ipv6 workshop-tm-gd-va

© 2012 Cisco and/or its affiliates. All rights reserved. 1 Cisco “Tech Session” Preparing for BYOD & the Internet of Everything, an IPv6 Workshop Tim Martin CCIE #2020 Solutions Architect Fall 2013

Upload: timothy-martin

Post on 12-Jan-2015

DESCRIPTION

update to the IPv6 workshop. Version A (10 for the decimal crowd)

TRANSCRIPT

Page 1: IPv6 workshop-tm-gd-vA

© 2012 Cisco and/or its affiliates. All rights reserved. 1

Cisco “Tech Session” Preparing for BYOD & the Internet of Everything, an IPv6 Workshop

Tim Martin

CCIE #2020

Solutions Architect

Fall 2013

Page 2: IPv6 workshop-tm-gd-vA

• BYOD and the Internet of Everything
• IPv6 Addressing Deep Dive
• IPv6 Security Concerns
• IPv6 Securing the Access Layer
• IPv6 Securing the Perimeter
• IPv6 Deployment Strategies
• Summary

Page 3: IPv6 workshop-tm-gd-vA

[Chart: device use by generation, Desktops vs. Smart Phones vs. Tablets; the percentage labels (89%, 10%, 1%, 23%, 36%, 26%, 75%, 22%) cannot be matched to their bars from the extraction]

• Boomers are retiring, GenX is “tech savvy”, GenY is “tech dependent”
• 2016: GenY (the millennials, 18-34) become the largest workforce segment
• 43% of 18-24 year-olds say that texting is just as meaningful as a phone conversation (eMarketer)
• 40% of GenY believe that blogging about workplace issues is acceptable (Iconoculture)
• 24% of GenY say that technology use is what makes their generation unique (Pew Research)
• 74% of GenY used a smartphone for work purposes in the last year, compared to 37% of Baby Boomers (CompTIA)

Page 4: IPv6 workshop-tm-gd-vA


Page 5: IPv6 workshop-tm-gd-vA

[Timeline figure: drivers of IPv6 adoption. Labels recovered from the slide: National IPv6 Strategies; STEM; IPv4 Address Depletion (2011); Infrastructure Evolution; IPv6 OS, Content & Applications; Mandate; IPv6 preferred by applications in Windows 7, Server 2008 and OS X; 4G, DOCSIS 3.0, CGN]

• Eliminate the complexities associated with RFC 1918, NAT, ALGs and CIDR

Page 6: IPv6 workshop-tm-gd-vA

“I thought this (v4) was still an experiment and that if it worked we would then design a production version” - Vint Cerf

[Chart residue: Router Vendors; 1.85% - Internet User Traffic Worldwide]

Page 7: IPv6 workshop-tm-gd-vA

• Standards - Leadership in IP protocols within the IETF and in IPv6 development
• Experience - Professional Services offering years of experience in IPv6
• Solutions - Innovation, feature acceleration

Page 8: IPv6 workshop-tm-gd-vA


Page 9: IPv6 workshop-tm-gd-vA

• BYOD and the Internet of Everything
• IPv6 Addressing Deep Dive
• IPv6 Security Concerns
• IPv6 Securing the Access Layer
• IPv6 Securing the Perimeter
• IPv6 Deployment Strategies
• Summary

[Section title art: binary place values of a 16-bit group] 32,768 | 16,384 | 8,192 | 4,096 | 2,048 | 1,024 | 512 | 256 || 128 | 64 | 32 | 16 | 8 | 4 | 2 | 1

Page 10: IPv6 workshop-tm-gd-vA

340,282,366,920,938,463,463,374,607,431,768,211,456 (IPv6 address space, 2^128: 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456)

vs. 4,294,967,296 (IPv4 address space, 2^32: 4 billion)

• Lots of talk about how big it is. It’s BIG; do NOT worry about waste.
• Each /64 prefix contains 18 quintillion host addresses (2^64 = 18,446,744,073,709,551,616)
• Theoretical vs. practical deployment: still not an issue

[Figure: size comparison of Antares, the 15th brightest star in the sky, with our Sun]

Page 11: IPv6 workshop-tm-gd-vA

[Figure: OSI layer stack (Physical, Data Link, Network, Transport, Session, Presentation, Application) with numbered columns 1-10; the numbers are not recoverable from the extraction]

Page 12: IPv6 workshop-tm-gd-vA

• IPv6 has its own Ethernet protocol ID (EtherType)
• IPv6 relies heavily on multicast

Frame layouts:

Destination Ethernet Address | Source Ethernet Address | 0x0800 | IPv4 Header and Payload
Destination Ethernet Address | Source Ethernet Address | 0x86DD | IPv6 Header and Payload

IPv6 multicast MAC addresses have the form 33:33:xx:xx:xx:xx, the low 32 bits of the IPv6 group address filling the xx octets.

First octet of a MAC address: 0000 00UG. The lowest bit (G, the I/G bit) = 1 marks a multicast/group address; the next bit (U, the U/L bit) = 1 marks a locally administered address. 0x33 = 0011 0011 has both set.

Page 13: IPv6 workshop-tm-gd-vA

IPv4 Header (20 bytes): Version | IHL | Type of Service | Total Length | Identification | Flags | Fragment Offset | Time to Live | Protocol | Header Checksum | Source Address | Destination Address | Options | Padding

IPv6 Header (40 bytes): Version | Traffic Class | Flow Label | Payload Length | Next Header | Hop Limit | Source Address | Destination Address

• The header length is constant in IPv6 (40 bytes; no IHL field and no header checksum)
• Fragmentation occurs in an extension header (EH) and only at the source; routers never fragment
• Options occur in EHs
• UDP must carry a valid checksum, unlike IPv4 where it is optional
• Upper-layer checksums use the pseudo-header format: source address, destination address, upper-layer packet length and Next Header value

Page 14: IPv6 workshop-tm-gd-vA

Extension headers

Three packet layouts (V = Version, Class = Traffic Class, Flow = Flow Label, Len = Payload Length, NH = Next Header, Hop = Hop Limit):

V | Class | Flow | Len | NH 6 | Hop | Source | Destination | Upper-layer TCP header | Payload
V | Class | Flow | Len | NH 60 | Hop | Source | Destination | Destination Options (NH 6) | Upper-layer TCP header | Payload
V | Class | Flow | Len | NH 0 | Hop | Source | Destination | Hop-by-Hop (NH 60) | Destination Options (NH 6) | Upper-layer TCP header | Payload

Extension header types, in recommended order of appearance* (RFC 2460 section 4.1):
Hop-by-Hop Options 0
Destination Options 60 (options for the intermediate destinations listed in a Routing header)
Routing Header 43
Fragment Header 44
Authentication Header 51
ESP Header 50
Destination Options 60 (options for the final destination)
Mobility Header 135 (RFC 6275)

Example chain: IPv6 Header -> Hop-by-Hop -> Destination Options -> TCP Header -> Payload

• EHs are daisy-chained, each Next Header field naming the header that follows, and are processed in order
• Length is variable but must be a multiple of 8 bytes (typically 24 bytes); a parser must still special-case the Fragment header (fixed 8 bytes, no length field) and AH (its length field counts 4-byte units)
• If Hop-by-Hop is present it must be first and must be processed by every node on the path, likely in software (punted off the forwarding hardware), which makes it a router CPU exposure

*order of appearance
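To see how the chain on this slide is actually walked, here is an added Python example (not code from the workshop or from Cisco). It builds a constructed packet with Hop-by-Hop and Destination Options headers in front of TCP, follows the Next Header chain to the transport header, and enforces the rules above: Hop-by-Hop first, lengths in 8-octet units, the fixed-size Fragment header, the 4-octet AH unit, and ESP as the point past which a filter cannot look. The addresses, ports and option contents are made up.

```python
"""Walk an IPv6 extension-header chain down to the upper-layer protocol.

Added example (not from the workshop slides). The packet is constructed in
memory (IPv6 -> Hop-by-Hop -> Destination Options -> TCP) so it runs offline;
addresses and ports are made up. The point for a firewall or ACL author: the
protocol you want to match on sits at the END of the chain, and the chain has
irregular length rules (Fragment is a fixed 8 bytes, AH counts 4-byte units,
ESP hides everything after it).
"""
import struct
import ipaddress

HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = 0, 6, 17, 43, 44, 50, 51, 58, 59, 60
# Headers whose Hdr Ext Len field is in 8-octet units, not counting the first 8.
EXT_8OCTET = {HOP_BY_HOP, ROUTING, DEST_OPTS}


def build_ipv6(src, dst, first_nh, payload, hop_limit=64):
    """40-byte IPv6 header (version 6, traffic class and flow label 0) in front of payload."""
    hdr = struct.pack("!IHBB16s16s",
                      6 << 28,                      # version=6, class=0, flow=0
                      len(payload), first_nh, hop_limit,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def ext_header(next_header, options):
    """Hop-by-Hop / Destination Options header: NH, HdrExtLen, options, padded to a multiple of 8."""
    body = options
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += b"\x00"                            # Pad1
    elif pad > 1:
        body += bytes([1, pad - 2]) + b"\x00" * (pad - 2)   # PadN (type 1)
    hdr_ext_len = (2 + len(body)) // 8 - 1
    return bytes([next_header, hdr_ext_len]) + body


def walk_chain(packet):
    """Return (upper_layer_protocol, offset_of_that_header, ext_headers_seen).

    Raises ValueError on a truncated chain or a Hop-by-Hop header that is not
    first. ESP is returned as the 'upper layer' because nothing behind it is
    visible to a filter. Unknown protocol numbers are treated as upper layer.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, seen = packet[6], 40, []
    while True:
        if nh in EXT_8OCTET:
            if off + 2 > len(packet):
                raise ValueError("truncated extension header")
            if nh == HOP_BY_HOP and seen:
                raise ValueError("Hop-by-Hop not first in chain (RFC 2460 violation)")
            length = (packet[off + 1] + 1) * 8
        elif nh == FRAGMENT:
            length = 8                              # fixed size, no length field
        elif nh == AH:
            if off + 2 > len(packet):
                raise ValueError("truncated AH")
            length = (packet[off + 1] + 2) * 4      # AH Payload Len is in 4-octet units minus 2
        elif nh == ESP:
            seen.append(nh)
            return ESP, off, seen
        else:
            return nh, off, seen                    # TCP, UDP, ICMPv6, No Next Header, ...
        if off + length > len(packet):
            raise ValueError("extension header runs past end of packet")
        seen.append(nh)
        nh = packet[off]
        off += length


def constructed_packet():
    """IPv6 -> HbH (Router Alert) -> DestOpts (padding only) -> TCP SYN to port 443; all values made up."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    dest_opts = ext_header(TCP, b"")
    hbh = ext_header(DEST_OPTS, bytes([5, 2, 0, 0]))   # Router Alert option: type 5, len 2, value 0
    return build_ipv6("2001:db8::1", "2001:db8::2", HOP_BY_HOP, hbh + dest_opts + tcp)


if __name__ == "__main__":
    print(walk_chain(constructed_packet()))         # (6, 56, [0, 60])
```

The same walker is what an ACL engine has to do before it can say "permit tcp ... eq 443"; the two ValueError cases are exactly the malformed chains that firewalls are often configured to drop outright.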

Page 15: IPv6 workshop-tm-gd-vA

ICMPv6

IPv6 basic header (Next Header = 58) | ICMPv6 header: Type | Code | Checksum | Data

*Next Header is 58, not 1 as for ICMP in IPv4

• Carries Neighbor Discovery, Router Discovery, Path MTU Discovery and Multicast Listener Discovery (MLD)
• Type: 0-127 = error messages, 128-255 = informational messages
• Code: more granularity within the type
• Checksum: computed over the entire ICMPv6 message plus the IPv6 pseudo-header
• Data: an error message returns as much of the invoking packet as fits without the ICMPv6 packet exceeding the minimum IPv6 MTU (1280 bytes), rather than only the first 8 bytes as in IPv4

Page 16: IPv6 workshop-tm-gd-vA

Path MTU Discovery

• Packet Too Big is an exception to the “no ICMP error in response to multicast” rule: it is sent even when the offending packet was multicast
• If you drop Packet Too Big (ICMPv6 type 2) at your firewall, you must set ALL interfaces behind it to a 1280-byte MTU, because PMTUD can no longer work and routers never fragment

Example path: Source (MTU 1500) -> link MTU 1500 -> link MTU 1400 -> link MTU 1300 -> Destination

1. Source sends a packet sized for MTU 1500
2. The router in front of the 1400-byte link replies: ICMPv6 Packet Too Big, use MTU 1400
3. Source resends with MTU 1400
4. The next router replies: ICMPv6 Type 2 PTB, use MTU 1300
5. Source resends with MTU 1300 and the packet reaches the destination

Page 17: IPv6 workshop-tm-gd-vA

IPv6 Address Family

• Unicast: Global, Link Local, Unique Local, Special, Embedded
• Anycast
• Multicast: Assigned (well known), Solicited Node

*IPv6 does not use broadcast addressing

Page 18: IPv6 workshop-tm-gd-vA

• IPv6 addresses are 128 bits long, segmented into 8 groups of 16 bits separated by colons (:), 32 hex characters; CAsE DoEs not mAttEr
• It’s a prefix length, not a mask: no more 255.255.255.0
• Word, quad or mouthful?..

Layout: NNNN:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH

Network portion = Global Routing Prefix (NNNN:NNNN:NNNN, 48 bits) + Subnet ID (SSSS, 16 bits); Host portion = Interface ID (HHHH:HHHH:HHHH:HHHH, 64 bits)

Page 19: IPv6 workshop-tm-gd-vA

• Recommended allocations: Consumer, SMB /56, /60, /64; Municipal government, enterprise, single AS /48; State governments, universities (LIR) /32, /36, /40, /44, /48

• Registration steps: Addressing plan, site count; IPv4 allocation, multi-homed ISP; Point of contact, Org ID; Submit, verify; Review, officer certification; Approval, fees paid, assignment

[Figure: allocation hierarchy]
Provider Aggregatable (PA): IANA 2000::/3 -> Registries /12 -> ISP (LIR) /32 -> Org /48
Provider Independent (PI): IANA 2000::/3 -> Registry /12 (labels on the slide: /32 ARIN, /48, Level Four Entity)

Page 20: IPv6 workshop-tm-gd-vA

• Leading 0’s in a group can be omitted
• The double colon (::) can appear only once

Full format:         2001:0DB8:0000:0000:0000:0000:1E2A:00A4
Abbreviated formats: 2001:DB8:0:0:0:0:1E2A:A4
                     2001:DB8::1E2A:A4

Page 21: IPv6 workshop-tm-gd-vA

Link-Local: not routable, exists on a single layer 2 domain (FE80::/10; in practice FE80::/64): FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx

Unique-Local: routable within the administrative domain (FC00::/7): FCgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx or FDgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx (gg = 40-bit global ID, ssss = subnet ID; RFC 4193 defines the locally assigned FD00::/8 half)

Global: routable across the Internet (2000::/3, i.e. 2000:: through 3FFF::): 2NNN:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH

Page 22: IPv6 workshop-tm-gd-vA

Address assignment methods

Similar to IPv4: Manually configured; Assigned via DHCP (DHCPv6)
New in IPv6: StateLess Address AutoConfiguration (SLAAC) with EUI-64 interface IDs; SLAAC ephemeral (privacy) addressing with pseudo-random interface IDs; *Secure Neighbor Discovery (SeND)

Page 23: IPv6 workshop-tm-gd-vA

Modified EUI-64 interface identifier from a 48-bit MAC address

MAC 00 90 27 17 FC 0F = OUI (00 90 27) + device identifier (17 FC 0F)
1. Insert FF FE between the OUI and the device identifier: 00 90 27 FF FE 17 FC 0F
2. Flip the U bit, the second-lowest bit of the first octet (0000 00U0): U = 1 = unique (universally administered), 0 = not unique; the U bit must be flipped, giving 02 90 27 FF FE 17 FC 0F

Page 24: IPv6 workshop-tm-gd-vA

• Temporary or ephemeral addresses for client applications (web browser)
• Random 64-bit interface ID; run DAD before using it
• Enabled by default in Windows, Android, iOS 4.3, Mac OS X 10.7

Recommendation: good for the consumer, but not for your organization/corporate networks (troubleshooting and trace-back)

[Figure: 2001:DB8... with the /32, /48 and /64 boundaries marked and a randomly generated interface ID]

Page 25: IPv6 workshop-tm-gd-vA

C:\Documents and Settings\>netsh
netsh>interface ipv6
netsh interface ipv6>show address
Querying active state...

Interface 5: Local Area Connection

Addr Type  DAD State  Valid Life    Pref. Life    Address
---------  ---------  ------------  ------------  -----------------------------
Temporary  Preferred  6d21h48m47s   21h46m        2002:500e:2301:1:bd86:eac2:f5f1:39c1
Public     Preferred  29d23h58m25s  6d23h58m25s   2002:500e:2301:1:202:8a34:bead:a136
Link       Preferred  infinite      infinite      fe80::202:8a34:bead:a136

netsh interface ipv6>show route
Querying active state...

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ---------------------
no       Autoconf  8    2002:500e:2301:1::/64     5    Local Area Connection
no       Autoconf  256  ::/0                      5    fe80::20d:bdff:fe87:f6f9

Windows 7 uses pseudo-random interface IDs by default. Mac OS X uses EUI-64. iPad and iPhone generate a new temporary address per association.

Page 26: IPv6 workshop-tm-gd-vA

Neighbor Discovery Protocol (NDP)

• Functionality is to assess reachability of neighbors
• Maps a Layer 3 IPv6 address to a Layer 2 MAC address
• Link operations (control plane)
• Neighbor Discovery messages:
  Router Solicitation (ICMPv6 type 133)
  Router Advertisement (ICMPv6 type 134)
  Neighbor Solicitation (ICMPv6 type 135)
  Neighbor Advertisement (ICMPv6 type 136)
  Redirect (ICMPv6 type 137)

IPv4 vs. IPv6:
ARP Request (broadcast)  ->  Neighbor Solicitation (solicited-node multicast)
ARP Reply (unicast)      ->  Neighbor Advertisement (unicast)

NDP functions: RA, RS, NS, NA, Redirects, NUD, DAD

Page 27: IPv6 workshop-tm-gd-vA

• Router Solicitations (RS) are sent by nodes at bootup
• A host needs an RA to finish building its addresses

RS: ICMP type 133; IPv6 source = link-local (FE80::A); IPv6 destination = all-routers multicast (FF02::2); option: source link-layer address
RA: ICMP type 134; IPv6 source = link-local (FE80::2); IPv6 destination = FE80::A (unicast reply to the solicitation); data: options, subnet prefix, lifetime, autoconfig flag

Page 28: IPv6 workshop-tm-gd-vA

Router Advertisement fields

• M flag – Stateful DHCPv6 to acquire an IPv6 address
• O flag – Stateless DHCPv6 for other information, in addition to SLAAC
• H flag – Mobile IP home agent
• Preference bits – Low, Medium, High
• Router lifetime – must be > 0 for the sender to be used as a default router (typically 1800-9000 seconds)
• Options – Prefix Information (prefix, prefix length)
• L bit – the only way a host learns an on-link prefix
• A bit – set it to 0 when hosts should obtain addresses only from DHCPv6; with A = 1 hosts also autoconfigure an address from the prefix

Header layout: type = 134 | code = 0 | checksum | cur hop limit | M|O|H|pref | router lifetime | reachable time | retransmit timer | options (variable)

Decoded RA (as shown on the slide):
Type: 134 (RA)
Code: 0
Checksum: 0xff78 [correct]
Cur hop limit: 64
Flags: 0x88
  1... .... = Managed (M flag)
  .0.. .... = Not other (O flag)
  ..0. .... = Not Home (H flag)
  ...0 1... = Router pref: High
  (the slide prints the flags byte as 0x84, which would decode to preference Medium; 0x88 is the value that matches the bit decode)
Router lifetime: 1800
Reachable time: 60000
Retrans timer: 1000
ICMPv6 Option 3 (Prefix Info)
  Prefix length: 64
  Flags: 0x80
    1... .... = On link (L bit)
    .0.. .... = No Auto (A bit)
  Prefix: 2001:0db8:4646:1234::
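The decode above is easy to reproduce, and once you can parse an RA you can also apply the checks that RA Guard applies on the switch. The following is an added Python example, not code from the workshop: it constructs an RA matching the slide's decode (M=1, O=0, H=0, preference High, lifetime 1800, one Prefix Information option for 2001:db8:4646:1234::/64 with L=1, A=0; the checksum is left as 0), parses the fixed fields and the TLV options, and flags the conditions a rogue RA typically shows: a non-link-local source, a hop limit other than 255, an unexpected prefix, or SLAAC enabled where policy is DHCPv6-only. The policy values (allowed prefixes, DHCPv6-only) are assumptions for the demonstration.

```python
"""Decode an ICMPv6 Router Advertisement and run RA Guard-style policy checks.

Added example, not code from the workshop. The RA bytes are constructed to
match the decode on the slide (M=1, O=0, H=0, preference High, lifetime 1800,
one Prefix Information option 2001:db8:4646:1234::/64 with L=1, A=0); the
ICMPv6 checksum is left as 0 because validating it needs the IPv6 pseudo-header.
"""
import struct
import ipaddress

RA_TYPE = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_MTU, OPT_RDNSS = 1, 3, 5, 25
PREFERENCE = {0: "medium", 1: "high", 2: "reserved", 3: "low"}   # RFC 4191 Prf field


def parse_ra(data):
    """Fixed RA fields plus a list of decoded options (ICMPv6 message only, no IPv6 header)."""
    if len(data) < 16 or data[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    _typ, _code, _csum, hop, flags, lifetime, reach, retrans = struct.unpack("!BBHBBHII", data[:16])
    ra = {"cur_hop_limit": hop,
          "M": bool(flags & 0x80), "O": bool(flags & 0x40), "H": bool(flags & 0x20),
          "prf": PREFERENCE[(flags >> 3) & 0x3],
          "router_lifetime": lifetime, "reachable_time": reach, "retrans_timer": retrans,
          "options": []}
    off = 16
    while off < len(data):
        if off + 2 > len(data) or data[off + 1] == 0:
            raise ValueError("malformed option")        # a zero length would loop forever
        otype, olen = data[off], data[off + 1] * 8      # option length is in 8-octet units
        if off + olen > len(data):
            raise ValueError("option runs past end of message")
        body = data[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags, valid, pref = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])   # after 4 reserved bytes
            ra["options"].append({"type": "prefix", "prefix": f"{prefix}/{plen}",
                                  "L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                                  "valid": valid, "preferred": pref})
        elif otype == OPT_SRC_LLADDR:
            ra["options"].append({"type": "src_lladdr", "mac": body[:6].hex(":")})
        elif otype == OPT_MTU:
            ra["options"].append({"type": "mtu", "mtu": struct.unpack("!I", body[2:6])[0]})
        elif otype == OPT_RDNSS:
            servers = [str(ipaddress.IPv6Address(body[6 + i:22 + i])) for i in range(0, len(body) - 6, 16)]
            ra["options"].append({"type": "rdnss", "servers": servers})
        else:
            ra["options"].append({"type": otype})
        off += olen
    return ra


def check_ra(ra, src, hop_limit, allowed_prefixes, dhcp_only=True):
    """Policy findings an RA Guard-style filter would raise; an empty list means accept.

    src and hop_limit come from the enclosing IPv6 header; allowed_prefixes is the
    operator's list of prefixes legitimately advertised on this link (assumed policy)."""
    findings = []
    if not ipaddress.IPv6Address(src).is_link_local:
        findings.append(f"source {src} is not link-local")
    if hop_limit != 255:
        findings.append(f"hop limit {hop_limit} != 255: RA did not originate on this link")
    if ra["router_lifetime"] == 0:
        findings.append("router lifetime 0: this RA withdraws the sender as default router")
    allowed = {ipaddress.IPv6Network(p) for p in allowed_prefixes}
    for opt in ra["options"]:
        if opt["type"] == "prefix":
            net = ipaddress.IPv6Network(opt["prefix"], strict=False)
            if net not in allowed:
                findings.append(f"unexpected prefix {opt['prefix']}")
            if dhcp_only and opt["A"]:
                findings.append(f"prefix {opt['prefix']} has A=1 but policy is DHCPv6-only")
    if dhcp_only and not ra["M"]:
        findings.append("M flag clear but policy is DHCPv6-only")
    return findings


def slide_ra():
    """Constructed RA bytes reproducing the slide's decode (not a capture)."""
    fixed = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x88, 1800, 60000, 1000)
    prefix_opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0x80, 2592000, 604800, 0) \
        + ipaddress.IPv6Address("2001:db8:4646:1234::").packed
    return fixed + prefix_opt


if __name__ == "__main__":
    ra = parse_ra(slide_ra())
    print(ra)
    print(check_ra(ra, "fe80::1", 255, ["2001:db8:4646:1234::/64"]))      # []
    print(check_ra(ra, "2001:db8::bad", 64, ["2001:db8:1::/64"]))          # three findings
```

The hop-limit test is the cheapest one and worth keeping in any monitor: a legitimate RA is generated on-link with hop limit 255, so a lower value means the message has been forwarded and cannot be a neighbor's.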

Page 29: IPv6 workshop-tm-gd-vA

Duplicate Address Detection (DAD)

• Probe neighbors to verify address uniqueness before using an address

NS: ICMP type 135; IPv6 source = unspecified (::); IPv6 destination = solicited-node multicast of A (FF02::1:FF00:A); target = FE80::A. Query: anyone using A?

Nodes B and C stay silent if they do not hold A; node A can then start using address A.

Page 30: IPv6 workshop-tm-gd-vA

Solicited-Node Multicast Address

• For each unicast and anycast address configured there is a corresponding solicited-node multicast address
• Multicast for resolution, unicast for reachability
• The solicited-node multicast address is FF02::1:FF00:0/104 plus the lower 24 bits of the unicast interface ID

Unicast:         2001 0DB8 1234 0001 0200 CAFF FE17 FC0F
Solicited-node:  FF02 0000 0000 0000 0000 0001 FF17 FC0F
Ethernet multicast MAC uses the last 32 bits of the group address: 33 33 FF 17 FC 0F
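The arithmetic behind the Ethernet multicast, EUI-64 and solicited-node slides, as an added Python example (not code from the workshop). The MAC 00:90:27:17:FC:0F and the prefix 2001:db8:1234:1::/64 are the slides' values. Two practitioner angles are built in: mac_from_address recovers the MAC from an EUI-64 address (the trace-back a corporate network wants and the privacy leak a consumer does not), and multicast_mac gives the 33:33 address that MLD snooping and port ACLs must admit for Neighbor Discovery to work at all.

```python
"""EUI-64 interface IDs, solicited-node groups and 33:33 multicast MACs.

Added example (not from the workshop). The MAC 00:90:27:17:FC:0F and the
prefix 2001:db8:1234:1::/64 come from the slides. An EUI-64 address leaks the
vendor OUI and serial into every packet (a scanner needs only 2^24 guesses per
known OUI), and the solicited-node group plus its 33:33 MAC are what MLD
snooping and port ACLs must let through for Neighbor Discovery.
"""
import ipaddress


def eui64_from_mac(mac):
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC (RFC 4291 Appendix A)."""
    b = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(b) != 6:
        raise ValueError("need a 48-bit MAC")
    b[0] ^= 0x02                                        # flip the U/L bit: 1 = universally unique
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])    # insert FFFE between OUI and serial


def slaac_address(prefix, mac):
    """/64 prefix + EUI-64 interface ID: the address SLAAC builds without privacy extensions."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_from_mac(mac))


def mac_from_address(addr):
    """Inverse: the MAC if the interface ID is EUI-64 derived, else None (privacy addresses)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02                                        # undo the U/L flip
    return ":".join(f"{x:02x}" for x in b)


def solicited_node(addr):
    """FF02::1:FFxx:xxxx, with the low 24 bits of the unicast/anycast address (RFC 4291 2.7.1)."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def multicast_mac(group):
    """Ethernet address for an IPv6 multicast group: 33:33 + low 32 bits of the group (RFC 2464)."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError("not a multicast address")
    return "33:33:" + ":".join(f"{x:02x}" for x in g.packed[12:])


if __name__ == "__main__":
    a = str(slaac_address("2001:db8:1234:1::/64", "00:90:27:17:FC:0F"))
    sn = str(solicited_node(a))
    print(a, sn, multicast_mac(sn), mac_from_address(a))
    # 2001:db8:1234:1:290:27ff:fe17:fc0f ff02::1:ff17:fc0f 33:33:ff:17:fc:0f 00:90:27:17:fc:0f
```

Note that the solicited-node group depends only on the low 24 bits, so the link-local and global EUI-64 addresses of one interface share a group, which is the footnote on the following router output.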

Page 31: IPv6 workshop-tm-gd-vA

R1#sh ipv6 int e0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  Global unicast address(es):
    2001:DB8:0:1234::1, subnet is 2001:DB8:0:1234::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1         <- solicited-node multicast address* for the global address ::1
    FF02::1:FF3A:8B18      <- solicited-node multicast address* for the link-local address
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds

*If the EUI-64 format is used for the global address, the first solicited-node multicast address serves both the link-local and the global unicast address.

Page 32: IPv6 workshop-tm-gd-vA

Address resolution (A resolves B)

NS: ICMP type 135; IPv6 source = FE80::A; IPv6 destination = solicited-node multicast of B (FF02::1:FF00:B); target address = 2001:db8:1:46::B; code 0 (need link layer). Query: what is B’s link-layer address?

NA: ICMP type 136; IPv6 source = FE80::B; IPv6 destination = FE80::A; option type 2 (Target Link-Layer Address) = link-layer address of B. *Flags: R = Router, S = response to a Solicitation, O = Override cached information

• Local link only, not routed
• ARP replacement: maps L3 to L2
• Multicast for resolution, unicast for reachability

Page 33: IPv6 workshop-tm-gd-vA

Neighbor Unreachability Detection (NUD): neighbors are only considered REACHABLE for 30 seconds (the default reachable time). STALE indicates that we MAY need to send an NS (a unicast probe) before trusting the entry again.

Page 34: IPv6 workshop-tm-gd-vA

IPv6 multicast address format (prefix FF00::/8)

8 bits: 1111 1111 | 4 bits flags: 0 R P T | 4 bits scope | 112 bits group ID (variable format)

Flags:
R = 0: no embedded RP; R = 1: embedded RP
P = 0: not prefix-based; P = 1: address based on a unicast prefix
T = 0: well-known address (IANA assigned); T = 1: temporary/transient address (locally assigned)

Scope values:
1 Interface-local (node)
2 Link-local
3 Realm-local (labelled “Subnet” on the slide; reserved in RFC 4291, defined by RFC 7346)
4 Admin-local
5 Site-local
8 Organization-local
E Global

Page 35: IPv6 workshop-tm-gd-vA

Unicast-prefix-based multicast addresses (RFC 3306)

• Every unicast prefix can build its own multicast addresses
• The last 32 bits form the group ID; the 112-bit field is split as: 8 bits reserved | 8 bits plen | 64 bits unicast prefix | 32 bits group ID

Layout: 1111 1111 (8 bits) | flags 0 0 1 1 (P and T set; 4 bits) | scope 1110 (4 bits) | Rsvd (8 bits) | plen (8 bits) | Unicast Prefix (64 bits) | Group ID (32 bits)

Example: plen 0x40 = 64 bits; prefix 2001:db8:cafe:1::; group ID 11d7:4cd3
Result: FF3E:0040:2001:DB8:CAFE:1:11D7:4CD3

Page 36: IPv6 workshop-tm-gd-vA

Embedded-RP multicast addresses (RFC 3956)

• Static mapping of the RP into the multicast group address
• Solves MSDP and scaling issues

Layout: 1111 1111 (8 bits) | flags 0 1 1 1 (R, P and T set; 4 bits) | scope 1110 (4 bits) | Rsvd (4 bits) | RPid (4 bits) | plen (8 bits) | Unicast Prefix (64 bits) | Group ID (32 bits)

Example: Rsvd/RPid = 0000 | 0101; plen 0x40; prefix 2001:db8:cafe:1::; group ID 645
Result: FF7E:0540:2001:DB8:CAFE:1:0000:0645 = FF7E:540:2001:db8:cafe:1::645
RP address = prefix + RPid = 2001:db8:cafe:1::5
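The RFC 3306 and RFC 3956 formulas from the last two slides, as an added Python example that is not code from the workshop. It reproduces both slide results from the prefix 2001:db8:cafe:1::/64 and, in the other direction, decodes any group address back to its flags, scope, embedded prefix and RP address, which is the check to run before a multicast boundary ACL or an RP-to-group mapping trusts what an address claims. The scope value 0xE and the group IDs are the slides' values; nothing else is assumed.

```python
"""Build and decode unicast-prefix-based (RFC 3306) and embedded-RP (RFC 3956)
IPv6 multicast addresses. Added example; the prefix 2001:db8:cafe:1::/64 and
the group IDs are taken from the slides, the rest is the standard bit layout.
"""
import ipaddress

FLAG_R, FLAG_P, FLAG_T = 0x4, 0x2, 0x1     # flags nibble: 0 R P T


def _prefix_bytes(prefix):
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("network prefix may be at most 64 bits")
    return net.prefixlen, net.network_address.packed[:8]


def prefix_based_group(prefix, group_id, scope):
    """FF3<scope>:00<plen>:<64-bit prefix>:<32-bit group ID>, flags 0011 (P + T)."""
    if not 0 <= group_id < 2 ** 32:
        raise ValueError("group ID is 32 bits")
    plen, pfx = _prefix_bytes(prefix)
    head = bytes([0xFF, ((FLAG_P | FLAG_T) << 4) | scope, 0x00, plen])
    return ipaddress.IPv6Address(head + pfx + group_id.to_bytes(4, "big"))


def embedded_rp_group(prefix, riid, group_id, scope):
    """FF7<scope>:0<RIID><plen>:<prefix>:<group ID>, flags 0111 (R + P + T); RP = prefix::RIID."""
    if not 1 <= riid <= 15 or not 0 <= group_id < 2 ** 32:
        raise ValueError("RIID is a 4-bit non-zero value; group ID is 32 bits")
    plen, pfx = _prefix_bytes(prefix)
    head = bytes([0xFF, ((FLAG_R | FLAG_P | FLAG_T) << 4) | scope, riid, plen])
    return ipaddress.IPv6Address(head + pfx + group_id.to_bytes(4, "big"))


def decode_group(group):
    """Flags, scope, group ID, and for P=1 the embedded prefix; for R=1 also the RP address."""
    p = ipaddress.IPv6Address(group).packed
    if p[0] != 0xFF:
        raise ValueError("not a multicast address")
    flags, scope = p[1] >> 4, p[1] & 0xF
    out = {"R": bool(flags & FLAG_R), "P": bool(flags & FLAG_P), "T": bool(flags & FLAG_T),
           "scope": scope, "group_id": int.from_bytes(p[12:], "big")}
    if out["P"]:
        plen = p[3]
        out["prefix"] = str(ipaddress.IPv6Network((p[4:12] + b"\x00" * 8, plen), strict=False))
        if out["R"]:
            riid = p[2] & 0xF                       # low nibble of byte 2 is the RIID
            out["rp"] = str(ipaddress.IPv6Address(p[4:12] + b"\x00" * 7 + bytes([riid])))
    return out


if __name__ == "__main__":
    print(prefix_based_group("2001:db8:cafe:1::/64", 0x11D74CD3, 0xE))   # ff3e:40:2001:db8:cafe:1:11d7:4cd3
    rp_group = embedded_rp_group("2001:db8:cafe:1::/64", 5, 0x645, 0xE)
    print(rp_group, decode_group(rp_group))                              # ... 'rp': '2001:db8:cafe:1::5'
```

decode_group is also a quick sanity filter for a multicast border: an embedded-RP group whose decoded prefix is not one of your own prefixes points at an RP outside your domain and should not be accepted inside a site boundary.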

Page 37: IPv6 workshop-tm-gd-vA

Well-known multicast addresses

Address   Scope        Meaning
FF01::1   Node-local   This node
FF02::1   Link-local   All nodes
FF02::2   Link-local   All routers
FF05::2   Site-local   All routers
FF02::5   Link-local   OSPFv3 routers
FF02::6   Link-local   OSPFv3 DR routers
FF02::9   Link-local   RIPng routers

• FF02::/16 addresses are permanent (well-known) and have link scope
• Used for link operations, routing protocols and streaming services

Page 38: IPv6 workshop-tm-gd-vA

Multicast Listener Discovery (MLD)

• MLD uses link-local source addresses
• 3 message types: Query, Report, Done
• MLD packets carry the Router Alert option in a Hop-by-Hop header
• MLDv1 = (*,G) shared tree, MLDv2 = (S,G) source-specific
• MLD snooping (the IPv6 counterpart of IGMP snooping)

MLD         IGMP        Message type     ICMPv6 type  Function
MLDv1       IGMPv2      Listener Query   130          Used to find out if there are any multicast listeners
(RFC 2710)  (RFC 2236)  Listener Report  131          Response to a query; joins a group
                        Listener Done    132          Sent by a node to report it has stopped listening
MLDv2       IGMPv3      Listener Query   130          Used to find out if there are any multicast listeners
(RFC 3810)  (RFC 3376)  Listener Report  143          Enhanced reporting: multiple groups and sources

Page 39: IPv6 workshop-tm-gd-vA

MLDv1 join

• Hosts send an MLD Report to alert the router that they wish to join a multicast group
• The router then joins the tree towards the source or the RP

MLD Report (A): ICMP type 131; IPv6 source fe80::209:5bff:fe08:a674; IPv6 destination FF38::276; hop limit 1; group address ff38::276; Hop-by-Hop header with Router Alert. “I wish to receive ff38::276”
MLD Report (B): ICMP type 131; IPv6 source fe80::250:8bff:fe55:78de; IPv6 destination FF38::276; hop limit 1; group address ff38::276; Hop-by-Hop header with Router Alert. “I wish to receive ff38::276”

[Figure: hosts A (fe80::209:5bff:fe08:a674) and B (fe80::250:8bff:fe55:78de) on a link with router C (fe80::207:85ff:fe80:692); (S, G) state towards the source for multicast ff38::276]

Page 40: IPv6 workshop-tm-gd-vA

MLDv1 leave and query

MLD Done (A): ICMP type 132; IPv6 source fe80::209:5bff:fe08:a674; IPv6 destination FF02::2 (all routers); hop limit 1; group address ff38::276; Hop-by-Hop header with Router Alert. “I wish to leave ff38::276”
MLD Query (C): ICMP type 130; IPv6 source fe80::207:85ff:fe80:692 (router C); IPv6 destination FF38::276; hop limit 1; Hop-by-Hop header with Router Alert. Group-specific query: is anyone still listening?
MLD Report (B): ICMP type 131; IPv6 source fe80::250:8bff:fe55:78de; IPv6 destination FF38::276; hop limit 1; group address ff38::276; Hop-by-Hop header with Router Alert. “I am watching ff38::276”, so the router keeps forwarding the group.

Page 41: IPv6 workshop-tm-gd-vA

MLDv2

• MLDv2 Report: sent to FF02::16 (all MLDv2-capable routers), ICMPv6 type 143
• Group-specific query: FF38::4000:BA11, ICMPv6 type 130
• Group- and source-specific query: source 2001:DB8:CAFE::1, group FF38::4000:BA11
• Leaving a group in MLDv2: there is no Done message; the host either ignores the query (silent leave) or sends a report carrying a Filter Mode Change Record

MLD Report (A): ICMP type 143; IPv6 source fe80::209:5bff:fe08:a674; IPv6 destination FF02::16; hop limit 1; number of records, include/exclude filter mode; group address FF38::4000:BA11; Hop-by-Hop header with Router Alert. “I wish to receive FF38::4000:BA11”

[Figure: host A (fe80::209:5bff:fe08:a674) joining; (S, G) state towards the source for multicast FF38::4000:BA11]

Page 42: IPv6 workshop-tm-gd-vA

Special addresses

• Loopback: 0:0:0:0:0:0:0:1 => ::1
• Unspecified address: 0:0:0:0:0:0:0:0 => 0::0 => :: (::/128)
• Documentation prefix: 2001:0DB8::/32
• Discard prefix: 0100::/64
• 6to4 automatic tunneling: 2002::/16
• Default route: ::/0

Page 43: IPv6 workshop-tm-gd-vA

Embedded IPv4 addresses

• IPv4-compatible: 0:0:0:0:0:0:A.B.C.D (::/96), e.g. ::192.168.30.1 = ::C0A8:1E01. Originally defined for automatic tunneling between IPv6-aware devices; now deprecated (RFC 4291).
• IPv4-mapped: 0:0:0:0:0:FFFF:A.B.C.D (::FFFF:0:0/96), e.g. ::FFFF:192.168.30.1 = ::FFFF:C0A8:1E01. Represents the address of an IPv4-only node (a device with no IPv6 knowledge) to an IPv6-aware application, typically through a dual-stack socket; it is not an IPv6 destination on the wire. Caveat: an address-based allow list or log parser that only matches dotted-quad IPv4 will miss ::FFFF:C0A8:1E01 unless it normalizes mapped addresses first.

[Figure: IPv4 node reaching an IPv6 network across the IPv6 Internet]

Page 44: IPv6 workshop-tm-gd-vA

Anycast

• Uses the same address in multiple locations: DNS1, DNS2 and DNS3 are all 2001:db8:aa::21
• Must not be used as a source address
• The router is configured for the /64, the host (service) for the /128
• Routers use the metric of the routing protocol to determine the closest device: with 2001:db8:aa:: reachable at cost 10, 20 and 30 from the three locations, the client’s traffic goes to DNS1 at cost 10 (“I pick DNS1, closest metric”)

Page 45: IPv6 workshop-tm-gd-vA

ICMPv6 Redirect

Topology: link 2001:db8:C18:2::/64 with routers R1 and R2 and hosts A and B.

Packet from B: IPv6 source B; IPv6 destination 2001:db8:c18:2::1; upper-layer protocol variable. B sends it via R2, but R1 is the better first hop.
Redirect from R2: ICMP type 137; IPv6 source = link-local of R2; IPv6 destination B; data: use the link-local address of R1 as next hop.

• Cannot be used if the destination is multicast
• Hosts should not send redirects
• Should be turned off on routed (router-to-router) links

Page 46: IPv6 workshop-tm-gd-vA

First-hop redundancy

HSRP for IPv6
• Modifications to Neighbor Advertisement, Router Advertisement and ICMPv6 Redirect handling
• Virtual MAC derived from the HSRP group number, plus a virtual IPv6 link-local address
[Figure: HSRP Active and HSRP Standby routers]

Neighbor Unreachability Detection
• Rudimentary HA at the first hop
• Hosts use the NUD “reachable time” (advertised in the RA) to cycle to the next known default gateway

GLBP for IPv6
• Modification to Neighbor Advertisement; the default gateway is announced via RAs from the virtual MAC
• The Active Virtual Gateway (AVG) assigns MACs, responds to NDP and directs hosts to an Active Virtual Forwarder (AVF)
[Figure: two GLBP routers, each acting as AVG/AVF]

Host view (ipconfig):
Default Gateway . . . . . . . . . : 10.121.10.1
                                    fe80::211:bcff:fec0:d000%4
                                    fe80::211:bcff:fec0:c800%4

Page 47: IPv6 workshop-tm-gd-vA

DHCP messages              IPv4                IPv6
Initial message exchange   4-way handshake     4-way handshake
Message types              Broadcast, Unicast  Multicast, Unicast
Client -> Server (1)       DISCOVER            SOLICIT
Server -> Client (2)       OFFER               ADVERTISE
Client -> Server (3)       REQUEST             REQUEST
Server -> Client (4)       ACK                 REPLY

• FF02::1:2 = All DHCP agents (servers or relays, link-local scope)
• FF05::1:3 = All DHCP servers (site-local scope)
• Clients listen on UDP port 546; servers and relays on UDP port 547
• Rapid Commit: 2-packet exchange. Assignment of options only (stateless DHCPv6) is signalled by the O flag
• ipv6 dhcp relay destination replaces ip helper-address

Page 48: IPv6 workshop-tm-gd-vA

DNS

Function                 IPv4                                                 IPv6
Hostname to IP address   A record: www.abc.test. A 192.168.30.1               AAAA record (quad A): www.abc.test. AAAA 2001:db8:C18:1::2
IP address to hostname   PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.   PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.

[Figure: dual-stack DNS server (192.168.0.3 / 2001:db8:1::1) answering both address families]
www IN A 192.168.0.3
www IN AAAA 2001:db8:1::1

• AAAA = easy, PTR = messy!
• RFC 6106: RDNSS, RA option 25 (DNS server addresses carried in Router Advertisements)
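Because the nibble-reversed PTR name is where hand-maintained IPv6 reverse zones go wrong, here is an added Python example (not code from the workshop) that generates the ip6.arpa name exactly as the slide shows it for 2001:db8:C18:1::2, reverses the mapping, computes the reverse zone apex for a delegated prefix, and cross-checks a set of AAAA records against a set of PTRs. The zone contents are constructed dictionaries standing in for real zone data; the hostnames mail.abc.test. and 2001:db8:c18:1::25 are made up for the check.

```python
"""Reverse-DNS names for IPv6: the ip6.arpa nibble format from the slide, plus
the forward/reverse consistency check a DNS administrator wants. Added example,
not part of the workshop; the zone contents are constructed dictionaries.
"""
import ipaddress

HEX = "0123456789abcdef"


def ptr_name(addr):
    """2001:db8:c18:1::2 -> 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")   # 32 lowercase hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_ptr(name):
    """Inverse of ptr_name; raises if the name is not a full 32-nibble ip6.arpa name."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        raise ValueError("not a full ip6.arpa name")
    nibbles = "".join(reversed(labels[:-2]))
    if any(c not in HEX for c in nibbles):
        raise ValueError("non-hex label")
    return ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))


def reverse_zone_name(prefix):
    """The ip6.arpa zone holding the PTRs for a prefix; the length must be a multiple of 4 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("delegate reverse zones on a nibble (4-bit) boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def check_forward_reverse(aaaa, ptr):
    """Return (hostname, address, ptr_target) for every AAAA whose PTR is missing or disagrees.

    aaaa: {hostname: [addresses]}; ptr: {ip6.arpa name: hostname}. Constructed
    dicts stand in for zone data here."""
    problems = []
    for host, addrs in aaaa.items():
        for a in addrs:
            target = ptr.get(ptr_name(a))
            if target != host:
                problems.append((host, a, target))
    return problems


if __name__ == "__main__":
    forward = {"www.abc.test.": ["2001:db8:c18:1::2"], "mail.abc.test.": ["2001:db8:c18:1::25"]}
    reverse = {ptr_name("2001:db8:c18:1::2"): "www.abc.test."}
    print(ptr_name("2001:db8:C18:1::2"))
    print(reverse_zone_name("2001:db8::/32"))              # 8.b.d.0.1.0.0.2.ip6.arpa.
    print(check_forward_reverse(forward, reverse))         # mail has no PTR
```

Both functions lowercase and fully expand the address first, which is the step people skip when they build PTR names by hand from an abbreviated address such as 2001:db8:C18:1::2.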

Page 49: IPv6 workshop-tm-gd-vA

Three stages of IPv6 on a router interface (Fast0/0)

Link-local only:
interface FastEthernet0/0
 ip address 10.151.1.1 255.255.255.0
 ipv6 enable

Best to secure me first (restrict IPv6 access to the VTY lines):
ipv6 access-list VTY
 permit ipv6 2001:db8:0:1::/64 any
line vty 0 4
 ipv6 access-class VTY in

Routable IPv6 with control of RAs (“I am a router now”):
ipv6 unicast-routing
!
interface FastEthernet0/0
 ip address 10.151.1.1 255.255.255.0
 ipv6 address 2006:1::1/64
 ipv6 nd managed-config-flag

Page 50: IPv6 workshop-tm-gd-vA

(Repeat of the Windows netsh address and route listing shown on Page 25.)

Page 51: IPv6 workshop-tm-gd-vA

• BYOD and the Internet of Everything
• IPv6 Addressing Deep Dive
• IPv6 Security Concerns
• IPv6 Securing the Access Layer
• IPv6 Securing the Perimeter
• IPv6 Deployment Strategies
• Summary

Page 52: IPv6 workshop-tm-gd-vA

1995: RFC 1883 -> 2013: IPv6

Is IPv6 (a teenager) really ‘better and more secure’?…

Page 53: IPv6 workshop-tm-gd-vA

• Your host: IPv4 is protected by your favorite personal firewall... IPv6 is enabled by default (Vista, Linux, Mac OS X, ...)
• Your network: does not run IPv6
• Your assumption: I’m safe
• Reality: you are not safe. An attacker sends Router Advertisements; your host silently configures IPv6; you are now under IPv6 attack
• => Probably time to think about IPv6 in your network

Page 54: IPv6 workshop-tm-gd-vA

What does not change with IPv6

• Sniffing: IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
• Application layer attacks: the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent
• Rogue devices: rogue devices will be as easy to insert into an IPv6 network as in IPv4
• Man-in-the-Middle attacks (MITM): without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
• Flooding: flooding attacks are identical between IPv4 and IPv6

Page 55: IPv6 workshop-tm-gd-vA

Reconnaissance

• Public servers will still need to be DNS reachable, and more information is collected by Google...
• A port scan of 18 quintillion addresses from a 40G link takes ~5,000 years
• Using peer-to-peer clients gives away the IPv6 addresses of peers
• Administrators should not adopt easy-to-remember addresses (::10, ::20, ::F00D, ::C5C0, :ABBA:BABE, or simply the IPv4 last octet for dual stack), which bring the search space back down to a handful of guesses
• Social engineering, enumeration through DNS, and EUI-64 interface IDs (a known vendor OUI leaves 2^24 candidates) could reduce the scope

Page 56: IPv6 workshop-tm-gd-vA

Smurf-style amplification in IPv4

The attacker sends ICMP echo requests to the directed broadcast address 160.154.5.255 with the spoofed source 172.18.1.2 (the victim): ICMP REQ D=160.154.5.255 S=172.18.1.2
Every host on 160.154.5.0/24 answers the victim, attempting to overwhelm the destination:
ICMP REPLY D=172.18.1.2 S=160.154.5.19
ICMP REPLY D=172.18.1.2 S=160.154.5.18
ICMP REPLY D=172.18.1.2 S=160.154.5.17
ICMP REPLY D=172.18.1.2 S=160.154.5.16
ICMP REPLY D=172.18.1.2 S=160.154.5.15
ICMP REPLY D=172.18.1.2 S=160.154.5.14

Page 57: IPv6 workshop-tm-gd-vA

• Broadcast address functionality is replaced with the appropriate link-local multicast addresses:
  Link-local all-nodes multicast: FF02::1
  Link-local all-routers multicast: FF02::2
  Link-local all-mDNS multicast: FF02::FB
• Hosts “SHOULD” reply to a multicast echo request
• Note: anti-spoofing also blocks amplification attacks, because a remote attacker cannot masquerade as his victim

http://iana.org/assignments/ipv6-multicast-addresses/

Page 58: IPv6 workshop-tm-gd-vA

ICMPv6 and multicast (RFC 4443 section 2.4, rule e.3)

• An ICMPv6 error message MUST NOT be generated in response to a packet with a multicast destination address
• Exceptions to rule e.3:
  Packet Too Big message (fragmentation needed), so that Path MTU Discovery works for multicast
  Parameter Problem message, code 2, for an unrecognized IPv6 option whose Option Type has the two high-order bits set to 10 (for example an extension header option an OS does not understand)
• An ICMPv6 informational message (echo reply) SHOULD be generated even if the destination is multicast

Mitigations:
• Rate limit egress ICMP packets
• Rate limit ICMP message generation
• Secure the multicast network (source-specific multicast)
• Note: implement ingress filtering of packets with IPv6 multicast source addresses
• Note: anti-spoofing also blocks amplification attacks, because a remote attacker cannot masquerade as his victim

Page 59: IPv6 workshop-tm-gd-vA

• Viruses involve “human” interaction to propagate
• Worms spread by scanning for vulnerable hosts from an infected host
• Other worms: IPv4 relies on network scanning; in IPv6 that is not so easy => worms will use alternative techniques (such as the DNS and peer-to-peer enumeration and the all-nodes multicast described on the surrounding slides)
• (W32/Sdbot-VJ) Spyware hiding as “wipv6.exe”

• Worm developers will adapt to IPv6
• IPv4 best practices around worm detection and mitigation remain valid

Page 60: IPv6 workshop-tm-gd-vA

Scanning made bad for CPU: remote neighbor cache exhaustion

• Potential router CPU/memory attack under aggressive scanning: for every unused address probed in 2001:db8::/64, the router (2001:db8::1) performs Neighbor Discovery, sending NS after NS for 2001:db8::1, 2001:db8::2, 2001:db8::3, ... and holding an incomplete cache entry for each, wasting CPU and memory
• A similar attack exists on the local LAN

[Figure: remote scanner -> router 2001:db8::1 on 2001:db8::/64 -> repeated NS: 2001:db8::1, NS: 2001:db8::2, NS: 2001:db8::3]

Page 61: IPv6 workshop-tm-gd-vA

IPsec

• IPv6 originally mandated the implementation of IPsec (but not its use)
• Now, RFC 6434: “IPsec SHOULD be supported by all IPv6 nodes”
• Some organizations still believe that IPsec should be used to secure all flows...
  Interesting scalability issue (n² key-management issue with IPsec)
  Need to trust endpoints and end-users, because the network cannot secure the traffic
  Network telemetry is blinded: NetFlow is of little use
  Network services hindered: what about QoS?

Recommendation: reserve IPsec for residential or hostile environments or high-profile targets, EXACTLY as for IPv4

Page 62: IPv6 workshop-tm-gd-vA

Neighbor Discovery threats

• ARP is replaced by the Neighbor Discovery Protocol: nothing is authenticated, and static entries are overwritten by dynamic ones
• Stateless Address Autoconfiguration: rogue RAs (malicious or not)
• Attack tools are real! parasite6, fake_router6, alive6 (THC-IPv6), Scapy (scapy6), …

Page 63: IPv6 workshop-tm-gd-vA

• BYOD and the Internet of Everything
• IPv6 Addressing Deep Dive
• IPv6 Security Concerns
• IPv6 Securing the Access Layer
• IPv6 Securing the Perimeter
• IPv6 Deployment Strategies
• Summary

Page 64: IPv6 workshop-tm-gd-vA

[Figure: identity-centric policy architecture. Labels recovered from the slide: WHO, WHAT, WHEN, WHERE, HOW; Identity; Centralized Policy Engine; Business-Relevant Policies; Dynamic Policy & Enforcement; Application Controls; Monitoring / Reporting; Security Policy Enforcement; Security Policy Attributes; Switchport; AC; Employee]

Page 65: IPv6 workshop-tm-gd-vA

•  Each device has an RSA key pair
•  Ultra-light check for validity: a verifier only recomputes a SHA-1 hash to tie the address to the claimed public key
•  SeND messages carry the CGA parameters (modifier, subnet prefix, public key) and an RSA signature

[Diagram: Cryptographically Generated Address = subnet prefix + interface identifier, where the interface identifier is derived with SHA-1 from the modifier, the subnet prefix and the public key; the private key signs the SeND message and the public key lets neighbors verify it]
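How the "ultra light" check works in practice, as an added example (not code from the workshop): derive a CGA interface identifier from a public key per RFC 3972 and verify that an address really belongs to the key that claims it. The RSA signature SeND adds on top of the CGA is not shown, and NODE_PUBKEY is a constructed placeholder standing in for the DER-encoded public key a real node would use.

```python
"""Cryptographically Generated Addresses (RFC 3972), the address-to-key binding
that SeND relies on.  Added example, not code from the workshop.  The RSA
signature SeND adds on top of the CGA is not shown; NODE_PUBKEY is a constructed
placeholder for the DER-encoded SubjectPublicKeyInfo a real node would use."""
import hashlib
import ipaddress
import os

# Constructed placeholder for host A's DER-encoded RSA public key.
NODE_PUBKEY = b"-- placeholder DER SubjectPublicKeyInfo for host A --"


def hash1(modifier, prefix8, collision, pubkey):
    """Hash1: leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | public key)."""
    return hashlib.sha1(modifier + prefix8 + bytes([collision]) + pubkey).digest()[:8]


def hash2_ok(modifier, pubkey, sec):
    """Hash2 (SHA-1 of modifier | 9 zero octets | public key) must start with 16*sec zero bits.
    This 'hash extension' makes brute-forcing a CGA cost 2^(16*sec) extra work."""
    if sec == 0:
        return True
    hash2 = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]
    return hash2[: 2 * sec] == b"\x00" * (2 * sec)


def cga_interface_id(modifier, prefix8, collision, pubkey, sec):
    """Interface identifier = Hash1 with bits 0-2 set to sec and the u/g bits (6-7) cleared."""
    iid = bytearray(hash1(modifier, prefix8, collision, pubkey))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def cga_generate(prefix, pubkey, sec=0, modifier=None, collision=0):
    """Return (address, params); params is what SeND carries in its CGA option.
    A fixed modifier makes the result reproducible; a real node picks a random one."""
    if not 0 <= sec <= 7 or not 0 <= collision <= 2:
        raise ValueError("sec must be 0..7 and the collision count 0..2")
    prefix8 = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    if modifier is None:
        modifier = os.urandom(16)
    # Hash extension: bump the modifier until Hash2 has the required leading zero bits.
    while not hash2_ok(modifier, pubkey, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    iid = cga_interface_id(modifier, prefix8, collision, pubkey, sec)
    params = {"modifier": modifier, "prefix8": prefix8, "collision": collision, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix8 + iid), params


def cga_verify(address, params):
    """RFC 3972 section 5, the check a neighbour runs on a SeND message: one or two SHA-1
    computations, no public-key operation and no PKI involved."""
    addr = ipaddress.IPv6Address(address).packed
    if params["collision"] > 2 or params["prefix8"] != addr[:8]:
        return False
    sec = addr[8] >> 5                       # sec is carried in the address itself
    expected = cga_interface_id(params["modifier"], addr[:8], params["collision"], params["pubkey"], sec)
    return expected == addr[8:] and hash2_ok(params["modifier"], params["pubkey"], sec)


if __name__ == "__main__":
    addr, params = cga_generate("2001:db8::/64", NODE_PUBKEY, sec=1)
    print(addr, cga_verify(addr, params))
    # an attacker presenting its own key for the same address fails the check
    print(cga_verify(addr, dict(params, pubkey=b"attacker key")))
```

The point to notice is what the verifier does not need: no certificate, no signature verification to decide whether an address belongs to a key; the signature only proves that the sender holds the private key, and the CGA proves that the key is the one the address was derived from. The sec value (0 to 7) trades generation time for resistance to brute-force attacks on the 59 hash bits left in the identifier.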

Page 66: IPv6 workshop-tm-gd-vA

Certificate path validation for a SeND router R (the host trusts Certificate Authority CA0, which holds certificate C0):

1. Router R sends a certificate request to CA0
2. CA0 issues the router certificate CR
3. R sends its Router Advertisement (signed with its key)
4. Host sends a Certificate Path Solicitation (CPS): "I trust CA0, who are you?"
5. R answers with a Certificate Path Advertisement (CPA): "I am R, this is my certificate CR"
6. Host verifies CR against CA0
7. Host starts using R as default gateway

•  Most OS's do NOT support SeND (Windows Vista/2008, OS X, iOS, Android)

Page 67: IPv6 workshop-tm-gd-vA

•  Microsoft Windows: deploy a Group Policy Object (GPO) that turns off randomized and privacy interface identifiers
   netsh interface ipv6 set global randomizeidentifiers=disabled
   netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
   netsh interface ipv6 set privacy state=disabled store=persistent
•  Alternatively, disable stateless auto-configuration and force DHCPv6: send Router Advertisements with
   - all prefixes with the A-bit set to 0 (disable SLAAC)
   - the M flag set to 1 to force stateful DHCPv6
•  Use DHCPv6 with a specific pool + an ingress ACL allowing only this pool

For Your Reference (IOS):
   interface FastEthernet0/0
    ipv6 nd prefix default no-autoconfig
    ipv6 dhcp server . . . (or relay)
    ipv6 nd managed-config-flag

Page 68: IPv6 workshop-tm-gd-vA

•  Catalyst Integrated Security Features (CISF)
•  Dug Song - dsniff
•  Port Security

Page 69: IPv6 workshop-tm-gd-vA

IPv6 First Hop Security (FHS) feature set

Core Features
•  IPv6 Snooping: builds the binding table the other features rely on
•  RA Guard: protection against rogue or malicious RAs and MitM attacks
•  DHCPv6 Guard: protection against invalid DHCP offers, DoS attacks and MitM attacks

Advanced Features
•  Source/Prefix Guard: protection against invalid source addresses, invalid prefixes and source address spoofing
•  Destination Guard: protection against DoS attacks, scanning and invalid destination addresses

Scalability & Performance
•  RA Throttler: reduces the control traffic necessary for proper link operation to improve performance
•  ND Multicast Suppress: facilitates scale by converting multicast traffic to unicast

Page 70: IPv6 workshop-tm-gd-vA

•  Attacker spoofs a Router Advertisement with a false on-link prefix
•  Incoming packets can't reach the victim
•  The most frequent threat, usually caused by a non-malicious user (a misconfigured host)

[Diagram: B is the legitimate router, A the victim, C the misconfigured host. Legitimate RA: Src = B's link-local address, Dst = all-nodes, option = prefix 2001:db8. Spoofed RA from C: Src = B's link-local address, Dst = all-nodes, option = prefix BAD. A computes BAD::A, runs DAD on it and deprecates 2001:db8::A; A then sources off-link traffic to B with BAD::A, and B filters out BAD::A]

Page 71: IPv6 workshop-tm-gd-vA

•  Flooding RAs, each announcing a new prefix, overwhelms the host stack: OS X, iPad, Windows, Android

[Diagram: one node floods the link with RAs advertising prefixes BAD1, BAD2, BAD3, BAD4, BAD5, BAD6, ...; every other host (A, B, C) tries to configure an address for each prefix]

Page 72: IPv6 workshop-tm-gd-vA

•  Attacker spoofs a Router Advertisement with a false on-link prefix, presenting itself as the router
•  Result: MITM, splash screen, traffic capture

[Diagram: the legitimate RA from B (Src = B's link-local address, Dst = all-nodes, option = prefix 2001:0db8) competes with the attacker's RA claiming B's link-local address (Dst = all-nodes, option = prefix BAD); A now sends its traffic through the attacker C]

Page 73: IPv6 workshop-tm-gd-vA

•  Port ACL blocks all ICMPv6 RAs from hosts
   ipv6 access-list ACCESS_PORT
    deny icmp any any router-advertisement
    ! ...followed by the permits the port needs
   interface FastEthernet0/2
    ipv6 traffic-filter ACCESS_PORT in

•  RA-guard lite (12.2(33)SXI4 & 12.2(54)SG): also drops all RAs received on this port
   interface FastEthernet0/2
    ipv6 nd raguard
    access-group mode prefer port

•  RA-guard (12.2(50)SY, 15.0(2)SE): per-port device role
   ipv6 nd raguard policy HOST
    device-role host
   ipv6 nd raguard policy ROUTER
    device-role router
   ipv6 nd raguard attach-policy HOST vlan 100
   interface FastEthernet0/0
    ipv6 nd raguard attach-policy ROUTER

[Diagram: RAs arriving on ports with the HOST device-role are dropped; RAs arriving on the port with the ROUTER device-role are forwarded]

Page 74: IPv6 workshop-tm-gd-vA

•  Attacker answers every Duplicate Address Detection (DAD) attempt of the victim
•  The victim never obtains an address and needs manual intervention to configure one

[Diagram: A sends an NS (Src = unspecified, Dst = solicited-node multicast of A, Target = A): "does anybody use A?"; the attacker C replies with an NA (Src = any of C's interface addresses, Dst = A, Target = A, option = link-layer address of C), so A believes the address is already in use]

Page 75: IPv6 workshop-tm-gd-vA

DHCPv6 Guard: prevent rogue DHCP responses from misleading the client

[Diagram: before DHCPv6 Guard, a host's DHCP request through the first-hop switch is answered both by the real DHCP server and by a rogue one ("I am a DHCP Server"); after DHCPv6 Guard, the switch drops the rogue answer and only the legitimate server's reply reaches the host]

Page 76: IPv6 workshop-tm-gd-vA

IPv6 Snooping (device tracking)
•  Deep control packet inspection
•  Address glean (ND, DHCP, data)
•  Address watch
•  Binding guard

Instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table to ensure rogue users cannot spoof or steal addresses. IPv6 Source Guard, IPv6 Destination Guard and device tracking all consume this table.

IPv6 Binding Table
   Intf      IPv6    MAC   VLAN  State
   g1/0/10   ::001A  001A  110   Active
   g1/0/11   ::001C  001C  110   Stale
   g1/0/16   ::001E  001E  200   Verifying

Page 77: IPv6 workshop-tm-gd-vA

IPv6 Source Guard: allow traffic only from sources that are present in the binding table

[Diagram: before IPv6 Source Guard, Host A can send NAs (or data) as "~Host A", a spoofed address, through the first-hop switch; after IPv6 Source Guard, the switch checks every source against the binding table and drops the spoofed packets]

IPv6 Binding Table
   Intf      IPv6    MAC   VLAN  State
   g1/0/10   ::001A  001A  110   Active
   g1/0/11   ::001C  001C  110   Stale
   g1/0/16   ::001E  001E  200   Verifying
   g1/0/21   ::0021  0021  200   Active

Page 78: IPv6 workshop-tm-gd-vA

IPv6 Destination Guard
•  Mitigates prefix-scanning attacks and protects the ND cache
•  Drops packets for destinations without a binding entry, so the router never starts resolving unknown addresses

[Diagram: pings to 2001:db8::1, ::2, ::3 and ::4 arrive; for each destination the switch looks up the binding table; only 2001:db8::1 is found, so only that packet is forwarded (with the NS for 2001:db8::1); the others are dropped without any Neighbor Solicitation being sent]

IPv6 Binding Table
   Intf      IPv6    MAC   VLAN  State
   g1/0/10   ::0001  001A  110   Active
   g1/0/11   ::001C  001C  110   Stale
   g1/0/16   ::001E  001E  200   Verifying

Page 79: IPv6 workshop-tm-gd-vA

RA Throttler
•  Scaling the mobility (wireless) access environment
•  The NDP process is multicast "chatty" and consumes airtime
•  Rate-limit the periodic RAs from the legitimate router
•  Inspect the Router Solicitation (RS) and convert the triggered RA into an L2 unicast to the soliciting host

Page 80: IPv6 workshop-tm-gd-vA

ND Multicast Suppress
•  Scaling the mobility (wireless) access environment
•  The NDP process is multicast "chatty" and consumes airtime
•  Caching allows the controller to "proxy" the NA, based on gleaning
•  Intercept the NS and unicast it over L2 to the target, or answer it from the cache with a unicast NA

[Diagram: gleaned cache on the controller
   MAC                 IPv6 Address
   00:24:56:75:44:33   2001:db8:0:20::2
   00:24:56:11:93:28   2001:db8:0:20::4
 an NS for one of these addresses is answered with a unicast NA instead of being flooded to the link]

Page 81: IPv6 workshop-tm-gd-vA

Section divider: IPv6 Securing the Perimeter

Page 82: IPv6 workshop-tm-gd-vA

NIST SP 800-119, Guidelines for the Secure Deployment of IPv6: http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf

Page 83: IPv6 workshop-tm-gd-vA

ICMPv6 Filtering

•  PERMIT transit IN: Packet Too Big, Destination Unreachable, Time Exceeded (hop limit), Parameter Problem, Echo Reply
•  PERMIT transit OUT: Packet Too Big, Parameter Problem, Echo Request (maybe Destination Unreachable)
•  PERMIT to a firewall interface (local configuration traffic): Packet Too Big, Destination Unreachable, Time Exceeded, Parameter Problem, Echo Request/Reply, (RA/RS), NA/NS
•  BLOCK all others
•  ...or follow RFC 4890, Recommendations for Filtering ICMPv6 Messages in Firewalls

Page 84: IPv6 workshop-tm-gd-vA

IPv6 ACLs
•  Can match on upper layers: TCP, UDP and SCTP port numbers; ICMPv6 type and code; TCP flags SYN, ACK, FIN, PUSH, URG, RST; traffic class (only 6 of the 8 bits, i.e. DSCP); flow label (0-0xFFFFF)
•  IPv6 extension headers:
   - routing matches any RH, routing-type matches a specific RH type
   - mobility matches any MH, mobility-type matches a specific MH type
   - dest-option matches any Destination Options header
   - auth matches AH
   - hbh matches Hop-by-Hop (since 15.2(3)T)
•  fragments keyword matches non-initial fragments (same as IPv4)
•  undetermined-transport keyword matches packets whose upper-layer protocol cannot be determined: TCP/UDP/SCTP whose ports are in a later fragment, ICMPv6 whose type and code are in a later fragment, and everything else (including OSPFv3, ...); only usable in a deny ACE


Page 86: IPv6 workshop-tm-gd-vA

•  RFC 1858: firewall processing of fragments
•  RFC 5722: host handling of overlapping fragments (the whole packet must be dropped)
•  Abuses: atomic fragments (offset = 0, M = 0), tiny first fragments (well under the 1280-byte minimum MTU, too small to carry the upper-layer header), predictable fragment IDs, etc.

[Diagram "Hidden ULP": fragment 1 = IPv6 header, NH = 60 (Destination Options), offset = 0, M = 1, carrying a Destination Options header padded to > 1400 bytes; fragment 2 = IPv6 header, NH = 58, offset > 0, M = 0, carrying the ICMPv6 RA. A filter that only looks at the first fragment never sees the RA]

[Diagram "Overlapping Fragments": fragment 1 = NH = 58, offset = 0, M = 1, ICMPv6; fragment 2 = NH = 58, offset = 1, M = 0, an ICMPv6 RA overlapping the first fragment]

Fragmentation extension header (type 44):
   Next Header | Reserved | Fragment Offset | Res | M
   Identification

•  RFC 6980 (August 2013): Neighbor Discovery messages (RS, RA, NS, NA, Redirect) must not be fragmented, and receivers must drop ND messages that arrive with a fragment header

Page 87: IPv6 workshop-tm-gd-vA

•  Potential DoS with poor IPv6 stack implementations
•  PadN in a Destination Options header as a covert channel: RFC 2460 states a maximum of 5 bytes of padding (0x00)
•  IPv6 inspection: only known EHs, strict order, granular filtering
•  What constitutes an acceptable EH maximum?

[Diagram: a packet that is "perfectly valid according to the sniffer" but carries a Routing Header out of order (the Destination Options header should be last), a header that should only appear once appearing twice, and a Destination Options header, which should occur at most twice, appearing more often]

Page 88: IPv6 workshop-tm-gd-vA

Routing Header (Next Header = 43)
•  An extension header, processed by the listed intermediate routers
•  Fields: Next Header, Ext Hdr Length, Routing Type, Segments Left, routing-type-specific data
•  Two types
   - Type 0 (RH0): similar to IPv4 source routing; deprecated by RFC 5095 and blocked by default beginning 12.4(15)T
   - Type 2: used for Mobile IPv6

[Diagram: IPv6 basic header (Next Header = 43) followed by the Routing Header and its data]

Page 89: IPv6 workshop-tm-gd-vA

IPv6 Extension Header Filtering

•  Allow only the Fragmentation extension header
•  Allow other headers only on special need, e.g.
   - ESP/AH header for IPsec
   - Destination Options header, Routing Header type 2, Mobility Header for Mobile IPv6
•  Allow all other non-TCP/UDP protocols you might need, e.g. GRE
•  Block more than one fragmentation header if possible
   - Multiple cascaded fragmentation headers don't make sense; there should be only one fragmentation header per packet
   - Don't confuse this with multiple fragments of one packet
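The checks from the last four slides (fragments, header order and count, RH0, selective allowance of IPsec and mobility headers) as one header-chain inspector, an added example that is neither the workshop's nor any Cisco product's code. It walks the extension header chain of a raw IPv6 packet, returns a permit/deny verdict with the reason, and treats the first-fragment cases the slides warn about: an upper-layer header that is not visible in the first fragment (the undetermined-transport condition), an atomic fragment, and Neighbor Discovery hidden in a fragment (RFC 6980). The packets are constructed with a small builder.

```python
"""Extension-header chain inspection at the perimeter.  Added example, not code
from the workshop or any Cisco product: walk the header chain of a raw IPv6
packet and apply the policy the slides recommend: RFC 2460 order, no repeated
headers, no RH0, IPsec and mobility headers only when explicitly allowed, one
fragment header, upper-layer header visible in the first fragment, and no
Neighbor Discovery inside fragments (RFC 6980).  Packets are constructed."""
import struct

HBH, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 59, 60, 135
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HBH, ROUTING, FRAGMENT, ESP, AH, DST_OPTS, MOBILITY}
ORDER = [HBH, DST_OPTS, ROUTING, FRAGMENT, AH, ESP, DST_OPTS]   # RFC 2460 section 4.1
ND_TYPES = {133, 134, 135, 136, 137}
MIN_L4 = {TCP: 20, UDP: 8, ICMPV6: 4}


def walk_chain(pkt):
    """Return ([(type, header bytes), ...], upper-layer protocol, offset of the upper layer)."""
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if nh == ESP:                                   # nothing after ESP can be parsed
            return chain + [(ESP, pkt[off:])], ESP, len(pkt)
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        hlen = 8 if nh == FRAGMENT else (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("truncated extension header")
        chain.append((nh, pkt[off:off + hlen]))
        nh, off = pkt[off], off + hlen
    return chain, nh, off


def inspect(pkt, allow_ipsec=False, allow_mobility=False):
    """('permit'|'deny', reason) for one packet under the perimeter policy."""
    try:
        chain, ulp, off = walk_chain(pkt)
    except ValueError as err:
        return "deny", str(err)
    types = [t for t, _ in chain]
    if HBH in types and types[0] != HBH:
        return "deny", "hop-by-hop header not first"
    for t in set(types):
        if types.count(t) > (2 if t == DST_OPTS else 1):
            return "deny", "extension header %d repeated" % t
    pos = -1
    for t in types:                                     # each header must come later in ORDER
        later = [i for i, o in enumerate(ORDER) if o == t and i > pos]
        if not later:
            return "deny", "extension header %d out of order" % t
        pos = later[0]
    if (AH in types or ESP in types) and not allow_ipsec:
        return "deny", "IPsec header not allowed on this interface"
    if MOBILITY in types and not allow_mobility:
        return "deny", "mobility header not allowed on this interface"
    if ROUTING in types:
        rtype, segs_left = dict(chain)[ROUTING][2:4]
        if rtype == 0 and segs_left > 0:
            return "deny", "RH0 with segments left (RFC 5095)"
        if rtype != 0 and (rtype != 2 or not allow_mobility):
            return "deny", "routing type %d not allowed" % rtype
    if FRAGMENT in types:
        frag = dict(chain)[FRAGMENT]
        offset, more = struct.unpack("!H", frag[2:4])[0] >> 3, frag[3] & 1
        if offset == 0 and not more:
            return "deny", "atomic fragment"
        if offset > 0:
            return "permit", "non-initial fragment (upper layer is checked on the first one)"
        if ulp in MIN_L4 and len(pkt) - off < MIN_L4[ulp]:
            return "deny", "undetermined-transport: upper-layer header not in the first fragment"
        if ulp == ICMPV6 and pkt[off] in ND_TYPES:
            return "deny", "Neighbor Discovery inside a fragment (RFC 6980)"
    return "permit", "ESP (opaque payload)" if ulp == ESP else "upper layer %d" % ulp


def build(headers, ulp, ulp_bytes):
    """Constructed packet: headers is a list of (type, body without its Next Header byte)."""
    nhs = [t for t, _ in headers] + [ulp]
    payload = b"".join(bytes([nhs[i + 1]]) + body for i, (_, body) in enumerate(headers)) + ulp_bytes
    return struct.pack("!IHBB", 6 << 28, len(payload), nhs[0], 64) + bytes(32) + payload


PADN6 = b"\x00\x01\x04\x00\x00\x00\x00"                 # Hdr Ext Len 0 + PadN(4): one 8-octet options header
TCP_SYN = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
NS_MSG = bytes([135, 0, 0, 0]) + bytes(4) + bytes(16)   # Neighbor Solicitation, target ::


def frag_body(offset, more, ident=0x1234):
    return b"\x00" + struct.pack("!HI", (offset << 3) | more, ident)


def rh_body(rtype, segs_left):                          # Hdr Ext Len 2: one 16-byte address follows
    return bytes([2, rtype, segs_left]) + bytes(4) + bytes(16)
```

Two design points worth copying into a real filter: a non-initial fragment is passed on the assumption that the first fragment has been (or will be) inspected, which only holds when the device reassembles or at least tracks fragments by identification; and ESP ends the walk, so an interface that permits IPsec is also permitting whatever is hidden behind it.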

Page 90: IPv6 workshop-tm-gd-vA

•  Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt
•  Anti-spoofing (RFC 2827, BCP 38), multi-homed filtering (RFC 3704, BCP 84)
•  uRPF (Unicast Reverse Path Forwarding)

[Diagram: a packet from the IPv6 intranet enters an inter-networking device with uRPF enabled on its way to the IPv6 intranet/Internet; no route back to the source address => drop]

Page 91: IPv6 workshop-tm-gd-vA

Other IPv6 Filtering Considerations

•  Allow rules should always use source address 2000::/3 instead of 'any'*: the implicit DENY then drops everything else
•  If you want more granularity, you can filter on the assigned numbers (IPv6 legitimate prefixes)
•  Block the documentation prefix 2001:db8::/32
•  If you do that, keep in mind to update the rule set when IANA makes new assignments (5 years since the last change)
•  What about multicast and special addresses?

IANA allocations
   IPv6 unicast     2001::/16
   6to4             2002::/16
   RIPE NCC         2003::/18
   APNIC            2400::/12
   ARIN (US DoD)    2600::/12
   ARIN             2610::/23
   ARIN             2620::/23
   LACNIC           2800::/12
   RIPE NCC         2A00::/12
   AfriNIC          2C00::/12

Page 92: IPv6 workshop-tm-gd-vA

•  Teredo navalis: a shipworm drilling holes in boat hulls
•  Teredo Microsoftis: IPv6 in IPv4 (UDP) punching holes in NAT devices

[Diagram: hosts on the IPv4 intranet tunnel IPv6 across the IPv4 Internet to the IPv6 Internet; 6to4 and ISATAP use IP protocol 41, Teredo uses UDP port 3544]

Blocking the tunnels at the IPv4 edge (extended IPv4 ACL, permits omitted):
   ! 6to4, ISATAP
   access-list deny 41 any any
   ! Teredo
   access-list deny udp any any eq 3544
   access-list deny udp any eq 3544 any
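The ACL above blocks the encapsulation at the IPv4 edge. The other half of the problem is noticing tunnelled hosts that already got through, or that show up on the IPv6 side. This added example (not code from the workshop) decodes the addresses such hosts carry: 6to4 and ISATAP embed the host's IPv4 address, Teredo embeds the server and the obfuscated client address and port, NAT64 embeds the IPv4 destination. The flow records are constructed, key=value style, with documentation addresses only.

```python
"""Spotting transition-technology addresses in flow or log data.  Added example,
not code from the workshop: classify an IPv6 address as 6to4, Teredo, ISATAP,
NAT64 (well-known prefix), IPv4-mapped or native, decoding the embedded IPv4
information, and scan constructed NetFlow-style records with it."""
import ipaddress

SIX2FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")   # ::0:5efe:w.x.y.z, u-bit set for a global IPv4


def classify(address):
    """Return a dict with 'kind' and whatever IPv4 information the address embeds."""
    a = ipaddress.IPv6Address(address)
    p = a.packed
    if a in SIX2FOUR:                       # 2002:V4ADDR::/48 (RFC 3056)
        return {"kind": "6to4", "ipv4": str(ipaddress.IPv4Address(p[2:6]))}
    if a in TEREDO:                         # RFC 4380: server, flags, obfuscated port and client
        flags = int.from_bytes(p[8:10], "big")
        return {"kind": "teredo",
                "server": str(ipaddress.IPv4Address(p[4:8])),
                "cone_nat": bool(flags & 0x8000),
                "client_port": int.from_bytes(p[10:12], "big") ^ 0xFFFF,
                "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16])))}
    if p[8:12] in ISATAP_IIDS:              # RFC 5214 interface identifier
        return {"kind": "isatap", "ipv4": str(ipaddress.IPv4Address(p[12:16]))}
    if a in NAT64_WKP:                      # RFC 6052 well-known prefix
        return {"kind": "nat64", "ipv4": str(ipaddress.IPv4Address(p[12:16]))}
    if a.ipv4_mapped:
        return {"kind": "ipv4-mapped", "ipv4": str(a.ipv4_mapped)}
    return {"kind": "native"}


def scan_flows(lines):
    """Scan key=value flow records and report every src/dst that is a transition address."""
    hits = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        for key in ("src", "dst"):
            if key in fields:
                info = classify(fields[key])
                if info["kind"] != "native":
                    hits.append((fields.get("ts", "?"), key, fields[key], info))
    return hits


# Constructed NetFlow-style export lines (documentation and test addresses only).
SAMPLE_FLOWS = [
    "ts=2013-10-01T10:00:01Z src=2002:c633:6401::1 dst=2001:db8::80 proto=6 dport=443",
    "ts=2013-10-01T10:00:02Z src=2001:0:cb00:7101:8000:f227:3fff:fdd2 dst=2001:db8::80 proto=6 dport=80",
    "ts=2013-10-01T10:00:03Z src=2001:db8::5efe:c000:21a dst=2001:db8::53 proto=17 dport=53",
    "ts=2013-10-01T10:00:04Z src=2001:db8::1 dst=64:ff9b::c000:202 proto=6 dport=22",
    "ts=2013-10-01T10:00:05Z src=2001:db8::1 dst=2001:db8::2 proto=58",
]

if __name__ == "__main__":
    for ts, key, addr, info in scan_flows(SAMPLE_FLOWS):
        print(ts, key, addr, info)
```

A Teredo address is the most telling: the decoded client address is the public side of the NAT the host sits behind, and the port is the NAT mapping the host punched, both of which an analyst can correlate with the IPv4 firewall logs that the ACL above produces.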

Page 93: IPv6 workshop-tm-gd-vA

OSPFv3 authentication with IPsec AH (static key, transport mode):
   interface Ethernet0/0
    ipv6 ospf 1 area 0
    ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF

EIGRP for IPv6 with its own MD5 authentication and a key chain:
   interface Ethernet0/0
    ipv6 authentication mode eigrp 100 md5
    ipv6 authentication key-chain eigrp 100 MYCHAIN
   key chain MYCHAIN
    key 1
     key-string 1234567890ABCDEF1234567890ABCDEF
     accept-lifetime local 12:00:00 Dec 31 2011 12:00:00 Jan 1 2012
     send-lifetime local 00:00:00 Jan 1 2012 23:59:59 Dec 31 2013

•  OSPFv3, RIPng, PIM: no crypto maps, no ISAKMP; IPsec transport mode with static keys
•  EIGRP, BGP, IS-IS: use their own MD5 authentication mechanisms

Page 94: IPv6 workshop-tm-gd-vA

Section divider: IPv6 Deployment Strategies

Page 95: IPv6 workshop-tm-gd-vA

•  Build your IPv6 transition team

Planning and coordination is required from many across the organization, including:
   - Network engineers & operators
   - Security engineers
   - Application developers
   - Desktop / server engineers
   - Web hosting / content developers
   - Business development managers
   - ...

Moreover, training will be required for all involved in supporting the various IPv6-based network services.

Page 96: IPv6 workshop-tm-gd-vA

Prefix lengths in the design
   WAN point-to-point   /127
   Core                 /64 or /127
   Servers              /64
   Hosts                /64
   Loopback             /128

•  /64 everywhere there is a host
•  /127 point-to-point links, all carved out of a single /64 reserved for them (RFC 6164); note that ::1 and ::2 are NOT in the same /127, so number the two ends ::0/::1, ::2/::3, and so on
•  /128 loopbacks, also out of a single /64
•  /64, /64, /64

Page 97: IPv6 workshop-tm-gd-vA

•  Methods: follow IPv4 (/24 only), organizational, location- or function-based
•  Hierarchy is key (a /48 example), the bit twiddler's dream (16-bit subnet strategy):
   - 8 bits = 256 regions (states, counties, agencies, etc.)
   - 4 more bits = 16 sub-levels within those regions
   - 4 more bits = 16 traffic types (admin, guest, telephony, video, etc.)
•  Cisco IPv6 Addressing White Paper: http://www.cisco.com/go/IPv6
•  Monotonic subnet numbering (1000, 2000, 3000, etc.) vs. sparse (0000, 4000, 8000, c000)

Page 98: IPv6 workshop-tm-gd-vA

Recommended enterprise co-existence strategy

[Diagram: dual stack (IPv4 and IPv6 side by side) in the centre, with tunneling services (IPv6 over IPv4, IPv4 over IPv6) and translation services (IPv4 <-> IPv6) as the complementary options]

Page 99: IPv6 workshop-tm-gd-vA

Dual-stack host and DNS
   www IN A    192.168.0.3
   www IN AAAA 2001:db8:1::1

[Diagram: a dual-stack client asks the DNS server and reaches 192.168.0.3 over IPv4 or 2001:db8:1::1 over IPv6; the stack diagrams show the application layer over TCP/UDP over IPv6 and IPv4, both sharing one network interface card]

•  Host security on a dual-stack device: fate sharing, you are only as secure as the least secure stack
•  In a dual-stack case, an application can query DNS for IPv4 and/or IPv6 records and issue connection requests in parallel rather than serially: RFC 6555 (Happy Eyeballs)
•  RFC 6724, Default Address Selection for IPv6: scope, smallest scope, preferred, transitional, longest prefix

Page 100: IPv6 workshop-tm-gd-vA

IPv6 tunneling and overlay options
•  6rd (RFC 5569)
•  6to4 (RFC 3056)
•  ISATAP (RFC 5214)
•  Teredo (RFC 4380)
•  AYIYA
•  GRE (RFC 2784; RFC 2473 is generic packet tunneling in IPv6)
•  Manual tunnel (RFC 2893, now RFC 4213)
•  DMVPN
•  MPLS 6VPE
•  LISP

Page 101: IPv6 workshop-tm-gd-vA

[Diagram: three ways to expose IPv4 content to the IPv6 Internet: a server load balancer terminating IPv6 in front of IPv4 servers, stateful NAT64 between the IPv6 Internet and the IPv4 Internet, and an application proxy. Callouts: "MTU & frag issue", "most widely deployable", "SW = poor performance" (the proxy)]

Page 102: IPv6 workshop-tm-gd-vA

•  Stateless NAT64 (~ASA static), RFC 6145 (IP/ICMP Translation Algorithm)
   - Gives an IPv6-only host access to the IPv4 world and vice versa
   - Consumes an IPv4 address for each IPv6-only device
•  Stateful NAT64 (~ASA dynamic), RFC 6146 (RFC 6144 is the translation framework), successor of the deprecated NAT-PT
   - Can aggregate many IPv6 users into a single (or a few) IPv4 address(es)
   - Used mainly where IPv6-only clients need to access IPv4 servers
   - Only supports IPv6-initiated flows
   - Works like IPv4-to-IPv4 PAT: a translation table is required

[Diagram: the IPv4 header (Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address) translated to and from the IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address)]

•  Connects IPv6 islands to the IPv4 world
•  TCP/UDP/ICMP unicast traffic only
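The header mapping in the diagram, carried out in code as an added example (not the workshop's nor any Cisco product's implementation): a stateless translator per RFC 6145 that rewrites a TCP/UDP packet from IPv4 to IPv6 and back, embedding the IPv4 addresses in the well-known prefix 64:ff9b::/96 (RFC 6052). Both endpoints are embedded in the same /96 here, a simplification of the stateless case; fragments, extension headers and ICMP are rejected rather than translated. The part that is easy to forget, and that this example therefore makes explicit, is the transport checksum: it covers a pseudo header with the IP addresses, so it must be recomputed whenever the addresses change.

```python
"""Stateless IPv4/IPv6 translation (RFC 6145 headers, RFC 6052 addresses).  Added
example, not code from the workshop or any Cisco product: translate a TCP/UDP
packet from IPv4 to IPv6 and back using the well-known prefix 64:ff9b::/96 for
both endpoints (the single-/96 case, a simplification), decrementing TTL/hop limit
and recomputing the transport checksum that the changed pseudo header invalidates.
Fragments, extension headers and ICMP are rejected, not translated.  All packets
are constructed."""
import ipaddress
import struct

WKP = ipaddress.IPv6Network("64:ff9b::/96")
TCP, UDP = 6, 17
CSUM_OFFSET = {TCP: 16, UDP: 6}


def embed(ipv4, prefix=WKP):
    """RFC 6052: the IPv4 address becomes the low 32 bits of the /96 prefix."""
    return ipaddress.IPv6Address(prefix.network_address.packed[:12] + ipaddress.IPv4Address(ipv4).packed)


def extract(ipv6, prefix=WKP):
    ipv6 = ipaddress.IPv6Address(ipv6)
    if ipv6 not in prefix:
        raise ValueError("%s is not IPv4-translatable under %s" % (ipv6, prefix))
    return ipaddress.IPv4Address(ipv6.packed[12:])


def ones_complement(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_v4(src, dst, proto, length):
    return src.packed + dst.packed + struct.pack("!BBH", 0, proto, length)


def pseudo_v6(src, dst, nh, length):
    return src.packed + dst.packed + struct.pack("!IBBBB", length, 0, 0, 0, nh)


def fix_l4_checksum(payload, proto, pseudo):
    """Recompute the TCP/UDP checksum over the new pseudo header (RFC 6145 sections 4.5 and 5.5)."""
    off = CSUM_OFFSET[proto]
    csum = ones_complement(pseudo + payload[:off] + b"\x00\x00" + payload[off + 2:])
    if proto == UDP and csum == 0:
        csum = 0xFFFF                           # a zero UDP checksum is not allowed over IPv6
    return payload[:off] + struct.pack("!H", csum) + payload[off + 2:]


def v4_to_v6(pkt, prefix=WKP):
    vihl, tos, total, _, flags_off, ttl, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4 or proto not in CSUM_OFFSET or ttl <= 1 or flags_off & 0x3FFF:
        return None                             # not IPv4, unsupported protocol, expired, or a fragment
    payload = pkt[(vihl & 0xF) * 4:total]
    src, dst = embed(ipaddress.IPv4Address(s), prefix), embed(ipaddress.IPv4Address(d), prefix)
    payload = fix_l4_checksum(payload, proto, pseudo_v6(src, dst, proto, len(payload)))
    return struct.pack("!IHBB", (6 << 28) | (tos << 20), len(payload), proto, ttl - 1) + src.packed + dst.packed + payload


def v6_to_v4(pkt, prefix=WKP):
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6 or nh not in CSUM_OFFSET or hlim <= 1:
        return None                             # extension headers (fragments included) are not handled
    try:
        src, dst = extract(pkt[8:24], prefix), extract(pkt[24:40], prefix)
    except ValueError:
        return None                             # stateless translation needs IPv4-translatable addresses
    payload = fix_l4_checksum(pkt[40:40 + plen], nh, pseudo_v4(src, dst, nh, plen))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, (vtf >> 20) & 0xFF, 20 + plen, 0, 0x4000, hlim - 1, nh, 0, src.packed, dst.packed)
    return hdr[:10] + struct.pack("!H", ones_complement(hdr)) + hdr[12:] + payload    # DF set, RFC 6145 section 5.1


def checksums_ok(pkt):
    """True when the IPv4 header checksum (if any) and the TCP/UDP checksum both verify."""
    if pkt[0] >> 4 == 4:
        ihl, total, proto = (pkt[0] & 0xF) * 4, struct.unpack("!H", pkt[2:4])[0], pkt[9]
        src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
        return ones_complement(pkt[:ihl]) == 0 and ones_complement(pseudo_v4(src, dst, proto, total - ihl) + pkt[ihl:total]) == 0
    plen, nh = struct.unpack("!H", pkt[4:6])[0], pkt[6]
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    return ones_complement(pseudo_v6(src, dst, nh, plen) + pkt[40:40 + plen]) == 0


def make_ipv4(src, dst, proto, payload, ttl=64):
    """Constructed IPv4 packet with both checksums filled in."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, ttl, proto, 0, s.packed, d.packed)
    hdr = hdr[:10] + struct.pack("!H", ones_complement(hdr)) + hdr[12:]
    return hdr + fix_l4_checksum(payload, proto, pseudo_v4(s, d, proto, len(payload)))


def make_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
```

The returned None cases are where a real translator has to do more work: a fragment needs the fragment header mapped across, an expired TTL/hop limit needs an ICMP time-exceeded sent back, and an IPv6 source outside the translation prefix is exactly the case that pushes a deployment from stateless to stateful NAT64.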

Page 103: IPv6 workshop-tm-gd-vA

•  IP-MIB & IP-FORWARD-MIB cover IPv4; CISCO-IETF-IP-MIB & CISCO-IETF-IP-FORWARDING-MIB add IPv6
•  Protocol Version Independent (PVI) MIBs manage the same OIDs for both versions (RFCs 4292, 4293)
•  Syslog must be able to receive 1180-byte messages; there is no ack and no retransmission facility
•  NetFlow, Deep Packet Inspection and IP SLA all work with IPv6

Page 104: IPv6 workshop-tm-gd-vA

Phased deployment
•  Core-to-access: gain experience with v6
•  Turn up your servers: enable the experience
•  Access-to-core: securing and monitoring
•  Internet edge: business continuity

[Diagram: servers, branch access, WAN, campus core, access layer, and the Internet edge with two ISPs]

Page 105: IPv6 workshop-tm-gd-vA

Section divider: Summary

Page 106: IPv6 workshop-tm-gd-vA

•  Address spoofing (-> uRPF, ACLs) [IOS, ASA]
•  Neighbor Discovery attacks (NS, NA, RS, RA, Redirect, ...) (-> First Hop Security, RA Guard, ND Inspection, SeND, ACL, IPv6 inspects) [Catalyst, ASA]
•  Routing Header (RH0) source-routing-like attacks (-> no ipv6 source-route before 12.4(15)T, blocked by default since; blocked on ASA by default) [IOS, ASA]
•  Extension header (e.g. fragmentation) games (-> ACLs, e.g. deny ipv6 any any undetermined-transport) [IOS, ASA, Catalyst]
•  DHCP attacks (-> DHCP authentication, PACL) [IOS, ASA, Catalyst]
•  Transition technology (6to4, Teredo, ISATAP, etc.) attacks (-> ACL, disabled on device, enable IPv6) [IOS, ASA, IPS]
•  Smurf attack (-> uRPF) [IOS, ASA]
•  Routing protocol attacks (-> authentication) [IOS, ASA]
•  ... and more. To be continued... have fun defending them.

Page 107: IPv6 workshop-tm-gd-vA

•  WWW.CISCO.COM/GO/IPv6
•  Cisco Live!: www.ciscolive365.com

Page 108: IPv6 workshop-tm-gd-vA

A phased-plan approach for successful IPv6 adoption (Cisco Services)
•  IPv6 Assessment Service: determine how your network needs to change to support your IPv6 strategy
•  IPv6 Discovery Service: guidance in the early stages of considering a transition to IPv6
•  IPv6 Planning and Design Service: designs, transition strategy, and support to enable a smooth migration
•  IPv6 Implementation Service: validation testing and implementation consulting services
•  Network Optimization Service: absorb, manage, and scale IPv6 in your environment

Page 109: IPv6 workshop-tm-gd-vA

•  Gain operational experience now
•  Security enforcement is possible
•  Control IPv6 traffic as you would IPv4
•  Plan, Prepare, Preserve, Prosper
•  "Poke" your providers
•  IPv6 is here now, are you?


Page 111: IPv6 workshop-tm-gd-vA

Recap (closing collage slide)
•  Your host: IPv4 is protected, IPv6 is enabled by default. Your network: does not run IPv6. Your assumption: "I'm safe". Reality: you are not safe (Linksys?). Time to enable IPv6 in your network
•  "The Hacker's Choice" THC IPv6 Attack Toolkit v2.0
•  End nodes compromised by a default-configuration flaw in IPv6
•  Address format: GGGG:GGGG:GGGG:SSSS:HHHH:HHHH:HHHH:HHHH = global /48, subnet, host /64
•  Internet of Everything: an increasing number of non-PC devices connecting to the Internet; Cisco's core expertise is IP
•  Co-existence: dual stack, ISATAP and other Internet tunnels, translation (NAT64), LISP
•  DHCPv6 steering from the router: ipv6 nd managed-config-flag, ipv6 nd other-config-flag
•  First Hop Security: RA Guard, DHCPv6 Guard (core); Source Guard, Destination Guard (advanced); RA Throttler, ND Mcast Suppress (scalability & performance)
•  Tech Tip*: an IPv6 access list on an interface must still let Neighbor Discovery through
   permit icmp any any nd-na
   permit icmp any any nd-ns
   deny ipv6 any any log
