Korea Information Security Agency KISA - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
IPv6 Security threat and Countermeasures
The 11th ASTAP Expert Group on Information
Security
  • June 2006
  • Korea Information Security Agency (KISA)
  • DongMyung Shin

2
Contents
  • IPv6 Security Overview
  • Security Issues on IPv6 Protocol
  • Conclusion

3
  • 1. IPv6 Security Overview
  • Trends of IPv6 Security
  • New Security Considerations
  • Security Issues on IPv4/v6 translation

4
Trends of IPv6 Security (1/2)
  • The IETF ngtrans working group was shut down; instead, the
    v6ops WG was opened in July 2002
  • 62nd IETF meeting (March 2005)
  • v6ops Working Group
  • Standardization of IPv6 security countermeasures
    on IPv4/IPv6
  • DRAFT
  • IPv6 Transition/Co-existence Security
    Considerations (Oct. 2005)
  • Using IPsec to Secure IPv6-in-IPv4 Tunnels (Aug.
    2005)
  • Best Current Practice for Filtering ICMPv6
    Messages in Firewalls (Oct. 2005)
  • RFC
  • Security Considerations for 6to4 (RFC 3964)
    (Dec. 2004)

5
Trends of IPv6 Security (2/2)
  • 6NET(Europe, www.6net.org)
  • WP3 Basic Network Services
  • D3.1.2 IPv6 cookbook for routing, DNS,
    intra-domain multicast, inter-domain multicast,
    and security, 2nd Version
  • D3.5.1 Secure IPv6 Operation: Lessons learned
    from 6NET, 3rd Version
  • WP6 Network Management Architecture and Tools
  • D6.2.2 Operational procedures for secured
    management with transition mechanisms, 2nd
    Version
  • Japan
  • IPv6 Promotion Council
  • Deployment WG - Security SWG
  • Security edition in IPv6 Deployment Guideline
    (2005)
  • Secure Operational Guide on IPv6
  • Cisco
  • NETWORKERS 2004 - security session
  • Introduces IPv6 security threats and
    countermeasures

6
New Security Considerations
  • IPv4/IPv6 Security Issues
  • Sniffing, Spoofing
  • Attack on transport layer
  • Rogue device attack
  • Man-in-the-Middle attack
  • Packet flooding, DoS attack
  • New IPv6 Security Issues
  • Issues on IPv6 Infrastructure
  • Extended address space
  • Using Anycast
  • ICMPv6
  • Routing Header
  • Hop-by-Hop option Header
  • Issues on IPv6 Hosts
  • Access Control
  • Privacy Extensions
  • Fragmentation
  • Link Local attack

7
Security Issues on IPv4/v6 translation
  • Packet inspection for filtering on firewalls
  • IPsec tunneling issues
  • Evasion of attacker address tracing across the
    IPv4/IPv6 boundary
  • Abuse of the IPv6 privacy extension
  • Validation of IPv6 addresses
  • Ingress filtering
  • Filtering of tunneled IPv4 / IPv6 addresses
  • Verification of address integrity
  • Abuse of broadcast on the IPv4 network
  • Abuse of multicast on the IPv6 network

8
  • 2. IPv6 Security Issues
  • Overview of IPv6 header
  • Security Issues on IPv6 Infrastructure
  • Extension of address space
  • Using Anycast
  • ICMPv6
  • Routing Header
  • Hop-by-Hop Option Header
  • Security Issues on IPv6 Hosts
  • Access Control
  • Privacy Extensions
  • Fragmentation
  • Link Local attack
  • Ingress Filtering Routing attack

9
Overview of IPv6 Header
10
Extension of Address Space (1/3)
Changes in network scanning
  • Issues arising from the extended address space
  • Security Issues
  • Guessing internal network addresses
  • Weakness of the fixed EUI-64 field (FF:FE) in the interface ID
  • Countermeasure
  • Random address allocation
  • Filtering internal-use IPv6 addresses
  • New site-local multicast addresses (RFC 2375)
  • All Routers (FF05::2)
  • All DHCP servers (FF05::1:3)
  • Security Issues
  • Setting a multicast address in the destination address
    field to scan the whole network
  • Countermeasure
  • Filtering the abnormal destination addresses

[Figure: Subnets A, B, C and D, showing link-local scope within a subnet and site-local scope across the site]
11
Extension of Address Space (2/3)
Difficulties in scanning an IPv6 network
[Figure: an attacker facing Laptops 1-6 behind Router 1 inside one /48 site; each host has a random-looking link-local address (fe80::/64) and a global address in one of the site's /64 subnets, so the attacker does not know which interface IDs to probe]
12
Extension of Address Space(3/3)
Elapsed time of scanning a sub-network
  • About 8,340 OUIs are assigned in total, not 2^24 (16 million)
  • The 24-bit serial number can be anything (start at the beginning?)
  • The middle 16 bits are always FF-FE
  • Assume a ping scan; 48 bytes is the minimal IPv6 ICMPv6 packet (40 + 8 + 0), which is 384 bits
  • Send 2 Mbit/sec, which is 2,667 probes/sec (at 48 bytes per probe, both directions)
    (Slammer easily achieved more than 4,000 probes/second in a real-world example)
  • 9,600,000 probes/hr, or 230,400,000 probes/day, or 84,096,000,000 probes/year,
    or 84,096,000,000,000 probes/millennium
  • Possible locations on the subnet are 2^24 x 8,340 = 139,921,981,440
  • Time to scan the network for a single host is 139,921,981,440 / 230,400,000 ≈ 607 days
  • Assuming 100 machines on each subnet, evenly distributed, the time to find the first
    host is 607 days / 100 ≈ 6.07 days
  • Elapsed time of port-scanning is the same for IPv4 and IPv6 (vertical scanning)
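The two points above (the fixed FF:FE field that betrays an EUI-64 interface ID, and the scan-time estimate built on it) as a worked example. This is added code, not from the presentation; the OUI count and probe rate are the slide's own figures, and the MAC address is the one shown on the later link-local-attack slides.

```python
import ipaddress

OUIS_ASSIGNED = 8340            # figure from the slide
PROBES_PER_HOUR = 9_600_000     # slide: 2 Mbit/s at 48 bytes per probe, rounded

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291): flip the universal/local bit of the first
    octet and insert FF:FE between the 24-bit OUI and the 24-bit serial."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Link-local address a stack derives from its MAC when privacy extensions are off."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))

def looks_like_eui64(addr: str) -> bool:
    """True when the interface ID carries the fixed FF:FE field, i.e. it embeds a
    MAC and the search space is OUIs x 2^24 rather than the full 2^64."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE

def eui64_candidates(ouis: int = OUIS_ASSIGNED) -> int:
    """Possible EUI-64 locations on one /64: assigned OUIs x 2^24 serial numbers."""
    return ouis * 2 ** 24

def days_to_first_host(hosts_per_subnet: int = 1, ouis: int = OUIS_ASSIGNED,
                       probes_per_hour: int = PROBES_PER_HOUR) -> float:
    """The slide's estimate: candidates / probes per day, divided by the number
    of evenly distributed hosts that could answer."""
    probes_per_day = probes_per_hour * 24
    return eui64_candidates(ouis) / probes_per_day / hosts_per_subnet

if __name__ == "__main__":
    # MAC from the link-local-attack slides; yields the slide's FE80::208:74FF:FE01:203
    print(link_local_from_mac("00-08-74-01-02-03"))
    # Constructed privacy-style address: no FF:FE field, so the shortcut does not apply
    print(looks_like_eui64("fe80::7574:6057:9c42:3442"))
    print(round(days_to_first_host(), 1), round(days_to_first_host(100), 2))
```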
13
Anycast
  • Anycast service (RFC 3513)
  • Selects the optimized path to reach the anycast group
    (short hop distance, low cost, RTT etc.)
  • The server responds to an anycast request by unicast
  • Security Issues
  • Masquerade attack (anycast request → unicast
    response)
  • Sniffing the network through the anycast service
  • Countermeasure
  • Filtering anycast addresses
  • Suppressing anycast requests from external networks
  • Using an IPsec tunnel

[Figure: a client sends a request to the anycast address; the anycast router (AR) delivers it to one of hosts A, B or C in the anycast group, which replies from its global unicast address]
14
ICMPv6 (1/4)
  • ICMPv4 vs. ICMPv6

[Figure: protocol stacks compared. IPv4: Application / TCP, UDP / IGMP, ICMPv4 / IPv4 / ARP, RARP / Ethernet. IPv6: Application / TCP, UDP / ICMPv6 / IPv6 / Ethernet, with no separate ARP, RARP or IGMP]
15
ICMPv6 (2/4)
  • ICMPv6 response messages to packets with a multicast
    address are allowed
  • Security Issues
  • Source address spoofing of multicast packets
  • DoS attack using exceptional messages
  • Packet Too Big, Parameter Problem messages
  • Countermeasure
  • Additional filtering of exceptional messages is
    needed
  • Security Issues
  • Broadcasting false Router Solicitation/Advertisement
    messages on the link-local network
  • Wrong IPv6 prefix
  • Countermeasure
  • Using IPsec AH (RFC 2461); manual keying is
    available
  • Signature, CGA (Cryptographically Generated
    Address)
  • SEND (SEcure Neighbor Discovery)

16
ICMPv6 (3/4)
Neighbor Solicitation / Neighbor Advertisement
[Figure: an enterprise with Clients A, B and E, Server D and IPv6 interior routers behind IPv6 Edge Router/Firewall C; hosts inside send NS, while the edge firewall discards NS ICMPv6 arriving from outside]
In order not to disturb IPv6 ICMP operation, smart
filtering for echo-request messages is needed
17
ICMPv6 (4/4)
Processing the Packet Too Big message
Issues with blocking Packet Too Big messages to prevent DoS attacks:
  • It disturbs IPv6 Path MTU discovery
  • A DoS attack using Packet Too Big messages is possible from the global network
  • Additional filtering rules for exceptional messages are needed
18
Routing Header (1/3)
  • Routing Type 0: source routing, no limit on
    hop count
  • Routing Type 2: MIPv6, limited to 1 hop
    (Segments Left = 1)

19
Routing Header (2/3)
All IPv6 hosts should process the routing
header (RFC 2460)
[Figure: Attacker A on the IPv6 Internet, a firewall, and Internal Servers B and C]
Attacks shown:
  • 1. Access control avoidance
  • 2. DoS attack by spoofing the source address
  • 3. Reflection attack
  • Countermeasure
  • Firewall filtering on both the destination address and
    the routing header info

20
Routing Header (3/3)
An attacker can abuse source routing to bypass
firewalls
[Figure: an Internet-based attacker reaches Protected Server Q in Secure Enterprise A (tightly managed, highly secure firewall) by source-routing through the DMZ of Other Enterprise B (poorly managed, insecure firewall), the two sites being joined by back-to-back routers with no firewall]
  • Countermeasure
  • Hosts and routers should process a routing header
    of type 0 carefully

21
Hop-by-Hop Option Header (1/2)
All IPv6 nodes should process a Hop-by-Hop
option header (RFC 2460)
22
Hop-by-Hop Option Header (2/2)
[Figure: MLD router behaviour, normal vs. under attack]
By setting invalid parameters in the Router Alert
option, an attacker can impose overhead on the MLD router
23
Access control (1/3)
IPv6 filtering considerations
  • Parsing the IPv6 basic header and extension headers is
    needed to inspect upper-layer protocol info
  • Upper layer: TCP (6), UDP (17),
  • SCTP (132) etc., and next header (0-255)
  • L4 port number
  • Ex) In case of inspecting L4 port info
  • Parsing info
  • Basic header
  • Traffic class (DSCP)
  • Flow Label (0-0xFFFFF)
  • ICMPv6 type and code
  • TCP flags: syn, ack, fin, psh, urg, rst
  • Extension headers
  • Routing
  • AH
  • ESP
  • Fragmentation
  • Payload compression
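A parser for the header chain the slide describes, walking the extension headers to the upper-layer protocol and pulling out the flow label, ICMPv6 type/code, L4 ports and TCP flags, with the filter decision the later slides recommend (refuse type 0 routing headers, hand fragments to reassembly). This is added example code, not the presentation's; the sample packet is constructed inline and the `verdict` policy is an assumption for illustration.

```python
import struct

EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Dest Opts"}
TCP, UDP, ICMPV6 = 6, 17, 58
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]    # bit 0 .. bit 5 of the flags octet

def parse_ipv6(pkt: bytes) -> dict:
    """Walk the header chain; return the fields a filter needs (upper is None if unreachable)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"flow_label": int.from_bytes(pkt[:4], "big") & 0xFFFFF,
            "ext_headers": [], "rh_type0": False, "upper": None}
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        info["ext_headers"].append(EXT_HEADERS[nh])
        if nh == 44:                        # Fragment header: fixed 8 octets
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return info                 # non-first fragment carries no L4 header
            hdr_len = 8
        elif nh == 51:                      # AH: length in 4-octet units, minus 2
            hdr_len = (pkt[off + 1] + 2) * 4
        else:                               # options / routing: 8-octet units, first 8 not counted
            hdr_len = (pkt[off + 1] + 1) * 8
            if nh == 43 and pkt[off + 2] == 0:
                info["rh_type0"] = True
        nh, off = pkt[off], off + hdr_len
    info["upper"] = nh
    if nh in (TCP, UDP) and len(pkt) >= off + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[off:off + 4])
        if nh == TCP and len(pkt) >= off + 14:
            info["flags"] = [n for i, n in enumerate(TCP_FLAGS) if pkt[off + 13] & (1 << i)]
    elif nh == ICMPV6 and len(pkt) >= off + 2:
        info["icmp_type"], info["icmp_code"] = pkt[off], pkt[off + 1]
    return info

def verdict(info: dict) -> str:
    """Assumed policy from the slides: refuse type 0 routing headers; hand fragments to reassembly; else inspect."""
    if info["rh_type0"]:
        return "drop"
    return "reassemble" if info["upper"] is None else "inspect"

def build_sample() -> bytes:
    # Constructed packet: IPv6 | Hop-by-Hop (PadN) | Routing type 0 | TCP SYN to port 80
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    rh = bytes([TCP, 0, 0, 0]) + bytes(4)       # next=TCP, len=0, type=0, segments left=0
    hbh = bytes([43, 0, 1, 4]) + bytes(4)       # next=Routing, len=0, PadN option of 4 bytes
    ip = struct.pack("!IHBB", (6 << 28) | 0xABCDE, len(hbh) + len(rh) + len(tcp), 0, 64)
    return ip + bytes(16) + bytes(16) + hbh + rh + tcp
```

`parse_ipv6(build_sample())` reports the chain Hop-by-Hop, Routing with a type 0 routing header in front of a TCP SYN to port 80, and `verdict` drops it.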

24
Access control (2/3)
Bogon filtering in IPv6
  • IPv6 bogon filtering is different from
    IPv4
  • IPv4: prefer filtering bogon addresses rather than
    permitting only non-bogons
  • IPv6: top-level aggregation identifiers such as
    6Bone or 6to4 addresses etc. are allowed
[Figure: an internetworking device with IPv6 bogon filtering sits between the IPv6 Internet and an internal server and drops packets arriving from an unallocated IPv6 address]
25
Access control (3/3)
IPsec filtering considerations
  • A firewall can't inspect a header or payload
    encrypted with IPsec
  • Distributed (personal) firewalls can inspect the
    message after decryption of the packet is done
  • Also, by using IPsec AH mode, the firewall can
    inspect the message
[Figure: an IPv6 IPsec tunnel from Src A to Dst B crosses a network firewall on the IPv6 net, while a distributed firewall sits on the host itself]
26
Privacy Extensions (1/4)
Privacy Extensions (RFC 3041), I-D.ietf-ipv6-privacy-addrs-v2
  • Allocate temporary addresses for IPv6 host applications
  • Prevent exposure of the address to others by changing the interface identifier
  • Random 64-bit Interface ID
27
Privacy Extensions (2/4)
A DSL modem or DHCP server can't provide privacy for the
host address
28
Privacy Extensions (3/4)
Example: multiple addresses in Windows XP -
multiple IPv6 addresses assigned to one network
interface
29
Privacy Extensions (4/4)
  • Security Issues
  • Difficulties in tracing the attacker's address
  • Overhead of DDNS (Dynamic DNS) updates → DoS attack
  • Countermeasure
  • Smart filtering rules that support privacy extensions
  • Limit privacy addresses to internal network use
  • Use IPsec between hosts and DDNS; adjust the update
    period
[Figure: a firewall rule written for the internal server's address before the change blocks the server's normal packets after its privacy address changes]
30
Fragmentation (1/2)
  • Security Issues
  • Fragmentation and re-assembly of packets is
    processed in the host
  • Tiny fragment issues: draft-manral-v6ops-tiny
    -fragments-issues (2005)

Seq.
Attacker send the following fragment packets
HDR
US
HDR
1.
Time
ER
HDR
2.
HDR
ro
3a.
HDR
fo
3b.
4.
HDR
ot
In case of 3a USER root , 3b USER foot
31
Fragmentation (2/2)
  • Security Issues (cont.)
  • Draining memory resources by sending
    packets with false offset info
  • Countermeasure
  • Firewalls and NIDS should re-assemble
    fragmented packets
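The tiny-fragment example from the previous slide, as an added illustration (not the presentation's code) of why a firewall or NIDS has to reassemble rather than match fragment by fragment. The fragments are constructed after the slide's figure, with 3a and 3b both sent so that they overlap; the two overlap policies are assumed for illustration and correspond to whether a reassembling stack keeps the first or the last copy of a byte.

```python
from typing import Iterable, Tuple

Fragment = Tuple[int, bytes]   # (byte offset within the reassembled payload, data)

def reassemble(frags: Iterable[Fragment], policy: str = "first") -> bytes:
    """Reassemble fragments; on overlap keep the first-received ('first') or
    the last-received ('last') byte. Raises if the result has a hole."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}
    for offset, data in frags:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if set(buf) != set(range(len(buf))):
        raise ValueError("missing bytes; cannot reassemble")
    return bytes(buf[i] for i in range(len(buf)))

# Constructed after the slide: 1. "US", 2. "ER", 3a. " ro", 3b. " fo", 4. "ot"
SLIDE_FRAGMENTS = [(0, b"US"), (2, b"ER"), (4, b" ro"), (4, b" fo"), (7, b"ot")]

def inspect_per_fragment(frags: Iterable[Fragment], pattern: bytes = b"USER root") -> bool:
    """Naive inspection that looks at each fragment alone: the pattern never
    fits inside a single tiny fragment, so the check is blind."""
    return any(pattern in data for _, data in frags)

def inspect_reassembled(frags: Iterable[Fragment], pattern: bytes = b"USER root",
                        policy: str = "first") -> bool:
    """What a firewall/NIDS sees once it reassembles with the same overlap
    policy as the destination host."""
    return pattern in reassemble(frags, policy)
```

A first-wins host receives "USER root" while a last-wins host receives "USER foot", so the inspecting device must both reassemble and know which policy the protected host applies.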

32
Link Local attack (1/3)
  • Security Issues
  • Attacker C, disguised as user B, sends a Neighbor
    Advertisement message

[Figure: on one link, Malicious Host C (MAC 00-08-74-01-02-03, link-local FE80::208:74FF:FE01:203), Legit Host D (MAC 00-08-74-0D-0E-0F, link-local FE80::208:74FF:FE0D:E0F), Legit Host B (MAC 00-08-74-0A-0B-0C, link-local FE80::208:74FF:FE0A:B0C) and Legit Host A, each also holding a global 2001:DB8 address]
33
Link Local attack (2/3)
  • Security Issues
  • Attacker C sends a spoofed "duplicate" message
    during DAD (Duplicate Address Detection) of host D

[Figure: the same hosts A, B, C and D as on the previous slide]
34
Link Local attack (3/3)
  • Security Issues
  • Attacker F sends many false NS requests to routers
  • If the requested address does not exist in the neighbor
    cache (the IPv6 equivalent of the ARP table), the router
    sends an NS message to the host
[Figure: Malicious Host F on a link with Legit Host D (MAC 00-08-74-0D-0E-0F, link-local FE80::208:74FF:FE0D:E0F, marked TENTATIVE), Legit Host B (MAC 00-08-74-0A-0B-0C, link-local FE80::208:74FF:FE0A:B0C) and Legit Host A]
35
IPv6 Firewall Issues
  • Filtering of tunneling protocols and tunneled packets
  • All security equipment (firewalls, NIDS, IPS
    etc.),
  • between the router and the subnet,
  • and all VPNs,
  • should provide filtering of tunneling protocols
  • IDS/IPS should monitor the IPv6 link protocols
  • Neighbor Discovery
  • Router Advertisement
  • NIDS should distinguish tunneled IPv6 from native
    IPv6 packets
  • Firewalls should be able to inspect IPv6 packets
  • Process the IPv6 extension header chain
  • Support IPv4/IPv6 transition

36
3. Conclusion
  • IPv6 security issues and countermeasures
  • Additional filtering rules for supporting ICMPv6
    and extension headers
  • Countermeasures against masquerading IPv4/v6
    translators, DoS attacks etc.
  • Recommended: IPv6 firewall, IDS etc.
  • Use of authentication mechanisms (SSL, IPsec, AAA
    etc.)
  • IPv6 security practice, for example:
  • The IPv6 firewall should be aware of the new extension
    headers of IPv6
  • NIDS should be aware of the new types of IP
    packets
  • Network managers should use unpredictable addresses
    or static address allocation where possible
  • Routers should prohibit packets with a multicast
    address as the destination
  • Network managers should use IPsec authentication
    to provide the network's address information for
    router/host solicitation requests

37
Q&A