IPv6 Access Security
Tim Martin, CCIE #2020, Solutions Architect
4 Nov. 2015

(Uploaded by tim-martin; posted 23-Feb-2017; category: Internet)

Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Agenda

•  Why IPv6, Why Now
•  IPv6 Host Assignments
•  IPv6 First Hop Security
•  SeND
•  802.1x
•  Alternatives
•  Summary

Market Factors Driving IPv6 Adoption

•  IPv4 address depletion (2011)
•  National IPv6 strategies, STEM mandate
•  Infrastructure evolution: 4G, DOCSIS 3.0, CGN
•  IPv6 OS, content & applications: preferred by apps & content
•  RF Mesh (IEEE 802.15.4), PLC (IEEE 1901.2), LTE, Bluetooth LE, 6LoWPAN, RPL

IPv6 for the Enterprise in 2015

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-586154.pdf

Framing the Attack Surface

•  Layer 2 typically involves Ethernet (switches) or WiFi (controllers) links
•  Security is only as strong as your weakest link
•  When it comes to networking, layer 2 can be a relatively weak link

(Figure: the attack surface at each layer, from physical links, MAC addresses, IP addresses and protocols/ports up to the application stream, drawn against two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical), with the initial compromise marked on one host.)

IPv6 Host Address Assignments

IPv6 Host Portion Address Assignment

Methods (the slide contrasts those similar to IPv4 with those new in IPv6): manually configured, StateLess Address AutoConfiguration (SLAAC) with EUI-64, SLAAC privacy extensions, assigned via DHCPv6.

Modified EUI-64 from a 48-bit MAC address (OUI + device identifier):

  MAC address:     00 90 27 17 fc 0f
  Insert ff fe:    00 90 27 ff fe 17 fc 0f
  Flip the U bit:  02 90 27 ff fe 17 fc 0f

The U bit is bit 0000 00U0 of the first octet: U = 1 = universal/unique, 0 = local/not unique. The U bit must be flipped.

IPv6 Privacy Extensions (RFC 4941)

•  Generated from the unique 802 address using MD5, then stored for the next iteration
•  Enabled by default in Windows, Android, iOS, Mac OS/X, Linux
•  Temporary or ephemeral addresses for client applications (web browser)

Recommendation: good for the mobile user, but not for your organization/corporate networks (troubleshooting and accountability)

(Figure: 2001:db8 prefix with /32, /48 and /64 boundaries, followed by a randomly generated interface ID.)

Stable Interface ID Generation (RFC 7217)

•  RID = hash (Prefix, Net_Iface, DAD_Counter, secret_key)
•  Generates IIDs that are stable/constant for each network interface
•  IIDs change as hosts move from one network to another

Implementation of the RID is left to the OS vendor and MAY differ between client and server.

(Figure: 2001:db8 prefix with /32, /48 and /64 boundaries, followed by the random ID.)
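As an added illustration (not code from the slides), the EUI-64 derivation and the RFC 7217 stable-IID formula above in Python. RFC 7217 leaves the hash function F() to the implementer, so HMAC-SHA256, the input ordering and the sample secret are this example's assumptions.

```python
import hashlib
import hmac
import ipaddress


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface ID from a 48-bit MAC, as on the slide:
    split OUI and device identifier, insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # bit 0000 00U0 of the first octet: after the flip, 1 = universal/unique
    return bytes(eui)


def stable_iid(prefix: str, net_iface: str, dad_counter: int, secret_key: bytes) -> bytes:
    """RFC 7217 stable IID: RID = F(Prefix, Net_Iface, DAD_Counter, secret_key).
    Assumption for this example: F() is HMAC-SHA256 and the IID is its first 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    msg = net.network_address.packed[:8] + net_iface.encode() + bytes([dad_counter & 0xFF])
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def full_address(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix with a 64-bit interface ID into a textual IPv6 address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


if __name__ == "__main__":
    mac = "00:90:27:17:fc:0f"  # the MAC address used on the slide
    print("EUI-64 address:", full_address("2001:db8::/64", eui64_iid(mac)))
    key = b"constructed-per-host-secret"  # constructed sample; a real host keeps this secret
    # Same IID every time on one network, a different IID on another network.
    print("home:  ", full_address("2001:db8::/64", stable_iid("2001:db8::/64", "eth0", 0, key)))
    print("travel:", full_address("2001:db8:1::/64", stable_iid("2001:db8:1::/64", "eth0", 0, key)))
```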

DHCPv6

DHCPv6 Solicit (DHCPv6 server at 2001:db8::feed:1, reached through a DHCPv6 relay)

•  Source – fe80::1234, Destination – ff02::1:2
•  Client UDP 546, Server UDP 547
•  Original multicast encapsulated in unicast (relay)
•  DUID – different from v4, used to identify clients
•  ipv6 dhcp relay destination 2001:db8::feed:1

Four-message exchange:

SOLICIT (any servers?)
ADVERTISE (want this address?)
REQUEST (I want that address)
REPLY (It’s yours)

Disabling Ephemeral Addressing

•  Enable DHCPv6 via the M flag
•  Disable auto configuration via the A bit in option 3
•  Set router preference to high
•  Enable DHCPv6 relay

interface fastEthernet 0/0
 ipv6 address 2001:db8:1122:acc1::1/64
 ipv6 nd managed-config-flag
 ipv6 nd prefix default no-autoconfig
 ipv6 nd router-preference high
 ipv6 dhcp relay destination 2001:db8:add:cafe::1

IPv6 First Hop Security

IPv4 vulnerabilities & countermeasures

•  Catalyst Integrated Security Features (CISF)
•  Port Security
•  Dsniff – Dug Song
•  Ettercap – SourceForge

IPv6 Hacking Tools

•  ARP is replaced by Neighbor Discovery Protocol
•  Nothing authenticated
•  Static entries overwritten by dynamic ones
•  Stateless Address Autoconfiguration
•  Rogue RA (malicious or not)
•  Attack tools are real! Parasite6, Fakerouter6, Alive6, Scapy6, …

IPv6 First Hop Security (FHS)

IPv6 snooping supplies the binding table that the FHS features below rely on.

•  RA Guard – protection against rogue or malicious RAs and MiM attacks
•  DHCPv6 Guard – protection against invalid DHCP offers, DoS attacks and MiM attacks
•  Source/Prefix Guard – protection against invalid source addresses, invalid prefixes and source address spoofing
•  Destination Guard – protection against DoS attacks, scanning and invalid destination addresses
•  RA Throttler – reduces the control traffic necessary for proper link operations to improve performance
•  ND Multicast Suppress – facilitates scale by converting multicast traffic to unicast

The slide groups these into core features, advanced features, and scalability & performance.

Address Exhaustion – Parasite6

•  Attacker answers any victim's DAD attempts
•  Victim will need manual intervention to configure an IP address

(Figure: host A sends an NS with Src = UNSPEC, Dst = solicited-node multicast of A, Data = A, Query = "Does anybody use A?"; C answers with an NA with Src = any of C's IF addresses, Dst = A, Option = link-layer address of C; nodes A, B and C are shown.)

Misconfiguration

•  Admin/intern sends RAs with a false prefix
•  Enthusiast who has a tunnel broker account
•  The most frequent threat, by a non-malicious user

(Figure: an RA with Src = C's link-local address, Dst = all-nodes, Options = prefix BAD; nodes A, B and C are shown.)

Malicious Attack – Floodrouter6

•  Flooding RAs overwhelms the system: OSX, MSFT, iPad/iPhone, Android

(Figure: RAs carrying prefixes BAD1 through BAD6 flood nodes A, B and C.)

Update: MSFT Addresses Vulnerability in IPv6 Could Allow Denial of Service (2904659), published February 11, 2014

Malicious Attack – Fakerouter6

•  Attacker spoofs a Router Advertisement with a false on-link prefix
•  MITM, splash screen, capture

(Figure: B sends an RA with Src = B's link-local address, Dst = all-nodes, Options = prefix BAD to A and C.)

Three ways to block rogue RAs on an access port:

•  Port ACL

interface FastEthernet0/2
 ipv6 traffic-filter ACCESS_PORT in

ipv6 access-list ACCESS_PORT
 deny icmp any any router-advertisement

(The access list also needs permit entries for the traffic the port should still carry; an IPv6 ACL ends in an implicit deny.)

•  Feature based

interface FastEthernet0/2
 ipv6 nd raguard

•  Policy based

ipv6 snooping policy HOST
 security-level guard
 limit address-count 2
 device-role node

interface GigabitEthernet1/0/2
 ipv6 snooping attach-policy HOST

(Figure: RAs arriving on a port with device-role HOST are dropped; a port with device-role ROUTER may send RAs.)

IPv6 FHS – DHCPv6 Guard

Prevents rogue DHCP responses from misleading the client.

(Figure: a DHCP client sends a DHCP request; a node claiming "I am a DHCP server" and the legitimate DHCP server are shown.)

•  Deep control packet inspection
•  Address glean (ND, DHCP, data)
•  Address watch
•  Binding guard

IPv6 FHS – Snooping

Instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the binding table to ensure rogue users cannot spoof or steal addresses.

IPv6 Binding Table (RFC 6620):

  Intf     IPv6    MAC   VLAN  State
  g1/0/10  ::000A  001A  110   Active
  g1/0/11  ::001C  001C  110   Stale
  g1/0/16  ::001E  001E  200   Verifying

The binding table feeds IPv6 Source Guard, IPv6 Destination Guard and device tracking.

IPv6 FHS – IPv6 Source Guard

Mitigates address hijacking and ensures the proper prefix.

  Intf     IPv6    MAC   VLAN  State
  g1/0/10  ::000A  001A  110   Active
  g1/0/11  ::001C  001C  110   Stale
  g1/0/16  ::001E  001E  200   Verifying
  g1/0/21  ::0021  0021  200   Active

(Figure: Host A's binding is learned via NDP or DHCPv6; a node posing as Host A ("~Host A") is checked against the table.)

IPv6 Destination Guard

•  Mitigates prefix-scanning attacks and protects the ND cache
•  Drops packets for destinations without a binding entry

  Intf     IPv6    MAC   VLAN  State
  g1/0/10  ::0001  001A  110   Active
  g1/0/11  ::001C  001C  110   Stale
  g1/0/16  ::001E  001E  200   Verifying

(Figure: for each packet the switch looks up the destination in the binding table; found → forward the packet; not found → drop. The example shows pings to 2001:db8::1, which is in the table and is resolved with an NS for 2001:db8::1, and pings to 2001:db8::2, ::3 and ::4, which have no binding.)
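As an added model (not the deck's or Cisco's code) of how the FHS features above act on one binding table: RA Guard by device-role, address gleaning bounded by the snooping policy's address-count limit, then Source Guard and Destination Guard on data packets. The port names, MACs, addresses and the table layout are constructed for this example.

```python
from collections import defaultdict

# Constructed port policies modelled on the deck's "ipv6 snooping policy HOST"
# (device-role node, limit address-count 2) plus a router-role uplink.
POLICY = {
    "g1/0/1": {"role": "router", "max_addrs": 2},
    "g1/0/2": {"role": "node", "max_addrs": 2},
}


class FirstHopSecurity:
    """Simplified FHS: RA Guard, address glean with a per-port limit,
    Source Guard and Destination Guard, all driven by one binding table."""

    def __init__(self, policy):
        self.policy = policy
        self.bindings = {}                # (vlan, ipv6) -> (intf, mac)
        self.per_port = defaultdict(set)  # intf -> gleaned ipv6 addresses

    def control(self, intf, vlan, mac, kind, target):
        """ND control packet seen on intf; returns 'forward' or 'drop'."""
        port = self.policy[intf]
        if kind == "RA":
            # RA Guard: only a router-role port may advertise prefixes / default routes.
            return "forward" if port["role"] == "router" else "drop"
        if kind == "DAD-NS":
            # Address glean: a DAD Neighbor Solicitation announces a tentative address,
            # which becomes a binding unless the address-count limit is already reached.
            seen = self.per_port[intf]
            if target not in seen and len(seen) >= port["max_addrs"]:
                return "drop"
            seen.add(target)
            self.bindings[(vlan, target)] = (intf, mac)
        return "forward"

    def data(self, intf, vlan, mac, src, dst):
        """Data packet: Source Guard checks the sender, Destination Guard the receiver."""
        if self.bindings.get((vlan, src)) != (intf, mac):
            return "drop: source guard"       # address is not bound to this port and MAC
        if (vlan, dst) not in self.bindings:
            return "drop: destination guard"  # unknown target: no NS sent, ND cache protected
        return "forward"
```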

SeND

Secure Neighbor Discovery – SeND (RFC 3756)

•  Each device has an RSA key pair
•  Ultra-light check for validity

(Figure: the RSA key pair (private/public), the subnet prefix and a modifier are hashed with SHA-1 into a Cryptographically Generated Address, made of subnet prefix + interface identifier; SeND messages carry the signature together with the CGA parameters: modifier, public key and subnet prefix.)

SeND Operation

(Figure: router R, a host, and certificate authority CA0 holding certificate C0. Steps shown:)

•  Router certificate request (R to CA0)
•  Router certificate CR (CA0 to R)
•  Certificate Path Solicit (CPS): "I trust CA0, who are you?"
•  Certificate Path Advertise (CPA): "I am R, this is my certificate CR"
•  Router Advertisement
•  6: Verify CR against CA0
•  7: Start using R as default gateway

SeND OS Support

•  Microsoft Windows 7 or Server 2008: no native supplicant; TrustRouter application (not NA/NS); WinSEND application works with all NDP traffic
•  Apple Mac: no native supplicant; TrustRouter application (not NA/NS)
•  Linux and/or Unix: Easy-SEND, ND-Protector, IPv6-Send-CGA

802.1x

Fundamentals of 802.1X

(Figure: four roles in a chain – Supplicant, Authenticator, Authentication Server, Identity Store. Supplicant and authenticator speak 802.1X over Ethernet / WLAN; authenticator and authentication server speak RADIUS over IP / Layer 3.)

•  Supplicant: Windows native, Apple OSX native, Cisco AnyConnect, Open1X
•  Authenticator: Ethernet switch, router, wireless controller, access point
•  Authentication server: Identity Services Engine, Network Policy Server, FreeRADIUS, Access Control Server
•  Identity store: Active Directory, token server, OpenLDAP

EAP (Extensible Authentication Protocol) exchange:

•  Supplicant → Authenticator (802.1X / EAP): EAP-Response-Identity
•  Authenticator → Authentication Server (RADIUS / EAP): RADIUS Access-Request, RADIUS Service-Type: Framed
•  Credentials (certificate / password / token) are carried inside EAP between supplicant and authentication server
•  On success: EAP-Success to the supplicant and RADIUS Access-Accept [+ authorization attributes] from the server; the port becomes authorized
•  The port stays unauthorized if authentication fails

Three proven deployment scenarios

•  Authentication without access control
•  Minimal impact to users and the network
•  Highly secure, good for logical isolation

Alternatives

MAC Authentication Bypass (MAB)

(Figure: the authenticator sends EAPoL EAP Request Identity three times; after the 802.1X timeout, any packet from the endpoint with MAC 00-10-23-AA-1F-38 triggers a RADIUS Access-Request with Service-Type: Call-Check and an AVP carrying that MAC address; the authentication server answers RADIUS Access-Accept.)

Bypassing "known" MAC addresses: endpoints without a supplicant will fail 802.1X authentication!

MAC Authentication Bypass (MAB) requires a MAC database | MAB may cause delayed network access due to EAP timeout

Web Authentication

Secure alternative to 802.1X, typically meant for guest user authentication; doesn't require a .1X supplicant.

(Figure, Central Web Authentication: a web server (Cisco ISE) hosts the web pages – login, login expiry, auth-success, auth-failure, etc. – and the settings – max sessions, timeout, max fail attempts, TCP port, etc.; the client speaks HTTP(S) to that server and the authenticator speaks RADIUS to the RADIUS server.)

(Figure, Local Web Authentication: the authenticator hosts the web pages – login, login expiry, auth-success, auth-failure – and the settings – max sessions, timeout, max fail attempts, banner, etc.; the client speaks HTTP(S) to the authenticator, which speaks RADIUS to the RADIUS server.)

Local Web Authentication (LWA):
•  IP address prior to authentication
•  Authenticator hosts web pages
•  Separate method like .1X & MAB
•  RADIUS Service-Type: Outbound

Central Web Authentication (CWA):
•  IP address prior to authentication
•  Central server hosts web pages
•  .1X / MAB is authorized with a URL
•  Centralized administration

Private VLANs

•  Prevent node-to-node Layer 2 communication
•  Promiscuous (router) port talks to all other port types
•  Isolated port can only contact promiscuous port(s)
•  Community ports can contact their group and promiscuous port(s)
•  DAD ND proxy prevents address conflicts
•  Internet edge, data center: reducing attack surface and malware propagation
•  Service provider: client/customer isolation

(Figure: community ports, an isolated port and a promiscuous port attached to router R.)

Summary

§  Gain operational experience now
§  Security enforcement is possible
§  Control IPv6 traffic as you would IPv4
§  “Poke” your providers
§  Lead your OT/LOBs into the Internet

Key Take Away