IPv6 Security – Prevention is better than cure

In the early days of the Internet, interconnected systems consisted of research organizations and universities. There wasn’t a sinister dark side; the Internet was used for trusted sharing and was designed without security in mind. Things changed rapidly, and the Internet now consists of commercial interconnected groups of systems running both IPv4 and IPv6. Internet-facing components are now challenged with large-scale Internet threats, such as malware, worms, and various service-exhaustion DoS attacks. IP networks carry both data and control packets in a common “pipe”. The common “pipe” and its payload require a secured infrastructure. This legacy is the same for both versions of the IP protocol: IPv4 and IPv6 systems both need security to protect the “pipe” from outside intrusion.

The main difference between IPv6 and IPv4 is the size of addresses: 128 bits for IPv6 versus 32 bits for IPv4. The larger address size results in a larger IPv6 header: the minimum IPv6 header is twice the size of the minimum IPv4 header. The Internet has evolved to use both IPv6 and the new structures of IPv6, and the threats have evolved with it to cope with the size and hierarchical nature of IPv6.

Figure: IPv6 header

Attacking IP

One of the most basic forms of IPv6 security is ingress and egress filtering at the Internet edge. Attackers can forge specially crafted IPv6 packets with a spoofed IPv6 address, so filtering based on IP address is a requirement. Spoofing modifies the source IP address or ports so that packets appear to be initiated from another location.

IPv4 networks are susceptible to “Smurf” broadcast amplification attacks, in which a packet carrying the forged address of an unknowing victim is sent to the subnet broadcast address of an IPv4 segment. This type of attack employs spoofing: the victim’s IP address is used as the source of the attack. The subnet broadcast address is the all-ones host address of each subnet (for example, 192.168.1.255 255.255.255.0). Because the packet is sent to the broadcast address, all hosts on the subnet receive it; the packet consists of an ICMP-ECHO with a payload. The hosts automatically send an ECHO-REPLY back to the victim’s spoofed address. The victim is bombarded with packets (ECHO-REPLIES), forcing CPU interrupts and eventually resulting in a Denial of Service (DoS) attack. Cisco IOS has the command “no ip directed-broadcast” on by default, but some badly designed networks use directed broadcast for next-hop processing.

So we don’t have to worry about this in IPv6, because IPv6 uses multicast and not broadcast for communication?

Multicast amplification attacks

IPv6 does not use broadcast as a form of communication, but it does use a variety of multicast addresses, essentially doing the same thing in a different way. Multicast is the method for one-to-many communication. For this reason, IPv6 multicast addresses can be used for traffic amplification.

The Smurf6 tool runs a type of Smurf attack and is run with Kali Linux. It generates lots of local ICMPv6 traffic, used to DoS local systems. Smurf6 sends locally generated ICMPv6 ECHO REQUEST packets towards the “all routers” multicast address, FF02::2. As this multicast address represents all routers on the segment, they all respond with an ICMPv6 ECHO RESPONSE to the victim’s source address. Multicast addresses can therefore be used for DoS attacks, so it is important to control who can send to these multicast addresses and who can respond to a multicast packet.

Important IPv6 RFCs

RFC 2463, “Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification”, states that no ICMP message can be generated in response to an IPv6 packet destined to multicast groups. This adds some protection if your hosts’ IPv6 stacks are designed to the RFC 2463 specification. Smurf attacks should not be a threat if all hosts are compliant with RFC 2463. However, there are two exceptions to this rule: the “packet too big” and “parameter problem” ICMP messages are generated in response to packets destined to a multicast group.

To prevent uncontrolled forwarding of these ICMPv6 message types, filter based on ICMPv6 type. To prevent packet amplification attacks using “packet too big” and “parameter problem” messages, filter on ICMPv6 Type 2 (“Packet too big”) and ICMPv6 Type 4 (“Parameter problem”). You can also rate limit these message types with the ipv6 ICMP rate-limit command.

IPv6 Filtering

RFC 4890 outlines guidelines for filtering ICMPv6 messages in firewalls. In summary, make sure you either filter these options or allow only trusted sources and deny everything else. If you are unsure whether hosts are compliant with these RFCs, perform ingress filtering of packets with IPv6 multicast source addresses. As a recommendation, purchase firewalls that support stateful filtering of IPv6 packets and ICMPv6 messages. It’s always better to prevent an attack than to react to one.
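The filtering rules from the last two sections, written out as an added Python example (not code from the original article): a stateless edge decision that drops multicast source addresses, marks ICMPv6 Types 2 and 4 for rate limiting, and permits echo requests to multicast groups only from trusted prefixes. The function names, the `trusted` parameter, the decision labels and the 2001:db8:: sample addresses are assumptions made for illustration.

```python
import ipaddress

# Added example: names, decision labels and the trusted list are illustrative assumptions.
ICMPV6, FRAGMENT = 58, 44
EXT_HEADERS = {0, 43, 60}        # hop-by-hop, routing, destination options
RATE_LIMITED = {2, 4}            # Packet Too Big, Parameter Problem
ECHO_REQUEST = 128

def parse(packet: bytes):
    """Return (src, dst, ICMPv6 type or None) for a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not IPv6")
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    nxt, off = packet[6], 40
    # Walk extension headers so the ICMPv6 type cannot hide behind them.
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if len(packet) < off + 8:
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT and int.from_bytes(packet[off + 2:off + 4], "big") >> 3:
            return src, dst, None      # later fragment: no ICMPv6 header to read
        size = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        nxt, off = packet[off], off + size
    if nxt != ICMPV6:
        return src, dst, None
    if len(packet) <= off:
        raise ValueError("truncated ICMPv6")
    return src, dst, packet[off]

def decide(packet: bytes, trusted=()) -> str:
    """Edge decision: 'drop', 'rate-limit' or 'permit'."""
    try:
        src, dst, icmp_type = parse(packet)
    except ValueError:
        return "drop"
    if src.is_multicast:               # ff00::/8 is never a legitimate source
        return "drop"
    if icmp_type in RATE_LIMITED:
        return "rate-limit"
    if icmp_type == ECHO_REQUEST and dst.is_multicast:
        return "permit" if any(src in net for net in trusted) else "drop"
    return "permit"

def sample(src: str, dst: str, icmp_type: int, ext: bytes = b"") -> bytes:
    """Constructed test packet: fixed header, optional hop-by-hop header, ICMPv6."""
    body = ext + bytes([icmp_type, 0, 0, 0]) + bytes(4)
    head = bytes([0x60, 0, 0, 0]) + len(body).to_bytes(2, "big") + bytes([0 if ext else ICMPV6, 64])
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body
```

Later fragments carry no ICMPv6 header, so this stateless check passes them uninspected, which is the kind of gap the stateful firewall recommended above closes.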


About Matt Conran

Matt Conran has created 165 entries.
