IPV6 - Essentials and Security

-Avi Joshi MS Cyber Security

CONTENTS

1. 2. 3. 4. 5. 6. 7. 8. 9.

What is Internet Protocol? IPv4-Addressing and Classes IPv6- Definition Problem with IPv4 Address resolutions Security issues Advantages over IPV4 Current Implementation Implementation in our network

CONTENTS

1. 2. 3. 4. 5. 6. 7. 8. 9.

What is Internet Protocol? IPv4-Addressing and Classes IPv6- Definition Problem with IPv4 Address resolutions Security issues Advantages over IPV4 Current Implementation Implementation in our network

What is IP ?
The Internet Protocol (IP) is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.

IP, as the primary protocol in the Internet layer of the Internet protocol suite, has the task of delivering packets from the source host to the destination host solely based on the IP addresses in the packet headers. The Internet Protocol is responsible for addressing hosts and for routing datagrams (packets) from a source host to a destination host across one or more IP networks.

CONTENTS

1. 2. 3. 4. 5. 6. 7. 8. 9.

What is Internet Protocol? IPv4-Addressing and Classes IPv6- Definition Problem with IPv4 Address resolutions Security issues Advantages over IPV4 Current Implementation Implementation in our network

What is IPv4 ?
First version of IP. IPv4 is one of the major protocol in TCP/IP protocols suite. This protocol works at Network layer of OSI model and at Internet layer of TCP/IP model. Thus this protocol has the responsibility of identification of hosts based upon their logical addresses and to route data between/among them over the underlying network. IPv4 provides a mechanism to uniquely identify each host over the network by IP addressing scheme.

Quick IPv4 Address Recap

Developed in 80s 232 4.3 billion possible addresses (4,294,967,296) Generally represented in decimal
One byte = 0 - 255 32-bit (four bytes) long

208.132.96.25
1101000.10000100.01100000.00011001

IPv4 - Addressing
IPv4 uses hierarchical addressing scheme. An IP address which is 32-bits in length, is divided into two parts as depicted:

32 bit addressing

IPv4 - Classes

IPv4 uses hierarchical addressing scheme.

CLASS A

The first bit of the first octet is always set to 0 (zero). Thus the first octet ranges from 1 127, i.e.
.

Default subnet mask: 255.0.0.0

IPv4 - Classes
An IP address which belongs to class B has the first two bits in the first octet set to 10, i.e. Default subnet mask: 255.255.0.0
.

CLASS B

CLASS C

The first octet of Class C IP address has its first 3 bits set to 110, i.e., Default subnet mask: 255.255.0.0
.

IPv4 - Classes
Very first four bits of the first octet in Class D IP addresses are set to 1110 Reserved for multicasting

CLASS D

CLASS E

This IP Class is reserved for experimental purposes only like for R&D or Study. IP addresses in this class ranges from 240.0.0.0 to 255.255.255.254. Like Class D, this class too is not equipped with any subnet mask.

CONTENTS

1. 2. 3. 4. 5. 6. 7. 8. 9.

What is Internet Protocol? IPv4-Addressing and Classes IPv6- Definition Problem with IPv4 Address resolutions Security issues Advantages over IPV4 Current Implementation Implementation in our network

What is IPV6 ?
Internet Protocol version 6 (IPv6) is the latest revision of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet.

IPv6 (Internet Protocol version 6) is a set of specifications from the Internet Engineering Task Force (IETF) that's essentially an upgrade of IP version 4 (IPv4). It was implemented on 6 June 2012.

CONTENTS

1. 2. 3. 4. 5. 6. 7. 8. 9.

What is Internet Protocol? IPv4-Addressing and Classes IPv6- Definition Problem with IPv4 Address resolutions Security issues Advantages over IPV4 Current Implementation Implementation in our network

Whats the problem with IPv4?

Simply put, it doesnt offer enough addresses
World Population: Around 6.8 billion Number of IPv4 addresses: Around 4.3 billion

It Gets Worse
People (personal computers) arent the only thing online

CONTENTS

1. 2. 3. 4. 5. 6. 7. 8. 9.

What is Internet Protocol? IPv4-Addressing and Classes IPv6- Definition Problem with IPv4 Address resolutions Security issues Advantages over IPV4 Current Implementation Implementation in our network

Dissecting an IPv6 Address

Developed in 1998 3.4 x 1038 or 340 Undecillion (what?) possible addresses 2128 Generally represented in hexadecimal (HEX)

Two bytes = 0 FFFF (65535)

128-bits (16 bytes) long 340 282 366 920 938 463 463 374 607 431 768 211 456

2560:1900:4545:0003:0200:F8FF:FE21:67CF
0010000111011010000000001101001100000000000000000010111100111011 0000001010101010000000001111111111111110001010001001110001011010

Shortening IPv6 Addresses

2001:0019:0545:0003:0200:0000:0000:67CF
Remove preceding zeros

2001:19:545:3:200:0:0:67CF
Remove groups of zeros

2001:19:545:3:200::67CF 2001:19:545:3:200:::67CF

Types of IPv6 Addresses

Unicast Address a one-to-one address:
Global publicly routable address assigned by IANA (2000::/3) Link local Local address assigned for auto configuration or neighbor discovery, etc not routed. (FE80::/10) Unique local like private addresses. Just used at local site (FC00 or FD00::/8) Special special addresses like loopback or default gateway Compatible used for IPv4 to IPv6 migration

Types of IPv6 Addresses

Multicast Address an address intended for one-to-many communication:
Multicast sent to members in a multicast group Broadcast sent to all address on a network (technically, now a all-nodes multicast)

Anycast Address a new address used to send to the first receipient of a group

IPv6 Hierarchical Addressing

Global Routing Prefix Prefix

SLA ID

Interface ID

2561:1900:4545:0003:0200:F8FF:FE21:67CF
TLA ID NLA ID

IPv6 Subnetting
CIDR only (slash notation) No concept of subnet masks / followed by prefix size (decimal number 1-128)

2001:1900:4545:0003:0200:F8FF:FE21:67CF
/16 /32 /48

2001:1900:4545::/48

2001:1900:4545:0000:0000:0000:0000:0000 2001:1900:4545:FFFF:FFFF:FFFF:FFFF:FFFF

What about MAC?

Hosts generate a unique Interface Identifier
Called 64-bit Extended Unique Identifier or EUI-64 48-bit MAC addresses converted by adding FFFE to the middle

1. 2. 3. 4.

MAC Address: Split in half: Insert FFFE: Change 7th bit to 1:

90-3A-2B-06-2C-D1 90-3A-2B 06-2C-D1 90:3A:2B:FF:FE:06:2C:D1 92:3A:2B:FF:FE:06:2C:D1

What about ARP?

IPv6 replaces ARP with the Neighborhood Discovery Protocol. This new protocol combines many functions:
Host-to-Host Functions Address resolution (uses ICMPv6 Neighbor advertisement and solicitation msgs) Duplicate address detection Next-Hop determination Neighbor unreachable detection Host/Router Discovery Functions Router Discovery Prefix Discovery Parameter Discovery Address Autoconfiguration Redirect Function

Stays same

Simplified Headers Mean Faster Traffic

Dropped
Name/position change New

IPv4 Header (20 bytes)

Version IHL Type of Service Total Length Fragmen t Offset Version

IPv6 Header (40 bytes)

Traffic Class Flow Label Next Header

Identification Time to Live

Flags

Payload Length

Hop Limit

Protocol
Source Address Destination Address Options

Header Checksum

Source Address

Padding

Destination Address

IPv6 OS Support

CONTENTS

1. 2. 3. 4. 5. 6. 7. 8. 9.

What is Internet Protocol? IPv4-Addressing and Classes IPv6- Definition Problem with IPv4 Address resolutions Security issues Advantages over IPV4 Current Implementation Implementation in our network

The Big IPv6 Security Question

IPv6 Offers:

Security Benefits (The Good)

Security Drawbacks (The Bad)

IPv6 Security: The Good

Built-In IPSec Offers Better Security Right?

IPSec is a mandatory part of the IPv6 Protocol

Whats IPSec Again?

Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, antireply, and encryption (confidentiality) to IP packets, thus providing secure and private communications.

Among other things, IPSec consists of:

Authentication Headers (AH) Provides data origin authentication and integrity (protects against replay attacks) Encapsulating Security Payloads (ESP) Adds encryption to the mix to provide confidentiality

What are IPv6 Extension Headers?

Ext. headers may include:

Remember IPv6 need header simplification? Dropped options to go somewhere

IPv6 Header
IPv6 Header IPv6 Header

Hop-by-hop options Destination Options Routing IPv4 Header IPv6 Fragmentation (20 bytes) Payload(40 AH Header Traffic Type of ESP Header Version IHL Flow Total Label Length Dropped Class Service Etc

Extension Payload Identification Length Header

Time to Live

Next Fragmen Flags Hop Limit Header t Offset Payload Header Checksum

Protocol Source Address

ExtensionSource Address Extension Destination Address Header Header

Destination Address Options Padding

Payload

Built-In IPSec Offers Better Security Right?

IPSec is a mandatory part of the IPv6 Protocol

What does this really mean?

Part of IPv6 protocol stack, not an optional add-on Implemented with AH and ESP Extension Headers Follows one standard (less interop issues) Every IPv6 device can do IPSec However, IPSec usage is still OPTIONAL!

Wait! Doesnt IPv4 Offer IPSec too?

Some truths about IPv6s additional IPSec Security:
IPv4 has it too (though, not natively) We dont have to use it, and most dont Still complex May require PKI Infrastructure

So is this really a security benefit? Short term probably no measureable advantage over IPv4 IPSec Long term More applications will leverage it now that its mandatory!

So Long NAT! Hello, End-2-End Addressing

NAT does NOT provide security! End-2-End (public) addressing increases accountability

Vast Address Space Naturally Thwarts Certain Attacks

(340 unidecillion)

Too big for automated reconnaissance and attack:

Average network port scans would take decades Automated worm propagation would slow to a crawl

IPv6 Security: The Bad

Immature Protocols = Increased Vulnerability & Risk

During the creation life-cycle of new standards and protocols: Security is often an after-thought Unexpected problems happen due to complex interactions Many issues dont surface until the tech receives wider usage

These concepts have proven themselves with many new network protocols in the past. Most experts suspect there are many security issues in IPv6, and related protocols, that we have yet to uncover.

Unfamiliarity Causes Misconfigurations

Many network administrators and IT practitioners are still relatively unfamiliar with all IPV6s ins and outs

Common issues:

Not realizing IPv6 is already in their network Ignorance of Tunneling Mechanisms Lack of ACL policy for IPv6 multi-homing Unawareness of potential privacy issues Over permissiveness, just to get it to work

Automatic Addressing May Pose Privacy Concerns

In the previous slides, i showed how to automatically create a EUI-64 address. However, this makes our MAC public, which we may consider a privacy issue. There are options to rectify this issue: Privacy Enhanced Addresses [RFC 3041] Cryptographically Generated Addresses (CGA) [RFC 3972]
1. 2. 3. 4. MAC Address: 90-3A-2B-06-2C-D1 Split in half: 90-3A-2B 06-2C-D1 Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1 Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1

A Look Back at IPv4 ARP Poisoning

Hey I also Everyone. And have I 192.168.20.2, 192.168.20.1 have 192.168.20.34 And ..

Who has 192.168.20.34?

I Do. Heres my MAC

No authentication or security

Neighborhood Discovery Suffers from Similar Issues

Neighbor Solicitation

I Do. Send traffic to me

Neighbor Advertisement ND Spoofing

Who Who has has 2001::3/64? 2001::3/64?

I Do. Heres my Layer 2 address

No authentication or security

Many Other Neighbor and Router Discovery Issues

Other ND related attacks: Duplicate Address Detection (DAD) DoS attack ND spoofing attack for router (allows for MitM) Neighbor Unreachability Detection (NAD) DoS attack Last Hop Router spoofing (malicious router advertisements) And many more Solution: SEcure Neighbor Discovery (SEND) RFC 3971 Essentially adds IPSec to ND communications Requires PKI Infrastructure Not available in all OSs yet. 802.1X also an option

IPv6 Security Controls Lagging Hacking Arsenal/Tools

Attackers already have many IPv6 capable tools:
THC-IPv6 Attack Suite
Alive6

TCPDump
Fake_mld6 Fake_Advertiser6 SendPees6 DNSDict6 Trace6 Flood_Router6

Imps6-tools Relay6 IPv6 Unfortunately, security controls and 6tunnel products seems to be a bit behind. NT6tunnel VoodooNet Scapy6 Metasploit (etc.) Web Browsers (XSS & SQLi)

THC-IPv6 Attack Suite Nmap Wireshark

COLD Spak6

Parasite6 Redir6

Multi-Generator (MGEN) Fake_Router6

Detect-New-IPv6 IPv6 Security Scanner (vscan6) DoS-New-IPv6 Smurf6 rSmurf6 TooBig6

Isic6 Hyenae SendIP Packit

Halfscan6 Strobe Netcat6

Flood_Advertise6 Fuzz_IP6 etc

4to6ddos 6tunneldos

Fake_MIPv6

IPv6 Security:

Conclusion

So Does/Will IPv6 Provide More Security?

Probably Not. Few will adopt/use the IPv6 related security additions early on. Furthermore, the protocols newness and administrators unfamiliarity may result in more vulnerabilities at first. That said, IPv6 security is NOT worse than IPv4.

Yes. If leveraged, some IPv6 additions can increase our overall network security. As we become more familiar with it, and more network services begin to leverage advanced options, IPv6 should prove slightly more security than IPv4.

Short Term

Long Term

CONTENTS

1. 2. 3. 4. 5. 6. 7. 8. 9.

What is Internet Protocol? IPv4-Addressing and Classes IPv6- Definition Problem with IPv4 Address resolutions Security issues Advantages over IPV4 Current Implementation Implementation in our network

IPv6 Technical Benefits

Exponentially more IP addresses Fixed headers means faster traffic

True end-to-end addressing. (No more NAT?)

Built in end-to-end security (IPSec) Built in QoS functionality Autoconfiguration Great for mobiles

Advantages of IPv6 over IPv4 (1)

Feature Source and destination address IPSec IPv4 32 bits Optional IPv6 128 bits required

Payload ID for QoS in the header

Fragmentation Header checksum Resolve IP address to a link layer address

No identification
Both router and the sending hosts included broadcast ARP request

Using Flow label field

Only supported at the sending hosts Not included Multicast Neighbor Solicitation message

Advantages of IPv6 over IPv4 (2)

Feature Determine the address of the best default gateway IPv4 ICMP Router Discovery(optional) IPv6 ICMPv6 Router Solicitation and Router Advertisement (required)

Send traffic to all nodes on a subnet

Configure address Manage local subnet group membership

Broadcast

Link-local scope all-nodes multicast address

Auto configuration Multicast Listener Discovery (MLD)

Manually or DHCP (IGMP)

CONTENTS

1. 2. 3. 4. 5. 6. 7. 8. 9.

What is Internet Protocol? IPv4-Addressing and Classes IPv6- Definition Problem with IPv4 Address resolutions Security issues Advantages over IPV4 Current Implementation Implementation in our network

Ipv6 Implementation till date

Ipv6 Implementation till date

Test Your Connectivity!!

CONTENTS

1. 2. 3. 4. 5. 6. 7. 8. 9.

What is Internet Protocol? IPv4-Addressing and Classes IPv6- Definition Problem with IPv4 Address resolutions Security issues Advantages over IPV4 Current Implementation Implementation in our network

Three Steps to Implementing IPv6

Research and Discovery Planning & Migration Strategies

Implementation & Transition

Find the Answer to Three Questions

Does your ISP support IPv6?

Research and Discovery

Whats your network look like today? What needs an upgrade? (or a transition technology)

Map Your Network

We should identify:
Our core infrastructure (routers, switches, etc) Security devices Hosts and OSs on our network Enumerate our DNS and DHCP servers Our application servers (Public & Private) Other networks devices (printers, NAS, etc..)

Research and Discovery

What Needs an Upgrade?

The goal of the previous network enumeration process is to figure out what supports IPv6 and what does not.

Research and Discovery

Place in three buckets: No support Partial support Full support (w/dual-stack)

Devices lacking support will require eventual upgrade or transition services

IPv6 Transition Technologies

Dual-Stack: IPv4 and IPv6 run together on all/most devices. Dual-Stack routing devices can handle translation, if necessary Tunneling: Allow IPv6 devices to communicate over an IPv4 network via tunnels (a lot like VPN)
Manual: Require configuration. More control, thus more secure Automatic: Little setup. May sneak out your network Tunnel Brokers: Companies that offer easy IPv6 tunneling services

Planning and Migration Strategies

Translation: Re-writing one protocol packets to another protocol (IPv6 to IPv4, and vice versa).

Application-specific proxies: Translation only for specific services (web, email, etc). IPv6 client connects to proxy server, it makes IPv4 connection to a service

Common Tunneling and Translation Protocols

Tunnel Protocols Translation Protocols

Planning and Migration Strategies

6to4 (Auto) Teredo (Auto) ISATAP (Auto) 6rd (Auto) 4in6 (Configured) 6in4 (Configured)

Stateless IP/ICMP Translation (SIIT) NAT64 DNS 64 Dual-stack Lite (DSLite) NAT-PT (depreciated)

Three Migration Strategies

Planning and Migration Strategies

Core Migration Application/Server Migration Client-Side Migration

A Simplified Network
Internet ISP

Planning and Migration Strategies

IPv4 Core Network

IPv4 Network (LAN)

IPv4 Network (DMZ)

IPv4 Network

Client-side Migration

IPv6 Tunnel broker or endpoint

Internet

Planning and Migration Strategies

ISP Again, Tunneling or Translation services used where needed

IPv6 Core Network IPv6 Routers (or Dual-stack)-- IPv4 IPv4/IPv6 Network Network (LAN) Dual-stack Routers--------------------------- IPv4 Network IPv4 Network (DMZ)

Expect a Long-term Transition Phase

Plan at least a 6 year IPv6 Transition phase It will actually take some organizations years to fully convert to IPv6 More importantly, even if you convert your entire network to IPv6-only tomorrow, you will still need to leverage 4to6 translation technologies to allow the rest of the world to connect to you until they catch up!

Implementation and Transition

References:
1. http://www.google.com/ipv6/statistics.html 2. http://oversteer.bl.echidna.id.au/IPv6/RFC 3. http://www.cisco.com/web/about/security/security_services/ciag/documents/ v6-v4-threats.pdf 4. https://www.cs.siue.edu/~wwhite/CS447/TopicalPaper/Originals/Bridges_IPv6 SecurityChallenges.pdf 5. http://technet.microsoft.com/en-us/library/bb726956.aspx 6. http://tools.ietf.org/html/rfc4861#page-38 7. http://www.ipv6.com 8. http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html 9. And many more..

Thank You!