
IPv6 Host Exposure

 


The Internet Protocol version 6 (IPv6) is the successor to IPv4 in today’s interconnected world. With the IPv4 address pool exhausted, IPv6 offers a vastly larger address space and was designed with IPsec as an integral part of the stack. However, its adoption has also introduced new challenges, particularly regarding host exposure. In this blog post, we will explore the concept of IPv6 host exposure, its implications, and effective mitigation strategies.

IPv6 host exposure refers to the visibility or reachability of a particular host or device connected to an IPv6 network. In IPv4, Network Address Translation (NAT) hides internal addresses as a side effect of address sharing; it was never designed as a security control, but many networks have come to depend on it as one. IPv6 assigns globally unique addresses to each device, so whether a host can be reached from the Internet is decided purely by the filtering policy on the path. Where no stateful firewall sits in that path, every device connected to the IPv6 network is directly reachable from the Internet, making it far more susceptible to attack.

 

Highlights: IPv6 Host Exposure

  • No NAT in IPv6

IPv6, or Internet Protocol version 6, is the latest version of the Internet Protocol, designed to replace the older IPv4. IPv6 provides a larger address space, a simpler fixed-length header, and better support for mobile devices and multicast. However, as with any new technology, IPv6 introduces new security challenges, including IPv6 host exposure.

Host exposure refers to a host being directly accessible from the Internet without any network address translation (NAT) or firewall protection. In IPv4, host exposure is typically prevented by NAT, which maps private IP addresses to a shared public address and, as a side effect, makes unsolicited inbound connections impossible unless they are explicitly forwarded. In IPv6, there is no need for NAT, as each device can have its own globally routable address.

This means an IPv6 host with no stateful firewall in front of it is exposed in a way its IPv4 counterpart behind NAT is not. Attackers can scan for and exploit vulnerabilities in such hosts directly. The filtering that NAT provided by accident must therefore be provided deliberately, and taking appropriate measures to protect IPv6 hosts from exposure is essential.

  • The Role of Firewalls and IPsec

One way to protect IPv6 hosts is to use firewalls that support IPv6. A stateful IPv6 firewall that permits outbound sessions and denies unsolicited inbound traffic (the default policy RFC 6092 recommends for residential gateways) gives the same practical effect as NAT in IPv4 without translating any addresses. It is also important to regularly apply security patches and updates to IPv6 hosts to prevent known vulnerabilities from being exploited.

Another way to protect IPv6 hosts is to use IPv6 security protocols, such as IPsec, which the IPv6 node requirements originally made mandatory to implement (RFC 6434 and RFC 8504 later relaxed this to a recommendation). IPsec provides authentication and encryption for IPv6 packets, ensuring they are not tampered with or read by attackers in transit, and can secure communication between hosts or between hosts and routers. Note that IPsec does nothing about exposure itself: a host that is reachable stays reachable, and the exposed service must still be filtered and patched.

 


 



IPv6 Attacks

Key IPv6 Host Exposure Discussion Points:


  • Introduction to IPv6 Host Exposure and what is involved.

  • Highlighting the details of the different types of IPv6 attacks.

  • Critical points on IPv6 security vulnerabilities. 

  • Technical details on the issues with dual stack ( IPv4 & IPv6 ) deployments.  

  • Technical details on IPv6 First Hop vulnerabilities.

 

Back to basics with IPv6 Security.

IPv6 Security 

IPv6 security is an essential component of modern network architecture. By utilizing the latest security technology, organizations can ensure their networks are secure from malicious actors and threats. IPv6 is an upgrade from the IPv4 protocol and has many advantages: a vastly larger address space, a simpler fixed-length header that is cheaper to forward, and first-class multicast. It also makes generous subnetting cheap (a /64 per segment is the norm), which makes it easier to design segmented, secure networks.

So, what is IPv6 Host Exposure? Firstly, IPv6 as a protocol suite isn’t inherently more or less secure than its predecessor. As with IPv4, most IPv6 attacks and security incidents arise from design and implementation issues rather than weaknesses in the underlying technology. Therefore, we need to consider critical areas of IPv6 security, such as IPv6 host exposure and the numerous IPv6 security vulnerabilities that IPv6 stacks are susceptible to.

Many organizations already have IPv6 running on their networks without realizing it. Most current operating systems enable both IPv4 and IPv6 by default. This is known as dual-stack mode, and it creates a gap whenever one protocol is filtered and monitored while the other is not. IPv6 security vulnerabilities exist today, and as the popularity of the IPv6 protocol increases, so does the number of IPv6 security vulnerabilities and threats.

 

  • A key point: Lab on IPv6 security with access lists

Access lists in IPv6 are used more or less the same way as they are in IPv4: for filtering and selecting traffic. Recall that on Cisco IOS, IPv6 access lists have 3 invisible statements at the bottom:

  1. permit icmp any any nd-na
  2. permit icmp any any nd-ns
  3. deny ipv6 any any

In the following screenshot, I have an IPv6 access list set inbound on R1 to permit telnet traffic from R2 explicitly. Any other type of traffic, such as ping, will be blocked by the access list, known as an access filter. The two implicit nd-na and nd-ns permits are what keep Neighbor Discovery working on the link even though everything else is denied; if you place an explicit deny for ICMPv6 ahead of them, R1 will stop resolving its neighbours. As a security best practice, I also recommend you turn on “no ipv6 unreachables” on the interface. By default, a packet dropped by the filter triggers an ICMPv6 Destination Unreachable (type 1, code 1, administratively prohibited) back to the sender, which tells them exactly that an access filter exists.

You don’t want a bad actor to know that an access filter is dropping their packets, as they will try to circumvent it. With the following command enabled under the interface, packets are dropped silently. Be aware of the trade-off: suppressing unreachables also hides the drop from legitimate users, whose connections will simply time out, and you should confirm that path MTU discovery (ICMPv6 Packet Too Big, type 2) still works through the interface after the change.

Diagram: IPv6 security

 

Implications of IPv6 Host Exposure:

1. Increased attack surface: Every IPv6 host has a globally routable address, so any service listening on it is directly addressable from the Internet unless a filter is in place. Brute-force scanning a /64 is impractical, but attackers do not need to: predictable addresses (::1, ::53, identifiers derived from MAC addresses), DNS records, and addresses leaked in logs and mail headers narrow the search. With direct access to each device, attackers can exploit security vulnerabilities, potentially leading to unauthorized access, data breaches, or service disruptions.

2. Lack of visibility: Traditional security tools and monitoring systems primarily designed for IPv4 networks may not parse IPv6 at all, may not see IPv6 traffic tunnelled inside IPv4, or may simply have no IPv6 rules loaded. This lack of visibility can leave organizations unaware of potential security breaches or ongoing attacks.

3. Misconfiguration risks: IPv6 addressing and configuration complexity can result in misconfigurations that inadvertently expose hosts to the Internet, the classic case being a host that receives a global address through autoconfiguration while its firewall rules only cover IPv4. These misconfigurations open up opportunities for attackers to compromise devices or networks.

4. Privacy concerns: An IPv6 address whose interface identifier is derived from the hardware (MAC) address carries a stable, globally unique token that follows the device from network to network, enabling tracking and profiling of individuals. Privacy extensions (RFC 8981, formerly RFC 4941) and stable but opaque per-network identifiers (RFC 7217) exist precisely to avoid this.

 

Challenges with IPv4 designs

In IPv4’s initial design, network security was given minor concern. However, as IPv4 was developed and the Internet explosion occurred in the 1990s, Internet threats became prolific, and we were essentially wide open to attack. If the current circumstances of Internet threats could have been predicted when IPv4 was being developed, the protocol would have had more security measures incorporated.

IP Next Generation (IPng) was created, becoming IPv6, first specified in RFC 1883 (the current specification is RFC 8200). IPv6 is the network layer protocol that follows IPv4, offers several compelling functions, and is the next step in the evolution of the Internet Protocol.

IPv6 provides several improvements over its predecessor. The following list summarizes the characteristics of IPv6 and the improvements it can deliver:

  1. Larger address space: Increased address size from 32 bits to 128 bits
  2. Streamlined protocol header: Fixed-length base header with options moved into extension headers, improving packet-forwarding efficiency
  3. Stateless autoconfiguration: The ability for nodes to build their own address from a router-advertised prefix (SLAAC)
  4. Multicast: No broadcast; one-to-many communication, including Neighbor Discovery, uses multicast
  5. Jumbograms: The ability to have huge packet payloads for greater efficiency
  6. Network layer security: IPsec authentication and encryption as part of the protocol suite
  7. Quality of service (QoS) capabilities: QoS markings of packets and flow labels that help identify priority traffic

 

Diagram: IPv6 security. Source is Varonis

 

Nothing changes above the Layer 3 “Network” layer.

Deploying IPv6 changes nothing above the Layer 3 “Network” layer. IPv4 and IPv6 are network layer protocols, and the protocols above and below remain the same for either IP version. Problems such as the lack of a session layer above Transmission Control Protocol ( TCP ) continue to exist in IPv6, along with new security issues around IPv6 fragmentation and extension headers. In addition, the limitations of multihoming and the exponential growth of the Default Free Zone ( DFZ ) table size are not solved by deploying IPv6. Attacks against any IPv6 network fall within the following areas and are similar to those related to IPv4 attacks:

Security attack areas

  1. Internet ( DMZ, fragmentation, web pages )
  2. IP spoofing, protocol fuzzing, header manipulation, session hijacking
  3. Buffer overflows, SQL injection, cross-site scripting
  4. Email ( attachments, phishing )
  5. Worms, viruses, DDoS
  6. Chat, peer to peer

We have similar security problems but with different countermeasures. For example, instead of IPv4 ARP spoofing, we have IPv6 Neighbor Discovery ( ND ) spoofing. Existing network attacks such as flooding / DDoS, eavesdropping, session hijacking, DNS attacks, man-in-the-middle attacks, and routing security problems are still present with IPv6.

 

Application-level attacks

The majority of vulnerabilities are at the application layer. Application layer attacks in IPv4 and IPv6 are identical: a SQL injection works the same whether the HTTP request arrived over IPv4 or IPv6. However, new IPv6 security considerations such as dual-stack exposure and tunnelling exposure, which have no IPv4 counterpart, must be addressed as some of the principal IPv6 security vulnerabilities.

 

IPv6 Security Vulnerabilities

IPv6 dual-stack problems

Running both IPv4 and IPv6 at the same time is called dual-stack. A router can support two or more routed protocols and forward each type of traffic. IPv4 and IPv6 share the same physical node but act independently, with separate routing tables, separate access lists and separate neighbour caches. Dual stacking follows the concept known as “ships-in-the-night” routing: packets from each protocol pass without affecting one another.

Diagram: IPv6 security vulnerabilities and Dual Stack mode.

 

Avoid Dual Stack when possible.

It is recommended to avoid dual stack where it is not needed, because the multi-protocol world is tricky: every control you built for IPv4 has to exist a second time for IPv6. The problem arises when IPv6 appears on a segment without anyone having planned for it. All servers and hosts there then expose themselves to IPv6 threats. For example, imagine you have a protected server segment running iptables on the hosts, NIC-level firewalls, and stateful aggregation layer firewalls in front of the servers.

Best practices are followed, resulting in a protected segment. What you do not control is whether servers have IPv6 enabled. When a router sends IPv6 Router Advertisement ( RA ) messages, these servers will auto-configure themselves and become reachable over IPv6 transport. This may not be a problem with Windows servers, where Windows Firewall applies its profile rules to both IPv4 and IPv6. On Linux, however, the legacy iptables tool only filters IPv4; IPv6 has its own, separately configured ip6tables ruleset, so a host with a careful iptables policy and an empty ip6tables policy is wide open over IPv6. (nftables can filter both families from a single “inet” table, but only if the rules were written that way. Check with “ip6tables -S” or “nft list ruleset”, not just “iptables -S”.)

Diagram: IPv6 host exposure and common mistakes.

 

A related dual-stack failure mode: Linux hosts receive IPv6 RA messages, and some hosts that are dual-stack with only link-local addresses nevertheless attempt outbound IPv6 sessions. A link-local address is valid only on the link, so the first-hop router answers with an ICMPv6 Destination Unreachable, code 2, “beyond scope of source address”. Most Linux distributions terminate the IPv6 attempt on that error so the application falls back to IPv4.

However, other versions do not fall back immediately and wait for TCP to time out, causing significant application outages. As a temporary measure, people started to build IPv6 tunnels, and tunnel-related exposure exists as a result. Teredo is the most notorious example: it encapsulates IPv6 in UDP over IPv4 (UDP port 3544) and is designed to work through NAT, so a host can obtain a globally reachable IPv6 address that the IPv4 perimeter firewall never sees. Unless a tunnel is explicitly needed, block IP protocol 41 (6in4, 6to4, ISATAP) and UDP 3544 (Teredo) at the firewall, and disable the transition technologies on the hosts themselves.

 

Pay Close Attention To Tunnels

IPv4 and IPv6 are not natively compatible, so tunnels are used to carry IPv6 traffic over IPv4-only networks. However, tunnels have security drawbacks: they reduce visibility into the traffic traversing them, and that traffic can bypass firewalls that only inspect the outer IPv4 packet. In addition, an attacker can manipulate the traffic flow by abusing auto-tunnelling mechanisms, for instance by spoofing the relay or tunnel endpoint address.

As a result, tunnels should be treated with caution. Generally, static tunnels are preferred over dynamic ones, and they should only be enabled when explicitly needed. It is also possible to control which hosts can act as tunnel endpoints by filtering at the firewall: permit protocol 41 only between the configured endpoints and deny it everywhere else.

 

  • A key point: Lab with IPv6 RA

In the following we address IPv6 RA. IPv6 Router Advertisement (RA) is a key mechanism in IPv6 networks that allows routers to inform neighboring hosts and networks about their presence and provide essential network configuration information. Routers periodically send RA messages, enabling hosts to autoconfigure their network settings, such as IPv6 addresses, default gateways, and other parameters.

The command ipv6 address autoconfig default makes R2 accept RAs on that interface like a host and install a default route towards whatever router sent them. That is convenient in a lab, but it means a rogue RA on that segment can redirect R2’s own off-net traffic, so it is a security flaw in anything but a controlled use case.

 

Diagram: IPv6 RA

 

Use a random addressing scheme instead of a predictable one

The predictability of IPv6 addresses has contributed significantly to the success of reconnaissance attacks against IPv6 subnets: a /64 cannot be brute-forced, but addresses such as ::1, ::10 or a sequential block of servers can be guessed in seconds (RFC 7707 catalogues these techniques). Predictable numbering can be helpful for network administration, but it dramatically weakens IPv6 security. In many cases, these attacks can be mitigated by using random addresses, especially for static assignments.

Autoconfiguration once resulted in the lower 64 bits of the address being derived from the Layer 2 MAC address (the modified EUI-64 format, recognisable by ff:fe in the middle of the interface identifier), which hands an attacker the vendor OUI and a stable identifier to scan for or track. Most operating systems now generate random temporary addresses (privacy extensions, RFC 8981) and stable but opaque per-network identifiers (RFC 7217) instead, so check that this is enabled on your endpoints wherever autoconfiguration is allowed.
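As an added example (not code from the original post), the following Python shows both sides of this: recovering the MAC address from a modified-EUI-64 address, which is what makes such addresses easy to enumerate and track, and generating an RFC 7217 stable opaque identifier to use in its place. The sample addresses, the secret key and the choice of HMAC-SHA256 as the RFC’s pseudorandom function F() are assumptions of the example.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample addresses (not taken from the original post).
EUI64_ADDR = "2001:db8:1::21b:63ff:fe8c:1a2b"   # SLAAC address built from MAC 00:1b:63:8c:1a:2b
RANDOM_ADDR = "2001:db8:1::a1c4:9e0b:3377:42d1"  # privacy-extension style interface identifier


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC address from a modified-EUI-64 interface identifier.

    SLAAC (RFC 4291, appendix A) builds the low 64 bits by splitting the 48-bit MAC,
    inserting ff:fe in the middle and flipping the universal/local bit (0x02) of
    the first octet.  Returns None when the identifier does not have that shape.
    A random identifier can contain ff:fe at that position by chance (1 in 65536),
    so a hit is strong evidence, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def stable_iid(prefix: str, net_iface: str, network_id: str,
               dad_counter: int, secret_key: bytes) -> bytes:
    """RFC 7217 interface identifier: F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    The RFC only requires F() to be a pseudorandom function; HMAC-SHA256 truncated to
    64 bits is used here as one admissible choice (assumption, not mandated by the RFC).
    Same prefix and interface -> same address every time (stable); different prefix ->
    unrelated address (no cross-network tracking); nothing about the MAC leaks.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    msg = (net.network_address.packed[:8] + net_iface.encode()
           + network_id.encode() + dad_counter.to_bytes(4, "big"))
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def stable_address(prefix: str, net_iface: str, network_id: str,
                   secret_key: bytes, dad_counter: int = 0) -> str:
    """Combine a /64 prefix with an RFC 7217 identifier into a full address.

    A host increments dad_counter when Duplicate Address Detection reports a
    collision, which yields a fresh identifier for the same network.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = stable_iid(prefix, net_iface, network_id, dad_counter, secret_key)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


if __name__ == "__main__":
    for a in (EUI64_ADDR, RANDOM_ADDR):
        print(f"{a:40} MAC: {mac_from_eui64(a)}")
    key = b"per-host secret generated once at install time"  # constructed
    print("home  :", stable_address("2001:db8:1::/64", "eth0", "home-ssid", key))
    print("office:", stable_address("2001:db8:2::/64", "eth0", "office-ssid", key))
```

The first function is the reconnaissance tool: run it over a list of addresses scraped from logs or DNS and every hit gives you a vendor OUI and a token that stays constant when the device roams. The second pair is the defence, and the reason the RFC 7217 identifier cannot be reversed is that the per-host secret never leaves the host.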

 

IPv6 First Hop Vulnerabilities

Fake router advertisement ( RA ) messages

IPv6 routers advertise themselves via router advertisement ( RA ) messages. Hosts listen to these messages and learn from them what the first hop/gateway router is, which prefixes are on-link, and often the DNS server as well. If a host needs to send traffic off its local LAN ( off-net traffic ), it sends it to the default router it selected from the RAs it has heard. RA messages carry a router preference field (RFC 4191) that can be used for backup routing, and an attacker can set it to “high” to win that selection.

Diagram: Fake IPv6 router advertisements and IPv6 host exposure.

 

IPv6 first-hop routers

Intruders can advertise themselves as IPv6 first-hop routers, and any host that believes them will send the intruder its off-net traffic. Once in the path, the attacker has numerous options: it can answer the hosts’ Domain Name System ( DNS ) requests itself instead of forwarding them to the legitimate DNS server (or simply advertise its own resolver in the RA), read or modify traffic as a man in the middle, or black-hole it for a denial of service. RFC 6105 introduced the mitigation techniques: port ACLs that drop RAs arriving on host-facing ports, RA-Guard lite, and stateful RA-Guard on the access switch. RFC 7113 adds implementation advice so that RA-Guard cannot be evaded by hiding the RA behind extension headers or fragmentation.

 

IPv6 DHCPv6 attacks

An intruder could pretend to be a DHCPv6 server. Even hosts that use Stateless Address Autoconfiguration ( SLAAC ) for their address still need the address of an IPv6 DNS server. If the RA sets the O (Other configuration) flag, they send a DHCPv6 Information-Request asking for it (alternatively the RA itself carries the resolver in an RDNSS option, RFC 8106). An intruder answering that request can hand out its own resolver address and then return bogus answers for the hostnames the client queries. DHCPv6-Shield on the switch (RFC 7610, the DHCPv6 counterpart of RA-Guard) blocks server replies arriving on untrusted ports.
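The following Python is an added example, not part of the original post, that implements the RA-Guard checks described above in software and also covers the rogue-resolver case from the DHCPv6 paragraph through the RDNSS option: it parses a Router Advertisement, verifies that the hop limit is 255 and the source is link-local, and compares the advertising router, the prefixes and the DNS servers against a per-segment allow list. The allow list and the three sample RAs are constructed for the example; checksum validation is assumed to happen elsewhere.

```python
import ipaddress
import struct
from typing import List, Tuple

ICMPV6, RA_TYPE = 58, 134
OPT_PREFIX, OPT_RDNSS = 3, 25          # RFC 4861 Prefix Information, RFC 8106 RDNSS
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Constructed policy for one access segment (assumption): the only legitimate router
# and the only prefix / resolver it is allowed to advertise.
ALLOWED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}
ALLOWED_RDNSS = {ipaddress.IPv6Address("2001:db8::53")}


def parse_ra(pkt: bytes):
    """Return (src, hop_limit, prefixes, rdnss, router_pref) for an RA, else None.
    Assumes no extension headers between the IPv6 header and ICMPv6; an RA hidden
    behind extension headers or fragmentation is the evasion RFC 7113 addresses."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
        return None
    icmp = pkt[40:]
    if icmp[0] != RA_TYPE or icmp[1] != 0:
        return None
    src, hop = ipaddress.IPv6Address(pkt[8:24]), pkt[7]
    router_pref = (icmp[5] >> 3) & 0x3           # RFC 4191 Prf bits: 01 high, 00 medium, 11 low
    prefixes, rdnss, off = [], [], 16            # options start after the 16-byte RA header
    while off + 8 <= len(icmp):
        typ, ln = icmp[off], icmp[off + 1] * 8   # option length is in 8-octet units
        if ln == 0 or off + ln > len(icmp):
            break                                 # malformed option: stop parsing
        body = icmp[off:off + ln]
        if typ == OPT_PREFIX and ln == 32:
            prefixes.append(ipaddress.IPv6Network(
                f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}", strict=False))
        elif typ == OPT_RDNSS and ln >= 24:       # reserved(2) lifetime(4) then 16-byte addresses
            rdnss.extend(ipaddress.IPv6Address(body[i:i + 16]) for i in range(8, ln - 15, 16))
        off += ln
    return src, hop, prefixes, rdnss, router_pref


def ra_guard(pkt: bytes) -> Tuple[str, List[str]]:
    """Decide whether a host-facing switch port should forward this packet.
    Only RAs are policed; everything else is forwarded, which is what RA-Guard does."""
    parsed = parse_ra(pkt)
    if parsed is None:
        return "forward", []
    src, hop, prefixes, rdnss, pref = parsed
    reasons = []
    if hop != 255:
        reasons.append("hop limit != 255: not originated on this link (RFC 4861)")
    if src not in LINK_LOCAL:
        reasons.append(f"source {src} is not link-local")
    if src not in ALLOWED_ROUTERS:
        reasons.append(f"router {src} is not an authorised router on this segment")
    reasons += [f"unexpected prefix {p}" for p in prefixes if p not in ALLOWED_PREFIXES]
    reasons += [f"unexpected DNS server {d}" for d in rdnss if d not in ALLOWED_RDNSS]
    if reasons and pref == 1:
        reasons.append("advertises high router preference to win default-router selection")
    return ("drop" if reasons else "forward"), reasons


def build_ra(src: str, prefix: str, dns: str, hop_limit: int = 255, pref: int = 0) -> bytes:
    """Constructed RA to ff02::1 with one Prefix Information and one RDNSS option
    (ICMPv6 checksum left as zero)."""
    net = ipaddress.IPv6Network(prefix)
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, pref << 3, 1800, 0, 0)
    icmp += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0) + net.network_address.packed
    icmp += struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) + ipaddress.IPv6Address(dns).packed
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp


GOOD_RA = build_ra("fe80::1", "2001:db8:1::/64", "2001:db8::53")
# attacker: own prefix, own resolver, high preference
ROGUE_RA = build_ra("fe80::bad", "2001:db8:dead::/64", "2001:db8::66", pref=1)
# right router address, but the packet was forwarded from another link
OFF_LINK_RA = build_ra("fe80::1", "2001:db8:1::/64", "2001:db8::53", hop_limit=64)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("rogue", ROGUE_RA), ("off-link", OFF_LINK_RA)):
        action, why = ra_guard(pkt)
        print(f"{name:9} {action:8} {'; '.join(why)}")
```

The hop-limit test is the cheap one: RFC 4861 requires hosts to discard an RA whose hop limit is not 255, because any router that forwarded it would have decremented the value, so a 255 proves the sender is on the local link. The allow-list tests are what a switch’s RA-Guard policy adds on top of that, and the RDNSS check is where a rogue resolver delivered in the RA is caught.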

 

Fake neighbor solicitation and advertisement messages

When a device receives a neighbor solicitation, it looks at the source address of the message and creates an entry for it in its neighbour cache; a forged neighbor advertisement can likewise overwrite an existing entry, which is the IPv6 equivalent of ARP spoofing. Excessive neighbor solicitations from an intruder, each with a different source address, fill up this cache, causing router ND cache overflow and increased CPU load on the router, overloading the control plane.

Well-known problems and their well-known countermeasures

  • Large scale flooding: traffic scrubbing
  • Source address spoofing: RPF checks
  • TCP SYN attacks: TCP SYN cookies
  • TCP slowdown attacks: load balancers and proxies
  • Application-level attacks: Web Application Firewalls ( WAFs )
  • IP fragmentation attacks: ACLs and stateless filters

 

Remote neighbor discovery attacks

Remote neighbor discovery attacks occur when an intruder scans IPv6 subnets with “valid” IPv6 packets, either “valid” TCP SYN packets or pings, addressed to hosts that do not exist. Each unknown but directly connected destination address forces the last-hop router to send Neighbor Solicitations for it and to hold an INCOMPLETE entry in its neighbour cache while it waits, causing ND cache exhaustion and CPU overload. The critical point is that an attacker can trigger the attack remotely, from anywhere on the Internet (RFC 6583 describes the problem and its operational mitigations).

This was not much of a problem with IPv4, as subnets are small. But in IPv6, you have /64 subnets with 2^64 addresses; an attacker can sweep them and generate neighbor cache problems on the last layer 3 switch.

Mitigations, roughly in order of preference:

  1. Inbound ACLs that permit only the IPv6 addresses actually in use on the subnet. Note that some devices perform the ND lookup before the inbound ACL is checked; verify the order of operations in the forwarding path of your platform.
  2. Control plane policing and per-interface neighbour cache limits, so that a full cache degrades the attacker’s flows rather than the whole box.
  3. Prefixes longer than /64, down to /128 on server subnets, which leave nothing for the attacker to sweep. Use these with care, as they break SLAAC and some implementations assume /64; a tight inbound ACL is the better tool.

 

Diagram: IPv6 security. The source is Varonis.

 

Duplicate address detection ( DAD ) attacks

Autoconfiguration works when a host creates its IPv6 address and sends a Neighbor Solicitation asking whether anyone else already uses it (Duplicate Address Detection, RFC 4862). An intruder on the link can answer every such solicitation with “yes, I do”, so the host never gets a usable address and auto-configuration is effectively disabled on that LAN. Since DAD is mandatory, the fix is not on the host but on the switch: ND inspection features that bind addresses to ports drop the forged replies.

 

IPv6 host exposure and IPv6 fragmented DOS attacks

IPv6 has multiple extension headers, offering attackers tremendous options. Stacking many extension headers, or deliberately fragmenting the packet, pushes the real TCP and UDP header into a later fragment where a stateless firewall cannot see the port numbers. RFC 7112 therefore requires the entire header chain, up to and including the upper-layer header, to be present in the first fragment, and RFC 5722 forbids overlapping fragments. Firewalls should drop first fragments that do not satisfy this, and most hardened stacks now do.

  1. The Hop-by-hop Options header tells every router on the path to inspect this header and act on it, usually in the slow path. That makes it a great DoS tool, which is why RFC 8200 allows routers to ignore or drop it.
  2. The Routing header type 0 is the same idea as IP source routing in IPv4 and was deprecated by RFC 5095. It should be dropped by default.

 

  • A key point: Filter on the IPv6 extension headers

Firewalls and ACLs should be able to filter on extension headers. But performing Deep Packet Inspection (DPI) on an IPv6 packet that contains many extension headers is resource-intensive, so firewalls should also limit the number of extension headers they accept and drop chains that exceed the limit.
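The following Python, an added example not taken from the original post, walks the extension header chain of constructed packets the way a stateless filter would and applies the rules just discussed: drop Routing Header type 0, flag Hop-by-Hop, cap the number of extension headers, treat non-first fragments as needing reassembly, and drop a first fragment whose header chain does not reach the transport header. The limit of four extension headers and the sample packets are assumptions of the example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH = 0, 43, 44, 60, 51
ESP, TCP, UDP, ICMPV6 = 50, 6, 17, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH, 135, 139, 140}  # 135/139/140: Mobility, HIP, Shim6
MAX_EXT_HEADERS = 4   # local policy knob (assumption, not an RFC value)


@dataclass
class Verdict:
    action: str                                      # "accept", "drop" or "reassemble"
    reasons: List[str] = field(default_factory=list)
    chain: List[int] = field(default_factory=list)   # extension headers seen, in order
    upper: Optional[int] = None                      # upper-layer protocol reached, if any
    ports: Optional[Tuple[int, int]] = None          # TCP/UDP ports, or ICMPv6 (type, code)


def inspect_ipv6(pkt: bytes) -> Verdict:
    """Walk the extension header chain of one IPv6 packet and decide what a stateless
    filter can do with it: RH0 is dropped (RFC 5095), Hop-by-Hop is flagged, long chains
    are dropped, non-first fragments need reassembly, and a first fragment whose chain
    does not reach the transport header is dropped (RFC 7112)."""
    v = Verdict("accept")
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        v.action, v.reasons = "drop", ["not an IPv6 packet"]
        return v
    end = min(len(pkt), 40 + struct.unpack("!H", pkt[4:6])[0])   # payload length bounds the walk
    nh, off, frag_offset = pkt[6], 40, None
    while True:
        if nh in (TCP, UDP, ICMPV6):
            if off + 4 > end:
                v.action = "drop"
                v.reasons.append("transport header truncated"
                                 + (" in first fragment (RFC 7112)" if frag_offset == 0 else ""))
                return v
            v.upper = nh
            v.ports = struct.unpack("!HH", pkt[off:off + 4]) if nh != ICMPV6 else (pkt[off], pkt[off + 1])
            return v
        if nh not in EXT_HEADERS:
            v.upper = nh                              # ESP, No Next Header (59), ...: nothing to inspect
            if nh == ESP:
                v.reasons.append("ESP: payload encrypted, ports not visible")
            return v
        v.chain.append(nh)
        if len(v.chain) > MAX_EXT_HEADERS:
            v.action, v.reasons = "drop", [f"more than {MAX_EXT_HEADERS} extension headers"]
            return v
        if nh == HOP_BY_HOP:
            if len(v.chain) != 1:
                v.action, v.reasons = "drop", ["Hop-by-Hop header not first in chain (RFC 8200)"]
                return v
            v.reasons.append("Hop-by-Hop header present: every router on the path must look at it")
        if off + 8 > end:                             # every extension header is at least 8 bytes
            v.action = "drop"
            v.reasons.append("header chain does not fit in first fragment (RFC 7112)"
                             if frag_offset == 0 else "truncated extension header")
            return v
        nxt = pkt[off]
        if nh == FRAGMENT:                            # fixed 8 bytes: NH, reserved, offset<<3|res<<1|M, ident
            fo_flags = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            frag_offset, more, hdr_len = fo_flags >> 3, bool(fo_flags & 1), 8
            if frag_offset > 0:
                v.action = "reassemble"
                v.reasons.append("non-first fragment: transport header only visible after reassembly")
                return v
            if not more:
                v.reasons.append("atomic fragment (offset 0, M=0): handle as unfragmented (RFC 6946)")
        elif nh == AH:                                # AH length counts 4-byte units minus 2
            hdr_len = (pkt[off + 1] + 2) * 4
        else:                                         # HBH, Routing, DestOpts, ...: 8-byte units minus 1
            hdr_len = (pkt[off + 1] + 1) * 8
            if nh == ROUTING and pkt[off + 2] == 0:
                v.action, v.reasons = "drop", ["Routing Header type 0 (deprecated by RFC 5095)"]
                return v
        nh, off = nxt, off + hdr_len


# ---- constructed sample packets (not captures from the original post) ----
def _ipv6(next_header: int, payload: bytes, src="2001:db8:ffff::666", dst="2001:db8:1::10") -> bytes:
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def _opts(nxt: int) -> bytes:
    """8-byte Hop-by-Hop / Destination Options header holding one PadN option."""
    return struct.pack("!BB", nxt, 0) + b"\x01\x04\x00\x00\x00\x00"


_TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 65535, 0, 0)   # 20-byte SYN to port 22
_RH0 = struct.pack("!BBBB", TCP, 2, 0, 1) + b"\x00" * 4 + ipaddress.IPv6Address("2001:db8:1::1").packed

SAMPLES = {
    "plain_tcp":        _ipv6(TCP, _TCP_SYN),
    "rh0_source_route": _ipv6(ROUTING, _RH0 + _TCP_SYN),
    "hbh_then_tcp":     _ipv6(HOP_BY_HOP, _opts(TCP) + _TCP_SYN),
    # first fragment (offset 0, M=1) that ends after Dest Opts: the TCP ports are in fragment 2
    "ports_hidden":     _ipv6(FRAGMENT, struct.pack("!BBHI", DEST_OPTS, 0, 1, 0x1234) + _opts(TCP)),
    "later_fragment":   _ipv6(FRAGMENT, struct.pack("!BBHI", TCP, 0, 185 << 3, 0x1234) + b"\x00" * 16),
    "five_dest_opts":   _ipv6(DEST_OPTS, _opts(DEST_OPTS) * 4 + _opts(TCP) + _TCP_SYN),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        r = inspect_ipv6(pkt)
        print(f"{name:18} {r.action:10} chain={r.chain} ports={r.ports} {'; '.join(r.reasons)}")
```

The “ports_hidden” sample is the evasion from the text in miniature: the first fragment is perfectly well-formed, yet a filter that only looks at it never sees port 22. Before RFC 7112 such a fragment had to be passed or reassembled; now it can simply be dropped.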

 

Mitigation Strategies:

1. Network segmentation: By properly segmenting the network and implementing firewalls, organizations can limit the exposure of IPv6 hosts. This approach helps isolate critical assets from threats and reduces the attack surface.

2. Continuous monitoring: Organizations should use network monitoring tools to detect and analyze IPv6 traffic. This ensures timely detection of potential security incidents and allows for effective response and mitigation.

3. Regular security assessments: Conducting periodic security and penetration testing can help identify vulnerabilities and weaknesses in IPv6 deployments. Addressing these issues promptly can prevent potential host exposure and minimize risks.

4. Proper configuration and patch management: Organizations should ensure that IPv6 devices are appropriately configured and regularly updated with the latest security patches. This reduces the likelihood of misconfigurations and minimizes the risk of known vulnerabilities being exploited.

5. Education and awareness: Organizations should prioritize educating their employees about the risks associated with IPv6 host exposure and provide guidelines for secure IPv6 deployment. This empowers individuals to make informed decisions and helps create a security-conscious culture.

Conclusion:

As organizations continue to embrace IPv6, it is crucial to understand the potential risks associated with host exposure. By implementing effective mitigation strategies, such as network segmentation, continuous monitoring, regular security assessments, proper configuration, and education, organizations can enhance their IPv6 security posture and protect against evolving threats. Proactive measures are essential to ensure a secure and resilient IPv6 network environment.

 
