Securing the Data Plane in IPv6 Environments © 2012 Cisco and/or its affiliates All rights reserved Contents In this chapter, you learn how to the following: • Explain the need for IPv6 from the general perspective of the transition to IPv6 from IPv4 • List and describe the fundamental features of IPv6, as well as enhancements when compared to IPv4 • Analyze the IPv6 addressing scheme, components, and design principles and configure IPv6 addressing • Describe the IPv6 routing function • Evaluate how common and specific threats affect IPv6 • Develop and implement a strategy for IPv6 security © 2012 Cisco and/or its affiliates All rights reserved The Need for IPv6 © 2012 Cisco and/or its affiliates All rights reserved IPv6 Features and Enhancements IPv6 is a powerful enhancement to IPv4 Several features in IPv6 offer functional improvements What IP developers learned from using IPv4 suggested changes to better suit current and probable network demands: • Larger address space: • Simpler header: • Mobility and security: • Transition richness: © 2012 Cisco and/or its affiliates All rights reserved IPv6 Headers The new IPv6 header is simpler than the IPv4 header, in the following ways: • Half of the previous IPv4 header fields are removed This enables simpler processing of the packets, enhancing the performance and routing efficiency • All fields are aligned to 64 bits, which enables direct storage and access in memory by fast lookups • No checksum occurs at the IP layer, and no recalculation is performed by the routers Error detection is done by the link layer and transport layer © 2012 Cisco and/or its affiliates All rights reserved Stateless Address Autoconfiguration © 2012 Cisco and/or its affiliates All rights reserved IPv4 and IPv6 Compared © 2012 Cisco and/or its affiliates All rights reserved Transition to IPv6 • Manually • IPv6-in-IPv4 • GRE (not discussed) • VPN (not discussed) • Semiautomatically • Tunnel broker (proxying) • Automatically • 6to4 • ISATAP • Teredo © 2012 Cisco and/or its affiliates All rights reserved IPv6 Address Representation © 2012 Cisco and/or its affiliates All rights reserved IPv6 Address Types • Unicast • Address is for a single interface • IPv6 has several types (for example, global, reserved, link-local, and site-local) • Multicast • One-to-many • Enables more efficient use of the network • Uses a larger address range • Anycast • One-to-nearest (allocated from unicast address space) • Multiple devices share the same address • All anycast nodes should provide uniform service • Source devices send packets to anycast address • Routers decide on closest device to reach that destination • Suitable for load balancing and content delivery services © 2012 Cisco and/or its affiliates All rights reserved 10 Assigning IPv6 Global Unicast Addresses There are several ways to assign an IPv6 address to a device: • Static assignment using a manual interface ID • Static assignment using an EUI-64 interface ID • Stateless autoconfiguration • DHCP for IPv6 (DHCPv6) © 2012 Cisco and/or its affiliates All rights reserved 14 IPv6 EUI-64 Interface Identifier © 2012 Cisco and/or its affiliates All rights reserved 15 IPv6 Address Configuration Example R1(config)# ipv6 unicast-routing R1(config)# interface fa0/0 R1(config-if)# ipv6 address 2001:db8:c18:1::/64 eui-64 R1# show ipv6 interface fa0/0 FastEthernet0/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::218:B9FF:FE21:9278 Global unicast address(es): 2001:DB8:c18:1:218:B9FF:FE21:9278, subnet is 2000:1:2:3::/64 Joined group address(es): FF02::1:FF21:9278 FF02::1 FF02::2 MTU is 1500 bytes © 2012 Cisco and/or its affiliates All rights reserved 16 Routing Considerations for IPv6 • Static • RIPng (RFC 2080) • OSPFv3 (RFC 2740) • IS-IS for IPv6 • MP-BGP4 (RFC 2545/2858) • EIGRP for IPv6 © 2012 Cisco and/or its affiliates All rights reserved 17 Revisiting Threats: Considerations for IPv6 In general, many types of attacks are similar between IPv4 and IPv6, as listed below For some attack types, additional information is provided • • Reconnaissance – Not so easy in IPv6 due to large address space – Scanners will make router trigger NDP, wasting CPU and resources – Attack tools exist today (Parasit6, Fakerouter6, Scapy6, others) Viruses and worms – • Scanning will probably use alternative techniques Application layer attacks – Same implications – Peer-to-peer nature of IPv6 augments the problem © 2012 Cisco and/or its affiliates All rights reserved 18 Revisiting Threats: Considerations for IPv6 • Unauthorized access • Man-in-the-middle attacks – Still a possibility – Myth: mandatory IPsec resolves the issue – Reality: IPsec is a mandatory part of the stack, but you still have to configure it • Sniffing or eavesdropping • Denial of service (DoS) attacks • Spoofed packets: forged addresses and other fields • Still a possibility • Bogons (bogus IP addresses) a reality today • Attacks against routers and other networking devices • Attacks against the physical or data link layers © 2012 Cisco and/or its affiliates All rights reserved 19 Revisiting Threats: Considerations for IPv6 However, there is also some bad news IPv6 is a bit different and, as such, there are threats that have been slightly changed by the fact that IPv6 does things slightly differently than IPv4 The following is a list of threats that are only slightly modified by IPv6: • LAN-based attacks (NDP) • Attacks against DHCP or DHCPv6 • DoS against routers (hop-by-hop extension headers rather than router alerts) • Fragmentation (IPv4 routers performing fragmentation versus IPv6 hosts using a fragment extension header) • Packet amplification attacks (IPv4 uses broadcast; IPv6 uses multicast) © 2012 Cisco and/or its affiliates All rights reserved 20 List of threats that are unique to IPv6 networks • Reconnaissance and scanning worms: Brute-force discovery is more difficult • Attacks against ICMPv6: ICMPv6 is a required component of IPv6 • Extension header (EH) attacks: EHs need to be accurately parsed • Autoconfiguration: NDP attacks are simple to perform • Attacks on transition mechanisms: Migration techniques are required by IPv6 • Mobile IPv6 attacks: Devices that roam are susceptible to multiple vulnerabilities • IPv6 protocol stack attacks: Because of the code freshness of IPv6, bugs in the protocol stack exist © 2012 Cisco and/or its affiliates All rights reserved 21 IPv6 introduces the following difficulties or vulnerabilities • Training and planning • Lack of knowledge, poor planning even for basic security controls (example: weak ingress filtering, or no filtering at all) • End nodes are exposed to many threats: • Address configuration parameters: Rogue configuration parameters • Address initialization: Denial of address insertion • Address resolution: Address stealing • Default gateway discovery: Rogue routers • Neighbor reachability tracking: Rogue neighbor status • Header extensions • Hosts process routing headers (RH) • Header extensions can be exploited (example: routing header for source routing and reconnaissance) • Amplification attacks based on routing header © 2012 Cisco and/or its affiliates All rights reserved 22 Examples of Possible IPv6 Attacks Traffic Loop from Exploiting Routing Header • • The attacker manipulates the routing header to create a traffic loop • • • RH0 packets could be created with a list of embedded IPv6 addresses DoS attacks can be performed using this feedback loop to consume resources or amplify the packets that are sent to a victim The packet would be forwarded to every system in the list before finally being sent to the destination address If the embedded IPv6 addresses in an RH0 packet were two systems on the Internet listed numerous times, it could cause a type of feedback loop © 2012 Cisco and/or its affiliates All rights reserved 23 Network Scan from Exploiting NDP • The attacker abuses NDP by using a router to amplify a network scan • The router sends Neighbor Solicitation (NS) messages to all the hosts in the LAN segment, using the all-nodes multicast address © 2012 Cisco and/or its affiliates All rights reserved 24 Combo Attack on IPv6 © 2012 Cisco and/or its affiliates All rights reserved 25 Recommended Practices • Ingress filtering is key: • Deny Bogon addresses • Filter multicast packets at your perimeter based on their scope • Permit only packets that have as a destination address your allocated block of addresses or multicast group address or your link-local address for NDP • Granularly filter ICMPv6 messages at the perimeter (remember, ICMPv6 is needed for protocol operations such as NDP) • Drop RH0 packets and unknown extension headers at the perimeter and throughout the interior of the network • Favor dual stack as the transition mechanism, but secure each protocol equally • Control the use of tunneling: • Configure manual tunnels if possible • Do not allow tunnels through the perimeter unless required • Consider current and future security enhancements: • Secure NDS (SeND) from RFC 3971 provides a cryptographic method to Neighbor Discovery • RA Guard, from RFC 6105, is an alternative and complement to SeND, filtering at Layer © 2012 Cisco and/or its affiliates All rights reserved 26 References • For additional information, refer to these resources: – Cisco Systems, Inc Cisco IOS IPv6 Configuration Guide, Release 12.4, Implementing IPv6 Addressing and Basic Connectivity, http:// www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con.html – Cisco Systems, Inc IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation (v1.0), http:// www.cisco.com/web/about/security/security_services/ciag/documents/v6-v4-threats.pdf – – – – – RFC 2464, “Transmission of IPv6 Packets over Ethernet Networks,” http://www.ietf.org/rfc/rfc2464.txt RFC 3146, “Transmission of IPv6 Packets over IEEE 1394 Networks,” http://www.ietf.org/rfc/rfc3146.txt RFC 3587, “IPv6 Global Unicast Address Format,” http://www.ietf.org/rfc/rfc3587.txt RFC 4007, “IPv6 Scoped Address Architecture,” http://www.ietf.org/rfc/rfc4007.txt RFC 4291, “IP Version Addressing Architecture,” http://tools.ietf.org/html/rfc4291 © 2012 Cisco and/or its affiliates All rights reserved 27 © 2012 Cisco and/or its affiliates All rights reserved 28 ... In this chapter, you learn how to the following: • Explain the need for IPv6 from the general perspective of the transition to IPv6 from IPv4 • List and describe the fundamental features of IPv6, ... Analyze the IPv6 addressing scheme, components, and design principles and configure IPv6 addressing • Describe the IPv6 routing function • Evaluate how common and specific threats affect IPv6 •... reserved IPv6 Headers The new IPv6 header is simpler than the IPv4 header, in the following ways: • Half of the previous IPv4 header fields are removed This enables simpler processing of the packets,