Presentation transcript: How to Securely Operate an IPv6 Network (Eric Vyncke, Cisco, 2014)

1 How to Securely Operate an IPv6 Network, Eric Vyncke, Distinguished Engineer

2 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
Foreword
 All topics common to IPv4/IPv6 are unchanged:
  – Physical security
  – Role-Based Access Control
  – ...
 I took the liberty to include Cisco configuration (as it may be useful for you) but I will not detail it

3 Agenda
 Management Plane
 Control Plane
  – Routing Information
  – Neighbor Discovery
  – Control Plane Protection
 Data Plane
  – Anti-spoofing
  – Access Control List
  – Tunnel loops
 Telemetry
 Forensic
 Lawful Intercept
 Summary

4 Management Plane

5 Management over IPv6
 SSH, syslog, SNMP, NetFlow all work over IPv6
 Dual-stack management plane
  – More resilient: works even if one IP version is down
  – More exposed: can be attacked over IPv4 and IPv6
 RADIUS over IPv6 is recent (IOS 15.2(1)T, IOS-XE release 3.2S)
  – But IPv6 RADIUS attributes can be transported over IPv4
 As usual, the infrastructure ACL is your friend (more to come), as is out-of-band management

6 IPv6 ACL to Protect VTY (For Your Reference)
  ipv6 access-list VTY
   permit ipv6 2001:db8:0:1::/64 any
  line vty 0 4
   ipv6 access-class VTY in
 Everything not permitted by the ACL (here: anything outside the management subnet 2001:db8:0:1::/64) is dropped by the implicit deny at the end of the ACL
 Must be done before enabling IPv6 on any interface
 Beware: there is no equivalent for HTTP => use an interface ACL
 In IOS-XR, the command is 'access-class VTY ingress'; the IPv4 and IPv6 ACLs must have the same name

7 Control Plane: Routing Protocols

8 Preventing IPv6 Routing Attacks: Protocol Authentication
 BGP, IS-IS, EIGRP: no change
  – An MD5 authentication of the routing update
 OSPFv3 originally pulled MD5 authentication from the protocol and instead relies on transport-mode IPsec (for authentication and confidentiality)
  – But see RFC 6506, the OSPFv3 Authentication Trailer (not yet widely implemented)
 IPv6 routing attack best practices
  – Use traditional authentication mechanisms on BGP and IS-IS
  – Use IPsec to secure protocols such as OSPFv3

9 OSPF or EIGRP Authentication (For Your Reference)
  interface Ethernet0/0
   ipv6 ospf 1 area 0
   ipv6 ospf authentication ipsec spi 500 md5 ABCDEF ABCDEF

  interface Ethernet0/0
   ipv6 authentication mode eigrp 100 md5
   ipv6 authentication key-chain eigrp 100 MYCHAIN
  key chain MYCHAIN
   key 1
    key-string ABCDEF ABCDEF
    accept-lifetime local 12:00:00 Dec :00:00 Jan
    send-lifetime local 00:00:00 Jan :59:59 Dec
 No crypto maps, no ISAKMP: transport mode with static session keys

10 BGP Route Filters (For Your Reference)
 Pretty obvious for customer links
 For peering, a relaxed one:
  ipv6 prefix-list RELAX deny 3ffe::/16 le 128
  ipv6 prefix-list RELAX deny 2001:db8::/32 le 128
  ipv6 prefix-list RELAX permit 2001::/32
  ipv6 prefix-list RELAX deny 2001::/32 le 128
  ipv6 prefix-list RELAX permit 2002::/16
  ipv6 prefix-list RELAX deny 2002::/16 le 128
  ipv6 prefix-list RELAX deny 0000::/8 le 128
  ipv6 prefix-list RELAX deny fe00::/9 le 128
  ipv6 prefix-list RELAX deny ff00::/8 le 128
  ipv6 prefix-list RELAX permit 2000::/3 le 48
  ipv6 prefix-list RELAX deny 0::/0 le 128
Source:
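The RELAX list above only does what you expect if you apply Cisco's first-match rule and the `le`/`ge` length semantics correctly. The following evaluator is an added example (it is not part of the slides and not Cisco code) that replays the list against a handful of constructed announcements; the entries are copied from the slide, the candidate prefixes are made up for the test.

```python
"""Cisco-style IPv6 prefix-list evaluation (added example, not from the slides).

A prefix-list is walked top to bottom and the FIRST matching entry decides.
An entry "permit/deny P/L [ge G] [le E]" matches a route R/N when R/N lies
inside P/L and G <= N <= E; with neither ge nor le the match is exact (N == L);
with only le, ge defaults to L; with only ge, le defaults to 128.
"""
import ipaddress

# The RELAX list from the slide, in slide order: (action, prefix, ge, le)
RELAX = [
    ("deny",   "3ffe::/16",     None, 128),   # 6bone, returned to IANA
    ("deny",   "2001:db8::/32", None, 128),   # documentation prefix
    ("permit", "2001::/32",     None, None),  # Teredo: only the exact /32 ...
    ("deny",   "2001::/32",     None, 128),   # ... and none of its more-specifics
    ("permit", "2002::/16",     None, None),  # 6to4: only the exact /16
    ("deny",   "2002::/16",     None, 128),
    ("deny",   "::/8",          None, 128),   # unspecified, loopback, IPv4-mapped
    ("deny",   "fe00::/9",      None, 128),
    ("deny",   "ff00::/8",      None, 128),   # multicast
    ("permit", "2000::/3",      None, 48),    # global unicast, no longer than /48
    ("deny",   "::/0",          None, 128),   # explicit catch-all (same as the implicit deny)
]


def entry_matches(route: ipaddress.IPv6Network, entry) -> bool:
    _action, prefix, ge, le = entry
    net = ipaddress.IPv6Network(prefix)
    if ge is None and le is None:
        low = high = net.prefixlen                  # exact-length match
    else:
        low = ge if ge is not None else net.prefixlen
        high = le if le is not None else 128
    return route.subnet_of(net) and low <= route.prefixlen <= high


def lookup(prefix_list, route_str: str):
    """Return (action, 1-based sequence number) of the first matching entry,
    or ("deny", None) for the implicit deny at the end of every prefix-list."""
    route = ipaddress.IPv6Network(route_str)
    for seq, entry in enumerate(prefix_list, start=1):
        if entry_matches(route, entry):
            return entry[0], seq
    return "deny", None


if __name__ == "__main__":
    # Constructed candidate announcements, not taken from the slide
    for candidate in ["2001:db8:1::/48", "2001::/32", "2001:0:1::/48", "2001:db9::/32",
                      "2a02:578:8500::/56", "2002:c000:204::/48", "fe80::/10"]:
        print(f"{candidate:22} -> {lookup(RELAX, candidate)}")
```

Two things the run makes visible: a /56 from a legitimate global block is denied by the catch-all, not by a bogon entry, because `permit 2000::/3 le 48` stops at /48; and `fe00::/9` covers fe00:: through fe7f::, so fe80::/10 is not caught by that entry at all and only falls through to the final deny. Keep the explicit catch-all: it makes such fall-throughs visible in `show ipv6 prefix-list ... detail` hit counters.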

11 Link-Local Addresses vs. Global Addresses
 Link-Local addresses (LLA), fe80::/10, are isolated
  – Cannot reach outside of the link
  – Cannot be reached from outside of the link
  – LLA can be configured statically (instead of the EUI-64 default) to avoid changing neighbor statements when changing the MAC address
  interface FastEthernet 0/0
   ipv6 address fe80::1 link-local

12 Link-Local Addresses vs. Global Addresses
 Could be used on the infrastructure interfaces
  – Routing protocols (including BGP) work with LLA
  neighbor fe80::2%FastEthernet0/0
 The interface name after '%' is case sensitive!

13 LLA-Only Pros and Cons
 Benefits:
  – No remote attack against your infrastructure links: implicit infrastructure ACL*
  – Smaller routing table (links do not appear)
  – Simpler configuration
  – Easier to renumber
 Cons:
  – Need to provision a loopback for:
    ICMP for traceroute
    ICMP for PMTUD
    SNMP/NetFlow/syslog/...
  – No interface ping
 Special case for IXP:
  – Usually a specific /64 which is not routed => uRPF will drop the ICMP (PMTUD) generated by routers in the IXP
  – LLA-only on the IXP interfaces => ICMP is generated from a non-IXP interface
*: loopbacks are still routable/reachable

14 Control Plane: Neighbor Discovery

15 Scanning Made Bad for CPU: Remote Neighbor Cache Exhaustion (RFC 6583)
 Potential router CPU/memory attacks if aggressive scanning
  – Router will do Neighbor Discovery... and waste CPU and memory
 Local router DoS with NS/RS/...
[Figure: a remote scan of 2001:db8::/64 makes the last-hop router send NS for 2001:db8::1, 2001:db8::2, 2001:db8::3, ... for every probed address, whether or not a host exists]

16 Mitigating Remote Neighbor Cache Exhaustion
 Built-in rate limiter with options to tune it
  – Since 15.1(3)T: ipv6 nd cache interface-limit
  – Or IOS-XE 2.6: ipv6 nd resolution data limit
  – Destination Guard is part of First Hop Security phase 3
  – Priority given to refreshing existing entries vs. discovering new ones (RFC 6583)
 Using a /64 on point-to-point links => a lot of addresses to scan!
  – Using /127 could help (RFC 6164)
 Internet edge/presence: a target of choice
  – Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
 Using an infrastructure ACL prevents this scanning
  – iACL: edge ACL denying packets addressed to your routers
  – Easy with IPv6 because a new addressing scheme can be designed for it

17 Simple Fix for Remote Neighbor Cache Exhaustion
 Ingress ACL allowing only valid destinations and dropping the rest
 NDP cache & process are safe
 Requires DHCP or static configuration of hosts
[Figure: 2001:db8::/64 with hosts 2001:db8::1, ::2, ::3; only the permitted destination 2001:db8::1 is resolved (NS/NA), scans of the other addresses never reach the router's ND process]

18 ARP Spoofing is now NDP Spoofing: Threats
 ARP is replaced by the Neighbor Discovery Protocol
  – Nothing authenticated
  – Static entries overwritten by dynamic ones
 Stateless Address Autoconfiguration
  – Rogue RA (malicious or not)
  – All nodes badly configured
 DoS
 Traffic interception (Man-in-the-Middle attack)
 Attack tools exist (from THC, The Hacker's Choice)
  – parasite6
  – fake_router6
  – ...

19 ARP Spoofing is now NDP Spoofing: Mitigation
 GOOD NEWS: dynamic ARP inspection for IPv6 is available
  – First phase (Port ACL & RA Guard) available since Summer 2010
  – Second phase (NDP & DHCP snooping) starting to be available since Summer 2011
  – http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
 (Kind of) GOOD NEWS: Secure Neighbor Discovery
  – SeND = NDP + crypto
  – IOS 12.4(24)T
  – But not in Windows Vista, 2008 and 7, Mac OS X, iOS, Android
  – Crypto means slower...
 Other GOOD NEWS:
  – Private VLAN works with IPv6
  – Port security works with IPv6
  – IEEE 802.1X works with IPv6 (except downloadable ACL)

20 Mitigating Rogue RA: Host Isolation
 Prevent node-to-node Layer-2 communication by using:
  – Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port)
  – WLAN in 'AP Isolation Mode'
  – 1 VLAN per host (SP access network with Broadband Network Gateway)
 Link-local multicast (RA, DHCP request, etc.) sent only to the local official router: no harm
 Can break DAD
  – Advertise the SLAAC prefix without the on-link bit to force the router to do 'proxy-ND'
[Figure: hosts on isolated ports, the official router on the promiscuous port; a rogue RA from an isolated port never reaches the other hosts]

21 First Hop Security: RA Guard since 2010 (RFC 6105)
 Port ACL blocks all ICMPv6 RA from hosts
  interface FastEthernet0/2
   ipv6 traffic-filter ACCESS_PORT in
   access-group mode prefer port
 RA-guard lite (12.2(33)SXI4 & 12.2(54)SG): also dropping all RA received on this port
  interface FastEthernet0/2
   ipv6 nd raguard
   access-group mode prefer port
 RA-guard (12.2(50)SY, 15.0(2)SE)
  ipv6 nd raguard policy HOST
   device-role host
  ipv6 nd raguard policy ROUTER
   device-role router
  ipv6 nd raguard attach-policy HOST vlan 100
  interface FastEthernet0/0
   ipv6 nd raguard attach-policy ROUTER
 Can also enforce MTU, prefix, ... in the RA
[Figure: ports with device-role HOST drop any received RA; the port with device-role ROUTER accepts them]

22 IPv6 First Hop Security Platform Support (For Your Reference)
Platform columns of the original table: Catalyst 6500 Series, Catalyst 4500 Series, Catalyst 2K/3K Series, ASR1000 Router, 7600 Router, Catalyst 3850, Wireless LAN Controller (Flex 7500, 5508, 2500, WiSM-2), Nexus 3k/5k/6k/7k. Cells were colour-coded Available Now / Not Available / Roadmap; only the release strings survive here, in the order they appeared:
 RA Guard: 15.0(1)SY, 15.1(2)SG, 15.0(2)SE, 15.2(4)S, 15.0(1)EX, 7.2, NX-OS 7.2
 IPv6 Snooping: 15.0(1)SY (Note 1), (2)SG, 15.0(2)SE, XE 3.9.0S, 15.2(4)S, 15.0(1)EX, 7.2, NX-OS 7.2
 DHCPv6 Guard: 15.2(1)SY, 15.1(2)SG, 15.0(2)SE, 15.2(4)S, 15.0(1)EX, 7.2, NX-OS 7.2
 Source/Prefix Guard: 15.2(1)SY, 15.2(1)E, 15.0(2)SE (Note 2), XE 3.9.0S, 15.3(1)S, 7.2, NX-OS 7.2
 Destination Guard: 15.2(1)SY, 15.1(2)SG, 15.2(1)E, XE 3.9.0S, 15.2(4)S, NX-OS 7.2
 RA Throttler: 15.2(1)SY, 15.2(1)E, 15.0(1)EX, 7.2
 ND Multicast Suppress: 15.2(1)SY, 15.1(2)SG, 15.2(1)E, XE 3.9.0S, 15.0(1)EX, 7.2
Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped
Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release

23 Control Plane Protection

24 Control Plane Policing for IPv6: Protecting the Router CPU (For Your Reference)
 Against DoS with NDP, Hop-by-Hop, Hop Limit expiration...
 See also RFC

25 Data Plane

26 DoS Example: Ping-Pong over Physical Point-to-Point
[Figure: R1 Serial 0/0 2001:db8::1/64 and R2 Serial 0/0 2001:db8::2/64; a packet to 2001:db8::3 (an address of the /64 that belongs to neither router) is sent back and forth: 1) to 2001:db8::3, 2) to 2001:db8::3, 3) to 2001:db8::3, ...]
 Same as in IPv4: on a real P2P link without NDP, if not for me, then send it to the other side... could produce looping traffic
 Classic IOS and IOS-XE platforms implement RFC 4443 so this is not a threat
  – Except on 76xx, see CSCtg00387 (tunnels) and a few others
  – IOS-XR: see CSCsu62728
  – Else use /127 on the P2P link (see also RFC 6164)
  – Or use an infrastructure ACL or only link-local addresses

27 IPv6 Bogon and Anti-Spoofing Filtering
 IPv6 nowadays has its bogons:
  – http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
 Every network should implement two forms of anti-spoofing protection:
  – Prevent spoofed addresses from entering the network
  – Prevent the origination of packets containing spoofed source addresses
 Anti-spoofing in IPv6 is the same as in IPv4
  – => Same technique for the single-homed edge: uRPF
[Figure: an internetworking device with uRPF enabled between an IPv6 intranet and the IPv6 Intranet/Internet; a packet with an unallocated IPv6 source address has no route back to SrcAddr => drop]

28 Bogons Filtering
 Detailed & updated list at:
  – http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
 Or simpler but more relaxed:
  ipv6 access-list NO_BOGONS
   remark Always permit ICMP unreachable (Path MTU Discovery & co)
   permit icmp any any unreachable
   remark Permit only large prefix blocks from IANA
   permit ipv6 2001::/16 any
   permit ipv6 2002::/16 any
   permit ipv6 2003::/18 any
   permit ipv6 2400::/12 any
   permit ipv6 2600::/10 any
   permit ipv6 2800::/12 any
   permit ipv6 2a00::/12 any
   permit ipv6 2c00::/12 any
   remark implicit deny at the end (but see later)
Source:

29 Remote Triggered Black Hole
 RFC 5635: RTBH is as easy in IPv6 as in IPv4
 uRPF is also your friend for blackholing a source
 RFC 6666 has a specific discard prefix: 100::/64
Source: Wikipedia Commons (image)

30 Parsing the Extension Header Chain
 Finding the layer-4 information is not trivial in IPv6
  – Skip all known extension headers
  – Until either a known layer-4 header is found => MATCH
  – Or an unknown extension header/layer-4 header is found => NO MATCH
[Figure: IPv6 hdr | HopByHop | Routing | AH | TCP | data => MATCH; IPv6 hdr | HopByHop | Routing | AH | Unknown L4 ??? => NO MATCH]

31 Parsing the Extension Header Chain: Fragmentation Matters!
 The extension header chain can be so large that it must be fragmented!
 RFC 3128 (protection against the tiny-fragment attack) is not applicable to IPv6
 Layer-4 information could be in the 2nd fragment
[Figure: fragment 1 = IPv6 hdr | HopByHop | Routing | Destination | Fragment; fragment 2 = IPv6 hdr | HopByHop | Fragment | Routing (rest) | TCP | Data; the layer-4 header is in the 2nd fragment]

32 Parsing the Extension Header Chain: Fragments and Stateless Filters
 RFC 3128 is not applicable to IPv6, but
  – RFC 6980: 'nodes MUST silently ignore NDP ... if packets include a fragmentation header' ;-)
 Layer-4 information could be in the 2nd fragment
 But stateless firewalls cannot find it if a previous extension header is fragmented
[Figure: fragment 1 = IPv6 hdr | HopByHop | Routing | Destination ... | Fragment; fragment 2 = IPv6 hdr | HopByHop | Fragment | ... Destination | Routing | TCP | Data; the layer-4 header is in the 2nd fragment and stateless filters have no clue where to find it!]

33 IOS IPv6 Extended ACL
 Can match on
  – Upper layers: TCP, UDP, SCTP port numbers, ICMPv6 code and type
  – TCP flags SYN, ACK, FIN, PUSH, URG, RST
  – Traffic class (only six bits of 8) = DSCP, Flow label (0-0xFFFFF)
 IPv6 extension headers
  – routing matches any RH, routing-type matches a specific RH
  – mobility matches any MH, mobility-type matches a specific MH
  – dest-option matches any destination options header
  – auth matches AH
  – hbh matches hop-by-hop (since 15.2(3)T)
 fragments keyword matches
  – Non-initial fragments
 undetermined-transport keyword does not match if
  – TCP/UDP/SCTP and the ports are in the fragment
  – ICMP and the type and code are in the fragment
  – Everything else matches (including OSPFv3, ...)
  – Only for deny ACE
 Check your platform & release as your mileage can vary...
 CRITICAL: without undetermined-transport there is a way to bypass a STATELESS ACL!
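To make slides 30 to 33 concrete, here is an added example (not from the slides, not Cisco code) of the header walk a stateless filter has to perform, including the two cases the slides warn about: a non-initial fragment that carries no layer-4 header at all, and a first fragment or unfragmented packet whose next header is something the filter does not understand. The `undetermined` flag reproduces the semantics of the IOS `undetermined-transport` keyword as the slide describes them; the packets are constructed in the block with small helper functions, not captured traffic.

```python
"""Walk an IPv6 extension-header chain the way a stateless filter must
(added example, not from the slides). It reproduces the slide's outcomes:
MATCH on a known layer-4 header, NO MATCH on an unknown one, and
'layer-4 is in another fragment'. The packets at the bottom are
constructed test data built with the small helpers, not captures.
"""
import ipaddress
import struct

# IANA next-header numbers
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DSTOPTS, SCTP = 0, 6, 17, 43, 44, 50, 51, 58, 60, 132
EXT_NAMES = {HOPOPT: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment", AH: "auth", DSTOPTS: "dest-option"}
L4_NAMES = {TCP: "tcp", UDP: "udp", ICMPV6: "icmpv6", SCTP: "sctp"}
NDP_TYPES = range(133, 138)   # RS, RA, NS, NA, Redirect


def walk_chain(pkt: bytes) -> dict:
    """Skip known extension headers until a known layer-4 header is found.
    'undetermined' mirrors the IOS undetermined-transport ACL keyword: it stays
    True unless TCP/UDP/SCTP ports or the ICMPv6 type/code are in THIS packet.
    ESP is treated as opaque: nothing behind it can be parsed."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"chain": [], "l4": None, "l4_offset": None, "fragment": None,
            "undetermined": True, "icmp_type": None}
    nxt, off = pkt[6], 40
    while True:
        if nxt in L4_NAMES:
            info["l4"], info["l4_offset"] = L4_NAMES[nxt], off
            if off + 4 <= len(pkt):            # ports (or ICMPv6 type/code/checksum) are present
                info["undetermined"] = False
                if nxt == ICMPV6:
                    info["icmp_type"] = pkt[off]
            return info
        if nxt not in EXT_NAMES or off + 8 > len(pkt):
            # ESP, No Next Header, an upper layer the filter does not know
            # (e.g. OSPFv3 = 89), or a chain cut short: layer-4 is undetermined
            info["l4"] = f"proto {nxt}"
            return info
        info["chain"].append(EXT_NAMES[nxt])
        if nxt == FRAGMENT:
            nh, _res, offset_and_flags, _ident = struct.unpack("!BBHI", pkt[off:off + 8])
            if offset_and_flags >> 3:
                # Non-initial fragment: what follows is a slice of the original
                # payload; the layer-4 header went out in the first fragment.
                info["fragment"] = "non-initial"
                return info
            info["fragment"] = "first"
            nxt, off = nh, off + 8
        elif nxt == AH:
            nh, payload_len = pkt[off], pkt[off + 1]    # AH length: 32-bit words minus 2
            nxt, off = nh, off + (payload_len + 2) * 4
        else:
            nh, hdr_ext_len = pkt[off], pkt[off + 1]    # 8-octet units, first 8 not counted
            nxt, off = nh, off + (hdr_ext_len + 1) * 8


def fragmented_ndp(info: dict) -> bool:
    """RFC 6980: NDP messages carrying a Fragment header must be ignored."""
    return info["l4"] == "icmpv6" and info["fragment"] is not None and info["icmp_type"] in NDP_TYPES


# --- constructed packets (test data, not captures) -----------------------
SRC = ipaddress.IPv6Address("2001:db8::1").packed
DST = ipaddress.IPv6Address("2001:db8::2").packed

def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload

def hop_by_hop(next_header: int) -> bytes:       # 8 bytes, padded with one PadN option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])

def routing_type0(next_header: int) -> bytes:    # 8 bytes, 0 segments left
    return bytes([next_header, 0, 0, 0, 0, 0, 0, 0])

def fragment(next_header: int, offset: int, more: int, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, ident)

TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

PKT_HBH_RH_TCP = ipv6(HOPOPT, hop_by_hop(ROUTING) + routing_type0(TCP) + TCP_SYN)
PKT_FIRST_FRAG_TCP = ipv6(HOPOPT, hop_by_hop(FRAGMENT) + fragment(TCP, 0, 1) + TCP_SYN)
PKT_NON_INITIAL_FRAG = ipv6(FRAGMENT, fragment(TCP, 185, 0) + bytes(64))
PKT_OSPFV3 = ipv6(HOPOPT, hop_by_hop(89) + bytes(24))
PKT_FRAG_RA = ipv6(FRAGMENT, fragment(ICMPV6, 0, 1) + bytes([134, 0, 0, 0]) + bytes(12))

if __name__ == "__main__":
    for name, pkt in [("hbh+rh+tcp", PKT_HBH_RH_TCP), ("first fragment", PKT_FIRST_FRAG_TCP),
                      ("non-initial fragment", PKT_NON_INITIAL_FRAG), ("ospfv3", PKT_OSPFV3),
                      ("fragmented RA", PKT_FRAG_RA)]:
        info = walk_chain(pkt)
        print(f"{name:22} chain={info['chain']} l4={info['l4']} fragment={info['fragment']} "
              f"undetermined={info['undetermined']} drop_per_rfc6980={fragmented_ndp(info)}")
```

A `deny ipv6 any any undetermined-transport` entry corresponds to dropping every packet for which `walk_chain` leaves `undetermined` set: the non-initial fragment, the unknown upper layer, and any first fragment too short to carry the ports. That is exactly the traffic a stateless `permit tcp ... eq 80` could otherwise never see but would let through.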

34 IPv6 ACL Implicit Rules
 Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:
  permit icmp any any nd-na
  permit icmp any any nd-ns
  deny ipv6 any any
 Nexus 7000 also allows RS & RA
 Be careful when adding « deny ipv6 any any log » at the end: your explicit deny is evaluated before the implicit entries, so the ND permits must then be written explicitly:
  permit icmp any any nd-na
  permit icmp any any nd-ns
  deny ipv6 any any log

35 Example: Generic ACL on PE-CE or Peering (For Your Reference)
  ipv6 access-list SIMPLE
   remark To be reviewed for potential customization (e.g. use of ULA)
   remark Drop evil routing header type 0
   deny ipv6 any any routing-type 0
   remark allow DAD
   permit ipv6 host :: 2000::/3
   permit ipv6 host :: FE80::/10
   remark Allow unicast global to other valid destinations
   permit ipv6 2000::/3 2000::/3
   permit ipv6 2000::/3 FE80::/10
   permit ipv6 2000::/3 FF00::/8
   remark Allow link-local to other valid destinations
   permit ipv6 FE80::/64 FE80::/64
   permit ipv6 FE80::/64 FF02::/10
   permit ipv6 FE80::/64 2000::/3
   remark Catch-all
   deny ipv6 any any
 Caveat: DAD neighbor solicitations are sent from :: to the solicited-node multicast group (FF02::1:FF00:0/104), not to a unicast destination; a DAD entry therefore needs a permit for host :: to FF02::/16 as well

36 Controls are Available, For Example: Cisco IPv6 Security Products
 ASA Firewall (since version 7.0, released 2005)
  – Flexibility: dual stack, IPv6 only, IPv4 only
  – SSL VPN for IPv6 over IPv4 (ASA 8.0), over IPv6 (ASA 9.0)
  – Stateful failover (ASA 8.2.2)
  – Extension header filtering and inspection (ASA 8.4.2)
  – Dual-stack ACL & object grouping (ASA 9.0)
 ASA-SM
  – Leverages the ASA code base, same features ;-) 16 Gbps of IPv6 throughput
 IOS Firewall (IOS 12.3(7)T, released 2005; zone-based firewall on IOS-XE)
 IPS (since released 2008)
 Security Appliance (ESA): under beta testing since 2010, IPv6 support since (May 2012)
 Web Security Appliance (WSA) with explicit and transparent proxy
 Cisco Cloud Web Security (ScanSafe): work in progress (needs IPv6 connectivity for all towers...)
 FirePOWER NGIPS provides a decoder for IPv4 & IPv6 packets

37 Looping Attack Between 6to4 and ISATAP (RFC 6324)
 Root cause
  – Same IPv4 encapsulation (protocol 41)
  – Different ways to embed the IPv4 address in the IPv6 address
 ISATAP router:
  – accepts 6to4 IPv4 packets
  – can forward the inside IPv6 packet back to the 6to4 relay
 Symmetric looping attack exists
[Figure: a 6to4 relay and an ISATAP router (prefix 2001:db8::/...). 1. Spoofed packet S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1; 2. IPv4 packet to the ISATAP router containing S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1; 3. IPv6 packet S: 2001:db8::200:5efe:c000:201 D: 2002:c000:202::1 sent back to the 6to4 relay; repeat until Hop Limit == 0]
 Mitigation:
  – Easy on ISATAP routers: deny packets whose IPv6 destination is the router's own 6to4 address
  – Less easy on the 6to4 relay: block all ISATAP-like local addresses?
  – Good news: not so many open ISATAP routers on the Internet
  – Do not announce the 6to4 relay address outside of your AS and accept protocol-41 packets only from your AS
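The loop works because each side derives the next IPv4 hop from bits of the IPv6 address it is given. The following added example (not from the slides, not Cisco code) extracts the embedded IPv4 address from both address formats and implements the two mitigations the slide sketches, using the slide's spoofed packet as input. It assumes, from the addresses on the slide, that 192.0.2.1 (c000:201) is the 6to4 relay's IPv4 address and 192.0.2.2 (c000:202) the ISATAP router's; the function names are mine.

```python
"""Address checks for the 6to4 <-> ISATAP loop of RFC 6324 (added example,
not from the slides). Both tunnel types embed an IPv4 address in the IPv6
address; the functions extract them and implement the two mitigations the
slide sketches. Assumed from the slide's addresses: 192.0.2.1 (c000:201) is
the 6to4 relay's IPv4 address and 192.0.2.2 (c000:202) the ISATAP router's.
"""
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
ISATAP_IID = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")   # 0000:5efe with the U/L bit clear or set


def sixto4_embedded_ipv4(v6: str):
    """2002:VVVV:VVVV::/48 -> the IPv4 address VVVV:VVVV, or None."""
    a = ipaddress.IPv6Address(v6)
    return ipaddress.IPv4Address(a.packed[2:6]) if a in SIXTO4 else None


def isatap_embedded_ipv4(v6: str):
    """<prefix>:0:5efe:VVVV:VVVV -> the IPv4 address, or None if the IID is not ISATAP-shaped."""
    p = ipaddress.IPv6Address(v6).packed
    return ipaddress.IPv4Address(p[12:16]) if p[8:12] in ISATAP_IID else None


def own_6to4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The 6to4 /48 that belongs to a node with this IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def outer_inner_consistent(outer_ipv4_src: str, inner_v6_src: str) -> bool:
    """Classic protocol-41 ingress check: the IPv4 source of the encapsulating
    packet must equal the IPv4 embedded in the inner ISATAP source. The looping
    packet PASSES this check, which is why it is not enough on its own."""
    return isatap_embedded_ipv4(inner_v6_src) == ipaddress.IPv4Address(outer_ipv4_src)


def isatap_router_drops(router_ipv4: str, inner_v6_dst: str) -> bool:
    """Slide's ISATAP-side mitigation: drop a decapsulated packet whose IPv6
    destination is the router's own 6to4 address, i.e. a packet that would be
    forwarded to the 6to4 relay only to be tunnelled straight back to us."""
    return ipaddress.IPv6Address(inner_v6_dst) in own_6to4_prefix(router_ipv4)


def sixto4_relay_drops(relay_ipv4: str, v6_src: str) -> bool:
    """Slide's 6to4-side mitigation: drop a packet whose IPv6 source is an
    ISATAP-shaped address embedding the relay's own IPv4 address."""
    return isatap_embedded_ipv4(v6_src) == ipaddress.IPv4Address(relay_ipv4)


if __name__ == "__main__":
    # The spoofed packet from the slide
    src, dst = "2001:db8::200:5efe:c000:201", "2002:c000:202::1"
    print("inner src embeds", isatap_embedded_ipv4(src), "/ inner dst embeds", sixto4_embedded_ipv4(dst))
    print("outer/inner consistent:", outer_inner_consistent("192.0.2.1", src))   # True: the check is bypassed
    print("ISATAP router drops:   ", isatap_router_drops("192.0.2.2", dst))      # True
    print("6to4 relay drops:      ", sixto4_relay_drops("192.0.2.1", src))       # True
```

The point of `outer_inner_consistent` is that the usual "does the outer IPv4 source match the embedded one" check, which stops plain ISATAP source spoofing, passes here: the packet really does arrive from the 6to4 relay whose address the ISATAP source embeds. Only a check on the destination (ISATAP side) or on the ISATAP-shaped source (6to4 side) breaks the loop, which is why the slide also recommends restricting protocol-41 to your own AS.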

38 6to4/6rd Tunnels Bypass the Centralized ACL
[Figure: two 6to4/6rd routers on an IPv4 network, a 6to4/6rd relay (the hub, where the ACL is applied) towards the IPv6 Internet; a direct router-to-router tunnel carries traffic that never crosses the hub]
 Direct tunneled traffic ignores the hub ACL
 A 6rd CPE router can be configured to always go through the hub
 Direct CPE-CPE communication must then be forbidden by the IPv4 network

39 6rd Relay Security Issues
 6rd is more constrained than 6to4, hence more secure
 An IPv4 ACL (or IPv4 routing) can limit the 6rd packets to the 6rd domain within the ISP
  – No more open relay
  – No more looping attacks

40 Secure IPv6 over IPv4/6 Public Internet
 No traffic sniffing
 No traffic injection
 No service theft
  Public Network | Site-to-Site | Remote Access
  IPv4 | 6in4/GRE tunnels protected by IPsec; DMVPN 12.4(20)T; ISATAP protected by RA IPsec | SSL VPN client AnyConnect
  IPv6 | IPsec VTI 12.4(6)T; DMVPN 15.2(1)T | AnyConnect 3.1 & ASA 9.0

41 Telemetry
IPv6 security is similar to IPv4 security: no excuse to operate an insecure IPv6 network

42 Available Tools
 Usually IPv4 telemetry is available
 SNMP MIB
  – Not always available yet on Cisco gear
 Flexible NetFlow for IPv6
  – Available in: 12.4(20)T, 12.2(33)SRE
  – Public domain tools: nfsen, nfdump, nfcapd, ...

43 IPv6 MIB Implementation (For Your Reference)
[Table: for each area (IP forwarding/routes, IP, ICMP, TCP, UDP) the original IPv4-only MIB and its Protocol Version Independent (PVI) update: RFC 2096 -> RFC 4292 (IP-FORWARD-MIB); RFC 2011 -> RFC 4293 (IP-MIB, IP and ICMP); RFC 2012 -> RFC 4022 (TCP-MIB); RFC 2013 -> RFC 4113 (UDP-MIB); separate IPv6-only MIBs existed in between]
 IPv4/IPv6 stats can be monitored from the CLI with "show interface accounting" on most platforms
 RFC 4292 and 4293: interface stats tables are added, which also require HW support
 Tunnel MIB (RFC 4087)

44 Using SNMP to Read Interfaces Traffic (For Your Reference)
  snmptable -c secret -v 1 udp6:[2001:db8::1] -Cw 70 -m IP-MIB ipIfStatsTable
  SNMP table: IP-MIB::ipIfStatsTable
   index   ipIfStatsInReceives   ipIfStatsHCInReceives   ipIfStatsInOctets ...
   ipv4.<ifIndex> ...
   ipv6.<ifIndex> ...
  (one row per address family and interface; the counter values did not survive in the transcript)

  snmptable -c secret -v 1 udp6:[2001:db8::1] -Cw 70 ifTable
  SNMP table: IF-MIB::ifTable
   index  ifIndex  ifDescr          ifType         ifMtu  ifSpeed
   1      1        FastEthernet0/0  ethernetCsmacd
   2      2        FastEthernet0/1  ethernetCsmacd

45 Using SNMP to Read the IPv4/IPv6 Neighbors Cache (For Your Reference)
  snmpwalk -c secret -v 1 udp6:[2001:db8::1] -m IP-MIB ipNetToPhysicalPhysAddress
  IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4." " = STRING: 0:13:c4:43:cf:e
  IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4." " = STRING: 0:23:48:2f:93:24
  IP-MIB::ipNetToPhysicalPhysAddress.1.ipv4." " = STRING: 0:80:c8:e0:d4:be
  ...
  IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:07:e9:ff:fe:f2:a0:c6" = STRING: 0:7:e9:f2:a0:c6
  IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:02:20:4a:ff:fe:bf:ff:5f" = STRING: 0:20:4a:bf:ff:5f
  IP-MIB::ipNetToPhysicalPhysAddress.2.ipv6."2a:02:05:78:85:00:01:01:30:56:da:9d:23:91:5e:ea" = STRING: 78:ca:39:e2:43:3
  ...
  snmptable -c secret -v 1 udp6:[2001:db8::1] -Ci -m IP-MIB ipNetToPhysicalTable

46 NetFlow Versions (For Your Reference)
  Version | Comments
  1 | Original
  5 | Standard and most common
  7 | Specific to Cisco Catalyst 6500 and 7600 Series switches; similar to version 5, but does not include AS, interface, TCP flags and ToS information
  8 | Choice of 11 aggregation schemes; reduces resource usage
  9 | Flexible, extensible export format to enable easier support of additional fields and technologies; coming out now are MPLS, multicast and BGP next-hop

47 Flexible Flow Record: IPv6 Key Fields (For Your Reference)
 IPv6: IP (source or destination), Prefix (source or destination), Mask (source or destination), Minimum-Mask (source or destination), Protocol, Traffic Class, Flow Label, Option Header, Header Length, Payload Length, Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Extension Headers, Hop-Limit, Length, Next-header, Version
 Interface: Input, Output
 Routing: Destination AS, Peer AS, Traffic Index, Forwarding Status, Is-Multicast, IGP Next Hop, BGP Next Hop
 Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port
 Flow: Sampler ID, Direction

48 Flexible Flow Record: IPv6 Extension Header Map (For Your Reference)
  Bits 11-31 | Bit 10 | Bit 9 | Bit 8 | Bit 7 | Bit 6 | Bit 5 | Bit 4 | Bit 3 | Bit 2 | Bit 1 | Bit 0
  Res        | ESP    | AH    | PAY   | DST   | HOP   | Res   | UNK   | FRA0  | RH    | FRA1  | Res
 FRA1: Fragment header, not first fragment
 RH: Routing header
 FRA0: Fragment header, first fragment
 UNK: Unknown layer-4 header (compressed, encrypted, not supported)
 HOP: Hop-by-hop extension header
 DST: Destination Options extension header
 PAY: Payload compression header
 AH: Authentication header
 ESP: Encapsulating Security Payload header
 Res: Reserved

49 Flexible NetFlow Exporter, Record and Monitor (For Your Reference)
  flow exporter FLOW-EXPORTER
   destination 2001:db8::1                        <<< IPv6 is supported
   transport udp 9995
  flow record FLOW-RECORD
   match ipv6 source address                      <<< key fields
   match ipv6 destination address
   match ipv6 protocol
   collect counter bytes                          <<< non-key fields
   collect counter packets
   collect datalink mac source address input      <<< can also collect MAC addresses ;-)
  flow monitor FLOW-MONITOR
   ; record netflow ipv6 original-output          <<< for traditional NetFlow records
   record FLOW-RECORD
   exporter FLOW-EXPORTER
   statistics packet protocol
   statistics packet size
  interface GigabitEthernet0/15
   ipv6 flow monitor FLOW-MONITOR output

50 NetFlow Reverse Usage
 Scanning an IPv6 network is impossible (address space too large)
 How can we run a security audit?
 Easy:
  – Get all IPv6 addresses from NetFlow
  – Note: scanning link-local addresses requires layer-2 adjacency, i.e. ping6 ff02::1

51 Vulnerability Scanning in a Dual-Stack World
 Finding all hosts:
  – Address enumeration does not work for IPv6
  – Need to rely on DNS, NDP caches or NetFlow
 Vulnerability scanning
  – IPv4 global address, IPv6 global address(es) (if any), IPv6 link-local address
  – Some services are single-stack only (currently mostly IPv4, but who knows...)
  – Personal firewall rules could differ between IPv4 and IPv6
 Vulnerability scanning MUST be done over both IPv4 & IPv6, even in an IPv4-only network
  – IPv6 link-local addresses are active by default

52 Forensic

53 Multiple Facets to IPv6 Addresses
 Every host can have multiple IPv6 addresses simultaneously
  – Need to do correlation!
  – Alas, no Security Information and Event Management (SIEM) supports IPv6
  – Usually, a customer is identified by its /48
 Every IPv6 address can be written in multiple ways
  – 2001:0DB8:0BAD::0DAD
  – 2001:DB8:BAD:0:0:0:0:DAD
  – 2001:db8:bad::dad (this is the canonical RFC 5952 format)
  – => grep cannot be used anymore to sieve log files...

54 Perl to Canonical IPv6 Addresses (For Your Reference)
  #!/usr/bin/perl -w
  use strict ;
  use Socket ;
  use Socket6 ;
  my ($word, $binary_address) ;
  ## go through the file one line at a time
  while (my $line = <STDIN>) {
      my @words = split /[ \n]/, $line ;
      foreach $word (@words) {
          ## inet_pton returns a true value only for a syntactically valid IPv6 address
          $binary_address = inet_pton AF_INET6, $word ;
          if ($binary_address) {
              ## rewrite the address in canonical (RFC 5952) form
              print inet_ntop AF_INET6, $binary_address ;
          } else {
              print $word ;
          }
          print " " ;
      }
      print "\n" ;
  }

55 Perl Grep6 (For Your Reference)
  #!/usr/bin/perl -w
  use strict ;
  use Socket ;
  use Socket6 ;
  my ($word, $binary_address, $address) ;
  ## the address to look for, in any notation, converted to its 16-byte form
  $address = inet_pton AF_INET6, $ARGV[0] ;
  if (! $address) {
      die "Wrong IPv6 address passed as argument" ;
  }
  ## go through the file one line at a time
  while (my $line = <STDIN>) {
      my @words = split /[ \n\(\)\[\]]/, $line ;
      foreach $word (@words) {
          $binary_address = inet_pton AF_INET6, $word ;
          ## compare the binary forms, so 2001:DB8::1 and 2001:db8:0:0:0:0:0:1 match
          if ($binary_address and $binary_address eq $address) {
              print $line ;
              last ;  ## print the line once, then move on to the next line
          }
      }
  }

56 How to Find the MAC Address of an IPv6 Address?
 Easy if EUI-64 format, as the MAC is embedded
  – 2001:db8::0226:bbff:fe4e:9434
  – (need to toggle bit 0x02 of the first MAC byte = the U/L bit, and drop the ff:fe inserted in the middle)
  – Is 00:26:bb:4e:94:34

57 How to Find the MAC Address of an IPv6 Address?
 DHCPv6 address or prefix... the client DHCP Unique ID (DUID) can be:
  – MAC address (DUID-LL): trivial
  – Time + MAC address (DUID-LLT): simply take the last 6 bytes
  – Vendor number + any number (DUID-EN): no luck... the next slide can help
  – No guarantee of course that the DUID includes the real MAC address
  # show ipv6 dhcp binding
  Client: FE80::225:9CFF:FEDC:7548
    DUID: A00259CDC7548
    Username : unassigned
    Interface : FastEthernet0/0
    IA PD: IA ID 0x B, T , T
      Prefix: 2001:DB8:612::/48
              preferred lifetime 3600, valid lifetime 3600
              expires at Nov :22 PM (369)

58 DHCPv6 in Real Life...
 Not so attractive
  – Only supported in Windows Vista and Windows 7, Mac OS X Lion
  – Not in Linux (default installation), ...
 Windows Vista does not place the MAC address in use in the DUID, but any MAC address of the PC
  # show ipv6 dhcp binding
  Client: FE80::FDFA:CB28:10A9:6DD0
    DUID: DB0EA6001E33814DEE
    Username : unassigned
    IA NA: IA ID 0x F, T1 300, T2 480
      Address: 2001:DB8::D09A:95CA:6918:967
              preferred lifetime 600, valid lifetime 600
              expires at Oct :02 PM (554 seconds)
  Actual MAC address: f
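Slides 56 to 58 describe three ways of getting from an IPv6 address or a DHCPv6 binding to a MAC address, and the cases where that is impossible. The following added example (not from the slides, not Cisco code) implements them: the modified-EUI-64 decoding with the U/L bit flip, the DUID-LLT and DUID-LL layouts from RFC 3315, and a cross-check of the DUID's claimed MAC against the client's link-local address, which is how you notice the Vista behaviour the slide shows. The EUI-64 address is the one from slide 56; the DUIDs are constructed for the example (the DUID-LL is built from the MAC of the slide 57 client, the DUID-LLT uses a made-up timestamp), and the function names are mine.

```python
"""Recover a MAC address from an IPv6 address or a DHCPv6 DUID (added example,
not from the slides). Handles the cases of slides 56-58: a modified EUI-64
interface identifier, a DUID-LLT or DUID-LL, and the cases where no MAC can be
recovered (privacy/random IID, DUID-EN, DUID-UUID). The DUIDs used below are
constructed test data, not copied from a real binding table.
"""
import ipaddress


def _fmt(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def mac_from_eui64(addr: str):
    """Modified EUI-64 IID (RFC 4291 App. A) = MAC[0:3] with the U/L bit (0x02 of the
    first byte) inverted, then ff:fe, then MAC[3:6]. Returns None when the ff:fe
    marker is absent (SLAAC privacy address, random DHCPv6 address, manual address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return _fmt(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])


def mac_from_duid(duid_hex: str):
    """DHCPv6 DUID (RFC 3315, RFC 6355):
      type 1 DUID-LLT : hw-type(2) time(4) link-layer(6)  -> last 6 bytes
      type 3 DUID-LL  : hw-type(2) link-layer(6)          -> last 6 bytes
      type 2 DUID-EN  : enterprise number + opaque id     -> no MAC
      type 4 DUID-UUID: 128-bit UUID                      -> no MAC
    Only hardware type 1 (Ethernet, 6-byte address) is handled."""
    duid = bytes.fromhex(duid_hex)
    if len(duid) < 4:
        return None
    duid_type, hw_type = int.from_bytes(duid[:2], "big"), duid[2:4]
    if duid_type == 1 and hw_type == b"\x00\x01" and len(duid) == 14:
        return _fmt(duid[8:14])
    if duid_type == 3 and hw_type == b"\x00\x01" and len(duid) == 10:
        return _fmt(duid[4:10])
    return None


def duid_matches_link_local(duid_hex: str, link_local: str) -> bool:
    """Cross-check: does the MAC claimed in the DUID equal the MAC embedded in the
    client's EUI-64 link-local address? The slides warn that a DUID may carry
    *a* MAC of the host rather than the one used on this link, or no MAC at all;
    a random link-local IID (as on slide 58) also makes the check fail."""
    claimed, observed = mac_from_duid(duid_hex), mac_from_eui64(link_local)
    return claimed is not None and claimed == observed


if __name__ == "__main__":
    print(mac_from_eui64("2001:db8::226:bbff:fe4e:9434"))       # slide 56 -> 00:26:bb:4e:94:34
    print(mac_from_eui64("fe80::fdfa:cb28:10a9:6dd0"))           # random IID -> None
    print(mac_from_duid("0003000100259cdc7548"))                 # constructed DUID-LL -> 00:25:9c:dc:75:48
    print(mac_from_duid("0001000112345678001e33814dee"))         # constructed DUID-LLT -> 00:1e:33:81:4d:ee
    print(mac_from_duid("0002000009bf0c0f"))                     # constructed DUID-EN -> None
    print(duid_matches_link_local("0003000100259cdc7548", "fe80::225:9cff:fedc:7548"))       # True
    print(duid_matches_link_local("0001000112345678001e33814dee", "fe80::fdfa:cb28:10a9:6dd0"))  # False
```

When the cross-check fails, or the DUID is an EN or UUID type, the only remaining source is the live or archived NDP cache (next slide); that is the reason for dumping it periodically or logging each new binding.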

59 How to Find the MAC Address of an IPv6 Address?
 Last resort... look in the live NDP cache (CLI or SNMP)
 If no longer in the cache, then you should have scanned and saved the cache...
 EEM can be your friend
 First-Hop Security phase II can generate a syslog event on each new binding
  – ipv6 neighbor binding logging
  # show ipv6 neighbors 2001:DB8::6DD0
  IPv6 Address      Age  Link-layer Addr  State  Interface
  2001:DB8::6DD0         f                STALE  Fa0/1

60 Lawful Intercept

61 Which Target?
 Target could be
  – Host address /128: probably very rare
  – Subscriber prefix /48 or /56
  – Layer-2 address (MAC address)
  – Circuit
  – PPP session
  – Content of a 6rd/MAP-T/DS-Lite tunnel, by intercepting the external addresses
 Targets not based on IPv6 addresses are 'as usual' and can be intercepted as usual from an SP perspective
  – Of course, the mediation device & LEA must understand IPv6

62 Summary

63 Key Takeaway /1
 Management plane
  – Protect the management plane with access-class
 Control plane
  – Authenticate the IGP
  – Consider the use of link-local on P-P links?
  – Mitigate rogue RA with RA Guard
  – Configure control plane policing
 Data plane
  – Beware of ping-pong on a real P2P link that is not a /127
  – Apply anti-spoofing, anti-bogons
  – Disable source routing
  – Use ACL where applicable
   ACL must permit NDP

64 Key Takeaway /2
 Telemetry
  – SNMP MIB and NetFlow v9 are your friends
  – NetFlow can be used for inventory
 Forensic
  – Multiple addresses per node, multiple ways to write an IPv6 address
  – Finding the MAC address from IPv6:
    EUI-64
    DHCPv6 (not so trivial)
    else periodic NDP cache dumps...
 Lawful Interception
  – Implemented, missing mediation device

65 Conclusion
 As expected, IPv6 secure operations are quite similar to IPv4
  – Main differences at layer 2
  – Tunnels complicate everything
  – Lack of correlation tools

66 Questions and Answers?


68 List of Acronyms (For Your Reference)
 6rd: IPv6 Rapid Deployment
 AAA: Authentication, Authorization, Accounting
 CGA: Cryptographically Generated Address
 DUID: DHCP Unique ID
 EUI-64: 64-bit Extended Unique Identifier
 IPsec: IP Security
 ISATAP: Intra-Site Automatic Tunnel Addressing Protocol
 LEA: Law Enforcement Agency
 LLA: Link-Local Address
 MD5: Message Digest 5
 NDP: Neighbor Discovery Protocol
 PIM: Protocol Independent Multicast
 PMTUD: Path MTU Discovery
 RA: Router Advertisement
 RIPng: Routing Information Protocol Next Generation
 SeND: Secure Neighbor Discovery
 SSH: Secure SHell

