IPv6 Security
Ivan Pepelnjak (@ioshints, [email protected]), NIL Data Communications
Eric Vyncke (@evyncke, [email protected]), Cisco Systems
This material is copyrighted and licensed for the sole use by Manju Devaraj ([email protected] [202.156.243.240]). More information at http://www.ipSpace.net/Webinars
2 © ipSpace.net / NIL Data Communications 2012 IPv6 Security
Revision history
2012-07-07 Early first draft
2012-10-02 Minor fixes, server RA exposure
2012-10-12 Included Eric Vyncke's detailed explanations and Cisco-related material
Who is Eric Vyncke... In 30 seconds
- Research Assistant at Univ Liège, Belgium
- Head of R&D at NRB, system integrator
  - First multi-protocol network in Belgium
- SW project manager at Siemens
  - Firewall, military X.
- Since 1997, Distinguished Engineer at Cisco
- Co-chair of www.ipv6council.be
- Main focus
  - Security and security and security ;-) (VoIP, IPsec, layer-2, ...)
  - IPv6 (see also www.vyncke.org/ipv6status)
The Bigger Picture: IPv6 Webinars
Availability
- Live sessions
- Recordings of individual webinars
- Yearly subscription
Other options
- Customized webinars
- ExpertExpress
- On-site workshops
More information @ http://www.ioshints.info/Webinars
Webinars in the series (some planned in 2012): IPv6 Security, Market Trends in SP Networks, Building IPv6 Service Provider Networks, Enterprise IPv6 – First Steps, Upcoming Internet Challenges, Service Provider IPv6 Introduction, NAT64 and DNS
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
- Application layer attacks: the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent
- Rogue devices: rogue devices will be as easy to insert into an IPv6 network as into an IPv4 network
- Man-in-the-Middle attacks (MITM): without strong mutual authentication, any attack utilizing MITM will have the same likelihood in IPv6 as in IPv4
- Flooding: flooding attacks are identical between IPv4 and IPv6
- Sniffing: IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
Good news: IPv4 IPS signatures can be re-used
- Viruses and email/IM worms: IPv6 brings no change
- Other worms: in IPv4 they rely on network scanning; in IPv6 that is not so easy (see reconnaissance), so they will use alternative techniques
- Worm developers will adapt to IPv6
- IPv4 best practices around worm detection and mitigation remain valid
- Public servers will still need to be reachable through DNS, and more information is collected by Google...
- Increased deployment of and reliance on dynamic DNS: more information will be in DNS
- Using peer-to-peer clients gives the IPv6 addresses of peers
- Administrators may adopt easy-to-remember addresses (::10, ::20, ::F00D, ::C5C0, ::ABBA:BABE, or simply the IPv4 last octet on dual-stack hosts)
- By compromising hosts in a network, an attacker can learn new addresses to scan
- Transition techniques (see further) derive the IPv6 address from the IPv4 address, so the IPv4 address space can be scanned again
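As an added example (not part of the ipSpace.net/Cisco slides), the following Python script builds the kind of candidate list the bullets above describe for a single /64: hand-picked interface identifiers, IPv4-derived identifiers of dual-stack hosts, and the ISATAP (RFC 5214) and 6to4 (RFC 3056) derivations from an IPv4 address. The prefix 2001:db8:1:2::/64, the 10.1.2.x hosts and the suffix list are constructed inputs, extended from the slide's own examples, not data from the page.

```python
import ipaddress

# Constructed inputs (not from the slides): a /64 known to be in use and the
# dual-stack IPv4 addresses seen on the same segment.
PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")
IPV4_HOSTS = ["10.1.2.10", "10.1.2.20", "10.1.2.254"]

# Low-entropy interface identifiers of the kind administrators pick by hand
# (assumed list, extended from the examples on the slide).
MEMORABLE_SUFFIXES = ["::1", "::10", "::20", "::f00d", "::c5c0", "::abba:babe"]


def with_iid(prefix, iid):
    """Combine a /64 with a 64-bit interface identifier given as an int."""
    if prefix.prefixlen != 64 or iid >> 64:
        raise ValueError("need a /64 and a 64-bit IID")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def memorable_addresses(prefix):
    """Hand-picked IIDs such as ::10 or ::f00d."""
    return [with_iid(prefix, int(ipaddress.IPv6Address(s))) for s in MEMORABLE_SUFFIXES]


def dual_stack_addresses(prefix, ipv4_hosts):
    """IIDs derived from the host's IPv4 address: the last octet typed as hex
    digits (.10 -> ::10), the last octet as a number (.10 -> ::a), and the
    whole IPv4 address embedded in the low 32 bits (10.1.2.10 -> ::a01:20a)."""
    out = []
    for host in ipv4_hosts:
        v4 = int(ipaddress.IPv4Address(host))
        last = v4 & 0xFF
        out.append(with_iid(prefix, int(str(last), 16)))
        out.append(with_iid(prefix, last))
        out.append(with_iid(prefix, v4))
    return out


def six_to_four_network(ipv4):
    """6to4 (RFC 3056) embeds the public IPv4 address in 2002:V4ADDR::/48,
    so knowing the IPv4 address gives the whole /48 to scan."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix, ipv4, global_ipv4=False):
    """ISATAP (RFC 5214) IID is 0000:5EFE:V4ADDR, or 0200:5EFE:V4ADDR when the
    embedded IPv4 address is globally unique (the u bit is set)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    u_word = 0x0200 if global_ipv4 else 0x0000
    return with_iid(prefix, (u_word << 48) | (0x5EFE << 32) | v4)


def candidate_addresses(prefix, ipv4_hosts):
    """The list an attacker tries on this /64 instead of a brute-force sweep."""
    found = set(memorable_addresses(prefix))
    found.update(dual_stack_addresses(prefix, ipv4_hosts))
    found.update(isatap_address(prefix, h) for h in ipv4_hosts)
    return sorted(found)


if __name__ == "__main__":
    for address in candidate_addresses(PREFIX, IPV4_HOSTS):
        print(address)
    for host in IPV4_HOSTS:
        print("6to4 prefix derived from", host, "->", six_to_four_network(host))
```

The point of the script is the size of the result: a few dozen addresses instead of 2^64, which is why the slide says IPv6 scanning is "not so easy" rather than impossible.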
First Hop Vulnerabilities
- Prevent node-to-node layer-2 communication by using:
  - Private VLANs (PVLAN), where nodes (isolated ports) can only contact the official router (promiscuous port)
  - WLAN in 'AP Isolation Mode'
  - 1 VLAN per host (SP access network with Broadband Network Gateway)
- Link-local multicast (RA, DHCP request, etc.) is then delivered only to the local official router: no harm
[Figure: RAs sent from isolated ports reach only the promiscuous port, never the other hosts]
- Port ACL blocks all ICMPv6 RAs from hosts
    interface FastEthernet0/
     ipv6 traffic-filter ACCESS_PORT in
     access-group mode prefer port
- RA-guard lite (12.2(33)SXI4 & 12.2(54)SG): also drops all RAs received on this port
    interface FastEthernet0/
     ipv6 nd raguard
     access-group mode prefer port
- RA-guard (12.2(50)SY): per-port device roles, so RAs are accepted only where a router is expected
    ipv6 nd raguard policy HOST
     device-role host
    ipv6 nd raguard policy ROUTER
     device-role router
    ipv6 nd raguard attach-policy HOST vlan 100
    interface FastEthernet0/
     ipv6 nd raguard attach-policy ROUTER
Fake DHCPv6 Replies
Intruder responds to DHCPv6 requests
- DNS IPv6 address injection (DNS interception)
- Denial-of-service attack (bogus IPv6 address allocation)
[Figure: the host's DHCPv6 Information Request is answered both by the legitimate router's DHCPv6 Reply and by the intruder's DHCPv6 Reply]
Countermeasure: DHCPv6 guard
Fake Neighbor Advertisement Messages
Intruder responds to ICMPv6 Neighbor Solicitation requests
- Traffic interception
- Denial-of-service attack
[Figure: the host's ND NS is answered both by the legitimate router's ND NA and by the intruder's ND NA]
Countermeasures: DHCPv6 snooping, ND inspection, SEND
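The RA guard configuration earlier in this section and the fake NA slide above describe two different kinds of check: a stateless per-port rule (a port with device-role host never forwards an RA) and a stateful one (an NA must agree with the address-to-MAC binding learned by DHCPv6 snooping). The Python model below is an added example, not part of the slides and not a description of any Cisco implementation; it applies both checks to raw IPv6/ICMPv6 packets it constructs itself. The port names, MAC addresses and binding table are assumptions.

```python
import struct
import ipaddress
from dataclasses import dataclass, field

ICMPV6 = 58
ND_ROUTER_ADVERTISEMENT = 134
ND_NEIGHBOR_ADVERTISEMENT = 136
ND_OPT_TARGET_LLADDR = 2


def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 checksum over the IPv6 pseudo-header and the ICMPv6 message.
    Run over a message whose checksum field is already filled in, it returns 0."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, icmp):
    """Wrap an ICMPv6 message (checksum field zeroed) in an IPv6 header with hop limit 255."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(src, dst, icmp)) + icmp[4:]
    return struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255) + src.packed + dst.packed + icmp


def router_advertisement(src, lifetime=1800):
    """Minimal RA: type 134, cur hop limit 64, router lifetime in seconds, no options."""
    return build_packet(src, "ff02::1", struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0))


def neighbor_advertisement(src, dst, target, mac):
    """NA with the Solicited and Override flags and a Target Link-Layer Address option."""
    body = struct.pack("!BBHI", 136, 0, 0, 0x60000000) + ipaddress.IPv6Address(target).packed
    return build_packet(src, dst, body + bytes([ND_OPT_TARGET_LLADDR, 1]) + mac)


def target_lladdr(options):
    """Walk ND options (type, length in 8-octet units) and return the 6-byte TLLA, if present."""
    i = 0
    while i + 2 <= len(options):
        otype, olen = options[i], options[i + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        if otype == ND_OPT_TARGET_LLADDR:
            return options[i + 2:i + 8]
        i += olen * 8
    return None


@dataclass
class Port:
    name: str
    role: str  # "host" or "router", like device-role in an RA guard policy


@dataclass
class FirstHopFilter:
    bindings: dict  # IPv6 address -> MAC, as DHCPv6 snooping would learn it (constructed here)
    log: list = field(default_factory=list)

    def admit(self, port, pkt):
        """True if the packet may be forwarded, False if it is dropped (reason goes to self.log)."""
        if len(pkt) < 40 or pkt[0] >> 4 != 6:
            return self._drop(port, "not an IPv6 packet")
        plen, nh, hlim = struct.unpack("!HBB", pkt[4:8])
        if nh != ICMPV6:
            return True  # only Neighbor Discovery is inspected here
        src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
        icmp = pkt[40:40 + plen]
        if icmp[0] not in (ND_ROUTER_ADVERTISEMENT, ND_NEIGHBOR_ADVERTISEMENT):
            return True
        if hlim != 255 or icmpv6_checksum(src, dst, icmp) != 0:
            return self._drop(port, "ND message with bad hop limit or checksum")
        if icmp[0] == ND_ROUTER_ADVERTISEMENT and port.role != "router":
            return self._drop(port, f"RA from {src} on a host port")  # RA guard
        if icmp[0] == ND_NEIGHBOR_ADVERTISEMENT:  # ND inspection against the binding table
            target = ipaddress.IPv6Address(icmp[8:24])
            mac = target_lladdr(icmp[24:])
            if mac is None or self.bindings.get(target) != mac:
                return self._drop(port, f"NA for {target} from {src} does not match a binding")
        return True

    def _drop(self, port, why):
        self.log.append(f"{port.name}: dropped, {why}")
        return False


def demo():
    """Constructed topology: legitimate router on Fa0/24, a host on Fa0/1, an intruder on Fa0/3."""
    router_mac, host_mac, bad_mac = (bytes.fromhex(m) for m in ("02000000aa01", "02000000bb10", "02000000cc03"))
    fhs = FirstHopFilter(bindings={ipaddress.IPv6Address("fe80::1"): router_mac,
                                   ipaddress.IPv6Address("2001:db8:1:2::10"): host_mac})
    uplink, host, intruder = Port("Fa0/24", "router"), Port("Fa0/1", "host"), Port("Fa0/3", "host")
    return {
        "ra_from_router": fhs.admit(uplink, router_advertisement("fe80::1")),
        "ra_from_intruder": fhs.admit(intruder, router_advertisement("fe80::bad")),
        "na_genuine": fhs.admit(host, neighbor_advertisement("2001:db8:1:2::10", "fe80::1", "2001:db8:1:2::10", host_mac)),
        "na_claiming_router": fhs.admit(intruder, neighbor_advertisement("fe80::1", "2001:db8:1:2::10", "fe80::1", bad_mac)),
        "na_unknown_target": fhs.admit(intruder, neighbor_advertisement("2001:db8:1:2::99", "ff02::1", "2001:db8:1:2::99", bad_mac)),
    }, fhs.log


if __name__ == "__main__":
    results, log = demo()
    print(results, *log, sep="\n")
```

The RA check needs no state at all, which is why the "lite" variant can exist; the NA check is only as good as the binding table behind it, so in practice DHCPv6 snooping (or static bindings) must be in place before ND inspection is turned on, or legitimate hosts lose connectivity.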
- Certification paths: anchored on trusted parties, expected to certify the authority of the routers on some prefixes
- Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifiers are cryptographically generated
- RSA signature option: protects all messages relating to neighbor and router discovery
- Timestamp and nonce options: prevent replay attacks
- Requires IOS 12.4(24)T
- Each device has an RSA key pair (no need for a certificate)
- Ultra-light check for validity
- Prevents spoofing of a valid CGA address
[Figure: the CGA parameters (modifier, subnet prefix, public key) are hashed with SHA-1 to produce the interface identifier; subnet prefix plus interface identifier form the cryptographically generated address, and SeND messages carry a signature made with the RSA private key]
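As an added example (not from the slides), the hashing shown in the figure, implemented per RFC 3972 with Python's hashlib: generate_cga computes Hash2 (the Sec work factor, which makes finding a key for someone else's address expensive) and Hash1 (the interface identifier), and verify_cga performs the receiver's check from the CGA parameters alone, with no certificate. The public key is a constructed byte string standing in for the DER-encoded RSA key; DAD and the RSA signature over SeND messages are outside this block.

```python
import hashlib
import os
import ipaddress


def _hash2(modifier, public_key):
    # Hash2 (RFC 3972 section 4, step 2): modifier || 9 zero octets || public key, leftmost 112 bits
    return hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]


def _hash1(modifier, subnet_prefix, collision_count, public_key):
    # Hash1 (step 4): modifier || subnet prefix || collision count || public key, leftmost 64 bits
    return hashlib.sha1(modifier + subnet_prefix + bytes([collision_count]) + public_key).digest()[:8]


def _leading_zero_bits(data, n):
    """True if the leftmost n bits of data are zero (n == 0 always passes)."""
    return n == 0 or int.from_bytes(data, "big") >> (len(data) * 8 - n) == 0


def generate_cga(prefix, public_key, sec=0, modifier=None, collision_count=0):
    """Return (address, cga_params). DAD is out of scope: a caller that detects a
    collision retries with collision_count + 1 (RFC 3972 allows at most 2)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or not 0 <= sec <= 7 or collision_count > 2:
        raise ValueError("CGA needs a /64, sec in 0..7 and a collision count <= 2")
    modifier = os.urandom(16) if modifier is None else modifier
    # Sec costs the generator about 2^(16*sec) SHA-1 operations but the verifier only one.
    while not _leading_zero_bits(_hash2(modifier, public_key), 16 * sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    subnet = net.network_address.packed[:8]
    iid = bytearray(_hash1(modifier, subnet, collision_count, public_key))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)  # Sec in bits 0-2, u/g bits (6 and 7) cleared
    params = {"modifier": modifier, "subnet_prefix": subnet,
              "collision_count": collision_count, "public_key": public_key}
    return ipaddress.IPv6Address(subnet + bytes(iid)), params


def verify_cga(address, params):
    """RFC 3972 section 5: the check a receiver runs on the CGA parameters carried
    in a SeND message; a passing result binds the address to that public key."""
    packed = ipaddress.IPv6Address(address).packed
    if params["collision_count"] > 2 or params["subnet_prefix"] != packed[:8]:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5
    h1 = _hash1(params["modifier"], params["subnet_prefix"], params["collision_count"], params["public_key"])
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:  # compare all but bits 0-2, 6, 7
        return False
    return _leading_zero_bits(_hash2(params["modifier"], params["public_key"]), 16 * sec)


if __name__ == "__main__":
    # Constructed stand-in for the DER-encoded RSA public key real CGA parameters carry.
    pubkey = b"constructed stand-in for a DER-encoded RSA SubjectPublicKeyInfo"
    addr, params = generate_cga("2001:db8:1:2::/64", pubkey, sec=1)
    print(addr, verify_cga(addr, params))
    print(verify_cga(addr, dict(params, public_key=b"intruder's key")))
```

An intruder who wants to answer a Neighbor Solicitation for an existing CGA must either own its private key (to sign the NA) or find a key and modifier that hash to the same interface identifier, and the Sec field raises the cost of the second route by 2^(16*sec); this is what the slide means by an ultra-light check that still prevents spoofing.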