==PacketFault==

|=----------------------=[ IPv6 flaws by design ]=-----------------------=|
|=-----------------------------------------------------------------------=|
|=------=[ fropert@packetfault.org ]=-------=|
|=------------------=[ Last Update: March 18th 2008 ]-=------------------=|

--[ Contents

  1 - Introduction
  2 - IPv4 and IPv6 share security threats
    2.1 - Reconnaissance
    2.2 - Privacy extension (RFC3041)
    2.3 - Bogons filtering
    2.4 - ICMP policy
    2.5 - Packets fragmentation
    2.6 - Routing headers
    2.7 - IPv6 and broadcast
    2.8 - Routing attacks protocols authentication
  3 - IPv6 security threats
    3.1 - Link-local
    3.2 - Unsolicited neighbor solicitation
    3.3 - DAD Duplicated Address Detection
    3.4 - NUD Neighbor Unreachability Detection failure
  4 - IPv6 Transit links
    4.1 - 6to4
    4.2 - Address spoofing
    4.3 - 6to4 relay anycast prefix
    4.4 - Flooding 6to4 relays routers
    4.5 - ISATAP and IPv4 ACL filtering
    4.6 - ISATAP and protocol 41 filtering
    4.7 - ISATAP rogue routers
    4.8 - TEREDO and MiTM
    4.9 - TEREDO and DoS
    4.10 - TEREDO and IPv4 spoofing
  5 - References
    5.1 - RFC links
    5.2 - Tools

--[ 1 - Introduction

Version 6 can be deployed? Sure! The migration can't be done in one day. It's a long journey that you should begin as early as possible, and for more than one reason. You want to be valuable in the field? Easy... learn IPv6, because it has a great return on personal investment. Hurry up, guy! Some already have IPv6 networks: RENATER, Free Telecom[1]; some will have them: Bulgaria (DAITS), Beijing Olympics 2008[2]; and some are temporary[3], with a neat wireless topology[4] and interesting MRTG[5], NFsen[6], NDPmon[7] and who's-who[8] statistics. You can also watch the European IPv4 address exhaustion countdown[9]. This article is not product-centric but is a good reminder of IPv6 security design flaws as of the date it was written. So ask yourself the question: am I concerned with IPv6 security? If so... you are on the right path down the long, and not so straight, Jedi road.
--[ 2 - IPv4 and IPv6 share security threats

Is IPv6 really that different from IPv4 from a security perspective? Neither black nor white: it's grey! The two protocols share security threats. The biggest risks common to version 4 and version 6 are: reconnaissance, privacy extensions (RFC3041), bogons filtering, ICMP policy (RFC4890), fragmentation, routing headers, IPv6 and broadcast, and routing protocol authentication.

--[ 2.1 - Reconnaissance

In IPv6 the addressing scope is much wider than in IPv4. nmap supports IPv6 TCP connect scans and TCP connect ping scans, but ICMP ping sweeps aren't available in the current release; the changelog is maintained here[10]. To give an order of magnitude, a /64 subnet theoretically takes 50 000 years to scan. Considering this, the philosophy of IPv6 scanners needs to change. The first idea is to use the public Internet DNS information of enterprise servers, which still need to be reachable through DNS. You can use tools like Bidiblah[11] to complete the scan. Because of the IPv6 addressing specifications and business needs, there will be more deployment of dynamic DNS.

Multicast addressing of the IT infrastructure is a second point to be aware of. In IPv6, routers on the local link are reachable over FF05::2 and DHCP servers on FF05::13. I bet you already understand! You no longer need a reconnaissance step to discover routers and DHCP servers. Consequently, worms and viruses need to be more intelligent in the way they scan the network, particularly because the goal of a worm is to propagate and not to DoS the infrastructure, considering the current bad-guy business models.

--[ 2.2 - Privacy extension (RFC3041)

Nowadays, all IT workers need reliable logs of their network activity.
This extension periodically assigns temporary global addresses to the client applications of a host (servers aren't concerned, since they must stay reachable through DNS). The most important caveat is that tracking hosts and users then gives headaches to sysadmins, although it prevents eavesdroppers from tracking the location of mobile devices even when the layers above L3 are encrypted. Last but not least, if you need to filter these addresses, you lose level 3 granularity in your configuration. To prevent the use of this and "fall back" to an IPv4-like addressing scheme, you have to deploy a GPO or use the netsh command (randomizeidentifiers=disabled); if you are a Linux fanatic, you have to configure a specific well-known DHCP pool from the sysadmin's perspective. In addition, configuring ingress filtering is possible.

--[ 2.3 - Bogons filtering

As with IPv4, IPv6 has approximately the same limits concerning bogon identification. The difference is that with IPv6 you can easily identify non-bogons (i.e. IANA-allocated addresses) with the aid of the allocated top-level aggregation identifiers (TLAs). Concretely, the configuration needed is the same: an anti-spoofing feature like Cisco unicast reverse path forwarding (strict and loose modes).

--[ 2.4 - ICMP policy (RFC4890)

Taking over from protocols like ARP, ICMPv6 is in charge of more operations than before: stateless autoconfiguration, neighbor solicitation, duplicate address detection, router redirects (which can be spoofed to reroute packets), mobile IPv6 and multicast group management. Concretely, a miscreant can DoS access-layer hosts and flood bogus traffic at a victim host. These attacks can be mitigated with SEND (Secure Neighbor Discovery) and CGA (Cryptographically Generated Addresses) (RFC3971[12], RFC3972[13]), but the code is only available on Linux, soon in Cisco IOS and probably never in Microsoft Vista. Anyway, you need to adapt your ICMP filtering rules as explained in RFC4890.
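To make the RFC4890 policy concrete, here is an added example (not the article's own TCL script, which is linked below, and not RFC text): the message categories the RFC distinguishes, condensed into a classifier for a border device and for a filter applied on the local link. The category tables are a simplified summary and the hop-limit rule is taken from RFC4861's Neighbor Discovery validation.

```python
"""ICMPv6 filtering policy for a site border, condensed from RFC 4890.

The categories below are a simplified reading of the RFC's
recommendations (assumption: a summary for illustration, not a complete
transcription).  classify() decides one message; transit_rules() builds
the ordered permit/deny list a border device would load.
"""

# RFC 4890 4.3.1: error/informational messages that must not be dropped,
# or path MTU discovery and basic reachability break.
# Entries are (type, code); a code of None matches any code.
MUST_NOT_DROP = {
    (1, None),    # Destination Unreachable
    (2, None),    # Packet Too Big
    (3, 0),       # Time Exceeded, hop limit exceeded in transit
    (4, 1),       # Parameter Problem, unrecognized next header
    (4, 2),       # Parameter Problem, unrecognized IPv6 option
    (128, None),  # Echo Request
    (129, None),  # Echo Reply
}
# RFC 4890 4.3.2: normally allowed through.
NORMALLY_ALLOW = {
    (3, 1),       # Time Exceeded, fragment reassembly time exceeded
    (4, 0),       # Parameter Problem, erroneous header field
    (144, None), (145, None), (146, None), (147, None),  # Mobile IPv6
}
# Neighbor Discovery, MLD and inverse ND: meaningful only on the local
# link and never forwarded across a router.
LINK_LOCAL_ONLY = {130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143}
# Router renumbering, node information queries, experimental and
# extension type numbers: drop at the border.
SHOULD_DROP = {138, 139, 140, 100, 101, 127, 200, 201, 255}


def _match(table, icmp_type, icmp_code):
    return (icmp_type, None) in table or (icmp_type, icmp_code) in table


def classify(icmp_type, icmp_code=0, transit=True, hop_limit=255):
    """Return ('permit' | 'deny', reason) for one ICMPv6 message.

    transit=True models a filter between two networks; transit=False a
    filter on the local link itself, where ND/MLD must be let through but
    only with the hop limit 255 that RFC 4861 requires (a lower value
    means the packet crossed a router, so it cannot come from a neighbor).
    """
    if _match(MUST_NOT_DROP, icmp_type, icmp_code):
        return "permit", "RFC4890 must not be dropped"
    if _match(NORMALLY_ALLOW, icmp_type, icmp_code):
        return "permit", "RFC4890 normally allowed"
    if icmp_type in LINK_LOCAL_ONLY:
        if transit:
            return "deny", "link-local message must not cross a router"
        if hop_limit != 255:
            return "deny", "ND/MLD message with a forged hop limit"
        return "permit", "link-local message on its own link"
    if icmp_type in SHOULD_DROP:
        return "deny", "RFC4890 should be dropped"
    return "deny", "unallocated or unknown type, default deny"


def transit_rules():
    """Ordered (action, type, code) rules for a transit firewall, ending
    with the default deny.  None means 'any'."""
    def key(tc):
        return (tc[0], -1 if tc[1] is None else tc[1])
    rules = [("permit", t, c) for t, c in sorted(MUST_NOT_DROP | NORMALLY_ALLOW, key=key)]
    rules += [("deny", t, None) for t in sorted(LINK_LOCAL_ONLY | SHOULD_DROP)]
    rules.append(("deny", None, None))
    return rules


if __name__ == "__main__":
    for action, t, c in transit_rules():
        print(f"{action:6} type={'any' if t is None else t} code={'any' if c is None else c}")
```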
If you prefer reading code to RFCs, I wrote a piece of code derived from RFC4890 that translates the "free" filtering rules into IOS rules. The TCL script is available here[14].

--[ 2.5 - Packets fragmentation

It works like IPv4: fragments are reassembled only by end systems. It means that if you need IDPS in your pipes, the security devices always need reassembly features. DoS mitigation on core routers is identical: deny fragments in your core infrastructure with iACLs.

--[ 2.6 - Routing headers

Type 0 routing header packets have been identified as a risk since 2001. Mitigation techniques are available[15] on IOS releases, and "no ipv6 source-route" exists since 12.2(15)T (End of Sales 2006). The issue was demonstrated (and over-mediatized) in 2007 by EADS researchers at CanSecWest 2007[16] and deprecated by RFC5095[17].

--[ 2.7 - IPv6 and broadcast

No broadcast, but multicast... all nodes on the local link are reachable via FF02::1 and all routers on the local link via FF02::2. The problems are moved, not removed.

--[ 2.8 - Routing attacks protocols authentication

BGP, IS-IS and EIGRP rely on MD5 authentication over an unprotected IP layer, as in IPv4 networks. OSPFv3 and RIPv6 now rely on IPSec. Here is how you configure it on IOS:

    ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF

Is that all? Almost! The well-known traditional risks still exist; IPv6 hasn't eradicated any of them: sniffing packets over the wire, traffic flooding (unicast AND multicast), man in the middle, rogue devices and application-layer attacks, and let's not forget vulnerabilities in IPv6 stacks and applications due to young drivers: Vista, Linux, OpenBSD, Apache, Postfix, Python.

And what about the IPSec myth? IPSec can't seriously be used on the Internet because of the lack of a global PKI. IPSec IKE must be configured with pre-shared keys (PSK): 5 IPSec nodes need 10 manually set PSK pairs. RFC-wise, RFC2460 mandates IPSec but not IKE.
The consequences are those addressed previously: it becomes unmanageable for all but the smallest deployments. Anyway, IPSec has other drawbacks for the IT team: QoS and NetFlow can't do their daily job, and you need to trust endpoints and end users. For the last point, deploying endpoint protection software (like CSA... YES! Cisco has an endpoint security agent; SkyRecon or other niche players) can help a lot. For the two other points, enabling IPSec with AH, or ESP with null encryption, can be useful, as only packet integrity is checked. With null encryption you can still inspect IPSec packets while preventing packet tampering.

--[ 3 - IPv6 security threats

Now I will go through the risks resulting from specific IPv6 protocol implementations. "There is no reason anymore to let your site be wide open for IPv6."

--[ 3.1 - Link-local

In a traditional network, all nodes are trusted at the IP layer and are expected to behave in a trustworthy manner. Once a node gets an IP address, no other protection is needed. It depends on the network you are working on, but the worst are open 802.11 wireless accesses. Because of this, many attacks can be launched on the local link, and they can be referred to as bootstrap security problems.

--[ 3.2 - Unsolicited neighbor solicitation

The weakness of NS messages is that anyone can claim to be any node on the LAN. The hacker node crafts a falsified NS packet with its own MAC address but the IP address of the victim whose packets it wants to intercept. This technique of hijacking communications between two nodes on the local link is like ARP spoofing in an IPv4 network. If you want to play by yourself, have a look at parasite6 from the THC attack tool suite.

--[ 3.3 - DAD Duplicated Address Detection

It's simple! When a node tries to obtain its link-local IP address, the DAD process is started. Its goal is to check that no other node already has the IP address it wants. The impact an intranet hacker can have is to refuse interface initialization to a specific host on the local link.
Depending on the number of DAD attempts configured on the endpoint device, the attacker will have to replay the DAD address-collision packets accordingly.

--[ 3.4 - NUD Neighbor Unreachability Detection failure

NUD is the process of determining whether a neighbor is no longer reachable. This feature is used between host-host, host-router, router-host and router-router (as an alternative to the integrated mechanism of the running routing protocol), only for unicast packets. For routers, another default router can be used by a host in case the first one is taken over. If the attacker has anticipated the existence of a second router, then IP packets will not leave the local link. Attacking the reachability of a host on the local link is effective especially with UDP and idle TCP sessions. It's more difficult with an active TCP connection, considering ACKs and other randomized incremental counters. On these connections, NS probes are sent to verify that the pipe has not been closed. Considering two machines A and B, an attack scenario could be that a hacker starts a DoS on the B box. Then the hacker begins to reply to the NS probes sent by A with bogus NA messages. As a result, B is DoS'ed but A continues to send packets towards B, whatever service was running, since the hacker box acknowledges the NS exchange.

It's fun to play with hosts. What about playing with routers? It's pretty much the same: man in the middle attacks, route cache manipulation, on-link prefix assumption (deprecated by RFC4943[18]), invalid prefix configuration information and neighbor discovery cache exhaustion. There are tons of solutions to the above attacks: RA snooping, static neighbor entries, IDPS. The one which really works is to control physical access and all nodes attached to your network. As you saw, you can already do a lot of things on IPv6 networks as soon as you have physical access to a wire(line|less) switch.
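On the detection side of sections 3.2 to 3.4, here is an added example in the spirit of NDPmon (my own illustration, not the tool's code): a small monitor that tracks the IPv6-to-MAC bindings announced in Neighbor Advertisements and alerts when a known address is re-advertised with another MAC, or when one MAC keeps "winning" DAD for every tentative address a booting host tries. The event records are constructed for the example, not a real capture.

```python
"""Neighbor Discovery monitor for the attacks of sections 3.2 to 3.4.

It keeps the IPv6-to-MAC bindings announced in Neighbor Advertisements and
raises an alert when (a) a known address is suddenly advertised with
another MAC (NS/NA spoofing, NUD failure) or (b) one MAC answers the DAD
probes of every tentative address a host tries (DAD denial of service).
"""
from collections import defaultdict

# Constructed sample events, not a real capture:
# (time_s, message, ethernet_src_mac, ipv6_src, target, link-layer option)
EVENTS = [
    (0.0, "NA", "00:11:22:33:44:01", "fe80::1", "fe80::1", "00:11:22:33:44:01"),
    (1.0, "NA", "00:11:22:33:44:02", "fe80::2", "fe80::2", "00:11:22:33:44:02"),
    # section 3.2: a third node claims fe80::1 with its own MAC address
    (5.0, "NA", "00:11:22:33:44:99", "fe80::1", "fe80::1", "00:11:22:33:44:99"),
    # section 3.3: a booting host probes (NS from ::) each address it tries,
    # and the same MAC replies every time that the address is already taken
    (8.0, "NS", "00:11:22:33:44:03", "::", "fe80::3", None),
    (8.1, "NA", "00:11:22:33:44:99", "fe80::3", "fe80::3", "00:11:22:33:44:99"),
    (9.0, "NS", "00:11:22:33:44:03", "::", "fe80::1234", None),
    (9.1, "NA", "00:11:22:33:44:99", "fe80::1234", "fe80::1234", "00:11:22:33:44:99"),
    (10.0, "NS", "00:11:22:33:44:03", "::", "fe80::5678", None),
    (10.1, "NA", "00:11:22:33:44:99", "fe80::5678", "fe80::5678", "00:11:22:33:44:99"),
]


class NDMonitor:
    def __init__(self, dad_window=5.0, dad_threshold=3):
        self.bindings = {}                    # target address -> MAC last advertised
        self.pending_dad = {}                 # tentative address -> time of its DAD probe
        self.dad_answers = defaultdict(list)  # answering MAC -> times it "won" a DAD
        self.dad_window = dad_window
        self.dad_threshold = dad_threshold
        self.alerts = []

    def feed(self, t, msg, eth_src, ipv6_src, target, lladdr):
        if msg == "NS" and ipv6_src == "::":
            # DAD probe: the sender has no address yet (RFC 4862)
            self.pending_dad[target] = t
            return
        if msg != "NA":
            return
        mac = lladdr or eth_src
        # (a) a Neighbor Advertisement rebinding a known address to another MAC
        old = self.bindings.get(target)
        if old is not None and old != mac:
            self.alerts.append(("binding-change", target, old, mac))
        self.bindings[target] = mac
        # (b) a single MAC answering DAD probes for many different addresses
        probe_t = self.pending_dad.pop(target, None)
        if probe_t is not None and t - probe_t <= self.dad_window:
            recent = [x for x in self.dad_answers[mac] if t - x <= self.dad_window]
            recent.append(t)
            self.dad_answers[mac] = recent
            if len(recent) >= self.dad_threshold:
                self.alerts.append(("dad-flood", mac, len(recent)))


def run_monitor(events=EVENTS):
    """Feed the events in order and return the monitor with its alerts."""
    mon = NDMonitor()
    for event in events:
        mon.feed(*event)
    return mon


if __name__ == "__main__":
    for alert in run_monitor().alerts:
        print(alert)
```

A single DAD "collision" is normal and stays below the threshold; only the repeated pattern from one MAC is flagged.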
What about hacking IPv6 pipes not on the endpoints but "in transit", where you find two or more routers in the packet path?

--[ 4 - IPv6 Transit links

--[ 4.1 - 6to4

Version 6 packets are embedded into version 4 packets. 6to4 is used for the transition and migration from IPv4 to IPv6. It allows IPv6 islands to communicate with each other, and with the IPv6 Internet, across the existing IPv4 Internet. Technically, 6to4 software is deployed on IPv4/IPv6 border routers. If you need to contact a host in the native IPv6 Internet, you need to go through a 6to4 relay router. 6to4 requires two different ways of thinking about security, depending on whether the device is a 6to4 router or a 6to4 relay in transit. For both, you need clear-sightedness about which miscreant IP packets will be disallowed and which will be discarded. The most important thing to retain is that the IPv6 infrastructure can be attacked from an IPv4-only host.

6to4 router security checks with respect to the RFC standards:

Disallow (packets are dropped; implies manual configuration)
  * non globally-routable packets as the source/destination addresses
    + src/dst derived from mapped IPv4 addresses
  * IPv6 addresses that are not in the global scope

Discard (packets are dropped; implies no configuration)
  * IPv6 destination addresses that are not within the local 6to4 site
  * IPv4 source addresses that do not match the source IPv6 address prefix, where the IPv6 source address is within a 6to4 site. Traffic from other 6to4 sites must be delivered directly rather than in transit via 6to4 relays.

For 6to4 relays, the same security checks must be applied, plus the IPv6 destination address must be a 6to4 address to be relayed to a site.

--[ 4.2 - Address spoofing

There is more than one scenario to flood an IPv6 address: depending on the topology, you will be able to reflect the DoS attack in different manners. You can flood an IPv6 endpoint device and IPv6 transit devices by replacing the source address of the attacker with the one of the victim.
The victim will receive data from the third-party device, the one designated by the destination address. Notice that a 6to4 router will not discard packets even if the IPv6 source address is not in the common subnet, because any other 6to4 site can sit behind another IPv4 network earlier in the packet path. DoSing a 6to4 site host is also possible by crafting spoofed IPv6-in-IPv4 packets sent to a host behind a 6to4 relay. Another possibility is to run the attack from the native IPv6 Internet and reflect it through an in-transit 6to4 relay, then a 6to4 router and finally another 6to4 relay, to attack a host in the native IPv6 Internet. Keep in mind that an IPv6 ACL can easily be bypassed as soon as an attacker can modify his IP address.

--[ 4.3 - 6to4 relay anycast prefix

Another form of spoofing is the use of anycast addresses on 6to4 border routers while transiting through the ISP 6to4 relay the attacker wants, towards the native IPv6 Internet. A host inside the 6to4 site can use source routing and decide to pass its packets through another "better link quality or bandwidth" ISP listening on the anycast address, by specifying the nearest address of the preferred ISP in the source routing process. ISPs have to configure ACLs on their relay routers to keep intruders out, but you can't avoid a lack of efficiency, and notice that return traffic can't be controlled from the host inside a 6to4 site.

--[ 4.4 - Flooding 6to4 relays routers

You can attack a 6to4 router by crafting an IPv6 packet (one whose IPv6 destination address embeds the IPv4 address of the target) towards a valid IPv4 host which is not in a 6to4 site. Because the packet does not pass through a 6to4 site router, the IPv4 destination host will receive protocol 41 data. Delivery can't be completed on that host because it does not run 6to4 software. Consequently, the IPv4 host will flood the victim 6to4 relay router with ICMPv4 error messages.
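The disallow/discard lists of 4.1, and the IPv4/6to4 source mismatch that catches the spoofed source of 4.2, as a decision function a site router and a relay could apply before forwarding. This is an added example, not the article's or any vendor's code: documentation addresses (RFC 5737) stand in for public ones, and the bogon list is a simplified assumption.

```python
"""6to4 (RFC 3056) acceptance checks for a site border router and a relay,
following the disallow/discard lists of section 4.1 (RFC 3964 style).
Site addresses are constructed from documentation ranges (RFC 5737).
"""
import ipaddress

# IPv4 ranges a 6to4 node must never see in the outer header nor embedded
# in a 2002::/16 address (simplified bogon list, an assumption here).
V4_BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
GLOBAL_UNICAST_V6 = ipaddress.IPv6Network("2000::/3")   # RFC 4291 global scope
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def routable_v4(addr):
    """True when addr lies outside the bogon ranges above."""
    return not any(addr in net for net in V4_BOGONS)


def sixtofour_prefix(v4):
    """2002:V4ADDR::/48, the 6to4 prefix a site derives from its public IPv4."""
    top = (0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80)
    return ipaddress.IPv6Network((ipaddress.IPv6Address(top), 48))


def common_checks(v6_src, v6_dst):
    """'Disallow' rules shared by routers and relays (need explicit config)."""
    for a in (v6_src, v6_dst):
        if a not in GLOBAL_UNICAST_V6:
            return "disallow", f"{a} is not a global-scope address"
        embedded = a.sixtofour            # IPv4 inside a 2002::/16 address, else None
        if embedded is not None and not routable_v4(embedded):
            return "disallow", f"{a} is derived from bogon {embedded}"
    return None


def check_6to4_router(outer_v4_src, v6_src, v6_dst, site_v4):
    """Checks on a protocol-41 packet decapsulated by the site border router."""
    outer_v4_src = ipaddress.IPv4Address(outer_v4_src)
    v6_src, v6_dst = ipaddress.IPv6Address(v6_src), ipaddress.IPv6Address(v6_dst)
    if not routable_v4(outer_v4_src):
        return "disallow", f"outer IPv4 source {outer_v4_src} is a bogon"
    bad = common_checks(v6_src, v6_dst)
    if bad:
        return bad
    # Discard: the destination must belong to this site's own 2002:V4ADDR::/48
    if v6_dst not in sixtofour_prefix(site_v4):
        return "discard", f"{v6_dst} is not inside the local 6to4 site"
    # Discard: a 6to4 source must have been encapsulated by the IPv4 address it
    # embeds; so traffic from another 6to4 site never legitimately comes via a relay
    embedded = v6_src.sixtofour
    if embedded is not None and embedded != outer_v4_src:
        return "discard", f"outer {outer_v4_src} does not match 6to4 source {v6_src}"
    return "accept", "ok"


def check_6to4_relay(v6_src, v6_dst):
    """Checks on a native IPv6 packet a relay would encapsulate towards a site."""
    v6_src, v6_dst = ipaddress.IPv6Address(v6_src), ipaddress.IPv6Address(v6_dst)
    bad = common_checks(v6_src, v6_dst)
    if bad:
        return bad
    if v6_dst not in SIXTOFOUR:
        return "discard", f"{v6_dst} is not a 6to4 address, nothing to relay"
    return "accept", "ok"


if __name__ == "__main__":
    # constructed: our site is 198.51.100.1, a peer 6to4 site is 203.0.113.7
    print(check_6to4_router("203.0.113.7", "2002:cb00:7107::1", "2002:c633:6401::10", "198.51.100.1"))
    print(check_6to4_router("203.0.113.7", "2002:c633:6401::5", "2002:c633:6401::10", "198.51.100.1"))
```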
--[ 4.5 - ISATAP and IPv4 ACL filtering

Another method to access the IPv6 Internet is ISATAP. We actually run ISATAP on the Cisco internal network. ISATAP can run over an enterprise backbone and a network composed of IPv4-only hops. Endpoints need to run ISATAP software (XP and 2003 support it) and go through an ISATAP router, which is connected to an IPv4 network and to the native IPv6 Internet. When packets leave the NIC of the ISATAP client, they are encapsulated in protocol 41; when they arrive at the ISATAP router, they are decapsulated. The IPv4 addressing needs to be non-routable. The IPv4 address of a host is embedded in its IPv6 ISATAP address. ISATAP creates a sort of virtual link between the host and the exit router; it behaves as if they were on the same virtual L2 network. In order to configure ISATAP on your host, you need to know the IPv4 address or DNS name of the ISATAP router.

The first drawback of ISATAP concerning security is that it functions like a real L2 network: when a station wants to HTTPS into another station across the IPv4 portion of the network, whatever routers it contains from the IPv4 point of view, ISATAP sees only link-local addresses between these two hosts. It means that there is no control point to run ACLs on the IPv6 traffic, which is seen as a single hop through the network. If you really need to control ISATAP IPv6 traffic, you have to configure ACL filtering on IPv4 addresses on the transit routers.

--[ 4.6 - ISATAP and protocol 41 filtering

Another security concern with ISATAP is that the ISATAP router does not have to accept protocol 41 on its outside interfaces, but you absolutely need it on the inside interfaces, of course. Here is the risk if you don't filter protocol 41: an IPv4 host from the Internet can DoS or run an application-layer attack by crafting IPv6-in-IPv4 packets.
The only condition for this to work is to know the IPv4 address of the internal host, and that the host is using ISATAP, before launching the attack.

--[ 4.7 - ISATAP rogue routers

Without a cabling access check, anyone can insert a rogue ISATAP router in front of the real ISATAP router and run a man-in-the-middle eavesdropping attack, which can be done by compromising the DNS entry for isatap.internet.com for example. Don't forget it's a MITM attack, so you have to redirect the traffic to the real ISATAP router, else hosts will lose IPv6 Internet reachability. Last but not least, please keep in mind that there is no host authentication on the ISATAP router to use its services. So everyone who knows the IPv4 address of the ISATAP router can have IPv6 access. The easiest workaround, but a very administratively intensive task, is to filter by IPv4 address the hosts accessing the ISATAP service.

--[ 4.8 - TEREDO and MiTM

The last topic of my article concerns Teredo, the transition mechanism for when you have an IPv4 NAT device in your network. NAT devices often carry only TCP, UDP and ICMPv4 packets. Teredo encapsulates IPv6 packets into UDP to allow the NAT device to carry the session. Teredo has 3 components. The client generally resides behind the NAT device with a non-routable IPv4 address and desires IPv6 connectivity. The router has to be dual-stack. The server is connected to both the IPv4 and the IPv6 world; it assists clients in obtaining a global-scope IPv6 address and bootstraps connectivity between clients and native IPv6 nodes. The server is only used to set up a Teredo connection; after that, a Teredo relay is used. Relay and server can be installed on the same server or separated on two boxen.

A big security problem with Teredo is that under IPv4, the NAT transit router "hides" the hosts behind it, and no IPv4 host can, for example, SSH to an internal host which doesn't have an active NAT translation.
But Teredo overcomes NAT, and IPv6 hosts can open SSH connections to the same destination host as before, within the Teredo address scope. Anyway, is connectivity inherently a security problem? Not white, not black: it's grey. It depends on how, by whom and when the setup is built from the ground up...

Teredo is concerned by man-in-the-middle attacks. Think about the packet exchanges of a traditional Teredo setup: RS and RA packets with the legitimate Teredo server. If an attacker inserts his own Teredo server, future RS from clients will be sent to the rogue Teredo server, which will cause a DoS of IPv6 connections if the attacker provisions clients with bad addresses or parameters. Anyway, an authorization mechanism may be used to protect against man in the middle.

--[ 4.9 - TEREDO and DoS

Concerning DoS attacks, Teredo is vulnerable to tons of them. A rogue relay can advertise the Teredo client prefix into the IPv6 Internet and announce itself as the next-hop router for Teredo clients, but intentionally drop packets: this is an attack on IPv6 routing. Another DoS attack is peer overflow, a resource exhaustion attack. Each Teredo client keeps a list of recently used peers; if you fill the storage used for this list, the host becomes unreachable for unknown peers. Another threat is flooding servers or relays (both stateless) with traffic; consequently, real connections will have to wait for the queues to empty. Failover exists in Teredo systems: if a server becomes unavailable, in-flight sessions can be lost if the backup Teredo server changes the host IPv6 address. For relays, if one is overwhelmed, traffic is picked up by an available relay. To sum up, if you can't control DoS, your Teredo installation will surely be down.

--[ 4.10 - TEREDO and IPv4 spoofing

Finally, spoofing attacks in Teredo architectures. An attacker can craft a spoofed IPv6 RS and tunnel that IPv6 packet in IPv4 to a Teredo server of choice, with a spoofed IPv4 address.
The Teredo server will reply to the spoofed address. From the administrative perspective, you can easily trace back up to the Teredo server, but not discover who sent the initial RS packet. Once the connection with the Teredo server is built, one can send spoofed packets as in the previous scenario, but this time the packets will be sent through a Teredo relay. You can attack an IPv4 host from Teredo by sending an IPv6 packet to a destination that includes the Teredo prefix and the IPv4 address of the victim. Packets would be pulled into a nearby Teredo relay and then delivered to the IPv4 target.

This is the end of the article... Please inform me if I forgot to mention noticeable things (not IPv6 mobility or multicast threats, because those will surely come in a future article).

--[ 5 - References

[1] Iliad and IPv6 : http://www.iliad.fr/en/presse/2008/CP_060308_ENG.pdf
[2] IPv6 and the 2008 Beijing Olympics : http://www.ipv6.com/articles/general/IPv6-Olympics-2008.htm
[3] A Cisco Networkers First: IPv6 at Cisco Networkers Barcelona : http://www.cisconetworkers6.com/
[4] Cisco Networkers6 topology : http://www.cisconetworkers6.com/network/
[5] Cisco Networkers6 MRTG : http://www.cisconetworkers6.com/mrtg/
[6] Cisco Networkers6 nfsen : http://www.cisconetworkers6.com/nfsen/nfsen.php
[7] Cisco Networkers6 ndpmon : http://www.cisconetworkers6.com/ndpmon.html
[8] Cisco Networkers6 Visitors Statistics : http://www.cisconetworkers6.com/visitors.php
[9] Regional registry IPv4 address exhaustion in... : http://penrose.uk6x.com/
[10] Nmap6 changelog : http://nmap6.sourceforge.net/
[11] Bidiblah : http://www.sensepost.com/research/bidiblah/flash/Flash/Sub-Domains/Sub-Domains.html
[12] SEcure Neighbor Discovery (SEND) : http://www.faqs.org/rfcs/rfc3971.html
[13] Cryptographically Generated Addresses (CGA) : http://www.faqs.org/rfcs/rfc3972.html
[14] RFC4890 translation rules to Cisco devices : http://www.rezalfr.org/francois.ropert/icmpv6.tcl
[15] Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the IPv6 Routing Header Vulnerability : http://www.cisco.com/warp/public/707/cisco-amb-20070124-IOS-IPv6.shtml
[16] IPv6 Routing Headers Security : http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
[17] Deprecation of Type 0 Routing Headers in IPv6 : http://www.tools.ietf.org/html/rfc5095
[18] IPv6 Neighbor Discovery On-Link Assumption Considered Harmful : http://tools.ietf.org/html/rfc4943

--[ 5.1 - RFC links

Security Considerations for 6to4 - RFC3964
Neighbor Discovery for IPv6 - http://www.faqs.org/rfcs/rfc2461.html
Mobility support in IPv6 - http://www.faqs.org/rfcs/rfc3775.html
IPv6 Mobility and IPSec - http://www.faqs.org/rfcs/rfc3776.html
Local network protection for IPv6 - http://tools.ietf.org/html/rfc4864
IPv6 transition/coexistence security considerations - http://www.ietf.org/rfc/rfc4942.txt

--[ 5.2 - Tools

"I don't understand this article, but I would like tools to audit my network clients." Here's a list for you!

THC IPv6 attack toolkit - http://freeworld.thc.org/thc-ipv6/
halfscan6 - http://www.habets.pp.se/synscan/programs.php?prog=halfscan6
6tunneldos - http://securityvulns.com/files/6tunneldos.c
4to6ddos - http://packetstormsecurity.org/distributed/4to6.tar.gz
imps6-tools - http://packetstorm.wowhacker.com/DoS/imps6-tools.tar.gz
wep0ff - http://packetstorm.wowhacker.com/wireless/wep0ff-ng.tar.gz
Spak6 - http://cvs.deepspace6.net/view/spak6/