
Page 1: © 2005 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems. Security Implications of IPv6 Michael H. Warfield
Page 2: Security Implications of IPv6

Michael H. Warfield

Page 3: IPv6 Overview

• Expands addresses to 128 bits
• Formalized address boundaries
• IPSec (backported to IPv4 some time ago)
• Quality of Service (QoS) typing
• Stateless and stateful autoconfiguration
• Dynamic address renumbering
• Transition tunnels and translators
• Robust resistance to brute force scanning
• No broadcast addresses

Page 4: Paradigm Shift

• Contrary to popular belief, IPv6 is NOT merely IPv4 with fat addresses
• IPv4 allocations were a paradigm of scarcity
– Dense allocations to optimize utilization
• IPv6 allocations are a paradigm of bounty
– Sparse allocations to optimize versatility
• Best practices in IPv4 may not be best practices in IPv6
• Best practices for IPv6 may not have been best practices for IPv4
• Even if IPv6 were IPv4 with fat addresses (which it's not), it couldn't be run like IPv4 because of the paradigm change

Page 5: IPv6 Code Stability

• IPv6 has been around for many years
• IPv6 is still under development
• IPv6 will have new bugs that don't exist in IPv4
• Few bugs derive exclusively from the IP layer
• Few vulnerabilities derive exclusively from the IP layer
• A lot of IPv6 is very similar to IPv4
• Lessons learned in IPv4 give IPv6 a better start
• OpenBSD had an IPv6 specific DoS bug
• Cisco had IPv6 based router vulnerabilities
• Windows XP was vulnerable to "land" on IPv6

Page 6: Some IPv4 Guesstimates

• IPv4 host addresses – 4 billion (0.0.0.0 - 255.255.255.255)
• IPv4 networks (pure guesswork)
– If all of IPv4 space were /24 nets - 16 million
– If all allocated space were /24 nets - ~4-8 million
– Estimate of broadband and DSL accounts - 20 million
» Some have networks, some don't
» Some have NAT routers, some have real networks
– Best wild guess – 4 million to 20 million
» (Reality check – probably less than 4 million)
• IPv4 core routes (from BGP 5/2006) – 181,000
• Routable IPv4 unicast addresses – 1.51 billion

Page 7: Some Current IPv6 Statistics

• IANA sub-TLA assignments to RIRs (/23)
– Now replaced by variable-size "global unicast address blocks"
– Multiple /20 and /19 assignments to RIRs to meet demand
– http://www.iana.org/assignments/ipv6-unicast-address-assignments
• IPv6 core routes (from BGP 5/2006) ~640
– Global IPv6 only (2000::/16 - 2fff::/16)
– Not counting 6Bone (3ffe::/16) (due to retire in 6/2006)
– Not counting 6to4 (2002::/16) routes (4 billion /48 networks)
– Not counting Teredo routing (2001:0::/32)
• Routable IPv6 /48 networks – 1.65 billion

Page 8: Transition Mechanisms

• Intended to promote IPv6 adoption and interoperability
• Compatibility addresses aid IPv4 – IPv6 communications
• SIT (Six in Tunnel) / 6in4
• 6to4 automatic SIT tunnels
• 6over4
• IPv6 over UDP in various encapsulations
• Proxy services and protocol bouncers
• DSTM and 4in6 provide reverse transition support
• Translators (NAT-PT, TRT)

Page 9: 6in4 / SIT Tunnels

• Simple Internet Transition / Six In Tunnel
• Protocol 41 (IPv6) in IPv4
• Basis for several IPv6 tunnel schemes
– Static SIT tunnels use preconfigured endpoints
– Tunneling at the heart of ISATAP routed addresses
• Can pass "many" IPv4 NAT devices (proto 41 forwarding)
– Not reliable and not preferred over NAT
• Most tunnel brokers provide IPv6 through SIT tunnels
– Some (OCCAID, Hurricane Electric) only provide 6in4 tunnels
• 6to4 provides autoconfigured 6in4 tunnels
– 2002::/16 prefix
– Assigns a /48 IPv6 network to every IPv4 address!
– No tunnel brokers or static configuration required

Page 10: Teredo / Shipworm

• IPv6 over UDP (default - port 3544/udp)
• Intended to provide IPv6 tunnels over IPv4 NAT devices
• Both endpoints may be NATed and/or firewalled!
– Can bypass most firewalls (uses outbound UDP sockets)
– Uses a robust NAT traversal similar to STUN (RFC 3489)
– Provides peer-to-peer IPv6 connectivity for clients over NAT devices
• Clients require a Teredo server and relay on public IPv4
• Teredo servers carry no production traffic
• Teredo relays are currently advertised in BGP
• Miredo project provides Teredo support on Linux and FreeBSD
• IANA assigned address prefix 2001:0::/32
• IETF Standard RFC 4380

Page 11: Other IPv6 over UDP Transports

• UDP based transports work well over IPv4 NAT
– Also bypass most firewalls – including stateful firewalls
– Some may be "STUN" enabled
• TSP - Tunnel Setup Protocol (3653/udp)
– Promoted by FreeNet6 / Hexago
– Also used with 4in6 for DSTM
– Still an IETF draft
• AICCU - Automatic IPv6 Connectivity Client Utility (8374/udp)
– SixXS in Europe
• OpenVPN (1194/udp v2 – 5100/udp v1)
– Used by the German "Join" project as an IPv6 tunnel broker
– Uses ESPinUDP (IPSec NAT-T) encapsulation
– Directly tunnels IPv6 in IPv4 without additional tunneling layers

Page 12: Other Transports

• IPv6 can be transported over anything that transports IPv4.
• PPP – native, or tunneled over IPv4 using 6in4
• IPSec / IPSec NAT-T
– Encrypted tunnel
– Encapsulation and transport of IPv6 over IPv4 using 6in4
– NAT-T provides a further UDP transport, but provides no STUN support (yet)
• 6over4 - Uses IPv4 multicast
• ISATAP - Complex setup using 6in4 - Large enterprises
• Generic Routing Encapsulation (GRE)
– IPv6/4 over IPv4
– IPv4/6 over IPv6

Page 13: Transports of Ill Repute

• Ping Tunnel
– Tunneling over ICMP Echo / Echo Reply
• Htunnel (tunnel over HTTP, including proxies)
• TCPtunnel
– Covert channel in TCP header bits
• Covert Channel Tunneling Tool (CCTT)
– Brings several covert tunneling encapsulations under one roof
– Tunneling over ICMP
– Tunneling over HTTP
– Tunneling over DNS
– Tunneling over NTP

Page 14: The Internet Underground

• Elite are already active on IPv6
• IPv6 only IRC channels
• IPv6 only FTP sites
• IPv6 only Web sites
• Many IRC bots have IPv6 patches
• IPv6 has been used for communications tunnels
• IPv6 can be used to hide backdoors
• IPv6 can be used to bypass firewalls
• IPv6 can enable end to end peer to peer connectivity
– Even when all clients are behind NAT
– Using 3rd party STUN or Teredo servers
– Public servers carry no "malicious traffic"

Page 15: EUI - Extended Unique Identifier Field

• Lower 64 bits of an IPv6 address
• Local "host" field on an IPv6 /64 subnet
• EUI-64 derived from interface MAC addresses
– Remains constant across subnets
– Potential privacy issues
• Privacy-enhanced addresses generated randomly
– Can change at varying intervals over time
– Hard to track and diagnose
• Random server addresses
– Use DNS to track server address changes
• Cryptographic client addresses
• May be derived from an IPv4 address in transition tunnels

Page 16: Well Known EUI Addresses

• 6to4 addresses (bad defaults)
– Linux: 2002:{IPv4}::1
– Windows: 2002:{IPv4}::{IPv4}
• Teredo host addresses are predictable (based on IPv4)
– Contain both the Teredo server address and the client IPv4 address
• May be useful as "dummy" addresses and client addresses
• Router defaults
– Trivial EUI addresses
– Static configurations
• Service addresses (DNS servers)
• Site-Level Aggregators (SLA)
– Subnet allocation scheme
• Easy to guess means easy to scan
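The identifier schemes on this page and the previous one each leak something different, and when a site numbers hosts trivially a scanner only needs a short candidate list instead of a /64 sweep (the caveat the Scanning IPv6 page ends on). The following is an added example in Python, not code from the deck: it classifies an address by how its low 64 bits were formed (Teredo, 6to4, ISATAP, MAC-derived EUI-64, trivial, IPv4 in the identifier, or random), recovers the embedded MAC or IPv4 details, computes the two 6to4 "bad default" host addresses for a given IPv4 address, and enumerates the guessable hosts of a /64. All sample addresses are constructed from documentation ranges; the function and field names are the example's own.

```python
"""Classify an IPv6 address by how its interface identifier (the low 64 bits,
the EUI field above) was formed, recover whatever it embeds, and list the
easy-to-guess addresses of a /64.  Added example, not code from the deck; the
sample addresses are constructed from documentation ranges."""
import ipaddress

TEREDO = ipaddress.IPv6Network("2001::/32")       # RFC 4380
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056


def classify(addr: str) -> dict:
    """Return the kind of interface identifier and the data it leaks."""
    a = ipaddress.IPv6Address(addr)
    raw, iid = a.packed, a.packed[8:]
    host = int.from_bytes(iid, "big")
    if a in TEREDO:
        # bits 32-63 server IPv4; bit 64 cone flag; bits 80-95 client port XOR
        # 0xffff; bits 96-127 client public IPv4 XOR 0xffffffff
        return {"kind": "teredo",
                "server": str(ipaddress.IPv4Address(raw[4:8])),
                "cone": bool(raw[8] & 0x80),
                "port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
                "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16])))}
    if a in SIX_TO_FOUR:
        # 2002:{IPv4}::/48; the host part reveals which stack built it
        v4 = int.from_bytes(raw[2:6], "big")
        default = "linux" if host == 1 else "windows" if host == v4 else None
        return {"kind": "6to4", "ipv4": str(ipaddress.IPv4Address(v4)), "default_host": default}
    if iid[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        # ISATAP: ::[02]00:5efe:{IPv4}
        return {"kind": "isatap", "ipv4": str(ipaddress.IPv4Address(iid[4:]))}
    if iid[3:5] == b"\xff\xfe":
        # modified EUI-64: ff:fe inserted into the MAC, universal/local bit flipped
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        return {"kind": "eui64", "mac": ":".join(f"{b:02x}" for b in mac)}
    if host < 0x10000:
        return {"kind": "trivial", "host": host}       # ::1, ::53, ... (static configs)
    if host >> 32 == 0:
        return {"kind": "ipv4-in-iid", "ipv4": str(ipaddress.IPv4Address(host))}
    return {"kind": "random"}                           # privacy or hand-picked address


def sixtofour_defaults(ipv4: str) -> dict:
    """The two 'bad default' 6to4 host addresses an attacker would try first."""
    n = int(ipaddress.IPv4Address(ipv4))
    base = (0x2002 << 112) | (n << 80)
    return {"linux": str(ipaddress.IPv6Address(base | 1)),
            "windows": str(ipaddress.IPv6Address(base | n))}


def guessable(prefix: str, known_ipv4s=(), max_trivial: int = 256) -> list:
    """Candidate hosts in a /64 when addresses follow trivial or IPv4-derived schemes.
    Dense, predictable numbering turns an unscannable /64 into a short list."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 subnet")
    base = int(net.network_address)
    hosts = list(range(1, max_trivial + 1))
    hosts += [int(ipaddress.IPv4Address(ip)) for ip in known_ipv4s]
    return [str(ipaddress.IPv6Address(base + h)) for h in hosts]


if __name__ == "__main__":
    for sample in ("2001:db8::1", "2001:db8::21b:21ff:fe3c:4d5e",
                   "2002:c000:201::1", "2001:0:c000:201:8000:63bf:39cc:9bf8",
                   "2001:db8::5efe:c000:201", "2001:db8::a1b2:c3d4:e5f6:7890"):
        print(sample, classify(sample))
    print(sixtofour_defaults("192.0.2.1"))
    print(guessable("2001:db8:1:2::/64", ["192.0.2.1"], max_trivial=4))
```

Only the "random" outcome gives an observer nothing: a MAC-derived identifier follows the machine across subnets, a Teredo address names its server and the client's public IPv4 and port, and a 6to4 or ISATAP address names the IPv4 endpoint the tunnel rides on. The candidate list from guessable() is the attacker's shortcut when an EUI policy is not enforced.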

Page 17: Stateless Autoconfiguration

• Allows for autoconfiguration of IPv6 addresses
• Allows for dynamic renumbering of prefixes
• Subnets may have multiple perimeter routers
– Different prefixes
– Different lifetimes
– Different preferences
• Interfaces may have multiple global addresses / EUIs
• Rogue routers may inject IPv6 routes on IPv4 nets
• Rogue routers may interfere with IPv6 routers
• Accidents DO happen (accidental router advertisements)

Page 18: Scanning IPv6

• 4 billion times harder to scan 1 IPv6 subnet than all of IPv4 (a /64 holds 2^64 addresses; all of IPv4 is 2^32)
• "Efficient" (dense) allocations == feature-rich targets
• Sparse allocations make brute force scanning impractical
– Scanning for backdoors impractical
» By attackers
» By defenders
– Scanning for proxies impractical
– Scan-based worms cannot propagate
» No more Slammer
» No more Blaster
• Cripples brute force scanning for open relays for spam
• Reduces hacker "hijack wars" and "shelling matches"
• Use of trivial address allocations can degrade this

Page 19: IPv6 and Broadcasts

• No broadcast addresses
– No local broadcast
– No directed broadcast
– No global broadcast
• Broadcast functions handled by various multicast addresses
– Multicast addresses may never be source addresses
– Some multicast addresses and functions can still have a large scope
• No more smurf amplifiers (unless source is local to subnet)
• No more broadcast scanning for nodes
• No more directed broadcast "food fights"
• No help with local broadcast DDoS zombies

Page 20: Security Through Obscurity?

• Isn't all this just security through obscurity?
– Hiding behind complex, obscure addresses
– Hiding by not allowing directed broadcasts
– Hiding behind privacy addresses
• No.... It's not security through obscurity
– Systems are not hidden, you can look them up just fine
– Systems merely cannot be scanned for using brute force
• Removes a hacking tool (brute force scanning)
• Removes a worm propagation vector
• Removes a DDoS tool (smurf)
• Makes life harder on spammers (good thing)
• Makes life harder on hacker war participants (good thing)

Page 21: IPv6 and the Anatomy of a Hack

• Basic layers in the Anatomy of a Hack
– Identify targets
– Gain access
– Acquire shell
– Elevate privilege
– Clean up traces
– Secure communications and future access
• IPv6 impacts some, but not all, layers of this model

Page 22: Identify Targets

• Brute force scanning is impractical
– Targets have to be individually chosen
• Port probes are possible once a system is identified
• Security access may be on alternate addresses
• Services may be dispersed across multiple addresses
– Security services, ssh, on unpublished addresses
– Public services, web, smtp, ftp, on published addresses
– No substitute for firewalls
• Advantage - defender

Page 23: Gaining Access

• Access to other systems may be acquired from compromised systems secured by IPv6 tunnels
• Multiple systems may be accessed and routed out through single hosts anchoring IPv6 tunnels
• Additional global routing may contribute to accessing systems behind firewalls or on private IPv4 address space
• IPv6 traffic may be detected (if you know what to look for)
• Some advantage – attacker
• Some advantage – defender

Page 24: Securing Access

• IPv6 aids in hiding backdoors
• Many IDS systems do not detect IPv6 traffic
• Many IDS systems do not detect communications tunnels
• Properly configured IDS systems can detect IPv6 traffic
• Security scanners cannot scan for IPv6 backdoors
• IPv6 is easy to set up without interfering with IPv4 operations
• Bots and malware may connect back to multiple addresses
• Advantage - attacker

Page 25: Hiding Backdoors / Securing Access

• Backdoors / servers can listen on specific IPv6 addresses
• Addresses can vary randomly with time
• Multiple addresses can hide multiple access points
• Cannot be scanned for by IPv4 scanners
• Communications may evade IPv4-only IDS
• SLA and EUI (80 bits) must be exact to connect
• Traffic can be detected by IDS and sniffers
• IPv6 can secure malicious backdoors or security access points equally well

Page 26: Firewalls

• Not all firewalls are configured to block protocol 41 by default
– (Most now are)
• IPv4 firewalls cannot see TCP or UDP inside tunnels (SIT, Teredo, ...)
• IPv6 firewalls cannot see protocol 41 (or UDP) on IPv4
• Teredo, TSP, AYIYA, and OpenVPN (UDP) can bypass firewalls
• All tunnels should terminate at the firewall or security perimeter
• Unroll all encapsulations and pass IPv6 traffic natively
• Tunnels should be prohibited from within corporate networks
• 6to4 auto tunnels should be limited to external sites / clients
• Provide an external gateway for supported tunneling protocols

Page 27: Providing IPv6

• To provide IPv6 to a network, you must support it
• Tunnels should be terminated at security perimeters (firewalls)
• 6to4 / 6in4 should be prohibited within a corporate network
• Native IPv6 should be provided within the corporate network
• Router advertisements should be monitored for anomalies
• Prefixes should be monitored for unexpected changes
• Unusual router advertisements should be investigated
• IDS systems should detect rogue routers and prefixes
• EUI policy should be defined and enforced
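The monitoring steps on this page and the rogue-router warnings on the Stateless Autoconfiguration page both come down to comparing every Router Advertisement seen on a segment with what that segment is supposed to carry. The following is an added example in Python, not code from the deck: it parses ICMPv6 Router Advertisements (RFC 4861) with their source link-layer and prefix-information options, and reports routers that are not on a site's allowlist, prefixes the subnet should not be advertising, and zero lifetimes that withdraw a router or deprecate a prefix. The allowlist and the three observed advertisements are constructed for the example; a real monitor would feed it RAs taken from a capture of traffic to the all-nodes group ff02::1.

```python
"""Check observed ICMPv6 Router Advertisements against the routers and prefixes
a subnet is supposed to have, flagging rogue routers, unexpected prefixes and
renumbering/withdrawal attempts.  Added example, not code from the deck; the
advertisements below are constructed, where a real monitor would take them
from a capture, and the expected-router table is an assumed site policy."""
import struct
import ipaddress

ND_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO = 1, 3


def parse_ra(msg: bytes) -> dict:
    """Parse an ICMPv6 RA (IPv6 header already removed); RFC 4861 sections 4.2 and 4.6."""
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a router advertisement")
    hop_limit, flags, router_lifetime = struct.unpack("!BBH", msg[4:8])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": router_lifetime, "lladdr": None, "prefixes": []}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1] * 8
        if olen == 0 or off + olen > len(msg):
            raise ValueError("malformed ND option")      # zero-length options must be rejected
        body = msg[off + 2:off + olen]
        if otype == OPT_SOURCE_LLADDR:
            ra["lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Network((body[14:30], plen), strict=False)
            ra["prefixes"].append({"prefix": str(prefix), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off += olen
    return ra


def check_ras(observed, expected_routers: dict, expected_prefixes: set) -> list:
    """observed: (router link-local source address, ICMPv6 bytes) pairs.
    expected_routers: link-local address -> MAC of each sanctioned router.
    expected_prefixes: the prefixes this subnet is allowed to advertise."""
    findings = []
    for src, msg in observed:
        ra = parse_ra(msg)
        if src not in expected_routers:
            findings.append(f"rogue router {src} (mac {ra['lladdr']})")
        else:
            if ra["lladdr"] not in (None, expected_routers[src]):
                findings.append(f"router {src} advertised from unexpected mac {ra['lladdr']}")
            if ra["router_lifetime"] == 0:
                findings.append(f"router {src} withdrawn (router lifetime 0)")
        for p in ra["prefixes"]:
            if p["prefix"] not in expected_prefixes:
                findings.append(f"unexpected prefix {p['prefix']} from {src}")
            elif p["valid"] == 0 or p["preferred"] == 0:
                findings.append(f"prefix {p['prefix']} deprecated by {src} (lifetime 0)")
    return findings


def build_ra(router_lifetime: int, lladdr: str, prefixes, flags: int = 0) -> bytes:
    """Construct an RA with a source link-layer option and prefix-information options (checksum zero)."""
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    msg += bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    for prefix, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, valid, preferred, 0)
        msg += net.network_address.packed
    return msg


# Assumed site policy and constructed observations (documentation addresses and MACs)
EXPECTED_ROUTERS = {"fe80::1": "00:00:5e:00:53:01"}
EXPECTED_PREFIXES = {"2001:db8:1:2::/64"}
OBSERVED = [
    # the sanctioned router
    ("fe80::1", build_ra(1800, "00:00:5e:00:53:01", [("2001:db8:1:2::/64", 2592000, 604800)])),
    # a host that turned itself into a 6to4 router and is advertising on the LAN
    ("fe80::200:5eff:fe00:5342", build_ra(1800, "00:00:5e:00:53:42", [("2002:c000:201:1::/64", 2592000, 604800)])),
    # the sanctioned router's address spoofed from another MAC, deprecating the real prefix
    ("fe80::1", build_ra(0, "00:00:5e:00:53:43", [("2001:db8:1:2::/64", 0, 0)])),
]

if __name__ == "__main__":
    for finding in check_ras(OBSERVED, EXPECTED_ROUTERS, EXPECTED_PREFIXES):
        print(finding)
```

The second observation is the "accidents DO happen" case: a host with 6to4 enabled advertising its own /64 will be taken up by every autoconfiguring node on the segment. The third is the deliberate variant, where an RA spoofing the legitimate router's address sets lifetimes to zero and renumbers or blackholes the subnet, which is why the check keys on the source MAC as well as the source address.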

Page 28: Avoiding IPv6

• To avoid having IPv6 on a network, you must support it
• Tunneling protocols and transports should be blocked
– At all security perimeters
– At routers and subnet boundaries
– All tunneling protocols must be recognized
• IDS / IPS systems should monitor for IPv6 link protocols
– Neighbor discovery
– Router advertisements
• NIDS systems should detect IPv6 – native and tunneled
– Unroll all encapsulated traffic to get at core protocols
– Watch for encrypted encapsulations
• Host systems should be monitored for IPv6
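Both the "unroll all encapsulations" advice on the Firewalls page and the NIDS point above need an inspection point that can look through an IPv4 tunnel to the IPv6 transport inside it. The following is an added example in Python, not code from the deck or from any product: it takes a raw IPv4 packet, recognises 6in4 (protocol 41), GRE carrying IPv6, and Teredo on UDP 3544 (skipping the optional Teredo authentication and origin-indication headers), walks the inner IPv6 extension headers, and returns the inner addresses, protocol and ports. The sample packets are built by hand from documentation addresses with zero checksums; the helper names are the example's own.

```python
"""Unroll IPv4-carried IPv6 tunnels (6in4 / protocol 41, Teredo on UDP 3544,
GRE) down to the inner IPv6 transport header, so an inspection point that only
understands IPv4 can see what a tunnel actually carries.  Added example, not
code from the deck or any product; the sample packets are constructed by hand
from documentation addresses."""
import struct
import ipaddress

PROTO_TCP, PROTO_UDP, PROTO_IPV6, PROTO_GRE = 6, 17, 41, 47
TEREDO_PORT = 3544
ETHERTYPE_IPV6 = 0x86DD
VARIABLE_EXT = {0, 43, 60}   # hop-by-hop, routing, destination options: length in 8-octet units minus 1
FRAGMENT_EXT = 44            # always 8 octets


def _ipv6_transport(pkt: bytes) -> dict:
    """Parse an IPv6 packet and walk its extension headers to the transport layer."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    info = {"inner_src": str(ipaddress.IPv6Address(pkt[8:24])),
            "inner_dst": str(ipaddress.IPv6Address(pkt[24:40]))}
    while nxt in VARIABLE_EXT or nxt == FRAGMENT_EXT:
        if len(pkt) < off + 8:
            raise ValueError("truncated extension header")
        this, nxt = nxt, pkt[off]
        off += 8 if this == FRAGMENT_EXT else (pkt[off + 1] + 1) * 8
    info.update(proto=nxt, sport=None, dport=None)
    if nxt in (PROTO_TCP, PROTO_UDP) and len(pkt) >= off + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[off:off + 4])
    return info


def _strip_teredo(payload: bytes) -> bytes:
    """Skip the optional Teredo authentication and origin-indication headers (RFC 4380 section 5.1)."""
    if payload[:2] == b"\x00\x01":              # authentication: id-len, au-len, id, auth, nonce(8), confirm(1)
        id_len, au_len = payload[2], payload[3]
        payload = payload[4 + id_len + au_len + 9:]
    if payload[:2] == b"\x00\x00":              # origin indication: obscured port and IPv4
        payload = payload[8:]
    return payload


def unroll(pkt: bytes) -> dict:
    """Identify the tunnel type of an IPv4 packet and return the inner transport details."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto, body = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    outer = {"outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
             "outer_dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    if proto == PROTO_IPV6:
        return {"encap": "6in4", **outer, **_ipv6_transport(body)}
    if proto == PROTO_GRE and len(body) >= 4:
        flags, ptype = struct.unpack("!HH", body[:4])
        if ptype == ETHERTYPE_IPV6:             # optional checksum / key / sequence fields
            hdr = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
            return {"encap": "gre", **outer, **_ipv6_transport(body[hdr:])}
    if proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        if TEREDO_PORT in (sport, dport):
            inner = _strip_teredo(body[8:])
            if inner and inner[0] >> 4 == 6:
                return {"encap": "teredo", **outer, **_ipv6_transport(inner)}
    return {"encap": None, **outer, "proto": proto}


# --- constructed sample packets (checksums left zero; not needed for parsing) ---
def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def ipv6(nxt, src, dst, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


SAMPLE_PLAIN = ipv4(PROTO_TCP, "192.0.2.10", "198.51.100.1", tcp_syn(1234, 80))
SAMPLE_6IN4 = ipv4(PROTO_IPV6, "192.0.2.10", "198.51.100.1",
                   ipv6(PROTO_TCP, "2001:db8::10", "2001:db8::1", tcp_syn(40000, 22)))
_teredo_inner = (b"\x00\x00\x63\xbf\x39\xcc\x9b\xf8"            # origin indication header
                 + ipv6(PROTO_TCP, "2001:0:c000:201:8000:63bf:39cc:9bf8", "2001:db8::1", tcp_syn(50000, 6667)))
SAMPLE_TEREDO = ipv4(PROTO_UDP, "198.51.100.7", "192.0.2.1",
                     struct.pack("!HHHH", 40000, TEREDO_PORT, 8 + len(_teredo_inner), 0) + _teredo_inner)
SAMPLE_GRE = ipv4(PROTO_GRE, "192.0.2.10", "198.51.100.1",
                  struct.pack("!HHI", 0x2000, ETHERTYPE_IPV6, 42)       # key bit set, 4-byte key
                  + ipv6(PROTO_UDP, "2001:db8::10", "2001:db8::53", struct.pack("!HHHH", 5353, 53, 8, 0)))

if __name__ == "__main__":
    for name, pkt in [("plain", SAMPLE_PLAIN), ("6in4", SAMPLE_6IN4), ("teredo", SAMPLE_TEREDO), ("gre", SAMPLE_GRE)]:
        print(name, unroll(pkt))
```

The Teredo sample is an IPv6 TCP connection to port 6667 (IRC) from a host behind NAT; to an IPv4-only firewall it is one outbound UDP flow. Tunnels run inside IPsec or OpenVPN stay opaque to this kind of inspection, which is why the deck's advice is to terminate sanctioned tunnels at the perimeter and block the rest rather than rely on unrolling alone.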

Page 29: Ignoring IPv6

• If you don't provide or prevent IPv6, you will have IPv6
– You won't control it
– You won't recognize it
– You won't be managing it
– It will still be globally addressable
– It will still be fully routable (independent of IPv4 routing)
– Others will be providing IPv6 routes and routers, not you
• Others providing IPv6 will not have your best interest at heart
– Users bypassing restrictions
– Intruders securing backdoors

Page 30: Conclusion

• IPv6 carries a number of advantages
– Improved addressing
– Improved security
– Improved routing
• IPv6 advantages can be used against networks
– Backdoors hidden
– Communications channels hidden
– Security mechanisms bypassed
• IPv6 is easier and cheaper to provide than prevent
• Time for ignoring IPv6 is past
• Time for understanding and using IPv6 is now

Page 31: And he didn't even know it was IPv6 enabled...

Page 32: Security Implications of IPv6

Michael H. Warfield