IPv6 Security

ISP Workshops

These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license
(http://creativecommons.org/licenses/by-nc/4.0/)

Last updated 11th April 2018 1

Acknowledgements
p This material originated from the Cisco ISP/IXP Workshop
Programme developed by Philip Smith & Barry Greene
n These slides were developed by Eric Vyncke

p Use of these materials is encouraged as long as the source is fully

acknowledged and this notice remains in place

p Bug fixes and improvements are welcomed

n Please email workshop (at) bgp4all.com

Philip Smith 2
Before we begin…
p Enabling IPv6 on any device means that:
n The device is accessible by IPv6
n Interface filters and firewall rules already present in IPv4 must
be replicated for IPv6
n Router control-plane access filters already present in IPv4 must
be replicated for IPv6
p Failure to protect the device after enabling IPv6 means
that it is wide open to abuse through IPv6 transport
n Even though the IPv4 security is in place

3
Agenda
p Should I care about IPv6?
p Issues shared by IPv4 and IPv6
p Issues specific to IPv6
p Enforcing a Security Policy in IPv6
p Secure IPv6 transport over public network
p IPv6 Security Best Practices

4
Should I care?
p Is IPv6 in my IPv4 network?
n Yes!
n And it is easy to check too
p Look inside IPv4 NetFlow records
n Protocol 41: IPv6 over IPv4 or 6to4 tunnels
n IPv4 address: 192.88.99.1 (6to4 anycast server)
n UDP 3544, the public part of Teredo, yet another tunnel
p Look into DNS requests log for ‘ISATAP’

5
uTorrent 1.8
p Uses IPv6 by default – released August 2008

6
Should I care?
p Yes, because your end users are already using IPv6
p Some transition techniques are aggressive about using IPv6
p Plus users knowingly configuring IPv6 because “IT” have decided
not to supply it by default
n 6to4 – IPv6 automatic tunnel through IPv4
n Teredo – tunnel IPv6 through UDP to bypass firewalls and NATs
n ISATAP – tunnel between IPv6 nodes within organisations
n GRE or IPv6 in IP tunnels

7
Should I care?
p Yes, because some operating systems:
n Have IPv6 turned on by default
p (most modern OSes)
n Use IPv6 for administrative communications between devices
p Windows Server 2008 & 2012, Exchange 2010 etc
p Turning IPv6 off for some of these operating systems actually
harms their function and performance
n Don’t do it, even if you think it might be a good idea

p (Yes, this IPv6 deployment by stealth)

8
Issues shared by IPv4 and IPv6
Issues facing IPv4 that we can find in
IPv6…

9
Issues shared by IPv4 and IPv6
p Scanning methods
p Viruses and Worms
p Filtering
p Amplification attacks
p Layer-2 attacks
p Broadcasts
p Routing Authentication
p Hacking

10
Scanning
p Default subnets in IPv6 have 264 addresses
n 10 Mpps = more than 50 000 years to scan one /64
n But different scanning techniques will be used
n Miscreants will use more intelligent methods for harvesting
reachable addresses
p Public servers will still need to be DNS reachable
n AAAA entries in the DNS
n More information collected by Google...
n Network footprint tools like SensePost’s Yeti

11
Scanning
p Administrators usually adopt easy-to-remember
addresses
n Easy to remember:
p ::10, ::F00D, ::CAFE, ::FADE etc
n Insert the interface’s IPv4 address into the last 32 bits of the
interface’s IPv6 address:
p 2001:DB8:10::C0A8:A01 when IPv4 address on interface is 192.168.10.1

12
Scanning
p Network administrators pick short/simple addresses for
infrastructure devices:
n e.g Loopbacks on 2001:DB8::1, 2001:DB8::2, etc
p By compromise of hosts in a network
n Access to one host gives attackers the chance to discover new
addresses to scan
p Some transition techniques derive IPv6 address from
IPv4 address
n Plenty of opportunities for more scanning

13
Viruses and Worms in IPv6
p Viruses & worms
n No change for IPv6
n Usual transmission techniques such as IM, email etc are higher up the
protocol stack
p Other worms:
n IPv4: reliance on network scanning
n IPv6: not so easy using simple scanning Þ will use alternative techniques
already discussed

p Worm developers will adapt to IPv6

p IPv4 best practices around worm detection and mitigation remain
valid
14
Overloading the CPU
p Aggressive scanning can overload router CPU
n Router will do Neighbour Discovery, wasting CPU and memory
n Most routers have built-in rate-limiters which help
p Using a /64 on point-to-point links Þ a lot of addresses to scan!
p Using infrastructure ACL to prevent this scanning
n Easy with IPv6 because new addressing scheme can be done J

15
DoS Example
Ping-Pong over Physical Point-to-Point
p Most recent implementations support RFC 4443 so this is not a threat
p Use of /127 on P2P link recommended (see RFC 6164)
p Same as in IPv4, on real P2P, “if not for me send it on to the other side”,
producing looping traffic
1)
To
20
01
:d
b8
::3

2) To 2001:db8::3
3) To 2001:db8::3
R1 R2
Serial 0/0 Serial 0/0
2001:db8::1/64 2001:db8::2/64
4) To 2001:db8::3 16
5) To 2001:db8::3
IPv6 Bogon Filtering and Anti-Spoofing
p IPv6 has its bogons too:
n Bogons are prefixes which should not be used or routed on the
public Internet
p http://www.team-cymru.org/bogon-reference-http.html
p Similar situation as for IPv4
p BCP 38 is still essential!
n https://tools.ietf.org/html/bcp38
p Same technique = uRPF
n Apply towards all end-users and end-user networks

17
Aside: What is uRPF?
FIB:
172.16.1.0/24 fa0/0
192.168.1.0/24 gi0/1
src=172.16.1.1 fa0/0 gi0/1
router

p Router compares source address of incoming packet with FIB

entry
n If FIB entry interface matches incoming interface, the packet is forwarded
n If FIB entry interface does not match incoming interface, the packet is
dropped
18
Aside: What is uRPF?
FIB:
172.16.1.0/24 fa0/0
192.168.1.0/24 gi0/1
fa0/0 gi0/1
router
src=192.168.1.1

p Router compares source address of incoming packet with FIB

entry
n If FIB entry interface matches incoming interface, the packet is forwarded
n If FIB entry interface does not match incoming interface, the packet is
dropped
19
ICMPv4 vs. ICMPv6
p Significant changes from IPv4
p ICMP is relied on much more
ICMP Message Type ICMPv4 ICMPv6
Connectivity Checks X X
Informational/Error Messaging X X
Fragmentation Needed Notification X X
Address Assignment X
Address Resolution X
Router Discovery X
Multicast Group Management X
Mobile IPv6 Support X

p ICMP policy on firewalls needs fundamental rethink

20
Generic ICMPv4 on Firewall
Border Firewall Policy Internal Server A

Internet

ICMPv4 ICMPv4
Action Src Dst Name
Type Code

Permit Any A 0 0 Echo Reply

Permit Any A 8 0 Echo Request

Dst. Unreachable—
Permit Any A 3 0
Net Unreachable
Dst. Unreachable—
Permit Any A 3 4
Frag. Needed
Time Exceeded—
Permit Any A 11 0
TTL Exceeded
21
Equivalent ICMPv6 on Firewall
RFC 4890: Border Firewall Transit Policy Internal Server A

Internet

ICMPv6 ICMPv6
Action Src Dst Name
Type Code

Permit Any A 128 0 Echo Reply

Permit Any A 129 0 Echo Request

Permit Any A 1 0 No Route to Dst.

Permit Any A 2 0 Packet Too Big

Time Exceeded—
Permit Any A 3 0
TTL Exceeded
22
Permit Any A 4 0 Parameter Problem
Equivalent ICMPv6 on Firewall
RFC 4890: Border Firewall Receive Policy Internal Server A
Firewall B

Internet

ICMPv6 ICMPv6
Action Src Dst Name
Type Code

Permit Any B 2 0 Packet too Big For locally

generated
Permit Any B 4 0 Parameter Problem traffic

Permit Any B 130–132 0 Multicast Listener

Neighbor Solicitation
Permit Any B 133/134 0
and Advertisement

Deny Any Any

23
IPv6 Routing Header
p An extension header
p Processed by the listed intermediate routers
p Two types
n Type 0: similar to IPv4 source routing (multiple intermediate routers)
n Type 2: used for mobile IPv6 (single intermediate router)

IPv6 Header Routing Header

Next Header TCP Header
Next Header =
= Routing + Data
TCP

Routing Header
Next Header Ext Hdr RH Type
Routing Type Segments Left
Length
Routing Header Data 24
Type 0 Routing Header
Amplification Attack
p What if attacker sends a packet with a Routing Header containing
n A ® B ® A ® B ® A ® B ® A ® B ® A ....
p Packet will loop multiple times on the link R1-R2
p An amplification attack!

A B

25
Preventing Routing Header Attacks
p Apply same policy for IPv6 as for IPv4:
n Block Routing Header type 0
p Prevent processing at the intermediate nodes
no ipv6 source-route

n Windows, Linux, Mac OS: default setting

p At the edge
n With an ACL blocking routing header type 0
p RFC 5095 (Dec 2007) RH0 is deprecated
n Cisco IOS default changed in 12.4(15)T: no need to type ‘no ipv6 source-
route’

26
Threats on the Layer-2 Link
p IPv4 has several threats against layer-2
n ARP spoofing
n Rogue DHCP
n …

p What about IPv6?

n On WLAN hotspot
n On ETTx network
n On hosting service Data Center
n On ADSL/cable aggregation

27
ARP Spoofing is now NDP Spoofing
p ARP is replaced by Neighbour Discovery Protocol
n Nothing authenticated
n Static entries overwritten by dynamic ones
p Stateless Address Autoconfiguration
n Rogue RA (malicious or not)
n Node misconfiguration
p DoS
p Traffic interception (Man In the Middle Attack)
p Attack tools exist (from THC – The Hacker’s Choice)
n Parasit6
n Fakerouter6
n ...
28
ARP Spoofing is now NDP Spoofing
p BAD NEWS: nothing like dynamic ARP inspection for IPv6
n Will require new hardware on some platforms
p GOOD NEWS: Secure Neighbor Discovery (RFC3971)
n SEND = NDP + crypto
n But not supported by Windows yet!
n Crypto means slower...
n NDPmon toolset (NDP Monitor)
p GOOD NEWS: RA Guard (RFC6105)
n Superset of SEND
n Permits RAs based on a set of criteria
p More GOOD NEWS:
n Private VLAN works with IPv6
n Port security works with IPv6
n 802.1X works with IPv6
n DHCP-PD means no need for NDP-proxy
29
IPv6 and Broadcasts
p There are no broadcast addresses in IPv6
p Broadcast address functionality is replaced with
appropriate link local multicast addresses

Link Local All Nodes Multicast FF02::1

Link Local All Routers Multicast FF02::2
Link Local All mDNS Multicast FF02::F

Anti-spoofing also blocks amplification

attacks because a remote attacker cannot
masquerade as his victim
30
http://iana.org/assignments/ipv6-multicast-addresses/
Preventing IPv6 Routing Attacks:
Protocol Authentication
p BGP, IS-IS, EIGRP no change:
n MD5 authentication of the routing update
p OSPFv3 is different from OSPFv2
n MD5 authentication dropped from the protocol
n Authentication relies on transport mode IPSec
p RIPng and PIM also rely on IPSec
p IPv6 routing attack prevention best practices
n Use traditional authentication mechanisms on BGP and IS-IS
n Use IPSec to secure protocols such as OSPFv3 and RIPng

31
OSPFv3 & EIGRP Authentication
p OSPFv3:
ipv6 router ospf 30
area 0 authentication ipsec spi 256 md5
1234567890ABCDEF1234567890ABCDEF

p EIGRP:
interface Ethernet0/0
ipv6 authentication mode eigrp 100 md5
ipv6 authentication key-chain eigrp 100 MYCHAIN
!
key chain MYCHAIN
key 1
key-string my-eigrp-pw

32
BGP and IS-IS Authentication
p BGP:
router bgp 10
address-family ipv6
neighbor 2001:db8::4 remote-as 11
neighbor 2001:db8::4 password bgp-as11-pw

p IS-IS:
interface Serial0/0
isis authentication mode md5
isis authentication key-chain MYCHAIN
!
key chain MYCHAIN
key 1
key-string my-isis-pw
33
IPv6 Attacks with Strong IPv4 Similarities
p Sniffing
n Without IPSec, IPv6 is as vulnerable to sniffing as IPv4
p Application layer attacks
n The majority of vulnerabilities on the Internet today are at the application
layer, something that IPSec will do nothing to prevent
p Rogue devices
n Rogue devices will be as easy to insert into an IPv6 network as in IPv4
p Man-in-the-Middle Attacks (MITM)
n Without strong mutual authentication, any attacks utilizing MITM will have
the same likelihood in IPv6 as in IPv4
p Flooding
n Flooding attacks are identical between IPv4 and IPv6

34
By the Way: It Is Real L
IPv6 Hacking/Lab Tools
p Sniffers/packet capture p Scanners
n Snort n IPv6 security scanner
n TCPdump n Halfscan6
n Sun Solaris snoop n Nmap
n COLD n Strobe
n Wireshark n Netcat
n Analyzer p Packet forgers
n Windump n Scapy6
n WinPcap n SendIP
p DoS Tools n Packit
n 6tunneldos n Spak6
n 4to6ddos p Complete toolkit
n Imps6-tools n https://www.thc.org/thc-ipv6/

35
 Specific IPv6 issues
New features in IPv6 introduce new
problems…

36
Specific IPv6 Issues
p IPv6 header manipulation
p Link Local vs Global Addressing
p Transition Challenges
p 6to4, 6VPE
p v4/v6 translation issues
p IPv6 stack issues

37
IPv6 Header Manipulation
p Unlimited size of header chain (spec-wise) can make filtering difficult
p Potential Denial of Service with poor IPv6 stack implementations
n More boundary conditions to exploit
n Can I overrun buffers with a lot of extension headers?

Perfectly Valid IPv6 Packet

According to the Sniffer

Header Should Only Appear Once

Destination Header Which Should
Occur at Most Twice
Destination Options Header Should
Be the Last

38
Parsing the Extension Header Chain
p Finding the layer 4 information is not trivial in IPv6
n Skip all known extension header
n Until either known layer 4 header found Þ SUCCESS
n Or unknown extension header/layer 4 header found... Þ FAILURE

IPv6 hdr HopByHop Routing AH TCP data

IPv6 hdr HopByHop Routing AH Unknown L4 ???

IPv6 hdr HopByHop Unk. ExtHdr AH TCP data

39
Fragment Header: IPv6
IPv6 Header Fragment of TCP
Next Header Header + Data
= Fragment

Fragment Header
Next Header Reserved Fragment Offset
Routing Type Identification

Fragment Data

p According to the IPv6 RFC, fragmentation is only done by the end system
n But in some cases, routers act as an end system
p Reassembly done by end system like in IPv4
p Attackers can still cause fragmentation in end/intermediate systems
n A great obfuscation tool to hide attacks on IPS & firewall
40
Parsing the Extension Header Chain
Fragmentation Matters!
p Extension headers chain can be so large that the header itself is fragmented!
p Finding the layer 4 information is not trivial in IPv6
n Skip all known extension headers
n Until either known layer 4 header found Þ SUCCESS
n Or unknown extension header/layer 4 header found Þ FAILURE
n Or end of extension headers Þ FAILURE

IPv6 hdr HopByHop Routing Destination Destination Fragment1

IPv6 hdr HopByHop Fragment2 TCP Data

Layer 4 header is 41
in 2nd fragment
IPv6 Fragments
p Unlimited size of the extension header chain is a source
of potential problems
p We could block all IPv6 fragments on perimeter filters
p But what about legitimate IPv6 traffic which is
fragmented??
n DNSSEC packets are often large enough to be fragmented
p Dilemma:
n Blocking fragments – protects against fragmentation attacks
n Blocking fragments – breaks legitimate traffic

42
IPv6 Fragments
p Best current advice:
n Block fragments destined to network devices only
p Allow fragments transiting the network (won’t break DNSSEC etc)
n We want to avoid buffer exhaustion problems caused by a
fragment based DoS attack
n Example:
ipv6 access-list border-acl-in
...
deny ipv6 any 2001:DB8::/64 fragments
...

43
Link-Local vs. Global Addresses
p Link-Local addresses (FE80::/10) are isolated
n Cannot reach outside of the link
n Cannot be reached from outside of the link J
p Could be used on the infrastructure interfaces
n Routing protocols (including BGP) work with LLA
n Benefit: no remote attack against your infrastructure
p Implicit infrastructure ACL
n Note: need to provision loopback for ICMP generation
n LLA can be configured statically (not the EUI-64 default) to avoid changing
neighbour statements when changing MAC

44
Link-Local for Backbone: Example
p Note: need to provision loopback for ICMP generation
interface GigabitEthernet0/0/1
description Point-to-point to City 2
ip address 192.168.1.1 255.255.255.252
ipv6 unnumbered loopback 0

p Interface looks like this:

GigabitEthernet0/0/1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::462B:3FF:FE80:4A02
No Virtual link-local address(es):
Description: Point-to-point to City 2 (Gig0/3)
Interface is unnumbered. Using address of Loopback0
No global unicast address is configured

p Traceroute through the network shows loopback address for each hop
Tracing the route to noc.isp (2001:DB8::FF:FF)

1 cr1.city2.isp (2001:DB8::2:5) 6 msec 6 msec 6 msec

2 cr1.city1.isp (2001:DB8::1:3) 7 msec 8 msec 8 msec 45
3 noc.isp (2001:DB8::FF:FF) 8 msec 8 msec 8 msec
IPv6 Transition Technologies
Security
From IPv4 to IPv6, securely

46
Actively deployed Transition Technologies
p Dual stack
p Generic Tunnels
p 6to4
p ISATAP
p Teredo
p NAT64 (and NAT)
p 6rd
p DS-Lite
p 464XLAT
p 6PE & 6VPE
47
IPv4 to IPv6 Transition Challenges
p Many competing methods, several may be deployed at the same
time
p Dual stack
n Consider security for both protocols
n Cross v4/v6 abuse
n Resiliency (shared resources)
p Tunnels
n Bypass firewalls (protocol 41 or UDP)
n Bypass other inspection systems
n Render Netflow blind
n Traffic engineering becomes tough
n Asymmetrical flows (6to4)
48
Dual Stack with IPv6 on by Default
p Your host:
n IPv4 is protected by your favorite personal firewall...
n IPv6 is enabled by default (Windows, Linux, macOS, FreeBSD ...)
p Your network:
n Does not run IPv6
p Your assumption:
n I’m safe
p Reality
n You are not safe
n Attacker sends Router Advertisements
n Your host silently configures IPv6
n You are now under IPv6 attack
p Þ Probably time to think about IPv6 in your network
49
Dual Stack Host Considerations
p Host security on a dual-stack device
n Applications can be subject to attack on both IPv6 and IPv4
n Fate sharing: connectivity is as secure as the least secure
stack...
p Host security controls must filter and inspect traffic from
both IP versions
n Host intrusion prevention, personal firewalls, VPN clients, etc.

50
Split Tunnelling on VPNs
p VPNs are especially vulnerable:
n Split tunneling
p IPv4 traffic goes over the IPSEC Tunnel, but
p IPv6 traffic goes native, and is potentially vulnerable
n IPv6 host is vulnerable to incoming exploits
IPv4 IPsecVPN with
No Split Tunneling

Dual Stack
Client
IPv6 HDR IPv6 Exploit
Does the IPsec Client Stop an
Inbound IPv6 Exploit?

51
How to block Rogue Tunnels?
p Rogue tunnels by naïve users:
n Sure, block IP protocol 41 and UDP/3544
n In Windows:
netsh interface 6to4 set state state=disabled undoonstop=disabled
netsh interface isatap set state state=disabled
netsh interface teredo set state type=disabled

p Really rogue tunnels (covert channels)

n No easy way...
n Teredo will run over a different UDP port of course
p Deploying native IPv6 (including IPv6 firewalls and IPS) is
best/easier alternative
p Or disable IPv6 (uh?)
52
6to4 Issues
p Automatic tunnelling technology
p Obsoleted in May 2015 (BCP196) due to serious operational and security
concerns:
n Bypasses filters, firewalls, most intrusion detection systems
n Asymmetric traffic flows
p Two components:
n 6to4 client
n 6to4 relay
p 6to4 host might be IPv4 protected – what about IPv6 protection, filters,…?
p 6to4 relay
n 6to4 host picks topologically closest relay
n Outbound traffic – your ISP’s relay
n Return traffic – whose relay??
53
6to4 Tunnels Bypass Filters
p 6to4 tunnel to another 6to4 host on local network
n Results in IPv6 packets going from one IPv6 host to another
IPv6 over IPv4
n Bypasses IPv6 packet filters on central host
n Bypasses IPv4 packet filters on central host
n Þ Major security risk

54
6to4 Relay Security Issues
p Traffic is asymmetric
n 6to4 client/router ® 6to4 relay ® IPv6 server:
p Client IPv4 routing selects the relay
n IPv6 server ® 6to4 relay ® 6to4 client/router:
p Server IPv6 routing selects the relay
n Cannot insert a stateful device (firewall, ...) on any path
p Potential amplification attack (looping IPv6 packet) between
ISATAP server & 6to4 relay
n Where to route: 2002:isatap::/48 ?
n Where to route: isatap_prefix::200:5efe:6to4?

57
ISATAP issues
p Intra-site tunnelling protocol
n Designed to let isolated IPv6 clients speak to other isolated IPv6
enabled devices over a site’s IPv4 infrastructure
p Security considerations:
n Client IPv6 filtering/firewalling?
n Tunnel technology could bypass inter-departmental controls
used for IPv4
n Who runs the domain’s ISATAP server?

58
Teredo Issues
p UDP based tunnelling technology to allow remote IPv6 clients
connect to IPv6 Internet over IPv4 infrastructure
n Uses UDP
n Bypasses firewalls and traverses NATs
p Already seen the “bittorrent” case at the start of the presentation
p Severe security risk for any organisation
n Client IPv6 filters?
n Firewall bypass
n Who runs the remote Teredo relay?
n Runs on non-default UDP ports too

59
Translation Issues
p Whether NAT64 or NAT444
p Shared IPv4 address among different subscribers
n Per-IP address reputation means that bad behaviour by one
affects multiple subscribers
n Sending ICMP Packet-too-big to common server means
bandwidth reduction for all subscribers sharing that source IP
address
n Huge amount of log traffic for Lawful Intercept (but there are
other ways to keep track)

60
6rd Issues
p Based on 6to4, so potentially inherits most of 6to4’s
security considerations
n Securing IPv6 traffic on 6rd client in the same way as for native
IPv4 traffic
p 6rd-relay is controlled by ISP though
n Avoids “publicly operated” relay problem which plagues 6to4

61
DS-Lite & 464XLAT Issues
p ISP has native IPv6 backbone
n And no IPv4
p IPv4 tunnelled through IPv6
p CPE is dual stack towards the end user
n Usual dual stack security considerations
p ISP core tunnel termination (Large Scale NAT)
n Faces all the security and scaling considerations that any NAT
device would face

62
6VPE Security Issues
p 6PE (dual stack without VPN) is a simple case
p Security is identical to IPv4 MPLS-VPN, see RFC 4381
p Security depends on correct operation and
implementation
n QoS prevent flooding attack from one VPN to another one
n PE routers must be secured: AAA, iACL, CoPP …

63
6VPE Security Issues
p MPLS backbones can be more secure than normal IP backbones
n Core not accessible from outside
n Separate control and data planes
p PE security
n Advantage: Only PE-CE interfaces accessible from outside
n Makes security easier than in “normal” networks
n IPv6 advantage: PE-CE interfaces can use link-local for routing
n Þ completely unreachable from remote (better than IPv4)

64
 IPv6 Security Policies
So how do we go about securing the
network…?

65
IPv6 Security Policy
p Access control lists
n Configuration
n Implicit Rules
p Interface and VTY filtering
p IPv6 NetFlow
p Enterprise Security

66
Cisco IOS IPv6 Extended Access Control Lists
p Very much like in IPv4
n Filter traffic based on
p Source and destination addresses
p Next header presence
p Layer 4 information
n Implicit deny all at the end of ACL
n Empty ACL means traffic allowed
n Reflexive and time based ACL
p Known extension headers (HbH, AH, RH, MH, destination,
fragment) are scanned until:
n Layer 4 header found
n Unknown extension header is found
67
See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html
IPv6 ACL Implicit Rules
RFC 4890
p Implicit entries exist at the end of each IPv6 ACL to allow
neighbour discovery:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

68
IPv6 ACL Implicit Rules:
Adding a deny-log
p The IPv6 beginner’s mistake is to add a ‘deny log’ at the end of the
IPv6 ACL
. . .
! Now log all denied packets
deny IPv6 any any log
! Oooops . . . I forget about these implicit lines
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

p Instead, explicitly add the implicit ACL

. . .
! Now log all denied packets
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log 69
To filter ICMPv6 or not?
p Many administrators are very accustomed to severely filtering
ICMPv4
n Due to history – the ICMP DoS attacks from the late 90s and early 2000s.
n Blocking all ICMPv4 doesn’t really hurt IPv4 too much
p Stops Path MTU Discovery
p Makes troubleshooting incredibly hard
p Severely filtering ICMPv6 will cause serious harm to IPv6, or even
preventing IPv6 from working
n RFC4890 filtering or
n Rate-limit ICMPv6 and allow it all

70
Example: RFC 4890 ICMP ACL
ipv6 access-list RFC4890
permit icmp any any echo-reply
permit icmp any any echo-request
permit icmp any any 1 3
permit icmp any any 1 4
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any parameter-problem
permit icmp any any mld-query
permit icmp any any mld-reduction
permit icmp any any mld-report
permit icmp any any nd-na
permit icmp any any nd-ns
permit icmp any any router-solicitation 71
Example: Rogue RA & DHCP ACL
p If rogue RA or rogue DHCP server detected on network,
how to deal with it?
ipv6 access-list ACCESS-PORT
remark Block all traffic DHCP server -> client
deny udp any eq 547 any eq 546
remark Block Router Advertisements
deny icmp any any router-advertisement
permit any any

interface gigabitethernet 1/0/1

switchport
ipv6 traffic-filter ACCESS-PORT in
72
IPv6 ACL to Protect VTY
p Protecting router VTYs is very important
n Remember: device security is as good as the least protected
protocol
ipv6 access-list VTY
permit ipv6 2001:db8:0:1::/64 any
!
line vty 0 4
ipv6 access-class VTY in

73
IPv6 Filtering
p IPv6 access-lists (ACL) are used to filter traffic and
restrict access to the router
n Used on router interfaces
n Used to restrict access to the router
n ACLs matching source/destination addresses, ports and various
other IPv6 options
p IPv6 prefix-lists are used to filter routing protocol
updates
n Used on BGP peerings
n Matching source and destination addresses
74
IPv6 prefix-list example
p Example of using an ipv6 prefix-list to filter prefixes on a
BGP session:
router bgp 10
neighbor 2001:db8:1:1019::1 remote-as 20
!
address-family ipv6
neighbor 2001:db8:1:1019::1 activate
neighbor 2001:db8:1:1019::1 prefix-list ipv6-ebgp in
neighbor 2001:db8:1:1019::1 prefix-list v6out out
network 2001:db8::/32
exit-address-family
!
ipv6 prefix-list ipv6-ebgp permit ::/0 le 128
!
ipv6 prefix-list v6out permit 2001:db8::/32
!

75
Routing Security
p Implement the recommendations in
https://www.routingmanifesto.org/manrs
1. Prevent propagation of incorrect routing information
p Filter BGP peers, in & out!
2. Prevent traffic with spoofed source addresses
p BCP38 – Unicast Reverse Path Forwarding
3. Facilitate communication between network operators
p NOC to NOC Communication
4. Facilitate validation of routing information
p Route Origin Authorisation using RPKI

76
Cisco IOS IPv6 NetFlow
p Netflow supports IPv6 as from IOS 12.4
n Type 9 flow records
n Following syntax in 12.4 IOS releases
p Activated by:
n Interface subcommands:
ipv6 flow ingress
ipv6 flow egress

p Status:
show ipv6 flow cache
77
IPv6 NetFlow
gw>show ipv6 flow cache
IP packet size distribution (520293627 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .837 .130 .031 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 475168 bytes

29 active, 4067 inactive, 11258417 added
293481382 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 33992 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
SrcAddress InpIf DstAddress OutIf Prot SrcPrt DstPrt Packets
2001:7F8:4:1::44FC:1 Local 2001:7F8:4:1::219F:1 Gi0/0 0x06 0x00B3 0x9658 11
2001:7F8:4:1::219F:1 Gi0/0 2001:7F8:4:1::44FC:1 Local 0x06 0x9658 0x00B3 11
2001:7F8:4:1::44FC:1 Local 2001:7F8:4:1::220A:2 Gi0/0 0x06 0x00B3 0x8525 110
2001:7F8:4:1::44FC:1 Local 2001:7F8:4:1::847:1 Gi0/0 0x3A 0x0000 0x8800 14
2001:7F8:4:1::32E6:1 Gi0/0 FE80::222:55FF:FEE4:1F1B Local 0x3A 0x0000 0x8800 256
2001:7F8:4:1::220A:2 Gi0/0 2001:7F8:4:1::44FC:1 Local 0x06 0x8525 0x00B3 82
FE80::212:F2FF:FEF2:3C61 Gi0/0 FE80::222:55FF:FEE4:1F1B Local 0x3A 0x0000 0x8800 256
2001:7F8:4:1::1F8B:1 Gi0/0 2001:7F8:4:1::44FC:1 Local 0x06 0x00B3 0x4533 4
78
Cisco IOS IPv6 Netflow (15.0+)
p Flexible Netflow from 12.4T and 15.0 software releases:

flow monitor FLOW-MONITOR-V6-IN

exporter EXPORTER
cache timeout active 300
record netflow ipv6 original-input
!
flow monitor FLOW-MONITOR-V6-OUT
exporter EXPORTER
cache timeout active 300
record netflow ipv6 original-output
!
interface GigabitEthernet0/0
ipv6 flow monitor FLOW-MONITOR-V6-IN input
ipv6 flow monitor FLOW-MONITOR-V6-OUT output
!

79
Cisco IOS IPv6 Netflow (15.0+)
p Show commands are more sophisticated, for example:
n Show the top 20 outbound IPv6 flows
show flow monitor FLOW-MONITOR-V6-OUT cache aggregate ipv6 source address ipv6
destination address sort counter bytes top 20

n Show the top 20 inbound IPv6 flows

show flow monitor FLOW-MONITOR-V6-IN cache aggregate ipv6 source address ipv6
destination address sort counter bytes top 20

80
Securing IPv6 Connectivity
How do we secure our end-to-end
connections…?

81
Securing IPv6 Connectivity
p Over Internet
n Client to Server:
p IPsec or SSL VPN Client Software
n Network to Network:
p Tunnel technology (GRE) protected by IPsec
p Site to Site VPNs
n Tunnel technology (GRE or MPLS) protected by IPsec

82
Secure IPv6 over IPv4/v6 Public Internet
p No traffic sniffing
p No traffic injection
p No service theft
Public Network Site to Site Remote Access
IPv4 6in4/GRE Tunnels Protected by IPsec IPsec or SSL VPN Clients

IPv6 GRE Tunnels Protected by IPsec IPsec or SSL VPN Clients

83
 Secure Site to Site IPv6 Traffic over IPv4
IPv6 Network
Public Network with GRE IPsec

IPv6 Network
IPv6 in IPv4 tunnel

IPv4

84
 Secure Site to Site IPv6 Traffic over IPv4
Public Network with GRE IPsec
IPsec protects IPv4 unicast
traffic... The encapsulated
IPv6 packets
IPv6 Network

IPv6 Network
IPsec
IPv6 in IPv4 tunnel

IPv4

85
 Secure Site to Site IPv6 Traffic over IPv4
Public Network with GRE IPsec
IPsec protects IPv4 unicast
traffic... The encapsulated
IPv6 packets
IPv6 Network

IPv6 Network
IPsec
IPv6 in IPv4 tunnel

IPv4
GRE tunnel can be used to transport both IPv4 and IPv6 in the same tunnel

86
IPv6 Security Best Practices
Recommendations…

87
Candidate Best Practices (1)
p Train your network operators and security managers on
IPv6
p Train your network operators and security managers on
IPv6

p Selectively filter ICMP (RFC 4890)

n Might be easier to rate-limit ICMPv6 to a few Mbps
p Block Type 0 Routing Header at the edge
n Should be automatically blocked by equipment already (but do it
anyway)
88
Candidate Best Practices (2)
p Adopt all the IPv4 Best Current Practices
n Implement BCP38 filtering
n Implement the Routing Security recommendations in
https://www.routingmanifesto.org/manrs
n If management plane is only IPv4, block IPv6 to the core devices
n If management plane is dual stack, replicate IPv4 filters in IPv6
n Which extension headers will be allowed through the access control device?
n Deny IPv6 fragments destined to network equipment when possible
n Use authentication to protect routing protocols
n Document procedures for last-hop traceback

89
Candidate Best Practices (3)
Mainly for Enterprise Customers
p Implement privacy extensions carefully
p Only allow Global Unicast address sourced traffic out the border
routers
n Block ULA and other non-assigned IPv6 addresses
p Filter unneeded services at the firewall
p Maintain host and application security
p Use cryptographic protections where critical
p Implement ingress filtering of packets with IPv6 multicast source
addresses
p Avoid tunnels
n If you must tunnel, use static tunneling NOT dynamic tunneling

90
Conclusion
p So, nothing really new in IPv6
p Lack of operational experience may hinder security for a
while Þ training is required
p Security enforcement is possible
n Control your IPv6 traffic as you do for IPv4
p Leverage IPSec to secure IPv6 when suitable

91
IPv6 Security
ISP Workshops

92