Fernando Gont
Knockin' on IPv6 Doors
Hack In Paris 2018Paris, France. June 25-29, 2018
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
About...
● Security Researcher and Consultant at SI6 Networks● Published:
● 30 IETF RFCs (10+ on IPv6)● 10+ active IETF Internet-Drafts
● Author of the SI6 Networks' IPv6 toolkit● https://www.si6networks.com/tools/ipv6toolkit
● More information at: https://www.gont.com.ar
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
How I lost my voice :-)
Congreso de Seguridad en Computo 2011 4Hack in Paris 2018Paris, France. June 25-29, 2018
© 2018 SI6 Networks. All rights reserved
Introduction
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
So... what is this “IPv6” thing about?
● It addresses the problem of IPv4 address exhaustion● Employs 128-bit addresses (vs. IPv4's 32-bit addresses)● Provides the same service as IPv4● It is not backwards-compatible with IPv4
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
So... what is this “IPv6” thing about? (II)
● For every domain name, the DNS may contain ● A resource records (IPv4 addresses)● AAAA (Quad-A) resource records (IPv6 addresses)
● Hosts may query for A and/or AAAA resource records according different criteria
● Based on a number of factors, IPv6 and/or IPv4 could be employed
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
Deployment: Current state of affairs
Congreso de Seguridad en Computo 2011 8Hack in Paris 2018Paris, France. June 25-29, 2018
© 2018 SI6 Networks. All rights reserved
IPv4/IPv6 Security Polices
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
IPv4/IPv6 Security Policies
● IPv6 and IPv4 are two different network-layer protocols● Such policies are typically configured independently of each other
● No unified rules for both network protocols● Very prone for policy mismatches
● Security policies are expected to be the same for both protocols● But...are they?
Congreso de Seguridad en Computo 2011 10Hack in Paris 2018Paris, France. June 25-29, 2018
© 2018 SI6 Networks. All rights reserved
Our Experiment
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
What we did
● Study the filtering policies for different types of nodes:● Web servers● Name servers● Mail servers● Routers
● For different types of organizations● Companies● Non-profits● Educational
● Compare the policies for IPv4 and IPv6
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
Some specific questions to be answered
● What's the typical number of addresses in IPv4 vs. IPv6?● Are there mistmatches in the security policies for...
● different IPv4 addresses?● different IPv6 addresses?● IPv4 vs. IPv6 addresses?
● Are IPv6 security policies...● stricter or more relaxed than those IPv4?● or are them just different?
Congreso de Seguridad en Computo 2011 13Hack in Paris 2018Paris, France. June 25-29, 2018
© 2018 SI6 Networks. All rights reserved
Identifying Targets
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
Leveraging search engines
● script6 of SI6 Networks' IPv6 Toolkit leverages "Bing"
● Simple implementation:● Specify site● Iterate through results pages● Use letters and/o numbers in search string to shield different results
● Example:
script6 get-bing navy.mil
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
Leveraging search engines (II)
● Results improve with the help of a dictionary● Example:
script6 get-bing-dict navy.mil english.dic
Congreso de Seguridad en Computo 2011 19Hack in Paris 2018Paris, France. June 25-29, 2018
© 2018 SI6 Networks. All rights reserved
Results
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
Typical number of addresses per domain
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
Policy mismatches across address families
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
Open ports on IPv4/IPv6 (cumulative)
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
Open ports (differential)
25Hack in Paris 2018Paris, France. June 25-29, 2018
© 2018 SI6 Networks. All rights reserved
Conclusions
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
Some conclusions
● There's a significant mistmatch beween IPv4 and IPv6 security policies
● Previous studies suggested that fewer controls were enforced on IPv6
● Ours suggest that IPv4 and IPv6 policies are just different● there are also minor mistmatches between different IPv6 addresses!
27Hack in Paris 2018Paris, France. June 25-29, 2018
© 2018 SI6 Networks. All rights reserved
Questions?
© 2018 SI6 Networks. All rights reservedHack in Paris 2018Paris, France. June 25-29, 2018
Thanks!
Fernando Gont
IPv6 Hackers mailing-listhttp://www.si6networks.com/community/
www.si6networks.com