Advanced IPv6 Security in the LAN
Gilles Roy, Technical Leader
BRKSEC-3003

In 2015, 55% of attacks are from the inside! *


* Source: 2015 IBM Cyber Security Report

Slide 3: There is a lot happening on the LAN; it can be difficult to follow everything, so let's break it down.
1. Operations
2. Attacks
3. Mitigations
4. Use cases

Slide 4: Use cases (making sense of your setup)

                                        Enterprise   SP Access   Datacenter
Operation
  Address Allocation                        ✔            ✖            ✖
  Duplicate Address Detection               ✔            ✔            ✔
  Address Resolution                        ✔            ✖            ✔
  Neighbor Unreachability Detection         ✔            ✖            ✔
  Prefix Allocation                         ✖            ✔            ✖
  Default Router Discovery                  ✔            ✖            ✔
Attacks
  Denial of Link Operations                 ✔            ✖            ✔
  Denial of Address Resolution              ✔            ✖            ✔
  Router Theft                              ✔            ✔            ✔
  Address Theft                             ✔            ✖            ✔
  Denial of Address Configuration           ✔            ✔            ✖
  Denial of Address Assignment              ✔            ✖            ✖
Mitigation
  RA Guard                                  ✔            ✔            ✔
  DHCP Guard                                ✔            ✔            ✖
  Source Guard                              ✔            ✖            ✔
  Destination Guard                         ✔            ✖            ✖
  Binding Guard                             ✔            ✖            ✔

Slide 5: Abstract summary and pre-requisites
• This session focuses on IPv6 security within the layer-2 domain
• With a multi-dimensional approach: operations, vulnerabilities, mitigations and use cases
• It introduces security features at the First Hop, such as RA Guard, Source Guard, Destination Guard, etc.
• Requirements: knowledge of IPv6 and IPv6 Neighbor Discovery

Slide 6: Agenda
• IPv6 in the layer-2 domain: operations and protocols
• IPv6 in the layer-2 domain: vulnerabilities
• Attack Demonstration
• Mitigating Vulnerabilities
• Use cases overview

Slide 7: Some background on layer-2 & IPv6
• Layer-2: what is it?
• Layer-2 domain: also "broadcast domain", link, LAN, VLAN, segment
• Nodes: hosts, routers, switches, access points
• Link operations: operations between nodes on the shared link
• Security perimeter: draws a line between trusted and untrusted devices
• First hop: first trusted device inside the security perimeter
• First hop security: secures link operations on the first hop

Slide 8: Link operations (for your reference)

LINK OPERATION                           PROTOCOL (IPv4)   PROTOCOL (IPv6)                                                  IPv6 RFC
ROUTER DISCOVERY                         DHCP              Neighbor Discovery (ND)                                          RFC4861
PREFIX DISCOVERY                         -                 Neighbor Discovery (hosts); DHCP-PD (routers)                    RFC3633
PARAMETER DISCOVERY                      DHCP              Neighbor Discovery (MTU); DHCP (DNS server, NTP server, …)       RFC4861
ADDRESS ASSIGNMENT                       DHCP              Neighbor Discovery (SLAAC); DHCP (global scope addresses only)   RFC4861, RFC4862; RFC3315
DUPLICATE ADDRESS DETECTION (DAD)        ARP               Neighbor Discovery                                               RFC4862
ADDRESS RESOLUTION                       ARP               Neighbor Discovery                                               RFC4861
NEIGHBOR UNREACHABILITY DETECTION (NUD)  ARP               Neighbor Discovery                                               RFC4861
REDIRECTION                              ICMP              Neighbor Discovery                                               RFC4861

Slide 9: Fundamentals on Neighbor Discovery
• Provides support for most operations on the link
  • Router Discovery
  • Address Resolution
  • Address Assignment
• Operates above ICMPv6
• Relies heavily on (link-local scope) multicast, combined with layer-2 multicast
• Works with several ICMP messages and message "options"
• Similar to ARP, but has more options
(Figure: ND message carried in ICMPv6, carried in IPv6)

Slide 10: Router Discovery protocol: discover default router and on-link prefixes
Host A, router R.
RS: ICMP Type = 133 (Router Solicitation), multicast
    Source = host link-local address
    Destination = ALL-ROUTERS multicast address (FF02::2)
RA: ICMP Type = 134 (Router Advertisement), multicast
    Source = router link-local address (LLR)
    Destination = All-nodes multicast address (FF02::1)
    Data = router lifetime, preference = medium, …
    Option = Prefix X, Y, Z, lifetime
    → A's RIB: ::0/0 via LLR; use R as default gateway
The LINK-LOCAL address is the router identity.

Slide 11: Router Discovery protocol: select
Host A (interface IF1), routers B and C.
RA from B: Source = LLB
    Data = router
    lifetime, preference = M (medium)
    Option = Prefix X, Y, lifetime
    → A's RIB: ::0/0 via LLB; ADR-DB IF1: X::A, Y::A
RA from C: Source = LLC
    Data = router lifetime, preference = H (high)
    Option = Prefix Z, lifetime
    → A's RIB: ::0/0 via LLC; ADR-DB IF1: X::A, Y::A, Z::A
Select the router based on preference, and build addresses after each prefix received.

Slide 12: Router Discovery protocol: redirect
Host A (IF1), routers B and C, destination X.
RA from B: Source = LLB
    Data = router lifetime, preference = M
    Option = Prefix X, Y, lifetime, SLLA (MACB)
    → A's RIB: ::0/0 via LLB; A's ND cache: LLB → MACB
    Traffic to destination X: next hop = LLB/MACB
REDIRECT from B: Source = LLB, Destination = A
    Data = Target: LLC, Destination: X
    Option = TLLA (MACC)
    → A's RIB: ::0/0 via LLB, X/128 via LLC
    Traffic to destination X: next hop = LLC/MACC

Slide 13: Address Resolution protocol: resolve
Hosts A, B, C; B has link-layer address MACB.
A's neighbor cache: B, -, INCOMPLETE
NS-lookup: ICMP type = 135 (Neighbor Solicitation)
    Source = A, SLLA = MACA
    Destination = solicited-node multicast address of B (SOL B)
    Target = B
    Query = what is B's link-layer address?
    → B's neighbor cache: A, MACA, STALE
NA: ICMP type = 136 (Neighbor Advertisement)
    Source = one of B's interface addresses, Destination = A
    Target = B
    Option = Target link-layer address (MACB)
    → A's neighbor cache: B, MACB, REACHABLE; data flows

Slide 14: Address Resolution protocol: confirm
A's neighbor cache: B, MACB, STALE
Data is sent to B while the entry is not yet confirmed.
NS-NUD: ICMP type = 135 (Neighbor Solicitation)
    Destination = B, Target = B
    Query = are you still there?
NA-NUD: ICMP type = 136 (Neighbor Advertisement)
    Source = B, Destination = A, Target = B
    → A's neighbor cache: B, MACB, REACHABLE ("Yes!")
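The RS, RA, NS and NA messages walked through on slides 10 to 14 all share the ICMPv6 header followed by a type-specific fixed part and a list of 8-octet-aligned options (SLLA, TLLA, Prefix Information). The decoder below is an added example written for this page, not code from the presentation or from Cisco; it follows the RFC 4861 and RFC 4191 layouts, does not verify the ICMPv6 checksum, and the two sample packets (router MAC 00:11:22:33:44:55, prefix 2001:db8:1::/64, target 2001:db8:1::b) are constructed values.

```python
"""Decode ICMPv6 Neighbor Discovery messages (RFC 4861 types 133-136).

Added example; sample packets at the bottom are constructed, not captured.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA"}
OPT_SLLA, OPT_TLLA, OPT_PREFIX = 1, 2, 3                       # RFC 4861 option types
RA_PREFERENCE = {0b01: "high", 0b00: "medium", 0b11: "low"}    # RFC 4191 prf bits


@dataclass
class NDMessage:
    kind: str
    target: Optional[str] = None           # NS/NA target address
    router_lifetime: Optional[int] = None  # RA only; 0 means "not a default router"
    preference: Optional[str] = None       # RA only
    flags: dict = field(default_factory=dict)
    options: dict = field(default_factory=dict)


def _parse_options(buf: bytes) -> dict:
    """Walk the TLV option list; length is in units of 8 octets and 0 is illegal."""
    opts = {}
    while buf:
        if len(buf) < 2:
            raise ValueError("truncated option header")
        otype, olen = buf[0], buf[1] * 8
        if olen == 0 or olen > len(buf):
            raise ValueError(f"bad option length {olen} for type {otype}")
        body = buf[2:olen]
        if otype in (OPT_SLLA, OPT_TLLA):
            opts["slla" if otype == OPT_SLLA else "tlla"] = body[:6].hex(":")
        elif otype == OPT_PREFIX:
            if len(body) < 30:
                raise ValueError("short Prefix Information option")
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])
            opts.setdefault("prefixes", []).append({
                "prefix": f"{prefix}/{plen}",
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: usable for SLAAC
                "valid": valid, "preferred": preferred,
            })
        # other option types (MTU, RDNSS, ...) are skipped, not rejected
        buf = buf[olen:]
    return opts


def parse_nd(pkt: bytes) -> NDMessage:
    """Parse an ICMPv6 payload starting at the ICMPv6 header."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMPv6 header")
    mtype, code = pkt[0], pkt[1]
    if mtype not in ND_TYPES:
        raise ValueError(f"not a Neighbor Discovery message: type {mtype}")
    if code != 0:
        raise ValueError("ND messages must carry ICMPv6 code 0")
    msg = NDMessage(kind=ND_TYPES[mtype])
    if mtype == 133:                       # RS: 4 reserved bytes, then options
        body = pkt[8:]
    elif mtype == 134:                     # RA: hop limit, flags, lifetime, two timers
        if len(pkt) < 16:
            raise ValueError("truncated RA")
        _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHII", pkt[4:16])
        msg.router_lifetime = lifetime
        msg.preference = RA_PREFERENCE.get((flags >> 3) & 0b11, "reserved")
        msg.flags = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40)}
        body = pkt[16:]
    else:                                  # NS / NA: 4 bytes flags/reserved + 16-byte target
        if len(pkt) < 24:
            raise ValueError("truncated NS/NA")
        msg.target = str(ipaddress.IPv6Address(pkt[8:24]))
        if mtype == 136:
            f = pkt[4]
            msg.flags = {"router": bool(f & 0x80), "solicited": bool(f & 0x40),
                         "override": bool(f & 0x20)}
        body = pkt[24:]
    msg.options = _parse_options(body)
    return msg


# --- constructed sample packets (assumed values, not from the presentation) ---
def _opt(otype: int, body: bytes) -> bytes:
    raw = bytes([otype, 0]) + body
    raw += b"\x00" * (-len(raw) % 8)       # pad to a multiple of 8 octets
    return bytes([otype, len(raw) // 8]) + raw[2:]


def sample_ra() -> bytes:
    """RA as on slide 10: lifetime 1800 s, preference high, one prefix, SLLA option."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x08, 1800, 0, 0)  # prf bits = 01
    prefix = _opt(OPT_PREFIX, struct.pack("!BBIII", 64, 0xC0, 2592000, 604800, 0)
                  + ipaddress.IPv6Address("2001:db8:1::").packed)
    return hdr + prefix + _opt(OPT_SLLA, bytes.fromhex("001122334455"))


def sample_na() -> bytes:
    """Unsolicited NA with the Override flag set, as in the slide 15 update flow."""
    hdr = struct.pack("!BBHB3x", 136, 0, 0, 0x20)
    target = ipaddress.IPv6Address("2001:db8:1::b").packed
    return hdr + target + _opt(OPT_TLLA, bytes.fromhex("66778899aabb"))


if __name__ == "__main__":
    for pkt in (sample_ra(), sample_na()):
        print(parse_nd(pkt))
```

The length checks matter more than they look: an option length of zero would otherwise loop forever, and a Prefix Information option shorter than its fixed size is exactly the kind of malformed ND that a first-hop device has to reject rather than crash on.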
Slide 15: Address Resolution protocol: update
A's neighbor cache: B, MACB, REACHABLE. B's link-layer address changes to MACBB.
NA-override (unsolicited): ICMP type = 136 (Neighbor Advertisement)
    Source = B, Destination = ALL-NODES
    Target = B
    Option = Target link-layer address (MACBB)
    → A's neighbor cache: B, MACBB, REACHABLE

Slide 16: Address assignment methods
• Static
• Stateless Address Autoconfiguration
  • Modified EUI-64
  • Privacy Extensions
  • Cryptographically Generated Address (CGA)
• DHCP (only global scope addresses)
Whichever the method, an address MUST be verified for uniqueness with Duplicate Address Detection (DAD) before it can be used.

Slide 17: Address assignment: Stateless Address Autoconfiguration (DAD success)
Host A, router.
RA: ICMP Type = 134 (Router Advertisement)
    Destination = ALL-NODES
    Options = Prefix X, lifetime
Host A computes HOSTID (EUI-64, CGA or Privacy), builds A = {X, HOSTID} and runs DAD on A.
NS-DAD: ICMP type = 135 (Neighbor Solicitation)
    Source = UNSPEC
    Destination = SOL A, Target = A
    Query = does anybody use A already?
No answer: address A is ready to use.

Slide 18: Address assignment: Stateless Address Autoconfiguration (DAD failure)
Host A, host X, router.
RA: ICMP Type = 134 (Router Advertisement)
    Destination = ALL-NODES
    Options = Prefix X, lifetime
Host A computes HOSTID (EUI-64, CGA or Privacy), builds A = {X, HOSTID} and runs DAD on A.
NS-DAD: ICMP type = 135 (Neighbor Solicitation), multicast
    Source = UNSPEC
    Destination = SOL A, Target = A
Host X answers: NA, Target = A
Address cannot be used; manual intervention is required in most cases.

Slide 19: Address assignment: DHCP (DAD success)
Host A, relay, router, server.
SOLICIT (to ALL_SERVERS_AND_RELAY)
ADVERTISE
REQUEST, option: can I use A?
REPLY: your address is A
NS-DAD: ICMP type = 135 (Neighbor Solicitation)
    Source = UNSPEC
    Destination = SOL A, Target = A
    Query = does anybody use A already?
No answer: address A is ready to use.
LINK-LOCAL addresses cannot be DHCP-assigned.

Slide 20: Address assignment: DHCP (DAD failure)
Host A, another host, relay, router, server.
SOLICIT (to ALL_SERVERS_AND_RELAY)
ADVERTISE
REQUEST
REPLY
NS-DAD: ICMP type = 135 (Neighbor Solicitation), multicast
    Source = UNSPEC
    Destination = SOL A, Target = A
    Query = does anybody use A already?
The other host answers: NA, Target = A
Host A sends DECLINE to the server; address cannot be used.

Slide 21: Prefix assignment: DHCP Prefix Delegation
Home network: host, router (link-local address LLGW); relay, server.
SOLICIT
ADVERTISE
REQUEST-prefix, source = LLGW
REPLY-prefix: P1, lifetime
RA from the router: Source = link-local address, Destination = ALL-NODES
    Option = Prefix P1, lifetime
    → host RIB: P1 via LLGW
The host computes HOSTID, builds A = {P1, HOSTID}, runs DAD on A, then sends traffic with Source = A.

Slide 22: Agenda
• IPv6 in the layer-2 domain: operations and protocols
• IPv6 in the layer-2 domain: vulnerabilities
  • Router theft
  • Address (identity) theft
  • DoS attacks
  • Misdirect attacks
• Attack Demonstration
• …

Slide 23: Router Theft (and session hijacking!)
"Where's my next hop?" "Right here! I'll deliver that for you!"

Slide 24: Router Theft: role (and session hijacking!)
Router R, attacker C, host A, destination X.
RA from R: Source = LLR, preference = medium
    → A's RIB: ::0/0 via LLR; session to X via R
RA from C: Source = LLC, Destination = ALL-NODES, preference = high
    → A's RIB: ::0/0 via LLC; session to X via C
Most frequent issue seen on the link.

Slide 25: Address Theft
"534?" "Don't worry, 534 is here!"

Slide 26: Address/Identity Theft (and session hijacking!)
Hosts A and B, attacker C.
Address resolution flow → A's ND cache: B, MACB; session established.
NA (unsolicited) from C: Source = B, Destination = ALL-NODES
    Target = B
    Option: SLLA = MACC
    → A's ND cache: B, MACC; session re-established (now through C)

Slide 27: Router Theft, the return: identity
Router R, attacker C, host A, destination X.
RA from R: Source = LLR, SLLA = MACR
    → A's RIB: ::0/0 via LLR; A's ND cache: LLR, MACR; session via R / MACR
NA (unsolicited) from C: Source = LLR, Destination = ALL-NODES
    Target = LLR
    Option: SLLA = MACC
    → A's ND cache: LLR, MACC; session via "R" / MACC

Slide 28: DoS attacks ("Help!")
• denial of address initialization
• denial of address assignment
• denial of address configuration
• denial of address resolution (one packet)
• denial of address resolution (flood)
• denial of link operations (flood)

Slide 29: DoS attack: denial of address initialization
Host A, attacker C, router.
RA: ICMP Type = 134, Destination = ALL-NODES, Options = Prefix P
Host A computes A = {P, HOSTID}.
NS-DAD: ICMP type = 135 (Neighbor Solicitation)
    Source = UNSPEC, Destination = SOL A, Target = A
    Query = does anybody use A already?
Attacker C answers: NA, Target = A ("it's mine!")
Address cannot be used.

Slide 30: DoS attack: denial of address assignment
Host A, attacker C, relay, router, server.
SOLICIT (to ALL_SERVERS_AND_RELAY)
ADVERTISE (from the server)
ADVERTISE, preference = 255 (from attacker C)
REQUEST
REPLY, NoAddrsAvail, or REPLY, IA = BOGUS (from attacker C)

Slide 31: DoS attack: denial of address configuration
• Attacker spoofs a Router Advertisement with a false on-link prefix
• Victim generates a (topology-bogus) IP address with this prefix
• Access router drops outgoing packets from the victim (ingress filtering)
• Or the return path is broken
Host A, attacker C, router B.
RA from C: Src = B's link-local address, Dst = All-nodes
    Options = prefix BAD
Host A autoconfigures BAD::A and runs DAD on it.
Node A sources off-link traffic via B with BAD::A; B filters out BAD::A, or not (and the return path is broken).
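Slides 24 to 31 all come down to a node on a host port claiming a role or an address it does not own, which is exactly what the first-hop features of slide 4 (RA Guard, DHCP Guard, Source Guard, Binding Guard) check at the switch port. The model below is an added example written for this page, not Cisco's implementation or configuration: port names, port roles, MAC and IPv6 addresses are assumed values, and the events replay the message flows of those slides through one inspection function.

```python
"""First-hop guard policy on switch ports, driven by decoded link events.

Added example (not Cisco's implementation). Port roles, port names and
addresses are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNSPEC = "::"


@dataclass
class Event:
    port: str                     # switch port the frame arrived on
    kind: str                     # RS, RA, NS, NA, DHCP_ADVERTISE, DHCP_REPLY, DATA
    src_mac: str
    src_ip: str                   # "::" for DAD probes
    target: Optional[str] = None  # NS/NA target address


class FirstHopGuard:
    """RA Guard, DHCP Guard, Binding Guard and Source Guard in one inspection path."""

    def __init__(self, port_roles: Dict[str, str]):
        self.roles = port_roles                          # port -> "router" | "dhcp" | "host"
        self.bindings: Dict[str, Tuple[str, str]] = {}   # IPv6 address -> (mac, port)

    def _learn(self, addr: str, mac: str, port: str) -> None:
        # simplification: first claimant wins and bindings never age out
        if addr != UNSPEC and addr not in self.bindings:
            self.bindings[addr] = (mac, port)

    def inspect(self, ev: Event) -> Tuple[str, str]:
        role = self.roles.get(ev.port, "host")
        # RA Guard (slides 24, 31): RAs are only accepted on router-role ports
        if ev.kind == "RA" and role != "router":
            return "drop", "RA Guard: RA received on non-router port"
        # DHCP Guard (slide 30): server-side messages only from server/relay ports
        if ev.kind in ("DHCP_ADVERTISE", "DHCP_REPLY") and role not in ("dhcp", "router"):
            return "drop", "DHCP Guard: server message on non-server port"
        # Binding Guard (slides 26, 27, 29): an NA may only claim a target bound to its port
        if ev.kind == "NA" and ev.target in self.bindings:
            owner_port = self.bindings[ev.target][1]
            if owner_port != ev.port:
                return "drop", f"Binding Guard: {ev.target} is bound to port {owner_port}"
        # Source Guard: data may only be sourced from an address bound to this port
        if ev.kind == "DATA":
            owner = self.bindings.get(ev.src_ip)
            if owner is None or owner[1] != ev.port:
                return "drop", f"Source Guard: {ev.src_ip} not bound to {ev.port}"
        # accepted: the message tells us who owns what, so update the binding table
        if ev.kind == "NS" and ev.src_ip == UNSPEC and ev.target:
            self._learn(ev.target, ev.src_mac, ev.port)   # DAD probe claims the target
        elif ev.kind == "NA" and ev.target:
            self._learn(ev.target, ev.src_mac, ev.port)
        else:
            self._learn(ev.src_ip, ev.src_mac, ev.port)
        return "forward", "ok"


def run_scenario() -> List[Tuple[str, str, str]]:
    """Replay the link operations and attacks of slides 24-31 through the guard."""
    guard = FirstHopGuard({"Gi1/1": "router", "Gi1/2": "host", "Gi1/3": "host",
                           "Gi1/4": "host", "Gi1/5": "dhcp"})
    MAC_R, MAC_A, MAC_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    MAC_B2, MAC_C = "02:00:00:00:00:bb", "02:00:00:00:00:0c"
    events = [
        ("router R RA",                       Event("Gi1/1", "RA", MAC_R, "fe80::1")),
        ("host A DAD probe",                  Event("Gi1/2", "NS", MAC_A, "::", "2001:db8::a")),
        ("C answers A's DAD (slide 29)",      Event("Gi1/3", "NA", MAC_C, "fe80::c", "2001:db8::a")),
        ("host B DAD probe",                  Event("Gi1/4", "NS", MAC_B, "::", "2001:db8::b")),
        ("C claims B's address (slide 26)",   Event("Gi1/3", "NA", MAC_C, "2001:db8::b", "2001:db8::b")),
        ("C sends an RA (slides 24, 31)",     Event("Gi1/3", "RA", MAC_C, "fe80::c")),
        ("C claims R's identity (slide 27)",  Event("Gi1/3", "NA", MAC_C, "fe80::1", "fe80::1")),
        ("C plays DHCP server (slide 30)",    Event("Gi1/3", "DHCP_ADVERTISE", MAC_C, "fe80::c")),
        ("host A data",                       Event("Gi1/2", "DATA", MAC_A, "2001:db8::a")),
        ("C data with A's source",            Event("Gi1/3", "DATA", MAC_C, "2001:db8::a")),
        ("B updates its own MAC (slide 15)",  Event("Gi1/4", "NA", MAC_B2, "2001:db8::b", "2001:db8::b")),
    ]
    results = []
    for label, ev in events:
        action, reason = guard.inspect(ev)
        results.append((label, action, reason))
    return results


if __name__ == "__main__":
    for label, action, reason in run_scenario():
        print(f"{action:8} {label:36} {reason}")
```

The legitimate flows (router RA on the router port, DAD probes, a host refreshing its own link-layer address) are forwarded, while every spoofed message from the host port is dropped with the name of the guard that caught it. The binding table here is deliberately minimal: first claimant wins and entries never expire, so a host that probes an address before its real owner would get the binding; real first-hop implementations add lifetimes, DHCP-learned bindings and per-port trust levels to close that gap.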
