[Diagram labels: IPv6 Intranet, Intranet/Internet]

How to Securely Operate an IPv6 Network
BRKSPG-2603
Eric Vyncke, [email protected], @evyncke

Slide 3: Abstract
• This intermediate session describes how an IPv6 network can be securely operated.
• The session explains how the management, control and data planes can be secured.
• It also covers topics such as forensics, telemetry and lawful intercept.
• The content is mainly geared to Service Providers, but enterprises may also find it useful.
• It is targeted at security and network architects with an operational background.
• There are also enterprise versions of this session: BRKSEC-2003 (on-line only) / BRKSEC-3200, which is more protocol oriented than operational. Beware that there is 30% overlap between BRKSEC-3200 and BRKSPG-2603.

Slide 4: Roadmap For IPv6 Security Sessions On www.ciscolive.com
• BRKSEC-2003 IPv6 Security Threats and Mitigations
• BRKSPG-2603 How to Securely Operate an IPv6 Network
• BRKSEC-3003 Advanced IPv6 Security in the LAN
• BRKSEC-3200 Advanced IPv6 Security in the Core
• BRKSEC-3036 Advanced IPsec - IOS Dual-stack designs with FlexVPN
• LTRSEC-3001 Advanced FlexVPN Lab
(Diagram row labels: Operation, Architecture and design, Products)

Slide 5: IETF OPSEC Working Group

Slide 6: For Reference Slides (For Your Reference)
• There are more slides in the hand-outs than presented during the class
• Those slides are mainly for reference and are indicated by the book icon in the top right corner (as on this slide)
• Some slides also have a call-out to another session (see below): BRKSEC-3200

Slide 8: Agenda
• Management Plane
• Control Plane
  - Routing Information
  - Neighbor Discovery
  - Control Plane Protection
• Data Plane
  - Anti-spoofing
  - Access Control List
  - Tunnel loops
• Telemetry
• Forensic
• Lawful Intercept
• Summary

Slide 9: Management Plane

Slide 10: Management over IPv6
• SSH, syslog, SNMP, NetFlow all work over IPv6
• Dual-stack management plane
  - More resilient: works even if one IP version is down
  - More exposed: can be attacked over IPv4 and IPv6
• RADIUS over IPv6 is recent (IOS 15.2(1)T, IOS-XE release 3.2S)
  - But IPv6 RADIUS attributes can be transported over IPv4
• As usual, an infrastructure ACL is your friend (more to come), as well as out-of-band management

Slide 11: IPv6 ACL to Protect VTY (For Your Reference)
  ipv6 access-list VTY
   permit ipv6 2001:db8:0:1::/64 any
  line vty 0 4
   ipv6 access-class VTY in
• Must be done before enabling IPv6 on any interface
• Beware there is no equivalent for HTTP => use an ACL
• The 'management-interface' command of 'control-plane host' is IPv4 only => use an ACL
• In IOS-XR, the command is 'access-class VTY ingress'; the IPv4 and IPv6 ACLs must have the same name

Slide 12: Control Plane: Routing Protocols

Slide 13: Preventing IPv6 Routing Attacks: Protocol Authentication
• BGP, ISIS, EIGRP: no change
  - An MD5 authentication of the routing update
• OSPFv3 has changed: it pulled MD5 authentication out of the protocol and instead relies on transport-mode IPsec (for authentication and confidentiality)
  - But see RFC 7166, which replaces RFC 6506 (not yet widely implemented)
• IPv6 routing attack best practices
  - Use traditional authentication mechanisms on BGP and IS-IS
  - Use IPsec to secure protocols such as OSPFv3

Slide 14: OSPF or EIGRP Authentication (For Your Reference)
  interface Ethernet0/0
   ipv6 ospf 1 area 0
   ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF

  interface Ethernet0/0
   ipv6 authentication mode eigrp 100 md5
   ipv6 authentication key-chain eigrp 100 MYCHAIN
  key chain MYCHAIN
   key 1
    key-string 1234567890ABCDEF1234567890ABCDEF
    accept-lifetime local 12:00:00 Dec 31 2006 12:00:00 Jan 1 2008
    send-lifetime local 00:00:00 Jan 1 2007 23:59:59 Dec 31 2007
No crypto maps, no ISAKMP: transport mode with static session keys

Slide 15: BGP Route Filters (For Your Reference)
• Pretty obvious for customer links
• For peering, a relaxed one:
  ipv6 prefix-list RELAX deny 3ffe::/16 le 128
  ipv6 prefix-list RELAX deny 2001:db8::/32 le 128
  ipv6 prefix-list RELAX permit 2001::/32
  ipv6 prefix-list RELAX deny 2001::/32 le 128
  ipv6 prefix-list RELAX permit 2002::/16
  ipv6 prefix-list RELAX deny 2002::/16 le 128
  ipv6 prefix-list RELAX deny 0000::/8 le 128
  ipv6 prefix-list RELAX deny fe00::/9 le 128
  ipv6 prefix-list RELAX deny ff00::/8 le 128
  ipv6 prefix-list RELAX permit 2000::/3 le 48
  ipv6 prefix-list RELAX deny 0::/0 le 128
Source: http://www.space.net/~gert/RIPE/ipv6-filters.html

Slide 16: Link-Local Addresses vs. Global Addresses
• Link-Local addresses (LLA), fe80::/10, are isolated
  - Cannot reach outside of the link
  - Cannot be reached from outside of the link
• Could be used on the infrastructure interfaces
  - Routing protocols (including BGP) work with LLA
  - Benefit: no remote attack against your infrastructure: implicit infrastructure ACL
  - Note: need to provision a loopback for ICMP generation (traceroute and PMTUD)
  - See also: RFC 7404
• LLA can be configured statically (not the EUI-64 default) to avoid changing neighbor statements when changing the MAC address
  interface FastEthernet 0/0
   ipv6 address fe80::1/64 link-local
  neighbor fe80::2%FastEthernet0/0

Slide 17: Control Plane: Neighbor Discovery

Slide 18: Scanning Made Bad for CPU: Remote Neighbor Cache Exhaustion (RFC 6583)
• Potential router CPU/memory attacks if aggressive scanning
• Router will do Neighbor Discovery... and waste CPU and memory
• Local router DoS with NS/RS/...
[Diagram: the router floods the 2001:db8::/64 link with repeated NS for 2001:db8::1, 2001:db8::2, 2001:db8::3 while a remote scan sweeps the prefix]

Slide 19: Mitigating Remote Neighbor Cache Exhaustion (call-out: BRKSEC-3003)
• Built-in rate limiter with options to tune it
  - Since 15.1(3)T: ipv6 nd cache interface-limit
  - Or IOS-XE 2.6: ipv6 nd resolution data limit
  - Destination-guard is part of First Hop Security phase 3
  - Priority given to refreshing existing entries vs. discovering new ones (RFC 6583)
• Using a /64 on point-to-point links => a lot of addresses to scan!
  - Using /127 could help (RFC 6164)
• Internet edge/presence: a target of choice
  - Ingress ACL permitting traffic to specific statically configured (virtual) IPv6 addresses only (see next slide)
• Using an infrastructure ACL prevents this scanning
  - iACL: edge ACL denying packets addressed to your routers
http://www.insinuator.net/2013/03/ipv6-neighbor-cache-exhaustion-attacks-risk-assessment-mitigation-strategies-part-1

Slide 20: Simple Fix for Remote Neighbor Cache Exhaustion
• Ingress ACL allowing only valid destinations and dropping the rest
• NDP cache & process are safe
• Requires DHCP or static configuration of hosts
[Diagram: on 2001:db8::/64 only the permitted destination 2001:db8::1 triggers an NS, answered by an NA from 2001:db8::1]

Slide 21: ARP Spoofing is now NDP Spoofing: Threats
• ARP is replaced by the Neighbor Discovery Protocol
  - Nothing authenticated
  - Static entries overwritten by dynamic ones
• Stateless Address Autoconfiguration
  - Rogue RA (malicious or not)
  - All nodes badly configured
  - DoS
  - Traffic interception (Man-in-the-Middle attack)
• Attack tools exist (from THC, The Hacker's Choice)
  - parasite6
  - fake_router6
  - ...

Slide 22: ARP Spoofing is now NDP Spoofing: Mitigation (call-out: BRKSEC-3003)
• GOOD NEWS: dynamic ARP inspection for IPv6 is available
  - First phase (Port ACL & RA Guard) available since Summer 2010
  - Second phase (NDP & DHCP snooping) starting to be available since Summer 2011
  - http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
• (Kind of) GOOD NEWS: Secure Neighbor Discovery
  - SeND = NDP + crypto
  - IOS 12.4(24)T
  - But not in Windows Vista, 2008 and 7, Mac OS X, iOS, Android
  - Crypto means slower...
• Other GOOD NEWS:
  - Private VLAN works with IPv6
  - Port security works with IPv6
  - IEEE 802.1X works with IPv6 (except downloadable ACL, but it is coming)

Slide 23: Mitigating Rogue RA: Host Isolation
• Prevent node-to-node Layer-2 RA communication by using:
  - Private VLANs (PVLAN) where nodes (isolated port) can only contact the official router (promiscuous port)
  - WLAN in 'AP Isolation Mode'
  - 1 VLAN per host (SP access network with Broadband Network Gateway)
• Link-local multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm
• Can break DAD
  - Advertise the SLAAC prefix without the on-link bit to force the router to do 'proxy-ND'
[Diagram: promiscuous port (official router) and isolated ports (hosts); an RA sent from an isolated port does not reach the other hosts]

Slide 24: First Hop Security: RA Guard (since 2010, RFC 6105)
• Port ACL blocks all ICMPv6 RA from hosts
  interface FastEthernet0/2
   ipv6 traffic-filter ACCESS_PORT in
   access-group mode prefer port
• RA-guard lite (12.2(33)SXI4 & 12.2(54)SG): also dropping all RA received on this port
  interface FastEthernet0/2
   ipv6 nd raguard
   access-group mode prefer port
• RA-guard (12.2(50)SY, 15.0(2)SE); can also enforce MTU, prefix, ...
  ipv6 nd raguard policy HOST
   device-role host
  ipv6 nd raguard policy ROUTER
   device-role router
  ipv6 nd raguard attach-policy HOST vlan 100
  interface FastEthernet0/0
   ipv6 nd raguard attach-policy ROUTER
[Diagram: RAs arriving on the ROUTER device-role port are accepted; RAs arriving on HOST device-role ports are dropped]

Slide 25: IPv6 First Hop Security Platform Support (For Your Reference)
Columns: Feature/Platform | Catalyst 6500 / 7600 Series | Catalyst 4500 Series | Catalyst 2K/3K Series | ASR1000 Series Router | Catalyst 3850 | Wireless LAN Controller (Flex 7500, 5508, 2500, WISM-2) | Nexus 3k/5k/6k/7k/9k

  RA Guard             | 15.0(1)SY  | 15.1(2)SG | 15.0(2)SE  | 15.2(4)S             | 15.0(1)EX | 7.2 | NX-OS 7.4
  IPv6 Snooping        | 15.0(1)SY1 | 15.1(2)SG | 15.0(2)SE  | XE 3.9.0S / 15.2(4)S | 15.0(1)EX | 7.2 | NX-OS 7.4
  DHCPv6 Guard         | 15.2(1)SY  | 15.1(2)SG | 15.0(2)SE  | 15.2(4)S             | 15.0(1)EX | 7.2 | NX-OS 7.4
  Source/Prefix Guard  | 15.2(1)SY  | 15.2(1)E  | 15.0(2)SE2 | XE 3.9.0S / 15.3(1)S |           | 7.2 | NX-OS 7.4
  Destination Guard    | 15.2(1)SY  | 15.1(2)SG | 15.2(1)E   | XE 3.9.0S / 15.2(4)S |           |     |
  RA Throttler         | 15.2(1)SY  | 15.2(1)E  | 15.2(1)E   |                      | 15.0(1)EX | 7.2 |
  ND Multicast Suppress| 15.2(1)SY  | 15.1(2)SG | 15.2(1)E   | XE 3.9.0S            | 15.0(1)EX | 7.2 |

Cells are placed in the column order of the extraction; the original slide colour-coded cells as Available Now / Not Available / Roadmap, which is not recoverable here, and empty cells carried no release.
Note 1: IPv6 Snooping support in 15.0(1)SY does not extend to DHCP or data packets; only ND packets are snooped
Note 2: Only IPv6 Source Guard is supported in 15.0(2)SE; no support for Prefix Guard in that release

Slide 26: CPE to CPE Communication IPv4 vs.
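To check what the RELAX peering filter of slide 15 actually lets through before deploying it, the following added example (not from the deck, and not Cisco code) implements Cisco-style prefix-list matching in Python: first match wins, `le N` accepts any prefix inside the entry whose length is between the entry's length and N, an entry without `ge`/`le` is an exact-length match, and an implicit deny closes the list. The sequence numbers 5, 10, 15, ... are the IOS auto-numbering assumed here; the candidate prefixes in `__main__` are constructed test inputs.

```python
"""Evaluate the RELAX IPv6 prefix-list (slide 15) against candidate prefixes."""
from dataclasses import dataclass
from ipaddress import IPv6Network
from typing import List, Optional, Tuple

# The prefix-list exactly as shown on slide 15.
RELAX_CONFIG = """
ipv6 prefix-list RELAX deny 3ffe::/16 le 128
ipv6 prefix-list RELAX deny 2001:db8::/32 le 128
ipv6 prefix-list RELAX permit 2001::/32
ipv6 prefix-list RELAX deny 2001::/32 le 128
ipv6 prefix-list RELAX permit 2002::/16
ipv6 prefix-list RELAX deny 2002::/16 le 128
ipv6 prefix-list RELAX deny 0000::/8 le 128
ipv6 prefix-list RELAX deny fe00::/9 le 128
ipv6 prefix-list RELAX deny ff00::/8 le 128
ipv6 prefix-list RELAX permit 2000::/3 le 48
ipv6 prefix-list RELAX deny 0::/0 le 128
"""


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str  # "permit" or "deny"
    network: IPv6Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, candidate: IPv6Network) -> bool:
        # The candidate must lie inside the entry's network ...
        if not candidate.subnet_of(self.network):
            return False
        # ... and its length must fall inside the ge/le window.
        low = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = 128 if self.ge is not None else self.network.prefixlen
        return low <= candidate.prefixlen <= high


def parse_prefix_list(config: str) -> List[PrefixListEntry]:
    """Parse `ipv6 prefix-list NAME {permit|deny} PREFIX [ge N] [le N]` lines."""
    entries: List[PrefixListEntry] = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["ipv6", "prefix-list"]:
            continue
        action, prefix = tokens[3], IPv6Network(tokens[4], strict=False)
        ge = le = None
        opts = tokens[5:]
        while opts:  # optional "ge N" / "le N" pairs
            if opts[0] == "ge":
                ge = int(opts[1])
            elif opts[0] == "le":
                le = int(opts[1])
            opts = opts[2:]
        # Assumed IOS auto-numbering: 5, 10, 15, ...
        entries.append(PrefixListEntry(5 * (len(entries) + 1), action, prefix, ge, le))
    return entries


RELAX = parse_prefix_list(RELAX_CONFIG)


def filter_decision(candidate: str, entries: List[PrefixListEntry] = RELAX) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number); (deny, None) is the implicit deny."""
    net = IPv6Network(candidate, strict=False)
    for entry in entries:
        if entry.matches(net):
            return entry.action, entry.seq
    return "deny", None


if __name__ == "__main__":
    # Constructed candidates: a real /32 allocation, a documentation /48,
    # Teredo, a too-specific /64, a 6bone leftover and a ULA.
    for cand in ["2001:4860::/32", "2001:db8:1::/48", "2001::/32",
                 "2a00:1450::/64", "3ffe:1::/32", "fc00::/7"]:
        action, seq = filter_decision(cand)
        print(f"{cand:20} -> {action:6} (seq {seq})")
```

The point the evaluator makes visible is that `permit 2000::/3 le 48` is what admits ordinary allocations, so anything more specific than /48 (the `2a00:1450::/64` case) falls through to the final `deny 0::/0 le 128`, while `2001:db8::/32 le 128` catches every documentation prefix regardless of length.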
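Slides 18 to 20 describe remote neighbor cache exhaustion and two answers to it: a per-interface cap on unresolved entries that still serves existing neighbors first (the RFC 6583 guidance behind `ipv6 nd cache interface-limit`), and an ingress ACL that admits only statically known destinations so the ND process is never invoked for the rest. The following added example (not from the deck; a deliberately simplified neighbor cache with only INCOMPLETE and REACHABLE states, and a constructed sweep of 4096 addresses of 2001:db8::/64) models a router receiving such a sweep under each policy and reports how many unresolved entries it ends up with and whether the legitimate hosts still get their traffic.

```python
"""Model remote neighbor-cache exhaustion and the mitigations of slides 18-20."""
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Optional, Set

INCOMPLETE = "INCOMPLETE"  # NS sent, no NA yet: what a remote scan piles up
REACHABLE = "REACHABLE"    # NA received, entry usable for forwarding


class NeighborCache:
    """Simplified router neighbor cache for one interface."""

    def __init__(self, limit: Optional[int] = None,
                 allowed: Optional[Set[IPv6Address]] = None) -> None:
        self.limit = limit        # max unresolved entries; None = unbounded (default)
        self.allowed = allowed    # ingress ACL allow-list; None = no ACL
        self.entries: Dict[IPv6Address, str] = {}
        self.drops = {"acl": 0, "limit": 0}

    def unresolved(self) -> int:
        return sum(1 for state in self.entries.values() if state == INCOMPLETE)

    def learn(self, addr: IPv6Address) -> None:
        """A Neighbor Advertisement arrived: the neighbor is reachable."""
        self.entries[addr] = REACHABLE

    def forward(self, dst: IPv6Address) -> str:
        """Router receives a packet for on-link destination `dst`."""
        if self.allowed is not None and dst not in self.allowed:
            self.drops["acl"] += 1
            return "acl-drop"          # dropped before ND ever runs (slide 20)
        state = self.entries.get(dst)
        if state == REACHABLE:
            return "forwarded"         # existing entries are served regardless of load
        if state == INCOMPLETE:
            return "queued"            # resolution already in progress
        if self.limit is not None and self.unresolved() >= self.limit:
            self.drops["limit"] += 1
            return "limit-drop"        # refuse to start yet another resolution
        self.entries[dst] = INCOMPLETE  # send an NS and create an unresolved entry
        return "resolving"


def run_scan(cache: NeighborCache, link: IPv6Network,
             known: Set[IPv6Address], scan_size: int) -> Dict[str, int]:
    """Resolve the legitimate hosts, sweep `scan_size` unused addresses, then
    re-check that the legitimate hosts are still forwarded."""
    for host in known:
        cache.learn(host)
    results = {"forwarded": 0, "resolving": 0, "queued": 0, "limit-drop": 0, "acl-drop": 0}
    base = int(link.network_address)
    for i in range(scan_size):
        # Constructed sweep: addresses ::1000 upward, away from the known hosts.
        results[cache.forward(IPv6Address(base + 0x1000 + i))] += 1
    for host in known:
        results[cache.forward(host)] += 1
    results["unresolved_entries"] = cache.unresolved()
    return results


def compare_policies(scan_size: int = 4096) -> Dict[str, Dict[str, int]]:
    """Run the same sweep against an unprotected cache, a capped cache and an ACL."""
    link = IPv6Network("2001:db8::/64")
    known = {IPv6Address("2001:db8::1"), IPv6Address("2001:db8::2")}
    return {
        "no-mitigation": run_scan(NeighborCache(), link, known, scan_size),
        "cache-limit-256": run_scan(NeighborCache(limit=256), link, known, scan_size),
        "ingress-acl": run_scan(NeighborCache(allowed=known), link, known, scan_size),
    }


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(policy, result)
```

With no mitigation every scanned address becomes an unresolved entry that costs memory and an NS transmission; the cap holds the unresolved count at the configured limit while the two known hosts keep being forwarded because reachable entries are consulted before the limit; the allow-list ACL leaves the ND cache untouched, which is why slide 20 calls it the simple fix, at the price of static or DHCP-assigned host addresses.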
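Slide 24 shows RA guard in three flavours, the fullest of which drops RAs by port device-role and can additionally enforce the advertised prefix and MTU. The following added example (not from the deck and not Cisco's implementation) parses a raw ICMPv6 Router Advertisement per RFC 4861, including Prefix Information (type 3) and MTU (type 5) options, and applies that policy: any RA on a host-role port is dropped, and on a router-role port the prefixes must fall inside an allowed list and the MTU must not exceed a ceiling. The RA bytes are constructed with a helper (checksum left at zero, which is enough for parsing); the policy parameters `allowed_prefixes` and `max_mtu` are this example's names, not IOS commands.

```python
"""RA-guard style policy over parsed ICMPv6 Router Advertisements (slide 24)."""
import struct
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Iterable, Optional, Tuple

ND_ROUTER_ADVERT = 134  # ICMPv6 type, RFC 4861
OPT_PREFIX_INFO = 3
OPT_MTU = 5


def build_ra(prefixes: Iterable[str], mtu: Optional[int] = None,
             hop_limit: int = 64, router_lifetime: int = 1800) -> bytes:
    """Construct an RA for testing: 16-byte header followed by options."""
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, 0,
                       router_lifetime, 0, 0)
    for p in prefixes:
        net = IPv6Network(p)
        # Prefix Information: type, len=4 (32 bytes), prefix length, L|A flags,
        # valid lifetime, preferred lifetime, reserved, then the 16-byte prefix.
        body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                            2592000, 604800, 0) + net.network_address.packed
    if mtu is not None:
        body += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)  # MTU option, len=1 (8 bytes)
    return body


def parse_ra(pkt: bytes) -> Dict:
    """Decode the RA header and its options; raise ValueError on malformed input."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT or pkt[1] != 0:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", pkt[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "router_lifetime": lifetime, "prefixes": [], "mtu": None}
    off = 16
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861 4.6: must be discarded
        size = olen * 8
        opt = pkt[off:off + size]
        if len(opt) < size:
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO:
            prefix = IPv6Network((IPv6Address(opt[16:32]), opt[2]), strict=False)
            ra["prefixes"].append({"prefix": prefix,
                                   "on_link": bool(opt[3] & 0x80),
                                   "autonomous": bool(opt[3] & 0x40)})
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        off += size  # unknown options are skipped, as RFC 4861 requires
    return ra


def ra_guard(port_role: str, pkt: bytes,
             allowed_prefixes: Optional[Iterable[str]] = None,
             max_mtu: Optional[int] = None) -> Tuple[str, str]:
    """Return ("drop"|"forward", reason) for an RA seen on a port of the given role."""
    if port_role != "router":
        return "drop", "RA received on a host-role port"
    try:
        ra = parse_ra(pkt)
    except ValueError as exc:
        return "drop", f"malformed RA: {exc}"
    if allowed_prefixes is not None:
        allowed = [IPv6Network(a) for a in allowed_prefixes]
        for p in ra["prefixes"]:
            if not any(p["prefix"].subnet_of(a) for a in allowed):
                return "drop", f"prefix {p['prefix']} not in allowed list"
    if max_mtu is not None and ra["mtu"] is not None and ra["mtu"] > max_mtu:
        return "drop", f"MTU {ra['mtu']} exceeds {max_mtu}"
    return "forward", "RA accepted"


if __name__ == "__main__":
    legit = build_ra(["2001:db8:1::/64"], mtu=1500)
    rogue = build_ra(["fd00:bad::/64"])
    for role, pkt in [("host", legit), ("router", legit), ("router", rogue)]:
        print(role, ra_guard(role, pkt, ["2001:db8::/32"], 1500))
```

The device-role check is the cheap part and is what RA-guard lite already gives; parsing the options is what the full policy needs, and the parser refuses zero-length or truncated options rather than guessing, since a malformed RA on a router port is something to log and drop, not to repair.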
