IPv6 Security

Deploying IPv6 changes nothing above the Layer 3 “Network” layer. Both IPv4 and IPv6 are network layer protocols; the protocols above and below them are the same for either IP version. Existing problems, such as the lack of a session layer in Transmission Control Protocol ( TCP ), which binds a connection to a pair of IP addresses, continue to exist in IPv6. The limitations exposed by multihoming and the rapid growth of the Default Free Zone ( DFZ ) routing table are not solved by deploying IPv6 either.

Attacks against an IPv6 network fall within the following areas, each covered below: network attacks carried over from IPv4, dual-stack and tunnelling exposures, first hop attacks against Router Advertisement, DHCPv6 and Neighbor Discovery, and attacks that abuse IPv6 extension headers and fragmentation.

Network Attacks

We have similar security problems but with different countermeasures. For example, instead of IPv4 ARP spoofing we have IPv6 Neighbor Discovery ( ND ) spoofing. Existing network attacks such as flooding / DoS, eavesdropping, session hijacking, DNS attacks, man-in-the-middle attacks and routing security problems are all still present with IPv6. The majority of vulnerabilities are at the application layer, and application layer attacks are identical in IPv4 and IPv6: SQL injection still occurs in an application whether it is reached over IPv4 or IPv6. However, IPv6 adds security considerations of its own, such as dual-stack exposures and tunnelling exposures, that are not a concern with IPv4 alone and must be addressed.

IPv6 Dual-Stack Problems

Running both IPv4 and IPv6 at the same time is called dual stack. A router can support two or more routed protocols and forward each type of traffic. The two protocols, IPv4 and IPv6, share the same physical node but act independently. Dual stacking follows the concept known as “ships-in-the-night” routing: packets of each protocol pass each other without affecting one another, and each protocol has its own routing table, its own neighbour resolution and its own security policy.

It is recommended to approach dual stack with care, as the multi-protocol world is tricky. The problem arises when IPv6 appears on a segment without anyone planning for it: every server and host on that segment is then exposed to IPv6 threats. Imagine a protected server segment running iptables on the servers, NIC level firewalls and stateful aggregation layer firewalls. Best practices are followed and the segment is protected for IPv4. What you do not control is whether the servers have IPv6 enabled, and on most operating systems it is enabled by default. The minute a router ( or an intruder ) sends Router Advertisement ( RA ) messages on that segment, the servers auto-configure IPv6 addresses and become reachable over IPv6 transport, bypassing every IPv4-only rule. This may not be a problem with Windows servers, as Windows Firewall applies to both IPv4 and IPv6. Linux servers, however, have separate rule sets for IPv4 and IPv6: iptables for IPv4 and ip6tables for IPv6. A host with a careful iptables policy and an empty ip6tables policy is wide open over IPv6. ( nftables, which replaces both, can apply a single rule set to both protocols through its inet family. )
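The gap described above is easy to audit mechanically. The following is an added example, not code from the original article: it parses the text format produced by iptables-save and ip6tables-save and reports every chain that is restrictive for IPv4 but wide open for IPv6. The three dumps embedded in the script are constructed for the example ( the IPv4 one is the “protected segment”, the IPv6 ones are an untouched default and a mirrored policy ); on a real host you would feed it the live output of the two save commands.

```python
"""Audit IPv4 vs IPv6 firewall parity from iptables-save / ip6tables-save dumps."""
from typing import Dict, List, Tuple

# Constructed sample dumps, not taken from a real host. The IPv4 policy is the
# "protected segment" from the text; the IPv6 side is first the untouched default.
IPTABLES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
IP6TABLES_DEFAULT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
IP6TABLES_MIRRORED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s 2001:db8:10::/48 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

Chains = Dict[str, Dict[str, Tuple[str, List[str]]]]   # table -> chain -> (policy, rules)


def parse_save(dump: str) -> Chains:
    """Parse the *table / :CHAIN POLICY / -A rule lines of an (ip|ip6)tables-save dump."""
    tables: Chains = {}
    table = ""
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                       # "*filter"
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):                     # ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            tables[table][name] = (policy, [])
        elif line.startswith("-A"):                    # "-A INPUT ... -j ACCEPT"
            chain = line.split()[1]
            tables[table].setdefault(chain, ("-", []))[1].append(line)
    return tables


def exposure_gaps(v4: Chains, v6: Chains) -> List[str]:
    """Chains that are restrictive for IPv4 but wide open (ACCEPT, no rules) for IPv6."""
    gaps = []
    for table, chains in v4.items():
        for chain, (policy4, rules4) in chains.items():
            restrictive4 = policy4 == "DROP" or any(
                r.endswith(("-j DROP", "-j REJECT")) for r in rules4)
            policy6, rules6 = v6.get(table, {}).get(chain, ("ACCEPT", []))
            if restrictive4 and policy6 == "ACCEPT" and not rules6:
                gaps.append(f"{table}/{chain}: IPv4 {policy4} with {len(rules4)} rules, "
                            f"IPv6 ACCEPT with no rules")
    return gaps


if __name__ == "__main__":
    for gap in exposure_gaps(parse_save(IPTABLES_V4), parse_save(IP6TABLES_DEFAULT)):
        print("EXPOSED:", gap)
```

Run against the constructed dumps, the audit reports filter/INPUT and filter/FORWARD as exposed over IPv6 while the mirrored IPv6 policy reports nothing. Note that the mirrored policy deliberately permits ICMPv6, since Neighbor Discovery and Path MTU Discovery stop working without it; servers that should not autoconfigure at all can additionally set the sysctl net.ipv6.conf.all.accept_ra to 0.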

IPv6 Common Mistakes

Linux hosts receive RA messages, and some dual-stack Linux hosts that hold only a link-local IPv6 address still attempt outbound IPv6 sessions. A link-local address is valid only on its own link, so the first hop router sends back an ICMPv6 Destination Unreachable with code 2, “beyond scope of source address”. Most Linux distributions terminate the IPv6 attempt on that error so the application can fall back to IPv4. Others do not fall back immediately and wait for TCP to time out, causing considerable application outages.

As a temporary measure, people started to build IPv6 tunnels, and tunnel related exposures exist as a result: tunnelled IPv6 slips past inspection that only understands IPv4. Teredo, which carries IPv6 inside UDP over IPv4 and traverses NAT, is the most notorious. All IPv6 tunnels should be blocked at the firewall unless deliberately deployed: IP protocol 41 ( 6to4, 6in4 and ISATAP ) and UDP port 3544 ( Teredo servers ).

IPv6 First Hop Vulnerabilities

Fake Router Advertisement ( RA ) Messages

IPv6 routers advertise themselves via Router Advertisement ( RA ) messages, ICMPv6 type 134, typically sent to the all-nodes multicast address ff02::1. Hosts listen to these messages and use them to learn the first hop / gateway router, the on-link prefixes and, optionally, the DNS servers to use. If a host needs to send traffic off its local LAN ( off-net traffic ), it sends it to the first hop router that sent the best RA. RA messages carry a router preference field ( high, medium or low, RFC 4191 ) and a router lifetime, which can be used for backup routing: an RA with a higher preference wins default router selection, and a lifetime of zero tells hosts that the sender is not a default router.

An intruder can advertise itself as the IPv6 first hop router, and any host that believes the RA will send the intruder its off-net traffic. Once traffic is intercepted the attacker has numerous options. It can answer the hosts' Domain Name System ( DNS ) requests itself instead of forwarding them to the legitimate DNS server, or simply discard the traffic, a DoS against the hosts. Rogue RAs are also sent by accident, by misconfigured hosts and devices; RFC 6104 describes the problem.

Countermeasure: One way to mitigate RA attacks is host isolation with Private VLANs, so that hosts can only talk to the promiscuous ports where the real routers sit. The problem with Private VLANs is that they disable communication between hosts on the same subnet, which Neighbor Discovery needs, for example for Duplicate Address Detection ( DAD ).

RFC 6105 introduced mitigation techniques in the form of Port ACLs, RA-Guard lite and RA-Guard: the access switch drops RAs arriving on any port that is not a known router port. Be aware that a naive RA-Guard can be evaded by fragmenting the RA or hiding it behind extension headers; RFC 7113 gives implementation advice for handling this, and RFC 6980 forbids fragmented Neighbor Discovery messages outright, so a guard may drop them.
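To make the “best RA” selection concrete, here is an added example ( not code from the original article ) that parses the fixed part and the common options of an RA, applies the RFC 4191 preference rule that hosts use to pick a default router, and reports what an RA-Guard-style monitor would flag. The two RAs it parses are constructed for the example with the build_ra helper; the ICMPv6 checksum is left at zero because computing it needs the IPv6 pseudo-header, which is outside the scope of the parser, and the link-local source address is assumed to be handed in by whatever captured the packet.

```python
"""Parse IPv6 Router Advertisements and flag rogue ones (added example)."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

ICMPV6_RA = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25
# RFC 4191 "Prf" field, bits 4-3 of the RA flags byte; 10 is reserved and treated as medium.
PREF_NAME = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
PREF_RANK = {"high": 2, "medium": 1, "low": 0}


@dataclass
class RouterAdvertisement:
    src: str                          # link-local source from the IPv6 header, supplied by the caller
    hop_limit: int
    managed: bool                     # M flag: get addresses from DHCPv6
    other: bool                       # O flag: get other information (e.g. DNS) from DHCPv6
    preference: str
    router_lifetime: int              # 0 means "I am not a default router"
    src_lladdr: Optional[str] = None
    prefixes: List[str] = field(default_factory=list)
    rdnss: List[str] = field(default_factory=list)   # DNS servers pushed via the RFC 8106 option


def parse_ra(src: str, icmp: bytes) -> RouterAdvertisement:
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime = struct.unpack("!BBH", icmp[4:8])
    ra = RouterAdvertisement(src, hop_limit, bool(flags & 0x80), bool(flags & 0x40),
                             PREF_NAME[(flags >> 3) & 0x3], lifetime)
    pos = 16                                           # fixed part is 16 bytes, then TLV options
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1]         # option length is in units of 8 octets
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: receivers must discard the packet
        body = icmp[pos + 2 : pos + olen * 8]
        if otype == OPT_SRC_LLADDR:
            ra.src_lladdr = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO:                 # prefix length at [0], prefix itself at [14:30]
            ra.prefixes.append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS:                       # reserved(2) lifetime(4) then 16-byte addresses
            ra.rdnss += [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
        pos += olen * 8
    return ra


def build_ra(preference: str, lifetime: int, mac: bytes, prefix: str,
             dns: Optional[str] = None) -> bytes:
    """Constructed test input. Checksum left 0: it needs the IPv6 pseudo-header, not modelled here."""
    prf = {"high": 0b01, "medium": 0b00, "low": 0b11}[preference]
    head = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, prf << 3, lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    opts = struct.pack("!BB", OPT_SRC_LLADDR, 1) + mac
    opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,   # L and A flags set
                        2592000, 604800, 0) + net.network_address.packed
    if dns:
        opts += struct.pack("!BBHI", OPT_RDNSS, 3, 0, lifetime) + ipaddress.IPv6Address(dns).packed
    return head + opts


def select_default_router(ras: List[RouterAdvertisement]) -> Optional[RouterAdvertisement]:
    """RFC 4191 default router selection: highest preference among routers with non-zero lifetime."""
    candidates = [r for r in ras if r.router_lifetime > 0]
    return max(candidates, key=lambda r: PREF_RANK[r.preference], default=None)


def rogue_ra_alerts(ra: RouterAdvertisement, trusted_routers: Set[str]) -> List[str]:
    """What an RA-Guard-like monitor would report for an RA from an unexpected source."""
    if ra.src in trusted_routers:
        return []
    alerts = [f"RA from untrusted source {ra.src} (link-layer {ra.src_lladdr})"]
    if ra.preference == "high":
        alerts.append("claims high router preference: wins default-router selection over the real gateway")
    if ra.rdnss:
        alerts.append(f"pushes DNS servers {ra.rdnss}: hosts will resolve names via the intruder")
    return alerts


# Constructed sample: the real gateway and an intruder on the same link.
TRUSTED = {"fe80::1"}
LEGIT_RA = parse_ra("fe80::1", build_ra("medium", 1800, bytes.fromhex("001122334455"), "2001:db8:1::/64"))
ROGUE_RA = parse_ra("fe80::bad", build_ra("high", 9000, bytes.fromhex("deadbeef0001"), "2001:db8:1::/64",
                                          dns="2001:db8:bad::53"))
```

With both RAs on the link, select_default_router picks the intruder purely because it set the preference bits to “high”, and the RDNSS option lets it take over DNS resolution without a DHCPv6 server at all. The checks in rogue_ra_alerts are the ones a switch-side RA-Guard applies per port, keyed on trusted router ports rather than on addresses.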

 

IPv6 DHCPv6 Attacks

An intruder can pretend to be the DHCPv6 server. Even when hosts use Stateless Address Autoconfiguration ( SLAAC ) for their addresses, they still need the address of an IPv6 DNS server. If the RA sets the O ( Other configuration ) flag, a host that has obtained its address automatically sends a DHCPv6 Information-request asking for the IPv6 address of the DNS server. An intruder on the link answers first with a Reply carrying a bogus DNS server address, and from then on can return bogus IPv6 addresses for whatever host names the client queries. ( RAs can also carry DNS servers directly in the RDNSS option, RFC 8106, so the same poisoning is possible with a fake RA. )

Countermeasure: DHCPv6 clients listen on UDP port 546 and servers on UDP port 547, so an input ACL on the L2 access switches that denies UDP traffic destined to port 546 from host-facing ports means the intruder can try to reply but the reply is dropped before it reaches any client; the real server's replies arrive via the uplink and are unaffected. DHCPv6 guard implements the same idea as a switch feature: server messages are accepted only from ports marked as trusted.
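The exchange and the filter described above, as an added example that is not part of the original article: a client Information-request asking for DNS servers, a legitimate Reply, a rogue Reply that points the client at an attacker-controlled resolver, and a dhcpv6_guard function modelling the switch-side decision ( which port is “trusted” is a hypothetical attribute of the ingress port, and the DUIDs and addresses are constructed ).

```python
"""DHCPv6 Information-request / Reply exchange and a guard filter (added example)."""
import ipaddress
import struct
from typing import Dict, List, Tuple

CLIENT_PORT, SERVER_PORT = 546, 547          # RFC 8415: clients listen on 546, servers/relays on 547
MSG_ADVERTISE, MSG_REPLY, MSG_RECONFIGURE, MSG_INFORMATION_REQUEST = 2, 7, 10, 11
SERVER_MESSAGES = {MSG_ADVERTISE, MSG_REPLY, MSG_RECONFIGURE}
OPT_SERVERID, OPT_ORO, OPT_DNS_SERVERS = 2, 6, 23


def build_msg(msg_type: int, xid: int, options: List[Tuple[int, bytes]]) -> bytes:
    """msg-type (1 byte), transaction-id (3 bytes), then option TLVs (2-byte code, 2-byte length)."""
    out = struct.pack("!I", (msg_type << 24) | (xid & 0xFFFFFF))
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + data
    return out


def parse_msg(pkt: bytes) -> Tuple[int, int, Dict[int, bytes]]:
    (head,) = struct.unpack("!I", pkt[:4])
    opts: Dict[int, bytes] = {}
    pos = 4
    while pos + 4 <= len(pkt):
        code, length = struct.unpack("!HH", pkt[pos:pos + 4])
        opts[code] = pkt[pos + 4 : pos + 4 + length]
        pos += 4 + length
    return head >> 24, head & 0xFFFFFF, opts


def dns_servers(opts: Dict[int, bytes]) -> List[str]:
    """Option 23 is a list of 16-byte IPv6 addresses."""
    data = opts.get(OPT_DNS_SERVERS, b"")
    return [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]


def dhcpv6_guard(ingress_trusted: bool, src_port: int, dst_port: int, payload: bytes) -> bool:
    """Switch-side decision in the spirit of the text's ACL / DHCPv6 guard: anything that looks
    like a server talking to a client is only accepted from a trusted port (the uplink or the
    real server's port). Client requests are allowed from any port."""
    msg_type, _, _ = parse_msg(payload)
    looks_like_server = dst_port == CLIENT_PORT or (
        src_port == SERVER_PORT and msg_type in SERVER_MESSAGES)
    return ingress_trusted or not looks_like_server


# Constructed exchange: a SLAAC client (O flag set) asks for DNS; two servers answer.
XID = 0xABCDEF
INFO_REQUEST = build_msg(MSG_INFORMATION_REQUEST, XID,
                         [(OPT_ORO, struct.pack("!H", OPT_DNS_SERVERS))])
LEGIT_REPLY = build_msg(MSG_REPLY, XID, [
    (OPT_SERVERID, bytes.fromhex("0002000000090000000000000001")),   # DUID-EN, constructed
    (OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::53").packed)])
ROGUE_REPLY = build_msg(MSG_REPLY, XID, [
    (OPT_SERVERID, bytes.fromhex("00020000000900000000000000ff")),   # DUID-EN, constructed
    (OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:db8:bad::53").packed)])
```

Both replies are well-formed and both match the client's transaction id; nothing in the protocol lets the client tell them apart, which is why the decision has to be made at the switch on the basis of where the reply came from rather than what it contains.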

 

Fake Neighbor Solicitation and Advertisement Messages

When a router receives a Neighbor Solicitation ( NS ), it takes the source address of the message and records it in its neighbor cache. Excessive neighbor solicitations from an intruder, each with a different source address, fill up this cache, causing router ND cache overflow and increased CPU load on the router, overloading the control plane. A spoofed Neighbor Advertisement ( NA ), the IPv6 equivalent of ARP spoofing, instead overwrites an existing cache entry so that traffic for the victim is delivered to the intruder's MAC address.

 

Countermeasure: Mitigate with control plane protection ( policing the ND traffic punted to the CPU ), ND inspection ( the switch validates NS / NA messages against its binding table of known address-to-port mappings ) and per-interface ND cache limits ( a hard cap on the number of unresolved neighbor entries an interface may hold ).

 

 

Typical Attacks

Remote Neighbor Discovery Attacks

Remote Neighbor Discovery attacks occur when an intruder scans an IPv6 subnet with “valid” IPv6 packets, either “valid” TCP SYN packets or pings, from anywhere on the Internet.

Each packet for an unknown, directly connected destination address triggers the last hop router's Neighbor Discovery mechanism: the router creates an INCOMPLETE neighbor cache entry and sends a Neighbor Solicitation for an address that does not exist. Enough of these cause ND cache overload and CPU overload on the router ( RFC 6583 documents the problem ). The key point is that the attacker triggers the attack remotely, without being on the link.

This was never much of a problem with IPv4, where subnets are small. In IPv6 a standard /64 subnet has 2^64 addresses; an attacker can scan it indefinitely and exhaust the neighbor cache of the last layer 3 switch or router in front of it.

 

Countermeasure: Input ACLs that permit only the IPv6 addresses actually assigned within each subnet, so that packets for non-existent hosts are dropped before they trigger neighbor discovery. Beware that some devices perform ND processing before checking the inbound ACL; check the order of operations in the forwarding path of your platform, because an ACL applied after ND does not protect the cache. Add control plane policing and neighbor cache limits. Prefixes longer than /64 shrink the space an attacker can scan; people use /127 on point-to-point links ( RFC 6164 ) and /128 routes for individual servers. Use this with care, as it breaks SLAAC, which assumes a /64. Inbound ACLs are the better primary control, with longer prefixes as a secondary one.
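The order-of-operations caveat is easiest to see in a model. The following is an added example, not code from the original article and not any vendor's implementation: a toy last hop router with a per-interface cap on INCOMPLETE neighbor entries and an optional input ACL, run against a remote sweep of the low end of a /64. The subnet, the host list and the cap of 128 entries are constructed for the example.

```python
"""Model of remote neighbor-cache exhaustion and the ACL-ordering caveat (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class NeighborCache:
    """Per-interface neighbor cache with a cap on unresolved (INCOMPLETE) entries."""
    limit: int
    entries: Dict[str, str] = field(default_factory=dict)    # address -> state
    refused: int = 0

    def incomplete(self) -> int:
        return sum(1 for state in self.entries.values() if state == "INCOMPLETE")

    def resolve(self, dst: str) -> bool:
        """Called for every packet to an on-link address; creates an entry and (in reality) sends an NS."""
        if dst in self.entries:
            return True
        if self.incomplete() >= self.limit:    # the countermeasure: refuse to grow past the cap
            self.refused += 1
            return False
        self.entries[dst] = "INCOMPLETE"       # for a non-existent host the NA never comes back
        return True


@dataclass
class LastHopRouter:
    subnet: ipaddress.IPv6Network
    cache: NeighborCache
    permitted: Optional[Set[str]] = None       # input ACL: addresses actually assigned to hosts
    acl_before_nd: bool = True                 # forwarding-path order of operations, platform dependent
    acl_drops: int = 0

    def _permit(self, dst: str) -> bool:
        return self.permitted is None or dst in self.permitted

    def forward(self, dst: str) -> str:
        if ipaddress.IPv6Address(dst) not in self.subnet:
            return "not-on-link"
        if self.acl_before_nd and not self._permit(dst):
            self.acl_drops += 1
            return "acl-drop"                  # dropped before ND ever runs: cache untouched
        resolved = self.cache.resolve(dst)
        if not self.acl_before_nd and not self._permit(dst):
            self.acl_drops += 1
            return "acl-drop"                  # dropped, but the INCOMPLETE entry was already created
        return "queued-for-ns" if resolved else "cache-full"


def remote_scan(router: LastHopRouter, probes: int) -> None:
    """An off-link attacker sweeping the low end of the /64 with SYNs or pings."""
    for i in range(1, probes + 1):
        router.forward(str(router.subnet[i]))


SUBNET = ipaddress.IPv6Network("2001:db8:1::/64")
ASSIGNED = {"2001:db8:1::10", "2001:db8:1::20", "2001:db8:1::1234"}   # constructed host list


def scenario(permitted: Optional[Set[str]], acl_before_nd: bool, probes: int = 1000) -> LastHopRouter:
    router = LastHopRouter(SUBNET, NeighborCache(limit=128), permitted, acl_before_nd)
    remote_scan(router, probes)
    return router
```

Without an ACL the sweep fills the cache to its cap and a packet for the real host 2001:db8:1::1234 is then refused: the cap saves the router but not the victim. With the ACL applied before ND only the two assigned addresses in the scanned range enter the cache and the real host resolves normally. With the same ACL applied after ND the scan packets are still dropped, yet the cache fills exactly as in the unprotected case, which is the point of checking the forwarding-path order of operations. On Linux the comparable cap is the sysctl net.ipv6.neigh.default.gc_thresh3.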

 

Duplicate Address Detection ( DAD ) Attacks

Autoconfiguration works by a host creating its own IPv6 address and sending out a Neighbor Solicitation for it, asking whether anyone else on the link is already using that address. An intruder can reply to every such probe with “yes, I am”, so that no host ever completes an address and autoconfiguration is effectively disabled on that LAN.

Countermeasure: ND inspection, which checks the “address in use” reply against the switch's binding table and drops it when it comes from a port that does not own the address.

 

IPv6 Fragmented DOS Attacks

IPv6 has numerous extension headers, offering attackers tremendous options. One is to stuff in so many extension headers that the packet has to be fragmented, which pushes the real TCP and UDP port numbers into a later fragment where a stateless firewall or ACL cannot see them. RFC 7112 therefore requires the entire header chain, up to and including the transport header, to be in the first fragment; firewalls should drop first fragments that do not contain it, and should drop fragmented Neighbor Discovery messages outright ( RFC 6980 ).

The Hop-by-Hop Options header tells every router on the path to inspect and act on it, typically in software on the control plane, which makes it a great DoS tool.

The Routing header type 0 ( RH0 ) is the equivalent of IP source routing in IPv4 and is deprecated ( RFC 5095 ); it should be dropped by default.

Firewalls and ACLs should be able to filter on extension headers, but performing Deep Packet Inspection ( DPI ) on an IPv6 packet that contains many extension headers is resource intensive: the inspecting device has to walk the whole chain before it even finds the upper-layer header.

Firewalls should therefore limit the number of extension headers per packet and drop packets that exceed the limit.
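The walk a firewall has to perform is shown in the following added example, which is not code from the original article. It follows the Next Header chain of a raw IPv6 packet, enforces the rules discussed above ( RH0 dropped, Hop-by-Hop only in first position, a cap on the number of extension headers, first fragments must carry the transport header ) and only then reports the ports. The packets it inspects are constructed for the example; the cap of four extension headers is an assumed policy value, and the “reassemble” verdict stands for whatever a stateful device does with non-first fragments, which a stateless ACL simply cannot filter on ports.

```python
"""Walk an IPv6 extension-header chain the way a firewall must before it can filter (added example)."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 51, 60, 59
TCP, UDP = 6, 17
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
MAX_EXTENSION_HEADERS = 4     # assumed policy limit, tune per deployment


@dataclass
class Verdict:
    action: str                            # "accept", "drop" or "reassemble"
    reason: str = ""
    chain: List[int] = field(default_factory=list)
    upper: Optional[int] = None
    ports: Optional[Tuple[int, int]] = None


def inspect(pkt: bytes, max_ext: int = MAX_EXTENSION_HEADERS) -> Verdict:
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return Verdict("drop", "not an IPv6 packet")
    nh, pos, chain, first_fragment = pkt[6], 40, [], False
    while nh in EXTENSION_HEADERS:
        if pos + 8 > len(pkt):
            return Verdict("drop", "truncated extension header", chain)
        chain.append(nh)
        if len(chain) > max_ext:
            return Verdict("drop", f"more than {max_ext} extension headers", chain)
        if nh == HOP_BY_HOP and pos != 40:
            return Verdict("drop", "Hop-by-Hop header must be first (RFC 8200)", chain)
        if nh == ROUTING and pkt[pos + 2] == 0 and pkt[pos + 3] > 0:
            return Verdict("drop", "RH0 with segments left (deprecated, RFC 5095)", chain)
        if nh == FRAGMENT:
            offset_flags = struct.unpack("!H", pkt[pos + 2:pos + 4])[0]
            if offset_flags >> 3:                # non-zero offset: not the first fragment
                return Verdict("reassemble", "non-first fragment: transport ports not visible", chain)
            first_fragment, size = True, 8
        elif nh == AH:
            size = (pkt[pos + 1] + 2) * 4        # AH length is in 4-octet units minus 2
        else:
            size = (pkt[pos + 1] + 1) * 8        # other headers: 8-octet units not counting the first 8
        nh, pos = pkt[pos], pos + size
    if nh == NO_NEXT_HEADER:
        return Verdict("accept", "no upper-layer payload", chain, nh)
    if nh in (TCP, UDP):
        if pos + 4 > len(pkt):
            why = ("first fragment without the transport header (RFC 7112)" if first_fragment
                   else "truncated transport header")
            return Verdict("drop", why, chain, nh)
        return Verdict("accept", "", chain, nh, struct.unpack("!HH", pkt[pos:pos + 4]))
    return Verdict("accept", "", chain, nh)


# Constructed packets: fixed 40-byte IPv6 header, then the header chain under test.
SRC = ipaddress.IPv6Address("2001:db8:bad::1").packed
DST = ipaddress.IPv6Address("2001:db8:1::80").packed


def ipv6(nh: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + SRC + DST + payload


def opts_header(nh: int, padn: bytes = b"\x01\x04\x00\x00\x00\x00") -> bytes:
    """Minimal 8-byte Hop-by-Hop / Destination Options header holding one PadN option."""
    return struct.pack("!BB", nh, 0) + padn


TCP_SYN = struct.pack("!HH", 40000, 443) + bytes(16)     # ports plus the rest of a 20-byte TCP header

PLAIN = ipv6(TCP, TCP_SYN)
RH0 = ipv6(ROUTING, struct.pack("!BBBB", TCP, 2, 0, 1) + bytes(4) + DST + TCP_SYN)
HIDDEN_PORTS = ipv6(FRAGMENT, struct.pack("!BBHI", TCP, 0, 0b1, 0x1234))   # offset 0, M=1, no TCP header
HBH_NOT_FIRST = ipv6(DEST_OPTS, opts_header(HOP_BY_HOP) + opts_header(TCP) + TCP_SYN)


def too_many_headers(n: int) -> bytes:
    """n Destination Options headers in front of the TCP header."""
    chain, nh = TCP_SYN, TCP
    for _ in range(n):
        chain, nh = opts_header(nh) + chain, DEST_OPTS
    return ipv6(nh, chain)
```

HIDDEN_PORTS is the case from the text: a first fragment that ends right after the Fragment header, so the TCP ports live in a fragment the filter never sees; RFC 7112 lets the firewall drop it without reassembly. The RH0 check looks at the routing type byte and the segments-left count, since an RH0 with zero segments left is harmless; and the header count is checked before anything else is parsed, so the cost of a packet stuffed with headers is bounded.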

 

About Matt Conran
