Internet Protocol, Version 6 & Cybersecurity

Sandia National Laboratories is a multi-mission laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.

SAND Number: 2012-4437C

Curtis M. Keliiaa
Sandia National Laboratories
Advanced Information, Network, & Systems Engineering

Original May 30, 2012
Updated January 17, 2017

For The Next Generation


The IPv6 Internet

IPv6 Event Horizon

1981 - IPv4 Internet Engineering Task Force (IETF) Specification, 4.3 Billion Addresses
1998 - IPv6 IETF Specification, Greater Address Capacity (Trillion, Trillion, Trillion)
2007 - Modern Operating Systems Support Dual Stack
2008 - IPv6 On VeriSign Root Servers for Native IPv6 Internet Operation
2008 - US Government Initiation, and Acquisition Begin
2010 - US Government Unclassified Network Mandates
  FY12 - Upgrade External/Public Servers and Services, DNS, Email, & Web Services
  FY14 - Upgrade All Internal Applications that Communicate with Public Internet Servers & Supporting Enterprise Networks
2/3/2011 - Internet Assigned Numbers Authority (IANA) IPv4 Address Exhaustion Event
9/24/2015 - American Registry for Internet Numbers (ARIN) IPv4 Free-Pool Reaches 0
3/14/2016 - IETF IPv4 Standards Obsoleted, Superseded by IPv6
2017 - Carrier Space Predominantly IPv6
Future Now! - Unprecedented Internet Expansion Based on IPv6

IPv6

• New Information & Communication Technologies (ICT)
  – Address Capacity (3.4 × 10^38)
  – Mobile IPv6 (MIPv6)
  – Network Mobility (NEMO)
• Adoption Will Require:
  – Updated ICT Knowledge, Skills, & Abilities
  – Coexistence with IPv4 until IPv6 Predominance
• Single Stack Reduces Complexity, Risk, & Cost
  – Feature Parity in Host & Network Infrastructure
  – Security Parity in Host & Network Protection Devices

IPv6 is not backwards compatible with IPv4

What's Different?

Property | IPv4 | IPv6
Address size and network size | 32 bits, network size 8-30 bits | 128 bits, network size 64 bits
Packet header size | 20-60 bytes | 40 bytes
Header-level extension | Limited number of small IP options | Unlimited number of IPv6 extension headers
Fragmentation | Sender or any intermediate router allowed to fragment | Only sender may fragment
Control protocols | Mixture of non-IP (ARP), ICMP, and other protocols | All control protocols based on ICMPv6
Minimum allowed MTU | 576 bytes | 1280 bytes
Path MTU discovery | Optional, not widely used | Strongly recommended
Address assignment | Usually one address per host | Usually multiple addresses per interface
Address types | Use of unicast, multicast, and broadcast address types | Broadcast addressing no longer used; use of unicast, multicast and anycast address types
Address configuration | Devices configured manually or with host configuration protocols like DHCP | Devices configure themselves independently using stateless address auto-configuration (SLAAC) or use DHCP

Differences between IPv4 and IPv6. Source: National Institute of Standards and Technology (NIST)

IPv6 Functions

IPv6 Functional Category | Notes – Examples
IPv6 Basic Capabilities | IPv6, Neighbor Discovery (ND), Stateless Address Autoconfiguration (SLAAC), Dynamic Host Configuration Protocol (DHCPv6)
Routing Protocols | Open Shortest Path First (OSPF), Border Gateway Protocol (BGP)
Quality of Service | Differentiated Services (DiffServ)
Transition Mechanisms | 6to4, Dual Stack, Tunneling, IPv6 over IPv4 Multiprotocol Label Switching (MPLS) (6PE)
Link Specific | IP over X, Robust Header Compression (ROHC)
Addressing | IPv6 Global, Unique Local Address (ULA), Cryptographically Generated Addresses (CGA)
IP Security | Internet Protocol Security (IPsec), Internet Key Exchange (IKE), Encapsulating Security Payload (ESP), Crypto Algorithms
Network Management | Simple Network Management Protocol (SNMP), Management Information Bases (MIBs)
Multicast | Multicast Listener Discovery (MLD), Protocol Independent Multicast-Sparse Mode (PIM-SM)
Mobility | Mobile IP (MIP), Network Mobility (NEMO)
Application Requirements | Sockets, Domain Name System (DNS), Uniform Resource Identifiers (URIs), guidance
Network Protection Device Requirements | Firewalls, Intrusion Detection Systems

Source: National Institute of Standards and Technology (NIST)

IPv6 Protocol Header (40 Bytes)

Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
Source Address (128 bits)
Destination Address (128 bits)
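As an added example (not part of the original slides), a Python parser for the 40-byte fixed header that then walks the Next Header chain through the extension headers, flagging the Routing Header type 0 and Fragment header cases that the threat slide lists later in the deck. The packet it decodes is constructed inline; the protocol numbers are IANA values, not taken from the slide.

```python
import struct
import ipaddress

# IANA Next Header values used here (well-known constants, not from the slide)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, ICMPV6 = 0, 43, 44, 60, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def parse_ipv6(pkt):
    """Decode the 40-byte fixed header, then walk the Next Header chain."""
    if len(pkt) < 40:
        raise ValueError("short packet")
    word0, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    hdr = {
        "version": word0 >> 28,                 # 4 bits
        "traffic_class": (word0 >> 20) & 0xFF,  # 8 bits
        "flow_label": word0 & 0xFFFFF,          # 20 bits
        "payload_length": plen,                 # 16 bits, everything after the 40 bytes
        "next_header": nh,                      # 8 bits
        "hop_limit": hlim,                      # 8 bits
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "extension_headers": [],
        "findings": [],
    }
    if hdr["version"] != 6:
        raise ValueError("not an IPv6 packet")
    off = 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            hdr["findings"].append("truncated extension header")
            break
        hdr["extension_headers"].append(nh)
        if nh == FRAGMENT:
            hdr["findings"].append("fragment header")  # fixed 8 bytes; only the sender fragments
            hlen = 8
        else:
            hlen = (pkt[off + 1] + 1) * 8  # Hdr Ext Len counts 8-octet units after the first 8
            if nh == ROUTING and pkt[off + 2] == 0:
                hdr["findings"].append("routing header type 0")
        nh, off = pkt[off], off + hlen
    hdr["upper_layer"] = nh  # first non-extension header, e.g. 58 = ICMPv6
    return hdr

def build_sample():
    """Constructed packet: IPv6 + Routing Header type 0 + Fragment header + ICMPv6 stub."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    rh0 = bytes([FRAGMENT, 2, 0, 1, 0, 0, 0, 0]) + ipaddress.IPv6Address("2001:db8::3").packed
    frag = bytes([ICMPV6, 0, 0, 0, 0, 0, 0, 1])
    payload = rh0 + frag + bytes([128, 0, 0, 0])
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), ROUTING, 64) + src + dst
    return fixed + payload
```

A perimeter or host filter that walks the chain this way can act on the findings list before the upper-layer header is ever reached, which a fixed-offset IPv4-style parser cannot do.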

IPv6 Multicast Scopes / IPv6 Multicast Addresses

Multicast and Neighbor Discovery Protocol (NDP): NO BROADCAST or ARP

Multicast Address | Result
ff01::1 – Interface-Local Scope All Nodes Address | Returns the source MAC address
ff01::2 – Interface-Local Scope All Routers Address | No result
ff02::1 – Link-Local Scope All Nodes Address | Finds nodes on a subnet
ff02::2 – Link-Local Scope All Routers Address | Returns local subnet routers
ff05::1 – Site-Local Scope All Site Nodes Address | Deprecated
ff05::2 – Site-Local Scope All Site Routers Address | Deprecated
ff05::1 – Site-Local Scope All DHCP Servers Address | Deprecated

Source: IPv6 Security by Scott Hogg and Eric Vyncke: ISBN-13 978-1-58705594

IPv6 Address Notation

128-bit IPv6 address: 2001:0db8:beef:cafe::f00d/64

• Hexadecimal colon-delineated values
• /64 standard network prefix
• "::" one-time zeros concatenation
• Drop leading zeroes per 16-bit word ("2001:db8")
• 64 bits host address space
• 2000 to 3000 hosts per subnet practical

Example IPv6 Address Components (IPv6 Address – 128 Bits)

Component | Meaning | Size | Prefix
2001:db8: | IPv6 Internet Service Provider Allocation | 32 Bits | /32
beef: | Customer Allocation | 16 Bits | /48
cafe: | Customer Subnets | 16 Bits | /64
::f00d | Host Identifier | 64 Bits | /128

Network Prefix: the first 64 bits (/64)
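An added example (not from the deck) that decomposes an address at the /32, /48 and /64 boundaries shown above with Python's ipaddress module, and goes one step beyond the slide by deriving the modified EUI-64 host identifier that SLAAC builds from a MAC address, which is the root of the "SLAAC Predictability" concern listed later in the deck. The sample address and MAC are constructed.

```python
import ipaddress

def is_valid_ipv6(text):
    """True only for well-formed notation (for instance, "::" may appear once)."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False

def address_components(addr_text):
    """Split a global unicast address at the boundaries the slide shows:
    ISP /32, customer /48, customer subnet /64, and the 64-bit host identifier."""
    addr = ipaddress.IPv6Address(addr_text)
    words = addr.exploded.split(":")  # eight zero-padded 16-bit words
    return {
        "compressed": addr.compressed,  # "::" used once, leading zeros dropped per word
        "exploded": addr.exploded,
        "isp_allocation": str(ipaddress.IPv6Network((str(addr), 32), strict=False)),
        "customer_allocation": str(ipaddress.IPv6Network((str(addr), 48), strict=False)),
        "subnet": str(ipaddress.IPv6Network((str(addr), 64), strict=False)),
        "subnet_word": words[3],                 # the 16 bits the customer uses for subnets
        "host_identifier": ":".join(words[4:]),  # the 64-bit host part
    }

def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier that SLAAC derives from a 48-bit MAC.
    The NIC's OUI and serial are embedded, so the host part is guessable."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    raw[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])
    h = iid.hex()
    return ":".join(h[i:i + 4] for i in range(0, 16, 4))

def slaac_address(prefix, mac):
    """Combine a /64 prefix with the EUI-64 interface identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return ipaddress.IPv6Address(int(net.network_address) | iid).compressed
```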

Worldwide Transition to IPv6

1. Next Generation Services – Mobility, Voice, Video, Data, Multiplayer Gaming, Cloud
2. LTE Advanced and Packet Switched Infrastructure
3. 3GPP System Architecture Evolution (SAE) and Evolved Packet Core (EPC)
4. 5G Mobility/Broadband/Mobile Networks
5. Internet of Things (IoT)
6. IEEE 2030 Specification – Information Technology (IT), Telecommunications, Cybersecurity, Distributed Management Task Force (DMTF) Common Information Model (CIM) Infrastructure, Internet, Smart Grid

1. Quality of Service (QoS) – Service Level Agreements (SLA)
2. Traffic Engineering
3. Multicast Services
4. IPv6 Provider Edge (6PE)
5. Border Gateway Protocol (BGP) – Multi-Protocol Label Switching (MPLS) IPv6 VPN – IPv6 Virtual Private Network (VPN) Provider Edge (6VPE)
6. Layer 2 Tunnel Protocol (L2TP)

IPv6 Transition Mechanisms

1. Dual Stack
2. Network Address Translation (NAT)
3. Tunnels
   • Manually Configured Tunnels
     – Generic Routing Encapsulation (GRE)
     – 6in4 (IP protocol 41)
   • Automatic Tunnels
     – 6to4 (2002::/16)
     – Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) (5EFE, IP protocol 41)
     – Teredo (UDP port 3544)
4. Proxy/Application Layer Gateway (ALG)

Dual stack is not the destination. The goal is single stack IPv6. Turn off IPv4 (Out of your comfort zone?)
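An added example (not from the deck) that classifies constructed flow records by the transition mechanisms listed above, so that tunnelled IPv6 crossing a network that believes itself IPv4-only can be inventoried: protocol 41 encapsulation, GRE, Teredo on UDP 3544, 6to4 addresses in 2002::/16 and ISATAP interface identifiers. The flow-record field names and the sample flows are assumptions; the protocol and port numbers are IANA values.

```python
import ipaddress

# IANA protocol/port numbers (well-known constants, not taken from the slide)
IP_PROTO_IPV6 = 41      # IPv6 encapsulated directly in IPv4: 6in4, 6to4, ISATAP
IP_PROTO_GRE = 47
IP_PROTO_UDP = 17
TEREDO_UDP_PORT = 3544
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

def classify_flow(flow):
    """Name the transition mechanism a flow record indicates, or return None."""
    if flow["ip_version"] == 4:
        if flow["proto"] == IP_PROTO_IPV6:
            return "protocol 41 encapsulation (6in4/6to4/ISATAP)"
        if flow["proto"] == IP_PROTO_GRE:
            return "GRE tunnel"
        if flow["proto"] == IP_PROTO_UDP and TEREDO_UDP_PORT in (flow.get("sport"), flow.get("dport")):
            return "Teredo (UDP 3544)"
        return None
    for end in ("src", "dst"):
        addr = ipaddress.IPv6Address(flow[end])
        if addr in SIX_TO_FOUR:
            return "6to4 address (2002::/16)"
        # ISATAP interface IDs start with 0000:5efe or 0200:5efe (u/l bit set)
        if ((int(addr) >> 32) & 0xFDFFFFFF) == 0x00005EFE:
            return "ISATAP address (::5efe:w.x.y.z)"
    return None

# Constructed flow records using documentation addresses, not captured traffic
SAMPLE_FLOWS = [
    {"ip_version": 4, "proto": 41, "src": "192.0.2.10", "dst": "198.51.100.1"},
    {"ip_version": 4, "proto": 17, "sport": 52000, "dport": 3544, "src": "192.0.2.11", "dst": "198.51.100.2"},
    {"ip_version": 4, "proto": 6, "sport": 40000, "dport": 443, "src": "192.0.2.12", "dst": "198.51.100.3"},
    {"ip_version": 6, "proto": 6, "src": "2002:c000:20a::1", "dst": "2001:db8::53"},
    {"ip_version": 6, "proto": 6, "src": "2001:db8:1::5efe:c000:20b", "dst": "2001:db8::80"},
    {"ip_version": 6, "proto": 58, "src": "2001:db8::1", "dst": "2001:db8::2"},
]

def tunnel_report(flows):
    """List (source, mechanism) for every flow that looks like IPv6 transition traffic."""
    report = []
    for flow in flows:
        mech = classify_flow(flow)
        if mech:
            report.append((flow["src"], mech))
    return report
```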

IPv6 Deployment Concerns

1. ICT Workforce KSA Development
2. Core System & Network Services
   – Domain Name System (DNS) – A and AAAA records
   – IP Address Management (IPAM)
   – Dynamic Host Configuration Protocol (DHCP)v6
3. Information Assurance
   – Latent Threat
   – Incident Response
4. Configuration Management & IT Disaster Recovery
5. Asset Management
6. Information Service & Application Resilience
   – Remove Discrete Address Calls
   – IPv6 Address Family Sockets
7. Business Continuity Planning (BCP)
   – Growing IPv6 Internet Connectivity
   – Embedded IPv6 Host Functionality
   – Growing Service & Application Dependencies


Cybersecurity


Tenets of Cyber Security

Confidentiality; Integrity; Availability

Availability; Integrity; Confidentiality

Incident Response | Investigation | Non-Repudiation Forensics | Chain of Evidence | Provenance

Enterprise Security

1. Network Infrastructure – Dual Stack, Perimeter Protection, Segmentation
2. Intrusion Detection System (IDS)
3. Data Loss Prevention (DLP)
4. Continuous Diagnostics & Mitigation (CDM)
5. Core Network Services
6. Systems – Platforms, Desktop, Datacenter, Laptop, Mobile Devices
   – Eventual IPv6 only (face:b00c)
7. Maintenance and Operations – Network Monitoring, Help Desk and Trouble Tickets, Incident Response
8. Operational Support – Asset, Access, Configuration Management
9. Applications – Email, Web, Mobility, …

Detect and Block IPv4 and IPv6 Malicious Traffic

Internet Threats and IPv6 Protocol Vulnerabilities

Proper Filtering and Use Policies are Absolutely Necessary!

IPv6 Protocol Vulnerabilities
• ICMPv6 unallocated and experimental messages
• Extension Header Threats
• Extension Header Vulnerabilities
• Routing Header 0
• IPv6 Extension Header Fuzzing
• Router Alert Attack
• Fragmentation Header Attacks
• Unknown Option Headers
• Upper Layer Header Attacks
• Reconnaissance/Scanning and Assessing
• Registry Checking
• Multicast Reconnaissance

Internet Threats
• Packet Flooding
• Internet Worms
• Distributed Denial of Service (DDoS)
• Man in the Middle
• Botnets
• Bogon Addresses
• BGP TTL, Long AS paths, Private AS paths
• IGP Prefix Delegation Threats
• SLAAC Predictability
• Multi-homing Issues
• Phishing, Spear Phishing
• Layer 3 and 4 Spoofing
• Social Engineering

Source: IPv6 Security by Scott Hogg and Eric Vyncke: ISBN-13 978-1-58705594

Perimeter Protection

Routes to block inbound and outbound at the network perimeter

Description | Prefix
Default route | ::/0
Unspecified address | ::/128
Loopback address | ::1/128
IPv4-compatible address | ::/96
IPv4-mapped address | ::ffff:0.0.0.0/96
Link-local addresses | fe80::/10 or longer
Site-local addresses (deprecated) | fec0::/10 or longer
Unique-local addresses | fc00::/7 or longer
Multicast addresses | ff00::/8 or longer
Documentation addresses (non-routable) | 2001:db8::/32 or longer
6Bone addresses (deprecated) | 3ffe::/16

Source: IPv6 Security by Scott Hogg and Eric Vyncke: ISBN-13 978-1-58705594
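An added example (not from the deck) that turns the table above into a Python check a route filter or a packet filter can call: a prefix is rejected if it is the default route or falls inside any listed prefix ("or longer"), and a bare address is treated as a /128 so the same function serves source/destination address filtering. The sample advertised prefixes are constructed.

```python
import ipaddress

# The perimeter slide's prefix list; "or longer" means every more-specific prefix is covered too
PERIMETER_BLOCK_LIST = {
    "::/128": "unspecified address",
    "::1/128": "loopback address",
    "::/96": "IPv4-compatible address",
    "::ffff:0.0.0.0/96": "IPv4-mapped address",
    "fe80::/10": "link-local address",
    "fec0::/10": "site-local address (deprecated)",
    "fc00::/7": "unique-local address",
    "ff00::/8": "multicast address",
    "2001:db8::/32": "documentation address (non-routable)",
    "3ffe::/16": "6Bone address (deprecated)",
}
# Most specific first, so ::/128 is reported as "unspecified" rather than "IPv4-compatible"
_BLOCKED = sorted(((ipaddress.IPv6Network(p), why) for p, why in PERIMETER_BLOCK_LIST.items()),
                  key=lambda item: item[0].prefixlen, reverse=True)

def block_reason(prefix_or_address):
    """Return why a route or an address must be blocked at the perimeter, or None."""
    net = ipaddress.IPv6Network(prefix_or_address, strict=False)  # bare address -> /128
    if net.prefixlen == 0:
        return "default route"  # ::/0 is never accepted from or announced to a peer
    for blocked, why in _BLOCKED:
        if net.subnet_of(blocked):
            return why
    return None

def filter_routes(advertised):
    """Split advertised prefixes into accepted prefixes and (prefix, reason) rejections."""
    accepted, rejected = [], []
    for prefix in advertised:
        why = block_reason(prefix)
        if why:
            rejected.append((prefix, why))
        else:
            accepted.append(prefix)
    return accepted, rejected
```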

Host ACL Policy Example: ICMPv6 Message Policy For Hosts

Permit or Deny | Message | ICMPv6 Type | Direction
Permit | NS (DAD) and NA | 135 and 136 | Inbound and Outbound
Permit | RA from local router's link-local address to ff02::1 | 134 | Inbound
Permit | RS from host's link-local address to ff02::2 | 133 | Outbound
Permit | Error messages: Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem | 1, 2, 3 and 4 | Inbound and Outbound
Permit | MLD | 130, 131, 132 and 143 | Inbound and Outbound
Permit | Echo Request | 128 | Outbound
Permit | Echo Reply | 129 | Inbound
Deny | Unallocated error messages | 5-99 and 102-126 | Inbound and Outbound
Deny | Unallocated informational messages | 154-199 and 202-254 | Inbound and Outbound
Deny | Experimental messages | 100, 101, 200 and 201 | Inbound and Outbound
Deny | Reserved error messages | 127 and 255 | Inbound and Outbound
Deny | Remaining ICMPv6 messages | All others | Inbound and Outbound

Source: IPv6 Security by Scott Hogg and Eric Vyncke: ISBN-13 978-1-58705594
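An added example (not from the deck) that encodes the host policy table above as an ordered rule list in Python, including the link-local source and multicast destination constraints on RA and RS, the explicit deny ranges, and the final deny for everything else (so Redirect, type 137, is dropped because the table never permits it). The rule names and test addresses are constructed.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
BOTH = ("inbound", "outbound")

def _types(*spans):
    """Expand (low, high) inclusive ranges into a set of ICMPv6 type numbers."""
    out = set()
    for low, high in spans:
        out.update(range(low, high + 1))
    return out

# (action, rule name, ICMPv6 types, directions, optional (src, dst) constraint), evaluated in order
HOST_ICMPV6_POLICY = [
    ("permit", "NS/NA", {135, 136}, BOTH, None),
    ("permit", "RA from router link-local to ff02::1", {134}, ("inbound",),
     lambda s, d: s in LINK_LOCAL and d == ALL_NODES),
    ("permit", "RS from host link-local to ff02::2", {133}, ("outbound",),
     lambda s, d: s in LINK_LOCAL and d == ALL_ROUTERS),
    ("permit", "error messages", {1, 2, 3, 4}, BOTH, None),
    ("permit", "MLD", {130, 131, 132, 143}, BOTH, None),
    ("permit", "echo request", {128}, ("outbound",), None),
    ("permit", "echo reply", {129}, ("inbound",), None),
    ("deny", "unallocated error", _types((5, 99), (102, 126)), BOTH, None),
    ("deny", "unallocated informational", _types((154, 199), (202, 254)), BOTH, None),
    ("deny", "experimental", {100, 101, 200, 201}, BOTH, None),
    ("deny", "reserved", {127, 255}, BOTH, None),
]

def icmpv6_decision(icmp_type, direction, src="::", dst="::"):
    """First matching rule wins; anything unmatched falls through to the final deny."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for action, name, types, dirs, constraint in HOST_ICMPV6_POLICY:
        if icmp_type in types and direction in dirs and (constraint is None or constraint(s, d)):
            return action, name
    return "deny", "remaining ICMPv6 messages"
```

Because the table permits RA only from a link-local source to ff02::1, a Router Advertisement arriving with a global source address is dropped by the final rule even though its type is 134.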

SANS 20 Critical Controls 1-10

Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Critical Control 4: Continuous Vulnerability Assessment and Remediation
Critical Control 5: Malware Defenses
Critical Control 6: Application Software Security
Critical Control 7: Wireless Device Control
Critical Control 8: Data Recovery Capability
Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

SANS 20 Critical Controls 11-20

Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
Critical Control 12: Controlled Use of Administrative Privileges
Critical Control 13: Boundary Defense
Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Control 15: Controlled Access Based on the Need to Know
Critical Control 16: Account Monitoring and Control
Critical Control 17: Data Loss Prevention
Critical Control 18: Incident Response Capability
Critical Control 19: Secure Network Engineering
Critical Control 20: Penetration Tests and Red Team Exercises

IPv6 References

IPv6 Forum: http://www.ipv6forum.org/

Cheat Sheet: http://www.roesen.org/files/ipv6_cheat_sheet.pdf

Check your Local IPv6 Task Force: http://www.ipv6tf.org/; http://www.nav6tf.org/; http://ipv6hawaii.org/; http://www.rmv6tf.org/

SysAdmin, Audit, Network, Security (SANS) Institute, 20 Critical Security Controls: http://www.sans.org/critical-security-controls/

NIST Guidelines for the Secure Deployment of IPv6 – SP800-119 Guidelines for the Secure Deployment of IPv6, 12/2010; SP800-53 Security and Privacy Controls for Federal Information Systems and Organizations, Rev 4, 2/28/2012: http://csrc.nist.gov/publications/PubsSPs.html

IPv6 Security by Scott Hogg and Eric Vyncke: ISBN-13 978-1-58705-594-2, ciscopress.com © 2009 Cisco Systems Inc.

Deploying IPv6 Networks by Ciprian Popoviciu, Eric Levy-Abegnoli, and Patrick Grossetete: ISBN 15870552105, Sixth Printing July 2011 © 2006 Cisco Systems Inc.