fedv6tf-fhs
TRANSCRIPT
Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
• Why IPv6, Why Now
• IPv6 Host Assignments
• IPv6 First Hop Security
• SeND
• 802.1x
• Alternatives
• Summary
Market Factors Driving IPv6 Adoption
• IPv4 Address Depletion (2011)
• National IPv6 Strategies, STEM Mandate
• Infrastructure Evolution: 4G, DOCSIS 3.0, CGN
• IPv6 OS, Content & Applications: preferred by apps & content
• RF Mesh (IEEE 802.15.4), PLC (IEEE 1901.2), LTE, Bluetooth LE, 6LoWPAN, RPL
IPv6 for the Enterprise in 2015:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-586154.pdf
Framing the Attack Surface
• Layer 2 typically involves Ethernet (switches) or WiFi (controllers) links
• Security is only as strong as your weakest link
• When it comes to networking, layer 2 can be a relatively weak link
[Figure: two OSI stacks (Physical, Data Link, Network, Transport, Session, Presentation, Application) side by side, with the attack surface at each level labelled Physical Links, MAC Addresses, IP Addresses, Protocols/Ports and Application Stream; an "Initial Compromise" at the lower layers is shown leading to the host being "Compromised".]
IPv6 Host Portion Address Assignment
• Similar to IPv4: manually configured; assigned via DHCPv6
• New in IPv6: StateLess Address AutoConfiguration (SLAAC) with EUI-64; SLAAC Privacy Extensions
Modified EUI-64 interface ID derived from the MAC address:
  MAC address:                 00 90 27 17 fc 0f   (OUI 00 90 27, device identifier 17 fc 0f)
  Insert ff fe after the OUI:  00 90 27 ff fe 17 fc 0f
  Flip the U bit (0000 00U0 in the first octet): 02 90 27 ff fe 17 fc 0f
  U = 1: universal/unique; U = 0: local/not unique. The U bit must be flipped.
IPv6 Privacy Extensions (RFC 4941)
• Generated from the unique 802 (EUI-64) identifier using MD5; the result is stored as input for the next iteration
• Enabled by default in Windows, Android, iOS, Mac OS/X, Linux
• Temporary or ephemeral addresses for client applications (web browser)
Recommendation: good for the mobile user, but not for your organization/corporate networks (troubleshooting and accountability)
[Figure: 2001:db8 prefix (/32, /48, /64) followed by a randomly generated interface ID]
Stable Interface ID Generation (RFC 7217)
• RID = hash(Prefix, Net_Iface, DAD_Counter, secret_key)
• Generates IIDs that are stable/constant for each network interface
• IIDs change as hosts move from one network to another
Implementation of the RID is left to the OS vendor and MAY differ between client and server
[Figure: 2001:db8 prefix (/32, /48, /64) followed by the stable, random-looking interface ID]
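The two interface-ID schemes above, worked through in code as an added example (not from the slides): modified EUI-64 from the slide's MAC address, and an RFC 7217-style stable ID from the parameters the slide names. The secret key, interface name and SHA-256 as the PRF are assumptions (RFC 7217 leaves the PRF to the implementer).

```python
# Added example, not from the slides: modified EUI-64 and RFC 7217-style
# interface IDs. Secret key and interface name are constructed samples;
# SHA-256 as the PRF is an assumption (RFC 7217 leaves the choice open).
import hashlib
import ipaddress

def eui64_iid(mac: str) -> bytes:
    """MAC 00:90:27:17:fc:0f -> 02 90 27 ff fe 17 fc 0f (ff:fe inserted, U bit flipped)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                    # 0000 00U0: flip the U (universal/local) bit
    return bytes(iid)

RESERVED_ZERO = bytes(8)              # all-zero IID is the Subnet-Router anycast address

def stable_iid(prefix: str, net_iface: str, secret_key: bytes, dad_counter: int = 0) -> bytes:
    """RID = hash(Prefix, Net_Iface, DAD_Counter, secret_key), low-order 64 bits.
    A reserved result is retried with DAD_Counter + 1, as RFC 7217 does on a DAD conflict."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    while True:
        material = (net.network_address.packed[:8] + net_iface.encode()
                    + dad_counter.to_bytes(4, "big") + secret_key)
        rid = hashlib.sha256(material).digest()[-8:]
        if rid != RESERVED_ZERO:
            return rid
        dad_counter += 1

def address(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with an 8-byte interface ID into a full address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))

MAC = "00:90:27:17:fc:0f"                      # MAC address from the slide
SECRET = b"constructed-sample-secret-key"      # constructed per-host secret

if __name__ == "__main__":
    # EUI-64 carries the MAC into every network (trackable); the stable IID
    # differs per prefix but is constant for a given prefix and interface.
    for pfx in ("2001:db8::/64", "2001:db8:1::/64"):
        print(pfx, "EUI-64:", address(pfx, eui64_iid(MAC)),
              "stable:", address(pfx, stable_iid(pfx, "eth0", SECRET)))
```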
DHCPv6
• DHCPv6 Server 2001:db8::feed:1, reached through a DHCPv6 Relay
• DHCPv6 Solicit: Source fe80::1234, Destination ff02::1:2; client UDP 546, server UDP 547
• Original multicast encapsulated in unicast (relay)
• DUID: different from v4, used to identify clients
• ipv6 dhcp relay destination 2001:db8::feed:1
Message exchange:
  SOLICIT (any servers?)
  ADVERTISE (want this address?)
  REQUEST (I want that address)
  REPLY (It's yours)
Disabling Ephemeral Addressing
• Enable DHCPv6 via the M flag
• Disable auto configuration via the A bit in option 3
• Enable Router preference to high
• Enable DHCPv6 relay
  interface fastEthernet 0/0
   ipv6 address 2001:db8:1122:acc1::1/64
   ipv6 nd managed-config-flag
   ipv6 nd prefix default no-autoconfig
   ipv6 nd router-preference high
   ipv6 dhcp relay destination 2001:db8:add:cafe::1
IPv4 Vulnerabilities & Countermeasures
• Catalyst Integrated Security Features (CISF)
• Port Security
• Dsniff (Dug Song)
• Ettercap (SourceForge)
IPv6 Hacking Tools
• ARP is replaced by Neighbor Discovery Protocol
• Nothing authenticated
• Static entries overwritten by dynamic ones
• Stateless Address Autoconfiguration
• Rogue RA (malicious or not)
• Attack tools are real! Parasite6, Fakerouter6, Alive6, Scapy6, …
IPv6 First Hop Security (FHS) feature overview (all built on IPv6 Snooping)
• RA Guard (core feature). Protection: rogue or malicious RA; MiM attacks
• DHCPv6 Guard (core feature). Protection: invalid DHCP offers; DoS attacks; MiM attacks
• Source/Prefix Guard (advanced feature). Protection: invalid source address; invalid prefix; source address spoofing
• Destination Guard (advanced feature). Protection: DoS attacks; scanning; invalid destination address
• RA Throttler (scalability & performance). Reduces the control traffic necessary for proper link operations to improve performance
• ND Multicast Suppress (scalability & performance). Facilitates scale by converting multicast traffic to unicast
Address Exhaustion – Parasite6
• Attacker answers any victim's DAD attempt, so every address the victim tries appears to be in use
• Victim will need manual intervention to configure an IP address
Exchange (victim A, attacker C):
  A sends NS: Src = UNSPEC, Dst = solicited-node multicast of A, Data = A, Query = "Does anybody use A?"
  C replies NA: Src = any of C's IF addresses, Dst = A, Option = link-layer address of C
Misconfiguration
• Admin/intern sends RAs with a false prefix
• Enthusiast who has a tunnel broker account
• The most frequent threat, and it comes from a non-malicious user
[Figure: hosts A, B, C; RA with Src = C link-local address, Dst = All-nodes, Options = prefix BAD]
Malicious Attack – Floodrouter6
• Flooding RAs overwhelms the system: OSX, MSFT, iPad/iPhone, Android
[Figure: B floods A and C with RAs carrying prefixes BAD1, BAD2, BAD3, BAD4, BAD5, BAD6, …]
Update: MSFT "Vulnerability in IPv6 Could Allow Denial of Service" (2904659), published February 11, 2014
Malicious Attack – Fakerouter6
• Attacker spoofs a Router Advertisement with a false on-link prefix
• MITM, splash screen, capture
[Figure: B sends RA with Src = B's link-local address, Dst = All-nodes, Options = prefix BAD; received by A and C]
IPv6 FHS – RA Guard
• Port ACL
  ipv6 access-list ACCESS_PORT
   deny icmp any any router-advertisement
   permit ipv6 any any
  interface FastEthernet0/2
   ipv6 traffic-filter ACCESS_PORT in
• Feature based
  interface FastEthernet0/2
   ipv6 nd raguard
• Policy based
  ipv6 snooping policy HOST
   security-level guard
   limit address-count 2
   device-role node
  !
  interface GigabitEthernet1/0/2
   ipv6 snooping attach-policy HOST
[Figure: RAs arriving on ports with device-role HOST versus the port with device-role ROUTER]
IPv6 FHS – DHCPv6 Guard
Prevents rogue DHCP responses from misleading the client
[Figure: DHCP Client sends DHCP Req.; a node on an access port announces "I am a DHCP Server" alongside the legitimate DHCP Server]
IPv6 FHS – Snooping
Instrumental link-operation security feature that analyzes control and data traffic on the switch, detects IP addresses, and stores/updates them in the Binding Table to ensure rogue users cannot spoof or steal addresses.
• Deep control packet inspection
• Address glean (ND, DHCP, data)
• Address watch
• Binding guard
IPv6 Binding Table (RFC 6620)
  Intf     IPv6    MAC   VLAN  State
  g1/0/10  ::000A  001A  110   Active
  g1/0/11  ::001C  001C  110   Stale
  g1/0/16  ::001E  001E  200   Verifying
Consumers of the binding table: IPv6 Source Guard, IPv6 Destination Guard, Device Tracking
IPv6 FHS – IPv6 Source Guard
Mitigates address hijacking, ensures proper prefix
  Intf     IPv6    MAC   VLAN  State
  g1/0/10  ::000A  001A  110   Active
  g1/0/11  ::001C  001C  110   Stale
  g1/0/16  ::001E  001E  200   Verifying
  g1/0/21  ::0021  0021  200   Active
[Figure: the legitimate Host A, whose address was learned via NDP or DHCPv6, and a spoofing "~Host A" claiming the same address]
IPv6 Destination Guard
• Mitigates prefix-scanning attacks and protects the ND cache
• Drops packets for destinations without a binding entry
  Intf     IPv6    MAC   VLAN  State
  g1/0/10  ::0001  001A  110   Active
  g1/0/11  ::001C  001C  110   Stale
  g1/0/16  ::001E  001E  200   Verifying
[Figure: pings to 2001:db8::1, 2001:db8::2, 2001:db8::3 and 2001:db8::4 arrive; each destination is looked up in the binding table: found → forward packet (an NS is sent for 2001:db8::1); not found → dropped]
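The RA Guard, DHCPv6 Guard, Source Guard and Destination Guard slides above describe per-port checks against a device role and a binding table; the following is an added example (not from the slides, not Cisco code) that models those four checks on constructed sample ports, roles, bindings and packets.

```python
# Added example, not from the slides: a toy model of the FHS enforcement points
# (RA Guard, DHCPv6 Guard, Source Guard, Destination Guard) driven by per-port
# device roles and a snooping-style binding table. Ports, roles, addresses and
# packets are constructed sample data, not the output of a real switch.
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Pkt:
    port: str   # ingress interface
    src: str    # IPv6 source address
    dst: str    # IPv6 destination address
    kind: str   # "RA", "DHCPV6_SERVER" (Advertise/Reply) or "DATA"

# device-role per access port, as set by "device-role node/router" policies
ROLE = {"g1/0/2": "node", "g1/0/3": "node", "g1/0/23": "server", "g1/0/24": "router"}
# binding table gleaned from ND / DHCPv6: address -> port it was learned on
BINDINGS = {"fe80::1": "g1/0/24", "2001:db8::1": "g1/0/24",
            "fe80::a": "g1/0/2", "2001:db8::a": "g1/0/2",
            "fe80::23": "g1/0/23", "2001:db8::23": "g1/0/23"}
ON_LINK = [ipaddress.IPv6Network("2001:db8::/64"), ipaddress.IPv6Network("fe80::/64")]

def ra_guard(p):           # RA Guard: RAs only from a router-role port
    return p.kind != "RA" or ROLE.get(p.port) == "router"

def dhcpv6_guard(p):       # DHCPv6 Guard: server messages only from a server-role port
    return p.kind != "DHCPV6_SERVER" or ROLE.get(p.port) == "server"

def source_guard(p):       # Source Guard: source must be bound to the ingress port
    return BINDINGS.get(p.src) == p.port

def destination_guard(p):  # Destination Guard: on-link unicast needs a binding entry
    d = ipaddress.IPv6Address(p.dst)
    if d.is_multicast or not any(d in n for n in ON_LINK):
        return True        # multicast, or off-link traffic handed to the router
    return p.dst in BINDINGS

CHECKS = [("RA Guard", ra_guard), ("DHCPv6 Guard", dhcpv6_guard),
          ("Source Guard", source_guard), ("Destination Guard", destination_guard)]

def inspect_packet(p):
    """Return ('forward', None) or ('drop', <name of the check that failed>)."""
    for name, check in CHECKS:
        if not check(p):
            return ("drop", name)
    return ("forward", None)

def run(packets):
    """Verdict per packet, in order; the same shape a drop-log line would carry."""
    return [inspect_packet(p) for p in packets]
```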
Secure Neighbor Discovery – SeND (RFC 3756)
• Each device has an RSA key pair
• Ultra light check for validity
[Figure: SHA-1 over the CGA Params (Modifier, Public Key, Subnet Prefix) yields the Interface Identifier; Subnet Prefix + Interface Identifier = Cryptographically Generated Address; SeND Messages carry the CGA Params and a Signature made with the RSA private key, checked with the public key]
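The CGA construction in the figure above, generated and verified as an added example (not from the slides; RFC 3972 is the reference). The public key is a constructed byte string standing in for a DER-encoded RSA public key, and no RSA signature is computed.

```python
# Added example, not from the slides: CGA generation and verification as in
# RFC 3972, which SeND uses. The "public key" is a constructed byte string
# standing in for the DER-encoded RSA public key; no RSA signature is shown.
import hashlib
import ipaddress

def _hash1(modifier, prefix8, collision, pubkey):
    # Hash1: leftmost 64 bits of SHA-1 over the CGA Parameters
    return hashlib.sha1(modifier + prefix8 + bytes([collision]) + pubkey).digest()[:8]

def _hash2_ok(modifier, pubkey, sec):
    # Hash2: leftmost 112 bits of SHA-1(modifier | 9 zero bytes | pubkey);
    # its leftmost 16*Sec bits must be zero (the "hash extension" work factor)
    h2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return sec == 0 or h2 >> (112 - 16 * sec) == 0

def _iid_from_hash1(h1, sec):
    iid = bytearray(h1)
    iid[0] = (sec << 5) | (iid[0] & 0x1c)   # Sec in the top 3 bits, u/g bits cleared
    return bytes(iid)

def generate_cga(prefix, pubkey, sec=1, modifier=bytes(16), collision=0):
    """Search the modifier until Hash2 satisfies Sec, then build the address.
    Returns (address, cga_params); cga_params is what a SeND message carries."""
    prefix8 = ipaddress.IPv6Network(prefix, strict=False).network_address.packed[:8]
    m = int.from_bytes(modifier, "big")
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m += 1                               # deterministic search, fine for an example
    modifier = m.to_bytes(16, "big")
    iid = _iid_from_hash1(_hash1(modifier, prefix8, collision, pubkey), sec)
    return str(ipaddress.IPv6Address(prefix8 + iid)), (modifier, prefix8, collision, pubkey)

def verify_cga(address, cga_params):
    """Receiver side: recompute Hash1 from the parameters and compare it with the
    interface identifier, then check Hash2 for the Sec value encoded in it."""
    modifier, prefix8, collision, pubkey = cga_params
    packed = ipaddress.IPv6Address(address).packed
    if collision > 2 or packed[:8] != prefix8:
        return False
    iid, sec = packed[8:], packed[8] >> 5
    expected = _iid_from_hash1(_hash1(modifier, prefix8, collision, pubkey), sec)
    return expected == iid and _hash2_ok(modifier, pubkey, sec)
```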
SeND Operation
Participants: Router R, host, Certificate Authority CA0 (with Certificate Authority Certificate C0)
1. Router certificate request from R to CA0
2. CA0 issues Router certificate CR to R
3. Router Advertisement from R to the host
4. Host → R, Certificate Path Solicit (CPS): "I trust CA0, who are you?"
5. R → host, Certificate Path Advertise (CPA): "I am R, this is my certificate CR"
6. Host verifies CR against CA0
7. Host starts using R as default gateway
SeND OS Support
• Microsoft Windows 7 or Server 2008: no native supplicant; TrustRouter application (not NA/NS); WinSEND application works with all NDP traffic
• Apple Mac: no native supplicant; TrustRouter application (not NA/NS)
• Linux and/or Unix: Easy-SEND, ND-Protector, IPv6-Send-CGA
Fundamentals of 802.1X
Components and examples:
• Supplicant: Windows Native, Apple OSX Native, Cisco AnyConnect, Open1X
• Authenticator: Ethernet Switch, Router, Wireless Controller, Access Point
• Authentication Server: Identity Services Engine, Network Policy Server, FreeRADIUS, Access Control Server
• Identity Store: Active Directory, Token Server, OpenLDAP
Transports: Supplicant ↔ Authenticator over 802.1X (Ethernet / WLAN); Authenticator ↔ Authentication Server over RADIUS (IP / Layer 3); EAP is carried end to end from Supplicant to Authentication Server.
Authentication flow (EAP: Extensible Authentication Protocol):
1. Supplicant → Authenticator: EAP-Response-Identity (over 802.1X)
2. Authenticator → Authentication Server: RADIUS Access-Request, Service-Type: Framed, carrying the EAP payload
3. Credentials (certificate / password / token) are exchanged inside EAP and checked against the Identity Store
4. Authentication Server → Authenticator: RADIUS Access-Accept [+ Authorization Attributes]; Authenticator → Supplicant: EAP-Success; the port becomes Port-Authorized
5. If authentication fails the port stays Port-Unauthorized
Three proven deployment scenarios
• Authentication without access control
• Minimal impact to users and the network
• Highly secure, good for logical isolation
MAC Authentication Bypass (MAB)
• Endpoints without a supplicant will fail 802.1X authentication!
• The Authenticator sends EAPoL: EAP Request Identity three times; with no answer the 802.1X timeout expires
• Any packet from the endpoint then triggers RADIUS: ACCESS-REQUEST with RADIUS Service-Type: Call-Check and AVP: 00-10-23-AA-1F-38 (the endpoint's MAC address)
• Authentication Server answers RADIUS: ACCESS-ACCEPT
• MAB requires a MAC database | MAB may cause delayed network access due to EAP timeout
Bypassing "Known" MAC Addresses
[Figure: endpoint 00-10-23-AA-1F-38 with no 802.1X → Authenticator → Authentication Server; an 802.1X-capable endpoint beside it; both reach the LAN through the Authenticator]
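The MAB exchange above, on the wire, as an added example (not from the slides, not Cisco or ISE code): the RADIUS Access-Request the authenticator sends with the MAC as identity and Service-Type Call-Check, protected by a Message-Authenticator, the server-side check of that attribute, and the matching Access-Accept. Shared secret, MAC and identifier are constructed sample values; the User-Name format (MAC without separators) is an assumption.

```python
# Added example, not from the slides: RADIUS Access-Request for MAB with a
# Message-Authenticator, its server-side check, and the Access-Accept.
# Shared secret, MAC and identifier are constructed sample values.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 6, 31, 80
CALL_CHECK = 10                            # Service-Type value used for MAB

def avp(kind, value):
    """One attribute: Type (1 byte), Length (2 + value length), Value."""
    return struct.pack("!BB", kind, 2 + len(value)) + value

def build_mab_access_request(mac, secret, ident=1, request_auth=None):
    """Authenticator side: identity is the MAC, Service-Type is Call-Check."""
    request_auth = request_auth or os.urandom(16)     # Request Authenticator
    attrs = (avp(USER_NAME, mac.replace("-", "").replace(":", "").lower().encode())
             + avp(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))
             + avp(CALLING_STATION_ID, mac.encode())
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))  # zero while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    tag = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + tag                 # Message-Authenticator is the last attribute

def verify_message_authenticator(pkt, secret):
    """Server side: find Message-Authenticator, zero it, recompute HMAC-MD5."""
    pos, found = 20, None
    while pos + 2 <= len(pkt):
        kind, ln = pkt[pos], pkt[pos + 1]
        if ln < 2 or pos + ln > len(pkt):
            return False                   # malformed attribute list
        if kind == MESSAGE_AUTHENTICATOR and ln == 18:
            found = pos
        pos += ln
    if found is None:
        return False                       # reject requests without the attribute
    zeroed = pkt[:found + 2] + bytes(16) + pkt[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[found + 2:found + 18])

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(request, secret, attrs=b""):
    """Access-Accept bound to the request's identifier and Request Authenticator."""
    ident, request_auth = request[1], request[4:20]
    ra = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + ra + attrs
```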
Web Authentication
• Secure alternative to 802.1X
• Typically meant for guest user authentication
• Doesn't require an 802.1X supplicant
Components: RADIUS Server (e.g. Cisco ISE), Authenticator, Web Server; Web Pages: Login, Login Expiry, Auth-Success, Auth-Failure, etc.; Settings: Max Sessions, Timeout, Max Fail Attempts, TCP-Port, Banner, etc.; the client talks HTTP(S) to the web pages, the Authenticator talks RADIUS to the RADIUS Server.
Local Web Authentication (LWA):
• IP address prior to authentication
• Authenticator hosts the web pages
• Separate method like .1X & MAB
• RADIUS Service-Type: Outbound
Central Web Authentication (CWA):
• IP address prior to authentication
• Central Server hosts the web pages
• .1X / MAB is authorized with a URL
• Centralized administration
Private VLANs
• Prevent node-to-node Layer-2 communication
• Promiscuous (router) port talks to all other port types
• Isolated port can only contact a promiscuous port/s
• Community ports can contact their group and promiscuous port/s
• DAD ND Proxy: prevents address conflicts
• Internet Edge, Data Center: reducing attack surface and malware propagation
• Service Provider: client/customer isolation
[Figure: community ports, an isolated port and a promiscuous port connected to router R]
Key Take Away
• Gain operational experience now
• Security enforcement is possible
• Control IPv6 traffic as you would IPv4
• "Poke" your providers
• Lead your OT/LOBs into the Internet