IPv6 insecurities at First Hop

Gawe Mikoajczyk gmikolaj@cisco.com

SETTING THE STAGE

IPv6 Neighbor Discovery Fundamentals

RFC 4861, Neighbor Discovery for IP Version 6 (IPv6) RFC 4862, IPv6 Stateless Address Autoconfiguration Used for:
Router discovery IPv6 Stateless Address Auto Configuration (SLAAC) IPv6 address resolution (replaces ARP) Neighbor Unreachability Detection (NUD) Duplicate Address Detection (DAD) Redirection

Operates above ICMPv6

Relies heavily on multicast (including L2-multicast) Works with ICMP messages and messages options

IPv4 to IPv6 Link model shift

Announces default router Announces link parameters

Router

DHCP server An IPv6 link An IPv4 link DHCP server

Assign addresses Assign addresses

IPv4 link model is DHCP-centric

Assign addresses Announces default router Announces link parameters

IPv6 link model is essentially distributed, with DHCP playing a minor role

Securing Link Operations: First Hop Trusted Device

Advantages
central administration, central operation Complexity limited to first hop Transitioning lot easier

Cisco Current Roadmap IETF SAVI WG

Certificate server

Efficient for threats coming from the link

Efficient for threats coming from outside
Time server

Disadvantages
Applicable only to certain topologies
Requires first-hop to learn about end-nodes First-hop is a bottleneck and single-point of failure

TARGETING THE HOSTS

IPv6 Address Resolution comparing with IPv4 ARP

Creates neighbor cache entry, resolving IPv6 address into MAC address.
Messages: Neighbor Solicitation (NS), Neighbor Advertisement (NA)

ICMP type = 135 (Neighbor Solicitation) Src = A NS Dst = Solicited-node multicast address of B Data = B Option = link-layer address of A Query = what is Bs link-layer address? ICMP type = 136 (Neighbor Advertisement) Src = one Bs IF address NA Dst = A Data = B Option = link-layer address of B
A and B can now exchange packets on this link

Attacking IPv6 Address Resolution

Attacker can claim victim's IPv6 address.
A B C

NS Dst = Solicited-node multicast address of B Query = what is Bs link-layer address?

NS

NA

Src = B or any Cs IF address Dst = A Data = B Option = link-layer address of C

Countermeasures: Static Cache Entries, Address GLEAN, SeND (CGA) on routers, Integrity Guard (Address-Watch).

Address GLEAN
Gleaning means inspecting the
Binding table
IPv6
A1 A21 A22

H1

H2

H3

MAC
MACH1 MACH2 MACH2 MACH3

VLAN
100 100 100 100

IF
P1 P2 P2 P3

DHCPserver

NS [IP source=A1, LLA=MACH1]

A3

REQUEST [XID, SMAC = MACH2] REPLY[XID, IPA21, IPA22]

data [IP source=A3, SMAC=MACH3] DAD NS [IP source=UNSPEC, target = A3] NA [IP source=A1, LLA=MACH3]

DHCP LEASEQUERY

DHCP LEASEQUERY_REPLY

H1

H2

H3

IPv6 Duplicate Address Detection (DAD)

Verify IPv6 address uniqueness, verify no neighbors claims the address Required (MUST) by SLAAC, recommended (SHOULD) by DHCP Messages: Neighbor Solicitation, Neighbor Advertisement
A B

ICMP type = 135 (Neighbor Solicitation) Src = UNSPEC = 0::0 Dst = Solicited-node multicast address of A Data = A Query = Does anybody use A already?

NS

Node A starts using the address

Attack On DAD
Attacker hacks any victim's DAD attempts. Victim can't configure IP address and can't communicate. DoS condition.
A

Src = UNSPEC Dst = Solicited-node multicast address of A Data = A Query = Does anybody use A already? NA its mine !

NS Src = any Cs IF address Dst = A Data = A Option = link-layer address of C

Device tracking
Goal: to track active addresses (devices) on the link
IPv6 MAC
MACH1 H1 MACH2 H2 MACH2 H2 MACH3

VLAN
100 100 100 100

IF
P1 P2 P2 P3

STATE
REACH STALE REACH REACH STALE

H1

H2

A1 1

H3

A21 21

Address GLEAN

A22 22 A3

Binding table

Keep track of device state Probe devices when becoming stale Remove inactive devices from the binding table Record binding creation/deletion/changes
DAD NS [IP source=UNSPEC, target = A1] NA [target = A1LLA=MACH1] DAD NS [IP source=UNSPEC, target = A3]

IPv6 Source Guard

Validating the source address of IPv6 traffic sourced from the link
IPv6 MAC MACA1 MACA21 MACA22 MACA3 VLAN 100 100 100 100 IF P1 P2 P2 P3

Binding table

A1 A21 A22

H1

H2

H3

Address GLEAN
DAD NS [IP source=UNSPEC, target = A3] NA [target = A1LLA=MACA3]

A3

DHCP LEASEQUERY DHCP LEASEQUERY_REPLY

P3 ::A3, MACA3 P1:: data, src= A1, SMAC = MACA1

Allow traffic sourced with known IP/SMAC Deny traffic sources with unknown IP/SMAC

P2:: data src= A21, SMAC = MACA21

P3:: data src= A3, SMAC = MACA3

TARGETING THE ROUTER

Why should you care about router stealing?

$ ifconfig en1 en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500 ether 00:26:bb:xx:xx:xx Is there an prefixlen 64 scopeid 0x6 inet6 fe80::226:bbff:fexx:xxxx%en1 IPv6 Network? inet 10.19.19.118 netmask 0xfffffe00 broadcast 10.19.19.255 media: autoselect status: active $ ping6 -I en1 ff02::1%en1 PING6(56=40+8+8 bytes) fe80::226:bbff:fexx:xxxx%en1 --> ff02::1 16 bytes from fe80::226:bbff:fexx:xxxx%en1, icmp_seq=0 hlim=64 time=0.140 ms . . . Are there any IPv6 peers? 16 bytes from fe80::cabc:c8ff:fec3:fdef%en1, icmp_seq=3 hlim=64 time=402.112 ms ^C --- ff02::1%en1 ping6 statistics --4 packets transmitted, 4 packets received, +142 duplicates, 0.0% packet loss round-trip min/avg/max/std-dev = 0.140/316.721/2791.178/412.276 ms $ ndp -an Neighbor Linklayer Address Netif Expire St Flgs Prbs Configure a tunnel, enable forwarding, transmit RA 2001:xxxx:xxxx:1:3830:abff:9557:e33c 0:24:d7:5:6b:f0 en1 23h59m30s S . . . $ ndp -an | wc -l 64

IPv6 Router Discovery

Find default/first-hop routers Discover on-link prefixes => which destinations are neighbors Messages: Router Advertisements (RA), Router Solicitations (RS)

Internet ICMP Type = 133 (Router Solicitation) Src = UNSPEC (or Host link-local address) Dst = All-routers multicast address (FF02::2) Query = please send RA

RS

RA

ICMP Type = 134 (Router Advertisement) Src = Router link-local address Dst = All-nodes multicast address (FF02::1) Data = router lifetime, retranstime, autoconfig flag Option = Prefix, lifetime

Use B as default gateway

Attacking IPv6 Router Discovery

Attacker tricks victim into accepting him as default router Based on rogue Router Advertisements The most frequent threat by non-malicious user
B A C

Internet

RA

Src = Bs link-local address Dst = All-nodes Data = router lifetime=0 Src = Cs link-local address Dst = All-nodes Data = router lifetime, autoconfig flag Options = subnet prefix, slla

RA

Node A sending off-link traffic to C

IPv6 RA-Guard Securing Router Discovery

A C

RA
Verification succeeded? Forward RA

I am the default gateway Router Advertisement Option: prefix(s)

Switch selectively accepts or rejects RAs based on various criteria ACL (configuration) based, learning-based or challenge (SeND) based. Hosts see only allowed RAs, and RAs with allowed content.
More countermeasures: static routing, SeND, VLAN segmentation, PACL.

IPv6 Stateless Address Auto-Configuration (SLAAC)

Stateless, based on prefix information delivered in Router Advertisements. Messages: Router Advertisements, Router Solicitations
A B

Internet ICMP Type = 133 (Router Solicitation) Src = UNSPEC (or Host link-local address) Dst = All-routers multicast address (FF02::2) Query = please send RA

RS

RA
Computes X::x, Y::y, Z::z and DADs them

ICMP Type = 134 (Router Advertisement) Src = Router link-local address Dst = All-nodes multicast address (FF02::1) Data = router lifetime, retranstime, autoconfig flag Options = Prefix X,Y,Z, lifetime

NS
Source traffic with X::x, Y::y, Z::z

Attacking IPv6 Stateless Address Auto-Configuration

Attacker spoofs Router Advertisement with false on-link prefix Victim generates IP address with this prefix Access router drops outgoing packets from victim (ingress filtering) Incoming packets can't reach victim A C
Internet

RA
Deprecates X::A Computes BAD::A and DAD it

Src = Bs link-local address Dst = All-nodes Options = prefix X Preferred lifetime = 0 Src = Bs link-local address Dst = All-nodes Options = prefix BAD, Preferred lifetime

RA

Node A sourcing off-link traffic to B with BAD::A Router B filters out BAD::A

Cryptographically Generated Addresses CGA RFC 3972 (Simplified)

Each devices has a RSA key pair (no need for cert)

Ultra light check for validity

Prevent spoofing a valid CGA address RSA Keys Priv Pub

Modifier Public Key Subnet Prefix

SHA-1

Signature

CGA Params
Subnet Prefix Interface Identifier

SeND Messages

Crypto. Generated Address

Using SeND for router authorization

Certificate Authority Certificate C0

Certificate Authority CA0 1

provision
Router certificate request

Subject Name contains the list of authorized IPv6 prefixes

Router certificate CR

3
provision

2 host
A
ROUTER ADVERTISEMENT (SRC = R)

Router R

4 5 6 7

Certificate Path Solicit (CPS): I trust CA0, who are you R?

Certificate Path Advertise (CPA): I am R, this is my certificate CR signed by CA0

Verify CR against CA0 Insert R as default route

Each node takes care of its own security Verifies router legitimacy Verifies address ownership

SeND Deployment Challenges with boundaries

ADMINISTRATIVE BOUNDARY

CA CA

CA

Host

Router

Router Host

Nodes must be provisioned with CA certificate(s)

A chain of trust is easy to establish within the administrative boundaries, but very hard outside
Very few IPv6 stacks support SeND today

EXHAUSTING THE CACHE

Reconnaissance in IPv6? Easy with Multicast.

No need for reconnaissance anymore 3 site-local multicast addresses (not enabled by default)
FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers

Several link-local multicast addresses (enabled by default)

FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP,
Source Destination Payload DHCP Attack 2001:db8:2::50 2001:db8:1::60

Attacker FF05::1:3

2001:db8:3::70

http://www.iana.org/assignments/ipv6-multicast-addresses/

Remote address resolution cache exhaustion

X

Gateway

PFX::/64
X scanning 2 64 addresses (ping PFX::a, PFX::b, PFX::z)
Dst = Solicited-node multicast address of PFX::a Query = what is PFX::a s link-layer address?

NS
Dst = Solicited-node multicast address of PFX::b Query = what is PFX::b s link-layer address?

3 seconds history

NS
Dst = Solicited-node multicast address of PFX::z Query = what is PFX::zs link-layer address?

NS
Countermeasures: address provisioning mechanisms and filtering on routers, Destination Guard on switches

Destination guard mitigating cache exhaustion

L3 switch
host
Binding table Neighbor cache

Internet
Address glean
Src=D1 Src=Dn

Scanning {P/64}

Lookup D1 NO
found

Forward packet

Mitigate prefix-scanning attacks and Protect ND cache Useful at last-hop router and L3 distribution switch Drops packets for destinations without a binding entry

Mitigating Remote Neighbor Cache Exhaustion

Built-in rate limiter but no option to tune it
Since 15.1(3)T: ipv6 nd cache interface-limit

Or IOS-XE 2.6: ipv6 nd resolution data limit

Destination-guard is coming with First Hop Security phase 3

Using a /64 on point-to-point links => a lot of addresses to scan!

Using /127 could help (RFC 6164)

Internet edge/presence: a target of choice

Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only

Using infrastructure ACL prevents this scanning

iACL: edge ACL denying packets addressed to your routers
Easy with IPv6 because new addressing scheme can be done

YOUR IPS CAN HELP, PROBABLY

Detecting native IPv6 Traffic

Example: ICMPv6 Traffic for Neigbor discovery / Router advertisements

Usage of Dual-Stack on all Engines

Service HTTP

What your IPS should support now

Can detect IPv6 tunnels in IPv4
IPv6 in IPv4 IPv6 in MPLS tunnel Teredo destination IP address Teredo source port Teredo destination port Teredo data packet

And more?
Detect DNS request for ISATAP Detect traffic to 6to4 anycast server

Intrusion Prevention for L2 Security

ICMPv6 Signatures for Attack mitigation and visibility, including NA, NS, RA, RS.

IPS for Virtual Switching with ERSPAN

Extends the Local SPAN to send packets outside local host (VEM) Can be used to monitor the traffic on Virtual Switch remotely One or more source:
NAM ERSPAN DST

ID:2

ID:1

Type: Ethernet, Vethernet, Port-Channel, VLAN

Direction: Receive (Ingress) / Transmit (Egress) / Both

IP based destination ERSPAN ID provides segmentation Permit protocol type header 0x88be for ERSPAN GRE
VM
ERSPAN

Management Console

VMkernel

NEXUS 1000v

VM

VM

VM

ESXi

PUTTING IT ALL TOGETHER

Features for IPv6 First-Hop Security

Switches do/will integrate a set of monitoring, inspection and guard features for a variety of security-centric purposes:
1. RA-guard 2. Address NDP address glean/inspection (NDP+DHCP+data) 3. Integrity guard (Address watch/ownership enforcement)

4. Device Tracking
5. DHCP-guard 6. DAD/Resolution proxy 7. Source-guard (SAVI) 8. Destination-guard 9. DHCP L2 relay

Ask your vendor.for current support and serious roadmap. cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html

First Hop Security Phase I in 2010 Protecting against Rogue RA

Port ACL (see later) blocks all ICMPv6 Router Advertisements from hosts
interface FastEthernet3/13
RA

switchport mode access ipv6 traffic-filter ACCESS_PORT in access-group mode prefer port

RA

RA-guard feature in host mode (12.2(33)SXI4 & 12.2(54)SG ): also dropping all RA received on this port
interface FastEthernet3/13 switchport mode access ipv6 nd raguard access-group mode prefer port
RA RA RA

IPv6 Snooping Phase II and III

Phase II
DHCP Guard Source Guard Multi Switch operation RA Throttler NDP Multicast Suppress

Phase III
Destination Guard Prefix Guard DAD Proxy Binding Table Recovery SVI support

The bottom line

Look inside NetFlow records
Protocol 41: IPv6 over IPv4 or 6to4 tunnels IPv4 address: 192.88.99.1 (6to4 anycast server) UDP 3544, the public part of Teredo, yet another tunnel

Look into DNS server log for resolution of ISATAP

Beware of the IPv6 latent threat: Your IPv4-only network may be vulnerable to IPv6 attacks now.

THANK YOU.