Threat Considerations for IPv6

So now that we’ve covered the basics of the IPv6 protocol suite, the addressing options, routing, that sort of thing, what about the threats? That’s really what this course is focused on, and we have to understand that a lot of the usual suspects from IPv4 still exist in IPv6. Reconnaissance attacks, where the attacker is trying to discover information about our network, may be a little bit harder because we have a larger address space: a single /64 subnet has 2^64 possible host addresses, so sweeping it the way you would ping-sweep an IPv4 /24 is simply not practical. I wouldn’t say that affords as much security as it sounds like, okay. Hosts still give themselves away through DNS, through the multicast groups they join, and through SLAAC addresses that embed the MAC address, and a scan aimed at a /64 behind a router has a side effect of its own: the router has to send a Neighbor Solicitation for every address it has never seen and hold an incomplete entry for each one, which is how Neighbor Discovery ends up consuming the router’s neighbor cache and CPU. There are a lot of tools out there for this. Viruses and worms might operate a little bit differently, but they still have the same key elements: they more or less target the application layer, and they need a means of communicating across a network. So yes, the scanning will use alternative techniques, but the scanning is just one element of it, isn’t it? That’s just how we discover vulnerable devices that we can leapfrog from.

Spoofing is still a problem, and so are bogons. When you hear about a bogon list, it’s basically a list of addresses that should never show up as a source on the Internet: unallocated space, reserved ranges, private and documentation prefixes. We have bogon lists for IPv4, and we have them for IPv6 too. Application layer attacks are still basically the same beast, because we’re not changing our applications. Man-in-the-middle attacks are still possible. Earlier we said that IPv6 has the requirement of supporting IPsec (the original node requirements made it a MUST; RFC 6434 later relaxed that to a SHOULD), but just because we are connected over IPv6 doesn’t mean we have IPsec tunnels going everywhere. No, we still have to set them up. It only means the stack has to support it; until we’ve taken the time to configure all of the different elements of IPsec (peers, key exchange, policy), we don’t have a tunnel. And therefore, if we’re sending communication in the clear, it can be altered, so we have integrity problems, and it can be read, so we have confidentiality issues. Same issue as in IPv4.

New vulnerabilities specific to IPv6

Okay, first, this is still just a protocol suite, and with any protocol suite you’re going to have a large number of vulnerabilities, and over time IPv6 could certainly become more secure than IPv4. But here’s the bad news: we’re not well trained on it, the industry is not well trained on IPv6, and you would be hard-pressed to find even the most cutting-edge environments that have really set up an extremely secure IPv6 deployment, where you could certainly find the equivalent for IPv4. Our end nodes are certainly vulnerable to compromise of things like configuration parameters, denial of address assignment (an attacker who answers every Duplicate Address Detection probe keeps a host from ever taking an address), address resolution, and default gateway discovery with things like stateless autoconfiguration. Those things can be exploited, right, and there are also things inside of the header. With any header, there are going to be fields that attackers figure out how to abuse. So what we do have to understand is that this is just something we should expect when we’re migrating to any new protocol suite; it isn’t necessarily saying “ah, this is a really bad protocol suite.” It’s got its fair share of things that we’re going to have to lock down as security folks in IT.

Here are some issues that we certainly have to understand. First, we use multicast quite heavily; broadcast, a directed broadcast communication, is not part of the protocol suite at all. It doesn’t mean we can’t communicate to everyone on the network, it just means we use multicast to do that. And when we’re using this multicast modality, that sets us up for a man-in-the-middle attack where someone is pretending to be part of the conversation. It’s easier to do that here because the core mechanisms are not one-to-one: with stateless autoconfiguration a host sends a Router Solicitation to the all-routers group and takes whatever Router Advertisement comes back, and with Neighbor Discovery it sends a Neighbor Solicitation to a multicast group and trusts whoever answers. There is no prior relationship with the target that would let the host tell the real router or neighbor from an impostor. We also have some really fantastic tunneling approaches, but these are a lot more robust and dynamic than the tunneling approaches you would see inside of IPv4. For instance, if you’re going to do tunneling in IPv4, you have to manually configure it. There’s not really any tunneling approach that I’m aware of that could just do it automatically; however, in IPv6 we do have dynamic tunneling approaches (6to4, ISATAP, Teredo) that get set up on the fly, and these tunnels can be allowed through the firewall to sneak stuff in that we don’t want to allow. That’s a problem. And then we have the fact that we’re running dual stack unless administrators take the time to lock that down. Yeah, it’s been that way since, I think, Windows Vista. Windows Vista has IPv6 in conjunction with IPv4, and so do Windows 7 and Windows 8, so the typical modern operating systems are running dual stack out of the box. So you’ve got this big, huge protocol suite that might not even be in use on a network but is exploitable, and that’s a challenge.

So vulnerabilities are something that is going to keep us IT security folks in a job for the foreseeable future, and one takeaway might be, “okay, I want to disable IPv6 on all of the adapters on all of the desktops and laptops, because I’m not using it yet.” That is something you could act on immediately. Do test it first, though: Microsoft’s own guidance is not to disable IPv6 outright on Windows, and RA Guard at the access switch, covered below, stops the rogue-router scenario without touching the hosts.

Amplification DoS attacks

We’ve got two example attacks that would be classified as denial-of-service attacks. Let’s take a look at the first one.

[pic1: top, a Type 0 Routing Header bouncing one packet back and forth between two routers; bottom, an address scan that drives Neighbor Discovery on the router]

In the first one, the attacker is basically jury-rigging a routing loop. The way they engineer this is with the Type 0 Routing Header (RH0): the sender lists the addresses the packet must visit on its way to the destination, and nothing stops them from listing the same two routers over and over. Router A forwards to router B, B forwards back to A, and one packet gets carried across the link between them again and again, until the list runs out. Do you know what this is similar to in IPv4? Because this might seem like it’s entirely new, but there’s something really similar in IPv4 called IP source routing, where you can specify who you want to communicate with and who you want the traffic to flow through, and this is the same challenge. It was bad enough that RFC 5095 deprecated RH0 in 2007: a node receiving an RH0 with Segments Left greater than zero is supposed to discard it, so any modern stack should refuse to play along, but filtering it at your own edge is still the safe move.

The bottom example is where we’re exploiting Neighbor Discovery. The attacker scans IPv6 addresses in a subnet behind the router, most of which don’t exist. For every one of them the router has to send a Neighbor Solicitation to the solicited-node multicast group for that address, hold an incomplete neighbor-cache entry while it waits, and retransmit when nothing answers. A /64 gives the attacker an effectively endless supply of addresses to ask about, so a trickle of scan traffic turns into a flood of solicitations and a neighbor cache full of junk; once the cache is full, the router can’t resolve the legitimate hosts either (RFC 6583 describes this and the mitigations). The classic amplifier is still there too, in another form: a ping to the all-nodes multicast address ff02::1 gets an answer from every host on the segment, which is very similar to pinging the directed broadcast of an IPv4 subnet. So anytime we hear the words denial-of-service, it means we’re trying to shut something down, and both of these shut something down by starving it of resources. The routing-header attack says “I’m going to amplify this packet by having it sent back and forth between the two routers many, many times.” The Neighbor Discovery attack says “send a little bit of traffic and make the router do a huge amount of work in return.” I think some of these attackers are just asking how they can pull off the same attack in a new protocol suite, and then making that happen.
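To make the RH0 case concrete, here is an added example (not code from the course) that walks an IPv6 packet’s extension-header chain, pulls out any Routing Header, and gives the RFC 5095 verdict: drop a Type 0 header whose Segments Left is non-zero. The packets it inspects are constructed inline, including one that lists two routers four times each, which is exactly the ping-pong the figure shows; the packet builder exists only to produce that test input.

```python
"""Extension-header walk that flags Type 0 Routing Headers (RH0).

Added example for this section, not code from the original course. The
packets below are constructed by hand so the example runs offline.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_ROUTING, NH_FRAGMENT, NH_NONE = 43, 44, 59
# Extension headers that chain via "next header" and may precede the payload
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "destination"}


def parse_ipv6(pkt: bytes):
    """Return (next_header, payload_len, src, dst) from the fixed 40-byte header."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nxt, _hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:IPV6_HDR_LEN])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return nxt, plen, ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)


def inspect_routing_header(pkt: bytes) -> dict:
    """Walk the extension-header chain and report any Routing Header found.

    'drop' is True for the case RFC 5095 says to discard: an RH0 whose
    Segments Left field is non-zero, i.e. one that still asks routers to
    bounce the packet through the listed addresses.
    """
    nxt, _plen, _src, _dst = parse_ipv6(pkt)
    off = IPV6_HDR_LEN
    result = {"rh_type": None, "segments_left": 0, "addresses": [],
              "repeated": False, "drop": False}
    while nxt in EXT_HEADERS:
        if len(pkt) < off + 8:
            raise ValueError("truncated extension header")
        ext_nxt, ext_len = pkt[off], pkt[off + 1]
        # Fragment header is a fixed 8 bytes; the others carry a length in
        # 8-octet units that excludes the first 8 octets.
        hdr_len = 8 if nxt == NH_FRAGMENT else (ext_len + 1) * 8
        if len(pkt) < off + hdr_len:
            raise ValueError("extension header runs past end of packet")
        if nxt == NH_ROUTING:
            rh_type, segs_left = pkt[off + 2], pkt[off + 3]
            result["rh_type"], result["segments_left"] = rh_type, segs_left
            if rh_type == 0:
                # RH0 layout: 4 reserved bytes, then one 16-byte address per hop
                addrs = [ipaddress.IPv6Address(pkt[i:i + 16])
                         for i in range(off + 8, off + hdr_len, 16)]
                result["addresses"] = addrs
                result["repeated"] = len(set(addrs)) != len(addrs)
                result["drop"] = segs_left > 0
        nxt, off = ext_nxt, off + hdr_len
    return result


def build_rh0_packet(src: str, dst: str, hops, segments_left=None) -> bytes:
    """Construct a minimal IPv6 packet carrying an RH0 (test input only)."""
    hops = [ipaddress.IPv6Address(h) for h in hops]
    if segments_left is None:
        segments_left = len(hops)
    # Hdr Ext Len for RH0 is twice the number of addresses (16 bytes each)
    rh = struct.pack("!BBBBI", NH_NONE, 2 * len(hops), 0, segments_left, 0)
    rh += b"".join(h.packed for h in hops)
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(rh), NH_ROUTING, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + rh


# Constructed inputs: a looping RH0 that lists two routers four times each,
# and a plain packet with no extension headers at all.
LOOP_PACKET = build_rh0_packet("2001:db8:1::bad", "2001:db8:2::1",
                               ["2001:db8:a::1", "2001:db8:b::1"] * 4)
PLAIN_PACKET = struct.pack("!IHBB16s16s", 6 << 28, 0, NH_NONE, 64,
                           ipaddress.IPv6Address("2001:db8:1::1").packed,
                           ipaddress.IPv6Address("2001:db8:2::1").packed)

if __name__ == "__main__":
    for name, pkt in (("loop", LOOP_PACKET), ("plain", PLAIN_PACKET)):
        print(name, inspect_routing_header(pkt))
```

The check is deliberately on Segments Left rather than on the mere presence of a routing header: a Type 2 Routing Header (Mobile IPv6) is legitimate, and an RH0 that has already been fully consumed is harmless, which is the distinction RFC 5095 draws.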

Pivoting attacks

This is more or less a scare tactic, but the problem with scare tactics is that this one is possible. So let me walk you through it and share with you, at a high level, how this attack could take place, taking advantage of several things at once.

[pic2: a compromised dual-stack host on an IPv4-only network advertising itself as the IPv6 router and tunneling traffic out through the firewall over Teredo]

So first we have an IPv4 network on the left-hand side. The hosts still have dual stack capabilities, but nobody is using IPv6, and we have a router and firewall that are really focused on IPv4 and not worried about things like Teredo tunnels going through them. The first thing that has to happen is that we compromise one of the hosts inside this IPv4 network, with whatever it takes: a virus, a Trojan horse, something like that. Ultimately, that host gets compromised. Then it pretends to be a router. It sends a Router Advertisement, and when it does, the dual stack hosts see that and go, “hey, great, there hasn’t been an IPv6 router on this network; I’m going to take a prefix from this router, build myself an address, and start using the protocol suite that was unconfigured but ready and willing to be configured.” Nothing asks the hosts to verify the advertisement, so now this attacker is the IPv6 default gateway for the whole segment and is handing out addressing. Then the compromised host, acting as that router, forwards the hosts’ IPv6 traffic into a Teredo tunnel: IPv6 wrapped in UDP over IPv4, which the IPv4-only firewall sees as just another outbound UDP session (Teredo servers listen on UDP port 3544) and lets through. The tunnel encapsulates, and essentially conceals, the communication between the newly reached end systems in the IPv4 network and the attacker out on the Internet. It’s even possible, with pivoting, to hop a few more times using the routing header functionality we just saw, so that who this is even coming from gets scrambled and it becomes even more difficult to lock down. So does this make you want to turn off unneeded protocol suites on your end systems? It does for me, and I think that’s one of the takeaways.
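A software version of the Router Advertisement check that would have caught the rogue router in this story, added here as an example rather than code from the course: it parses ICMPv6 Router Advertisements, applies the validity checks RFC 4861 requires of every receiver (link-local source, hop limit 255) and then a local trust policy of the kind RA Guard enforces. The trusted router fe80::1, the allowed prefix 2001:db8:10::/64, and the legitimate and rogue advertisements are all constructed for the example.

```python
"""Software RA Guard: validate Router Advertisements against a trust policy.

Added example for this section, not code from the original course. The
trusted router, prefixes and packets below are all constructed.
"""
import ipaddress
import struct

IPV6_HDR_LEN = 40
ICMPV6 = 58
RA_TYPE = 134
OPT_PREFIX_INFO = 3
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def parse_ra(pkt: bytes):
    """Return (src, hop_limit, router_lifetime, [advertised prefixes]) or None."""
    if len(pkt) < IPV6_HDR_LEN + 16:
        return None
    _vtf, _plen, nxt, hlim, src, _dst = struct.unpack("!IHBB16s16s", pkt[:IPV6_HDR_LEN])
    if nxt != ICMPV6 or pkt[IPV6_HDR_LEN] != RA_TYPE:
        return None
    # RA fixed part: type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer = 16 bytes; options follow in 8-octet units.
    router_lifetime = struct.unpack("!H", pkt[IPV6_HDR_LEN + 6:IPV6_HDR_LEN + 8])[0]
    prefixes = []
    off = IPV6_HDR_LEN + 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: must be discarded
        if otype == OPT_PREFIX_INFO and olen == 4 and off + 32 <= len(pkt):
            prefix_len = pkt[off + 2]
            prefixes.append(ipaddress.IPv6Network((pkt[off + 16:off + 32], prefix_len),
                                                  strict=False))
        off += olen * 8
    return ipaddress.IPv6Address(src), hlim, router_lifetime, prefixes


def ra_guard(pkt: bytes, trusted_routers, allowed_prefixes) -> list:
    """Return the list of policy violations for an RA; empty means accept.

    A packet that is not an RA also returns [] (nothing for RA Guard to judge).
    """
    parsed = parse_ra(pkt)
    if parsed is None:
        return []
    src, hlim, _lifetime, prefixes = parsed
    reasons = []
    if src not in LINK_LOCAL:
        reasons.append("source is not link-local")   # RFC 4861 receiver validity check
    if hlim != 255:
        reasons.append("hop limit is not 255")       # RA was forwarded or forged off-link
    if src not in trusted_routers:
        reasons.append(f"untrusted router {src}")
    for p in prefixes:
        if p not in allowed_prefixes:
            reasons.append(f"unexpected prefix {p}")
    return reasons


def build_ra(src_ll: str, prefix: str, hop_limit: int = 255,
             router_lifetime: int = 1800) -> bytes:
    """Construct an RA to ff02::1 with one Prefix Information option (test input)."""
    net = ipaddress.IPv6Network(prefix)
    # PIO: type 3, length 4 (32 bytes), prefix length, L+A flags, valid, preferred, reserved
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    pio += net.network_address.packed
    # Checksum left at 0: this is constructed input, not a packet put on the wire
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, router_lifetime, 0, 0) + pio
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(ra), ICMPV6, hop_limit,
                      ipaddress.IPv6Address(src_ll).packed, ALL_NODES.packed)
    return hdr + ra


# Constructed policy: one legitimate gateway and the prefix it may announce
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:10::/64")}
LEGIT_RA = build_ra("fe80::1", "2001:db8:10::/64")
ROGUE_RA = build_ra("fe80::dead:beef", "2001:db8:666::/64")

if __name__ == "__main__":
    print("legit:", ra_guard(LEGIT_RA, TRUSTED_ROUTERS, ALLOWED_PREFIXES))
    print("rogue:", ra_guard(ROGUE_RA, TRUSTED_ROUTERS, ALLOWED_PREFIXES))
```

A real RA Guard implementation in a switch keys its decision on the ingress port rather than on the source address, because a rogue host can forge the legitimate router’s link-local address; the address and prefix checks here are what you would layer on top, or run in a host-based monitor that has no port information.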

IPv6 security strategy

Here are some of the recommended practices you can take away from this pretty brief discussion of IPv6 security.

  • Deny bogon addresses – that’s basically an address that shouldn’t exist on the Internet, so it should never arrive as a source at your edge.
  • Filter multicast packets at the perimeter based on scope. The scope is the second nibble of the address: ff02:: is link-local, ff05:: site-local, ff08:: organization-local. Only ff0e:: (global scope) has any business crossing your border, and most sites can drop even that.
  • Only receive packets that have a destination address within your allocated block – that’s basically spoof prevention, right. ICMPv6 should be filtered down to the bare minimum, but do not block it wholesale the way people often do with ICMPv4: Packet Too Big (type 2) is how path MTU discovery works, since IPv6 routers never fragment, and the other error messages (types 1, 3 and 4) plus echo are needed for the network to function. RFC 4890 spells out which types a firewall must let through. Make sure that RH0 packets, the Type 0 Routing Header that lets a sender encode multiple hops, communicate to specific addresses, sometimes multiple times, sometimes in that pivoting approach where we bounce from one host to another host to another, are dropped cold. It has been deprecated (RFC 5095) and nothing legitimate needs it.
  • Keep dual stack as a transition mechanism, but it is easier and better long term to have a single protocol suite on the hosts. Is that going to be possible? It’s going to be very challenging, except for really aggressive IPv6 deployments or an IPv4 deployment that hasn’t had any need to worry about IPv6 yet. You saw an example of that dynamic tunneling where a compromised host could set up a Teredo tunnel through the firewall back to the attacker. You may not want to allow tunnels through your firewall at all: that means IPv4 protocol 41 (6to4, 6in4, ISATAP) and UDP port 3544 (Teredo) on the way out. I think that’s a pretty straightforward takeaway.
  • Neighbor Discovery Protocol can be compromised. Well, there’s a secure version of it, Secure Neighbor Discovery, with the acronym SeND (RFC 3971). It uses cryptographically generated addresses and signed ND messages. We didn’t cover it, and in practice it is rarely deployed because most host stacks don’t support it, but you should understand that the technology exists.
  • Router Advertisement (RA) Guard (RFC 6105) – similar in name to root guard, and the purpose there is to lock down the RA mechanism inside a given broadcast domain: the switch only forwards Router Advertisements that arrive on the ports you have designated as router-facing, so a compromised host on an access port can’t become the default gateway for its neighbors.

So, nice recommended practices that you can start figuring out how to implement in your own environment.
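The first four bullets and the tunnel point translate into a small rule set, shown here as an added Python example (not from the course) rather than vendor ACL syntax, so the logic can be read and run on its own. The “our allocation” prefix, the sample inbound flows and the short bogon list are constructed; a real deployment would pull its bogon list from a maintained feed and would express these rules in the firewall’s own language.

```python
"""Perimeter checks for the recommendations above: bogon sources, multicast
scope, destination-in-allocation, an ICMPv6 allow-list, and tunnel traffic.

Added example for this section, not code from the original course. The
flows and "our" prefix are constructed; the rule set is illustrative, not a
complete firewall policy.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
# Prefixes inside 2000::/3 that still must never appear as an Internet source.
# A production bogon feed also lists space not yet allocated to any RIR;
# 2001:db8::/32 (documentation) belongs here too and is omitted only so the
# sample addresses below can use it.
BOGONS_IN_GLOBAL = [ipaddress.IPv6Network("2001:2::/48")]   # RFC 5180 benchmarking
# ICMPv6 a perimeter must not drop (RFC 4890): the error messages plus echo.
# NDP (types 133-137) is link-local only and never belongs on this list.
ICMPV6_ALLOW = {1, 2, 3, 4, 128, 129}
ICMPV6, UDP = 58, 17
IPV4_PROTO_IPV6 = 41      # 6to4 / 6in4 / ISATAP: IPv6 carried directly in IPv4
TEREDO_PORT = 3544        # Teredo: IPv6 carried in UDP/IPv4
GLOBAL_SCOPE = 0xE


@dataclass
class Flow:
    """The packet fields this policy looks at (constructed input)."""
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


def is_bogon(addr: ipaddress.IPv6Address) -> bool:
    """True if addr cannot be a legitimate Internet source: anything outside
    2000::/3 (::, ::1, ULA fc00::/7, link-local fe80::/10, multicast, ...)
    or a reserved block inside it."""
    return addr not in GLOBAL_UNICAST or any(addr in n for n in BOGONS_IN_GLOBAL)


def multicast_scope(addr: ipaddress.IPv6Address) -> int:
    """Scope nibble of an ffXS:: address (1 interface, 2 link, 5 site, 8 org, e global)."""
    return (int(addr) >> 112) & 0xF


def inbound_verdict(flow: Flow, our_blocks) -> tuple:
    """Apply the perimeter rules to one inbound flow; returns (action, reason)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src.version == 4:
        # Dynamic tunnels hide IPv6 inside IPv4; deny unless explicitly wanted
        if flow.proto == IPV4_PROTO_IPV6:
            return "drop", "IPv6-in-IPv4 tunnel (protocol 41)"
        if flow.proto == UDP and flow.dport == TEREDO_PORT:
            return "drop", "Teredo tunnel (udp/3544)"
        return "pass", "IPv4, outside this policy"
    if is_bogon(src):
        return "drop", f"bogon source {src}"
    if dst.is_multicast:
        if multicast_scope(dst) < GLOBAL_SCOPE:
            return "drop", f"multicast scope {multicast_scope(dst):x} must not cross the perimeter"
    elif not any(dst in b for b in our_blocks):
        return "drop", f"destination {dst} is not in our allocation"
    if flow.proto == ICMPV6 and flow.icmp_type not in ICMPV6_ALLOW:
        return "drop", f"ICMPv6 type {flow.icmp_type} not on the allow-list"
    return "pass", "ok"


# Constructed: our allocation (documentation prefix) and a handful of inbound flows
OUR_BLOCKS = [ipaddress.IPv6Network("2001:db8:f00::/48")]
SAMPLE_FLOWS = [
    Flow("2001:db8:1::1", "2001:db8:f00::80", 6),                      # TCP to our web server
    Flow("fc00::1", "2001:db8:f00::80", 6),                            # ULA source: bogon
    Flow("2001:db8:1::1", "2001:db8:bad::1", 6),                       # destination not ours
    Flow("2001:db8:1::1", "ff05::2", UDP, dport=5353),                 # site-local multicast
    Flow("2001:db8:1::1", "2001:db8:f00::80", ICMPV6, icmp_type=2),    # Packet Too Big: keep
    Flow("2001:db8:1::1", "2001:db8:f00::80", ICMPV6, icmp_type=134),  # Router Advertisement: drop
    Flow("198.51.100.7", "203.0.113.9", IPV4_PROTO_IPV6),              # 6to4 / 6in4 tunnel
    Flow("198.51.100.7", "203.0.113.9", UDP, dport=TEREDO_PORT),       # Teredo tunnel
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>16} -> {f.dst:<18} proto {f.proto:<3}", *inbound_verdict(f, OUR_BLOCKS))
```

Rule order matters here in the same way it does on a real firewall: the bogon and destination checks run before the ICMPv6 allow-list, so a Packet Too Big message is kept only when it is addressed to something you actually own.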
