Advanced IPv6 Security Threats and Mitigation
Eric Vyncke, Distinguished System Engineer, [email protected], @evyncke

BRKSEC-3200 Session Objectives

• Advanced IPv6 security topics like extension headers, transition options and dual stack environments

• Including more details on attacks

• Main focus is on enterprise issues

• Requirements: good knowledge of the IPv6 and IPsec protocols as well as IPv4 & IPv6 network security best practices (for example BRKSEC-2003 from www.ciscolive.com)

3 Roadmap For IPv6 Security Sessions
• BRKSEC-2003 Introduction to IPv6 Security: Threats and Mitigation (www.ciscolive.com)
• BRKSPG-2603 How to Securely Operate an IPv6 Network
• BRKSEC-3003 Advanced IPv6 Security in the LAN
• BRKSEC-3200 Advanced IPv6 Security: Threats and Mitigation (this session)
• Architecture and design / Operation / Dual-stack products:
  • BRKSEC-3036 Advanced IPsec designs with FlexVPN
  • LTRSEC-3001 Advanced IOS FlexVPN Lab

4 For Your References...

• There are more slides in the hand-outs than presented during the class

• Those slides are mainly for reference and are indicated by the book icon on the top right corner (as on this slide)

• Some slides also have a call-out to another session (for example BRKSEC-3003, as shown on this slide)

• Other slides are about demos and experiments (not to be repeated on a production network)

5 Agenda

• Routing security

• “Playing” with extension headers

• More on tunnels and dual-stack

• Enforcing a security policy

• Summary

“Experiment” with IPv6-only over WiFi at Cisco Live: SSID CL-NAT64, passphrase cl-

6 Routing Security

7 IPv6 Bogon and Anti-Spoofing Filtering

• Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt

• Every network should implement two forms of anti-spoofing protections:
  • Prevent spoofed addresses from entering the network
  • Prevent the origination of packets containing spoofed source addresses
  • Anti-spoofing = uRPF

[Diagram: an inter-networking device with uRPF enabled sits between the IPv6 Internet and the IPv6 intranet; a packet whose source address is unallocated has no route back to that source and is dropped]

8 For Your Reference: IPv6 uRPF and Cisco Devices, The Theory-Practice Gap
• Supported everywhere except:
  • 7600 & Cat 6K: Sup720/32 has no IPv6 uRPF at all; Sup 2T is OK
  • Cat 3750: no uRPF at all
  • GSR 12K: only strict mode, only with Engine 5 (uRPF not supported on other engines); requires IOS 12.0(31)S or IOS-XR release 2.1
  • ASR 5K
  • ASR 9K: requires release 4.1.1
  • Metro switch

• ASA enables IPv4 and IPv6 uRPF in the same command

• No VRF mode yet for IPv6

9 Remote Triggered Black Hole (RFC 5635)

[Diagram: the NOC injects “Block 2001:db8::bad” as a BGP update, which is propagated to every edge router]

• BGP allows you to ”announce” a host/subnet IP address which you want to drop traffic to or from
• By enabling BGP on selected choke points, it becomes possible to control traffic dynamically

10 How Does RTBH Work?

• It’s Magic! 
• BGP allows specifying the next-hop IP address in routing updates
  • Other routing protocols automatically use the announcing device IP address as the next-hop
• By setting the next-hop of an IP address to the RFC 6666 discard prefix 100::/64, we can create a routing update containing this specific IP address
• When received, this routing update is merged with a pre-defined static route on the receiving router:
  • route 100::/64 Null0
• Now, the routing table contains a routing entry specifying that traffic for this address will be sent to the Null0 interface
  • By default: drop all packets to this address
  • By using loose uRPF: drop all packets from this address (because the interface is Null0)

• http://www.cisco.com/web/about/security/intelligence/ipv6_rtbh.html

11 Edge (Dropping) Router Configuration

! Do not DoS ourselves by generating ICMP unreachables
interface Null0
 no ipv6 unreachables
!
! Generic BGP configuration for IPv6 (to be localized of course, and care must be
! taken to avoid forwarding RTBH-specific routes outside of your AS)
router bgp 65444
 bgp router-id 10.10.10.2
 neighbor 2001:db8::1 remote-as 65444
 !
 address-family ipv6
  neighbor 2001:db8::1 activate
!
! Static route for the RFC 6666 discard prefix to Null0
ipv6 route 100::/64 Null0

12 Trigger (NOC) Router Configuration

interface Null0
 no ipv6 unreachables
!
! Generic BGP configuration for IPv6 (to be localized of course, and care must be
! taken to avoid forwarding RTBH-specific routes outside of your AS)
router bgp 65444
 bgp router-id 10.10.10.1
 neighbor 2001:db8::2 remote-as 65444
 no auto-summary
 !
 address-family ipv6
  neighbor 2001:db8::2 activate
  network 2001:db8:0:ff::/64
  ! 1st part of the “magic”: send some route with the discard next-hop
  redistribute static route-map ipv6-rm
!
! 2nd part of the “magic”: all routes with a tag of 66 will be sent with the discard next-hop
route-map ipv6-rm permit 10
 match tag 66
 set local-preference 200
 set origin igp
 set ipv6 next-hop 100::1
route-map ipv6-rm deny 20

13 Two Final Touches to RTBH

ipv6 route 2001:db8::bad/128 100::1 tag 66

Create a static route to 2001:db8::bad with tag 66: this will trigger a BGP update with next-hop 100::1 and all edge routers will drop packets to 2001:db8::bad

interface Gigabit0/0/1
 ipv6 verify unicast source reachable-via any [allow-default]

But, usually we want to drop packets FROM an address, so uRPF must be configured at the edge routers

14 Preventing IPv6 Routing Attacks: Protocol Authentication
• BGP, ISIS, EIGRP: no change
  • An MD5 authentication of the routing update
• OSPFv3 has changed and pulled MD5 authentication from the protocol and instead relies on transport mode IPsec (for authentication and confidentiality)
  • But see RFC 6506 / RFC 7166 (OSPFv3 authentication trailer, not widely implemented yet)
• IPv6 routing attack best practices
  • Use traditional authentication mechanisms on BGP and IS-IS
  • Use IPsec to secure protocols such as OSPFv3

15 For Your Reference: OSPF or EIGRP Authentication

interface Ethernet0/0
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF

interface Ethernet0/0
 ipv6 authentication mode eigrp 100 md5
 ipv6 authentication key-chain eigrp 100 MYCHAIN

key chain MYCHAIN
 key 1
  key-string 1234567890ABCDEF1234567890ABCDEF
  accept-lifetime local 12:00:00 Dec 31 2011 12:00:00 Jan 1 2012
  send-lifetime local 00:00:00 Jan 1 2012 23:59:59 Dec 31 2013

No crypto maps, no ISAKMP: transport mode with static session keys

16 “Playing” with Extension Headers

17 Packet Forgery with SCAPY /1
• Scapy is an open source packet forgery tool built on Python
• Powerful albeit complex to understand and to use:

evyncke@host1:~# scapy
Welcome to Scapy (2.1.0)
>>> target="2001:db8:23:0:60de:29ff:fe15:2"
>>> packet=IPv6(dst=target)/ICMPv6EchoRequest(id=0x1234, seq=RandShort(), data="ERIC")
>>> sr1(packet)
Begin emission:
Finished to send 1 packets.
Received 2 packets, got 1 answers, remaining 0 packets

18 Packet Forgery with SCAPY /2
• Variables can be assigned a value with “=”
• Packets are built with the concatenation operator “/”
• Headers are instantiated with default values (such as source address, checksum, next header, length, ...); all can be overwritten
• Packets can be displayed in various formats: ls(), packet.show()
• Packets can be sent by
  • send(): simply send it
  • sr1(): send it and wait for one reply

>>> target="2001:db8:23:0:60de:29ff:fe15:2"
>>> packet=IPv6(dst=target)/ICMPv6EchoRequest(id=0x1234, seq=RandShort(), data="ERIC")

19 IPv6 Routing Header
• Processed by intermediate routers
• Three types
  • Type 0: similar to IPv4 source routing (multiple intermediate routers)
  • Type 2: used for mobile IPv6
  • Type 3: used by RPL (Routing Protocol for Low-Power and Lossy Networks)
  • Type (4?): segment routing

[Diagram: IPv6 basic header with Next Header = 43, followed by the routing header fields: Next Header, Ext Hdr Length, Routing Type, Segments Left, Routing Header Data]

20 Type 0 Routing Header Amplification Attack
• What if the attacker sends a packet with an RH containing
  • A -> B -> A -> B -> A -> B -> A -> B -> A ....
• The packet will loop multiple times on the link A-B
• An amplification attack!

[Diagram: the packet bouncing between routers A and B]

21 Type 0 Routing Header Traffic Rebound
• Rule on the firewall:
  • Allow proto tcp from any to webserver port 80
  • Deny proto tcp from any to any

[Diagram: Host1 sends src=host1, dst=web, rtheader=host2, segments left=1, payload proto=tcp dport=80; the firewall in front of the IPv6 network lets it through as traffic to the web server; the web server processes the routing header and forwards src=host1, dst=host2, rtheader=web, segments left=0, payload proto=tcp dport=80 to Host2 behind the firewall]

22 Preventing Routing Header-0 Attacks
• Apply the same policy for IPv6 as for IPv4:
  • Block Routing Header type 0 (RH-0)
• Prevent processing at the intermediate nodes, but forwarding is OK
  • no ipv6 source-route
  • Windows, Linux, Mac OS: default setting
  • IOS-XR before 4.0: a bug prevented the processing of RH-0
  • IOS before 12.4(15)T: by default RH-0 was processed
• At the edge, to block forwarding
  • With an ACL blocking the routing header
• RFC 5095 (Dec 2007): RH-0 is deprecated
  • Default changed in IOS 12.4(15)T and IOS-XR 4.0 to ignore RH-0
  • ASA drops all packets with any routing header
• Type 2 and type 3 (and segment routing, type 4) are not dangerous and should be allowed

23 Let’s Try it With Scapy & Tcpdump

from scapy.all import *   # implicit inside the scapy shell
a="2001:DB8:1::1"
b="2001:DB8:23::2"
route=[]
for i in range(0, 30):
    route.append(a)
    route.append(b)
packet=IPv6(dst=b,hlim=255)/IPv6ExtHdrRouting(addresses=route,type=0)/ICMPv6EchoRequest()
sr1(packet)

Using a recent IOS, the router refuses to process Routing Header Type 0

IP6 (hlim 63, next-header ICMPv6 (58) payload length: 384) 2001:db8:23::2 > scapy_host: [icmp6 sum ok] ICMP6, parameter problem, length 384, errorneous - 42

24 Let’s Try it Again With Ancient IOS, Scapy & Tcpdump

Snapshot before:
R1#sh ipv6 traffic interface 0/0
Ethernet0/0 IPv6 stat istics:
  Rcvd: 26 total, 25 local destination
        41 source-routed, 0 truncated
        ...
  Sent: 118 generated, 0 forwarded
        ...

Snapshot after:
R1#sh ipv6 traffic interface ethernet 0/0
Ethernet0/0 IPv6 statistics:
  Rcvd: 28 total, 27 local destination
        71 source-routed, 0 truncated
        ...
  Sent: 120 generated, 0 forwarded
        ...

25 RH-2 for Mobile IPv6 is OK
• Required by mobile IPv6
• Rebound/amplification attacks impossible
  • Only one intermediate router: the mobile node home address

[Diagram: IPv6 basic header with Next Header = 43, followed by a routing header with Routing Type = 2, Segments Left = 1 and a single address: the mobile node home address]

26 For Your Reference: RH-3 for RPL is OK
• Used by the Routing Protocol for Low-Power and Lossy Networks
• But only within a single trusted network (strong authentication of nodes), never over a public untrusted network
  • Damage is limited to this RPL network
  • If the attacker is inside the RPL network, then he/she could do more damage anyway

27 IPv6 Header Manipulation
• Unlimited size of header chain (spec-wise) can make filtering difficult
• Potential DoS with poor IPv6 stack implementations
  • More boundary conditions to exploit
  • Can I overrun buffers with a lot of extension headers?
• Mitigation: a firewall such as ASA which can filter on headers

[Screenshot: a sniffer decodes a “perfectly valid” IPv6 packet carrying a long chain of extension headers, annotated: a header which should only appear once, a destination options header which should occur at most twice, and a header which should be the last]

http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html

31 Parsing the Extension Header Chain
• Finding the layer 4 information is not trivial in IPv6
  • Skip all known extension headers
  • Until either a known layer 4 header is found => MATCH
  • Or an unknown extension header/layer 4 header is found... => NO MATCH

[Diagram: IPv6 hdr | HopByHop | Routing | AH | TCP | data => MATCH]

[Diagram: IPv6 hdr | HopByHop | Routing | AH | Unknown L4 | ??? => NO MATCH]

32 Fragment Header: IPv6

[Diagram: IPv6 basic header with Next Header = 44, followed by the fragment header fields: Next Header, Reserved, Fragment Offset, Identification, then the fragment data]

• In IPv6, fragmentation is done only by the end system
  • Tunnel end-points are end systems => fragmentation / re-assembly can happen inside the network
• Reassembly is done by the end system like in IPv4
• RFC 5722: overlapping fragments => MUST drop the packet. Most OS implement it since 2012
• Attackers can still fragment in an intermediate system on purpose
  • ==> a great obfuscation tool

33 Fragmentation Used in IPv4 by Attackers ... Also applicable to IPv6 of course

• Great evasion techniques
  • Some firewalls do not process fragments except for the first one
  • Some firewalls cannot detect overlapping fragments with different content
• IPv4 tools like whisker, fragroute, etc.
• Makes firewall and network intrusion detection harder
• Used mostly in DoSing hosts, but can be used for attacks that compromise the host
  • Send a fragment to force states (buffers, timers) in the OS
• See also: http://insecure.org/stf/secnet_ids/secnet_ids.html (1998!)

34 Parsing the Extension Header Chain: Fragments and Stateless Filters
• RFC 3128 is not applicable to IPv6
  • Layer 4 information could be in the 2nd fragment
  • But stateless firewalls could not find it if a previous extension header is fragmented

[Diagram: IPv6 hdr | HopByHop | Routing | Fragment1 | Destination …]
[Diagram: IPv6 hdr | HopByHop | Routing | Fragment2 | … Destination | TCP | Data]

The layer 4 header is in the 2nd fragment; stateless filters have no clue where to find it!

• But, RFC 6980: “nodes MUST silently ignore NDP … if packets include a fragmentation header”
• But, RFC 7112: “A host that receives a First Fragment that does not satisfy… SHOULD discard the packet”

35 Fragment Obfuscation with Scapy & tcpdump

>>> packet=IPv6(dst=dst)/IPv6ExtHdrDestOpt(options=PadN(optdata='A'*20))/TCP(sport=sport,dport=22,flags="S", seq=100)
>>> frag1=IPv6(dst=dst)/IPv6ExtHdrFragment(nh=60, id=0xabbababe, m=1, offset=0)/str(packet)[40:48]
>>> frag2=IPv6(dst=dst)/IPv6ExtHdrFragment(nh=60, id=0xabbababe, m=0, offset=1)/str(packet)[48:84]
>>> send(frag1)
>>> send(frag2)

IP6 (hlim 64, next-header Fragment (44) payload length: 16) 2001:...:1 > 2001:...:2: frag (0xabbababe:0|8) [|DSTOPT]
0x0000: 6000 0000 0010 2c40 2001 0db8 0001 0000 `.....,@......
0x0010: 60de 29ff fe15 0001 2001 0db8 0023 0000 `.)...... #..
0x0020: 60de 29ff fe15 0002 3c00 0001 abba babe `.).....<......
0x0030: 0602 0114 4141 4141 ....AAAA

IP6 (hlim 64, next-header Fragment (44) payload length: 44) 2001:...:1 > 2001:...:2: frag (0xabbababe:8|36)
0x0000: 6000 0000 002c 2c40 2001 0db8 0001 0000 `....,,@......
0x0010: 60de 29ff fe15 0001 2001 0db8 0023 0000 `.)...... #..
0x0020: 60de 29ff fe15 0002 3c00 0008 abba babe `.).....<......
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040: 47b3 0016 0000 0064 0000 0000 5002 2000 G...... d....P...
0x0050: da35 0000

36 IPv6 Fragmentation & IOS ACL Fragment Keyword
• This makes matching against the first fragment non-deterministic:
  • the layer 4 header might not be there but in a later fragment  need for stateful inspection
• fragment keyword matches
  • Non-initial fragments (same as IPv4), permitted by default
• undetermined-transport keyword does not match
  • If non-initial fragment
  • Or if TCP/UDP/SCTP and the ports are in the 1st fragment
  • Or if ICMP and the type and code are in the 1st fragment
  • Everything else matches (including OSPFv3, RSVP, GRE, ESP, EIGRP, PIM …)
  • Only for deny ACE

37 Fragmented Packets and ASA
• ASA drops packets where the 1st fragment does not have the layer-4 information

deny IP teardrop fragment (size = 28, offset = 8) from 2001:...:1 to 2001:...:2

38 Let’s Try the Naïve ACL...

ipv6 access-list NO_SSH
 deny tcp any any eq 22 log
 permit ipv6 any any

IP6 (hlim 62, next-header Fragment (44) payload length: 16) 2001:..:1 > 2001:..:2: frag (0xabbababe:0|8) [|DSTOPT]
IP6 (hlim 62, next-header Fragment (44) payload length: 44) 2001:..:1 > 2001:..:2: frag (0xabbababe:8|36)

SSH accepts the connection and replies:
IP6 (hlim 64, next-header TCP (6) payload length: 24) 2001:...:2.22 > 2001:...:1.18355: Flags [S.], cksum 0x138c (correct), seq 621319016, ack 101, win 5760, options [mss 1440], length 0

39 Let’s Try undetermined-transport...

ipv6 access-list NO_SSH2
 deny ipv6 any any undetermined-transport log
 deny tcp any any eq 22 log
 permit ipv6 any any

%IPV6_ACL-6-ACCESSLOGSP: list NO_SSH2/10 denied tcp 2001:...:1 -> 2001:...:2, 1 packet

The 1st fragment is not received; only the 2nd one gets through:
IP6 (hlim 62, next-header Fragment (44) payload length: 44) 2001:..:1 > 2001:..:2: frag (0xabbababe:8|36)

Reassembly fails after time-out, the connection is never established

40 Is it the End of the World?
• The lack of fast wirespeed stateless ACL is bad news of course
• IETF made the 1st IPv6 fragment without layer-4 invalid: it SHOULD be dropped by the receiving host and MAY be dropped by routers
  • RFC 7112 (born as draft-ietf-6man-oversized-header-chain)
• Use of undetermined-transport is strongly recommended
• ASA always drops such initial fragments
• If not supported, consider
  • Bidirectional traffic (TCP, ...): block in the other direction using the source port
  • On an intermediate router: permit TCP, ICMP, UDP, ... hence blocking everything else (including 1st fragments without layer-4)

41 Playing Tricks with Fragments as in IPv4 /1
• Assuming the stateful IPS (or even firewall) prefers the last fragment and the host the first fragment...

[Diagram: two fragments with ID=n, OFF=10 are sent, first Data = ATTACK, then Data = GOOD; after re-assembly the IPS sees GOOD while the host sees ATTACK]

42 Playing Tricks with Fragments as in IPv4 /2
• Assuming the stateful IPS/firewall prefers the first fragment...

[Diagram: the fragment with Data = GOOD (ID=n, OFF=10) is sent with a small hop limit (HL=2, then HL=1) so it never reaches the host; the fragment with Data = ATTACK (ID=n, OFF=10, HL=32, 31, 30) does; the IPS re-assembles GOOD, the host ATTACK]

43 Overlapping Fragments Issues – RFC 5722
• Also in IPv4
• Can hinder NIDS/firewall
• Can bypass stateless ACL, e.g. ‘established’ sessions (block TCP SYN)

[Diagram: fragment 1 (IPv6 hdr, Frg ID=n, O=0) carries TCP DST=80 with the ACK flag plus filler and passes the ‘established’ check ✔; fragment 2 (IPv6 hdr, Frg ID=n, O=8) overlaps it with a SYN attack and passes as well ✔; at the host, after re-assembly, the SYN attack has overwritten the ACK ✖]

• RFC 5722 => drop overlapping fragments
• FreeBSD, Ubuntu 11.10 and Windows 7 implement RFC 5722 hence no worries for them
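The three reassembly behaviours the last slides contrast (first fragment wins, last fragment wins, RFC 5722 drop-on-overlap), run over the overlapping ACK/SYN pair of the diagram above. This is an added example written for this page, not code from the deck; the fragments are constructed inline, the fragmentable part is reduced to a bare TCP header and checksums are left at zero.

```python
import struct


class Reassembler:
    """Reassemble the fragmentable part of IPv6 datagrams, keyed by
    (src, dst, identification), under one of three overlap policies:
      'first'   - bytes already received are kept (what slide 41 assumes
                  for the host)
      'last'    - later fragments overwrite earlier bytes (assumed for the IPS)
      'rfc5722' - any overlap discards the whole datagram, later fragments
                  of it included
    """

    def __init__(self, policy="rfc5722"):
        if policy not in ("first", "last", "rfc5722"):
            raise ValueError(policy)
        self.policy = policy
        self.queues = {}

    def add(self, key, offset, more, data):
        """Feed one fragment (offset in bytes, M flag, payload). Returns the
        reassembled bytes once complete, None while waiting or once the
        datagram has been discarded."""
        q = self.queues.setdefault(key, {"bytes": {}, "total": None, "dropped": False})
        if q["dropped"]:
            return None                       # RFC 5722: silently ignore the rest
        overlap = any(offset + i in q["bytes"] for i in range(len(data)))
        if overlap and self.policy == "rfc5722":
            q["dropped"], q["bytes"] = True, {}
            return None
        for i, b in enumerate(data):
            if self.policy == "last" or offset + i not in q["bytes"]:
                q["bytes"][offset + i] = b
        if not more:                          # M=0: this fragment ends the datagram
            q["total"] = offset + len(data)
        total = q["total"]
        if total is None or any(p not in q["bytes"] for p in range(total)):
            return None
        del self.queues[key]
        return bytes(q["bytes"][p] for p in range(total))


def tcp_flags(segment):
    """Decode the flag bits of byte 13 of a TCP header."""
    names = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")
    return {n for i, n in enumerate(names) if segment[13] & (1 << i)}


# Constructed fragments from the slide: fragment 1 (offset 0, M=1) carries a
# full TCP header to port 80 with only ACK set (looks 'established') plus
# 4 filler bytes; fragment 2 (offset 8, M=0) overlaps bytes 8..19 and turns
# the flags into SYN.
KEY = ("2001:db8:1::1", "2001:db8:23::2", 0xabbababe)
FRAG1 = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, 0x5010, 8192, 0, 0) + b"\0" * 4
FRAG2 = struct.pack("!IHHHH", 0, 0x5002, 8192, 0, 0)


def reassemble_slide_case(policy):
    """What a node with the given policy ends up with: the TCP bytes (ACK or
    SYN version) or None when the datagram is discarded."""
    r = Reassembler(policy)
    r.add(KEY, 0, True, FRAG1)
    return r.add(KEY, 8, False, FRAG2)


def reassemble_clean_case():
    """Sanity check: the 8 + 36 byte split of the scapy demo, with no
    overlap, still reassembles under RFC 5722."""
    r = Reassembler("rfc5722")
    r.add(KEY, 0, True, b"A" * 8)
    return r.add(KEY, 8, False, b"B" * 36)
```

A stateless ‘established’ check only ever sees fragment 1 (ACK), so the verdict of the host depends entirely on which policy its stack implements.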

44 Atomic IPv6 Fragments
• See: RFC 6946 & draft-ietf-6man-deprecate-atomfrag-generation
• Def: a fragment which is both the first (offset=0) and the last (M=0)
  • Used when a link MTU on the path is < 1280 per RFC 2460 (section 5, about NAT64)
  • The host caches this ‘feature’ per destination when receiving an ICMPv6 packet-too-big
• Can be forged by sending a spoofed ICMPv6 packet-too-big
  • A trick must be used to ensure that the error message contains a copy of a valid packet
  • But several OS do not even check, so why bother?
• Mitigation: anti-spoofing

45 Predictable Fragment ID...
• RFC 2460 about the ID field: “The Identification must be different than that of any other fragmented packet sent recently* with the same Source Address and Destination Address”
• In IPv4, this was leveraged for blind scanning...
  • Allows a remote host C to detect the TCP/UDP ports opened between A and B
  • Either for an anonymous scan of B
  • Or if C can only reach A (DMZ)

[Diagram: hosts C, A and B]

See also draft-gont-6man-predictable-fragment-id

46 Review of TCP 3-way Handshake

[Diagram: open port: A sends TCP SYN, B replies TCP SYN+ACK, A sends TCP ACK (A sends 2 packets); closed port: A sends TCP SYN, B replies TCP RST (A sends 1 packet)]

47 Blind Scanning Recipe
• 1 spoon of 3-way handshake
• 1 gr of spoofing C
• A lot of predictable fragment IDs (to taste)
• 1 L of atomic fragments

48 Blind Scanning Recipe

[Diagram: C sends ICMP_ECHO_REQ to A, the ICMP_ECHO_REP carries ID=1000; C then sends a TCP SYN to B with A as source; open port: B answers A with TCP SYN+ACK and A replies TCP RST (consuming ID 1001), so the next ICMP_ECHO_REP from A to C carries ID=1002; closed port: B answers A with TCP RST, A sends nothing, so the next ICMP_ECHO_REP carries ID=1001]

49 Extension Header Security Policy
• White list approach for your traffic
  • Only allow the REQUIRED extension headers (and types), for example:
    • Fragmentation header
    • Routing header type 2 & destination option (when using mobile IPv6)
    • IPsec: AH and ESP
    • And layer 4: ICMPv6, UDP, TCP, GRE, ...
  • If your firewall is capable:
    • Drop 1st fragment without layer-4 header
    • Drop routing header type 0
    • Drop/ignore hop-by-hop
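The chain walk of slide 31, the undetermined-transport rule of slide 36, the RFC 7112 first-fragment check and the white list above, implemented as one stateless classifier. This is an added example written for this page, not Cisco or IOS code; the sample packets are constructed inline from the byte layouts of the fragment obfuscation demo (frag1/frag2) and of the RH-0 demo, with checksums left at zero.

```python
import ipaddress, struct

# Next-header values used below (IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
ESP, AH, NO_NEXT = 50, 51, 59
TCP, UDP, SCTP, ICMPV6, GRE = 6, 17, 132, 58, 47
PORT_BASED = {TCP, UDP, SCTP}


def walk_chain(pkt):
    """Skip the known extension headers of a raw IPv6 packet (bytes) like a
    stateless filter does and report what is visible: extension headers met,
    routing headers as (type, segments_left), fragment status, and the
    upper-layer header the chain ends on (None if not in this packet)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"headers": [], "routing": [], "fragment": "none", "l4": None, "l4_bytes": 0}
    nh, off = pkt[6], 40
    while True:
        if nh in (HOP_BY_HOP, DEST_OPTS, ROUTING, AH):
            if off + 4 > len(pkt):
                return info                  # cut before the fixed part
            info["headers"].append(nh)
            size = (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
            if nh == ROUTING:
                info["routing"].append((pkt[off + 2], pkt[off + 3]))
            if off + size > len(pkt):
                return info                  # body cut, e.g. by fragmentation
            nh, off = pkt[off], off + size
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return info
            info["headers"].append(nh)
            frag_field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            if frag_field >> 3:              # offset != 0: non-initial fragment
                info["fragment"] = "non-initial"
                return info                  # only opaque data follows
            info["fragment"] = "initial"
            nh, off = pkt[off], off + 8
        elif nh == NO_NEXT:
            return info
        else:                                # reached an upper-layer header
            info["l4"], info["l4_bytes"] = nh, len(pkt) - off
            return info


def undetermined_transport(pkt):
    """True when the IOS 'undetermined-transport' keyword, as described in the
    slides, would match: not a non-initial fragment, and no TCP/UDP/SCTP ports
    or ICMPv6 type+code visible in the first fragment."""
    info = walk_chain(pkt)
    if info["fragment"] == "non-initial":
        return False
    if info["l4"] in PORT_BASED and info["l4_bytes"] >= 4:
        return False
    return not (info["l4"] == ICMPV6 and info["l4_bytes"] >= 2)


def first_fragment_without_l4(pkt):
    """RFC 7112 case: initial fragment whose chain never reaches layer 4."""
    info = walk_chain(pkt)
    return info["fragment"] == "initial" and info["l4"] is None


def policy_verdict(pkt):
    """White list from the slide: drop hop-by-hop, any routing type but 2 and
    first fragments without layer-4; permit only the listed upper layers."""
    info = walk_chain(pkt)
    if HOP_BY_HOP in info["headers"]:
        return "drop: hop-by-hop header"
    if any(rtype != 2 for rtype, _ in info["routing"]):
        return "drop: routing header type other than 2"
    if first_fragment_without_l4(pkt):
        return "drop: first fragment without layer-4 header"
    if info["fragment"] == "non-initial" or info["l4"] in (ICMPV6, UDP, TCP, GRE, ESP):
        return "permit"                      # non-initial: left to reassembly
    return "drop: upper layer %s not in white list" % info["l4"]


def ipv6(nh, payload, src="2001:db8:1::1", dst="2001:db8:23::2"):
    """Constructed sample: 40-byte IPv6 header in front of payload."""
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + addrs + payload


def frag_hdr(nh, offset_bytes, more, ident=0xabbababe):
    """Constructed fragment header (offset in bytes, a multiple of 8)."""
    return struct.pack("!BBHI", nh, 0, (offset_bytes // 8) << 3 | more, ident)


# Same fragmentable part as the scapy demo: 24-byte DestOpt (PadN of 20 'A')
# then a 20-byte TCP SYN to port 22, split 8 + 36 bytes like frag1/frag2.
TCP_SYN = struct.pack("!HHIIHHHH", 18355, 22, 100, 0, 0x5002, 8192, 0, 0)
FRAGMENTABLE = bytes([TCP, 2, 1, 20]) + b"A" * 20 + TCP_SYN
# Routing header type 0 with 2 segments left (the amplification case), then an echo
RH0 = (struct.pack("!BBBBI", ICMPV6, 4, 0, 2, 0)
       + ipaddress.IPv6Address("2001:db8:1::1").packed
       + ipaddress.IPv6Address("2001:db8:23::2").packed
       + struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1))
SAMPLES = {
    "plain tcp": ipv6(TCP, TCP_SYN),
    "frag1": ipv6(FRAGMENT, frag_hdr(DEST_OPTS, 0, 1) + FRAGMENTABLE[:8]),
    "frag2": ipv6(FRAGMENT, frag_hdr(DEST_OPTS, 8, 0) + FRAGMENTABLE[8:]),
    "rh0": ipv6(ROUTING, RH0),
}
```

Run over SAMPLES, frag1 is the initial fragment the naïve ACL let through: it is undetermined-transport and is dropped by the policy, while frag2 (non-initial) is left to reassembly exactly as the NO_SSH2 trace showed.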

Source: Tony Webster, Flickr

50 Extension Header Loss over the Internet

• End users SHOULD filter packets with extension headers

• But, what are your ISP and its transit provider doing to your packets?

Source: Paul Townsend, Flickr

• draft-gont-v6ops-ipv6-ehs-in-real-world • About 20-40% of packets with Ext Hdr are dropped over the Internet

51 Things Keep Improving Though

• Current research by Polytechnique Paris (Mehdi Kouhen) and Cisco (Eric Vyncke) • And VM provided by Sander Steffann

• http://btv6.vyncke.org/exthdr/index.php?ds=bgp&t=fh (work in progress!)

52 More on dual-stack networks

53 Enabling IPv6 in the IPv4 Data Center: The Fool’s Way

[Diagram: 1) one server asks “I want IPv6, send RA”; 2) the router sends an RA with a prefix for auto-configuration; 3) every server on the segment gets IPv6 (“Yahoo! IPv6”); 4) default protection: the IPv4 protection (iptables, ipfw, Security Center) is in place, but for IPv6 there is no ip6tables ✗ and no ip6fw ✗, only Security Center ✔]

Mac OS X 10.7+ now uses packet filter which is dual-stack

54 Enabling IPv6 in the IPv4 Data Center: The Right Way

[Diagram: 1) one server asks “I want IPv6, send RA”; 2) the router sends an RA with “no auto-config”; 3) only the requesting server gets IPv6, with a static IPv6 address, the other servers get no SLAAC address; the IPv4 protection (iptables, ipfw, Security Center) is unchanged]

55 Vulnerability Scanning in a Dual-Stack World
• Finding all hosts:
  • Address enumeration does not work for IPv6
  • Need to rely on DNS or NDP caches or NetFlow
• Vulnerability scanning
  • IPv4 global address, IPv6 global address(es) (if any), IPv6 link-local address
  • Some services are single stack only (currently mostly IPv4 but who knows...)
  • Personal firewall rules could be different between IPv4/IPv6
• IPv6 vulnerability scanning MUST be done for IPv4 & IPv6 even in an IPv4-only network
  • IPv6 link-local addresses are active by default

56 HTTP Session Cookie
• HTTP has no transaction concept
• The application stores transaction states (e-commerce cart) on the server as a ‘session’
• ‘Sessions’ are identified by an opaque value which is unique for the length of the transaction
• This value is transported as an HTTP header cookie
• This value is usually an index into a server table containing all transactions
• To prevent ‘session hijacking’, some servers store the client IP address and check it on each HTTP request
Source: wikimedia and Pinheiro

Session Cookies at Work

[Diagram: John Doe with IP address A logs in (“here are my credentials”); the server answers “credentials valid, logged in, here is a new cookie” and records for cookie C: John Doe, address A, authorized, shopping cart; the next requests (“I want to add item FOO/BAR to my cart, here is my cookie”) are accepted and the cart holds FOO and BAR]

Session Cookie and IP Address Change
• User starts a transaction with IP address A
• Server allocates cookie C
• Server stores address A and checks it for all HTTP requests having cookie C
• The CRUX:
  • Happy Eyeballs (RFC 6555) switches address family and uses address B
  • CGN changes the address to IPv4 B (non RFC 6888 compliant)
  • New privacy extension IPv6 address B
• Next requests from the user still use cookie C but come from address B
• Server checks the address, A != B and the server refuses the request

Session Cookies Changing Address

[Diagram: John Doe with IPv6 address A logs in and gets cookie C (John Doe, address A, authorized, shopping cart); now with IPv4 address B he sends “I want to add item FOO to my cart, here is my cookie” and the server answers “You are not authorized”]

Symptom of HTTP Requests being Denied
• Return to login screen
• or

Preventing Session Cookie Stealing
• Working with OWASP to fix: https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
• Checking the IPv4 address is kind of useless in a CGN world anyway
• Prevent cookie stealing on the path
  • Encrypt with HTTP2 or TLS
• Prevent cookie stealing by hostile script
  • Add “HttpOnly” in Set-Cookie

More on tunnels

63 L3-L4 Spoofing in IPv6 When Using IPv6 over IPv4 Tunnels
• Most IPv4/IPv6 transition mechanisms have no authentication built in
• => an IPv4 attacker can inject IPv6 traffic if spoofing both the IPv4 and IPv6 addresses

[Diagram: an IPv6-in-IPv4 packet crosses the public IPv4 Internet between tunnel termination A and tunnel termination B; IPv6 ACLs are ineffective since IPv4 & IPv6 are spoofed, and the tunnel termination forwards the inner IPv6 packet into the IPv6 network]

64 Looping Attack Between 2 ISATAP Routers (RFC 6324)

[Diagram: ISATAP router 1 (prefix 2001:db8:1::/64, IPv4 192.0.2.1) and ISATAP router 2 (prefix 2001:db8:2::/64, IPv4 192.0.2.2). 1. Spoofed IPv6 packet S: 2001:db8:2::200:5efe:c000:201, D: 2001:db8:1::200:5efe:c000:202; 2. IPv4 ISATAP packet to 192.0.2.2 containing that IPv6 packet; 3. IPv6 packet with the same S and D; repeat until Hop Limit == 0]

• Root cause: ISATAP routers ignore each other
  • An ISATAP router accepts native IPv6 packets and forwards them inside its ISATAP tunnel
  • The other ISATAP router decaps and forwards as native IPv6
• Mitigation:
  • IPv6 anti-spoofing everywhere
  • ACL on ISATAP routers accepting IPv4 from valid clients only
  • Within an enterprise, block IPv4 ISATAP traffic between ISATAP routers
  • Within an enterprise, block IPv6 packets between ISATAP routers

65 Link-Local Addresses vs. Global Addresses
• Link-Local addresses, fe80::/16, (LLA) are isolated
  • Cannot reach outside of the link
  • Cannot be reached from outside of the link
• Could be used on the infrastructure interfaces
  • Routing protocols (including BGP) work with LLA
    • neighbor FE80::1%Ethernet1/0
  • Benefit: no remote attack against your infrastructure
    • Implicit infrastructure ACL
  • Note: need to provision a loopback for ICMP generation (notably traceroute and PMTUD)
  • See also: RFC 7404
  • LLA can be configured statically (not the EUI-64 default) to avoid changing neighbor statements when changing the MAC

66 SP Transition Mechanism: 6VPE
• 6VPE: the MPLS-VPN extension to also transport IPv6 traffic over an MPLS cloud and IPv4 BGP sessions

67 6VPE Security
• 6PE (dual stack without VPN) is a simple case
• Security is identical to IPv4 MPLS-VPN, see RFC 4381
  • Security depends on correct operation and implementation
  • QoS prevents flooding attacks from one VPN to another one
  • PE routers must be secured: AAA, iACL, CoPP …
• MPLS backbones can be more secure than “normal” IP backbones
  • Core not accessible from outside
  • Separate control and data planes
• PE security
  • Advantage: only PE-CE interfaces are accessible from outside
    • Makes security easier than in “normal” networks
  • IPv6 advantage: PE-CE interfaces can use link-local for routing
    • RFC 7404 (born draft-ietf-opsec-lla-only)
    • => completely unreachable from remote (better than IPv4)

68 Enforcing a Security Policy

69 For Your Reference: ASA Firewall IPv6 Support

• Since version 7.0 (April 2005)

• IPv6 header security checks (length & order)

• Management access via IPv6: Telnet, SSH, HTTPS, ASDM

• Routed & transparent mode, fail-over

• v6 App inspection includes: DNS, FTP, HTTP, ICMP, SIP, SMTP, and IPsec pass-through

• IPv6 support for site-to-site VPN tunnels was added in 8.3 (IKEv1 in ASA 8.3.1, and IKEv2 in ASA 8.4.1)

• Selective permit/deny of extension headers (ASA 8.4.2)

• OSPFv3, DHCPv6 relay, stateful NAT64/46/66, mixed mode objects (ASA 9.0)

70 ASA 8.4.2 : IPv6 Extension Header Filtering

• By default all packets with routing header are dropped

• Initial fragments without layer-4 header are always dropped

71 ASA 9.0 Mixed Mode Objects

72 Spam over IPv6
• Spammers are also using IPv6 of course...
  • Probably even without knowing it!

[Diagram: a botnet member or open relay from Germany connecting over IPv6]

Nov 14 00:44:18 ks postfix/smtpd[22843]: connect from unknown[2a01:4f8:d16:4351::2]
Nov 14 00:44:18 ks postfix/smtpd[22843]: A5CDC155: client=unknown[2a01:4f8:d16:4351::2]
Nov 14 00:44:18 ks postfix/cleanup[22847]: A5CDC155: message-id=
Nov 14 00:44:18 ks postfix/qmgr[3578]: A5CDC155: from=, size=27742, nrcpt=1 (queue active)

• So, we need to fight IPv6 spam!
  • Content filtering: nothing has changed
  • Sender authentication (DKIM, SPF, DMARC) works with IPv6 (BRKSEC-3770)
  • Sender reputation works with Cisco Senderbase

73 Senderbase.org and IPv6: It Works 

No geolocation yet though (albeit Maxmind supports IPv6)
Not a lot of data yet... PLEASE HELP

74 Summary of Cisco IPv6 Security Products
• ASA Firewall (since version 7.0, released 2005)
  • Flexibility: dual stack, IPv6 only, IPv4 only
  • SSL VPN for IPv6 over IPv4 (ASA 8.0), over IPv6 (ASA 9.0)
  • Stateful failover (ASA 8.2.2)
  • Extension header filtering and inspection (ASA 8.4.2) (see BRKSEC-3772)
  • Dual-stack ACL & object grouping (ASA 9.0)
• ASA-SM
  • Leverages the ASA code base, same features ;-) 16 Gbps of IPv6 throughput (see BRKSEC-2762)
• IOS Firewall (IOS 12.3(7)T, released 2005; zone-based firewall on IOS-XE 3.6, 2012)
• IPS (since 6.2, released 2008)
• Email Security Appliance (ESA) under beta testing since 2010, IPv6 support since 7.6.1 (May 2012)
• Web Security Appliance (WSA) with explicit and transparent proxy
• Cisco Cloud Web Security (ScanSafe): work in progress (need IPv6 connectivity for all towers...)
• FIREpower NGIPS provides a decoder for IPv4 & IPv6 packets

75 IPv6 VPN

76 Secure IPv6 over IPv4/6 Public Internet
• No traffic sniffing
• No traffic injection
• No service theft

Public Network | Site to Site | Remote Access
IPv4 | 6in4/GRE tunnels protected by IPsec; DMVPN 12.4(20)T; FlexVPN | ISATAP protected by RA IPsec; SSL VPN client AnyConnect
IPv6 | IPsec VTI 12.4(6)T; DMVPN 15.2(1)T; FlexVPN | AnyConnect 3.1 & ASA 9.0

77 Secure Site to Site IPv4/IPv6 Traffic over IPv4/IPv6 with DMVPN & FlexVPN (see also BRKSEC-3036)

• IPv6 packets over DMVPN IPv4/IPv6 tunnels • In IOS release 12.4(20)T (2008) • In IOS-XE release 3.5 (2011) • IPv6 and/or IPv4 data packets over same GRE tunnel

• Complete set of NHRP commands • network-id, holdtime, authentication, map, etc.

• NHRP registers two addresses • Link-local for routing protocol (Automatic or Manual) • Global for packet forwarding

• FlexVPN (= DMVPN phase 4) integrates site-2-site and remote access in a single unified CLI and supports dual-stack or IPv6-only

78 For Your Reference: DMVPN for IPv6 Configuration

Hub:
interface Tunnel0
 ipv6 address 2001:db8:100::1/64
 ipv6 eigrp 1
 no ipv6 split-horizon eigrp 1
 no ipv6 next-hop-self eigrp 1
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 tunnel source Serial2/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ipv6 address 2001:db8:0::1/64
 ipv6 eigrp 1
!
interface Serial2/0
 ip address 172.17.0.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

Spoke:
interface Tunnel0
 ipv6 address 2001:db8:100::11/64
 ipv6 eigrp 1
 ipv6 nhrp map multicast 172.17.0.1
 ipv6 nhrp map 2001:db8:100::1/128 172.17.0.1
 ipv6 nhrp network-id 100006
 ipv6 nhrp holdtime 300
 ipv6 nhrp nhs 2001:db8:100::1
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile vpnprof
!
interface Ethernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 eigrp 1
!
interface Serial1/0
 ip address 172.16.1.1 255.255.255.252
!
ipv6 router eigrp 1
 no shutdown

All combinations of IPv4 and IPv6 are allowed

79 FlexVPN Site-to-site: e.g. IPv6 over IPv4
• IPv4/IPv6 FlexVPN over IPv4 or IPv6 are allowed (IPv6 over IPv4 shown)

[Diagram: two sites, 2001:db8:beef::/64 and 2001:db8:cafe::/64, connected over IPv4 through their routers 172.16.1.1 and 172.16.2.1]

Router 172.16.1.1:
interface Tunnel0
 ipv6 address fe80::1 link-local
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.2.1
 tunnel protection ipsec profile default
interface FastEthernet0/1
 ipv6 address 2001:db8:cafe::1/64
 ipv6 ospf 1 area 0
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0

Router 172.16.2.1:
interface Tunnel0
 ipv6 address fe80::2 link-local
 ipv6 ospf 1 area 0
 tunnel source FastEthernet0/0
 tunnel destination 172.16.1.1
 tunnel protection ipsec profile default
interface FastEthernet0/1
 ipv6 address 2001:db8:beef::1/64
 ipv6 ospf 1 area 0
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0

80 For Your Reference: FlexVPN Shortcut Switching, Hub configuration

2001:db8:1::/64 2001:db8::/64

RADIUS Srv 172.16.0.1

aaa authorization network default group radius Spoke pool crypto ikev2 profile default match identity remote fqdn domain cisco.com RADIUS route identity local dn authentication local rsa-sig Full cert based ipsec:ipv6-addr-pool=v6pool authentication remote rsa-sig authentication pki trustpoint CA ipsec:route-set=interface aaa authorization user cert list default ipsec:route-set=prefix ipv6 2001:db8::/32 virtual-template 1 ipsec:route-accept=any ip:interface-config=ip nhrp network-id 1 interface loopback0 RADIUS peer config ip:interface-config=ip nhrp redirect ipv6 address 2001:db8:ffff::1/128

interface virtual-template 1 type tunnel ip unnumbered looback0 tunnel protection ipsec profile default

ipv6 local pool v6pool 2001:db8:fffe::/120 128 81 For Your IPv6 Flex Shortcut Switching Reference Spoke configuration 2001:db8:1::/64 2001:db8::/64

172.16.0.1

aaa authorization network default local

crypto ikev2 profile default interface virtual-template 1 type tunnel Tunnel match certificate HUBMAP ipv6 unnumbered tunnel 0 identity local fqdn Spoke1.cisco.com ip nhrp network-id 1 address and authentication local rsa-sig tunnel protection ipsec profile default routes from authentication remote rsa-sig ip nhrp shortcut virtual-template 1 config- pki trustpoint CA  exchange aaa authorization group cert list default default crypto ikev2 authorization policy default virtual-template 1 route set ipv6 access-list v6routes IPv6 Hub assigned interface Tunnel0 address ipv6 access-list v6routes ipv6 address negotiated permit ipv6 2001:db8:1::/64 any tunnel source FastEthernet0/0 ip nhrp network-id 1 IPv6 Spoke specific Shortcut ip nhrp shortcut virtual-template 1 subnet switching tunnel destination 172.16.0.1 tunnel protection ipsec profile default
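Two points in the hub and spoke configurations above are worth checking mechanically before a change is pushed: every GRE/mGRE tunnel and virtual-template must carry "tunnel protection ipsec profile" (without it the IPv6 traffic crosses the IPv4 transport in the clear), and the hub's "ipsec:route-accept=any" means it will install whatever prefixes a spoke pushes through config-exchange, so the spoke-side route set should be validated against the aggregate the hub is meant to serve. The following script is an added example written for this page, not Cisco's or the presenter's code; the IOS-style configuration text embedded in it is constructed for the example (modelled on the spoke above, plus a deliberately unprotected Tunnel1 and an out-of-range prefix so the checks have something to find).

```python
"""Offline audit of IOS-style DMVPN/FlexVPN tunnel configuration (added example).

Checks:
  1. every Tunnel / virtual-template interface has `tunnel protection ipsec profile`;
  2. prefixes a spoke advertises via `route set ipv6 access-list <acl>` fall inside the
     aggregate the hub is expected to accept (stricter than `ipsec:route-accept=any`).
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample config for this example; Tunnel1 and the 2001:db9:bad::/48
# entry are deliberate mistakes that the checks below should flag.
SAMPLE_SPOKE_CONFIG = """\
interface Tunnel0
 ipv6 address negotiated
 tunnel source FastEthernet0/0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel destination 172.16.0.1
 tunnel protection ipsec profile default
!
interface Tunnel1
 ipv6 address 2001:db8:ffff:1::2/64
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.2
!
interface virtual-template 1 type tunnel
 ipv6 unnumbered tunnel 0
 ip nhrp network-id 1
 tunnel protection ipsec profile default
 ip nhrp shortcut virtual-template 1
!
ipv6 access-list v6routes
 permit ipv6 2001:db8:1::/64 any
 permit ipv6 2001:db9:bad::/48 any
"""

TUNNEL_HEADER = re.compile(
    r"^interface (Tunnel\d+|virtual-template \d+ type tunnel)$", re.IGNORECASE)


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into top-level sections keyed by header line.

    Indented lines belong to the preceding header; '!' lines are separators.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def unprotected_tunnels(config: str) -> List[str]:
    """Tunnel/virtual-template interfaces lacking `tunnel protection ipsec profile`."""
    findings = []
    for header, lines in parse_sections(config).items():
        if TUNNEL_HEADER.match(header) and not any(
                line.startswith("tunnel protection ipsec profile") for line in lines):
            findings.append(header)
    return findings


def advertised_prefixes(config: str, acl_name: str) -> List[ipaddress.IPv6Network]:
    """Prefixes a spoke would push to the hub from `route set ipv6 access-list <acl>`."""
    nets = []
    for line in parse_sections(config).get(f"ipv6 access-list {acl_name}", []):
        match = re.match(r"permit ipv6 (\S+) any", line)
        if match:
            nets.append(ipaddress.IPv6Network(match.group(1)))
    return nets


def prefixes_outside(prefixes: List[ipaddress.IPv6Network], aggregate: str) -> List[str]:
    """Advertised prefixes that are not covered by the hub's expected aggregate."""
    agg = ipaddress.IPv6Network(aggregate)
    return [str(p) for p in prefixes if not p.subnet_of(agg)]


if __name__ == "__main__":
    print("tunnels without IPsec protection:", unprotected_tunnels(SAMPLE_SPOKE_CONFIG))
    routes = advertised_prefixes(SAMPLE_SPOKE_CONFIG, "v6routes")
    print("spoke prefixes outside 2001:db8::/32:", prefixes_outside(routes, "2001:db8::/32"))
```

The aggregate 2001:db8::/32 mirrors the prefix the hub pushes in its RADIUS "ipsec:route-set=prefix" attribute; on a real deployment the same check can be run over each spoke's running-config before the hub's route-accept policy is relaxed.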

82 Secure RA IPv* over IPv* Public Network: AnyConnect SSL VPN Client 3.1 & ASA 9.0

(Diagram: AnyConnect client on an IPv4/6 transport network, through the ASA, to the IPv6/IPv4 intranet)

• AnyConnect supports native IPv4/6 connectivity
• Connecting via IPv4/6 Internet to ASA
• SSL tunneling: IPv6 in IPv6, IPv4 in IPv4, IPv6 in IPv4, IPv4 in IPv6
• No support for DHCPv6 yet
• Mobile does not support IPv6 transport

See also: http://blog.webernetz.net/2014/01/18/cisco-anyconnect-ipv6-access-through--vpn-tunnel/

86 Use Case: BC-Hydro IPv6 + IPsec for Smart Meters

• http://www.rmv6tf.org/wp-content/uploads/2015/10/2-Bavarian-Mauro_Success-and-future-of-IPv6-from-an-Electrical-Utility-Perspective-rev5.compressed.pdf
• On ciscolive.com: BRKARC-2008 - Smart Grid: Field Area Network Multi-Service Architecture and BC Hydro Case Study
• http://www.cisco.com/c/dam/en_us/solutions/industries/retail/downloads/bc-hydro-cisco.pdf

87 Summary

88 Key Take Away

• So, nothing really new in IPv6 BUT
  • Fragmentation is even more complex in IPv6 than in IPv4
  • FlexVPN or DMVPN allow for secure transport in a dual-stack network
  • User attribution not so easy: DHCP is not so friendly

• Scapy is a powerful tool to test your security devices

• Lack of operation experience may hinder security for a while: training is required

• Experiment with IPv6 here at Cisco Live!

89 Call to Action: Learning more about IPv6

Lunch and Learn:
• IPv6 in the Enterprise: Thu 18 13:00

Sessions:
• LABIPM-2007 Intermediate - IPv6 Hands on Lab: Wed 17 09:00:00
• CCSIP6-2006 BMW: Enterprise IPv6 adoption: Wed 17 11:30:00
• LABSPG-7122 Advanced IPv6 Routing and services lab: Wed 17 14:00:00
• BRKIP6-2100 IPv6-centric application development: Wed 17 14:30:00
• BRKRST-2667 How to write an IPv6 Addressing Plan: Wed 17 14:30:00
• BRKSPG-2300 Service Provider IPv6 Deployment: Wed 17 16:30:00
• PNLCRS-2307 Don't Be Left Behind: Consumer Internet Traffic is Shifting to IPv6, Will your Organization Follow?: Wed 17 16:30:00
• BRKRST-2312 Intermediate - IPv6 Planning, Deployment and Operation Considerations: Thu 18 09:00:00
• BRKSPG-2061 IPv6 Deployment Best Practices for the Cable Access Network: Thu 18 09:00:00
• BRKCOL-2020 IPv6 in Enterprise Unified Communications Networks: Thu 18 11:30:00
• BRKSEC-3003 Advanced IPv6 Security in the LAN: Thu 18 11:30:00
• BRKRST-3123 Segment Routing for IPv6 Networks: Thu 18 14:30:00
• BRKSEC-3200 Advanced IPv6 Security Threats and Mitigation: Thu 18 14:30:00
• BRKRST-2301 Intermediate - Enterprise IPv6 Deployment: Fri 19 09:00:00

Walk-in Self-Paced Lab:
• LABCRS-1000 Intro IPv6 Addressing and Routing Lab

Experiment with IPv6-only WiFi:
• SSID: CL-NAT64
• WPA passphrase: cl-nat64
• SLAAC + stateless DHCP
• NAT64 included to access legacy

• Ask all World of Solutions exhibitors for their IPv6 support

Recommended Reading

91 Complete Your Online Session Evaluation

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

92 Thank you
