IPv6 Security
Session SEC-2003
© 2004 Cisco Systems, Inc. All rights reserved. SEC-2003 9735_05_2004_c3

Contents
  Introduction
  Agenda
  Traditional IPv4 Edge Security Design
  IPv6 Attack Against IPv4
  IPv4 and IPv6 Header Comparison
  Address Allocation Policy
  Address Types
  IPv6 Addressing per Device
  IPv6 Privacy Extensions (RFC 3041)
  IPv6 Header Format: Next Header
  Extension Headers
  IPv6 Header Options (RFC 2460)
  ICMPv6
  Types of Threats (1/2, 2/2)
  IPv6 and IPv4 Threat Comparisons
  Reconnaissance in IPv4
  Reconnaissance in IPv6
  Reconnaissance IPv6 Best Practices
  Unauthorized Access in IPv4
  Unauthorized Access in IPv6
  Privacy Extensions Considerations
  Local Unicast Filtering
  Bogon Filtering in IPv6
  IPsec Filtering Considerations
  Routing Header Considerations (1/2, 2/2)
  ICMPv4 vs. ICMPv6
  Generic ICMPv4 Border Firewall Policy
  Equivalent Comparison ICMPv6 Border Firewall Policy
  Potential Additional ICMPv6 Border Firewall Policy
  Unauthorized Access Best Practices
  Header Manipulation
  Fragmentation Attacks in IPv4
  Fragmentation Filtering in IPv4
  Fragment Header: IPv6
  IPv6 Fragmentation: Path MTU Discovery
  IPv6 Fragmentation: Still Needs Reassembly in the Firewall and NIDS
  IPv6 Fragmentation: Issues for Non-Stateful Filtering Devices
  Header Manipulation and Fragmentation Best Practices
  ARP and DHCP Attacks in IPv4
  Stateless Autoconfiguration
  Neighbor Discovery: Neighbor Solicitation
  DAD (Duplicate Address Detection)
  ARP and DHCP Best Practices
  Smurf Attack
  IPv6 and Broadcasts
  IPv6 and Other Amplification Vectors
  Best Practices for Amplification Attacks
  IPv4 Routing Attacks
  IPv6 Routing Attacks
  IPv6 Transition Techniques
  IPv6 Translation, Transition, and Tunneling
  IPv6 Translation, Transition, and Tunneling: Dual-Stack Host Considerations
  IPv6 Translation, Transition, and Tunneling Summary Table
  IPv6 Attacks with Strong IPv4 Similarities
  IPv6 Dual Stack Attack Example
  Summary
  Reference Materials

Introduction
• Discussions around IPv6 security have centered on IPsec. Though IPsec support is mandatory in IPv6, the same deployment issues remain from IPv4:
    Configuration complexity
    Key management
    Many IPv6 stacks do not support IPsec today
  Therefore, IPv6 will be deployed largely without cryptographic protections of any kind.
• Security in IPv6 is a much broader topic than IPsec. Even with IPsec, many threats remain issues in IP networking.
• This presentation covers the rest of what you should understand to assess the security implications of IPv6 on your network.

Agenda
• IPv4 Best Practices Summary and Attack Example
• IPv6 Protocol Summary (Quick, promise! Attend RST-1305 for more)
• Types of Threats
• IPv6 and IPv4 Threat Comparisons (The Meat)
• IPv6 Topology and BP Summary
• v6/v4 Dual-Stack Attack Example

Traditional IPv4 Edge Security Design
Topology shown: Internet, ISP router, edge router, stateful firewall with three interfaces (outside, public servers, internal network).
• This design can be augmented with NIDS, application proxies, and a range of host security controls
• The 3-interface firewall design shown here is in use at thousands of locations worldwide
• Firewall policies are generally permissive outbound and restrictive inbound
• As organizations grow, the number of "edges" increases and the ability to clearly identify them becomes more difficult

IPv6 Attack Against IPv4
Topology shown: IPv4 Internet and IPv6 Internet joined by a 6to4 gateway; ISP router, edge router, stateful firewall, public servers, and an IPv4 internal network containing a rogue dual-stack host.
  1. Rogue device establishes a 6to4 tunnel to the IPv6 Internet
  2. Firewall permits outbound IP protocol 41 (IPv6 encapsulated in IPv4)
  3. Attacker compromises the rogue host over IPv6
  4. Compromised system attacks the internal network over IPv4
Note that this tunneling can be benign in origin, whereas other tunnels (like GRE) tend to require an active participant inside and outside.

IPv4 and IPv6 Header Comparison
IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
Legend:
  Field name kept from IPv4 to IPv6: Version, Source Address, Destination Address
  Fields not kept in IPv6: IHL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding
  Name and position changed in IPv6: Type of Service -> Traffic Class, Total Length -> Payload Length, Protocol -> Next Header, Time to Live -> Hop Limit
  New field in IPv6: Flow Label

Address Allocation Policy
• The allocation process is under review by the registries:
    IANA allocates 2001::/16 to the registries
    Each registry gets a /23 prefix from IANA
    Formerly, every ISP was getting a /35
    Under the new policy, the registry allocates a /32 prefix to an IPv6 ISP
    The ISP then allocates a /48 prefix to each customer (or potentially a /64)
  ftp://ftp.cs.duke.edu/pub/narten/ietf/global-ipv6-assign-2002-06-26.txt
Prefix hierarchy shown (example address 2001:0DB8::):
  Registry /23 | ISP Prefix /32 | Site Prefix /48 | LAN Prefix /64 | Interface ID (remaining 64 bits)

Address Types
• Unicast
    Global
    Link-local
    Site-local (deprecated) / local unicast
    Compatible (IPv4, IPX, NSAP)
• Multicast (one to many)
• Anycast (one to nearest)
• Reserved
IPv6 Addressing per Device
• In IPv4, devices were typically configured with one address per interface
• In IPv6, devices have multiple addresses per interface, as this router interface shows:
    Ethernet0/1 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::201:96FF:FE5B:E161
      Global unicast address(es):
        2001:0DB8:DEEE:19::1, subnet is 2001:0DB8:DEEE:19::/64
      Joined group address(es):
        FF02::1 "All nodes link local multicast"
        FF02::2 "All
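The link-local address on the slide above is a modified EUI-64 identifier, so it encodes the interface's MAC address; that is the reconnaissance and privacy concern the RFC 3041 privacy-extensions slide addresses. The following is an added example, not part of the Cisco deck, that derives the link-local address from a MAC, recovers the MAC from an EUI-64 interface ID (returning None for a non-EUI-64 identifier such as a privacy or manually assigned one), and splits a global address into the registry /23, ISP /32, site /48 and LAN /64 prefixes of the allocation slide. The MAC 00:01:96:5b:e1:61 is inferred from the slide's link-local address; 2001:db8:deee:19::1 is the slide's own address.

```python
import ipaddress

# Added example (not from the Cisco deck): modified EUI-64 interface IDs and
# the 2001::/16 allocation hierarchy from the deck's addressing slides.

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def mac_to_interface_id(mac):
    """Modified EUI-64: flip the U/L bit (0x02) of the first octet, insert FF:FE
    between the OUI and the device part; returns the 64-bit interface ID."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big")


def link_local_from_mac(mac):
    """fe80::/64 with the modified EUI-64 interface ID in the low 64 bits."""
    return ipaddress.IPv6Address(int(LINK_LOCAL.network_address) | mac_to_interface_id(mac))


def mac_from_eui64(addr):
    """Recover the MAC behind an EUI-64 interface ID, or None if the ID does not
    carry the FF:FE marker (privacy extension, manual ::1, DHCPv6, ...).
    The marker test is a heuristic: a random ID matches it with probability 2^-16."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def allocation_hierarchy(addr):
    """Prefixes from the allocation slide: registry /23, ISP /32, site /48, LAN /64."""
    return {label: str(ipaddress.ip_interface(f"{addr}/{plen}").network)
            for label, plen in (("registry", 23), ("isp", 32), ("site", 48), ("lan", 64))}


if __name__ == "__main__":
    # Slide values: link-local FE80::201:96FF:FE5B:E161, global 2001:0DB8:DEEE:19::1
    print(link_local_from_mac("00:01:96:5b:e1:61"))
    print(mac_from_eui64("fe80::201:96ff:fe5b:e161"))
    print(mac_from_eui64("2001:db8:deee:19::1"))
    print(allocation_hierarchy("2001:db8:deee:19::1"))
```

Because the EUI-64 identifier is the same on every prefix the interface uses, an attacker who learns it on one network can recognise the host (and its NIC vendor, from the OUI) on any other; that is why the deck's later slides weigh RFC 3041 privacy addresses, and why an IPv6 address with an FF:FE marker in its interface ID should be treated as revealing hardware identity.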