[BruCON] Transition to IPv6 on the internet: Threats and Mitigation techniques
September 18, 2009
Eric Vyncke – Transition to IPv6 on the internet: Threats and Mitigation techniques
He has been running IPv6 at home for 6-7 years.
- Why IPv6, What is IPv6 ?
- Shared issues by IPv4 and IPv6
- Specific issues of IPv6
- Enforcing a Security policy in IPv6
Current estimates are that IPv4 will be exhausted by the beginning of 2011
Currently seeing <1Gbps of IPv6 traffic through the Amsterdam Internet Exchange — This is not much
Four big changes introduced by IPv6
- Larger addresses (128 bits vs 32 bits)
- Multiple addresses per node (correlation more difficult)
- Optional extension headers (complexity for ACL)
- ARP is replaced by Neighbor Discovery Protocol
A lot of these changes have security implications (good and bad)
- Due to address space issues, scanning methods will need to change
- Public servers will be DNS resolvable
- Increased reliance on Dynamic DNS
- Administrators will tend to pick easy-to-remember addresses
- By compromising a host an attacker can learn new addresses to scan
Scanning an IPv6 subnet could be an attack on the router due to the amount of traffic needed to find hosts within a reasonable timeframe.
(Viruses and Worms)
- Worms cannot scan subnets like they did with IPv4 (see Reconnaissance)
- Use email to propagate (No change)
IPv6 Privacy Extension (RFC 3041)
- Should be used as a consumer, but not inside networks
- changing addresses make your logs useless
ICMPv6 – significant changes
- More relied upon than ICMPv4 (not so easy to just block it all)
- Firewalls will need to reply to some ICMPv6 messages (Type 133/134 Router Solicitation/Advertisement, etc.)
Neighbor Discovery Issues
- Stateless autoconfiguration – Attackers can send fake router advertisements due to lack of authentication
- Neighbor solicitation – No authentication (much like ARP spoofing for IPv6)
- Duplicate address detection – System sends request to see if a conflict exists (attacker can DoS a system)
ARP spoofing is now NDP spoofing!
Solution coming that uses Secure Neighbor Discovery – SEND = NDP + crypto (RFC 3971)
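The fake router advertisements mentioned above (ICMPv6 Type 134) can be spotted passively on a segment. The following is an added example, not code from the talk: it parses an RA and its Prefix Information options (RFC 4861 layout) and flags any RA whose source router or advertised prefix is not on a defender-maintained allow list. The allowed router address and prefixes, and the two sample RAs, are constructed for illustration; the ICMPv6 checksum is left at zero and not verified.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3

def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement and its Prefix Information options."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    hop_limit, _flags, router_lifetime = struct.unpack("!BBH", payload[4:8])
    ra = {"hop_limit": hop_limit, "router_lifetime": router_lifetime, "prefixes": []}
    offset = 16  # fixed RA header is 16 bytes; options follow
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1] * 8  # length in 8-octet units
        if opt_len == 0 or offset + opt_len > len(payload):
            raise ValueError("malformed ND option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 32:
            prefix_len = payload[offset + 2]
            prefix = ipaddress.IPv6Address(payload[offset + 16:offset + 32])
            ra["prefixes"].append(ipaddress.IPv6Network((prefix, prefix_len), strict=False))
        offset += opt_len
    return ra

def rogue_ra_findings(src: str, payload: bytes, allowed_routers, allowed_prefixes) -> list:
    """Return a list of findings; empty means the RA matches the expected routers/prefixes."""
    ra = parse_router_advertisement(payload)
    findings = []
    if ipaddress.IPv6Address(src) not in {ipaddress.IPv6Address(r) for r in allowed_routers}:
        findings.append(f"RA from unexpected router {src}")
    for prefix in ra["prefixes"]:
        if prefix not in allowed_prefixes:
            findings.append(f"unexpected prefix {prefix} advertised by {src}")
    return findings

def build_ra(prefix: str, router_lifetime: int = 1800) -> bytes:
    """Constructed sample RA with one Prefix Information option (checksum left as zero)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    option = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    return header + option + net.network_address.packed

# Constructed allow list and samples (hypothetical addresses, not from the talk).
ALLOWED_ROUTERS = ["fe80::1"]
ALLOWED_PREFIXES = [ipaddress.IPv6Network("2001:db8:1::/64")]
LEGIT = ("fe80::1", build_ra("2001:db8:1::/64"))
ROGUE = ("fe80::bad", build_ra("2001:db8:dead::/64"))
```

In practice the source address and payload would come from a packet capture on the segment, and any non-empty findings list would feed an alert.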
Bugs exist in IPv6 just as they have in IPv4. The more it is deployed, the more problems can be found and fixed. However, attack tools for IPv6 already exist.
Specific IPv6 issues
(The IPSEC myth)
- IPv6 mandates the implementation of IPsec, but doesn’t require its use
- IPSEC has scaling issues
- Firewalls, IDS cannot read your traffic
- Network services like QoS are hindered
(IPv4 to IPv6 Transition challenges)
- 16+ methods!
- Dual stack – dual attack surface! You are only as strong as your weakest stack
- Jumping from an IPv6 attack into an IPv4 “No split tunneling” VPN possible
- Your network doesn’t run IPv6; however, it doesn’t need to if your PC enables it by default
- Most transition mechanisms don’t include authentication – Spoofing
Tools like Teredo that tunnel through the NAT can be used to transport traffic that would normally be blocked when using IPv4. A single opening in the NAT can be used to attack the internal host.
Enforcing the policy
ACLs need to be able to handle more complex header chains to support both IPv4 and IPv6.
Training is needed for network engineers and everybody else on what IPv6 is and what impact it will have.