IPv6 Security

Joni Julian

SouthEast Linux Fest

June 20, 2014

Who Am I?

I'm in Networking, not Security.

I'm Not Running IPv6

are you sure?

Start With IPv6

References, both PDFs:

  1. Operational Experiences with IPv6 from Louisiana State University
  2. Don't have the plaid polyester leisure suit of IPv6 networks from Infoblox at NANOG

IPv6 Security Overview

NAT Is Not Security


for further viewing


nmap -6

Host Firewall

ip6tables is a lot like iptables, and CERT has an example

hope@moose$ diff iptables.txt ip6tables.txt
< :tsm - [0:0]
< -A net-servers -s -j ACCEPT
< -A net-users -s -j ACCEPT
< -A monitors -s -j ACCEPT
< -A tsm -s -j ACCEPT
< -A tsm -s -j ACCEPT
< -A unc -s -j ACCEPT
< -A unc -s -j ACCEPT
< -A unc -s -j ACCEPT
> -A net-servers -s 2001:db8:1:100::/64 -j ACCEPT
> -A net-users -s 2001:db8:1:150::/64 -j ACCEPT
> -A monitors -s 2001:db8:1:200::/64 -j ACCEPT
> -A unc -s 2001:db8:1::/47 -j ACCEPT

Host Firewall

< -A INPUT -p icmp -j ACCEPT
> -A INPUT -p ipv6-icmp -j ACCEPT
< # TSM backups
< -A INPUT -p tcp -m state --state NEW --dport 1500:1501 -j tsm
< -A INPUT -p tcp -m state --state NEW --dport 1581:1582 -j tsm
< -A INPUT -p udp -m udp --dport 67 -j ACCEPT
> -A INPUT -p udp -m udp --dport 547 -j ACCEPT
< -A dhcp-servers -s -j ACCEPT
< -A dhcp-servers -s -j ACCEPT
> -A dhcp-servers -s 2001:db8:1:2005::1/64 -j ACCEPT
> -A dhcp-servers -s 2001:db8:1:3005::1/64 -j ACCEPT
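Review bot: the two dhcp-servers rules match far more than the intended host. `-s 2001:db8:1:2005::1/64` is masked by ip6tables to the prefix, so it is the same as `-s 2001:db8:1:2005::/64` and accepts the whole subnet; use `/128` (or no prefix length) if one server is meant. Likewise `-A INPUT -p ipv6-icmp -j ACCEPT` mirrors the IPv4 `-p icmp` catch-all, but on IPv6 it also admits Redirects and Router Advertisements from any source; narrow it to the types a host needs (the error types, echo, and Neighbor Discovery with `-m hl --hl-eq 255`) as RFC 4890 recommends.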

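As an added example (mine, not CERT's or the talk's), here is the ICMPv6 and DHCPv6 portion of a host ip6tables rule set written in ip6tables-save format, the same format as the diff above. The catch-all `-p ipv6-icmp -j ACCEPT` is replaced by the specific types a host needs (following RFC 4890), Neighbor Discovery is only accepted with hop limit 255 (a value that cannot survive a router hop), and the DHCPv6 server port is limited to link-local clients plus a listed relay. The chain policies and the relay address 2001:db8:1:2005::1 (the documentation address from the diff) are assumptions.

```text
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 a host cannot do without (RFC 4890 section 4.3.1): error messages,
# echo, and Neighbor Discovery. ND is sent with hop limit 255, so anything
# claiming to be ND with a lower hop limit has crossed a router and is dropped.
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/s -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
# MLD (130-132, 143) keeps the solicited-node multicast groups alive on
# snooping switches; queries come from the on-link router with hop limit 1.
-A INPUT -p ipv6-icmp --icmpv6-type 130 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 131 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 132 -m hl --hl-eq 1 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type 143 -m hl --hl-eq 1 -j ACCEPT
# Redirects, Router Solicitations and Node Information queries are not listed,
# so the INPUT policy drops them.
# DHCPv6 server: clients send from link-local to ff02::1:2, server port 547.
-A INPUT -p udp -s fe80::/10 --dport 547 -j ACCEPT
# A relay forwards from its own unicast address; list it with /128 rather than
# opening 547 to the world (assumed relay address, documentation prefix).
-A INPUT -p udp -s 2001:db8:1:2005::1/128 --dport 547 -j ACCEPT
COMMIT
```

Load it with `ip6tables-restore < file` and compare the counters after a `ping6 ff02::1` and a rogue `ra6` run; the RA rule still accepts advertisements from any on-link host, which is exactly why RA Guard belongs on the switch and not only in the host firewall.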

IPv6 Security Tools

bring your own duct tape because there's nothing like Security Onion (yet)

Wherein I Jump In

hope@moose$ cd /usr/local/src
hope@moose$ sudo yum install libpcap-devel   # the toolkit links against libpcap
hope@moose$ curl -O http://www.si6networks.com/tools/ipv6toolkit/ipv6toolkit-v1.5.3.tar.gz
hope@moose$ tar tf ipv6toolkit-v1.5.3.tar.gz  # list the archive before unpacking it
hope@moose$ tar xf ipv6toolkit-v1.5.3.tar.gz
hope@moose$ cd ipv6toolkit-v1.5.3
hope@moose$ less README.TXT
hope@moose$ make all                          # builds the tools in place, no install needed
hope@moose$ ls | grep 6$                      # every tool's name ends in 6
hope@moose$ cd manuals
hope@moose$ nroff -man addr6.1 | less         # read a man page without installing it

Standard Options

-i [interface]  Use the specified interface. Required if the interface isn't
                obvious by inference (think link-local multicast).

-h              Display help.

-v              Be verbose.

Address Decode

addr6: An IPv6 address analysis and manipulation tool.

addr6 -a [ipv6 address] -d

decode that IPv6 address; see also v6decode or tavian or install ipv6calc

hope@moose$ ./addr6 -a 2610:28:3090:2004::13/64 -d
inet_pton(): address not valid
hope@moose$ ./addr6 -a 2610:28:3090:2004::13 -d
hope@moose$ ./addr6 -a fe80::250:56ff:fea6:7d6f -d
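As an added example (mine, not the talk's and not SI6's addr6 code), a small Python decoder that does what `addr6 -d` does for the addresses above: classify the address, accept an optional /prefix (which addr6 rejects with the inet_pton error shown), recover the MAC embedded in a modified EUI-64 interface ID, and, for multicast groups, report the scope and the Ethernet destination address (the mapping that turns ff02::2 into 33:33:00:00:00:02). The function and table names are my own.

```python
import ipaddress

# Well-known ranges, most specific first; the first match wins.
ADDRESS_TYPES = [(ipaddress.IPv6Network(n), t) for n, t in [
    ("::1/128",       "loopback"),
    ("::/128",        "unspecified"),
    ("fe80::/10",     "link-local unicast"),
    ("fc00::/7",      "unique local unicast"),
    ("ff00::/8",      "multicast"),
    ("2001:db8::/32", "documentation"),
    ("2000::/3",      "global unicast"),
]]

# Low nibble of the second byte of a multicast address (RFC 4291 2.7).
MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                    0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def address_type(addr):
    for net, name in ADDRESS_TYPES:
        if addr in net:
            return name
    return "reserved/other"


def eui64_to_mac(addr):
    """MAC embedded in a modified EUI-64 interface ID (RFC 4291 Appendix A),
    or None if the low 64 bits are not in that form (no ff:fe in the middle)."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                      # undo the universal/local bit flip
    return ":".join("%02x" % b for b in mac)


def multicast_mac(addr):
    """Ethernet destination for an IPv6 group: 33:33 + low 32 bits (RFC 2464)."""
    return "33:33:" + ":".join("%02x" % b for b in addr.packed[12:])


def decode(text):
    """Decode 'addr' or 'addr/len' the way addr6 -d does, plus the prefix length."""
    iface = ipaddress.IPv6Interface(text)    # unlike addr6, a /prefix is accepted
    addr = iface.ip
    info = {"address": addr.compressed, "prefixlen": iface.network.prefixlen,
            "type": address_type(addr), "mac": None}
    if addr.is_multicast:
        flags, scope = addr.packed[1] >> 4, addr.packed[1] & 0x0F
        info["scope"] = MULTICAST_SCOPES.get(scope, "unassigned")
        info["transient"] = bool(flags & 0x1)   # T flag: not a well-known group
        info["mac"] = multicast_mac(addr)
    else:
        info["mac"] = eui64_to_mac(addr)        # None for static/privacy IIDs
    return info


if __name__ == "__main__":
    for a in ("2610:28:3090:2004::13/64", "fe80::250:56ff:fea6:7d6f",
              "ff02::1", "ff02::2", "2001:db8:1:100::/64"):
        print(a, decode(a))
```

Run it on the two addresses from the slide: the link-local one decodes to MAC 00:50:56:a6:7d:6f (an embedded hardware address, so it was formed by SLAAC), while the global one has a hand-assigned ::13 interface ID and yields no MAC.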

Flow Labels

flow6: A tool to perform a security assessment of the IPv6 Flow Label.

flow6 -i [interface] --flow-label-policy -d [destination] -v

Assess the flow label generation policy of the destination host for TCP (default, -P) on port 80 (default, -p).

Fragment Flood

frag6: A tool to perform IPv6 fragmentation-based attacks and to perform a security assessment of a number of fragmentation-related aspects.

frag6 -i [interface] --frag-id-policy -d [destination]

Assess the fragment ID generation policy of the destination host (predictable IDs make spoofed fragments easier to inject). Did you know that some firewalls don't apply the same rules to fragments as to whole packets? Yikes!

frag6 -i [interface] -s [source] -d [destination] -F

Frag flood! Does the host fall down? What about the router or firewall, if this traffic crosses one?


icmp6: A tool to perform attacks based on ICMPv6 error messages.

icmp6 --icmp6-packet-too-big -p ICMP6 -d [destination] --peer-addr [source] -m 1240 -v

Send an ICMPv6 "Packet Too Big" error to the destination, advertising an MTU of 1240 bytes. The error embeds a copy of a packet of the given payload type (-p ICMP6) between the destination and the peer address (labelled [source] above), so the destination's stack believes one of its own packets tripped the error and lowers its path MTU for that peer.


jumbo6: A tool to assess potential flaws in the handling of IPv6 Jumbograms.

jumbo6 -s [source] -d [destination] -P [payload size in bytes]

Send a packet carrying the Jumbo Payload Hop-by-Hop option (an IPv6 jumbogram, not an Ethernet jumbo frame) with the given payload size. See also scapy.

Neighbor Advertisements

na6: A tool to send arbitrary Neighbor Advertisement messages.

na6 -i [interface] -d [destination] -t [target, could be global unicast] -c -o

Send a Neighbor Advertisement over the specified interface from a random link-local IPv6 address and random Ethernet address to the destination IPv6 address (a link-local address, or ff02::1 for all nodes), claiming the target address, with the Solicited (-c) and Override (-o) flags set so receivers replace their existing neighbor cache entry. The tool can also flood, from different sources (--flood-sources) and/or for different targets (--flood-targets).

Node Information

ni6: A tool to send arbitrary ICMPv6 Node Information messages, and assess possible flaws in the processing of such packets.

ni6 -i [interface] --subject-ipv6 [subject IPv6 address] -d [destination] -q 2 -v

Send an ICMPv6 Node Information query to the destination address about the given subject IPv6 address, querying for node names (-q).

Neighbor Solicitation Flood

ns6: A tool to send arbitrary Neighbor Solicitation messages.

ns6 -i [interface] -s [source] -t [target] -F 100 -l -z 5 -v

Send Neighbor Solicitations out that interface from that source address for that target address: a flood (-F) of 100 packets, repeated (-l) every 5 seconds (-z).

Router Advertisements

ra6: A tool to send arbitrary Router Advertisement messages.

ra6 -i [interface] -d [destination] -D [destination MAC] --lifetime 100 -o -M 1400

Use that interface to send a Router Advertisement to the destination (think link-local, or ff02::1 for all nodes) and destination MAC, advertising the sender as a default router for 100 seconds (--lifetime), with the Other Configuration flag set (-o, get other information from DHCPv6) and an MTU option of 1400. Demonstrate why you want RA Guard, or test that it works.
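The Neighbor Advertisement that na6 sends (above) and the Router Advertisement that ra6 sends can be built and inspected without the toolkit. As an added example (mine, not the talk's or SI6's code), the Python below builds an RA with the `--lifetime 100 -o -M 1400` settings of the ra6 line and an NA with the Solicited and Override flags of the na6 line, including the ICMPv6 pseudo-header checksum, parses both back, and applies a simplified RA Guard policy. `check_ra` and the other function names are mine; a real RA Guard lives on the switch port, not on the host, and this version only decides per message whether the RA should have been accepted.

```python
import ipaddress
import struct

ICMPV6_RA, ICMPV6_NA = 134, 136          # Router Advertisement, Neighbor Advertisement
OPT_SRC_LLADDR, OPT_TGT_LLADDR, OPT_MTU = 1, 2, 5


def icmpv6_checksum(src, dst, msg):
    """One's-complement checksum over the IPv6 pseudo-header (RFC 8200 section 8.1)
    and the ICMPv6 message. Returns 0 when msg already carries a correct checksum."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(msg), 58))          # 58 = ICMPv6 next header
    data = pseudo + msg + (b"\x00" if len(msg) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _finish(src, dst, body):
    """Fill in the checksum at bytes 2-3 of a message built with it zeroed."""
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def build_ra(src, dst, lifetime, other=False, managed=False, mtu=None, hop_limit=64):
    """RA as ra6 sends it: --lifetime, -o (Other flag), -M (MTU option)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    body = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags, lifetime, 0, 0)
    if mtu is not None:
        body += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)     # option length in 8-byte units
    return _finish(src, dst, body)


def build_na(src, dst, target, solicited=False, override=False, router=False):
    """NA as na6 sends it: -c (Solicited) and -o (Override) flags for the target."""
    flags = (int(router) << 31) | (int(solicited) << 30) | (int(override) << 29)
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    return _finish(src, dst, body)


def parse_nd(src, dst, msg):
    """Decode an RA or NA and its options; raises ValueError on a malformed option."""
    mtype = msg[0]
    info = {"type": mtype, "src": ipaddress.IPv6Address(src).compressed,
            "checksum_ok": icmpv6_checksum(src, dst, msg) == 0, "options": {}}
    if mtype == ICMPV6_RA:
        hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHII", msg[4:16])
        info.update(cur_hop_limit=hop, managed=bool(flags & 0x80),
                    other=bool(flags & 0x40), router_lifetime=lifetime)
        opts = msg[16:]
    elif mtype == ICMPV6_NA:
        (flags,) = struct.unpack("!I", msg[4:8])
        info.update(router=bool(flags >> 31 & 1), solicited=bool(flags >> 30 & 1),
                    override=bool(flags >> 29 & 1),
                    target=str(ipaddress.IPv6Address(msg[8:24])))
        opts = msg[24:]
    else:
        opts = b""
    while opts:
        otype, olen = opts[0], opts[1] * 8
        if olen == 0 or olen > len(opts):        # RFC 4861 4.6: discard the packet
            raise ValueError("malformed ND option")
        if otype == OPT_MTU:
            info["options"]["mtu"] = struct.unpack("!I", opts[4:8])[0]
        elif otype in (OPT_SRC_LLADDR, OPT_TGT_LLADDR):
            info["options"]["lladdr"] = ":".join("%02x" % b for b in opts[2:8])
        opts = opts[olen:]
    return info


def check_ra(info, trusted_routers):
    """Simplified RA Guard policy: reasons this RA should be dropped (empty = accept)."""
    trusted = {ipaddress.IPv6Address(t).compressed for t in trusted_routers}
    reasons = []
    if not info["checksum_ok"]:
        reasons.append("bad checksum")
    if not ipaddress.IPv6Address(info["src"]).is_link_local:
        reasons.append("RA source is not link-local")      # required by RFC 4861 6.1.2
    if info["src"] not in trusted:
        reasons.append("RA from untrusted router")
    mtu = info["options"].get("mtu")
    if mtu is not None and mtu < 1280:
        reasons.append("MTU option below the IPv6 minimum of 1280")
    return reasons


if __name__ == "__main__":
    ra = build_ra("fe80::1", "ff02::1", lifetime=100, other=True, mtu=1400)
    decoded = parse_nd("fe80::1", "ff02::1", ra)
    print(ra.hex(), decoded, check_ra(decoded, {"fe80::1"}))
```

The hop-limit check that a host performs on received ND (it must be 255) is not visible here because the hop limit lives in the IPv6 header, not the ICMPv6 message; pair this parser with that check when feeding it captured packets.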


rd6: A tool to send arbitrary ICMPv6 Redirect messages.

rd6 -i [interface] --learn-router -d [destination] -r [range/netmask] -t [target] -R 100 -l -v

Flood the destination host with batches of 100 Redirect messages (-R) from random addresses in the given range (-r), repeating (-l) at the default one-second interval, after learning the current router on the link (--learn-router), since a host only honours a Redirect that appears to come from its first-hop router. Eek!

Router Solicitation

rs6: A tool to send arbitrary Router Solicitation messages.

rs6 -i [interface] -e

Send a Router Solicitation out that interface from random link-local IPv6 and Ethernet source addresses to the default destination, ff02::2 (all-routers link-local multicast) and 33:33:00:00:00:02 (its Ethernet mapping), including a Source Link-Layer Address option (-e) that carries the same Ethernet address as the frame. You can make a flood, -F [number of packets per flood], every few seconds, -z [interval].

Local Segment Scan

scan6: A scanning tool that finds all local IPv6 addresses.

scan6 -i [interface] -L or ... there's a multicast group for that!
hope@moose$ sudo ./scan6 -i eth1 -L | wc -l
hope@moose$ sudo ./scan6 -i eth1 -L | grep ^fe80 | wc -l
hope@moose$ ping6 -c2 ff02::1%eth1 | grep -v fe80
PING ff02::1%eth1(ff02::1) 56 data bytes

--- ff02::1%eth1 ping statistics ---
2 packets transmitted, 2 received, +73 duplicates, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.058/0.680/1.050/0.201 ms
hope@moose$ ping6 -c1 ff02::1%eth1
PING ff02::1%eth1(ff02::1) 56 data bytes
64 bytes from fe80::250:56ff:fea6:7d6f: icmp_seq=1 ttl=64 time=0.077 ms

--- ff02::1%eth1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.077/0.077/0.077/0.000 ms

An Actual Scan

hope@moose$ ping6 -c2 ff02::1%eth1
PING ff02::1%eth1(ff02::1) 56 data bytes
64 bytes from fe80::250:56ff:fea6:7d6f: icmp_seq=1 ttl=64 time=0.057 ms
64 bytes from fe80::250:56ff:fea6:8121: icmp_seq=1 ttl=64 time=0.792 ms (DUP!)
 . . .
64 bytes from fe80::e61f:13ff:fe2c:24c4: icmp_seq=1 ttl=64 time=2.73 ms (DUP!)
64 bytes from fe80::250:56ff:fea6:7d6f: icmp_seq=2 ttl=64 time=0.101 ms

--- ff02::1%eth1 ping statistics ---
2 packets transmitted, 2 received, +73 duplicates, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.057/1.820/2.738/0.493 ms
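The listing above shows why `-c2` matters: with `-c1`, ping6 exits as soon as the first reply arrives, so the 73 duplicates never show up and the "scan" finds one host. As an added example (mine, not part of the talk), the Python below turns saved `ping6 ff02::1%eth1` output into an inventory: which addresses answered, which probes each one answered, and which interface IDs embed a MAC (the `ff:fe` in the middle), which is why the 00:50:56 VMware OUI is readable in two of the talk's addresses. The sample output is constructed to look like the listing; the fourth address is made up.

```python
import ipaddress
import re

# Constructed sample of `ping6 -c2 ff02::1%eth1` output, modelled on the talk's
# listing. Only link-local addresses appear, so nothing here is routable.
SAMPLE = """\
PING ff02::1%eth1(ff02::1) 56 data bytes
64 bytes from fe80::250:56ff:fea6:7d6f: icmp_seq=1 ttl=64 time=0.057 ms
64 bytes from fe80::250:56ff:fea6:8121: icmp_seq=1 ttl=64 time=0.792 ms (DUP!)
64 bytes from fe80::e61f:13ff:fe2c:24c4: icmp_seq=1 ttl=64 time=2.73 ms (DUP!)
64 bytes from fe80::1c3a:9d4e:77b2:a8f0: icmp_seq=1 ttl=64 time=1.10 ms (DUP!)
64 bytes from fe80::250:56ff:fea6:7d6f: icmp_seq=2 ttl=64 time=0.101 ms
64 bytes from fe80::250:56ff:fea6:8121: icmp_seq=2 ttl=64 time=0.801 ms (DUP!)

--- ff02::1%eth1 ping statistics ---
2 packets transmitted, 2 received, +4 duplicates, 0% packet loss, time 1001ms
"""

# Reply line; some ping6 builds print the zone as "addr%eth1:", hence the optional suffix.
REPLY = re.compile(r"^\d+ bytes from ([0-9a-fA-F:]+)(?:%\w+)?: icmp_seq=(\d+)")


def inventory(ping_output):
    """Map each responding address to the set of icmp_seq values it answered."""
    seen = {}
    for line in ping_output.splitlines():
        m = REPLY.match(line)
        if m:
            seen.setdefault(m.group(1), set()).add(int(m.group(2)))
    return seen


def is_eui64(addr):
    """True when the interface ID embeds ff:fe, i.e. was derived from a MAC address."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


def summarize(ping_output, probes):
    """Hosts found, hosts whose address leaks a MAC, and hosts that missed a probe
    (the ones a single-probe ping6 -c1 would not have shown)."""
    hosts = inventory(ping_output)
    return {
        "hosts": len(hosts),
        "eui64_hosts": sorted(a for a in hosts if is_eui64(a)),
        "missed_a_probe": sorted(a for a, seqs in hosts.items() if len(seqs) < probes),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE, probes=2))
```

Feed it real output with `ping6 -c2 ff02::1%eth1 > scan.txt` and `summarize(open("scan.txt").read(), 2)`; hosts that only answered one probe are worth a second, unicast ping before you conclude anything about them.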

Arbitrary TCP packets

tcp6: A tool to send arbitrary TCP segments and perform a variety of TCP-based attacks.

tcp6 -i [interface] -s [source] -d [destination] -a [destination port] -X S -F 100 -l -z 1 -v

Generate a TCP SYN flood (-X S sets the SYN flag) for firewall testing: 100 segments per batch (-F), repeated (-l) every second (-z). Or use scapy for the general case.

Toolkits Compared

SI6 IPv6 Toolkit   THC-IPv6                            Other
addr6              -                                   ipv6calc
ns6                parasite6, sendpees6                -
ra6                flood_router6, fake_advertiser6     -
scan6              alive6                              ping6 -c2 ff02::1%if
tcp6               exploit6, denial6, thc-ipv6-lib.c   scapy

What Have I Seen?