IPv6 Security

Training Course

April 2021
 09:00 - 09:30 Co ee, Tea

11:00 - 11:15 Break

13:00 - 14:00 Lunch

15:30 - 15:45 Break

17:30 End

2










ff

Introductions

• Name
• Number in the list
• Experience with Security and IPv6
• Goals

Introduction

Basic IPv6 Protocol Security

Basic header, Extension Headers, Addressing

IPv6 Associated Protocols Security

ICMPv6, NDP, MLD, DNS, DHCPv6

Internet-wide IPv6 Security

Filtering, DDoS, Transition Mechanisms

Tips and Tools

Up-to-date information, Security Tools, Device features

Legend

Learning / Understanding

Attacker Protecting

5
Introduction to IPv6
Security
Section 1
IPv6 is Happening…

Source: http://worldipv6launch.org/measurements/ (12/1/2021)

7
… and So Are IPv6 Security Threats!

8
IPv6 Security Statements
1 2 3 4 5 6 7 8

• IPv6 is more secure than IPv4

• IPv6 has better security and it’s built in

Reason:
• RFC 4294 - IPv6 Node Requirements: IPsec MUST

Reality:
• RFC 8504 - IPv6 Node Requirements: IPsec SHOULD

• IPsec available. Used for security in IPv6 protocols

9

IPv6 Security Statements

1 2 3 4 5 6 7 8

• IPv6 has no NAT. Global addresses used

• I’m exposed to attacks from Internet

Reason:
• End-2-End paradigm. Global addresses. No NAT

Reality:
• Global addressing does not imply global reachability

• You are responsible for reachability ( ltering)

10

fi

IPv6 Security Statements

1 2 3 4 5 6 7 8

• IPv6 Networks are too big to scan

Reason:
• Common LAN/VLAN use /64 network pre x

• 18,446,744,073,709,551,616 hosts

Reality:
• Brute force scanning is not possible [RFC5157]

• New scanning techniques

11

fi

IPv6 Security Statements

1 2 3 4 5 6 7 8

• IPv6 is too new to be attacked

Reason:
• Lack of knowledge about IPv6 (it’s happening!)

Reality:
• There are tools, threats, attacks, security patches, etc.

• You have to be prepared for IPv6 attacks

12

IPv6 Security Statements

1 2 3 4 5 6 7 8

• IPv6 is just IPv4 with 128 bits addresses

• There is nothing new

Reason:
• Routing and switching work the same way

Reality:
• Whole new addressing architecture

• Many associated new protocols

13

IPv6 Security Statements

1 2 3 4 5 6 7 8

• IPv6 support is a yes/no question

Reason:
• Question: “Does it support IPv6?”

• Answer: “Yes, it supports IPv6”

Reality:
• IPv6 support is not a yes/no question

• Features missing, immature implementations,

interoperability issues 14

IPv6 Security Statements

1 2 3 4 5 6 7 8

• IPv6 is not a security problem in my IPv4-only

network

Reason:
• Networks only designed and con gured for IPv4

Reality:
• IPv6 available in many hosts, servers, and devices

• Unwanted IPv6 tra c. Protect your network

15

ffi
fi

IPv6 Security Statements

1 2 3 4 5 6 7 8
• It is not possible to secure an IPv6 network

• Lack of resources and features

Reason:
• Considering IPv6 completely di erent than IPv4

• Think there are no BCPs, resources or features

Reality:
• Use IP independent security policies

• There are BCPs, resources and features 16

ff

Conclusions

A change of mindset is necessary

• IPv6 is not more or less secure than IPv4

• Knowledge of the protocol is the best security measure

17

Basic IPv6 Protocol

Security
Section 2
IPv6 Basic Header and
Extension Headers
Section 2.1
 Basic IPv6 Header: Threat #1

Version Tra c Class Flow Label

Payload Length Next Header Hop Limit

Source Address

Destination Address

20
ffi
Basic IPv6 Header: Threat #1

IP spoo ng:
Using a fake IPv6 source address

Solution:
ingress ltering and RPF (reverse path forwarding)

21
fi
fi

 Basic IPv6 Header: Threat #2

Version Tra c Class Flow Label

Payload Length Next Header Hop Limit

Source Address

Destination Address

22
ffi
Basic IPv6 Header: Threats #2

Covert Channel:
Using Tra c Class and/or Flow Label

Solution:
Inspect packets (IDS / IPS)
Expected values:
- Traffic Class: 0 (unless QoS is used)

- Flow Label: 0

23
ffi

IPv6 Extension Headers

Basic IPv6 Header Hop-by-hop Options Upper Layer

Destination Options*

Routing

Fragment

IPsec: AH

IPsec: ESP

Destination Options** * Options for IPs in routing header

** Options for destination IP

24

Extension Headers Properties

1 Flexible (use is optional)

2 Only appear once (except Destination options)

3 Fixed (types and order)

4 Processed only at endpoints

(except Hop-by-Hop and Routing)

25
• Flexibility means complexity

• Security devices / software must process the

full chain of headers

• Firewalls must be able to lter based on

Extension Headers

26

fi

 Routing Header

Includes one or more IPs that should be “visited” in the path

- Processed by the visited routers

8 bits 8 bits 8 bits 8 bits

Next Header Length Routing Type Segments Left

Speci c data of that Routing Header type

27
fi

Routing Header Threat

• Routing Header (Type 0):
- RH0 can be used for tra c ampli cation over a remote path

• RH0 Deprecated [RFC5095]

- RH1 deprecated. RH2 (MIPv6), RH3 (RPL) and RH4 (SRH) are valid

RH0 Fields Address[1] Address[2] … Address[n]

28
ffi

fi

 A B
Target

S
Attacker
D

Basic Hdr RH0 Basic Hdr RH0

S | D Segs = 127 S | A Segs = 127

Addr[1] = A Addr[1] = B
Addr[2] = A Basic Hdr RH0
Addr[2] = B
… … S | B Segs = 126
Addr[126] = B Addr[126] = A
Addr[127] = A Addr[127] = D
S | A Segs = 125

S | B Segs = 124

S | A Segs = 1

S | B Segs = 0 S | D Segs = 0

29
Extension Headers Solutions

Deprecated [RFC5095]
Use of RH0
Do not use or allow

• Require security tools to inspect Header Chain properly

30

Fragment Header
- Used by IPv6 source node to send a packet bigger than path MTU

- Destination host processes fragment headers

8 bits 8 bits 13 bits 2 bits 1 bit

Next Header Reserved Fragment O set Res M

Identi cation

32 bits

M Flag:
1 = more fragments to come;
0 = last fragment

31
fi

ff

EH Threats: Fragmentation

Overlapping Fragments that overlap because

?
Fragments of wrong “fragment o set”

Not Sending Waiting for last fragment

Last Fragment Resource consumption

“Atomic” Packet with Frag. EH is the only

Fragments fragment (Frag. O set and M = 0)

32

ff
ff

EH Solutions: Fragmentation

Overlapping Not allowed in IPv6 [RFC5722]

Fragments Packets are discarded

Not Sending Timer and discard packets

Last Fragment (default 60 secs)

“Atomic” Processed in isolation from any

Fragments other packets/fragments [RFC6946]

33

Bypassing RA Filtering/RA-Guard
Using any Extension Header

Basic IPv6 Header Destination Options ICMPv6: RA

Next Header = 60 Next Header = 58

If it only looks at Next Header = 60, it does not detect the RA

34
Bypassing RA Filtering/RA-Guard
Using Fragment Extension Header

Basic IPv6 Header Fragment Destination Options

Next Header = 44 Next Header = 60 Next Header = 58

Basic IPv6 Header Fragment Destination Options ICMPv6: RA

Next Header = 44 Next Header = 60 Next Header = 58

Needs all fragments to detect the RA

35
 Extension Headers Solutions

Fragmented NDP Forbidden [RFC6980]

packets Do not use or allow

Header chain should go in the

rst fragment [RFC7112]
Other attacks based
on Extension Headers
Recommendations to avoid
the problem [RFC7113]

• Require security tools to inspect Header Chain properly

36
fi

IPsec - Security Protocols

Authentication
AH Provides Integrity
MAY
Header (AH) be implemented

Encapsulating Security Provides Con dentiality MUST

Payload (ESP) and Integrity be implemented

37

fi
IPsec or manual

IKE
PROTECTED

1 2
Pkt IPsec
SA IPsec SA

PROTECT
UNPROTECTED

Pkt Pkt
SPD
Send BYPASS

DISCARD

SPD Security Policy Database indicates what to do with packets

SA Security Association: info needed for IPsec with 1 host, 1 direction

IKE Internet Key Exchange allows automatic creation of SAs

38
IPsec Modes

S Internet R2
R1
D

Tunnel Mode IPv6 | IPsec IPv6 | Upper Layers

S
S
Internet
R2
R1
D
D

Transport Mode IPv6 | IPsec Upper Layers

39
IPsec: Authentication Header
Unprotected IPv6
IPv6 EHs Upper Layers

Immutable/predictable elds EH1 = Hop-by-Hop,

Dest. Options*,
ICV Hash ? Routing, Fragment
AH in Transport Mode EH2 = Destination Options**
IPv6 EH1 AH EH2 Upper Layers

Integrity

Immutable/predictable elds

ICV Hash

AH in Tunnel Mode
IPv6 EHs AH IPv6 EHs Upper Layers

Integrity
* Options for IPs in routing header
** Options for destination IP 40

fi
fi

IPsec: ESP
Unprotected IPv6 EH1 = Hop-by-Hop,
IPv6 EHs Upper Layers Dest. Options*,
Routing, Fragment
EH2 = Destination Options**
Hash

ESP in Transport Mode

IPv6 EH1 ESP EH2 Upper Layers ESP Trailer ICV

Encryption
Integrity

Hash

ESP in Tunnel Mode

IPv6 EHs ESP IPv6 EHs Upper Layers ESP Trailer ICV

Encryption
Integrity
* Options for IPs in routing header
** Options for destination IP 41

IPv6 Packet Generation

Exercise 2.1
Exercise 2.1: IPv6 Packet Generation
• Description: Use Scapy to generate IPv6 packets

• Goals:

- Get familiar with lab environment

- Learn the basics of Scapy tool

- Learn to generate tailor made IPv6 packets

• Time: 30 minutes

• Tasks:

- Login in to the lab environment

- Generate IPv6 packets following instructions in Exercise Booklet

43

Exercise 2.1: Lab network

ROUTER

::1
USER X
Network Prefix:
2001:DB8:F:X::/64

eth0 eth0 eth0

HOST A HOST B HOST C

44

IPv6 Addressing
Architecture
Section 2.2
 340,282,366,920,938,463,463,374,607,431,768,211,456

End-to-end

/64 /64

/64

/64

/64

/64

Multiple Addresses
Link-local
Global (GUA)

Multicast
46
 IPv6 Address Scope
GLOBAL SITE

LINK

INTERFACE

fe80::a:b:100 01::2 2001:67c:2e:1::c1

fd00:a:b::100 05::1:3 02::1

47
ff
ff
ff
IPv6 Network Scanning
64 bits 64 bits

Network Pre x Interface ID (IID)

Network Pre x determination (64 bits)

Common patterns in addressing plans
DNS direct and reverse resolution
Traceroute

Interface ID determination (64 bits)

“brute force” no longer possible

48
fi
fi
 IID Generation Options
64 bits

Interface ID (IID)

Modi ed EUI-64 (uses MAC address)

“stable” IID
for SLAAC
Stable, semantically opaque [RFC7217]
“temporary”
Temporary Address Extensions [RFC8981] IID for SLAAC

DHCPv6

Manually

Others (CGA, HBA)

49
fi
 SLAAC IIDs Currently
• Consider IID bits “opaque”, no value or meaning [RFC7136]

How to generate IIDs [RFC7217]

Di erent for each interface in the same network pre x

Not related to any xed interface identi er

Always the same when same interface connected to same network

• Widely used and standardised for “stable” addresses

[RFC8064]

50
ff
fi
fi
fi

 Guessing IIDs

64 bits = 18,446,744,073,709,551,616 Addresses

EUI-64 IPv4-based Sequential

OUI: 24 bits 2001:db8:1::10.0.0.5

FFFE: 16 bits

Low-bits / Trivial (::1) Service port Wordy Address

2001:db8:1::80 2001:db8::bad:cafe

51
 Locally Scanning IPv6 Networks

Tra c Snooping

Dual-stack

Routing Protocols
LLMNR [RFC4795]

Local Protocols Multicast DNS (mDNS) [RFC6762]

DNS Service Discovery (DNS-SD) [RFC6763]

Local Scanning

52
ffi
 Special / Reserved IPv6 Addresses
Name IPv6 Address Comments
Unspeci ed ::/128 When no address available
Loopback ::1/128 For local communications
IPv4-mapped :: :0:0/96 For dual-stack sockets. Add IPv4 address 32 bits
Documentation 2001:db8::/32 RFC 3849
IPv4/IPv6 Translators 64: 9b::/96 RFC 6052
Discard-Only Address
100::/64 RFC 6666
Block
Teredo 2001::/32 IPv6 in IPv4 Encapsulation Transition Mechanism
6to4 2002::/16 IPv6 in IPv4 Encapsulation Transition Mechanism
ORCHID 2001:10::/28 Deprecated RFC 5156
Benchmarking 2001:2::/48 RFC 5180
Link-local fe80::/10 RFC 4291
Unique-local fc00::/7 RFC 4193
6Bone 3ffe::/16, 5f00::/8 Deprecated RFC 3701
IPv4-compatible ::/96 Deprecated RFC 5156

http://www.iana.org/assignments/iana-ipv6-special-registry/
53
ff
ff
ff
fi
Security Tips
• Use hard to guess IIDs
- RFC 7217 better than Modified EUI-64
- RFC 8064 establishes RFC 7217 as the default

• Use IPS/IDS to detect scanning

• Filter packets where appropriate

• Be careful with routing protocols

• Use "default" /64 size IPv6 subnet prefix

54

IPv6 Network Scanning

Exercise 2.2
Exercise 2.2: IPv6 Network Scanning
• Description: Use available toolsets to scan a subnet
• Goals:
- Know about two new toolsets: THC-IPV6 and The IPv6 Toolkit
- Learn how to use them to scan a subnet

• Time: 10 minutes
• Tasks:
- Use The IPv6 Toolkit to scan your lab’s subnet
- Use THC-IPV6 to scan your lab’s subnet

56

 IPv6 Associated
Protocols Security
Section 3
ICMPv6
Section 3.1
ICMPv6 [RFC4443] is an integral part of IPv6

Error Messages Informational Messages

Destination Unreachable Echo Request

Packet Too Big Echo Reply

Time Exceeded NDP

Parameter Problem MLD

59
ICMPv6 Format
• General Format

8 bits 8 bits 16 bits

Type Code Checksum

Message Body

• Extended Format [RFC4884]

Used by: Destination Unreachable

Time Exceeded

60

ICMPv6 Error Messages

Type Code
No route to destination (0)
Communication with destination administratively prohibited (1)
Beyond scope of source address (2)
Address Unreachable (3)
Destination Ureachable (1)
Port Unreachable (4)
Source address failed ingress/egress policy (5)
Reject route to destination (6)
Error in Source Routing Header (7)
Packet Too Big (2)
Packet Too Big (0)
Parameter = next hop MTU
Hop Limit Exceeded in Transit (0)
Time Exceeded (3)
Fragment Reassembly Time Exceeded (1)
Erroneous Header Field Encountered (0)
Parameter Problem (4) Unrecognized Next Header Type (1)
Parameter = o set to error Unrecognized IPv6 Option (2)
IPv6 First Fragment has incomplete IPv6 Header Chain (3)

61
ff

FILTER ICMPv6 CAREFULLY!

Used in many IPv6 related protocols

62
 ICMPv6 Security

Packet with MULTICAST destination address

No ICMPv6 Error message allowed Echo Reply responding an Echo Request is

as a response Optional

avoids not recommended

Hosts Discovery Ampli cation Attacks Smurf Attacks ?

63
fi

 NDP
Section 3.2
NDP [RFC4861] is used on a link

Messages Used for:

Neighbour Solicitation Discovery: routers, pre xes, network parameters

Neighbour Advertisement Autocon guration

DAD
Router Solicitation
NUD
Router Advertisement Address Resolution

Redirect

65
fi
fi
 Hop Limit = 255 NDP has vulnerabilities
[RFC3756]
[RFC6583]
if not then discard

Speci cation says to use IPsec SEND [RFC3971]

(SEcure Neighbour Discovery)

impractical, it’s not used Not widely available

66
fi

NDP Threats
• Neighbor Solicitation/Advertisement Spoo ng

• Can be done sending:

1. NS with “source link-layer” option changed

2. NA with “target link-layer” option changed

- Can send unsolicited NA or as an answer to NS

• Redirection/DoS attack

• Could be used for a “Man-In-The-Middle” attack ?

67

fi

NS Spoo ng (Redirection / DoS)

Neighbour Cache
IP1 11:11:11:11:11:11 IPr
R MACr = 12:34:56:78:9a:bc
IPr 12:34:56:78:9a:bc
IP2 22:22:22:22:22:22
IP2 aa:aa:aa:aa:aa:a
aa
IP1 IP2
11 MAC1 = 11:11:11:11:11:11 2 MAC2 = 22:22:22:22:22:22

IPv6 ICMPv6 NS

IPv6.Source IPv6 IP2 IPa

MACa = aa:aa:aa:aa:aa:aa
IPv6.Destination IPv6 IP1
NS.Target Addr IP1
NS.Src Link-layer Addr aa:aa:aa:aa:aa:aa

68
fi
Unsolicited NA (Redirection / DoS)
Neighbour Cache
IP1 11:11:11:11:11:11 IPr
R MACr = 12:34:56:78:9a:bc
IPr 12:34:56:78:9a:bc
IP2 22:22:22:22:22:22
IP2 aa:aa:aa:aa:aa:a
a
IP1 IP2
11 MAC1 = 11:11:11:11:11:11 2 MAC2 = 22:22:22:22:22:22

IPv6 ICMPv6 NA

NA.Target Addr IP2 IPa

MACa = aa:aa:aa:aa:aa:aa
NA.Target Link-layer Addr aa:aa:aa:aa:aa:aa

69
NUD Failure (DoS attack)

NA NS

Answer to NS 1

NUD to refresh IP host 2

in neighbour cache

70

 DAD (DoS Attack)

Answer to NS Answer to NS

NA NS

NS NS

DAD for IP before

con guring it

71
fi
 NDP
Exercise 3.2-a
Exercise 3.2-a NDP
• Description: Create packets to poison neighbor cache

• Goals:
- Practice with Scapy tool

- Learn how to modify the neighbor cache of another host in the same
network

• Time: 15 minutes

• Tasks (at least one of them):

- Generate NS packets that change other host’s neighbor cache

- Generate NA packets that change other host’s neighbor cache

73

3.2-a: Neighbor cache attack using NS

Neighbor Cache # ip neighbour show
IPb bb:bb:bb:bb:bb:bb

IP2 22:22:22:22:22:22
IPb cc:cc:cc:cc:cc:cc

IPa IPb
1A MACa = aa:aa:aa:aa:aa:aa 2B MACb = bb:bb:bb:bb:bb:bbb

IPc
MACc = cc:cc:cc:cc:cc:cc
IPv6 ICMPv6 NS
C

IPv6.Source IPv6 IPb

IPv6.Destination IPv6 IPa
NS.Target Addr IPa
NS.Src Link-layer Addr cc:cc:cc:cc:cc:cc

74
3.2-a: Neighbor cache attack using NA
Neighbor Cache # ip neighbour show
IPb bb:bb:bb:bb:bb:bb

IP2 22:22:22:22:22:22
IPb cc:cc:cc:cc:cc:cc

IPa IPb
1A MACa = aa:aa:aa:aa:aa:aa 2B MACb = bb:bb:bb:bb:bb:bbb

IPc
MACc = cc:cc:cc:cc:cc:cc
IPv6 ICMPv6 NA C

NA.Target Addr IPb

NA.Target Link-layer Addr cc:cc:cc:cc:cc:cc

75
Malicious Last Hop Router

(lifetime = 0)
22
RA RA

RA RA RA RS
Periodic RAs Answer to RS 1
1

76
 Bogus On-Link Pre x

Pre xes on the Link

google
facebook
amazon

RA

DoS

google is on the link

77
fi

fi
Bogus Address Con guration Pre x

RA

this is your global pre x

2001:db8:bad:bad::/64

DoS

78
fi

fi
fi
Parameter Spoo ng: Hop Limit

RA

Current Hop Limit: 3

DoS

79
fi
Parameter Spoo ng: DHCPv6

ATTACKER’S
DHCP SERVER

RA

M: 1
O: 1
DoS

80

fi
Spoofed Redirect Message
Neighbour Cache Routes on Host 1:
::/0 - fe80::a:b:c
IP1 11:11:11:11:11:11 IPr = fe80::a:b:c
2001:db8::face:b00c - fe80::a R MACr = 12:34:56:78:9a:bc
IPr 12:34:56:78:9a:bc

IP1
11 MAC1 = 11:11:11:11:11:11

IPa = fe80::a
MACa = aa:aa:aa:aa:aa:aa
IPv6 ICMPv6 Redirect

IPv6.Source IPv6 IPr = fe80::a:b:c

IPv6.Destination IPv6 IP1
Redirect.Target Addr IPa = fe80::a
Redirect.Dst Addr. 2001:db8::face:b00c

81

Neighbour Discovery DoS Attack

Router Neighbour Cache
IPa aa:aa:aa:aa:aa:aa
IPb bb:bb:bb:bb:bb:bb
Internet IP1 = P::1
IPr 12:34:56:78:9a:bc
IP2 = P::2
IP1 ???
.. IP3 = P::3
. ..
.
IPn ??? IPn = P::n

IPr = fe80::a:b:c
MACr = 12:34:56:78:9a:bc

NS

IPa Network Pre x (P) 2 IPb

2001:db8:a:b::/64

82
fi
 NDP
Exercise 3.2-b
Exercise 3.2-b NDP
• Description: Send RA messages to perform attacks
• Goals:
- Practice with Scapy tool
- Use RA messages to perform attacks on a link

• Time: 20 minutes

• Tasks:
- Send RA messages with bogus address configuration prefix

84

First Hop Security

• Security implemented on switches

• There is a number of techniques available:

- RA-GUARD

- IPv6 Snooping (ND inspection + DHCPv6 Snooping)

- IPv6 Source / Pre x Guard

- IPv6 Destination Guard (or ND Resolution rate limiter)

- MLD Snooping

- DHCPv6 Guard

85

fi

IPv6 Snooping

IP2 IP1
12 MAC2
2
1 MAC1

NA NA

NS NS

NS

NA

IPa
MACa

86
IPv6 Source / Pre x Guard

IP2
12 MAC2

Source

Source

IPa
MACa

87
fi
IPv6 Destination Guard

Internet

Destination

IPa 2 IPb

88
Rogue Router Advertisements

RA

89
Rogue RA Solutions
1 2
Link Monitoring SEND

3 4
MANUAL CONFIGURATION Host Packet Filtering
+ Disable Autocon g

5 6
Router Preference Option ACLs on Switches
[RFC4191]

7
RA Snooping on Switches (RA GUARD)

90
fi

RA-GUARD [RFC6105]

• Easiest available solution

• Only allows RAs on legitimate
ports on L2 switches

91

Implementing RA-GUARD

Stateless RA Guard

Decision based on RA message or

static con guration

Stateful RA Guard

Stateful RA Guard
Learns dynamically

92
fi

Filtering
• Use Access Control Lists (ACLs) in switches

Switches need to understand

Ethernet IPv6 ICMPv6

Ethertype 0x86DD Version 6 ICMPv6 Type and

for IPv6 Code

Source/destination Source/destination
MAC address IPv6 address

Next Header

93

Filtering Example

(config)#ipv6 access-list RA-GUARD

(config-ipv6-acl)#sequence 3 deny icmp any any router-advertisement
(config-ipv6-acl)#sequence 6 permit ipv6 any any

(config-ipv6-acl)#exit

(config)#interface FastEthernet0/5
(config-if)#ipv6 traffic-filter RA-GUARD in

94

Conclusions / Tips

• NDP is an important, powerful and vulnerable protocol

• Recommended: use available solutions to protect NDP

• Detection (IDS/IPS) can be easier and recommended

95

 MLD
Section 3.3
• MLD (Multicast Listener Discovery) is:

- Multicast related protocol, used in the local link

- Two versions: MLDv1 and MLDv2

- Uses ICMPv6

- Required by NDP and “IPv6 Node Requirements”

- IPv6 nodes use it when joining a multicast group

97

 MLDv1

QUERY REPORT DONE

Router asks for Listeners report Listeners indicate

listeners themselves that they’re done

General

Speci c

98
fi

 Src: fe80::2
Dst: SolicitedNode(2)

2 fe80::2
fe80::a R REPORT SolicitedNode(2)

QUERY

Src: fe80::a
Dst: FF02::1

99

MLDv2

• Mandatory for all IPv6 nodes (MUST) [RFC8504]

• Interoperable with MLDv1

• Adds Source-Speci c Multicast lters:

- Only accepted sources
- Or all sources accepted except speci ed ones

100
fi

fi
fi

 MLDv2

QUERY REPORT-v2

Router asks for Current state

listeners

General State change

( lter/sources)
Speci c Multicast
Address
Sent to FF02::16
Speci c Multicast
Address and Source

101
fi
fi
fi

MLD Details
• Nodes MUST process QUERY to any of its unicast or
multicast addresses

• MLDv2 needs all nodes using MLDv2

• All OSs join (REPORT) to the Solicited Node addresses

102

MLD Flooding

REPORT

RAM Exhaustion

CPU Exhaustion

103
MLD Flooding

REPORT

Rate limit MLD messages

Rate limit MLD states

Disable MLD (if not needed)

104
MLD Tra c ampli cation

Several REPORTs for each QUERY

REPORT

..
.
QUERY

105
ffi
fi
MLD Tra c ampli cation

Rate limit MLD messages

Disable MLD (if not needed)

REPORT

..
.

106
ffi
fi
Passive MLD Scanning

REPORT

QUERY

DONE

107
Active MLD Scanning

QUERY
All Nodes (FF02::1)

Routers (FF02::2, FF02::16)

REPORT

REPORT

REPORT

108
Built-in MLD Security

MLD Message
Source: Link local address only

Hop Limit = 1

Router Alert option in Hop-by-Hop EH

Discard non-compliant messages

109
MLD Snooping
RFC4541

QUERY

Only allow multicast tra c on ports with listeners

110
ffi
MLD Protection on Switches

QUERY
Only allow QUERIES on router’s port

deny icmp any any mld-query

QUERY

111
 MLD
Exercise 3.3
Exercise 3.3 MLD
• Description: Network scanning using MLD
• Goals:
- Know about a new tool: Chiron
- Learn how to use Chiron to scan a network using MLD

• Time: 10 minutes
• Tasks:
- Scan your network using MLD Query message

113

 DNS
Section 3.4
IPv6 DNS Con guration Attacks

Attacker becomes the DNS server of the victim

using:

NDP Autoconfiguration

Man-in-the-Middle SLAAC

Neighbor Cache DHCPv6

Poisoning

115

fi
IPv6 DNS Con guration Attacks

Depending on answers to DNS queries

Man-in-the-Middle DoS Attack

116

fi
DHCPv6
Section 3.5
Introduction

Similar to IPv4 Message names change

Client / Server SOLICIT

ADVERTISE
UDP
REQUEST
Uses Relays REPLY
…

118

Multicast in DHCPv6

Servers and relays listen on multicast addresses

All DHCP Relay Agents and Servers FF02::1:2

All DHCP Servers FF05::1:3

119
Triggering the use of DHCP

Looks
Looks like
like I’ll
I’ll need
need a
a DHCP
DHCP server
server to
to know
know
-- my public
where address
is the DNS Server
ATTACKER’S
DHCP SERVER - where is the DNS Server

RA

M
M 1
0
O
O 1-

120

CLIENT DHCPv6 RELAY DHCPv6 SERVER

fe80::a fe80::f

Dst: FF02::1:2
SOLICIT R-F (SOLICIT)
Src: FE80::a

Dst: FE80::a
ADVERTISE R-R (ADVERTISE)
Src: FE80::f

Dst: FF02::1:2
REQUEST R-F (REQUEST)
Src: FE80::a

Dst: FE80::a
REPLY R-R (REPLY)
Src: FE80::f

121
Privacy Considerations

Client information can be obtained from IDs

like the MAC from Client-ID

LINK-LOCAL ADDRESS MAC ADDRESS

122

Privacy Considerations

Server address assignment strategies:

- Iterative: scanning easier
- Identifier-based: easier to track activity
- Hash: better, but still allows activity tracking
- Random: better privacy

123

Rogue DHCP Server

Answers before legitimate server

REPLY

REPLY

124
Rogue DHCP Server

DHCP Exhaustion Attack

REQUEST

Address Pool: EMPTY

125
Rogue DHCP Server

CLIENT ROGUE DHCP SERVER

SOLICIT

ADVERTISE

Simple Attack

126
Rogue DHCP Server

CLIENT ROGUE DHCP SERVER

SOLICIT

ADVERTISE

REQUEST

REPLY

DHCP Reply Injection

127
DHCPv6 Solutions
RFC8415 - Security Considerations
recommends RFC8213 - IPSec with Encryption

IPSec (with
(without
ESP)
encryption)

CLIENT RELAY DHCP SERVER

128
DHCPv6 Solutions

Secure DHCPv6 (with encryption)

CLIENT RELAY DHCP SERVER

End-to-end encryption
Public key cryptography
Authentication

129
DHCPv6 Shield
RFC7610

• Protects clients only

• Implemented on L2 switches
• DHCPv6 Guard is vendor
implementation

130

IPv6 Filtering
Section 4
Filtering IPv6 Tra c
Section 4.1
ffi
Filtering in IPv6 is very Important!

• Global Unicast Addresses

• A good addressing plan

Easier ltering!

133
fi

New Filters to Take Into Account

• ICMPv6

• IPv6 Extension Headers

• Fragments Filtering

• Transition mechanisms (TMs) / Dual-Stack

134

Filtering ICMPv6
Type - Code Description Action
Type 1 - all Destination Unreachable ALLOW
Type 2 Packet Too Big ALLOW
Type 3 - Code 0 Time Exceeded ALLOW
Type 4 - Code 0, 1 & 2 Parameter Problem ALLOW
Type 128 Echo Reply ALLOW for troubleshoot and services. Rate limit
Type 129 Echo Request ALLOW for troubleshoot and services. Rate limit
Types 131,132,133, 143 MLD ALLOW if Multicast or MLD goes through FW
Type 133 Router Solicitation ALLOW if NDP goes through FW
Type 134 Router Advertisement ALLOW if NDP goes through FW
Type 135 Neighbour Solicitation ALLOW if NDP goes through FW
Type 136 Neighbour Advertisement ALLOW if NDP goes through FW
Type 137 Redirect NOT ALLOW by default
Type 138 Router Renumbering NOT ALLOW

More on RFC 4890 - https://tools.ietf.org/html/rfc4890

135
Filtering Extension Headers

• Firewalls should be able to:

1. Recognise and lter some EHs (example: RH0)

2. Follow the chain of headers

3. Not allow forbidden combinations of headers

136
fi

Filtering Fragments

Upper layer info Creates many tiny fragments to

not in 1st fragment go through ltering / detection

Fragments
Several fragment headers
inside fragments

Fragmentation
External header hides fragmentation
inside a tunnel

137

fi
Filtering Fragments

Upper layer info All header chain should be in

not in 1st Fragment the 1st fragment [RFC7112]

Fragments Should not happen in IPv6.

inside fragments Filter them

Fragmentation FW / IPS / IDS should support

inside a tunnel inspection of encapsulated tra c

138

ffi
Filtering TMs / Dual-stack

Technology Filtering Rules

Native IPv6 EtherType 0x86DD

6in4 IP proto 41
6in4 (GRE) IP proto 47
6in4 (6-UDP-4) IP proto 17 + IPv6
6to4 IP proto 41
6RD IP proto 41
ISATAP IP proto 41
Teredo UDP Dest Port 3544
Tunnel Broker with TSP (IP proto 41) || (UDP dst port 3653 || TCP dst port 3653)
AYIYA UDP dest port 5072 || TCP dest port 5072

More on RFC 7123 - https://tools.ietf.org/html/rfc7123

IANA Protocol Numbers -
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

139

IPv6 Packet Filtering

Much more important in IPv6

+
Common IPv4 Practices

+
New IPv6 Considerations

End to End needs ltering

ICMPv6 should be wisely ltered

Filtering adapted to IPv6: EHs, TMs

140
fi
fi
Filtering IPv6 Tra c
Exercise 4.1
ffi
Exercise 4.1 IPv6 Packet Filtering
• Description: Configure IPv6 packet filters
• Goals:
- Understand IPv6 packet filtering
- Learn how to use ip6tables on Linux hosts

• Time: 20 minutes
• Tasks:
- Configure IPv6 packet filtering rules

142

4.1: IPv6 Packet Filtering - Redirect

Routes on Host A
# ip -6 route show cache

::/0 fe80::a:b:c
IPr = fe80::a:b:c
2001:db8:bad:dad::1 fe80::a
R MACr = 12:34:56:78:9a:bc

IPa IPb
1A MACa = aa:aa:aa:aa:aa:aa 2B MACb = bb:bb:bb:bb:bb:bb

IPc = fe80::a
IPv6 ICMPv6 Redirect MACc = cc:cc:cc:cc:cc:cc
C
IPv6.Source fe80::a:b:c
IPv6.Destination IPa
Redirect.Target Addr fe80::a
Redirect.Dst Addr 2001:db8:bad:dad::1

143
Internet Wide IPv6
Security
Section 5
DDoS
Section 5.1
DDoS attacks in IPv6?

146
DDoS factors related with IPv6

Using lots of hosts

Using outdated rmware

Poor (or no) security measures

147
fi
DDoS factors related with IPv6

Filter tra c
Don’t allow access to all IPv6 addresses

Update rmware

Use security measures for IPv6

Ingress / Egress ltering and RPF

Hierarchical IPv6 address assignment

148
fi
ffi

fi
IPv6 Transition
Mechanisms
Section 5.2
Temporary solution…

With security risks!

150
• In IPv4-only infrastructure expect dual-stack hosts:
- VPNs or tunnels
- Undesired local IPv6 traffic
- Automatic Transition Mechanisms
- Problems with rogue RAs

151

Dual-stack

Bigger attack surface Protect IPv6 at the same level as IPv4

GUA Addresses Filter end-to-end IPv6 properly

Use one IP version to attack the other Don’t trust “IPv4-only”

152
Tunnelling
IP-2 | IP-1 | DATA

IP-1 | DATA
Tunnel Tunnel
end point end point

Attackers need knowledge of

• Version of IP-1 and IP-2 Solutions
• Tunnel end points addresses • Filtering
• Tunneling protocol
• Authentication
To create tailor-made packets for
• Traffic Injection
• Unauthorised use
• Reflection attack
• Loop attack 153

Translation

IPSec can’t be used end-to-end

DNSSEC can’t be used with DNS64

Reflection attack Must support ltering

IP pool depletion attack

Implementations should protect
themselves against exhaustion
ALG (Application Level Gateway) attacks
CPU Attack

154
fi
IPv6 Security Tips and
Tools
Section 6
Introduction

1 Best security tool is knowledge

2 IPv6 security is a moving target

3 IPv6 is happening: need to know about IPv6 security

Cybersecurity challenge: Scalability

4 IPv6 is also responsible for Internet growth

156
Tips

• IPv6 quite similar to IPv4, many reusable practices

• IPv6 security compared with IPv4:

No changes with IPv6 Changes with IPv6 New IPv6 issues

157

 Up to date information

Information Standardisation Vulnerabilities Security Cybersecurity Vendors Public Forums

category Bodies Databases Tools Organisations

IETF Vulnerability CSIRTs / CERTs Mailing Lists

Sub-categories Scanners Gov. / LEAs Groups of Interest
Security Events

Information in Security Vulnerability ID Vulnerability ID Vulnerability ID Vulnerability ID “0 Day”

considerations (CVE-ID, other) (CVE-ID, other) (CVE-ID, other) (CVE-ID, other) vulnerabilities
this category
Protocol updates Severity (CVSS, Severity (CVSS, Severity (CVSS, Severity (CVSS, News
other) other) other) other)
Security Trends
recommendations Description Description Description Description
Lessons learned
A ected systems A ected systems A ected systems A ected systems

Solutions and Solutions and Solutions and Solutions and

workarounds workarounds workarounds workarounds

A ected devices “0 Day” “0 Day”

in your network vulnerabilities vulnerabilities

RFCs, I-Ds NVD, CVE OpenVAS CERT-EU Cisco, Juniper, NOGs, IETF, IPv6
Examples ENISA MS, Kaspersky, Hackers, Reddit,
EUROPOL/EC3 etc. Troopers, etc.

158
















































ff
ff
ff
ff
ff


















































Examples
Manual

CVE cve.mitre.org/cve/search_cve_list.html
Search for: ICMPv6 windows

NVD https://nvd.nist.gov/vuln/search
Search for: CVE-2020-16899
Go to vendor’s link

Automated

OpenVAS

159

Homework

Go to: cert.europa.eu
Select language lters
Search for IPv6
optional: con gure a subscription

Go to NVD: https://nvd.nist.gov/vuln/search
Search for IPv6 + your vendor

160
fi

fi



Security Tools
Type Can be used for Examples
Assessing IPv6 security
Packet Testing implementations Scapy, nmap,
Generators Learning about protocols Ostinato, TRex
Proof of concept of attacks/protocols
Understanding attacks and security measures
Packet Sni ers/ tcpdump, Scapy,
Learning about protocols and implementations
Analyzers Wireshark, termshark
Troubleshooting
Assessing IPv6 security
Specialised Learning about protocols and implementations THC-IPV6, The IPv6
Toolkits Proof of concept of attacks/protocols Toolkit, Ettercap
Learn about new attacks
Finding devices and information
Scanners nmap, OpenVAS
Proactively protect against vulnerabilities
Understanding attacks and security measures
Learning about protocols and implementations
IDS/IPS Snort, Suricata, Zeek
Assessing IPv6 security
Learn about new attacks

161
ff
 Devices Categories (RIPE-554)
Security
Host Switch Router CPE
Equipment
IPSec (if needed) HOST + HOST + HOST + Router
RH0 [RFC5095] IPv6 ACLs Security
Ingress Filtering Header chain
Overlapping Frags
and RPF [RFC7112] Equipment
FHS
[RFC5722] DHCPv6 Relay
RA-Guard Support EHs DHCPv6 Server
[RFC8213]
[RFC6105] Inspection Privacy Issues
Atomic Fragments
OSPFv3
[RFC6946] ICMPv6 ne
DHCPv6 guard Auth. [RFC4552] grained ltering
NDP
Fragmentation IPv6 snooping or / and [RFC7166]
Encapsulated
[RFC6980]
IPv6 source / Tra c Inspection
pre x guard
IS-IS
Header chain
[RFC7112] [RFC5310] IPv6 Tra c
IPv6
Filtering
destination guard or, less preferred,
Stable IIDs
[RFC8064][RFC7217] [RFC5304]
MLD snooping
[RFC7136] [RFC4541]
MBGP
Temp. Address DHCPv6-Shield
Extensions [RFC7610] TCP-AO [RFC5925]
[RFC8981] MD5 Signature Option
[RFC2385]
Disable if not used:
Obsoleted
LLMNR, mDNS,
DNS-SD, transition MBGP Bogon
mechanisms pre x ltering 162
ffi
fi
fi

fi
ffi
fi
fi

 Control Plane Security Forwarding Plane Security

IPv6 Internet

BGP

R Router
IPv6
P2P links
IGP NDP
MLD
R

R R
Firewall FW

NDP
DHCPv6
Switch FHS
MLD
DNS*
IPv6

Hosts Servers

* All Name resolution related protocols

163

 We want your feedback!

What did you think about this webinar?

Take our survey at:

http://www.ripe.net/training/ipv6security/survey

164



 RIPE NCC
Academy

Learn something new today!

academy.ripe.net

165

 Presentation Title
LAUNCHING SOON

Presentation Subtitle
https://www.ripe.net/certi edprofessionals

Type Of Session
RIPE NCC Learning & Development
fi

Title Text
The End! Kрай Y Diwedd
Fí
Соңы Finis
Liðugt
Ende Finvezh Kiнець
Konec Kraj Ënn Fund

Lõpp Beigas Vége Son Kpaj

An Críoch
‫הסוף‬ Endir
Fine Sfârşit Fin Τέλος
Einde
Конeц Slut Slutt
Pabaiga
Amaia Loppu Tmiem Koniec
Fim
167
Extra: Smurf Attack
Reply Reply
Reply Reply
3 N packets 3 N packets
Reply Reply

1 1
1 Request 1 Request

2 2
Reply Reply
1 1
Echo Request Echo Request
1 1
N Request 1 Packet 1 Packet
N Request
Source: Victim Source: Victim
2 Destination: Broadcast 2 Destination: Multicast (FF02::1)
Reply Reply

IPv4 IPv6

? 168

Extra: DoS / DDoS

• DoS (Denial of Service): Type of attack that is able to
make a service or protocol to stop working.

• DDoS (Distributed DoS): Is a type of DoS attack that

is performed from several devices.

• Example: send too much traffic to a

link, so that the routers can’t handle
it, overloading them

? 169

Extra: MITM
• Man-In-The-Middle attack:
- The attacker is able to be on the path of the packets

1
22 1
22

? 170

Extra: Replay Attacks

• Replay Attacks consist in sending again a previous
packet
1
22
Packet
1

2
Packet

• Solution: nonce or timestamp (makes packet unique)

1
22
Packet | nonce
1 X

2
Packet | nonce

? 171
 Extra: Overlapping Fragments
Fragments

200 bytes

1 200 201 320

O set 1 1 320

O set 201 201

120 bytes

Normal fragments o set say where the data goes

Fragments

200 bytes

1 200 201 320

O set 1 1 270

O set 150 150

120 bytes

Overlapping fragments have wrong o set values ? 172

ff
ff
ff
ff
ff
ff
 Extra: Hash Function
• Input: Variable length bit string, for example a text

• Output: Fixed length bit string, represented by a series of

characters

HASH
Text ea326e4c7178ad
HASH
Function
Another Text bc835b33a22b0f

Not Reversible
? 173

Extra Reference Slides

 IPv6 Associated
Protocols Security
Section 3
IPv6 Routing protocols
Section 3.6
 THIS SECTION NOT COVERED SAME AS IPv4

Authentication of Route filtering Router Hardening

neighbors/peers

Securing routing
updates

177

Neighbors/Peers Authentication

Authentication Options Comments

RIPng - No authenticatio - RIPv2-like MD5 no longer availabl

- IPsec (general recommendation) - IPSec not available in practice
OSPFv3 - IPsec [RFC4552] - ESP or AH. Manual key
- Authentication Trailer [RFC7166] - Hash of OSPFv3 values. Shared key

IS-IS - HMAC-MD5 [RFC5304 - MD5 not recommende

- HMAC-SHA [RFC5310] - Many SHA, or any other hash
MBGP - TCP MD5 Signature Option [RFC2385 - Protects TCP. Available. Obsolete
- TCP-AO [RFC5925] - Protects TCP. Recommended

178
n

Securing Routing Updates

• IPsec is a general solution for IPv6 communication
- In practice not easy to use

• OSPFv3 specifically states [RFC4552]:

1. ESP must be used
2. Manual Keying

• Other protocols: No options available

179

Conclusions

• Security options available for IPv6 routing protocols

• Try to use them:

- Depending on the protocol you use
- At least at the same level as IPv4

180

IPv6 Filtering
Section 4
Filtering IPv6 Routing
Information
Section 4.2
 IPv6 BGP Bogon Pre x Filtering

Use Pre x
Default ::/0
Unspeci ed Address ::/128
Loopback Address ::1/128
IPv4-mapped Addresses :: :0.0.0.0/96
IPv4-compatible Addresses (deprecated) ::/96
Link-local Addresses fe80::/10
Site-local Addresses (deprecated) fec0::/10
Unique-local addresses fc00::/7
Multicast Addresses 00::/8
Documentation addresses 2001:db8::/32
6Bone Addresses (deprecated) 3 e::/16, 5f00::/8
ORCHID 2001:10::/28

Team Cymru: https://team-cymru.com/community-services/bogon-reference/

183
ff
ff
ff
ff
fi
fi
fi
MANRS (www.manrs.org)

• Secure and Resilient Internet is a collaborative e ort

• Concrete actions for: network operators, IXPs, CDN/
Cloud providers

• IPv6 and IPv4 BGP

184

ff

 MANRS Network Operators Actions

Facilitate Global Keep contact information updated:

Coordination RIPE DB, LIR Portal, PeeringDB

Facilitate Routing Route Document

RPKI
Information Validation Objects Policy

Ingress Filtering
Prevent IP Spoofing uRPF
[RFC2827][RFC3704]

Check BGP
Prevent Incorrect Define Announcements
Routing Information Routing Policy
(RPKI / ROAs)

BGP Bogon Filtering BGPsec (?)

185

Internet Wide IPv6

Security
Section 5
BGP Hijacking
Section 5.3
Introduction

• BGP is a control plane protocol (application level)

• Hijack techniques same in IPv6 and IPv4
• Protection techniques as well

188

 BGP Pre x Hijack - Fake Origin

Tra c to AS 1

P/29 [1] P/29 [1,A] P/29 [1,A,B]

1 A B 2
,B]
Victim ,A P/29
P/29 [1,A] [1
29 [1,A,B]
P/ P/32 [3,D]

C D

P/29 [1,A,C]
P/32 [3]
Tra c to AS 1
/32 pre x
3

Attacker

189
ffi
ffi
fi
fi
 BGP MITM - Fake AS-path
Tra c to AS 1

P/29 [1] P/29 [1,A] P/29 [1,A,B]

1 A X B 2
]
A ,B
Victim [1, P/29
P/29 [1,A] 29
P/ [1,A,B]

X
P/32 [A,C,3,D]
C D
X
P/
32

Tra c to AS 1 P/32 [A,C,3]

[A
,C

/32 pre x P/29 [1,A,C] Tra c to AS 1

,3
]

/32 pre x
3

Attacker

190
ffi
ffi
ffi
fi
fi
BGP Hijack: Solutions

• To secure BGP for IPv6:

1. Route Filtering

2. RPKI

3. BGPsec (in the future)

• Temporary: More speci c announcement

191

fi