October 20, 2014 Leave a Comment
Avatar
Perspectives

IPv6 First-Hop-Security

If you’ve worked with networking sometime in the last decade, I’m sure you’ve heard of this thing called IPv6. IPv6 has been around for quite a while, but it seems to be growing increasingly more popular as of late.
My focus on this article will be some of the challenges with security and IPv6, primarily those that Cisco IPv6 First-Hop-Security (FHS) solves.

Several times I’ve found myself looking at the network traffic traversing a customer’s network, asking if they use IPv6.
Unfortunately, most of the times the answer is no, even though I can see the Link-local and multicast addresses flying by my screen.
When I proceed to ask if they’ve added any security measurements in the network to protect against IPv6 attacks, the answer is mostly: “Why would we need any IPv6 security if we don’t use IPv6”?

The statement I’ll be trying to relay with this article is that even though your network isn’t using IPv6 (yet), you still need to address these issues, and when you do start to use IPv6, what do you need to think about, security-wise.
Both IPv6 and IPv4 are subject to attacks, but most of them can be mitigated with some simple steps.
The hardest part seems to be awareness.


Powered by Verint: Conduct your own online surveys I’ll include two feasible scenarios which will show three different attacks that are inherent to the IPv6 protocol. These attacks and solutions also have their IPv4 counterparts. As a rule of thumb, if you’re using any security measurements on your LAN for IPv4 (which you should), you’ll need to secure IPv6 as well. I’ll try to keep the discussion on a high-level overview, but the following terms might benefit from some explanation before we proceed:

  • Neighbor Discovery Protocol (NDP/ND – RFC4861) is a protocol used for a number of things in IPv6. For example; determine the link-layer address of other hosts on the same link; check for duplicate addresses in the network. It is also used by SLAAC described next.
  • Stateless Address Autoconfiguration (SLAAC – RFC 4862) is basically a method for IPv6 hosts to receive an IPv6 prefix from an IPv6 Router that they can use to generate their own unique IPv6 address.
  • Recursive DNS Server (RDNSS – RFC6106) is a fairly new feature which adds an option to the ICMPv6 Router Advertisement, so that the hosts can automatically receive a DNS server with the other information required for the IPv6 auto-configuration.
  • ICMPv6 defines some new packet types to be used for different functions in the network:
  • Neighbor Solicitation (NS): Used to request link-layer information from an IPv6 neighbor on the link.
  • Neighbor Advertisement (NA): Used to respond to a NS message.
  • Router Solicitation (RS): Used by a host to locate IPv6 routers on the link.
  • Router Advertisement (RA): Used by routers to advertise IPv6 information, and to respond to RS messages.

Scenario 1 Let me start off with a common scenario. Company A is using IPv4-only in their network, the company doesn’t see the need for IPv6 because they have no shortage of IPv4 addresses because of RFC1918 and NAT, IPv6 is therefore ignored on this network. This also means that none of the company’s workstations have IPv6 support disabled. (Sounds familiar yet?) The Operating System (OS) in use on the company workstations will prefer using IPv6 if available, and does support both SLAAC and RDNSS. Basically, this means that the workstations will automatically try look for an IPv6 capable router that can provide an IPv6 prefix. This prefix can then be used by the workstation to generate their own global IPv6 unicast address. The simple network below addresses the issue where an attacker uses IPv6 to put himself in the middle of the traffic flow from the user to internal corporate services, or the Internet.

Business Critical Services

This attack consist of 4 simplified steps

  • The user’s workstation is looking for an IPv6 capable router that can provide an IPv6 address. The router is not IPv6 capable, so it discards the request.
  • The attacker receives the request (ICMPv6 RS) and responds with a prefix and claiming to be router for which the client can use to send its traffic (ICMPv6 RA).
  • The client has both IPv4 and IPv6 addresses, it prefers using IPv6 and sends legitimate data towards the “router” with the highest preference, i.e. the attacker.
  • The attacker can now capture traffic, manipulate the sending or receiving traffic, and translate the IPv6 traffic into IPv4 traffic using its own legitimate IPv4 address on the network.

A different approach the attacker could do is to use the RDNSS to manipulate the DNS requests, pointing the user to a malicious server, or black-hole traffic causing Denial-Of-Service. There have also been cases where IPv6 nodes have been flooding the network with ICMPv6 RA, inadvertently causing a Denial-Of-Service situation.

Powered by Verint survey software

The point I’m trying to convey with this scenario is that even though this company isn’t even thinking of using IPv6, and are most likely unaware of this vulnerability, most modern OS today prefer using IPv6 if available. And mind you, there are attack tools designed to take advantage of this, and other IPv6 related security issues.

The exact solution to this example is simple, and it’s something I’ve started to implement on all new network equipment I set up: RA Guard.
A different approach is to disable IPv6 on all hosts, but this might be difficult to implement and verify. Plus, you probably need to start using IPv6 eventually, maybe sooner than you think?
In fact, some OS vendors actually require IPv6 to be enabled, to maintain proper operation.

Scenario 2
Company B has seen the light and implemented IPv6 to some degree. They are now running dual-stack on most of their hosts, but no security measurements exists besides static IPv6 access-lists on their edge firewall. (Well, it’s a start right?)

The IPv6 attacker from Company A is back, and this time he is trying to take down the poor router in the network.
In this attack, the attacker is trying to exhaust the memory on the unit. The attack consist of sending traffic to every legitimate IPv6 addresses in a /64 network (or several), causing the router to send ICMPv6 Neighbor Solicitation for the IPv6 addresses. Eventually the routers neighbor cache will be full and the attacker would have caused Denial-of-service on the network.

User Attacker

Here we see the attacker sending traffic to 2^64 addresses, the router has to cache these entries and eventually the cache will be full.

The good news is, Company B is using newer Cisco equipment which by default rate limits the number of Neighbor Solicitation packets in queue waiting for Neighbor Advertisement response, default 16 packets. Therefore, this particular attack won’t do Company B any harm.

The attacker then moves on to a different approach, taking advantage of the duplicate address detection feature in IPv6.
The attacker is now listening for all possible solicited node multicast addresses, and every time a client is trying to claim an IPv6 address, the attacker responds with Neighbor Advertisement, telling the client that the address is already in use.

User Attacker1

With this attack none of the IPv6 clients will be able to generate their own global unicast IPv6 address. Solution: ND Inspection
This feature inspects the ICMPv6 NA packet and makes sure the IPv6 address is correct and is actually owned by the host claiming it.

Conclusion
As you can imagine, the number of attacks that can be leveraged on both IPv4 and IPv6 is pretty high. Using dual stack requires you to secure both IPv6 and IPv4.

Whether you already have IPv6 in your network, planning to implement IPv6 soon, or not using IPv6 at all, there are some concerns that needs to be addressed if you want your network to be secure.
This article focused mostly on LAN security, so-called First Hop Security, but there are other parts of your network that needs securing as well. For example: routing protocol(s), control-plane and management-plane.

A few other attack types that is worth mentioning in regards to LAN security:

  • NA Spoofing
    Attacker is claiming to be a different host by responding to a Neighbor Solicitation with its own link-layer address.
    Equivalent to ARP spoofing
  • Router Discovery poison
    The attacker is spoofing a RA from a legitimate router changing the lifetime of the RA entry, after the lifetime for the legitimate router has been expired, the attacker sends its own RA which causes the client to send all traffic towards the attacker.
  • DHCPv6 Spoofing
    The attacker sets up a rogue DHCPv6 server which can provide both illegitimate and legitimate IPv6 addresses, depending on the goal of the attacker.
  • Reconnaissance attack using IPv6 Multicast addresses
  • IPv6 address spoofing
    Attacker is claiming to be sending from a spoofed legitimate IPv6 address.

This is by no means an exhaustive list.

I’ve already mentioned some of the security features that Cisco offers in their products, but I would strongly recommend looking more into the following tools:
ND Inspection
RA Guard
IPv6 Source Guard
DHCPv6 Snooping

SeND is especially a protocol worth mentioning.
SeND – Secure Neighbor Discovery (RFC 3972) is possible the best First Hop Security feature you can implement on your network.
SeND uses PKI certificates to validate the Neighbor Discovery Protocol messages.
The downside with this protocol is that it is generally not supported on the common OSes.

Links:
http://www.cisco.com/en/US/products/ps12961/products_ios_protocol_group_home.html
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html