Architectural Risks and Mitigations in IPv6

Architectural Risks and Mitigations in IPv6. James R Lindley, CISSP-ISSAP/ISSEP/ISSMP, CISA, CHS-III, Senior Computer Engineer (Security Architectures), IRS IT Security Architectures & Engineering. Disclaimers: information scope is limited; additional readings required.


Presentation Transcript


  1. Architectural Risks and Mitigations in IPv6
  James R Lindley CISSP-ISSAP/ISSEP/ISSMP, CISA, CHS-III
  Senior Computer Engineer (Security Architectures), IRS IT Security Architectures & Engineering

  2. Disclaimers
  • Information scope is limited; additional readings required
  • Presentation organization:
    • A SHORT review of the IPv6 Protocol Suite
    • Architectural Insecurities
    • Possible Mitigations
  Features and Security Considerations for IPv6

  3. Features of Network Layer Protocols
  • Logical Addressing
  • Route Discovery
  • Quality of Service
  • Packet Header Structures
  • Fragmentation Methods
  • Supporting Protocols

  4. IPv6 Address Space: How to Use 128 Bits
  [Figure: IPv4 address with subnet mask versus the IPv6 network/subnet/host split; labels recovered from the diagram]
  • IPv4 with subnet mask: 32 bits, fixed
    • Subnets and hosts from the same 32-bit pool
    • Lots of small networks (255.255.255.0), very few huge networks (255.0.0.0)
    • 32 bits = 4,294,967,295
  • IPv6 address: Network, Subnet and Host fields, with prefix boundaries marked at /1, /8, /32, /48 and /64
    • 64 bits for the Host field: 18,446,744,073,709,551,615 potential hosts
    • A /16 = 281,474,976,710,655 networks
    • Counts annotated on the figure: 4,294,967,295@32; 65,535@48; 18,014,398,509,481,983@54
  • We really don't get 3.3*10^38

  5. IPv6 Address Types
  • Unicast
    • Address of a single interface
    • One to one: delivery to a single interface
  • Multicast
    • Address of a set of interfaces
    • One to many: delivery to all interfaces in the set
  • Anycast
    • Address of a set of interfaces
    • One to one-of-many: delivery to the closest single interface in the set
  • No more broadcast addresses

  6. Unicast IPv6 Addresses
  • Aggregatable Global Unicast Addresses (AGUA)
  • Link-local addresses
  • Site-local addresses (not SLA – see later) (deprecated)
  • Unique Local Addresses (replaces Site-local)
  • Special addresses
  • Compatibility addresses
  • NSAP addresses (Network Service Access Point)

  7. IPv6 Address Summary
  • Global
    • Typically begins with 2 or 3 (ARIN = 2600::0)
    • Unique for the entire IPv6 Internet
  • Link-local
    • Begins with FE80
    • Unique for a single link
  • Site-local (deprecated)
    • Begins with FEC0
  • Local
    • Begins with FD00
  • Multicast
    • Begins with FF00

  8. Multiple Addresses on a Node
  • Unlike IPv4, an IPv6 node always has multiple addresses
    • Link-local, site-local, global, etc.
  • It is the job of the node's protocol stack to decide the most efficient address to use to reach the destination
  • Greatly simplifies routing

  9. Assigning Interface Addresses
  • Two ways to assign addresses
    • Static assignment
    • Automatic assignment
      • via DHCP (stateful)
      • via autoconfiguration (stateless)
  • Static assignment will be challenging because of the address size
  • Automatic assignment will be much more common

  10. Six Paths to an IPv6 Interface ID (Address)
  • Extended Unique Identifier (EUI-64) address
  • Randomly generated value (SeND)
  • A value assigned by a stateful address configuration protocol such as DHCPv6
  • Expanded IPv4 Address
  • A manually configured value
  • A value assigned during the establishment of a Point-to-Point Protocol connection

  11. Extended Unique Identifier (EUI-64) Address
  • Derived from the IEEE MAC-48 address
  • Privacy considerations in the host ID
  • The MAC-48 structured address architecture makes range scanning easier

  12. Randomly Generated Value (SeND)
  • RGV = Randomly Generated Value
  • Sometimes AKA Cryptographically Generated Address (CGA)
  • Greater privacy (RGV also used in EUI-64 privacy extensions)
  • Maximum range scanning difficulty due to the unstructured address architecture
  • Loss of administrative address control

  13. IPv6 Interface ID Configuration – DHCPv6
  • Value assigned by a stateful address configuration protocol (i.e., DHCPv6)
  • Requires router Managed Address parameter configuration
  • Requires a DHCPv6 server and administration
  • May result in address assignment patterns that make range scanning easier

  14. IPv6 Interface ID Configuration – eXIPv4
  • Expanded IPv4 Address
  • Used with 4to6, 6over4 and ISATAP tunneling
  • May reveal IPv4 use and address
  • May make U-Turn Attacks easier

  15. IPv6 Interface ID Configuration – Manual/PPP
  • Manually configured value
    • More labor required
    • Pattern establishment possible
    • Does not make best use of dynamic and automatic IPv6 address assignment tools
  • Value assigned during the establishment of a Point-to-Point Protocol connection
    • Used only with PPP
    • Found only with MODEM dialup connections

  16. Stateless Autoconfiguration
  • Hosts generate an IP address automatically by combining link information with an Interface ID
    • EUI-64
    • Privacy Extensions
  • Link information is retrieved via Router Solicitations (RS) or Router Advertisements (RA)

  17. Router Advertisements
  • RAs/RSs are a subset of the Neighbor Discovery (ND) protocol
  • All routers send RAs every 5 minutes from each defined link-local address to FF02::1 (All-nodes-on-link)
  • If the Default Router field has a non-zero time listed, it may be used as a default router
  • RAs have a Managed Address flag – if set, it means the host must contact a DHCP server to generate Global Unicast Addresses (Stateful configuration mandated)

  18. Quality of Service
  • The IPv4 Type of Service header field has been renamed Traffic Class in IPv6, with identical bit assignment and processing
  • IPv4 has no mechanism for recognizing data streams; it focuses on "guarantees" of delivery and the TOS field
  • IPv6 has a Flow Control (Flow Label) header field that routers use to prioritize data stream processing
    • Integrated Services (RFC 1633) prioritization without Transport Layer data inspection
    • Requires Resource Reservation Protocol (RSVP) [RFC 2205]
    • Eliminates redundant route resolution processing
    • No standard definition of FC field values
    • Introduces a potential "DOS" vulnerability

  19. Packet Header Changes
  • IPv4 has a variable length packet header
    • Many fields unused
    • Use of options adds to variability
    • Variability led to the integrity check calculation processing requirement
    • Options limited in complexity
  • IPv6 has a fixed length packet header
    • All fields used
    • Options are well-defined
    • No requirement for integrity check processing
    • Multiple options may be "stacked"

  20. IPv6 Header (fixed length, 40 bytes), RFC 2460
  [Figure: header field layout; field sizes and RFC citations recovered from the diagram]
  • Version (4 bits)
  • Traffic Class (1 byte, RFC 2474)
  • Flow Label (20 bits, RFC 3697)
  • Payload Length (2 bytes)
  • Next Header (1 byte)
  • Hop Limit (1 byte)
  • Source Address (16 bytes, drawn as four 4-byte rows)
  • Destination Address (16 bytes, drawn as four 4-byte rows)
  • RFC 2780 (IANA allocation guidelines for values in IP headers) is also cited on the slide

  21. IPv6 Header Detail: Flow Control
  • Defined in RFC 3697
  • Size is 20 bits (2.5 bytes)
  • A random number selected by the sending host, used to specify a particular 'flow' of data
  • Not fully defined yet, but has the potential to reduce processing latency for a 'flow' of data, even if it comes from different applications
  • Routers keep track of flows and, once received, do not have to reprocess routing information for additional packets in that flow

  22. IPv6 Header Detail: Next Header
  • Size is 1 byte
  • Was called the Protocol Type field in v4
  • Specifies what type of header is coming next in the packet (TCP/UDP/ICMPv6, etc.)
  • If extension headers are used, the type of extension header is listed here
  • Common values: 6 (TCP), 17 (UDP), 58 (ICMPv6)

  23. IPv6 Extension Headers
  [Figure: three example header chains]
  • IPv6 Header (Next Header = 6, TCP) → TCP Segment
  • IPv6 Header (Next Header = 43, Routing) → Routing Header (Next Header = 6, TCP) → TCP Segment
  • IPv6 Header (Next Header = 43, Routing) → Routing Header (Next Header = 51, AH) → Authentication Header (Next Header = 6, TCP) → TCP Segment
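The fixed header of slide 20 and the header chains of slide 23, worked as an added example that is not part of the presentation: a parser that decodes the 40-byte header and follows the Next Header chain, which any filter or IDS must do before it can see the transport protocol. The packet bytes, addresses, SPI and the zero ICV are constructed for the example.

```python
import ipaddress
import struct

# Extension headers a chain walker must recognise, plus the upper-layer values slide 22 lists.
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Dest-Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header (RFC 2460 field layout)."""
    if len(pkt) < 40:
        raise ValueError("short packet")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not IPv6")
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def walk_header_chain(pkt: bytes) -> list:
    """Follow Next Header values to the upper layer, returning [(name, offset, length), ...].
    Each extension header has its own length rule; all must be applied before TCP is visible."""
    hdr = parse_fixed_header(pkt)
    end = 40 + hdr["payload_len"]
    if end > len(pkt):
        raise ValueError("payload length exceeds packet")
    nh, off, chain = hdr["next_header"], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == 44:           # Fragment header is always 8 bytes
            size = 8
        elif nh == 51:         # AH: Payload Len counts 32-bit words, minus 2
            size = (ext_len + 2) * 4
        else:                  # others: Hdr Ext Len counts 8-byte units after the first 8
            size = (ext_len + 1) * 8
        if off + size > end:
            raise ValueError("extension header overruns payload")
        chain.append((EXT_HEADERS[nh], off, size))
        off, nh = off + size, next_nh
    chain.append((UPPER_LAYER.get(nh, f"proto-{nh}"), off, end - off))
    return chain


def build_sample_packet() -> bytes:
    """Constructed packet for the slide's third chain: IPv6 -> Routing -> AH -> TCP."""
    routing = bytes([51, 2, 2, 1]) + b"\x00" * 4 + ipaddress.IPv6Address("2001:db8::2").packed
    ah = bytes([6, 4, 0, 0]) + struct.pack("!II", 0x1000, 1) + b"\x00" * 12   # made-up SPI, seq, ICV
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    fixed = struct.pack("!IHBB", 6 << 28, len(routing + ah + tcp), 43, 64)
    addrs = ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + addrs + routing + ah + tcp
```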

  24. Extension Headers – Intermediate Nodes
  • Hop-by-Hop Options header
    • Jumbo Payload option
    • Router Alert option – router must process the datagram
  • Destination Options header
    • Used by intermediate nodes when a Routing header is present
  • Routing header
    • Used for source routing and MobileIP

  25. Extension Headers – Destination Node
  • Fragment header
    • Used only by the source and destination nodes
  • IPSec-specific headers
    • Authentication Header (AH)
    • Encapsulating Security Payload (ESP) header
  • Destination Options header
    • Used only by the destination node when a Routing header is not present
    • Used by MobileIP

  26. IPv4 Fragmentation Control
  • Maximum Transmission Unit (MTU) defines the largest amount of data in octets that a device can send or forward in a single datagram
  • Path MTU (PMTU) is the smallest MTU of all the devices between a source and destination host
  • IPv4 has no PMTU discovery mechanism and sends packets at the size defined in the source host configuration
  • An IPv4 intermediate node receiving a packet larger than the node's MTU divides the packet into several smaller packets before forwarding the new, smaller packets
  • This introduces latency and increased traffic into the network

  27. IPv6 Fragmentation Control
  • Before sending a packet, IPv6 sends a test packet sized to the source host's pre-defined MTU to the destination
  • IPv6 listens for ICMP "Packet too large" messages and, if one is received, sends progressively smaller packets until a "Packet too large" message is not returned
  • IPv6 resizes the "real" packets to match the discovered PMTU
  • IPv6 requires ICMPv6 to pass through firewalls

  28. IPSec for IPv6
  • Mandatory inclusion in implementation
  • Three user options
    • No use
    • Gateway-Gateway (available in IPv4)
    • Peer-Peer
  • Use requires a Security Association
    • IKE – RFC 2409
    • PKI/PKM (static keying is possible but problematic)
  • Two modes
    • Transport (Peer-Peer)
    • Tunnel (VPN Gateway-Gateway)
    • Modes can be combined
  • Two header options
    • Authentication Header (AH)
    • Encapsulating Security Payload (ESP)
    • Options can be combined

  29. IPSec for IPv6
  • Authentication Header (AH)
    • RFC 2402
    • Whole packet integrity
    • Source authentication
    • Replay protection
    • Does NOT encrypt; uses a checksum
    • Does NOT provide confidentiality

  30. IPSec for IPv6
  • Encapsulating Security Payload (ESP)
    • RFC 2406
    • Confidentiality
    • Integrity of the encapsulated packet
    • Authentication of the source
    • Anti-replay protection
    • Encrypts
    • Has a more limited integrity check than AH
    • The encapsulating packet is NOT protected

  31. DHCPv6
  • RFC 3315
  • Totally rewritten protocol
  • Required for Managed Address systems
  • "Stateful" configuration
  • Automatic address assignment

  32. DHCPv6
  • Many benefits:
    • Uses multicast instead of broadcast
    • Verifies that the client is on-link (only supplies addresses from link-local addresses)
    • Relay agent is simplified since it doesn't need a list of DHCPv6 servers – it just sends to the All-DHCP-servers address
    • Server can 'push' an update when changes occur
    • Address "lease" lifetime is infinite – when changes occur, they are pushed – less traffic

  33. Neighbor Discovery (ND) Protocol
  • Neighbor Discovery has two main subsets
    • Router Solicitation/Router Advertisement (RS/RA) to communicate with routers
    • Neighbor Solicitation/Neighbor Advertisement (NS/NA) to communicate with hosts on link
  • The ultimate job of ND is to allow a node that knows an IPv6 address to determine the MAC address of the on-link recipient node
  • Very similar to ARP in IPv4, but uses multicast rather than broadcast

  34. Why Neighbor Discovery?
  • Doesn't an IPv6 address advertise the MAC address?
    • No, it advertises the EUI-64 address, from which one can determine the MAC address
  • The EUI-64 isn't guaranteed to be accurate:
    • It could have been randomly entered by the node owner
    • It could be randomly changing to protect privacy
    • The Layer 2 might not require MAC addresses (Frame Relay)
  • Therefore ND is always performed (unless already cached)
  • Next slide explains IEEE EUI-64 & MAC-64

  35. EUI-64: IEEE Extended Unique Identifier – 64 bits
  • To facilitate the creation of globally unique node addresses using the network adapter's Media Access Code (MAC) number, the IEEE established 2 new standards: EUI-64 and MAC-64.
  • Both MAC-64 and EUI-64 split the current EUI-48 & MAC-48 bit numbers into two 24-bit sections and then insert either FFFF (MAC-64) or FFFE (EUI-64) between the two sections
  • MAC-64 is meant to be used with network adapters, but the IPv6 specification writers used the EUI-64 standard instead

  36. Solicited Node Multicast Address (SNMA)
  • SNMA is used to avoid duplicate IPv6 addresses
  • Created by adding FF + (last 24 bits of the Interface ID) onto FF02::1
  • Example:
    • Client's IPv6 address is 3001:B00:0:1:212:6BFF:FE3A:9E9A
    • Take the last 24 bits: 3A:9E9A
    • Prepend FF: FF3A:9E9A
    • Append the result to the SNMA prefix: FF02::1:FF3A:9E9A
  • Host listens on the SNMA corresponding to each assigned IPv6 address
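The EUI-64 derivation of slide 35 and the SNMA construction of slide 36, worked in code as an added example that is not part of the presentation. It implements the modified EUI-64 of RFC 4291 Appendix A, which also flips the universal/local bit (a step the slides do not mention), so the slide's sample address 3001:B00:0:1:212:6BFF:FE3A:9E9A maps back to the MAC 00:12:6B:3A:9E:9A; that reverse mapping is the privacy exposure slide 11 points at. The prefix and MAC values used are constructed.

```python
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """Interface ID from a MAC-48 as RFC 4291 Appendix A specifies: split into
    two 24-bit halves, insert FF:FE between them, and flip the universal/local
    bit (bit 1 of the first octet)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC-48 expected")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfiguration: the /64 prefix from the RA plus the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC-48 when the interface ID is EUI-64 derived (FF:FE in the
    middle); None otherwise. This is the privacy exposure noted on slide 11."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{o:02x}" for o in octets)


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx built from the low 24 bits of the address, as on slide 36."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


if __name__ == "__main__":
    sample = "3001:B00:0:1:212:6BFF:FE3A:9E9A"   # the address used on slide 36
    print("MAC recovered from interface ID:", mac_from_address(sample))
    print("SNMA:", solicited_node_multicast(sample))
```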

  37. Duplicate Address Detection (DAD)
  • As a function of ND, when a node generates (or receives) an IPv6 address, it automatically sends an NS packet to the SNMA that it is configuring
  • If an NA is received, the node knows that the address is in use, and the address is not used

  38. Secure Neighbor Discovery (SeND)
  • Requires each node to have a "trusted router certificate" list
    • List is different for each network segment
  • Uses Cryptographically Generated Addresses (CGA) (RFC 3972) to verify a neighbor's address ownership
  • Solves "router trust" security problems in IPv6 "Neighbor Discovery" node address configuration
  • No IPv6 "automatic" method for creating or updating host and router certificate lists

  39. ICMPv6
  • In IPv4, the Internet Control Message Protocol (ICMP) was used for some utilities such as ping and tracert
    • Many organizations block in/out ICMP at the firewall
  • In IPv6, Neighbor Discovery utilizes ICMPv6, and ND is mandatory for delivering packets
  • Path MTU discovery is ICMPv6 based
  • Therefore, ICMPv6 is mandatory in IPv6 and *cannot* be shut off completely at the firewall

  40. DNSv6
  • Same functionality as DNS in IPv4
  • IPv6 uses "AAAA" records, IPv4 uses "A"
  • DNS queries return AAAA before A records
    • Some implementations will not return an IPv4 address if an IPv6 address exists for the host
    • A DNS server with a faked IPv6 record for an IPv4-only box will refer all traffic to the IPv6 site
  • DNS server discovery mechanisms are still a work in progress

  41. MobileIP
  • Present in IPv4 (RFC 3344), difficult to use
  • MobileIPv4:
    • Mobile Node
    • Home Agent
    • Foreign Agent
    • UDP-based
    • Home Agent (server) centric

  42. MobileIP
  • "Visited" networks must open their firewalls to special IPv6 packets
  • IPv6 modes
    • Bi-directional Tunneling (Home Agent centric)
    • Route Optimization (Peer-to-Peer)
  • You can do Binding Updates with any correspondent to establish a direct path, but ONLY after establishing a security association with the home agent or correspondent.

  43. MobileIP
  • Do not confuse "MobileIP" with "Mobile Telephony", which concerns ISO Layers 1 & 2 devices.
  • MobileIP is ISO Layer 3
    • Requires a functioning Layer 1 & 2 network infrastructure
    • Requires a way to establish security associations (PKI?)

  44. Key Risk Considerations
  • Each network layer has characteristic types of attacks
  • Internet Protocol is an address management and traffic delivery protocol suite
  • Characteristic attacks and activities at the IP level are Address Manipulation, Denials of Service, and supporting activities (reconnaissance, etc.)
  • Some attacks utilize upper layer protocols that support IP functionality (ICMP, TCP, UDP, etc.)
  • Almost all IPv6 security enhancements require a way to establish a security association (PKI?) (SeND, IPSec, etc.)

  45. Key Considerations
  • IPv6 address management suite
    • Neighbor Discovery / Router Identification
    • Autoconfiguration
    • Domain Name Service
    • Dynamic Host Configuration Protocol
    • ICMP
  • Packet Header Changes
  • Supporting Activities

  46. Neighbor Discovery
  • Key concerns
    • Neighbor Solicitations / Advertisements
    • Router Solicitations / Advertisements
    • ICMP messages
    • Secure ND requires trust lists
    • IPv6 = IPv4 (NDAC = ARP, etc.)
  • Attacks
    • DoS
    • Redirects
    • Configuration attacks

  47. Neighbor Discovery
  • Neighbor Solicitation and Advertisement (NS/NA) Spoofing
    • N3 sends an NS or NA with N1, N2, or R1 addresses and N3's link-layer address.
    • Traffic goes to N3 instead of the valid neighbors.

  48. Neighbor Discovery
  • Fake on-link Prefix
    • N3 executes NA/NS spoofing
    • N3 sends an RA with an invalid prefix identified as on-link
    • Off-link traffic to the prefix is either denied or sent to N3

  49. Neighbor Discovery
  • Neighbor Unreachability Detection (NUD) Denial of Service
    • N3 sends NAs responding to the NUD NS messages of all or some of the other nodes on the network
    • NUDed nodes are now considered unreachable by other nodes, which cease sending

  50. Neighbor Discovery
  • Router Flood
    • N3 sends randomly addressed packets
    • R1 sends NS messages that are never answered
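The four ND attack patterns of slides 47 through 50 seen from the monitoring side, as an added example that is not part of the presentation: detection logic run over a constructed set of ND events as a link monitor might record them. The router allow-list and on-link prefix list are assumed operator-maintained inputs; the thresholds are illustrative.

```python
from collections import Counter, defaultdict

# Assumed operator-maintained inputs (not from the presentation).
ROUTER_MAC = "00:00:5e:00:53:01"
KNOWN_ROUTERS = {ROUTER_MAC}
ON_LINK_PREFIXES = {"2001:db8:1::/64"}

# Constructed ND event sample, one tuple per message:
# (message, source MAC, target address or advertised prefix, link-layer address option)
SUSPECT = "00:12:6b:3a:9e:9b"
EVENTS = [
    ("NA", "00:12:6b:3a:9e:9a", "2001:db8:1::10", "00:12:6b:3a:9e:9a"),   # genuine owner
    ("NA", SUSPECT, "2001:db8:1::10", SUSPECT),          # same target, second link-layer address (slide 47)
    ("RA", ROUTER_MAC, "2001:db8:1::/64", ROUTER_MAC),   # legitimate router
    ("RA", SUSPECT, "2001:db8:99::/64", SUSPECT),        # RA from a node that is not a router (slide 48)
]
# One node answering NUD probes for many different targets (slide 49)
EVENTS += [("NA", SUSPECT, f"2001:db8:1::{i:x}", SUSPECT) for i in range(0x20, 0x40)]
# The router resolving a burst of addresses that never answer (slide 50)
EVENTS += [("NS", ROUTER_MAC, f"2001:db8:1::{i:x}", ROUTER_MAC) for i in range(0x100, 0x140)]


def analyze(events, known_routers, on_link_prefixes, ns_burst=32, na_targets=16):
    """Return (finding, detail) pairs for the patterns on slides 47 to 50."""
    findings = []
    na_lladdrs = defaultdict(set)        # target -> link-layer addresses that claimed it
    na_targets_by_src = defaultdict(set)  # source MAC -> targets it advertised
    ns_by_router = Counter()             # NS count per known router
    for msg, src_mac, target, lladdr in events:
        if msg == "NA":
            na_lladdrs[target].add(lladdr)
            na_targets_by_src[src_mac].add(target)
        elif msg == "RA":
            if src_mac not in known_routers:
                findings.append(("ra-unexpected-source", f"{src_mac} advertised {target}"))
            elif target not in on_link_prefixes:
                findings.append(("ra-unknown-prefix", f"{src_mac} advertised {target}"))
        elif msg == "NS" and src_mac in known_routers:
            ns_by_router[src_mac] += 1
    for target, lls in na_lladdrs.items():
        if len(lls) > 1:
            findings.append(("na-conflict", f"{target} claimed by {sorted(lls)}"))
    for src_mac, targets in na_targets_by_src.items():
        if len(targets) >= na_targets:
            findings.append(("na-many-targets", f"{src_mac} answered for {len(targets)} targets"))
    for src_mac, n in ns_by_router.items():
        if n >= ns_burst:
            findings.append(("ns-burst-from-router", f"{src_mac} sent {n} NS in the window"))
    return findings


def sample_findings():
    return analyze(EVENTS, KNOWN_ROUTERS, ON_LINK_PREFIXES)
```

Real deployments would feed this from a capture of ICMPv6 types 134, 135 and 136 and tune the thresholds to the link's normal rate.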
