in the LAN
Eric Levy-Abegnoli, Technical Leader
BRKSEC-3003
This session introduces security features at the first hop, such as RA Guard, Source Guard, Destination Guard, etc.
Attack tools referenced in this session: frag6, syn6_flood, thcping6, scan6, fake_router6
Agenda
Link operations
Attacks
Mitigating Vulnerabilities
Example, demo
Deployment: Enterprise, SP Access, Datacenter
Definitions: Layer-2 domain, Nodes, Link operations, Security perimeter, First hop
Link operations
Link operation: IPv4 protocol -> IPv6 protocol (IPv6 RFC)
Router discovery: DHCP -> Neighbor Discovery (RFC 4861)
Prefix discovery: DHCP -> Neighbor Discovery (RFC 4861); DHCPv6 prefix delegation (RFC 3633)
Parameter discovery: DHCP -> Neighbor Discovery (RFC 4861)
Address assignment: DHCP -> Neighbor Discovery, stateless autoconfiguration (RFC 4861, RFC 4862); DHCPv6 (RFC 3315)
Address resolution: ARP -> Neighbor Discovery (RFC 4861)
Redirection: ICMP -> Neighbor Discovery (RFC 4861)
Router Discovery
Figure: host A sends a Router Solicitation (RS, multicast). Router B answers with an RA (Source = LLB, router lifetime, preference = M, option: prefixes X and Y with lifetime); router C answers with an RA (Source = LLC, router lifetime, preference = H, option: prefix Z with lifetime). Host A installs a default route ::0/0 in its RIB and X::A, Y::A, Z::A in its address database.
Figure (Redirect): the RA from B (Source = LLB, router lifetime, preference = M, prefixes X and Y, SLLA = MACB) installs ::0/0 via LLB in the RIB and LLB / MACB in the ND cache. Traffic to destination X is first sent with NH = LLB/MACB; B answers with a Redirect, the host adds X/128 via LLC to its RIB and forwards with NH = LLC/MACC.
Address Resolution
Figure: A needs MAC B; it creates an INCOMPLETE neighbor cache entry and sends a multicast NS (lookup). B learns A / MACA as STALE from the NS and answers with an NA; A's entry becomes B / MAC B / REACHABLE and data is sent.
Figure (Neighbor Unreachability Detection): the entry B / MAC B goes STALE; traffic is sent while the entry is not yet confirmed; A sends a unicast NS (NUD), B answers with an NA (NUD) and the entry returns to REACHABLE.
Figure: an unsolicited NA from B with the override flag and MAC BB replaces the entry B / MAC B / REACHABLE with B / MAC BB / REACHABLE.
Address assignment
Several assignment methods:
Static
Modified EUI-64
Privacy extensions
Cryptographic Generated Address (CGA)
Address assignment
Stateless Address Auto Configuration (DAD success)
Figure: the router sends an RA with a prefix; the host computes HOSTID (modified EUI-64, CGA or privacy extensions), builds A = prefix + HOSTID and sends a multicast NS-DAD for A; nobody answers, so A is usable.
Address assignment
Stateless Address Auto Configuration (DAD failure)
Figure: same sequence, but another host already using A answers the multicast NS-DAD with an NA (target = A), so the address is not configured.
Figure (stateful DHCPv6, DAD success): host -> relay -> server: SOLICIT (to ALL_SERVERS_AND_RELAY), ADVERTISE, REQUEST (option: can I use A?), REPLY (your address is A). The host then runs DAD: ICMP type 135 (Neighbor Solicitation), Source = UNSPEC, Destination = SOLA (solicited-node multicast address of A), target = A, Query = does anybody use A already?
Figure (stateful DHCPv6, DAD failure): SOLICIT (ALL_SERVERS_AND_RELAY), ADVERTISE, REQUEST, REPLY, then NS-DAD (ICMP type 135, Source = UNSPEC, Destination = SOLA, target = A, Query = does anybody use A already?). A host already using A answers with a multicast NA (target = A); the client sends DECLINE to the server: the address cannot be used.
Figure (DHCPv6 prefix delegation): the gateway (link-local address LLGW) exchanges SOLICIT, ADVERTISE and REQUEST-prefix (source LLGW) with the server through the relay and obtains prefix P1; the upstream router's RIB now holds P1 via LLGW. The gateway advertises P1 in an RA; the host computes HOSTID, builds A = P1 + HOSTID, runs DAD on A and sends with Source = A.
Agenda
Attacks: Router theft, Address (Identity) theft, DoS attacks, Misdirect attacks
Example, demo
Router theft
Figure: the host's RIB holds ::0/0 via LLR (learned from R's RA) and the session goes via R. A rogue RA advertising ::0/0 via LLC replaces the default route; the session now goes via C.
Address Theft
Figure: A's ND cache holds B / MAC B and a session is established. C sends an unsolicited NA (Source = B, Destination = ALL-NODES, Target = B, Option: SLLA = MACC); the entry becomes B / MAC C and the session is re-established through C.
Figure (theft of the router's address): RIB ::0/0 via LLR from R's RA, ND cache LLR / MAC R, session via R / MACR. C sends an unsolicited NA (Source = R, Destination = ALL-NODES, Target = LLR, Option: SLLA = MACC); the cache entry becomes LLR / MAC C and the session goes through C.
DoS attacks
Figure (DAD denial): the router's RA (ICMP type 134, Destination = ALL-NODES, Options = Prefix P) leads the host to compute A = {P, HOSTID} and send NS-DAD (target = A); the attacker answers every NS-DAD with an NA (target = A, "it's mine!"), so the host never gets a usable address.
Figure (rogue DHCPv6 server): the client's SOLICIT (ALL_SERVERS_AND_RELAY) is answered by the legitimate server's ADVERTISE and by the attacker's ADVERTISE with preference = 255, which wins; the attacker's REPLY carries NoAddrsAvail or a bogus IA.
DoS attack: denial of address configuration
Attacker spoofs a Router Advertisement with a false on-link prefix
Victim generates a (topology-bogus) IP address with this prefix
Access router drops outgoing packets from the victim (ingress filtering), or the return path is broken
Figure: the host autoconfigures BAD::A from the rogue RA and runs DAD on it, whether or not the legitimate router is present.
Figure (misdirected address resolution): A sends an NS lookup for B (cache entry INCOMPLETE); two NAs arrive, both Src = B, Dst = A: one with Options = TLLA (MACFAKE) from the attacker and one with Options = TLLA (MACB) from B.
Figure (neighbor cache exhaustion by scanning): X scans the 2^64 addresses of PFX::/64 (ping destinations PFX::a, PFX::b, ..., PFX::z); the router sends an NS and creates an entry for each; the neighbor cache reaches its maximum capacity ("STOP!") and the legitimate session to A suffers.
Figure (neighbor cache exhaustion by claiming addresses): X claims the 2^64 addresses of PFX::/64 by sending NS, Src = PFX::1, Dst = SOLR, SLLA = MAC1; NS, Src = PFX::2, Dst = SOLR, SLLA = MAC2; ...; NS, Src = PFX::2^64, Dst = SOLR, SLLA = MACZ. The router's neighbor cache fills with STALE entries PFX::1 / MAC1, PFX::2 / MAC2, ..., PFX::2^64 / MACZ until it can accept no more ("STOP!").
Misdirecting attacks
Misdirecting responses
Router theft demo topology: HOST, PEER, SWITCH, VILLAIN, CAT
Router theft demo videos:
http://www.youtube.com/watch?v=YbDg33vV-0E
http://www.youtube.com/watch?v=EjqimySPv7U
http://www.youtube.com/watch?v=QDyqV7u4HSY
http://www.youtube.com/watch?v=-vOY0xXLoj0
Agenda
Example, demo
Mitigating Vulnerabilities
The toolbox
Table columns: Vulnerability, Attack tool, Mitigation, Where (Router / Host / Switch), Security level (Weak, Medium, Medium-Strong, Strong, Very Strong), Deployability (Low, Medium-Low, Medium, Medium-High, High, Very High).
Vulnerabilities named in the table include Router Role theft and Misdirecting responses.
Attack tools listed (thc, si6, ...): fake_router6, flood_router6, redir6, parasite6, dos-new-IPv6, denial6, fake_advertiser6, thcping6, frag6, scan6, flood_advertise6, syn6_flood.
(The row-by-row mapping of mitigation, location, security level and deployability did not survive extraction.)
Figure (router authorization with certificates): router R is provisioned by a back end with certificate CERTR; host A holds trust anchor CA0 ("my certificate is CA0"), verifies CERTR against CA0 and only then inserts R as default route. Trust flows CA -> router certificate -> host verification.
Private VLANs (PVLAN), where nodes (isolated ports) can only contact the official router (promiscuous port): RAs from the router reach the isolated ports, while an RA sent from an isolated port cannot reach the other nodes.
One VLAN per host (SP access network with Broadband Network Gateway).
Port ACL:
interface FastEthernet0/2
 ipv6 traffic-filter ACCESS_PORT in
 access-group mode prefer port
RA-guard validates the RA's hop-limit, M & O flags, router preference, source, prefix list and CGA credentials.
Port not authorized (RAs dropped):
interface FastEthernet0/2
 ipv6 nd raguard
 access-group mode prefer port
Authorized port (RAs from the router accepted):
interface FastEthernet0/0
 ipv6 nd raguard attach-policy ROUTER
Problem
RA Guard works like a stateless ACL filtering ICMP type 134 (no reassembly)
Attackers can exploit that to evade RA Guard by pushing the ULP header (RA) into the second fragment
They can even use overlapping fragments to disguise the RA as some other valid message
RFC 3128 is not applicable to IPv6
THC fake_router6 FD implements this attack, which bypasses RA Guard
Possible solutions
How about overlapping fragments? Forbidden: RFC 5722. Use a compliant host stack!
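As an added example (not from the session), a header-chain check a first-hop filter or IDS can apply to the evasion described above: an RA whose ICMPv6 header sits in a later fragment is invisible to a stateless type-134 match, so the hardened rule also drops first fragments whose header chain is incomplete, which RFC 7112 forbids. The packets below are constructed test vectors, not captures.

```python
import struct

# IPv6 next-header values (IANA) and the ICMPv6 type a stateless RA Guard matches
HOPOPT, ROUTING, FRAGMENT, ICMPV6, DSTOPT = 0, 43, 44, 58, 60
EXT_HEADERS = {HOPOPT, ROUTING, DSTOPT}
RA_TYPE = 134

def classify(pkt: bytes) -> str:
    """Walk the header chain of an unfragmented packet or a first fragment.
    'icmpv6-ra': an RA header is visible; 'header-chain-incomplete': the ULP header
    is not in this fragment (RFC 7112 violation), so a type-134 filter cannot see it."""
    if len(pkt) < 40:
        return "truncated"
    nh, off, fragmented = pkt[6], 40, False
    while True:
        if nh in EXT_HEADERS:
            if off + 2 > len(pkt):
                return "header-chain-incomplete" if fragmented else "truncated"
            nh, off = pkt[off], off + 8 * (pkt[off + 1] + 1)   # hdr-ext-len in 8-octet units
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return "truncated"
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return "non-first-fragment"
            nh, off, fragmented = pkt[off], off + 8, True
        else:
            break
    if off + 4 > len(pkt):  # the ULP header itself is missing from this fragment
        return "header-chain-incomplete" if fragmented else "truncated"
    if nh == ICMPV6:
        return "icmpv6-ra" if pkt[off] == RA_TYPE else "icmpv6"
    return "ulp-present"

def host_port_verdict(pkt: bytes) -> str:
    """Hardened RA Guard on a host-facing port: drop visible RAs and also drop
    first fragments that do not carry the whole header chain."""
    return "drop" if classify(pkt) in ("icmpv6-ra", "header-chain-incomplete") else "permit"

# Constructed test vectors (link-local source, all-nodes destination, hop limit 255)
def ipv6_hdr(payload_len: int, nh: int) -> bytes:
    src, dst = b"\xfe\x80" + bytes(13) + b"\x01", b"\xff\x02" + bytes(13) + b"\x01"
    return struct.pack("!IHBB", 6 << 28, payload_len, nh, 255) + src + dst

RA_BODY = bytes([RA_TYPE, 0, 0, 0]) + bytes(12)           # type 134, zeroed fields
PLAIN_RA = ipv6_hdr(16, ICMPV6) + RA_BODY
DSTOPT_RA = ipv6_hdr(8 + 16, DSTOPT) + bytes([ICMPV6, 0]) + bytes(6) + RA_BODY
# First fragment (M=1) whose Destination Options header declares 48 bytes but only
# 16 are present: the ICMPv6 header would only appear in fragment 2
FRAG1 = (ipv6_hdr(8 + 16, FRAGMENT) + struct.pack("!BBHI", DSTOPT, 0, 1, 0x1234)
         + bytes([ICMPV6, 5]) + bytes(14))
```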
Each FH feature provides commands to attach policies to targets: box, vlan, port
vlan configuration 100
 ipv6 nd raguard attach-policy host
 ipv6 snooping
interface e 0/0
 ipv6 nd raguard attach-policy router
Packets are processed by the lowest-level matching policy for each feature:
Packets received on e0/0 are processed by ra-guard policy "router" AND snooping policy "default"
Packets received on any other port of vlan 100 are processed by ra-guard policy "host" AND snooping policy "default"
Configuration examples
Step 1: Configure policies
Attach policies (Vlan, Port):
interface Ethernet0/0
 ipv6 nd raguard attach-policy ROUTER
vlan configuration 100,101
 ipv6 snooping attach-policy NODE
interface Ethernet1/0
 ipv6 snooping attach-policy SERVER
Figure: the binding table (shown with "device-tracking binding") holds IPv4, IPv6 and dual-stack entries per VLAN and port.
Configuration before and after the unified device-tracking CLI
Configure policy: before, IPv4 "ip device tracking", IPv6 "ipv6 snooping policy xxx"
Attach policy: before, IPv6 "ipv6 snooping attach-policy xxx"
Configure static binding: before, IPv4 "ip source binding", IPv6 "ipv6 neighbor binding"; after, "device-tracking binding"
Upgrade command (exec): device-tracking upgrade-cli
Show and clear commands: before, "clear ip device-tracking", "clear ipv6 neighbor binding"
Figure (SEND, CGA-secured ND): the sender sources the ND message with address A, includes its KEY, signs with KEY and includes the SIGNATURE (Source = A, ND-message, KEY, SIGNATURE); the receiver extracts A, KEY and SIGNATURE and verifies them before accepting the message.
Figure (CGA strength): hash = SHA-1(pub + pfx); the address carries hash[0..61], so producing a key that matches a given CGA takes about 2^62 attempts.
Figure (CGA generation):
1. message = mod || prefix || col || key; hash = SHA-1(message). "Delay is here!": the modifier loop, increment mod and recompute until the hash condition holds.
2. Compute address: bytes 0-7 = prefix; bytes 8-15 = hash bytes 0-7; bits 64-66 = sec; bits 70, 71 = 0 (u and g).
3. Do DAD. No response: start using the address. Duplicate: increment col and retry while col < 2, otherwise report an error.
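Added illustration (not the session's code) of the flowchart above, following RFC 3972 with the slide's names mod, prefix, col, key and sec: Hash2 gates the modifier search, Hash1 yields the interface identifier, the collision count runs 0..2, and the receiver recomputes the address from the parameters as the SEND step requires. The key bytes used in the test are constructed placeholders, not a real public key, and the signature step is left out.

```python
import hashlib
import ipaddress
import os

def cga_hash1(modifier: bytes, prefix: bytes, col: int, key: bytes) -> bytes:
    # message = mod || prefix || col || key ; hash = SHA-1(message)
    return hashlib.sha1(modifier + prefix + bytes([col]) + key).digest()

def cga_hash2_ok(modifier: bytes, key: bytes, sec: int) -> bool:
    # RFC 3972 Hash2: SHA-1(modifier || 9 zero bytes || key) must start with 16*sec zero bits
    if sec == 0:
        return True
    return int.from_bytes(hashlib.sha1(modifier + bytes(9) + key).digest()[:2 * sec], "big") == 0

def find_modifier(key: bytes, sec: int, rng=os.urandom):
    # "Delay is here!": about 2^(16*sec) attempts, incrementing mod until Hash2 fits
    modifier, attempts = rng(16), 1
    while not cga_hash2_ok(modifier, key, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % 2**128).to_bytes(16, "big")
        attempts += 1
    return modifier, attempts

def cga_address(prefix: bytes, modifier: bytes, key: bytes, sec: int, col: int):
    iid = bytearray(cga_hash1(modifier, prefix, col, key)[:8])  # bytes 8..15 = hash bytes 0..7
    iid[0] = (iid[0] & 0x1F) | (sec << 5)                       # bits 64-66 = sec
    iid[0] &= 0xFC                                              # bits 70, 71 (u and g) = 0
    return ipaddress.IPv6Address(bytes(prefix) + bytes(iid))    # bytes 0..7 = prefix

def generate_cga(prefix, key, sec=0, dad_in_use=lambda addr: False, rng=os.urandom):
    modifier, attempts = find_modifier(key, sec, rng)
    for col in range(3):                     # RFC 3972: collision count 0, 1, 2, then give up
        addr = cga_address(prefix, modifier, key, sec, col)
        if not dad_in_use(addr):             # Do DAD: no response -> start using address
            return addr, col, attempts
    raise RuntimeError("duplicate after three collision counts: report error")

def cga_verify(addr, prefix, modifier, key, col) -> bool:
    # Receiver side (the SEND step "Extracts A, KEY"): recompute from the CGA
    # parameters and compare; a node without the matching key cannot claim A
    sec = addr.packed[8] >> 5
    if col > 2 or addr.packed[:8] != prefix:
        return False
    return addr == cga_address(prefix, modifier, key, sec, col) and cga_hash2_ok(modifier, key, sec)
```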
Figure (binding table): hosts H1, H2, H3 behind the switch, DHCP server upstream.
ADR   MAC    VLAN  IF   Preference
A1    MACH1  100   P1
A21   MACH2  100   P2
A22   MACH2  100   P2
A3    MACH3  100   P3
Address glean: control traffic from a host (NDP, DHCP, ...) is checked (Valid? Y/N) before an entry is created; the binding table then feeds Source Guard.
Upon collision, choose the highest preference (for instance static, trusted, CGA, DHCP preferred over dynamic, not-trusted, not-CGA, SLAAC)
For collisions with the same preference, choose First Come, First Serve or poll the old location
Figure (DHCP guard): ADVERTISE messages arriving on a client port are dropped, while the client's SOLICIT reaches the DHCP server; DHCP guard validates the server's source, prefix list and CGA credentials. Port ACL alternative:
interface FastEthernet0/2
 ipv6 traffic-filter CLIENT_PORT in
 access-group mode prefer port
Figure (DAD with the binding table): host A on IFA sends an ICMP DAD Neighbor Solicitation (Source = UNSPEC, Destination = SOL A, target = A, Query = does anybody use A already?). The switch consults its binding table to decide whether the NS-DAD must be forwarded to IFC, where A may already be in use (answer: NA, target = A, "it's mine!"), or whether address A is ready to use.
Figure (RA guard): the RA from attacker C is dropped at the switch port; the RA from router B is accepted, and the host autoconfigures GOOD::A and runs DAD on it.
Figure (destination guard): a scanner on the Internet sends to destinations D1 ... Dn in {P/64}; the router looks each destination up in the binding table (PFX::1 MAC1 IFX, learned by address glean): found -> forward the packet; not found -> drop it instead of starting address resolution, so the neighbor cache (PFX::1 MAC1 STALE) is not exhausted.
Misdirecting mitigation
Figure (source guard): hosts A1, A2, A3; binding table built by address glean
IPv6  MAC     VLAN  IF
A1    MACA1   100   P1
A21   MACA21  100   P2
A22   MACA22  100   P2
Source guard allows traffic sourced with a known IP/SMAC, denies traffic sourced with an unknown IP/SMAC (A3 is not yet in the table) and tries to recover unknown addresses.
Figure (source guard, address recovery): data on P3 with src = A3, SMAC = MACA3 matches no entry; the switch sends a DHCP LEASEQUERY and, on the LEASEQUERY_REPLY, adds A3 / MACA3 / 100 / P3 to the table next to A1 and A21/A22. Recovery attempts are rate limited.
Figure (prefix guard, SP access): home gateways G1, G2, G3 on ports p1, p2, p3 of a shared VLAN. L2 switch: FH security, DHCP tag. L3 switch: FH security, DHCP relay. DHCP server upstream. G1 sends a DHCP-PD request and receives PREFIX = P1; the binding table records Prefix P1, MAC MACG1, VLAN 100, Port p1, and the FIB records P1 via NH LLG1. G1 advertises P1 in an RA (SLAAC); traffic with src = P1::iid is allowed, traffic with src = BAD::iid is dropped.
Agenda
Example, demo
Mitigating Vulnerabilities
Enterprise
Figure (enterprise topology): DataCenter, WAN, Buildings, Campus core, Wireless.
Threats per area: DoS and Misdirect in the DataCenter and WAN; Router theft, Address theft, Session hijack, DoS and Misdirect in the Buildings, Campus core and Wireless.
Mitigations per area: Access List (DataCenter, WAN); Destination Guard (DataCenter); Buildings and Wireless: RA guard/PACL, DHCP guard/PACL, Source guard, IPv6 snooping/Binding guard; Campus core: IPv6 snooping/trusted; Wireless also RA throttling, AR (address resolution) proxying, DAD filtering.
SP Access
Figure (SP access topology): DSL router -> ATM -> DSLAM -> switches -> BRAS/BNG -> firewall -> ISP -> Internet; cable router -> DOCSIS 3.0 -> CMTS (provisioning services); Enterprise -> Ethernet switches / Ethernet bridge.
Threats: Router theft, Address (Next-Hop) theft, Session hijack, DoS, Misdirect.
Mitigations: Secure box, PVLAN*.
Datacenter
Figure (datacenter topology): WAN, Core, transitioning services, L3/L2 boundary, firewall, load balancing, aggregation, access, VEMs, VMs 1-4, servers.
Threats: DoS and Misdirect at the WAN and core; Router theft, Address theft, Session hijack, DoS and Misdirect at aggregation and access.
Mitigations: Access List and PVLAN at the core; RA guard/PACL, DHCP guard/PACL, Source guard, IPv6 snooping/Binding guard at aggregation and access.
Feature/Platform (columns: Catalyst 6500 Series, Catalyst 4500 Series, Catalyst 2K/3K Series, ASR1000 Router, 7600 Router, Wireless LAN Controller (Flex 7500, 5508, 2500, WISM-2), Nexus 3k/5k/6k/7k/9k; legend: Available Now, Not Available, Roadmap)
RA Guard: 15.0(1)SY / 15.1(2)SG / 15.0(2)SE
IPv6 Snooping: 15.0(1)SY1 / 15.1(2)SG / 15.0(2)SE
DHCPv6 Guard: 15.2(1)SY / 15.1(2)SG / 15.0(2)SE
Source/Prefix Guard: 15.2(1)SY / 15.2(1)E / 15.0(2)SE2 / XE 3.9.0S / 15.3(1)S
Destination Guard: 15.2(1)SY / 15.1(2)SG / 15.2(1)E / XE 3.9.0S / 15.2(4)S
RA Throttler: 15.2(1)SY / 15.2(1)E / 15.2(1)E
ND Multicast Suppress: 15.2(1)SY / 15.1(2)SG / 15.2(1)E
Other releases in the matrix: XE 3.9.0S (ASR1000), 15.2(4)S and 15.3(1)S (7600), 15.0(1)EX (Catalyst 2K/3K), 7.2 (Wireless LAN Controller), NX-OS 7.3 (Nexus); their per-feature placement did not survive extraction.
Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped
Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release
At first glance, nothing is really new in IPv6, but the devil is in the details
Deploy FHS if you have deployed Dynamic ARP Inspection, DHCP snooping and IP Source Guard: attacks on IPv6 NDP are similar in causes and damage
At minimum, deploy protection against rogue routers
Lack of operational experience may hinder security for a while: training is required
Recommended Reading
For reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014