Chapter 6: Securing the Data Plane in IPv6 Environments

Securing the Data Plane in IPv6 EnvironmentsIn this chapter, you learn how to do the following:• Explain the need for IPv6 from the general perspective of the transition to IPv6 from IPv4• List and describe the fundamental features of IPv6, as well as enhancements when compared to IPv4• Analyze the IPv6 addressing scheme, components, and design principles and configure IPv6 addressing• Describe the IPv6 routing function• Evaluate how common and specific threats affect IPv6• Develop and implement a strategy for IPv6 securityContentsThe Need for IPv6IPv6 is a powerful enhancement to IPv4. Several features in IPv6 offer functional improvements. What IP developers learned from using IPv4 suggested changes to better suit current and probable network demands:• Larger address space: • Simpler header: • Mobility and security: • Transition richness: IPv6 Features and EnhancementsThe new IPv6 header is simpler than the IPv4 header, in the following ways:• Half of the previous IPv4 header fields are removed. This enables simpler processing of the packets, enhancing the performance and routing efficiency.• All fields are aligned to 64 bits, which enables direct storage and access in memory by fast lookups.• No checksum occurs at the IP layer, and no recalculation is performed by the routers. Error detection is done by the link layer and transport layer.IPv6 HeadersStateless Address AutoconfigurationIPv4 and IPv6 Compared• Manually• IPv6-in-IPv4• GRE (not discussed)• VPN (not discussed)• Semiautomatically• Tunnel broker (proxying)• Automatically• 6to4• ISATAP• TeredoTransition to IPv6IPv6 Address Representation• Unicast• Address is for a single interface• IPv6 has several types (for example, global, reserved, link-local, and site-local)• Multicast• One-to-many• Enables more efficient use of the network• Uses a larger address range• Anycast• One-to-nearest (allocated from unicast address space)• Multiple devices share the same address• All anycast nodes should provide uniform service• Source devices send packets to anycast address• Routers decide on closest device to reach that destination• Suitable for load balancing and content delivery servicesIPv6 Address TypesIPv6 address types have the following patterns:• Global: Starts with 2000::/3 and assigned by the Internet Assigned Numbers Authority (IANA)• Reserved: Used by the IETF• Private: Link local (starts with FE80::/10)• Loopback: (::1)• Unspecified: (::)IPv6 Unicast AddressingIPv6 Global Unicast and Anycast AddressesLink-Local AddressesMulticast AddressesThere are several ways to assign an IPv6 address to a device:• Static assignment using a manual interface ID• Static assignment using an EUI-64 interface ID• Stateless autoconfiguration• DHCP for IPv6 (DHCPv6)Assigning IPv6 Global Unicast AddressesIPv6 EUI-64 Interface IdentifierR1(config)# ipv6 unicast-routingR1(config)# interface fa0/0R1(config-if)# ipv6 address 2001:db8:c18:1::/64 eui-64R1# show ipv6 interface fa0/0FastEthernet0/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::218:B9FF:FE21:9278 Global unicast address(es): 2001:DB8:c18:1:218:B9FF:FE21:9278, subnet is 2000:1:2:3::/64 Joined group address(es): FF02::1:FF21:9278 FF02::1 FF02::2 MTU is 1500 bytesIPv6 Address Configuration Example• Static• RIPng (RFC 2080)• OSPFv3 (RFC 2740)• IS-IS for IPv6• MP-BGP4 (RFC 2545/2858)• EIGRP for IPv6Routing Considerations for IPv6In general, many types of attacks are similar between IPv4 and IPv6, as listed below. For some attack types, additional information is provided.ReconnaissanceNot so easy in IPv6 due to large address spaceScanners will make router trigger NDP, wasting CPU and resourcesAttack tools exist today (Parasit6, Fakerouter6, Scapy6, others)Viruses and wormsScanning will probably use alternative techniquesApplication layer attacksSame implicationsPeer-to-peer nature of IPv6 augments the problemRevisiting Threats: Considerations for IPv6• Unauthorized access• Man-in-the-middle attacks Still a possibility Myth: mandatory IPsec resolves the issue Reality: IPsec is a mandatory part of the stack, but you still have to configure it• Sniffing or eavesdropping• Denial of service (DoS) attacks• Spoofed packets: forged addresses and other fields• Still a possibility• Bogons (bogus IP addresses) a reality today• Attacks against routers and other networking devices• Attacks against the physical or data link layersRevisiting Threats: Considerations for IPv6However, there is also some bad news. IPv6 is a bit different and, as such, there are threats that have been slightly changed by the fact that IPv6 does things slightly differently than IPv4. The following is a list of threats that are only slightly modified by IPv6:• LAN-based attacks (NDP)• Attacks against DHCP or DHCPv6• DoS against routers (hop-by-hop extension headers rather than router alerts)• Fragmentation (IPv4 routers performing fragmentation versus IPv6 hosts using a fragment extension header)• Packet amplification attacks (IPv4 uses broadcast; IPv6 uses multicast)Revisiting Threats: Considerations for IPv6• Reconnaissance and scanning worms: Brute-force discovery is more difficult.• Attacks against ICMPv6: ICMPv6 is a required component of IPv6.• Extension header (EH) attacks: EHs need to be accurately parsed.• Autoconfiguration: NDP attacks are simple to perform.• Attacks on transition mechanisms: Migration techniques are required by IPv6.• Mobile IPv6 attacks: Devices that roam are susceptible to multiple vulnerabilities.• IPv6 protocol stack attacks: Because of the code freshness of IPv6, bugs in the protocol stack existList of threats that are unique to IPv6 networks• Training and planning• Lack of knowledge, poor planning even for basic security controls (example: weak ingress filtering, or no filtering at all)• End nodes are exposed to many threats:• Address configuration parameters: Rogue configuration parameters• Address initialization: Denial of address insertion• Address resolution: Address stealing• Default gateway discovery: Rogue routers• Neighbor reachability tracking: Rogue neighbor status• Header extensions• Hosts process routing headers (RH)• Header extensions can be exploited (example: routing header for source routing and reconnaissance)• Amplification attacks based on routing headerIPv6 introduces the following difficulties or vulnerabilitiesThe attacker manipulates the routing header to create a traffic loop. DoS attacks can be performed using this feedback loop to consume resources or amplify the packets that are sent to a victim. RH0 packets could be created with a list of embedded IPv6 addresses. The packet would be forwarded to every system in the list before finally being sent to the destination address. If the embedded IPv6 addresses in an RH0 packet were two systems on the Internet listed numerous times, it could cause a type of feedback loop.Examples of Possible IPv6 AttacksTraffic Loop from Exploiting Routing HeaderThe attacker abuses NDP by using a router to amplify a network scan. The router sends Neighbor Solicitation (NS) messages to all the hosts in the LAN segment, using the all-nodes multicast address.Network Scan from Exploiting NDPCombo Attack on IPv6• Ingress filtering is key:• Deny Bogon addresses.• Filter multicast packets at your perimeter based on their scope.• Permit only packets that have as a destination address your allocated block of addresses or multicast group address or your link-local address for NDP.• Granularly filter ICMPv6 messages at the perimeter (remember, ICMPv6 is needed for protocol operations such as NDP).• Drop RH0 packets and unknown extension headers at the perimeter and throughout the interior of the network.• Favor dual stack as the transition mechanism, but secure each protocol equally.• Control the use of tunneling:• Configure manual tunnels if possible.• Do not allow tunnels through the perimeter unless required.• Consider current and future security enhancements:• Secure NDS (SeND) from RFC 3971 provides a cryptographic method to Neighbor Discovery.• RA Guard, from RFC 6105, is an alternative and complement to SeND, filtering at Layer 2.Recommended PracticesFor additional information, refer to these resources:Cisco Systems, Inc. Cisco IOS IPv6 Configuration Guide, Release 12.4, Implementing IPv6 Addressing and Basic Connectivity, Systems, Inc. IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation (v1.0), 2464, “Transmission of IPv6 Packets over Ethernet Networks,” 3146, “Transmission of IPv6 Packets over IEEE 1394 Networks,” 3587, “IPv6 Global Unicast Address Format,” 4007, “IPv6 Scoped Address Architecture,” 4291, “IP Version 6 Addressing Architecture,”