IPv6 Security

Joni Julian

SouthEast Linux Fest

June 20, 2014

Who Am I?

I'm in Networking, not Security.

I'm Not Running IPv6

are you sure?

Start With IPv6

References, both PDFs:

  1. Operational Experiences with IPv6 from Louisiana State University
  2. Don't have the plaid polyester leisure suit of IPv6 networks from Infoblox at NANOG

IPv6 Security Overview

NAT Is Not Security

on imgflip

for further viewing

Translation

IPv4        IPv6
arp         ndp
Arpwatch    NDPMon
ping        ping6
nmap        nmap -6
iptables    ip6tables

Host Firewall

ip6tables is a lot like iptables, and CERT has an example

hope@moose$ diff iptables.txt ip6tables.txt
10d9
< :tsm - [0:0]
16,23c15,18
< -A net-servers -s 172.16.100.0/24 -j ACCEPT
< -A net-users -s 172.16.150.0/24 -j ACCEPT
< -A monitors -s 172.16.200.0/24 -j ACCEPT
< -A tsm -s 172.19.133.0/25 -j ACCEPT
< -A tsm -s 172.16.163.230/32 -j ACCEPT
< -A unc -s 10.0.0.0/8 -j ACCEPT
< -A unc -s 172.16.0.0/12 -j ACCEPT
< -A unc -s 192.168.0.0/16 -j ACCEPT
---
> -A net-servers -s 2001:db8:1:100::/64 -j ACCEPT
> -A net-users -s 2001:db8:1:150::/64 -j ACCEPT
> -A monitors -s 2001:db8:1:200::/64 -j ACCEPT
> -A unc -s 2001:db8:1::/47 -j ACCEPT

Host Firewall

32c24
< -A INPUT -p icmp -j ACCEPT
---
> -A INPUT -p ipv6-icmp -j ACCEPT
36,38d27
< # TSM backups
< -A INPUT -p tcp -m state --state NEW --dport 1500:1501 -j tsm
< -A INPUT -p tcp -m state --state NEW --dport 1581:1582 -j tsm
53c40
< -A INPUT -p udp -m udp --dport 67 -j ACCEPT
---
> -A INPUT -p udp -m udp --dport 547 -j ACCEPT
56,57c43,44
< -A dhcp-servers -s 172.16.253.97/28 -j ACCEPT
< -A dhcp-servers -s 172.16.253.209/28 -j ACCEPT
---
> -A dhcp-servers -s 2001:db8:1:2005::1/64 -j ACCEPT
> -A dhcp-servers -s 2001:db8:1:3005::1/64 -j ACCEPT
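The diff above translates the v4 blanket `-p icmp -j ACCEPT` into `-p ipv6-icmp -j ACCEPT`, which keeps IPv6 working but is broader than it needs to be; the common mistake in the other direction is to drop ICMPv6 the way people drop ICMP, which silently kills Neighbor Discovery and path MTU discovery. The following is an added example, not from the talk or from CERT: an ip6tables-restore ruleset that enumerates the ICMPv6 types a host actually needs, restricts NDP to on-link hop limit 255, only accepts Router Advertisements from one known router MAC (the `00:00:5e:00:53:01` value is a documentation-range placeholder, as is the `ssh` port), and a small lint function that flags a ruleset which never accepts the required types or drops ICMPv6 before the accepts are reached. Only the checker runs here; loading the rules needs `ip6tables-restore` and root.

```shell
#!/bin/sh
# Added example (not the talk's ruleset): ICMPv6 filtering that keeps NDP and
# PMTUD alive, plus a lint for rulesets in ip6tables-save format.

# ICMPv6 types a host cannot function without (RFC 4890 "must not be dropped"):
# 1-4 error messages (2 = Packet Too Big, i.e. PMTUD), 135/136 NS/NA.
REQUIRED_ICMPV6_TYPES="1 2 3 4 135 136"

RULESET=$(mktemp)
cat > "$RULESET" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 errors and echo: needed for PMTUD and diagnostics
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
# Neighbor Discovery: hop limit 255 means it really came from this link (RFC 4861)
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# Router Advertisements only from the known router (placeholder MAC); log the rest
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -m mac --mac-source 00:00:5e:00:53:01 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j LOG --log-prefix "rogue-RA: "
# Redirects are logged and dropped on a host with a static default route
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j LOG --log-prefix "redirect: "
-A INPUT -p ipv6-icmp -j DROP
# DHCPv6 *client* side listens on 546 (servers/relays on 547, as in the diff above)
-A INPUT -p udp -m udp -s fe80::/10 --dport 546 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
COMMIT
EOF

# Lint: exit 0 if the ruleset keeps IPv6 working, 1 with a reason on stderr otherwise.
check_icmpv6_ruleset() {   # $1: file in ip6tables-save format
    f=$1
    # A blanket accept (what the talk's diff does) can never break NDP.
    if grep -q -- '-p ipv6-icmp -j ACCEPT' "$f"; then return 0; fi
    missing=""
    for t in $REQUIRED_ICMPV6_TYPES; do
        grep -q -- "--icmpv6-type $t .*-j ACCEPT" "$f" || missing="$missing $t"
    done
    if [ -n "$missing" ]; then
        echo "ICMPv6 types never accepted:$missing (NDP or PMTUD would break)" >&2
        return 1
    fi
    # Accepts must precede any catch-all ICMPv6 drop, or they are never reached.
    drop=$(grep -nE -- '-p ipv6-icmp -j (DROP|REJECT)' "$f" | head -n1 | cut -d: -f1)
    last_accept=$(grep -n -- '--icmpv6-type .*-j ACCEPT' "$f" | tail -n1 | cut -d: -f1)
    if [ -n "$drop" ] && [ "$drop" -lt "$last_accept" ]; then
        echo "catch-all ICMPv6 drop on line $drop precedes the accept on line $last_accept" >&2
        return 1
    fi
    return 0
}

if check_icmpv6_ruleset "$RULESET"; then
    echo "ruleset ok; load with: ip6tables-restore < $RULESET"
fi
```

The hop-limit match is the cheap host-side version of what RA Guard does on the switch: an NS, NA or RA that arrives with a hop limit under 255 has been forwarded by a router and is not legitimate Neighbor Discovery.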

NfTables

IPv6 Security Tools

bring your own duct tape because there's nothing like Security Onion (yet)

Wherein I Jump In

hope@moose$ cd /usr/local/src
hope@moose$ sudo yum install libpcap-devel
hope@moose$ curl -O http://www.si6networks.com/tools/ipv6toolkit/ipv6toolkit-v1.5.3.tar.gz
hope@moose$ tar tf ipv6toolkit-v1.5.3.tar 
hope@moose$ tar xf ipv6toolkit-v1.5.3.tar 
hope@moose$ cd ipv6toolkit-v1.5.3
hope@moose$ less README.TXT 
hope@moose$ make all
hope@moose$ ls | grep 6$
hope@moose$ cd manuals
hope@moose$ nroff -man addr6.1 | less

Standard Options

-i [interface]  Use the specified interface. Required if the interface isn't
                obvious by inference (think link-local multicast).

-h              Display help.

-v              Be verbose.

Address Decode

addr6: An IPv6 address analysis and manipulation tool.

addr6 -a [ipv6 address] -d

decode that IPv6 address; see also v6decode or tavian or install ipv6calc

hope@moose$ ./addr6 -a 2610:28:3090:2004::13/64 -d
inet_pton(): address not valid
hope@moose$ ./addr6 -a 2610:28:3090:2004::13 -d
unicast=global=global=low-byte=unspecified
hope@moose$ ./addr6 -a fe80::250:56ff:fea6:7d6f -d
unicast=link-local=link=ieee-derived=00-50-56
hope@moose$

Flow Labels

flow6: A tool to perform a security assessment of the IPv6 Flow Label.

flow6 -i [interface] --flow-label-policy -d [destination] -v

Assess the flow label generation policy of the destination host for TCP (default, -P) on port 80 (default, -p).

Fragment Flood

frag6: A tool to perform IPv6 fragmentation-based attacks and to perform a security assessment of a number of fragmentation-related aspects.

frag6 -i [interface] --frag-id-policy -d [destination]

Assess the fragment ID generation policy of the destination host. Did you know that some firewalls don't evaluate fragments by the same rules? Yikes!

frag6 -i [interface] -s [source] -d [destination] -F

Frag flood! Does the host fall down? What about the router or firewall, if this traffic crosses one?

ICMPv6

icmp6: A tool to perform attacks based on ICMPv6 error messages.

icmp6 --icmp6-packet-too-big -p ICMP6 -d [destination] --peer-addr [source] -m 1240 -v

Send the ICMPv6 error "packet too big" from source address to destination address, specifying 1240 bytes for the MTU.

Jumbo

jumbo6: A tool to assess potential flaws in the handling of IPv6 Jumbograms.

jumbo6 -s [source] -d [destination] -P [payload size in bytes]

Send a jumbo frame. See also scapy.

Neighbor Advertisements

na6: A tool to send arbitrary Neighbor Advertisement messages.

na6 -i [interface] -d [destination] -t [target, could be global unicast] -c -o

Send a Neighbor Advertisement with a random link-local IPv6 address and random Ethernet address over the specified interface to the destination IPv6 address, like link-local or all nodes multicast, with the Solicited (-c) and Override (-o) flags set. This tool can also send a flood, from different sources (--flood-sources), and/or to different targets (--flood-targets).

Node Information

ni6: A tool to send arbitrary ICMPv6 Node Information messages, and assess possible flaws in the processing of such packets.

ni6 -i [interface] --subject-ipv6 [subject IPv6 address] -d [destination] -q 2 -v

Send an ICMPv6 Node Information query to the destination address about the given subject IPv6 address, querying for node names (-q).

Neighbor Solicitation Flood

ns6: A tool to send arbitrary Neighbor Solicitation messages.

ns6 -i [interface] -s [source] -t [target] -F 100 -l -z 5 -v

Send a neighbor solicitation from that interface with that source address to that target address. Send a flood (-F) of 100 packets every 5 seconds (-z).

Router Advertisements

ra6: A tool to send arbitrary Router Advertisement messages.

ra6 -i [interface] -d [destination] -D [destination MAC] --lifetime 100 -o -M 1400

Use that interface to send a Router Advertisement to the destination (think link-local) with the specified destination MAC with a router hop limit of 100, the Other bit (-o, get other information from DHCPv6), and an MTU of 1400. Demonstrate why you want RA Guard, or test that it works.

Redirect

rd6: A tool to send arbitrary ICMPv6 Redirect messages.

rd6 -i [interface] --learn-router -d [destination] -r [range/netmask] -t [target] -R 100 -1 -v

Flood the destination host with batches of 100 Redirect messages (-R) from a random address in the given range (-r) every (one) second (-1). Eek!
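Where the switch has no RA Guard, the host can at least refuse what ra6 and rd6 send. The following is an added example, not from the talk: a sysctl policy for a statically addressed server (ignore Router Advertisements, ICMPv6 Redirects and source-routed packets), a renderer for the sysctl.d drop-in, and an audit function that reports drift from that policy. The policy values are assumptions for a server; a SLAAC client has to leave accept_ra at 1 and rely on RA Guard or the firewall instead. The audit reads the live values under /proc/sys by default; here it is pointed at a constructed fake tree so it runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the talk): host-side hardening against rogue RAs and
# Redirects, with an audit that reports drift from the policy.

HARDENED_KEYS="accept_ra accept_redirects accept_source_route"

# Per-interface keys under net/ipv6/conf/<ifname>/ and the value policy wants.
want_value() {
    case $1 in
        accept_ra)           echo 0 ;;   # ignore Router Advertisements entirely
        accept_redirects)    echo 0 ;;   # ignore ICMPv6 Redirect messages
        accept_source_route) echo 0 ;;   # do not process source-routed packets
        *) return 1 ;;
    esac
}

# Render a sysctl.d drop-in for one interface on stdout.
render_sysctl_conf() {   # $1: interface name
    for k in $HARDENED_KEYS; do
        printf 'net.ipv6.conf.%s.%s = %s\n' "$1" "$k" "$(want_value "$k")"
    done
}

# Compare live values with policy. $1: interface, $2: sysctl root (default
# /proc/sys). Prints one line per deviation; exit status is the deviation count.
audit_ipv6_sysctl() {
    ifc=$1; root=${2:-/proc/sys}; bad=0
    for k in $HARDENED_KEYS; do
        f="$root/net/ipv6/conf/$ifc/$k"
        if [ ! -r "$f" ]; then
            printf '%s/%s: not present\n' "$ifc" "$k"
            bad=$((bad + 1)); continue
        fi
        cur=$(cat "$f"); want=$(want_value "$k")
        if [ "$cur" != "$want" ]; then
            printf '%s/%s = %s (want %s)\n' "$ifc" "$k" "$cur" "$want"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed fake /proc/sys tree: eth1 still honours RAs and Redirects.
FAKE_SYS=$(mktemp -d)
mkdir -p "$FAKE_SYS/net/ipv6/conf/eth1"
echo 1 > "$FAKE_SYS/net/ipv6/conf/eth1/accept_ra"
echo 1 > "$FAKE_SYS/net/ipv6/conf/eth1/accept_redirects"
echo 0 > "$FAKE_SYS/net/ipv6/conf/eth1/accept_source_route"

render_sysctl_conf eth1      # drop this into /etc/sysctl.d/60-ipv6-hardening.conf
audit_ipv6_sysctl eth1 "$FAKE_SYS" || echo "$? setting(s) out of policy on eth1"
```

Run the audit from cron or a configuration-management check against the real /proc/sys; a host that suddenly reports accept_ra back at 1 has been reconfigured, which is worth knowing before ra6 traffic shows up on the segment.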

Router Solicitation

rs6: A tool to send arbitrary Router Solicitation messages.

rs6 -i [interface] -e

Send a Router Solicitation out that interface from random link-local IPv6 and MAC addresses to the default destination of ff02::2 (all routers link-local multicast) and 33:33:00:00:00:02 (Ethernet for same multicast group) with the same source Ethernet address (-e) as the packet. You can make a flood, -F [number of packets per flood], every few seconds, -z [interval].

Local Segment Scan

scan6: A scanning tool that finds all local IPv6 addresses.

scan6 -i [interface] -L or ... there's a multicast group for that!
hope@moose$ sudo ./scan6 -i eth1 -L | wc -l
75
hope@moose$ sudo ./scan6 -i eth1 -L | grep ^fe80 | wc -l
67
hope@moose$ ping6 -c2 ff02::1%eth1 | grep -v fe80
PING ff02::1%eth1(ff02::1) 56 data bytes

--- ff02::1%eth1 ping statistics ---
2 packets transmitted, 2 received, +73 duplicates, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.058/0.680/1.050/0.201 ms
hope@moose$ ping6 -c1 ff02::1%eth1
PING ff02::1%eth1(ff02::1) 56 data bytes
64 bytes from fe80::250:56ff:fea6:7d6f: icmp_seq=1 ttl=64 time=0.077 ms

--- ff02::1%eth1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.077/0.077/0.077/0.000 ms

An Actual Scan

hope@moose$ ping6 -c2 ff02::1%eth1
PING ff02::1%eth1(ff02::1) 56 data bytes
64 bytes from fe80::250:56ff:fea6:7d6f: icmp_seq=1 ttl=64 time=0.057 ms
64 bytes from fe80::250:56ff:fea6:8121: icmp_seq=1 ttl=64 time=0.792 ms (DUP!)
 . . .
64 bytes from fe80::e61f:13ff:fe2c:24c4: icmp_seq=1 ttl=64 time=2.73 ms (DUP!)
64 bytes from fe80::250:56ff:fea6:7d6f: icmp_seq=2 ttl=64 time=0.101 ms

--- ff02::1%eth1 ping statistics ---
2 packets transmitted, 2 received, +73 duplicates, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.057/1.820/2.738/0.493 ms
hope@moose$ 
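The all-nodes ping above is the poor man's scan6, and the addr6 -d output earlier showed that an EUI-64 interface identifier embeds the MAC (`ieee-derived=00-50-56`). The following is an added example, not from the talk or the SI6 toolkit: it turns ping6 output into a host inventory, recovers the MAC from EUI-64 identifiers (flip the U/L bit, drop the ff:fe in the middle), marks addresses with random or privacy identifiers, and diffs the result against a saved baseline so a new neighbour on the segment stands out, which is the NDPMon/Arpwatch idea. The ping output is a constructed sample modelled on the scan above; the fourth address in it and the baseline file are constructed too.

```shell
#!/bin/sh
# Added example (not from the talk): link-local inventory from "ping6 ff02::1"
# with EUI-64 to MAC recovery and a baseline diff.

# Expand an IPv6 address to 32 hex digits (handles a single "::").
expand6() {
    addr=$1
    case $addr in
        *::*) left=${addr%%::*}; right=${addr#*::} ;;
        *)    left=$addr; right= ;;
    esac
    n=0; groups=""
    for g in $(printf '%s' "$left" | tr ':' ' '); do groups="$groups $g"; n=$((n + 1)); done
    rn=0
    for g in $(printf '%s' "$right" | tr ':' ' '); do rn=$((rn + 1)); done
    case $addr in
        *::*) while [ $((n + rn)) -lt 8 ]; do groups="$groups 0"; n=$((n + 1)); done ;;
    esac
    for g in $(printf '%s' "$right" | tr ':' ' '); do groups="$groups $g"; done
    out=""
    for g in $groups; do out="$out$(printf '%04x' "$((0x$g))")"; done
    printf '%s\n' "$out"
}

# Print the MAC behind a modified-EUI-64 interface ID; exit 1 if the ID is not
# EUI-64 derived (privacy extensions, random IIDs, ::1, DHCPv6-assigned, ...).
eui64_to_mac() {
    hex=$(expand6 "$1")
    iid=${hex#????????????????}          # strip the 64-bit prefix
    case $iid in
        ??????fffe??????) ;;             # bytes 3-4 of an EUI-64 IID are ff:fe
        *) return 1 ;;
    esac
    first=$(printf '%s' "$iid" | cut -c1-2)
    b0=$(printf '%02x' "$((0x$first ^ 0x02))")   # flip the universal/local bit back
    printf '%s%s%s\n' "$b0" "$(printf '%s' "$iid" | cut -c3-6)" "$(printf '%s' "$iid" | cut -c11-16)" |
        sed 's/\(..\)\(..\)\(..\)\(..\)\(..\)\(..\)/\1:\2:\3:\4:\5:\6/'
}

# Unique responders from ping6 output; the "(DUP!)" lines are the other hosts.
hosts_from_ping() {   # $1: file with ping6 output
    sed -n 's/^64 bytes from \([0-9a-f:]*\): .*/\1/p' "$1" | sort -u
}

# One line per host: address and MAC, or "random-iid" when it cannot be derived.
inventory() {   # $1: file with ping6 output
    hosts_from_ping "$1" | while read -r a; do
        mac=$(eui64_to_mac "$a") || mac=random-iid
        printf '%s %s\n' "$a" "$mac"
    done
}

# Addresses present in the current inventory but absent from the baseline.
new_hosts() {   # $1: baseline inventory file, $2: current inventory file
    awk 'FILENAME == ARGV[1] { seen[$1]; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# Constructed sample, modelled on the talk's scan; the a1b2... host is made up.
SAMPLE_PING=$(mktemp)
cat > "$SAMPLE_PING" <<'EOF'
PING ff02::1%eth1(ff02::1) 56 data bytes
64 bytes from fe80::250:56ff:fea6:7d6f: icmp_seq=1 ttl=64 time=0.057 ms
64 bytes from fe80::250:56ff:fea6:8121: icmp_seq=1 ttl=64 time=0.792 ms (DUP!)
64 bytes from fe80::e61f:13ff:fe2c:24c4: icmp_seq=1 ttl=64 time=2.73 ms (DUP!)
64 bytes from fe80::a1b2:c3d4:e5f6:7a8b: icmp_seq=1 ttl=64 time=1.10 ms (DUP!)
64 bytes from fe80::250:56ff:fea6:7d6f: icmp_seq=2 ttl=64 time=0.101 ms
EOF
# Constructed baseline: what the segment looked like last time.
BASELINE=$(mktemp)
printf '%s\n' 'fe80::250:56ff:fea6:7d6f 00:50:56:a6:7d:6f' \
               'fe80::250:56ff:fea6:8121 00:50:56:a6:81:21' > "$BASELINE"

CURRENT=$(mktemp)
inventory "$SAMPLE_PING" > "$CURRENT"
cat "$CURRENT"
echo "new since baseline:"
new_hosts "$BASELINE" "$CURRENT"
```

In real use the sample file is replaced by `ping6 -c2 ff02::1%eth1 > scan.txt` (or `ip -6 neigh` after it), and the current inventory becomes the next baseline once the new hosts have been accounted for.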

Arbitrary TCP packets

tcp6: A tool to send arbitrary TCP segments and perform a variety of TCP-based attacks.

tcp6 -i [interface] -s [source] -d [destination] -a [destination port] -X S -F 100 -l -z 1 -v

Generate a TCP SYN flood for firewall testing. Or use scapy for the general case.

Toolkits Compared

ipv6toolkit   THC                                  other
addr6                                              ipv6calc
flow6
frag6
icmp6         thcping6
jumbo6
na6           flood_advertise6
ni6
ns6           parasite6, sendpees6
ra6           flood_router6, fake_advertiser6
rd6           redir6
rs6
scan6         alive6                               ping6 -c2 ff02::1%if
tcp6          exploit6, denial6, thc-ipv6-lib.c    scapy

What Have I Seen?

Security:

Network:

Summary