3. IPv6 Neighbor Discovery Fundamentals
RFC 4861, Neighbor Discovery for IP Version 6 (IPv6)
RFC 4862, IPv6 Stateless Address Autoconfiguration
Used for:
Router discovery
IPv6 Stateless Address Autoconfiguration (SLAAC)
IPv6 address resolution (replaces ARP)
Neighbor Unreachability Detection (NUD)
Duplicate Address Detection (DAD)
Redirection
Operates above ICMPv6
Relies heavily on multicast (including L2-multicast)
Works with ICMPv6 messages and message options
4. IPv4 to IPv6 – Link model shift
"An IPv4 link": the DHCP server assigns addresses, announces the default router and announces the link parameters.
The IPv4 link model is DHCP-centric.
"An IPv6 link": the router announces the default router and the link parameters; the DHCP server only assigns addresses.
The IPv6 link model is essentially distributed, with DHCP playing a minor role.
5. Cisco Current Roadmap
Securing Link Operations: IETF SAVI WG
First Hop Trusted Device (with a certificate server and a time server)
Advantages
– Central administration, central operation
– Complexity limited to first hop
– Transitioning a lot easier
– Efficient for threats coming from the link
– Efficient for threats coming from outside
Disadvantages
– Applicable only to certain topologies
– Requires first-hop to learn about end-nodes
– First-hop is a bottleneck and single point of failure
7. IPv6 Address Resolution – comparing with IPv4 ARP
Creates neighbor cache entry, resolving IPv6 address into MAC address.
Messages: Neighbor Solicitation (NS), Neighbor Advertisement (NA)
NS, ICMP type = 135 (Neighbor Solicitation), from A:
Src = A
Dst = Solicited-node multicast address of B
Data = B
Option = link-layer address of A
Query = what is B’s link-layer address?
NA, ICMP type = 136 (Neighbor Advertisement), from B:
Src = one of B’s interface addresses
Dst = A
Data = B
Option = link-layer address of B
A and B can now exchange packets on this link
8. Attacking IPv6 Address Resolution
Attacker can claim victim's IPv6 address.
NS from A:
Dst = Solicited-node multicast address of B
Query = what is B’s link-layer address?
NA from attacker C:
Src = B or any of C’s interface addresses
Dst = A
Data = B
Option = link-layer address of C
Countermeasures: Static Cache Entries, Address GLEAN,
SeND (CGA) on routers, Integrity Guard (Address-Watch).
9. Address GLEAN
Gleaning means inspecting the traffic on the link (NDP, DHCP and data) to build the binding table.
Binding table (IPv6, MAC, VLAN, IF):
A1 MACH1 100 P1
A21 MACH2 100 P2
A22 MACH2 100 P2
A3 MACH3 100 P3
Gleaned exchanges from hosts H1, H2 and H3:
H1: NS [IP source=A1, LLA=MACH1]
H2: DHCP REQUEST [XID, SMAC = MACH2]; DHCP server: REPLY [XID, IPA21, IPA22]
H3: data [IP source=A3, SMAC=MACH3]
DAD NS [IP source=UNSPEC, target = A3]
NA [IP source=A1, LLA=MACH3]
Switch to DHCP server: DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY
10. IPv6 Duplicate Address Detection (DAD)
Verify IPv6 address uniqueness: verify that no neighbor claims the address
Required (MUST) by SLAAC, recommended (SHOULD) by DHCP
Messages: Neighbor Solicitation, Neighbor Advertisement
DAD NS from A, ICMP type = 135 (Neighbor Solicitation):
Src = UNSPEC = 0::0
Dst = Solicited-node multicast address of A
Data = A
Query = Does anybody use A already?
If nobody answers, node A starts using the address
11. Attack On DAD
Attacker defeats any of the victim's DAD attempts.
Victim can't configure an IP address and can't communicate: DoS condition.
DAD NS from A:
Src = UNSPEC
Dst = Solicited-node multicast address of A
Data = A
Query = Does anybody use A already?
NA from attacker C, “it’s mine!”:
Src = any of C’s interface addresses
Dst = A
Data = A
Option = link-layer address of C
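The NS/NA exchanges of slides 7, 8, 10 and 11 in working form, as an added example that is not part of the original deck: it encodes and decodes RFC 4861 Neighbor Solicitation/Advertisement bodies (link-layer address option included, plus the unspecified-source DAD case) and derives the solicited-node multicast group. All addresses and MACs are constructed sample values.

```python
import ipaddress
import struct

ICMPV6_NS, ICMPV6_NA = 135, 136
OPT_SLLA, OPT_TLLA = 1, 2        # source / target link-layer address option types

def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx, taking the low 24 bits of the target address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))

def lladdr_option(kind: int, mac: str) -> bytes:
    """ND option: type (1 byte), length in 8-byte units (1 byte), 6-byte MAC."""
    return struct.pack("!BB", kind, 1) + bytes.fromhex(mac.replace(":", ""))

def build_ns(target: str, src_mac: str = "") -> bytes:
    """NS body after the IPv6 header: type, code, checksum (0 here), reserved,
    target address, options. A DAD NS comes from :: and carries no SLLA option."""
    body = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    return body + (lladdr_option(OPT_SLLA, src_mac) if src_mac else b"")

def build_na(target: str, tgt_mac: str, solicited: bool, override: bool) -> bytes:
    """NA body: R (bit 31, router) left clear, S = bit 30, O = bit 29."""
    flags = (int(solicited) << 30) | (int(override) << 29)
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    return body + lladdr_option(OPT_TLLA, tgt_mac)

def parse(body: bytes) -> dict:
    """Decode an NS or NA body: type, S/O flags (NA), target, link-layer option."""
    typ, _code, _csum, word = struct.unpack("!BBHI", body[:8])
    msg = {"type": typ, "target": str(ipaddress.IPv6Address(body[8:24])), "lladdr": None}
    if typ == ICMPV6_NA:
        msg.update(S=bool(word & (1 << 30)), O=bool(word & (1 << 29)))
    pos = 24
    while pos + 8 <= len(body):            # walk the TLV options
        kind, length = body[pos], body[pos + 1]
        if length == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: must be discarded
        if kind in (OPT_SLLA, OPT_TLLA):
            msg["lladdr"] = body[pos + 2:pos + 8].hex(":")
        pos += 8 * length
    return msg

# Address resolution of B by A (slide 7) and B's answer; DAD NS for B (slide 10).
B = "2001:db8:1::b"
NS_FROM_A = build_ns(B, "00:11:22:33:44:0a")      # sent to solicited_node(B)
NA_FROM_B = build_na(B, "00:11:22:33:44:0b", solicited=True, override=False)
DAD_NS = build_ns(B)                              # src ::, no option
```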
12. Device tracking
Goal: to track active addresses (devices) on the link
Binding table (IPv6, MAC, VLAN, IF, STATE) for hosts H1, H2, H3:
A1 MACH1 100 P1 REACH (was STALE)
A21 MACH2 100 P2 REACH
A22 MACH2 100 P2 REACH
A3 MACH3 100 P3 STALE
Address GLEAN feeds the binding table
– Keep track of device state
– Probe devices when becoming stale
– Remove inactive devices from the binding table
– Record binding creation/deletion/changes
Probes and answers:
DAD NS [IP source=UNSPEC, target = A1]
NA [target = A1, LLA=MACH1]
DAD NS [IP source=UNSPEC, target = A3]
13. IPv6 Source Guard
Validating the source address of IPv6 traffic sourced from the link
Binding table (IPv6, MAC, VLAN, IF) for hosts H1, H2, H3:
A1 MACA1 100 P1
A21 MACA21 100 P2
A22 MACA22 100 P2
A3 MACA3 100 P3
Address GLEAN feeds the binding table:
DAD NS [IP source=UNSPEC, target = A3]
NA [target = A1, LLA=MACA3]
DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY
P3 ::A3, MACA3
Data frames checked against the table:
P1: data, src = A1, SMAC = MACA1
P2: data, src = A21, SMAC = MACA21
P3: data, src = A3, SMAC = MACA3
– Allow traffic sourced with known IP/SMAC
– Deny traffic sourced with unknown IP/SMAC
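A minimal binding table implementing the glean, device-tracking and Source Guard behaviour of slides 9, 12 and 13, added here and not taken from the deck or from any Cisco implementation. The labels A1, MACH1, P1 and so on follow the slides; the 30-second stale timeout and the 60-second grace period before deletion are assumptions.

```python
import time

STALE_AFTER = 30.0     # assumed reachability timeout before an entry becomes STALE

class BindingTable:
    def __init__(self, now=time.monotonic):
        self.now = now
        self.entries = {}      # ip -> dict(mac, vlan, port, state, seen)
        self.log = []          # record binding creation/deletion/changes

    def glean(self, ip, mac, vlan, port, source):
        """Learn or refresh a binding from an NS/NA, a DHCP reply or a data frame."""
        old = self.entries.get(ip)
        if old is None:
            self.log.append(f"CREATE {ip} {mac}/{port} ({source})")
        elif (old["mac"], old["port"]) != (mac, port):
            self.log.append(f"CHANGE {ip} {old['mac']}/{old['port']} -> {mac}/{port} ({source})")
        self.entries[ip] = dict(mac=mac, vlan=vlan, port=port, state="REACH", seen=self.now())

    def state(self, ip):
        """Device tracking: an entry not refreshed within STALE_AFTER turns STALE
        (the switch would then probe it with an NS from the unspecified address)."""
        e = self.entries.get(ip)
        if e and e["state"] == "REACH" and self.now() - e["seen"] > STALE_AFTER:
            e["state"] = "STALE"
        return e["state"] if e else None

    def probe_reply(self, ip, mac):
        """NA answering the probe: back to REACH, unless the MAC changed (address watch)."""
        e = self.entries[ip]
        if e["mac"] != mac:
            self.log.append(f"ADDRESS-WATCH {ip} claimed by {mac}, bound to {e['mac']}")
            return False
        e.update(state="REACH", seen=self.now())
        return True

    def remove_inactive(self, grace=60.0):
        """Delete entries that stayed STALE (no probe answer) for longer than grace."""
        for ip in [ip for ip, e in self.entries.items()
                   if e["state"] == "STALE" and self.now() - e["seen"] > STALE_AFTER + grace]:
            self.log.append(f"DELETE {ip}")
            del self.entries[ip]

    def source_guard(self, port, src_ip, smac):
        """Permit a data frame only when (source IP, SMAC, ingress port) is a known binding."""
        e = self.entries.get(src_ip)
        return e is not None and e["mac"] == smac and e["port"] == port

bt = BindingTable()
bt.glean("A1", "MACH1", 100, "P1", "NS")   # slide 9: NS [IP source=A1, LLA=MACH1]
```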
15. Why should you care about router stealing?
Is there an IPv6 network?
$ ifconfig en1
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:26:bb:xx:xx:xx
        inet6 fe80::226:bbff:fexx:xxxx%en1 prefixlen 64 scopeid 0x6
        inet 10.19.19.118 netmask 0xfffffe00 broadcast 10.19.19.255
        media: autoselect
        status: active
Are there any IPv6 peers?
$ ping6 -I en1 ff02::1%en1
PING6(56=40+8+8 bytes) fe80::226:bbff:fexx:xxxx%en1 --> ff02::1
16 bytes from fe80::226:bbff:fexx:xxxx%en1, icmp_seq=0 hlim=64 time=0.140 ms
. . .
16 bytes from fe80::cabc:c8ff:fec3:fdef%en1, icmp_seq=3 hlim=64 time=402.112 ms
^C
--- ff02::1%en1 ping6 statistics ---
4 packets transmitted, 4 packets received, +142 duplicates, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.140/316.721/2791.178/412.276 ms
Configure a tunnel, enable forwarding, transmit RA
$ ndp -an
Neighbor                             Linklayer Address  Netif Expire    St Flgs Prbs
2001:xxxx:xxxx:1:3830:abff:9557:e33c 0:24:d7:5:6b:f0    en1   23h59m30s S
. . .
$ ndp -an | wc -l
64
16. IPv6 Router Discovery
Find default/first-hop routers
Discover on-link prefixes => which destinations are neighbors
Messages: Router Advertisements (RA), Router Solicitations (RS)
RS, ICMP Type = 133 (Router Solicitation), from host A:
Src = UNSPEC (or Host link-local address)
Dst = All-routers multicast address (FF02::2)
Query = please send RA
RA, ICMP Type = 134 (Router Advertisement), from router B (connected to the Internet):
Src = Router link-local address
Dst = All-nodes multicast address (FF02::1)
Data = router lifetime, retrans timer, autoconfig flag
Option = Prefix, lifetime
A uses B as default gateway
17. Attacking IPv6 Router Discovery
Attacker tricks the victim into accepting it as default router
Based on rogue Router Advertisements
The most frequent threat, typically from a non-malicious user
RA spoofed as coming from router B, sent by attacker C:
Src = B’s link-local address
Dst = All-nodes
Data = router lifetime = 0
RA from attacker C:
Src = C’s link-local address
Dst = All-nodes
Data = router lifetime, autoconfig flag
Options = subnet prefix, slla
Result: node A sends off-link traffic to C
18. IPv6 RA-Guard – Securing Router Discovery
Attacker C sends an RA (“I am the default gateway”) towards host A; the switch intercepts it.
Verification of the Router Advertisement options (prefix(es)) succeeded? Forward RA.
Switch selectively accepts or rejects RAs based on various criteria –
ACL (configuration) based, learning-based or challenge (SeND) based.
Hosts see only allowed RAs, and RAs with allowed content.
More countermeasures: static routing, SeND, VLAN segmentation,
PACL.
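An added example (not code from the deck or from Cisco's RA-guard) that parses an RFC 4861 Router Advertisement with its Prefix Information options and applies the ACL-based RA-guard policy described above: RAs on host ports are dropped, and RAs on router ports are forwarded only from an authorised link-local source and only with allowed prefixes, which also catches an RA carrying a rogue prefix. Port names, addresses and prefixes are constructed sample values.

```python
import ipaddress
import struct

ICMPV6_RA, OPT_PREFIX = 134, 3

def build_ra(router_lifetime, prefixes, flags=0x40):
    """RA body: header (type, code, csum, hop limit, M/O flags, lifetime, reachable, retrans) + PIOs."""
    body = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    for prefix, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        body += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0,   # L and A flags set
                            valid, preferred, 0) + net.network_address.packed
    return body

def parse_ra(body):
    """Decode router lifetime, M flag and the (prefix, valid, preferred) options."""
    typ, _c, _s, _hl, flags, lifetime, _rt, _rx = struct.unpack("!BBHBBHII", body[:16])
    if typ != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"lifetime": lifetime, "managed": bool(flags & 0x80), "prefixes": []}
    pos = 16
    while pos + 2 <= len(body):
        kind, length = body[pos], body[pos + 1]
        if length == 0:
            raise ValueError("zero-length option")
        if kind == OPT_PREFIX and length == 4:
            plen, _f, valid, pref, _r = struct.unpack("!BBIII", body[pos + 2:pos + 16])
            addr = ipaddress.IPv6Address(body[pos + 16:pos + 32])
            ra["prefixes"].append((f"{addr}/{plen}", valid, pref))
        pos += 8 * length
    return ra

class RAGuard:
    """ACL-style policy: host ports never forward RAs; router ports forward an RA only
    when its source link-local address is authorised and every prefix is allowed."""
    def __init__(self, router_ports, allowed_sources, allowed_prefixes):
        self.router_ports = set(router_ports)
        self.allowed_sources = {ipaddress.IPv6Address(a) for a in allowed_sources}
        self.allowed_prefixes = [ipaddress.IPv6Network(p) for p in allowed_prefixes]

    def verdict(self, port, src, body):
        if port not in self.router_ports:
            return "DROP: RA on host port"
        if ipaddress.IPv6Address(src) not in self.allowed_sources:
            return "DROP: unauthorised router source"
        for prefix, _valid, _pref in parse_ra(body)["prefixes"]:
            net = ipaddress.IPv6Network(prefix)
            if not any(net.subnet_of(a) for a in self.allowed_prefixes):
                return f"DROP: prefix {prefix} not allowed"
        return "FORWARD"
```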
19. IPv6 Stateless Address Auto-Configuration (SLAAC)
Stateless, based on prefix information delivered in Router Advertisements.
Messages: Router Advertisements, Router Solicitations
RS, ICMP Type = 133 (Router Solicitation), from host A:
Src = UNSPEC (or Host link-local address)
Dst = All-routers multicast address (FF02::2)
Query = please send RA
RA, ICMP Type = 134 (Router Advertisement), from router B (connected to the Internet):
Src = Router link-local address
Dst = All-nodes multicast address (FF02::1)
Data = router lifetime, retrans timer, autoconfig flag
Options = Prefix X, Y, Z, lifetime
A computes X::x, Y::y, Z::z and DADs them (NS)
A sources traffic with X::x, Y::y, Z::z
20. Attacking IPv6 Stateless Address Auto-Configuration
Attacker spoofs Router Advertisement with false on-link prefix
Victim generates IP address with this prefix
Access router drops outgoing packets from victim (ingress filtering)
Incoming packets can't reach victim
RA spoofed as coming from router B, sent by attacker C:
Src = B’s link-local address
Dst = All-nodes
Options = prefix X, Preferred lifetime = 0
Node A deprecates X::A
Second spoofed RA:
Src = B’s link-local address
Dst = All-nodes
Options = prefix BAD, Preferred lifetime
Node A computes BAD::A and DADs it
Node A sources off-link traffic to B with BAD::A
Router B filters out BAD::A
21. Cryptographically Generated Addresses CGA
RFC 3972 (Simplified)
Each device has an RSA key pair (no need for a certificate)
Ultra-light check for validity
Prevents spoofing a valid CGA address
Construction: the RSA public key, a Modifier and the Subnet Prefix are hashed with SHA-1; the hash yields the Interface Identifier, and Subnet Prefix + Interface Identifier form the Cryptographically Generated Address.
SeND messages carry the CGA Params (modifier, subnet prefix, public key) and a Signature made with the private key.
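Simplified RFC 3972 CGA generation and verification, added here as an illustration of the construction above (not the deck's or any SeND stack's code). PUBKEY is a constructed byte string standing in for the DER-encoded RSA public key; the SeND signature over the ND message is not covered.

```python
import hashlib
import ipaddress

def _hash1(modifier, prefix, collisions, pubkey):
    """Hash1 = leftmost 64 bits of SHA-1(modifier || subnet prefix || collision count || key)."""
    return hashlib.sha1(modifier + prefix + bytes([collisions]) + pubkey).digest()[:8]

def _hash2(modifier, pubkey):
    """Hash2 = leftmost 112 bits of SHA-1(modifier || 9 zero bytes || key)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def _iid(hash1, sec):
    """Interface ID: Hash1 with its 3 leftmost bits set to Sec and the u/g bits cleared."""
    return bytes([(hash1[0] & 0x1C) | (sec << 5)]) + hash1[1:]

def generate(prefix, pubkey, sec, modifier=0):
    """Search a modifier whose Hash2 starts with 16*Sec zero bits (about 2^(16*Sec)
    SHA-1 calls), then derive the CGA. Collision count stays 0 (DAD would raise it)."""
    net = ipaddress.IPv6Network(prefix)
    assert net.prefixlen == 64, "CGA needs a 64-bit subnet prefix"
    pfx = net.network_address.packed[:8]
    while True:
        mod = modifier.to_bytes(16, "big")
        if int.from_bytes(_hash2(mod, pubkey), "big") >> (112 - 16 * sec) == 0:
            break
        modifier += 1
    addr = ipaddress.IPv6Address(pfx + _iid(_hash1(mod, pfx, 0, pubkey), sec))
    return str(addr), {"modifier": mod, "prefix": pfx, "collisions": 0, "pubkey": pubkey}

def verify(addr, params):
    """The 'ultra light' check: recompute Hash1 and Hash2 from the CGA Parameters.
    It binds the address to the public key; a spoofer would need a second key
    whose parameters hash to the victim's interface identifier."""
    packed = ipaddress.IPv6Address(addr).packed
    if params["collisions"] > 2 or packed[:8] != params["prefix"]:
        return False
    sec = packed[8] >> 5
    h1 = _hash1(params["modifier"], params["prefix"], params["collisions"], params["pubkey"])
    if _iid(h1, sec) != packed[8:]:
        return False
    h2 = int.from_bytes(_hash2(params["modifier"], params["pubkey"]), "big")
    return h2 >> (112 - 16 * sec) == 0

# Constructed stand-in for a DER-encoded RSA public key (not a real key).
PUBKEY = b"constructed-rsa-public-key-der-bytes"
CGA, PARAMS = generate("2001:db8:1::/64", PUBKEY, sec=1)
```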
22. Using SeND for router authorization
Certificate Authority CA0 (certificate C0, Subject Name) contains the list of authorized IPv6 prefixes.
1. Provision: host A is provisioned with the CA certificate C0
2. Request: router R requests a router certificate from CA0
3. Provision: CA0 issues the router certificate CR to R
4. R sends ROUTER ADVERTISEMENT (SRC = R); A sends Certificate Path Solicit (CPS): I trust CA0, who are you R?
5. R answers with Certificate Path Advertise (CPA): I am R, this is my certificate CR signed by CA0
6. A verifies CR against CA0
7. A verifies router legitimacy (and address ownership) and inserts R as default route
Each node takes care of its own security
23. SeND Deployment Challenges with boundaries
Diagram: separate CAs on each side of the ADMINISTRATIVE BOUNDARY, each with its own routers and hosts.
Nodes must be provisioned with CA certificate(s)
A chain of trust is easy to establish within the administrative boundaries, but very hard outside
Very few IPv6 stacks support SeND today
25. Reconnaissance in IPv6?
Easy with Multicast.
No need for reconnaissance anymore
3 site-local multicast addresses (not enabled by default)
FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers
Several link-local multicast addresses (enabled by default)
FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, …
Example: Source = Attacker, Destination = FF05::1:3 (all DHCP servers), Payload = DHCP attack; one packet reaches every DHCP server of the site, here 2001:db8:2::50, 2001:db8:1::60 and 2001:db8:3::70.
http://www.iana.org/assignments/ipv6-multicast-addresses/
26. Remote address resolution cache exhaustion
Attacker X on the Internet scans the 2^64 addresses of PFX::/64 behind the gateway (ping PFX::a, PFX::b, … PFX::z).
For each target the gateway sends an NS and keeps the pending entry for 3 seconds:
NS: Dst = Solicited-node multicast address of PFX::a, Query = what is PFX::a’s link-layer address?
NS: Dst = Solicited-node multicast address of PFX::b, Query = what is PFX::b’s link-layer address?
…
NS: Dst = Solicited-node multicast address of PFX::z, Query = what is PFX::z’s link-layer address?
Countermeasures: address provisioning mechanisms and
filtering on routers, Destination Guard on switches
27. Destination guard – mitigating cache exhaustion
L3 switch between the Internet and host B, holding a Binding table (populated by address glean) and a Neighbor cache.
Scanning of {P/64} from the Internet: packets addressed to D1 … Dn.
For each packet: lookup D1 in the binding table; not found (NO) → dropped; found → Forward packet.
Mitigate prefix-scanning attacks and Protect ND cache
Useful at last-hop router and L3 distribution switch
Drops packets for destinations without a binding entry
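A toy model of the remote neighbor-cache exhaustion of slide 26 and of the Destination Guard and cache-limit mitigations of slides 27 and 28, added here and not part of the deck. Prefix, host addresses and the 3-second pending time are constructed assumptions; the limit is only analogous to the IOS interface limit, not its implementation.

```python
import ipaddress

PENDING = 3.0   # seconds an unanswered NS keeps its INCOMPLETE entry (the slides' "3 seconds")

class LastHopRouter:
    """Toy gateway for PFX::/64 with optional Destination Guard (binding-table lookup)
    and optional per-interface cache limit (cf. 'ipv6 nd cache interface-limit')."""
    def __init__(self, prefix, bindings, destination_guard=False, cache_limit=None):
        self.prefix = ipaddress.IPv6Network(prefix)
        self.bindings = {ipaddress.IPv6Address(a) for a in bindings}   # gleaned on the link
        self.destination_guard, self.cache_limit = destination_guard, cache_limit
        self.cache = {}    # destination -> (state, expiry time)
        self.dropped = 0

    def receive(self, dst, now):
        """Packet from the Internet towards dst: forward, drop, or resolve it with an NS."""
        dst = ipaddress.IPv6Address(dst)
        self.expire(now)
        if dst not in self.prefix:
            return "routed-elsewhere"
        if self.destination_guard and dst not in self.bindings:
            self.dropped += 1
            return "dropped: no binding entry"
        if dst in self.cache and self.cache[dst][0] == "REACHABLE":
            return "forwarded"
        if dst not in self.cache:
            if self.cache_limit is not None and len(self.cache) >= self.cache_limit:
                self.dropped += 1
                return "dropped: cache limit"
            self.cache[dst] = ("INCOMPLETE", now + PENDING)   # NS sent to solicited-node group
        return "queued: resolving"

    def na_received(self, target, now):
        """A host on the link answered the NS: its entry becomes REACHABLE."""
        self.cache[ipaddress.IPv6Address(target)] = ("REACHABLE", now + 30.0)

    def expire(self, now):
        for dst in [d for d, (_state, exp) in self.cache.items() if exp <= now]:
            del self.cache[dst]

    def incomplete(self):
        return sum(1 for state, _exp in self.cache.values() if state == "INCOMPLETE")

def scan(router, count, start=0.0):
    """Attacker X pings `count` consecutive addresses of the router's prefix, one per ms."""
    base = int(router.prefix.network_address)
    for i in range(1, count + 1):
        router.receive(str(ipaddress.IPv6Address(base + i)), start + i / 1000)
    return router.incomplete(), router.dropped
```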
28. Mitigating Remote Neighbor Cache Exhaustion
Built-in rate limiter but no option to tune it
Since 15.1(3)T: ipv6 nd cache interface-limit
Or IOS-XE 2.6: ipv6 nd resolution data limit
Destination-guard is coming with First Hop Security phase 3
Using a /64 on point-to-point links => a lot of addresses to scan!
Using /127 could help (RFC 6164)
Internet edge/presence: a target of choice
Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only
Using infrastructure ACL prevents this scanning
iACL: edge ACL denying packets addressed to your routers
Easy with IPv6 because a new addressing scheme can be designed
32. What your IPS should support now
Can detect IPv6 tunnels in IPv4
IPv6 in IPv4
IPv6 in MPLS tunnel
Teredo destination IP address
Teredo source port
Teredo destination port
Teredo data packet
And more?
Detect DNS request for ISATAP
Detect traffic to 6to4 anycast server
33. Intrusion Prevention for L2 Security
ICMPv6 Signatures for Attack mitigation and visibility, including NA, NS, RA, RS.
34. IPS for Virtual Switching with ERSPAN
Extends the Local SPAN to send packets outside the local host (VEM)
Can be used to monitor the traffic on a Virtual Switch remotely
One or more sources:
Type: Ethernet, Vethernet, Port-Channel, VLAN
Direction: Receive (Ingress) / Transmit (Egress) / Both
IP based destination
ERSPAN ID provides segmentation
Permit protocol type header 0x88be for ERSPAN GRE
Diagram: NEXUS 1000v on ESXi hosts (VMs, VMkernel, Management Console) sending ERSPAN sessions ID:1 and ID:2 to ERSPAN destinations such as a NAM.
36. Features for IPv6 First-Hop Security
Switches do/will integrate a set of monitoring, inspection and guard features for a variety of security-centric purposes:
1. RA-guard
2. NDP address glean/inspection (NDP+DHCP+data)
3. Integrity guard (Address watch/ownership enforcement)
4. Device Tracking
5. DHCP-guard
6. DAD/Resolution proxy
7. Source-guard (SAVI)
8. Destination-guard
9. DHCP L2 relay
Ask your vendor for current support and a serious roadmap.
cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html
37. First Hop Security Phase I in 2010
Protecting against Rogue RA
Port ACL (see later) blocks all ICMPv6 Router Advertisements from hosts:
interface FastEthernet3/13
 switchport mode access
 ipv6 traffic-filter ACCESS_PORT in
 access-group mode prefer port
RA-guard feature in host mode (12.2(33)SXI4 & 12.2(54)SG): also dropping all RA received on this port:
interface FastEthernet3/13
 switchport mode access
 ipv6 nd raguard
 access-group mode prefer port
38. IPv6 Snooping Phase II and III
Phase II: DHCP Guard, Source Guard, Multi Switch operation, RA Throttler, NDP Multicast Suppress
Phase III: Destination Guard, Prefix Guard, DAD Proxy, Binding Table Recovery, SVI support
39. The bottom line
Look inside NetFlow records
Protocol 41: IPv6 over IPv4 or 6to4 tunnels
IPv4 address: 192.88.99.1 (6to4 anycast server)
UDP 3544, the public part of Teredo, yet another tunnel
Look into DNS server log for resolution of ISATAP
Beware of the IPv6 latent threat:
Your IPv4-only network may be vulnerable to IPv6 attacks now.
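Detection logic for the tunnel indicators listed above (protocol 41, the 6to4 anycast relay 192.88.99.1, Teredo UDP 3544, ISATAP DNS lookups), added here as an example and not taken from the deck; the flow export layout, the DNS log layout and all client addresses are constructed sample data, not output of any specific tool.

```python
import csv
import io
import re

SIXTO4_ANYCAST = "192.88.99.1"
TEREDO_PORT = 3544

# Constructed flow export (columns assumed): src, dst, proto, sport, dport, bytes
FLOWS = """\
src,dst,proto,sport,dport,bytes
10.0.0.118,192.88.99.1,41,0,0,1200
10.0.0.55,198.51.100.7,17,51234,3544,640
10.0.0.118,10.0.0.1,6,50000,443,9100
10.0.0.77,203.0.113.9,41,0,0,88000
"""

# Constructed DNS query log lines (BIND-like layout, assumed)
DNS_LOG = """\
10-Mar-2011 10:01:02.123 client 10.0.0.118#51000: query: isatap.example.com IN A +
10-Mar-2011 10:01:05.456 client 10.0.0.55#51001: query: www.example.com IN AAAA +
10-Mar-2011 10:02:09.789 client 10.0.0.77#51002: query: ISATAP.corp.example IN A +
"""

def tunnel_flows(flow_csv: str) -> list:
    """Return (src, reason) for every flow that matches a tunnel indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        proto, dport = int(row["proto"]), int(row["dport"])
        if proto == 41 and row["dst"] == SIXTO4_ANYCAST:
            hits.append((row["src"], "6to4 via public anycast relay"))
        elif proto == 41:
            hits.append((row["src"], "IPv6-in-IPv4 (protocol 41) tunnel"))
        elif proto == 17 and dport == TEREDO_PORT:
            hits.append((row["src"], "Teredo (UDP 3544)"))
    return hits

ISATAP_QUERY = re.compile(r"client (\S+?)#\d+: query: (isatap\.\S+)", re.IGNORECASE)

def isatap_lookups(log: str) -> list:
    """Return (client, name) for DNS queries that resolve an ISATAP router name."""
    matches = (ISATAP_QUERY.search(line) for line in log.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]
```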