Advanced IPv6 Security in the LAN

Gilles Roy, Technical Leader

BRKSEC-3003

In 2015, 55% of attacks are from the inside! *

Source: 2015 IBM Cyber Security Report

3 There is a lot happening on the LAN, and it can be difficult to follow everything, so let's break it down.

1. Operations

2. Attacks

3. Mitigations

4. Use cases

4 Use cases: making sense of YOUR setup

| | Enterprise | SP Access | Datacenter |
|---|---|---|---|
| Operation: Address Allocation | ✔ | ✖ | ✖ |
| Operation: Duplicate Address Detection | ✔ | ✔ | ✔ |
| Operation: Address Resolution | ✔ | ✖ | ✔ |
| Operation: Neighbor Unreachability Detection | ✔ | ✖ | ✔ |
| Operation: Prefix Allocation | ✖ | ✔ | ✖ |
| Operation: Default Router Discovery | ✔ | ✖ | ✔ |
| Attack: Denial of Link Operations | ✔ | ✖ | ✔ |
| Attack: Denial of Address Resolution | ✔ | ✖ | ✔ |
| Attack: Router Theft | ✔ | ✔ | ✔ |
| Attack: Address Theft | ✔ | ✖ | ✔ |
| Attack: Denial of Address Configuration | ✔ | ✔ | ✖ |
| Attack: Denial of Address Assignment | ✔ | ✖ | ✖ |
| Mitigation: RA Guard | ✔ | ✔ | ✔ |
| Mitigation: DHCP Guard | ✔ | ✔ | ✖ |
| Mitigation: Source Guard | ✔ | ✖ | ✔ |
| Mitigation: Destination Guard | ✔ | ✖ | ✖ |
| Mitigation: Binding Guard | ✔ | ✖ | ✔ |

5 Abstract summary and pre-requisite

• This session focuses on IPv6 security within the layer-2 domain

• With a multi-dimensional approach: operations, vulnerabilities, mitigations and use-cases

• It introduces security features at the First Hop, such as RA Guard, Source Guard, Destination Guard, etc.

• Requirements: Knowledge of IPv6 and IPv6 Neighbor Discovery

6 Agenda

• IPv6 in the layer-2 domain: operations and protocols

• IPv6 in the layer-2 domain: vulnerabilities

• Attack Demonstration

• Mitigating Vulnerabilities

• Use cases overview

7 Some background on layer-2 & IPv6

• Layer-2: what is it?

• Layer-2 domain: also called “broadcast domain”, link, LAN, VLAN, segment

• Nodes: hosts, routers, switches, access points

• Link operations: operations between nodes on the shared link

• Security perimeter: draws a line between trusted and untrusted devices

• First hop: first trusted device inside the security perimeter

• First hop security: Secures link-operations on First hop

8 Link operations (For Your Reference)

| LINK OPERATION | PROTOCOL (IPv4) | PROTOCOL (IPv6) | IPv6 RFC |
|---|---|---|---|
| Router Discovery | DHCP | Neighbor Discovery (ND) | RFC4861 |
| Prefix Discovery | - | Neighbor Discovery (hosts); DHCP-PD (routers) | RFC3633 |
| Parameter Discovery | DHCP | Neighbor Discovery (MTU); DHCP (DNS server, NTP server, …) | RFC4861 |
| Address Assignment | DHCP | Neighbor Discovery (SLAAC); DHCP (global scope addresses only) | RFC4861, RFC4862; RFC3315 |
| Duplicate Address Detection (DAD) | ARP | Neighbor Discovery | RFC4862 |
| Address Resolution | ARP | Neighbor Discovery | RFC4861 |
| Neighbor Unreachability Detection (NUD) | ARP | Neighbor Discovery | RFC4861 |
| Redirection | ICMP | Neighbor Discovery | RFC4861 |

9 Fundamentals On Neighbor Discovery

• Provides support for most operations on the link: Router Discovery, Address Resolution, Address Assignment

• Operates above ICMPv6; relies heavily on (link-local scope) multicast, combined with layer-2 multicast

• Works with several ICMP messages and message “options”

• Similar to ARP, but has more options (protocol stack: ND message carried in ICMPv6, carried in IPv6)

10 Router Discovery protocol: discover default router and on-link prefixes (host A, router R)

• RS, ICMP Type = 133 (Router Solicitation), multicast: Source = host link-local address, Destination = ALL-ROUTERS multicast address (FF02::2)

• RA, ICMP Type = 134 (Router Advertisement), multicast: Source = router link-local address (LLR), Destination = all-nodes multicast address (FF02::1), Data = router lifetime, preference=medium, …, Option = Prefix X, Y, Z, lifetime

• Host A installs ::0/0 via LLR in its RIB and uses R as default gateway

The LINK-LOCAL address is the router identity

11 Router Discovery protocol: select (host A, routers B and C)

• RA from B: Source = LLB, Data = router lifetime, preference=M (medium), Option = Prefix X, Y, lifetime

• RA from C: Source = LLC, Data = router lifetime, preference=H (high), Option = Prefix Z, lifetime

• Host A's RIB: ::0/0 via LLB and ::0/0 via LLC (C preferred); address database on IF1: X::A, Y::A, Z::A

Select the router based on preference, and build addresses after each prefix received

12 Router Discovery protocol: redirect (host A, routers B and C, off-link destination X)

• RA from B: Source = LLB, Data = router lifetime, preference=M, Option = Prefix X, Y, lifetime, SLLA (MACB). A installs ::0/0 via LLB in its RIB and LLB/MACB in its ND cache

• A sends traffic to destination X with next hop = LLB/MACB

• REDIRECT from B: Source = LLB, Destination = A, Data = Target: LLC, Destination: X, Option = TLLA (MACC). A installs X/128 via LLC in its RIB

• A now sends traffic to destination X with next hop = LLC/MACC
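The RS/RA exchange and router selection described on slides 10 to 12, as an added Python example that is not part of the session: it decodes a Router Advertisement (header, preference bits, Prefix Information and SLLA options), ranks default routers by preference and forms one address per autonomous prefix, as host A does on slide 11. The two RAs, the link-local sources fe80::b and fe80::c, the prefixes 2001:db8:1::/64 to 2001:db8:3::/64 and the host ID 0xA are constructed samples.

```python
"""Router Discovery as seen by a host: decode RAs, rank routers, form addresses (added example)."""
import ipaddress
import struct

ICMPV6_RA = 134                      # Router Advertisement
OPT_SLLA, OPT_PREFIX = 1, 3          # ND option types (RFC 4861)
PREF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}  # RFC 4191 Prf bits
PREF_RANK = {"high": 2, "medium": 1, "low": 0}


def parse_ra(payload: bytes) -> dict:
    """Decode an ICMPv6 RA (header plus options); raise ValueError on malformed input."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!BBHII", payload[4:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "preference": PREF_NAMES[(flags >> 3) & 0b11], "router_lifetime": lifetime,
          "prefixes": [], "slla": None}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload) or payload[off + 1] == 0:
            raise ValueError("malformed option")          # zero length is forbidden by RFC 4861
        typ, length = payload[off], payload[off + 1] * 8   # option length is in 8-octet units
        if off + length > len(payload):
            raise ValueError("truncated option")
        body = payload[off + 2:off + length]
        if typ == OPT_PREFIX:                              # Prefix Information option
            plen, pflags, valid, _preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40), "valid": valid})
        elif typ == OPT_SLLA:                              # Source Link-Layer Address option
            ra["slla"] = body[:6].hex(":")
        off += length
    return ra


def build_ra(hop_limit: int, pref_bits: int, lifetime: int, prefixes: list, slla: str = None) -> bytes:
    """Build a constructed RA; the checksum stays 0 because it is parsed, never transmitted."""
    out = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, (pref_bits & 0b11) << 3, lifetime, 0, 0)
    for pfx in prefixes:
        net = ipaddress.IPv6Network(pfx)
        # L and A flags set (on-link, usable for SLAAC); valid 30 days, preferred 7 days
        out += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        out += net.network_address.packed
    if slla:
        out += bytes([OPT_SLLA, 1]) + bytes.fromhex(slla.replace(":", ""))
    return out


def host_process(ras: list, host_iid: int) -> dict:
    """Rank default routers by preference and form one address per autonomous prefix (slide 11)."""
    rib, addrs = [], []
    for src_ll, raw in ras:
        ra = parse_ra(raw)
        if ra["router_lifetime"] > 0 and ra["preference"] != "reserved":
            rib.append((src_ll, ra["preference"]))   # the link-local source is the router identity
        for p in ra["prefixes"]:
            if p["autonomous"]:
                net = ipaddress.IPv6Network(p["prefix"])
                addrs.append(str(ipaddress.IPv6Address(int(net.network_address) | host_iid)))
    rib.sort(key=lambda r: PREF_RANK[r[1]], reverse=True)
    return {"default_routers": rib, "addresses": addrs}


# Constructed RAs: router B (medium, prefixes X and Y) and router C (high, prefix Z)
SAMPLE_RAS = [
    ("fe80::b", build_ra(64, 0b00, 1800, ["2001:db8:1::/64", "2001:db8:2::/64"], "00:00:00:00:00:0b")),
    ("fe80::c", build_ra(64, 0b01, 1800, ["2001:db8:3::/64"])),
]

if __name__ == "__main__":
    print(host_process(SAMPLE_RAS, 0xA))
```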

13 Address Resolution protocol: resolve (hosts A and B)

• NS-lookup, ICMP type = 135 (Neighbor Solicitation): Source = A, SLLA = MACA, Dst = solicited-node multicast address of B (SOL B), target = B. Query = what is B’s link-layer address? A creates the neighbor cache entry B – INCOMPLETE; B creates the entry A/MACA STALE

• NA, ICMP type = 136 (Neighbor Advertisement): Src = one of B’s interface addresses, Dst = A, target = B, Option = Target link-layer address (MACB). A's entry becomes B/MACB REACHABLE and data is sent

14 Address Resolution protocol: confirm (hosts A and B)

• A's neighbor cache entry B/MACB is STALE; traffic is sent while the entry is not yet confirmed

• NS-NUD, ICMP type = 135 (Neighbor Solicitation): Destination = B, target = B. Query = Are you still there?

• NA-NUD, ICMP type = 136 (Neighbor Advertisement): Source = B, Destination = A, target = B. Yes! A's entry B/MACB becomes REACHABLE

15 Address Resolution protocol: update (hosts A and B)

• A's neighbor cache holds B/MACB REACHABLE; B's link-layer address changes to MACBB

• NA-override, unsolicited, ICMP type = 136 (Neighbor Advertisement): Source = B, Destination = ALL-NODES, target = B, Option = Target link-layer address (MACBB). A's entry becomes B/MACBB REACHABLE

16 Address assignment methods

Static

Stateless Address Auto Configuration: Modified EUI-64, Privacy Extensions, Cryptographically Generated Address (CGA)

DHCP (only global scope addresses)

Whichever the method, an address MUST be verified for uniqueness with Duplicate Address Detection (DAD) before it can be used

17 Address assignment: StateLess Address Auto Configuration, DAD success (host A, router)

• RA, ICMP Type = 134 (Router Advertisement): Destination = ALL-NODES, Options = Prefix X, lifetime

• The host computes HOSTID (EUI-64, CGA or Privacy), builds A = X HOSTID and runs DAD on A

• NS-DAD, ICMP type = 135 (Neighbor Solicitation): Source = UNSPEC, Destination = SOL A, target = A. Query = Does anybody use A already?

• No answer: address A ready to use

18 Address assignment: StateLess Address Auto Configuration, DAD failure (host A, host X, router)

• RA, ICMP Type = 134 (Router Advertisement): Destination = ALL-NODES, Options = Prefix X, lifetime

• The host computes HOSTID (EUI-64, CGA or Privacy), builds A = X HOSTID and runs DAD on A

• NS-DAD, ICMP type = 135 (Neighbor Solicitation), multicast: Source = UNSPEC, Destination = SOL A, target = A

• Host X answers NA, target=A: the address cannot be used. Manual intervention is required in most cases

19 Address assignment: DHCP (host A, relay, router, server)

• SOLICIT (to ALL_SERVERS_AND_RELAY), ADVERTISE

• REQUEST, option: can I use A?

• REPLY: your address is A

• NS-DAD, ICMP type = 135 (Neighbor Solicitation): Source = UNSPEC, Destination = SOL A, target = A. Query = Does anybody use A already?

• No answer: address A ready to use

LINK-LOCAL addresses cannot be DHCP-assigned

20 Address assignment: DHCP, DAD failure (host A, another host, relay, router, server)

• SOLICIT (to ALL_SERVERS_AND_RELAY), ADVERTISE

• REQUEST

• REPLY

• NS-DAD, ICMP type = 135 (Neighbor Solicitation), multicast: Source = UNSPEC, Destination = SOL A, target = A. Query = Does anybody use A already?

• The other host answers NA, target=A

• DECLINE to the server: the address cannot be used

21 Prefix assignment: DHCP-Prefix-Delegation (home network router LLGW, relay, server)

• SOLICIT, ADVERTISE

• REQUEST-prefix, source = LLGW

• REPLY-prefix: P1, lifetime. The server/relay installs P1 via LLGW in its RIB

• RA into the home network: Source = link-local address, Destination = ALL-NODES, Option = Prefix P1, lifetime

• A home host computes HOSTID, builds A = P1 HOSTID, runs DAD on A, then sources traffic with Source=A

22 Agenda

• IPv6 in the layer-2 domain: operations and protocols

• IPv6 in the layer-2 domain: vulnerabilities
  − Router theft
  − Address (Identity) theft
  − DoS attacks
  − Misdirect attacks

• Attack Demonstration

• …

23 Router Theft (and session hijacking!)

Where’s my next hop?

Right here! I’ll deliver that for you!

24 Router Theft: role (and session hijacking!) (router R, attacker C, host A, destination X)

• RA from R: Source = LLR, preference=medium. A's RIB: ::0/0 via LLR; session to X via R

• RA from C: Source = LLC, Destination=ALL-NODES, preference=high. A's RIB: ::0/0 via LLC; session to X now via C

Most frequent issue seen on the link

25 Address Theft

Don’t worry, 534 is here!

534?

26 Address/Identity Theft (and session hijacking!) (hosts A and B, attacker C)

• Address resolution flow: A's ND cache holds B/MACB; session established between A and B

• Unsolicited NA from C: Source = B, Destination = ALL-NODES, Target = B, Option: SLLA = MACC. A's ND cache now holds B/MACC

• Session re-established, now through C

27 Router Theft, The Return: identity (router R, attacker C, host A, destination X)

• RA from R: Source = LLR, SLLA = MACR. A's RIB: ::0/0 via LLR; ND cache LLR/MACR; session via R/MACR

• Unsolicited NA from C: Source = LLR, Destination = ALL-NODES, Target = LLR, Option: SLLA = MACC. A's ND cache now holds LLR/MACC

• Session via “R” / MACC

28 DoS attacks

Help!

• Denial of address initialization

• Denial of address assignment

• Denial of address configuration

• Denial of address resolution (one packet)

• Denial of address resolution (flood)

• Denial of link operations (flood)

29 DoS attack: denial of address initialization (host A, attacker C, router)

• RA, ICMP Type = 134: Destination = ALL-NODES, Options = Prefix P. The host computes A = {P, HOSTID}

• NS-DAD, ICMP type = 135 (Neighbor Solicitation): Source = UNSPEC, Destination = SOL A, target = A. Query = Does anybody use A already?

• Attacker C answers NA, target=A: “it’s mine!”. The address cannot be used

30 DoS attack: denial of Address assignment (host A, attacker C, relay, router, server)

• SOLICIT (to ALL_SERVERS_AND_RELAY); ADVERTISE from the server, and ADVERTISE from C with preference=255

• REQUEST (to C, the preferred server)

• REPLY, NoAddrsAvail, or REPLY with IA=BOGUS

31 DoS attack: denial of address configuration (host A, attacker C, router B)

• Attacker spoofs a Router Advertisement with a false on-link prefix

• Victim generates a (topology-bogus) IP address with this prefix

• Access router drops outgoing packets from the victim (ingress filtering), or the return path is broken

Spoofed RA: Src = B’s link-local address, Dst = All-nodes, Options = prefix BAD. Node A autoconfigures BAD::A, DADs it, and sources off-link traffic via B with BAD::A. B filters out BAD::A, OR NOT …

32 DoS attack: denial of address resolution (one packet). The attacker responds to all resolution requests (hosts A and B, attacker X)

• NS-lookup, ICMP type = 135 (Neighbor Solicitation): Dst = solicited-node multicast address of B, target = B. Query = what is B’s link-layer address? A's neighbor cache: B – INCOMPLETE

• NA from X: Src = B, Dst = A, Options = TLLA (MACFAKE). A's neighbor cache: B/MACFAKE REACHABLE

• NA from B: Src = B, Dst = A, Options = TLLA (MACB), arrives too late

33 DoS attack: denial of address resolution (flood) (router, host A, attacker X, prefix PFX::/64)

• X scans the 2^64 addresses of PFX::/64 (ping dest. PFX::a, PFX::b, … PFX::z)

• For every destination the router sends NS, Dst = multicast SOL PFX::a (… PFX::b, … PFX::z), Query = Where is PFX::a?, and creates a neighbor cache entry

• Neighbor cache capacity reached (max 3 seconds history): STOP! The session to A suffers

34 DoS attack: denial of link operations (flood) (host A, attacker X, router R, prefix PFX::/64)

• X “claims” 2^64 addresses: NS, Src=PFX::1, Dst=SOLR, SLLA = MAC1; NS, Src=PFX::2, Dst=SOLR, SLLA = MAC2; … NS, Src=PFX::z, Dst=SOLR, SLLA = MACZ

• R's neighbor cache fills with PFX::1 MAC1 STALE, PFX::2 MAC2 STALE, … PFX::z MACZ STALE, until STOP!

• A's own NS (Src=A, Dst=SOLR, SLLA = MACA) can no longer be served

Victim can be any node on the link

35 Misdirecting attacks


36 Misdirecting responses

• The attacker uses a bogus source: topologically incorrect or unassigned

• The destination of the attacker’s traffic is both a victim and an accomplice

• The source of the attacker’s traffic is a victim when it exists

• The network at large (local or remote) is another victim

• The attack can be a flood-based DoS, a poisoning attack, a single-packet attack, etc.

37 Attack Demonstration

38 Router Theft - Demo Topology

vlan 100: HOST, ROUTER, PEER, VILLAIN and CAT connected to SWITCH

39 Attack Demonstration

40 Address Theft - Demo Topology

vlan 100: HOST, SERVER and VILLAIN connected to SWITCH

41 Attack Demonstration

42 More demos on YouTube

• Router theft & mitigations: Cisco IPv6 Router Advertisement (RA) Guard Demo, http://www.youtube.com/watch?v=YbDg33vV-0E

• Address theft & mitigations: Cisco IPv6 snooping Demo, http://www.youtube.com/watch?v=EjqimySPv7U

• DoS attack on ND cache & mitigation: Cisco IPv6 Destination Guard Demo, http://www.youtube.com/watch?v=QDyqV7u4HSY

• Misdirect & mitigation: Cisco IPv6 Source Guard Demo, http://www.youtube.com/watch?v=-vOY0xXLoj0

43 Agenda

• IPv6 in the layer-2 domain: operations and protocols

• IPv6 in the layer-2 domain: vulnerabilities

• Attack Demonstration

• Mitigating Vulnerabilities

• Use cases overview

44 The toolbox

| Vulnerability | Attack tool (thc, si6, scapy) | Mitigation | Where | Security level | Deployability |
|---|---|---|---|---|---|
| Router Role theft | fake_router6, flood_router6, redir6 | Increase legal router preference | Router | Weak | Low |
| | | Manual default gateway configuration | Host | Very Strong | Medium-Low |
| | | SeND Router Authorization | Host | Very Strong | Low |
| | | Host isolation (PVLAN) | Switch | Very Strong | Medium |
| | | Port Access Lists (PACL) | Switch | Medium | Medium-High |
| | | RA guard | Switch | Medium-Strong | Medium-High |
| Router Identity theft / Address Theft | Parasite6 | Static ND cache entry | Host | Very Strong | Low |
| | | SeND CGA | Host | Very Strong | Low |
| | | Binding Guard (“IPv6 snooping”) | Switch | Strong | High |
| DoS: denial of address initialization | dos-new-IPv6 | Binding Guard (“IPv6 snooping”) | Switch | Strong | High |
| | | SeND CGA | | Very Strong | Medium |
| DoS: denial of address assignment | denial6, fake_advertiser6 | DHCP guard | Switch | Strong | High |
| | | DHCP authentication | Host | Strong | Low |
| DoS: denial of address configuration | thcping6, dos-new-IPv6 | RA guard | Switch | Medium-Strong | Medium-High |
| | | PACL | Switch | Medium | Medium |
| DoS: denial of Address Resolution (1 pkt) | frag6 | Binding Guard | Switch | Medium-Strong | Medium-High |
| DoS: denial of Address Resolution (flood) | scan6, dos-new-IPv6 | Destination Guard | Router | Strong | Medium |
| | | RACL | Router | Medium | Medium-Low |
| DoS: denial of Link Operations (flood) | dos-new-IPv6, flood_advertise6 | ND control | Router | Weak | Low |
| | | Binding Guard control | Switch | Very Strong | Very High |
| Misdirecting responses | syn6_flood | Source Guard, Prefix Guard | Switch | Very Strong | Very High |
| | | ACL | Router | Very Strong | Low |
| | | uRPF | Router | Weak | Low |

45 Router Theft Mitigation

I’m your next hop!

46 Router Theft mitigation: Router Authorization (Certificate Authority CA0, router R, host A)

• Back-end provisioning: R receives its certificate CERTR, signed by CA0; A is provisioned with CA0 (“My certificate is CA0”)

• ROUTER ADVERTISEMENT, source = LLR, key = KEYR

• Certificate Path Solicit (CPS) from A: I trust CA0, what is your credential?

• Certificate Path Advertise (CPA) from R: It is CERTR

• A verifies CERTR against CA0, then inserts R as default route

(SEcure Neighbor Discovery, RFC3971)

47 Router Theft mitigation: SeND Deployment Challenges

(Figure: routers and hosts provisioned under separate CAs, with an administrative boundary between them)

➔To benefit fully from SeND, nodes must be provisioned with CA certificate

➔A chain of trust is “easy” to establish within the administrative boundaries, but very hard outside

➔It is a 2 player game! And very few IPv6 stacks can play the game today: Cisco IOS, Linux, some H3C, third party for Windows (from Hasso-Plattner-Institut in Germany!)

48 Router Theft mitigation: Host Isolation

• Prevent node-to-node layer-2 communication by using:
  − Private VLANs (PVLAN), where nodes (isolated ports) can only contact the official router (promiscuous port)
  − WLAN in ‘AP Isolation Mode’
  − One VLAN per host (SP access network with Broadband Network Gateway)

• Link-local multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm

• But Duplicate Address Detection does not work anymore... Breaks DAD, requires DAD-proxy

49 Router theft is relevant in IPv4 networks as well!

--- ff02::1%en0 ping6 statistics --- 1 packets transmitted, 1 packets received, +57 duplicates, 0.0% packet loss

50 Router Theft Mitigation: RA Guard (RFC 6105)

• Port ACL: blocks all ICMPv6 RA from hosts

  interface FastEthernet0/2
   ipv6 traffic-filter ACCESS_PORT in
   access-group mode prefer port

• RA-guard lite: pre-programmed ACL

  interface FastEthernet0/2
   ipv6 nd raguard
   access-group mode prefer port

• RA-guard: deep RA packet inspection (hop-limit, M & O flags, router preference, source, prefix list, CGA credentials). RAs are accepted on the authorized port and dropped on ports that are not authorized

  ipv6 nd raguard policy HOST
   device-role host
  ipv6 nd raguard policy ROUTER
   device-role router
  vlan configuration 100
   ipv6 nd raguard attach-policy HOST
  interface FastEthernet0/0
   ipv6 nd raguard attach-policy ROUTER

51 Router Theft – Here comes fragmentation …

• Problem
  − RA Guard works like a stateless ACL filtering ICMP type 134 (no reassembly)
  − Attackers can exploit that to evade RA Guard by “pushing” the ULP header (RA) into the second fragment
  − They can even use overlapping fragments to “disguise” the RA as some other valid message
  − RFC 3128 is not applicable to IPv6
  − THC fake_router6 –FD implements this attack, which bypasses RA Guard

Fragment 1: IPv6 hdr, HopByHop, Routing, Fragment, Destination … (the ICMP header is in the 2nd fragment; RA Guard has no clue where to find it!)
Fragment 2: IPv6 hdr, HopByHop, Routing, Fragment, ..Destination, … ICMP type=134

• Possible solutions
  − RFC 7112 (the first fragment MUST contain the entire header chain)
  − Block all fragments sent to ff02::1
  − Drop if the 1st fragment does not have an Upper Layer Protocol header: deny ipv6 any any undetermined-transport
  − How about overlapping fragments? Forbidden by RFC 5722: use a compliant host stack!
  − Drop IPv6 fragments carrying ND: RFC 6980

52 IPv6 and security is still evolving…

53 Router Theft Mitigation Demo

54 Demonstration

55 General principles on FH command interface

• Each FH feature provides a configuration mode to create and populate policies (+ one implicit “default” policy)

  ipv6 nd raguard policy host
   device-role host

• Each FH feature provides commands to attach policies to targets: box, vlan, port

  vlan configuration 100
   ipv6 nd raguard attach-policy host
   ipv6 snooping
  interface e 0/0
   ipv6 nd raguard attach-policy router

• Packets are processed by the lowest-level matching policy for each feature
  − Packets received on e0/0 are processed by policy ra-guard “router” AND policy snooping “default”
  − Packets received on any other port of vlan 100 are processed by policy ra-guard “host” AND policy snooping “default”

56 Configuration examples

Step 1: Configure policies

  ipv6 nd raguard policy HOST
   device-role host
  ipv6 nd raguard policy ROUTER
   device-role router
  ipv6 snooping policy NODE
   tracking enable
   limit address-count 10
   security-level guard
  ipv6 snooping policy SERVER
   trusted-port
   tracking disable
   security-level glean

Step 2: Attach policies to target (vlan or port)

  vlan configuration 100-200
   ipv6 nd raguard attach-policy HOST
  interface Ethernet0/0
   ipv6 nd raguard attach-policy ROUTER
  vlan configuration 100,101
   ipv6 snooping attach-policy NODE
  interface Ethernet1/0
   ipv6 snooping attach-policy SERVER
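The RA Guard checks of slide 50 together with the policy attachment rules of slides 55 and 56, as an added Python example that is not Cisco code: RA fields arrive already decoded in a dict, a port-level policy beats a VLAN-level one (which beats the box default), and each configured check produces a permit/deny verdict with a reason. The policy names follow slide 56; the source list fe80::1, the prefix list 2001:db8::/32, the port names and the sample RAs are constructed.

```python
"""RA Guard policy resolution and evaluation over decoded RAs (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PREF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RaGuardPolicy:
    """None for a check means 'not configured'; a host device-role drops every RA."""
    name: str
    device_role: str                                   # "host" or "router"
    hop_limit_min: Optional[int] = None
    managed_flag: Optional[bool] = None                # expected M flag
    other_flag: Optional[bool] = None                  # expected O flag
    max_preference: Optional[str] = None               # highest router preference accepted
    sources: List[str] = field(default_factory=list)   # permitted link-local sources
    prefixes: List[str] = field(default_factory=list)  # advertised prefixes must fit in one of these


DEFAULT = RaGuardPolicy("default", "host")   # the implicit policy when nothing is attached


def resolve_policy(attachments: Dict[str, RaGuardPolicy], port: str, vlan: int) -> RaGuardPolicy:
    """Lowest-level match wins: port, then vlan<N>, then box, then the implicit default (slide 55)."""
    return attachments.get(port) or attachments.get(f"vlan{vlan}") or attachments.get("box", DEFAULT)


def ra_guard(policy: RaGuardPolicy, ra: dict) -> Tuple[bool, str]:
    """Apply one policy to a decoded RA; returns (permit, reason)."""
    if policy.device_role != "router":
        return False, f"{policy.name}: RA received on a {policy.device_role}-role target"
    if policy.hop_limit_min is not None and ra["hop_limit"] < policy.hop_limit_min:
        return False, f"{policy.name}: hop limit {ra['hop_limit']} below {policy.hop_limit_min}"
    if policy.managed_flag is not None and ra["managed"] != policy.managed_flag:
        return False, f"{policy.name}: M flag mismatch"
    if policy.other_flag is not None and ra["other"] != policy.other_flag:
        return False, f"{policy.name}: O flag mismatch"
    if policy.max_preference and PREF_RANK[ra["preference"]] > PREF_RANK[policy.max_preference]:
        return False, f"{policy.name}: preference {ra['preference']} above {policy.max_preference}"
    if policy.sources and ra["src"] not in policy.sources:
        return False, f"{policy.name}: source {ra['src']} not in source list"
    if policy.prefixes:
        allowed = [ipaddress.IPv6Network(p) for p in policy.prefixes]
        for p in ra["prefixes"]:
            if not any(ipaddress.IPv6Network(p).subnet_of(a) for a in allowed):
                return False, f"{policy.name}: prefix {p} not in prefix list"
    return True, f"{policy.name}: permitted"


def inspect(attachments: Dict[str, RaGuardPolicy], port: str, vlan: int, ra: dict) -> Tuple[bool, str]:
    """Resolve the policy for the receiving port/vlan and evaluate the RA against it."""
    return ra_guard(resolve_policy(attachments, port, vlan), ra)


# Policies and attachments in the shape of slide 56: HOST on vlan 100-200, ROUTER on Ethernet0/0
HOST = RaGuardPolicy("HOST", "host")
ROUTER = RaGuardPolicy("ROUTER", "router", hop_limit_min=64, max_preference="medium",
                       sources=["fe80::1"], prefixes=["2001:db8::/32"])
ATTACH = {"Ethernet0/0": ROUTER, **{f"vlan{v}": HOST for v in range(100, 201)}}

# Constructed decoded RAs: the legitimate router, then rogue variants from slides 24 and 31
GOOD_RA = {"src": "fe80::1", "hop_limit": 64, "managed": False, "other": False,
           "preference": "medium", "prefixes": ["2001:db8:1::/64"]}
ROGUE_HIGH_PREF = dict(GOOD_RA, src="fe80::c", preference="high")
ROGUE_BAD_PREFIX = dict(GOOD_RA, prefixes=["fd00:bad::/64"])

if __name__ == "__main__":
    for port, ra in [("Ethernet0/0", GOOD_RA), ("Ethernet0/2", GOOD_RA),
                     ("Ethernet0/0", ROGUE_HIGH_PREF), ("Ethernet0/0", ROGUE_BAD_PREFIX)]:
        print(port, inspect(ATTACH, port, 100, ra))
```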

57 Upcoming configuration changes

Configure policies and attach them to a target (box, vlan, port):

  IPv4 (today):
   ip device tracking
   ip device tracking maximum nnn
  IPv6 (today):
   ipv6 snooping policy NODE
    limit address-count 10
   ipv6 snooping attach-policy NODE …
  Dual (upcoming):
   device-tracking policy NODE
    limit address-count 10
   device-tracking attach-policy NODE …

Configure static entries:

  IPv4: ip source binding …
  IPv6: ipv6 neighbor binding …
  Dual: device-tracking binding …

58 Upcoming configuration change - Upgrade

Upgrade command: device-tracking upgrade-cli

Configuration, before:
  IPv4: ip device tracking
  IPv6: ipv6 snooping policy xxx, ipv6 snooping attach-policy xxx
  Static entries: ip source binding … (IPv4), ipv6 neighbor binding … (IPv6)

Configuration, after (dual):
  device-tracking policy xxx, device-tracking attach-policy xxx
  device-tracking binding …

Exec commands, before:
  IPv4: show ip device-tracking …, clear ip device-tracking …
  IPv6: show ipv6 neighbor binding …, clear ipv6 neighbor binding …, show ipv6 snooping …

Exec commands, after (dual):
  show device-tracking …, clear device-tracking database …, show ip device-tracking database …

59 Address Theft Mitigation

Ah! Here is 534

60 Address Theft Mitigation: SeND CGA

Sender:
1. Generates a pair of RSA keys: public (KEY) & private
2. Computes the address: A = PREFIX || hash(KEY)
3. Sources the ND message with A, includes KEY, signs with the private key and includes the SIGNATURE

ND message: Source = A, KEY, SIGNATURE

Receiver:
4. Extracts A, KEY & SIGNATURE
5. Verifies A = hash(KEY)
6. Verifies the SIGNATURE against the entire message

(SEcure Neighbor Discovery, RFC3971). Has similar deployment issues as Router Authorisation

61 Address Theft Mitigation: Binding Guard

Binding table (hosts H1, H2, H3 on ports P1, P2, P3; DHCP server):

| ADR | MAC | VLAN | IF | Preference |
|---|---|---|---|---|
| A1 | MACH1 | 100 | P1 | X |
| A21 | MACH2 | 100 | P2 | Y |
| A22 | MACH2 | 100 | P2 | Y |
| A3 | MACH3 | 100 | P3 | Z |

• H1: DAD NS [target=A1, SMAC=MACH1], gleaned from ND

• H2: DHCP REQUEST [XID, SMAC = MACH2] and REPLY [XID, IPA21, IPA22], gleaned from DHCP

• H3: data [IP source=A3, SMAC=MACH3], gleaned from data and verified with DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY towards the DHCP server

Preference is a function of: configuration, learning method, credential provided

64 Address Theft Mitigation: Binding Guard

Address glean on control packets (NDP, DHCP, …):

• Valid?
  − Arbitrate collisions, poll device, check ownership
  − Check against max allowed per box/vlan/port
  − Record & report changes

• Yes: update the binding table & switch the packet. No: drop it

Data packets are checked against the binding table by Source Guard

• Upon collision, choose the highest preference (for instance “static, trusted, CGA, DHCP” preferred over “dynamic, not-trusted, not-CGA, SLAAC”)

• For a collision with the same preference, choose First Come, First Serve, or poll the old location

65 Address Theft Mitigation Demo

66 Demonstration

67 DoS attacks mitigation

68 DoS attack mitigation: DHCP Guard (denial of address assignment)

• Port ACL: blocks all DHCPv6 “server” messages (ADVERTISE, …) on client-facing ports

  interface FastEthernet0/2
   ipv6 traffic-filter CLIENT_PORT in
   access-group mode prefer port

• DHCP guard: deep DHCP packet inspection (source, prefix list, CGA credentials). SOLICIT is accepted from client ports, ADVERTISE only from the server port

  ipv6 dhcp guard policy CLIENT
   device-role client
  ipv6 dhcp guard policy SERVER
   device-role server
  vlan configuration 100
   ipv6 dhcp guard attach-policy CLIENT
  interface FastEthernet0/0
   ipv6 dhcp guard attach-policy SERVER

69 DoS attack mitigation: Binding Guard (denial of address initialization) (host A on IFA, attacker C on IFC)

• NS-DAD from A, ICMP type = 135 (Neighbor Solicitation): Source = UNSPEC, Destination = SOL A, target = A. Query = Does anybody use A already? The switch gleans the binding A / MACA / IFA, INCOMPLETE

• NA, target=A from C (“it’s mine!”) contradicts the binding (A belongs to IFA) and is dropped

• Address A ready to use

70 DoS attack mitigation: RA Guard (denial of address configuration) (host A, attacker C, router B)

• RA from C: Src = B’s link-local address, Dst = All-nodes, Options = prefix BAD. Dropped by RA Guard

• RA from B: Src = B’s link-local address, Dst = All-nodes, Options = prefix GOOD

• Node A autoconfigures GOOD::A, DADs it, and sources off-link traffic via B with GOOD::A

71 DoS attack mitigation: Destination Guard (denial of Address Resolution, flood) (L3 switch/router, host B, Internet)

• The binding table is built by address glean; the router keeps its neighbor cache

• Scanning {P/64} from the Internet: Destination = D1 … Dn

• Lookup D1 in the binding table: not found, the packet is dropped instead of triggering address resolution. Packets whose destination is found are forwarded

• Mitigates prefix-scanning attacks and protects the ND cache

• Useful at the last-hop router and the L3 distribution switch

• Drops packets for destinations without a binding entry

72 DoS attack mitigation: Binding Guard (denial of link operations) (host A on IFA, router R, attacker X on IFX, prefix PFX::/64)

• NS from X, Src=PFX::1, Dst=SOLR, SLLA = MAC1: binding PFX::1 / MAC1 / IFX created; R's neighbor cache: PFX::1 MAC1 STALE

• NS from X, Src=PFX::2, Dst=SOLR, SLLA = MAC2: binding PFX::2 / MAC2 / IFX created; R's neighbor cache: PFX::2 MAC2 STALE

• NS from X, Src=PFX::3, Dst=SOLR, SLLA = MAC3: STOP! Max 2 entries per port exhausted, dropped

• NS from A, Src=A, Dst=SOLR, SLLA = MACA: binding A / MACA / IFA created; R's neighbor cache: A MACA STALE

73 Misdirecting Mitigation

74 Misdirecting Mitigation: Source Guard (hosts A1, A2, A3 on ports P1, P2, P3)

Binding table, built by address glean:

| IPv6 | MAC | VLAN | IF |
|---|---|---|---|
| A1 | MACA1 | 100 | P1 |
| A21 | MACA21 | 100 | P2 |
| A22 | MACA22 | 100 | P2 |

Source Guard:
– Allows traffic sourced with a known IP/SMAC
– Denies traffic sourced with an unknown IP/SMAC
– Tries recovering unknown addresses

• P1, data, src= A1, SMAC = MACA1: allowed

• P2, data, src= A21, SMAC = MACA21: allowed

• P3, data, src= A3, SMAC = MACA3: denied, no binding
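Binding Guard and Source Guard behaviour from slides 61, 64, 69, 72 and 74, as an added Python model that is not the switch's implementation: bindings are gleaned from control traffic, collisions are arbitrated by preference with first-come-first-served on ties, each port holds a bounded number of entries, and data is admitted only when source address, SMAC and port match a binding. The preference values, and the address, MAC and port labels, follow the slides' notation and are constructed.

```python
"""Binding table with glean, preference arbitration, per-port limit and Source Guard (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Higher wins on collision: static, trusted, CGA and DHCP rank above dynamic/SLAAC learning (slide 64)
PREFERENCE = {"static": 40, "trusted": 30, "cga": 25, "dhcp": 20, "nd": 10}


@dataclass
class Binding:
    addr: str
    mac: str
    vlan: int
    port: str
    method: str
    state: str

    @property
    def pref(self) -> int:
        return PREFERENCE[self.method]


class BindingTable:
    def __init__(self, max_per_port: int):
        self.max_per_port = max_per_port
        self.entries: Dict[Tuple[int, str], Binding] = {}
        self.events: List[str] = []

    def _port_count(self, vlan: int, port: str) -> int:
        return sum(1 for b in self.entries.values() if (b.vlan, b.port) == (vlan, port))

    def glean(self, addr, mac, vlan, port, method, state="REACHABLE") -> bool:
        """Offer a binding learnt from a DAD NS, NA, DHCP REPLY or data packet; True if accepted."""
        new = Binding(addr, mac, vlan, port, method, state)
        old = self.entries.get((vlan, addr))
        if old is None:
            if self._port_count(vlan, port) >= self.max_per_port:
                self.events.append(f"deny {addr}: {port} already holds {self.max_per_port} entries")
                return False                       # slide 72: the per-port limit stops the flood
            self.entries[(vlan, addr)] = new
            return True
        if (old.mac, old.port) == (mac, port):     # same owner: refresh state, keep the best method
            old.state = state
            old.method = max(old.method, method, key=PREFERENCE.get)
            return True
        if new.pref > old.pref:                    # the better credential wins the collision
            self.events.append(f"move {addr}: {old.port}/{old.mac} -> {port}/{mac}")
            self.entries[(vlan, addr)] = new
            return True
        # Equal or lower preference: first come, first served (a switch may also poll the old owner)
        self.events.append(f"deny {addr} from {port}/{mac}: bound to {old.port}/{old.mac}")
        return False

    def source_guard(self, addr: str, mac: str, vlan: int, port: str) -> bool:
        """Slide 74: admit data only when IP, SMAC and port all match a binding."""
        b = self.entries.get((vlan, addr))
        return b is not None and (b.mac, b.port) == (mac, port)


def run_scenarios() -> dict:
    """Replay the slides' exchanges against a table limited to 2 entries per port."""
    t = BindingTable(max_per_port=2)
    out = {}
    # Slide 69: A's DAD NS is gleaned on IFA, attacker C's "it's mine" NA from IFC is refused
    t.glean("A", "MACA", 100, "IFA", "nd", "INCOMPLETE")
    out["attacker_claims_A"] = t.glean("A", "MACC", 100, "IFC", "nd")
    # Slide 61: a DHCP REPLY hands A21 and A22 to H2 on P2
    out["dhcp_learnt"] = [t.glean(a, "MACH2", 100, "P2", "dhcp") for a in ("A21", "A22")]
    # Slide 72: X on IFX claims PFX::1, PFX::2, PFX::3 against the limit of 2 per port
    out["flood"] = [t.glean(f"PFX::{i}", f"MAC{i}", 100, "IFX", "nd") for i in (1, 2, 3)]
    # Slide 64: a dynamic claim for A21 from another port loses to the DHCP binding; static wins
    out["nd_vs_dhcp"] = t.glean("A21", "MACX", 100, "P3", "nd")
    out["static_override"] = t.glean("A21", "MACS", 100, "P3", "static")
    # Slide 74: Source Guard decisions on data packets
    out["sg_A_on_IFA"] = t.source_guard("A", "MACA", 100, "IFA")
    out["sg_spoofed_A"] = t.source_guard("A", "MACC", 100, "IFC")
    out["sg_unknown_A3"] = t.source_guard("A3", "MACH3", 100, "P3")
    out["events"] = t.events
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```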

75 Misdirecting Mitigation: Source Guard, address recovery (hosts A1, A2, A3 on ports P1, P2, P3)

Binding table after recovery:

| IPv6 | MAC | VLAN | IF |
|---|---|---|---|
| A1 | MACA1 | 100 | P1 |
| A21 | MACA21 | 100 | P2 |
| A22 | MACA22 | 100 | P2 |
| A3 | MACA3 | 100 | P3 |

• P3, data, src= A3, SMAC = MACA3: unknown source, rate-limited; the switch queries the DHCP server (DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY) and gleans the binding A3 / MACA3 / 100 / P3

• P3, data, src= A3: now allowed

76 Misdirecting Mitigation: Prefix Guard

Topology: home network gateways G1, G2, G3 on ports p1, p2, p3 of a shared vlan; L2 switch (FH security, DHCP tag); L3 switch (FH security, DHCP relay); DHCP server

• DHCP-PD request from G1; DHCP-PD reply: PREFIX=P1

• L2 switch binding table: Prefix P1 / MACG1 / VLAN 100 / Port p1. L3 switch FIB: Prefix P1, NH LLG1

• G1 sends RA [P1] into its home network; hosts run SLAAC

• src = P1::iid: allowed

• src = BAD::iid: dropped by Prefix Guard

77 Agenda

• IPv6 in the layer-2 domain: operations and protocols

• IPv6 in the layer-2 domain: vulnerabilities

• Attack Demonstration

• Mitigating Vulnerabilities

• Use cases overview

78 Use Case #1: Enterprise campus network

Topology: wired Buildings and a Wireless building attached to the Campus core, which connects to the DataCenter and the WAN

79 Use Case #1: Enterprise campus network Vulnerabilities

• DataCenter / WAN: DoS, Misdirect

• Buildings (wired access): Router theft, Address theft, Session hijack, DoS, Misdirect

• Wireless building: Router theft, Address theft, Session hijack, DoS, Misdirect

80 Use Case #1: Enterprise campus network Vulnerabilities mitigations

• DataCenter / WAN: Access List, Destination Guard

• Buildings (wired access): RA guard/PACL, DHCP guard/PACL, Source guard, ipv6 snooping/Binding guard

• Campus core: IPv6 snooping/trusted; bindings learnt from trusted or untrusted access, and from untrusted trunk

• Wireless building: RA guard/PACL, DHCP guard/PACL, Source guard, ipv6 snooping/Binding guard, RA throttling, AR proxying, DAD filtering

81 Use Case #2: Broadband Access network

Topology: DSL routers via DSLAM and ATM, Enterprise Ethernet switches, and Cable routers (DOCSIS 3.0) via CMTS and Ethernet bridge, aggregated by switches into the BRAS/BNG, then Firewall, ISP and Internet; provisioning services on the cable side

82 Use Case #2: Broadband Access network Vulnerabilities

• Router theft, Address theft, Session hijack, DoS, Misdirect (access side)

• ND cache poisoning for (next-hop) session hijacking; Rogue RA for session hijacking (aggregation switches)

• Misdirect (towards the BRAS/BNG and ISP)

83 Use Case #2: Broadband Access network Vulnerabilities mitigations

• Secure box, PVLAN* (* requires DAD-proxy)

• IPv6 snooping/Binding guard, Prefix guard (prefix-delegation), DHCP guard

84 Use Case #3: DataCenter

Topology: WAN, Core (transitioning services), Firewall, L3 Aggregation (load balancing), L2 Access, Servers (VEM hosting VMs 1 to 4)

85 Use Case #3: DataCenter Vulnerabilities

• WAN: DoS, Misdirect

• L2 Access / Servers: Router theft, Address theft, Session hijack, DoS, Misdirect

86 Use Case #3: DataCenter Vulnerabilities mitigations

• L3 Aggregation / Load balancing: Access List, PVLAN

• L2 Access: RA guard/PACL, DHCP guard/PACL, Source guard, ipv6 snooping/Binding guard

87 IPv6 First Hop Security Platform Support (For Your Reference)

Platforms (columns on the slide): Catalyst 6500 Series / 7600 Router; Catalyst 4500 Series; Catalyst 2K/3K Series; ASR1000 Router; Catalyst 3850; Wireless LAN Controller (Flex 7500, 5508, 2500, WISM-2); Nexus 3k/5k/6k/7k/9k

Releases per feature, in the order printed on the slide (the column alignment did not survive extraction):

• RA Guard: 15.0(1)SY, 15.1(2)SG, 15.0(2)SE, 15.2(4)S, 15.0(1)EX, 7.2, NX-OS 8.0

• IPv6 Snooping: 15.0(1)SY1, 15.1(2)SG, 15.0(2)SE, XE 3.9.0S, 15.2(4)S, 15.0(1)EX, 7.2, NX-OS 8.0

• DHCPv6 Guard: 15.2(1)SY, 15.1(2)SG, 15.0(2)SE, 15.2(4)S, 15.0(1)EX, 7.2, NX-OS 8.0

• Source/Prefix Guard: 15.2(1)SY, 15.2(1)E, 15.0(2)SE2, XE 3.9.0S, 15.3(1)S, 7.2, NX-OS 8.0

• Destination Guard: 15.2(1)SY, 15.1(2)SG, 15.2(1)E, XE 3.9.0S, 15.2(4)S, NX-OS 8.0

• RA Throttler: 15.2(1)SY, 15.2(1)E, 15.2(1)E, 15.0(1)EX, 7.2

• ND Multicast Suppress: 15.2(1)SY, 15.1(2)SG, 15.2(1)E, XE 3.9.0S, 15.0(1)EX, 7.2

Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped

Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release

Legend: Available Now / Not Available / Roadmap

88 Key Take Away

• IPv6 is similar to IPv4: similar attacks

• At minimum, deploy protection against rogue routers

• Training is required

• Experiment with IPv6 here at Cisco Live (SSID: CL-NAT64)!

• Attend the following related sessions:
  − IPv6 Security Threats and Mitigation [BRKSEC-3200] – Thursday 14:30

89 Complete Your Online Session Evaluation

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

90 Final Message

• An unsecured LAN is vulnerable to attack, you must consider your specific setup and apply the required mitigation strategies.

91 Thank you


Appendix A: Image licensing details

• Villain image from J.J. at the English language Wikipedia: https://commons.wikimedia.org/wiki/File:Villainc.svg

• Swindon Magic Roundabout image by Dickbauch: https://commons.wikimedia.org/wiki/File:Swindon_Magic_Roundabout_db_gespiegelt.png

94 Appendix B: Recommended Reading

• For reading material and further resources for this session, please visit www.pearson-books.com
