* IP!$ +)ut still possi)le,

ARP +IP!%, attac's replaced )y 56-related +IP!$, attac's &ac' of 7roadcast in IP!$ means no more amplification attac's +may)e, "naut*ori8ed access to IP!$ net or's could )e more idespread +at first, start, 5o significant c*ange in Application-le!el attac's +after a slo

IPv4 vs IPv6! a "hreat Com#arison

$econnaissance Attacks harder to achieve with IPv6 %&ut sti'' #ossi&'e( ARP +IP!%, attac's replaced )y 56-related +IP!$, attac's &ac' of 7roadcast in IP!$ means no more amplification attac's +may)e, "naut*ori8ed access to IP!$ net or's could )e more idespread +at first, start, 5o significant c*ange in Application-le!el attac's +after a slo

IPv4 vs IPv6! a "hreat Com#arison

Reconnaissance Attac's *arder to ac*ie!e

it* IP!$ +)ut still possi)le,

A$P %IPv4( attacks re#'aced &y N)*re'ated %IPv6( attacks &ac' of 7roadcast in IP!$ means no more amplification attac's +may)e, "naut*ori8ed access to IP!$ net or's could )e more idespread +at first, start, 5o significant c*ange in Application-le!el attac's +after a slo

IPv4 vs IPv6! a "hreat Com#arison

Reconnaissance Attac's *arder to ac*ie!e

it* IP!$ +)ut still possi)le,

ARP +IP!%, attac's replaced )y 56-related +IP!$, attac's +ack of ,roadcast in IPv6 means no more am#'ification attacks %may&e( "naut*ori8ed access to IP!$ net or's could )e more idespread +at first, start, 5o significant c*ange in Application-le!el attac's +after a slo

IPv4 vs IPv6! a "hreat Com#arison

Reconnaissance Attac's *arder to ac*ie!e

it* IP!$ +)ut still possi)le,

ARP +IP!%, attac's replaced )y 56-related +IP!$, attac's &ac' of 7roadcast in IP!$ means no more amplification attac's +may)e, -nauthori.ed access to IPv6 networks cou'd &e more wides#read %at first( 5o significant c*ange in Application-le!el attac's +after a slo start,

IPv4 vs IPv6! a "hreat Com#arison

Reconnaissance Attac's *arder to ac*ie!e

it* IP!$ +)ut still possi)le,

ARP +IP!%, attac's replaced )y 56-related +IP!$, attac's &ac' of 7roadcast in IP!$ means no more amplification attac's +may)e, "naut*ori8ed access to IP!$ net or's could )e more idespread +at first, No significant change in A##'ication*'eve' attacks %after a s'ow start(

IPv4 vs IPv6! a "hreat Com#arison * Mitigation

Efficient use of different types of addressing Increase difficulty in net or' scanning +random su)nets4 random interface I6s, "se IPSec for aut*entication 6e!ise a proper I3MP!$ filtering policy (see Appendix I) Secure tunnelled en!ironments +complicated,

IPv4 vs IPv6! a "hreat Com#arison * Mitigation

6efault 6E59 is still considered )est practice 7loc' IP!$ traffic on IP!%-only net or's and !ice-!ersa

N) $evisited

IP!$ Address Autoconfiguration 6etermine 5et or' Prefixes +and ot*er configuration info, 6uplicate Address 6etection +6A6, 5eig*)or "nreac*a)ility 6etection +5"6, 6etect c*anges in lin'-layer addresses

N) $evisited

N)*$e'ated "hreats! an /verview

Rogue RAs# rogue routers inserted on &A5 Rogue RAs# rogue RAs from :legitimate; nodes Spoofed responses to 6A6 messages < 6=S attac' Spoofed 5S/5A messages can cause redirect attac's

SeND (Secure ND) addresses some of the issues

N)*$e'ated "hreats! a Case Study

Neigh&or So'icitation0Advertisement S#oofing

Host A +A>A :t*e !ictim;, sends 5eig*)or Solicitation +5S, to Host 7 Host 3 +A>A :t*e attac'er;, replies it* 5eig*)or Ad!ertisement +5A, instead of t*e real *ost 7 to gracious 5eig*)or Solicitation +5S, message )y *ost A. Host A updates its 56P cac*e )inding t*e lin'-layer address of t*e attac'er to t*e legitimate IP address of *ost 7. T*e !ictim ill send pac'ets to t*e attac'er instead of legitimate Host 7.

N)*$e'ated "hreats! a Case Study

Neigh&or So'icitation0Advertisement S#oofing

N)*$e'ated "hreats! a Case Study

Neigh&or So'icitation0Advertisement S#oofing

Security $isks )uring IPv4 to IPv6 "ransition

Added 3omplexity )y dual stac' operations Immaturity +or e!en lac', of IP!$ security products / lac' of !endor support "naut*ori8ed/un'no n IP!$ clients "se of IP!$ )y t*e :attac'er; community (ulnera)ilities in IP!$

Security $isks )uring IPv4 to IPv6 "ransition

Added Com#'e1ity &y dua' stack o#erations ? x configurations < ? x t*ings t*at can go IP!% still supported for legacy systems Immaturity +or lac', of IP!$ security products / lac' of !endor support "naut*ori8ed/un'no n IP!$ clients "se of IP!$ )y t*e :attac'er; community (ulnera)ilities in IP!$ rong Security infrastructure possi)ly not a are of dual en!ironment

Security $isks )uring IPv4 to IPv6 "ransition

Added 3omplexity )y dual stac' operations Immaturity %or 'ack( of IPv6 security #roducts 0 'ack of vendor su##ort Security !endors are aiting for customer demand (arious le!els of IP!$ :support; offered &ac' of standardi8ation of IP!$ support "naut*ori8ed/un'no n IP!$ clients "se of IP!$ )y t*e :attac'er; community (ulnera)ilities in IP!$

Security $isks )uring IPv4 to IPv6 "ransition

Added 3omplexity )y dual stac' operations Immaturity +or e!en lac', of IP!$ security products / lac' of !endor support -nauthori.ed0unknown IPv6 c'ients IP!$ support is often ena)led )y default Acti!e $to% interfaces "se of IP!$ )y t*e :attac'er; community (ulnera)ilities in IP!$

Security $isks )uring IPv4 to IPv6 "ransition

Added 3omplexity )y dual stac' operations Immaturity +or e!en lac', of IP!$ security products / lac' of !endor support "naut*ori8ed/un'no n IP!$ clients -se of IPv6 &y the 2attacker3 community Fire alls often ignore IP!$ traffic Attac'ers ena)ling IP!$ on compromised systems IP!$ traffic usually not monitored (ulnera)ilities in IP!$

Security $isks )uring IPv4 to IPv6 "ransition

Added 3omplexity )y dual stac' operations Immaturity +or e!en lac', of IP!$ security products / lac' of !endor support "naut*ori8ed/un'no n IP!$ clients "se of IP!$ )y t*e :attac'er; community 4u'nera&i'ities in I#v6 56-related +as discussed, @-day exploits

5ome IPv6 Network

5ome IPv6 Network

5ome IPv6 Network * CP6

&ayered Approac*# 3PE is t*e first layer

5ome IPv6 Network * CP6

5ome IPv6 Network * CP6

"se 5et or' Filters +stateless,to )loc' un anted traffic +spoofed4 Martians etc, "se stateful fire alls for fine grained access I3MP!$ Filtering +as discussed, Management Interfaces s*ould not )e offered !ia 0A5 "se Se56 +if a!aila)le,

0*en in )ridged mode4 )e are of router !ulnera)ilities

+e.g. linux it* no fire all turned on,

5ome IPv6 Network 7 CP6! 4+AN #rotection

&ayered Approac*# Protect your (&A5S

5ome IPv6 Network 7 CP6! 4+AN #rotection

5ome IPv6 Network * +AN

&ayered Approac*# End 6e!ices

5ome IPv6 Network * +AN

5ome IPv6 Network * +AN

6eploy pac'et filters +ipta)les4 pf etc, "se RA guards +if applica)le, 5o :*iding; )e*ind 5AT anymore2 "se pri!acy extensions A!oid Man In T*e Middle +MITM, attac's # use IPSec

5ome IPv6 Network * +AN

Semi-Paranoid# Exposed MA3 addresses due to S&AA3 +eui-$%, may result to specific */ fla Paranoid! Interface can )e trac'ed *en mo!ing around +from static interface I6,

5ome IPv6 Network * Services

&ayered Approac*# Ser!ices Protection

5ome IPv6 Network * Services

5ome IPv6 Network * Summary

As mentioned4 lessons learned from IP!%4 can )e re-used 6efense in dept*

5ome IPv6 Network * Summary

As mentioned4 lessons learned from IP!%4 can )e re-used 6efense in dept* Patc*ing

5ome IPv6 Network * Summary

As mentioned4 lessons learned from IP!%4 can )e re-used 6efense in dept* Patc*ing Sane 3onfiguration Management

5ome IPv6 Network * Summary

As mentioned4 lessons learned from IP!%4 can )e re-used 6efense in dept* Patc*ing Sane 3onfiguration Management Access 3ontrol

5ome IPv6 Network * Summary

As mentioned4 lessons learned from IP!%4 can )e re-used 6efense in dept* Patc*ing Sane 3onfiguration Management Access 3ontrol Fre/uent re!ision of security policies

$eferences 0 Further $eading

IP!$ Security +T*eory !s Practice, A Meri'e >aeo

.dou)les*otsecurity.com

IP!$ Routing Header Security - P*ilippe 7iondi4 Arnaud E)alard Buidelines for t*e Secure 6eployment of IP!$ A 5IST Special Pu)lication C@@-DDE Se56 - *ttp#//tools.ietf.org/*tml/rfcFEGD Rogue RAs - *ttp#//tools.ietf.org/*tml/rfc$D@% RA Buard - *ttp#//tools.ietf.org/*tml/rfc$D@H Simple Security for IP!$ 3PEs - *ttp#//tools.ietf.org/*tml/rfc$@E? Pri!acy Extensions for S&AA3 in IP!$ - *ttp#//tools.ietf.org/*tml/rfc%E%D IP!$ Implications for 5et or' Scanning - *ttp#//tools.ietf.org/*tml/rfcHDHG Filtering I3MP!$ in Fire alls - *ttp#//tools.ietf.org/*tml/rfc%CE@ Routing &oop Attac' / auto Ip!$ Tunnels *ttp#//tools.ietf.org/searc*/draft-ietf-!$ops-tunnel-loops-@G

A##endi1 I 7 ICMPv6 Fi'tering

AttpEPPip./.ote.gr AttpEPPtJitter.;o@Poteip./ ip./@otenet.gr