Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Securely Operate an IPv6 Network

Similar presentations

Presentation on theme: "How to Securely Operate an IPv6 Network"— Presentation transcript:

1 How to Securely Operate an IPv6 Network
Eric Vyncke, Distinguished

2 Foreword All topics common to IPv4/IPv6 are unchanged:
Physical security Role Base Access Control .... I took the liberty to include Cisco configuration (as it may be useful for you) but I will not detail them

3 Agenda Management Plane Control Plane Routing Information
Neighbor Discovery Control Plane Protection Data Plane Anti-spoofing Access Control List Tunnel loops Telemetry Forensic Lawful Intercept Summary

4 Management Plane 4 4

5 Management over IPv6 SSH, syslog, SNMP, NetFlow all work over IPv6
Dual-stack management plane More resilient: works even if one IP version is down More exposed: can be attacked over IPv4 and IPv6 RADIUS over IPv6 is recent (IOS 15.2(1)T, IOS-XE rls 3.2S) But, IPv6 RADIUS attributes can be transported over IPv4 As usual, infrastructure ACL is your friend (more to come) as well as out-of- band management

6 IPv6 ACL to Protect VTY For Your Reference ipv6 access-list VTY permit ipv6 2001:db8:0:1::/64 any line vty ipv6 access-class VTY in Must be done before enabling IPv6 on any interface Beware there is no equivalent for HTTP => use ACL In IOS-XR, the command is ‘access-class VTY ingress’, the IPv4 and IPv6 ACL must have the same name

7 Control Plane: Routing Protocols

8 Preventing IPv6 Routing Attacks Protocol Authentication
BGP, IS-IS, EIGRP no change: An MD5 authentication of the routing update OSPFv3 originally pulled MD5 authentication from the protocol and instead relies on transport mode IPsec (for authentication and confidentiality) But see RFC 6506 (not yet widely implemented) IPv6 routing attack best practices Use traditional authentication mechanisms on BGP and IS-IS Use IPsec to secure protocols such as OSPFv3

9 OSPF or EIGRP Authentication
For Your Reference interface Ethernet0/0 ipv6 ospf 1 area 0 ipv6 ospf authentication ipsec spi 500 md ABCDEF ABCDEF interface Ethernet0/0 ipv6 authentication mode eigrp 100 md5 ipv6 authentication key-chain eigrp 100 MYCHAIN key chain MYCHAIN key 1 key-string ABCDEF ABCDEF accept-lifetime local 12:00:00 Dec :00:00 Jan send-lifetime local 00:00:00 Jan :59:59 Dec 8:15 No crypto maps, no ISAKMP: transport mode with static session keys

10 BGP Route Filters Pretty obvious for customer links
For Your Reference Pretty obvious for customer links For peering, a relaxed one ipv6 prefix-list RELAX deny 3ffe::/16 le 128 ipv6 prefix-list RELAX deny 2001:db8::/32 le 128 ipv6 prefix-list RELAX permit 2001::/32 ipv6 prefix-list RELAX deny 2001::/32 le 128 ipv6 prefix-list RELAX permit 2002::/16 ipv6 prefix-list RELAX deny 2002::/16 le 128 ipv6 prefix-list RELAX deny 0000::/8 le 128 ipv6 prefix-list RELAX deny fe00::/9 le 128 ipv6 prefix-list RELAX deny ff00::/8 le 128 ipv6 prefix-list RELAX permit 2000::/3 le 48 ipv6 prefix-list RELAX deny 0::/0 le 128 Source:

11 Link-Local Addresses vs. Global Addresses
Link-Local addresses, fe80::/10, (LLA) are isolated Cannot reach outside of the link Cannot be reached from outside of the link  LLA can be configured statically (not the EUI-64 default) to avoid changing neighbor statements when changing MAC interface FastEthernet 0/0 ipv6 address fe80::1/64 link-local

12 Link-Local Addresses vs. Global Addresses
Could be used on the infrastructure interfaces Routing protocols (inc BGP) work with LLA neighbor fe80::2%FastEthernet0/0 Case sensitive !

13 LLA-Only Pros and Cons Benefits: Cons: Special case for IXP:
no remote attack against your infrastructure links: implicit infrastructure ACL* Smaller routing table (links do not appear) Simpler configuration Easier to renumber Cons: need to provision loopback for: ICMP for Traceroute ICMP for PMTUD SNMP/NetFlow/syslog/ ... No interface ping Special case for IXP: Usually a specific /64 which is not routed => uRPF will drop ICMP generated (PMTUd) by routers in the IXP LLA-only on the IXP interfaces => ICMP are generated from a non IXP interface *: loopbacks are still routable/reachable

14 Control Plane: Neighbor Discovery

15 Scanning Made Bad for CPU Remote Neighbor Cache Exhaustion RFC 6583
Potential router CPU/memory attacks if aggressive scanning Router will do Neighbor Discovery... And waste CPU and memory Local router DoS with NS/RS/… NS: 2001:db8::1 NS: 2001:db8::2 NS: 2001:db8::3 2001:db8::1 2001:db8::2 2001:db8::3 NS: 2001:db8::1 NS: 2001:db8::2 NS: 2001:db8::3 NS: 2001:db8::1 NS: 2001:db8::2 NS: 2001:db8::3 2001:db8::/64

16 Mitigating Remote Neighbor Cache Exhaustion
Built-in rate limiter with options to tune it Since 15.1(3)T: ipv6 nd cache interface-limit Or IOS-XE 2.6: ipv6 nd resolution data limit Destination-guard is part of First Hop Security phase 3 Priority given to refresh existing entries vs. discovering new ones (RFC 6583) Using a /64 on point-to-point links => a lot of addresses to scan! Using /127 could help (RFC 6164) Internet edge/presence: a target of choice Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only Using infrastructure ACL prevents this scanning iACL: edge ACL denying packets addressed to your routers Easy with IPv6 because new addressing scheme can be done 

17 Simple Fix for Remote Neighbor Cache Exhaustion
Ingress ACL allowing only valid destination and dropping the rest NDP cache & process are safe Requires DHCP or static configuration of hosts 2001:db8::2 2001:db8::1 2001:db8::2 2001:db8::3 2001:db8::3 NS: 2001:db8::1 NA: 2001:db8::1 2001:db8::/64

18 ARP Spoofing is now NDP Spoofing: Threats
ARP is replaced by Neighbor Discovery Protocol Nothing authenticated Static entries overwritten by dynamic ones Stateless Address Autoconfiguration rogue RA (malicious or not) All nodes badly configured DoS Traffic interception (Man In the Middle Attack) Attack tools exist (from THC – The Hacker Choice) Parasit6 Fakerouter6 ...

19 ARP Spoofing is now NDP Spoofing: Mitigation
GOOD NEWS: dynamic ARP inspection for IPv6 is available First phase (Port ACL & RA Guard) available since Summer 2010 Second phase (NDP & DHCP snooping) starting to be available since Summer 2011 (Kind of ) GOOD NEWS: Secure Neighbor Discovery SeND = NDP + crypto IOS 12.4(24)T But not in Windows Vista, 2008 and 7, Mac OS/X, iOS, Android Crypto means slower... Other GOOD NEWS: Private VLAN works with IPv6 Port security works with IPv6 IEEE 801.X works with IPv6 (except downloadable ACL)

20 Mitigating Rogue RA: Host Isolation
Prevent Node-Node Layer-2 communication by using: Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port) WLAN in ‘AP Isolation Mode’ 1 VLAN per host (SP access network with Broadband Network Gateway) Link-local multicast (RA, DHCP request, etc) sent only to the local official router: no harm Can break DAD Advertise the SLAAC prefix without the on-link bit to force router to do ‘proxy-ND’ RA Promiscuous Port RA Isolated Port RA

21 First Hop Security: RAguard since 2010 RFC 6105
Port ACL blocks all ICMPv6 RA from hosts interface FastEthernet0/2 ipv6 traffic-filter ACCESS_PORT in access-group mode prefer port RA-guard lite (12.2(33)SXI4 & 12.2(54)SG ): also dropping all RA received on this port ipv6 nd raguard RA-guard (12.2(50)SY, 15.0(2)SE) ipv6 nd raguard policy HOST device-role host ipv6 nd raguard policy ROUTER device-role router ipv6 nd raguard attach-policy HOST vlan 100 interface FastEthernet0/0 ipv6 nd raguard attach-policy ROUTER RA ROUTER Device-role RA HOST Device-role Can also enforce MTU, prefix, ... In RA RA

22 IPv6 First Hop Security Platform Support
For Your Reference Feature/Platform Catalyst 6500 Series Catalyst 4500 Series Catalyst 2K/3K Series ASR1000 Router 7600 Router Catalyst 3850 Wireless LAN Controller (Flex 7500, 5508, 2500, WISM-2) Nexus 3k/5k/6k/7k RA Guard 15.0(1)SY 15.1(2)SG 15.0.(2)SE 15.2(4)S 15.0(1)EX 7.2 NX-OS 7.2 IPv6 Snooping 15.0(1)SY1 XE 3.9.0S DHCPv6 Guard 15.2(1)SY Source/Prefix Guard 15.2(1)E 15.0.(2)SE2 15.3(1)S Destination Guard RA Throttler ND Multicast Suppress Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release Near future: - Cat6k – 15.1(1)SY ships in Oct 2012 (adds Sup720 support) - Cat4k – 15.1(2)SG - ships in Nov 2012 – 15.3(1)S – adds some more features - ships in Nov 2012 - NG3k (1)EX - ships in Jan 2013 - ASR1k – 15.3(2)S - ships in 03/29/13 - Cat3k/4k – 15.2(1)E – ships in Summer 2013 Shipped: 1. Cat6k – 15.0(1)SY shipped on Sept 2011 (Sup2T only) 2. WLC – 7.2 release shipped in Jan 2012 3. Cat3k – 15.0(2)SE shipped in July 2012 – 15.2(4)S shipped in July 2012 Available Now Not Available Roadmap

23 Control Plane Protection

24 Control Plane Policing for IPv6 Protecting the Router CPU
For Your Reference Against DoS with NDP, Hop-by-Hop, Hop Limit Expiration... See also RFC 6192

25 Data Plane 25

26 DoS Example Ping-Pong over Physical Point-to-Point
Same as in IPv4, on real P2P without NDP, if not for me, then send it on the other side... Could produce looping traffic Classic IOS and IOS-XE platforms implement RFC 4443 so this is not a threat Except on 76xx see CSCtg00387 (tunnels) and few others IOS-XR see CSCsu62728 Else use /127 on P2P link (see also RFC 6164) Or use infrastructure ACL or only link-local addresses 1) To 2001:db8::3 2) To 2001:db8::3 3) To 2001:db8::3 R2 R1 Serial 0/0 2001:db8::1/64 Serial 0/0 2001:db8::2/64 4) To 2001:db8::3 .... 5) To 2001:db8::3

27 IPv6 Bogon and Anti-Spoofing Filtering
IPv6 nowadays has its bogons: Every network should implement two forms of anti-spoofing protections: Prevent spoofed addresses from entering the network Prevent the origination of packets containing spoofed source addresses Anti-spoofing in IPv6 same as IPv4 => Same technique for single-homed edge= uRPF Inter-Networking Device with uRPF Enabled IPv6 Intranet X IPv6 Intranet/Internet IPv6 Unallocated Source Address No Route to SrcAddr => Drop

28 Bogons Filtering Detailed & updated list at:
Or simpler but more relaxed ipv6 access-list NO_BOGONS remark Always permit ICMP unreachable (Path MTU Discovery & co) permit icmp any any unreachable remark Permit only large prefix blocks from IANA permit ip 2001::/16 any permit ip 2002::/16 any permit ip 2003::/18 any permit ip 2400::/12 any permit ip 2600::/10 any permit ip 2800::/12 any permit ip 2a00::/12 any permit ip 2c00::/12 any Remark implicit deny at the end (but see later) Source:

29 Remote Triggered Black Hole
RFC 5635 RTBH is easy in IPv6 as in IPv4 uRPF is also your friend for blackholing a source RFC 6666 has a specific discard prefix 100::/64 Source: Wikipedia Commons

30 Parsing the Extension Header Chain
Finding the layer 4 information is not trivial in IPv6 Skip all known extension header Until either known layer 4 header found => MATCH Or unknown extension header/layer 4 header found... => NO MATCH IPv6 hdr HopByHop Routing AH TCP data IPv6 hdr HopByHop Routing AH Unknown L4 ??? 8H45

31 Parsing the Extension Header Chain Fragmentation Matters!
Extension headers chain can be so large than it must be fragmented! RFC 3128 is not applicable to IPv6 Layer 4 information could be in 2nd fragment IPv6 hdr HopByHop Routing Destination Fragment1 IPv6 hdr HopByHop Fragment2 TCP Data Routing Layer 4 header is in 2nd fragment

32 Parsing the Extension Header Chain Fragments and Stateless Filters
RFC 3128 is not applicable to IPv6 but RFC 6980 ‘nodes MUST silently ignore NDP ... If packets include a fragmentation header’ ;-) Layer 4 information could be in 2nd fragment But, stateless firewalls could not find it if a previous extension header is fragmented IPv6 hdr HopByHop Routing Fragment1 Destination … IPv6 hdr HopByHop Routing Fragment2 … Destination TCP Data Layer 4 header is in 2nd fragment, Stateless filters have no clue where to find it!

33 CRITICAL without this, there is a way to bypass STATELESS ACL!
IOS IPv6 Extended ACL Can match on Upper layers: TCP, UDP, SCTP port numbers, ICMPv6 code and type TCP flags SYN, ACK, FIN, PUSH, URG, RST Traffic class (only six bits/8) = DSCP, Flow label (0-0xFFFFF) IPv6 extension header routing matches any RH, routing-type matches specific RH mobility matches any MH, mobility-type matches specific MH dest-option matches any destination options auth matches AH hbh matches hop-by-hop (since 15.2(3)T) fragments keyword matches Non-initial fragments undetermined-transport keyword does not match if TCP/UDP/SCTP and ports are in the fragment ICMP and type and code are in the fragment Everything else matches (including OSPFv3, …) Only for deny ACE CRITICAL without this, there is a way to bypass STATELESS ACL! Check your platform & release as your mileage can vary…

34 IPv6 ACL Implicit Rules Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery: Nexus 7000 also allows RS & RA Be careful when adding « deny ipv6 any any log » at the end permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any log IPv6 neighbour discovery uses ICMPv6 which can be blocked by an IPv6 ACL. The IPv4 equivalent, ARP cannot be blocked by an IP ACL. The implicit permit rules bring the IPv6 ACL behaviour into line with IPv4 ACLs. The implicit permit rules only take effect for incoming ACLs, since self-originating traffic from the router cannot be blocked by an ACL. For IPv6 standard ACL 12.2(2)T where matching against protocol type is not possible, rules permitting link-local fe80::/16 any any are required to enable name resolution. The user can override the implicit rules by adding the equivalent ‘deny icmp’ within an ACL.

35 Example: Generic ACL on PE-CE or Peering
For Your Reference ipv6 access-list SIMPLE remark To be reviewed for potential customization (e.g. use of ULA) remark Drop evil routing header type 0 deny ipv6 any any routing-type 0 remark allow DAD permit IPv6 host :: 2000::/3 permit IPv6 host :: FE80::/10 remark Allow unicast global to other valid destinations permit ipv6 2000::/3 2000::/3 permit ipv6 2000::/3 FE80::/10 permit ipv6 2000::/3 FF00::/8 remark Allow link-local to other valid destinations permit ipv6 FE80::/64 FE80::/64 permit ipv6 FE80::/64 FF02::/10 permit ipv6 FE80::/ ::/3 remark Catch-up deny ipv6 any any

36 Controls are Available For Example: Cisco IPv6 Security Products
ASA Firewall (Since version 7.0 released 2005) Flexibility: Dual stack, IPv6 only, IPv4 only SSL VPN for IPv6 over IPv4 (ASA 8.0) over IPv6 (ASA 9.0) Stateful-Failover (ASA 8.2.2) Extension header filtering and inspection (ASA 8.4.2) Dual-stack ACL & object grouping (ASA 9.0) ASA-SM Leverage ASA code base, same features ;-) 16 Gbps of IPv6 throughput IOS Firewall (IOS 12.3(7)T - released 2005; Zone-based firewall on IOS-XE ) IPS (Since released 2008) Security Appliance (ESA) under beta testing since 2010, IPv6 support since (May 2012) Web Security Appliance (WSA) with explicit and transparent proxy Cisco Cloud Web Security (ScanSafe) work in progress (need IPv6 connectivity for all towers...) FIREpower NGIPS provides Decoder for IPv4 & IPv6 Packets

37 Looping Attack Between 6to4 and ISATAP (RFC 6324)
6to4 relay 1. Spoofed packet S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1 ISATAP router Prefix 2001:db8::/64 2. IPv4 Packet to containing S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1 3. IPv6 packet S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1 Repeat until Hop Limit == 0 Root cause Same IPv4 encapsulation (protocol 41) Different ways to embed IPv4 address in the IPv6 address ISATAP router: accepts 6to4 IPv4 packets Can forward the inside IPv6 packet back to 6to4 relay Symmetric looping attack exists Mitigation: Easy on ISATAP routers: deny packets whose IPv6 is its 6to4 Less easy on 6to4 relay: block all ISATAP-like local address? Good news: not so many open ISATAP routers on the Internet Do not announce the 6to4 relay address outside of your AS and accepts protocol-41 packets only from your AS

38 6to4/6rd Tunnels Bypass Centralized ACL
IPv6 Internet 6to4/6rd relay tunnel ACL IPv4 6to4/6rd router Direct tunneled traffic ignores hub ACL 6to4/6rd router 6rd CPE router can be configured to always go through hub Direct CPE-CPE communication must then be forbidden by IPv4 network

39 6rd Relay Security Issues
6rd is more constrained than 6to4, hence more secure IPv4 ACL (or IPv4 routing) can limit the 6rd packets to the 6rd domain within the ISP No more open relay No more looping attacks

40 Secure IPv6 over IPv4/6 Public Internet
No traffic sniffing No traffic injection No service theft Public Network Site 2 Site Remote Access IPv4 6in4/GRE Tunnels Protected by IPsec DMVPN 12.4(20)T ISATAP Protected by RA IPsec SSL VPN Client AnyConnect IPv6 IPsec VTI 12.4(6)T DMVPN 15.2(1)T AnyConnect 3.1 & ASA 9.0

41 9H00 Telemetry IPv6 security is similar to IPv4 security
No excuse to operate an insecure IPv6 network Telemetry 9H00 41

42 Available Tools Usually IPv4 telemetry is available SNMP MIB
Not always available yet on Cisco gears Flexible Netflow for IPv6 Available in : 12.4(20)T, 12.2(33)SRE Public domain tools: nfsen, nfdump, nfcpad…

43 IPv6 MIB Implementation
For Your Reference IP FWD (ROUTES) IP ICMP TCP UDP Original IPv4 only 2096 2011 2012 2013 IPv6 only 2465 2466 2452 2454 Protocol Version Independent (PVI) rfc2096-update = 4292 rfc2011-update 4293 = IP-MIB rfc2012-update 4022 rfc2013-update 4113 IPv4/IPv6 stats can be monitored from CLI “show interface accounting” on most platforms RFC 4292 and 4293 – Interface Stats table are added, also required HW support Tunnel MIB (RFC 4087)

44 Using SNMP to Read Interfaces Traffic
For Your Reference snmpwalk -c secret -v 1 udp6:[2001:db8::1] –Cw 70 -m IP-MIB ipNetToPhysicalPhysAddress SNMP table: IP-MIB::ipIfStatsTable index ipIfStatsInReceives ipIfStatsHCInReceives ipIfStatsInOctets ipv ? ipv ? ipv ? ipv ? snmpwalk -c secret -v 1 udp6:[2001:db8::1] –Cw 70 ifTabl SNMP table: IF-MIB::ifTable index ifIndex ifDescr ifType ifMtu ifSpeed FastEthernet0/0 ethernetCsmacd FastEthernet0/1 ethernetCsmacd

45 Using SNMP to Read IPv4/IPv6 Neighbors Cache
For Your Reference snmpwalk -c secret -v 1 udp6:[2001:db8::1] -m IP-MIB ipNetToPhysicalPhysAddress IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4." " = STRING: 0:13:c4:43:cf:e IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4." " = STRING: 0:23:48:2f:93:24 IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4." " = STRING: 0:80:c8:e0:d4:be ... IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:07:e9:ff:fe:f2:a0:c6" = STRING: 0:7:e9:f2:a0:c6 IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:20:4a:ff:fe:bf:ff:5f" = STRING: 0:20:4a:bf:ff:5f IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:30:56:da:9d:23:91:5e:ea" = STRING: 78:ca:39:e2:43:3 snmptable -c secret -v 1 udp6:[2001:db8::1] -Ci -m IP-MIB ipNetToPhysicalTable

46 NetFlow Versions NetFlow Version Comments 1 Original 5
For Your Reference NetFlow Version Comments 1 Original 5 Standard and most common 7 Specific to Cisco Catalyst 6500 and 7600 Series Switches Similar to version 5, but does not include AS, Interface, TCP Flags, and ToS Information 8 Choice of 11 aggregation schemes Reduces resource usage 9 Flexible, extensible file export format to enable easier support of additional fields and technologies; coming out now are MPLS, Multicast, and BGP Next-Hop

47 Flexible Flow Record: IPv6 Key Fields
For Your Reference IPv6 IP (Source or Destination) Payload Size Prefix (Source or Destination) Packet Section (Header) Mask (Source or Destination) Packet Section (Payload) Minimum-Mask (Source or Destination) DSCP Protocol Extension Traffic Class Hop-Limit Flow Label Length Option Header Next-header Header Length Version Payload Length Routing Destination AS Peer AS Traffic Index Forwarding Status Is-Multicast IGP Next Hop BGP Next Hop Transport Destination Port TCP Flag: ACK Source Port TCP Flag: CWR ICMP Code TCP Flag: ECE ICMP Type TCP Flag: FIN IGMP Type TCP Flag: PSH TCP ACK Number TCP Flag: RST TCP Header Length TCP Flag: SYN TCP Sequence Number TCP Flag: URG TCP Window-Size UDP Message Length TCP Source Port UDP Source Port TCP Destination Port UDP Destination Port TCP Urgent Pointer Flow Sampler ID Direction Interface Input Output Router(config-flow-record)#match trans tcp flags ? ack TCP acknowledgement flag cwr TCP congestion window reduced flag ece TCP ECN echo flag fin TCP finish flag psh TCP push flag rst TCP reset flag syn TCP synchronise flag urg TCP urgent flag

48 Flexible Flow Record: IPv6 Extension Header Map
For Your Reference Bits 11-31 Bit 10 Bit 9 Bit 8 Bit 7 Bit 6 Bit 5 Bit 4 Bit 3 Bit 2 Bit 1 Bit 0 Res ESP AH PAY DST HOP UNK FRA0 RH FRA1 FRA1: Fragment header – not first fragment RH: Routing header FRA0: Fragment header – First fragment UNK: Unknown Layer 4 header (compressed, encrypted, not supported) HOP: Hop-by-hop extension header DST: Destination Options extension header PAY: Payload compression header AH: Authentication header ESP: Encapsulating Security Payload header Res: Reserved 48

49 Flexible NetFlow Exporter, Record and Monitor
For Your Reference flow exporter FLOW-EXPORTER destination 2001:db8::1 <<< IPv6 is supported transport udp 9995 flow record FLOW-RECORD match ipv6 source address <<< key fields match ipv6 destination address match ipv6 protocol collect counter bytes <<< non key fields collect counter packets collect datalink mac source address input <<< can also collect MAC addresses ;-) flow monitor FLOW-MONITOR ; record netflow ipv6 original-output <<< for traditional NetFlow records record FLOW-RECORD exporter FLOW-EXPORTER statistics packet protocol statistics packet size interface GigEthernet0/15 ipv6 flow monitor FLOW-MONITOR output

50 Netflow Reverse Usage Scanning an IPv6 network is impossible (address space too large) How can we run a security audit? Easy Get all IPv6 addresses from Netflow Note: scanning link-local addresses requires layer-2 adjacency, i.e. Ping6 ff02::1

51 Vulnerability Scanning in a Dual-Stack World
Finding all hosts: Address enumeration does not work for IPv6 Need to rely on DNS or NDP caches or NetFlow Vulnerability scanning IPv4 global address, IPv6 global address(es) (if any), IPv6 link-local address Some services are single stack only (currently mostly IPv4 but who knows...) Personal firewall rules could be different between IPv4/IPv6 IPv6 vulnerability scanning MUST be done for IPv4 & IPv6 even in an IPv4-only network IPv6 link-local addresses are active by default

52 Forensic 52

53 Multiple Facets to IPv6 Addresses
Every host can have multiple IPv6 addresses simultaneously Need to do correlation! Alas, no Security Information and Event Management (SIEM) supports IPv6 Usually, a customer is identified by its /48  Every IPv6 address can be written in multiple ways 2001:0DB8:0BAD::0DAD 2001:DB8:BAD:0:0:0:0:DAD 2001:db8:bad::dad (this is the canonical RFC 5952 format) => Grep cannot be used anymore to sieve log files…

54 Perl to Canonical IPv6 Addresses
For Your Reference #!/usr/bin/perl –w use strict ; use Socket ; use Socket6 ; my $word, $binary_address) ; ## go through the file one line at a time while (my $line = <STDIN>) { @words = split /[ \n]/, $line ; foreach $word { $binary_address = inet_pton AF_INET6, $word ; if ($binary_address) { print inet_ntop AF_INET6, $binary_address ; } else { print $word ; } print " " ; print "\n" ;

55 Perl Grep6 For Your Reference #!/usr/bin/perl –w use strict ;
use Socket ; use Socket6 ; my $word, $binary_address, $address) ; $address = inet_pton AF_INET6, $ARGV[0] ; if (! $address) { die "Wrong IPv6 address passed as argument" ; } ## go through the file one line at a time while (my $line = <STDIN>) { @words = split /[ \n\(\)\[\]]/, $line ; foreach $word { $binary_address = inet_pton AF_INET6, $word ; if ($binary_address and $binary_address eq $address) { print $line ; next ; }

56 How to Find the MAC Address of an IPv6 Address?
Easy if EUI-64 format as MAC is embedded 2001:db8::0226:bbff:fe4e:9434 (need to toggle bit 0x20 in the first MAC byte = U/L) Is :26:bb:4e:94:34

57 How to Find the MAC Address of an IPv6 Address?
DHCPv6 address or prefix… the client DHCP Unique ID (DUID) can be MAC address: trivial Time + MAC address: simply take the last 6 bytes Vendor number + any number: no luck… next slide can help No guarantee of course that DUID includes the real MAC address. # show ipv6 dhcp binding Client: FE80::225:9CFF:FEDC:7548 DUID: A00259CDC7548 Username : unassigned Interface : FastEthernet0/0 IA PD: IA ID 0x B, T , T Prefix: 2001:DB8:612::/48 preferred lifetime 3600, valid lifetime 3600 expires at Nov :22 PM (369) 9H15

58 DHCPv6 in Real Live… Actual MAC address: # show ipv6 dhcp binding
Not so attractive  Only supported in Windows Vista, and Windows 7, Max OS/X Lion Not in Linux (default installation), … Windows Vista does not place the used MAC address in DUID but any MAC address of the PC Actual MAC address: 0022.5f # show ipv6 dhcp binding Client: FE80::FDFA:CB28:10A9:6DD0 DUID: DB0EA6001E33814DEE Username : unassigned IA NA: IA ID 0x F, T1 300, T2 480 Address: 2001:DB8::D09A:95CA:6918:967 preferred lifetime 600, valid lifetime 600 expires at Oct :02 PM (554 seconds)

59 How to Find the MAC Address of an IPv6 Address?
Last resort… look in the live NDP cache (CLI or SNMP) If no more in cache, then you should have scanned and saved the cache… EEM can be your friend First-Hop Security phase II can generate a syslog event on each new binding ipv6 neighbor binding logging #show ipv6 neighbors 2001:DB8::6DD0 IPv6 Address Age Link-layer Addr State Interface 2001:DB8::6DD f STALE Fa0/1

60 Lawful Intercept 60

61 Which Target? Target could be
Host address /128: probably very rare Subscriber prefix /48 or /56 Layer-2 address (MAC address) Circuit PPP session Content of 6RD/MAP-T/DS-lit tunnel by intercepting the external addresses Targets based not based on IPv6 addresses are ‘as usual’ and can be done as usual from a SP perspective Of course mediation device & LEA must understand IPv6 

62 Summary 62

63 Key Takeaway /1 Management plane Control plane Data plane
Protect management plane with access-class Control plane Authenticate IGP Consider the use of link-local on P-P links? Mitigate rogue-RA with RA-guard Configure control plane policing Data plane Beware of ping-pong on not /127 real P2P link Apply anti-spoofing, anti-bogons Disable source routing Use ACL where applicable ACL must permit NDP

64 Key Takeaway /2 Telemetry Forensic Lawful Interception
SNMP MIB and Netflow v9 are your friends Netflow can be used for inventory Forensic Multiple addresses per node, multiple ways to write an IPV6 address Finding MAC address from IPv6: EUI-64, DHCPv6 (not so trivial) else periodic NDP cache dumps... Lawful Interception implemented, missing mediation device

65 Conclusion As expected IPv6 secure operations are quite similar to IPv4 Main differences at layer 2 Tunnels complicate everything Lack of correlation tools

66 Questions and Answers?

67 4/14/2017 Cisco Live 2013

68 List of Acronyms 6rd: 6 Rapid Deployment
For Your Reference 6rd: 6 Rapid Deployment AAA: Authentication, Authorization, Accounting CGA: Cryptographically Generated Address DUID: DHCP Unique ID EUI-64: Extended Unique ID IPSec: IP Security ISATAP: Intra-Site Automatic Tunnel Addressing Protocol LEA: Law Enforcement Agency LLA: Link-Local Address MD5: Message Digest 5 NDP: Neighbor Discovery Protocol PIM: Protocol Independent Multicast PMTUD: Path MTU Discovery RA: Router Advertisement RIPng: Routing Information Protocol Next Generation SEND: Secure Neighbor Discovery SSH: Secure SHell

Download ppt "How to Securely Operate an IPv6 Network"

Similar presentations

Ads by Google