Presentation is loading. Please wait.

Presentation is loading. Please wait.

RFC 3964 Security Considerations for 6to4 Speaker: Chungyi Wang Adviser: Quincy Wu Date: 2007.6.25.

Published byMelvyn Edwards Modified over 8 years ago

Similar presentations

Presentation on theme: "RFC 3964 Security Considerations for 6to4 Speaker: Chungyi Wang Adviser: Quincy Wu Date: 2007.6.25."— Presentation transcript:

1 RFC 3964 Security Considerations for 6to4 Speaker: Chungyi Wang Adviser: Quincy Wu Date: 2007.6.25

2 Outline Abstract Introduction 6to4 Router & Relay Router 6to4 Router 6to4 Relay Router Threat Analysis Attacks with Neighbor Discovery (ND) Messages Spoofing traffic to 6to4 nodes Reflecting traffic from 6to4 nodes Local IPv4 broadcast attack Reference

3 Abstract The IPv6 interim mechanism 6to4 (RFC3056) uses automatic IPv6-over-IPv4 tunneling to interconnect IPv6 networks This characteristic enables a number of security threats, mainly Denial of Service It also makes it easier for nodes to spoof IPv6 addresses This document discusses these issues in more detail and suggests enhancements to alleviate the problems.

4 Introduction (1/3)

5 Introduction (2/3) All 6to4 routers must accept and decapsulate IPv4 packets from every other 6to4 router, and from 6to4 relays. 6to4 relay routers must accept traffic from any native IPv6 node. The IPv4 and IPv6 headers may be spoofed => Denial of Service attacks

6 Introduction (3/3) 2001:db8::1 9.0.0.2 Spoofed Address Who!?

7 6to4 Router & Relay Router (1/2) 6to4 Router The 6to4 routers act as the border routers of a 6to4 domain 6to4 Relay Router The 6to4 relay router acts as a relay between all 6to4 domains and native IPv6 networks

8 6to4 Router & Relay Router (2/2) 6to4 relay router 6to4 router

9 6to4 Router (1/6) Provide IPv6 connectivity to local clients and routers. Forward packets sent to locally configured 6to4 addresses to the 6to4 network. Tunnel packets sent to foreign 6to4 addresses to the destination 6to4 router using IPv4. Tunnel packets sent to non-6to4 addresses to the configured/ closest-by-anycast 6to4 relay router. 6to4 addresses 6to4 router 6to4 relay router

10 6to4 Router (2/6) Decapsulate directly received IPv4 packets from foreign 6to4 addresses. Decapsulate IPv4 packets received via the relay closest to the native IPv6 sources. Note that it is not easily distinguishable whether the packet was received from a 6to4 relay router or from a spoofing third party. Foreign Relay

11 6to4 Router (3/6) Security Checks Disallow traffic: The private, broadcast, reserved IPv4 addresses From 6to4 routers in which IPv4 tunnel source does not match the 6to4 prefix The destination (IPv6) is not a global address Other 6to4 domains through 6to4 relay router or via some third party 6to4 router

12 6to4 Router (4/6) Security Checks IPv4 0.0.0.0/8(the system has no address assigned yet) 10.0.0.0/8 (private) 127.0.0.0/8 (loopback) 172.16.0.0/12 (private) 192.168.0.0/16 (private) 169.254.0.0/16 (IANA Assigned DHCP link-local) o 224.0.0.0/4 (multicast) 240.0.0.0/4 (reserved and broadcast)

13 6to4 Router (5/6) Security Checks IPv6 0::/16(compatible, mapped addresses, loopback, unspecified,...) fe80::/10 (link-local) fec0::/10 (site-local) ff00::/8 (any multicast)

14 6to4 Router (6/6) Security Checks Discard traffic received: From other 6to4 domain via a 6to4 relay router For other prefixes other than one’s own 6to4 prefix.

15 6to4 Relay Router (1/2) Decapsulates and forwards packets received from 6to4 addresses through tunneling, by using normal IPv6 routing (IPv6)  [Relay Router]  (6to4 address) Tunnels packets received through normal IPv6 routing from native addresses (IPn6)  [Relay Router]  (6to4 address)

16 6to4 Relay Router (2/2) Security Checks Disallow traffic: The private, broadcast, reserved IPv4 addresses From 6to4 routers in which IPv4 tunnel source does not match the 6to4 prefix The destination (IPv6) is not a global address Discard traffic received: From from 6to4 routers with the destination as a 6to4 prefix (IPv6)  [Relay Router]  [6to4 Router]

17 Threat Analysis (1/2) Types of threats Denial-of-Service (DoS) A malicious node prevents communication between the node under attack and other nodes Reflection Dos A malicious node reflects the traffic off unsuspecting nodes to a particular node (node under attack) Service theft A malicious node/site/operator may make unauthorized use of service

18 Threat Analysis (2/2) Type of attacks based on target Attacks on 6to4 networks. Attacks on IPv6 networks. Attacks on IPv4 networks. Attacks on the 6to4 nodes Attacks with Neighbor Discovery (ND) Messages Spoofing traffic to 6to4 nodes Reflecting traffic from 6to4 nodes Local IPv4 broadcast attack

19 Attacks with Neighbor Discovery (ND) Messages (1/2) ND message Dst_6 (fe80::1)Src_6 (fe80::2) Dst_4 (9.0.0.2)Src_4 (8.0.0.1) forged address 6to4 pseudo-interface

20 Attacks with Neighbor Discovery (ND) Messages (2/2) MITIGATION METHODS The usage of ND messages could be prohibited It would prohibit any sort of ND message and thus close the doors on development and use of other ND options The 6to4 pseudo-interface could be insulated from the other interfaces using a separate neighbor cache If ND messages are needed either IPsec or an extension of SEND could be used to secure packet exchange using the link-local address

21 Spoofing traffic to 6to4 nodes (1/3) The attacker - a malicious IPv4 or IPv6 node can send packets that are difficult to trace to a 6to4 node 2001:db8::1 9.0.0.2 Spoofed Address Who!? 8.0.0.1

22 Spoofing traffic to 6to4 nodes (2/3) EXTENSIONS - Reflection DoS 9.0.0.2 2001:db8::1 Spoofed Address 8.0.0.1 2001:db8::2 2001:db8::1 TCP SYN ACK, TCP RST, ICMPv6 Echo Reply, input sent to UDP echo service, ICMPv6 Destination Unreachable …

23 Spoofing traffic to 6to4 nodes (3/3) MITIGATION METHODS Ingress filtering in the native IPv6 networks to prevent packets with spoofed IPv6 sources from being transmitted Unfortunately, it would depend on significant (or even complete) ingress filtering everywhere in other networks Security checks in the 6to4 relay This has very little cost

24 Reflecting Traffic to 6to4 nodes (1/3) Reflection DoS Spoof source Traffic off target node Relay router seem to be a attacker

25 Reflecting Traffic to 6to4 nodes (2/3) EXTENSIONS - distributed Reflection DoS A large number of nodes are involved in sending spoofed traffic with the same src_v6

26 Spoofing traffic to 6to4 nodes (3/3) MITIGATION METHODS Implementation of ingress filtering by the IPv4 service providers Distributed Reflection DoS Legitimate user to be a illegitimate user Many IPv4 service providers don’t implement Implementation of ingress filtering by all IPv6 Expecting this to happen may not be practical Security Checks It would eliminate an attack launched from an IPv4 node, except when the IPv4 source address was also spoofed Rate limiting traffic at the 6to4 relays

27 Local IPv4 broadcast attack (1/5) First kind of attack 2002:0900:00ff::bbbb If 9.0.0.255 is the router’s broadcast address

28 Local IPv4 broadcast attack (2/5) First kind of attack Broadcast!Response!

29 Local IPv4 broadcast attack (3/5) Second kind of attack 2002:0900:00ff::bbbb

30 Local IPv4 broadcast attack (4/5) Second kind of attack Broadcast!

31 Local IPv4 broadcast attack (5/5) Second kind of attack The attack is based on the premise that the 6to4 router has to send a packet that embeds an invalid IPv4 address to an IPv6 address Such an attack is easily thwarted by ensuring that the 6to4 router does not transmit packets to invalid IPv4 addresses. Specifically, traffic should not be sent to broadcast or multicast IPv4 addresses

32 Reference RFC 3056 DoS http://en.wikipedia.org/wiki/Denial_of_service DRDos http://en.wikipedia.org/wiki/Distributed_Reflection _Denial_of_Service http://en.wikipedia.org/wiki/Distributed_Reflection _Denial_of_Service

Download ppt "RFC 3964 Security Considerations for 6to4 Speaker: Chungyi Wang Adviser: Quincy Wu Date: 2007.6.25."

Similar presentations

Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.

Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.
IPv6 Introduction What is IPv6 Purpose of IPv6 (Why we need it)Purpose of IPv6 IPv6 Addressing Architecture IPv6 Header ICMP v6 Neighbor Discovery (ND)

IPv6 Introduction What is IPv6 Purpose of IPv6 (Why we need it)Purpose of IPv6 IPv6 Addressing Architecture IPv6 Header ICMP v6 Neighbor Discovery (ND)
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.

Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.

TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by 2008. Solution: Design a new IP with a larger address space, called the IP version.

1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
Implementing IPv6 Module B 8: Implementing IPv6

Implementing IPv6 Module B 8: Implementing IPv6
1 Teredo - Tunneling IPv6 through NATs Date: 2003-10-31 Speaker: Quincy Wu National Chiao Tung University.

1 Teredo - Tunneling IPv6 through NATs Date: Speaker: Quincy Wu National Chiao Tung University.
IPv4 & IPv6 Coexistence & Migration Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.

IPv4 & IPv6 Coexistence & Migration Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Network Localized Mobility Management using DHCP

Network Localized Mobility Management using DHCP
資 管 Lee Lesson 12 IPv6 Mobility. 資 管 Lee Lesson Objectives Components of IPv6 mobility IPv6 mobility messages and options IPv6 mobility data structures.

資 管 Lee Lesson 12 IPv6 Mobility. 資 管 Lee Lesson Objectives Components of IPv6 mobility IPv6 mobility messages and options IPv6 mobility data structures.
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Chapter 8b Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Describe the structure of an IPv4 address.  Describe.

Chapter 8b Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Describe the structure of an IPv4 address.  Describe.
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.

Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.

Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.

Similar presentations

Ads by Google