This chapter explains the need for IPv6 and presents its fundamental features, as well as enhancements when compared to IPv4. It covers IPv6 addressing scheme, components, and design principles and how routing functions. The chapter then presents potential threats and develops a strategy for IPv6 security.
Trang 1© 2012 Cisco and/or its affiliates All rights reserved 1
© 2012 Cisco and/or its affiliates All rights reserved 1
Securing the Data Plane in IPv6
Environments
Trang 2In this chapter, you learn how to do the following:
• Explain the need for IPv6 from the general perspective of the transition
to IPv6 from IPv4
• List and describe the fundamental features of IPv6, as well as
enhancements when compared to IPv4
• Analyze the IPv6 addressing scheme, components, and design
principles and configure IPv6 addressing
• Describe the IPv6 routing function
• Evaluate how common and specific threats affect IPv6
• Develop and implement a strategy for IPv6 security
Contents
Trang 3© 2012 Cisco and/or its affiliates All rights reserved 3
The Need for IPv6
Trang 4IPv6 is a powerful enhancement to IPv4 Several features in IPv6 offer
functional improvements What IP developers learned from using IPv4
suggested changes to better suit current and probable network demands:
• Larger address space:
Trang 5© 2012 Cisco and/or its affiliates All rights reserved 5
The new IPv6 header is simpler than the IPv4 header, in the following
ways:
• Half of the previous IPv4 header fields are removed This enables
simpler processing of the packets, enhancing the performance and routing efficiency.
• All fields are aligned to 64 bits, which enables direct storage and access
in memory by fast lookups.
• No checksum occurs at the IP layer, and no recalculation is performed by the routers Error detection is done by the link layer and transport layer.
IPv6 Headers
Trang 6Stateless Address Autoconfiguration
Trang 7© 2012 Cisco and/or its affiliates All rights reserved 7
IPv4 and IPv6 Compared
Trang 9© 2012 Cisco and/or its affiliates All rights reserved 9
IPv6 Address Representation
Trang 10© 2012 Cisco and/or its affiliates All rights reserved 10
• Unicast
• Address is for a single interface
• IPv6 has several types (for example, global, reserved, link-local, and site-local)
• Multicast
• One-to-many
• Enables more efficient use of the network
• Uses a larger address range
• Anycast
• One-to-nearest (allocated from unicast address space)
• Multiple devices share the same address
• All anycast nodes should provide uniform service
• Source devices send packets to anycast address
• Routers decide on closest device to reach that destination
• Suitable for load balancing and content delivery services
IPv6 Address Types
Trang 11© 2012 Cisco and/or its affiliates All rights reserved 11
IPv6 address types have the following patterns:
• Global: Starts with 2000::/3 and assigned by the Internet Assigned
Numbers Authority (IANA)
• Reserved: Used by the IETF
• Private: Link local (starts with FE80::/10)
• Loopback: (::1)
• Unspecified: (::)
IPv6 Unicast Addressing
Trang 12IPv6 Global Unicast and Anycast
Addresses
Trang 13© 2012 Cisco and/or its affiliates All rights reserved 13
Link-Local Addresses
Multicast Addresses
Trang 14There are several ways to assign an IPv6 address to a device:
• Static assignment using a manual interface ID
• Static assignment using an EUI-64 interface ID
• Stateless autoconfiguration
• DHCP for IPv6 (DHCPv6)
Assigning IPv6 Global Unicast Addresses
Trang 15© 2012 Cisco and/or its affiliates All rights reserved 15
IPv6 EUI-64 Interface Identifier
Trang 16© 2012 Cisco and/or its affiliates All rights reserved 16
R1(config)# ipv6 unicast-routing
R1(config)# interface fa0/0
R1(config-if)# ipv6 address 2001:db8:c18:1::/64 eui-64 R1# show ipv6 interface fa0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is
Trang 17© 2012 Cisco and/or its affiliates All rights reserved 17
• EIGRP for IPv6
Routing Considerations for IPv6
Trang 18In general, many types of attacks are similar between IPv4 and IPv6, as
listed below For some attack types, additional information is provided.
• Reconnaissance
– Not so easy in IPv6 due to large address space
– Scanners will make router trigger NDP, wasting CPU and resources
– Attack tools exist today (Parasit6, Fakerouter6, Scapy6, others)
• Viruses and worms
– Scanning will probably use alternative techniques
• Application layer attacks
– Same implications
– Peer-to-peer nature of IPv6 augments the problem
Revisiting Threats: Considerations for
IPv6
Trang 19© 2012 Cisco and/or its affiliates All rights reserved 19
• Unauthorized access
• Man-in-the-middle attacks
– Still a possibility
– Myth: mandatory IPsec resolves the issue
– Reality: IPsec is a mandatory part of the stack, but you still have to configure it
• Sniffing or eavesdropping
• Denial of service (DoS) attacks
• Spoofed packets: forged addresses and other fields
• Still a possibility
• Bogons (bogus IP addresses) a reality today
• Attacks against routers and other networking devices
• Attacks against the physical or data link layers
Revisiting Threats: Considerations for
IPv6
Trang 20However, there is also some bad news IPv6 is a bit different and, as such, there are threats that
have been slightly changed by the fact that IPv6 does things slightly differently than IPv4 The
following is a list of threats that are only slightly modified by IPv6:
• Packet amplification attacks (IPv4 uses broadcast; IPv6 uses multicast)
Revisiting Threats: Considerations for
IPv6
Trang 21© 2012 Cisco and/or its affiliates All rights reserved 21
• Reconnaissance and scanning worms: Brute-force discovery is more
difficult.
• Attacks against ICMPv6: ICMPv6 is a required component of IPv6.
• Extension header (EH) attacks: EHs need to be accurately parsed.
• Autoconfiguration: NDP attacks are simple to perform.
• Attacks on transition mechanisms: Migration techniques are required
by IPv6.
• Mobile IPv6 attacks: Devices that roam are susceptible to multiple
vulnerabilities.
• IPv6 protocol stack attacks: Because of the code freshness of IPv6,
bugs in the protocol stack exist
List of threats that are unique to IPv6
networks
Trang 22• Training and planning
• Lack of knowledge, poor planning even for basic security controls (example:
weak ingress filtering, or no filtering at all)
• End nodes are exposed to many threats:
• Address configuration parameters: Rogue configuration parameters
• Address initialization: Denial of address insertion
• Address resolution: Address stealing
• Default gateway discovery: Rogue routers
• Neighbor reachability tracking: Rogue neighbor status
• Header extensions
• Hosts process routing headers (RH)
• Header extensions can be exploited (example: routing header for source
routing and reconnaissance)
• Amplification attacks based on routing header
IPv6 introduces the following difficulties or
vulnerabilities
Trang 23© 2012 Cisco and/or its affiliates All rights reserved 23
• The attacker manipulates the routing header to create a traffic loop
• DoS attacks can be performed using this feedback loop to consume
resources or amplify the packets that are sent to a victim
• RH0 packets could be created with a list of embedded IPv6 addresses
• The packet would be forwarded to every system in the list before finally being sent to the destination address
• If the embedded IPv6 addresses in an RH0 packet were two systems on the Internet listed numerous times, it could cause a type of feedback
loop.
Examples of Possible IPv6 Attacks
Traffic Loop from Exploiting Routing Header
Trang 24• The attacker abuses NDP by using a router to amplify a network scan
• The router sends Neighbor Solicitation (NS) messages to all the hosts in the LAN segment, using the all-nodes multicast address.
Network Scan from Exploiting NDP
Trang 25© 2012 Cisco and/or its affiliates All rights reserved 25
Combo Attack on IPv6
Trang 26© 2012 Cisco and/or its affiliates All rights reserved 26
• Ingress filtering is key:
• Deny Bogon addresses
• Filter multicast packets at your perimeter based on their scope
• Permit only packets that have as a destination address your allocated block of addresses or multicast group address or your link-local address for NDP
• Granularly filter ICMPv6 messages at the perimeter (remember, ICMPv6 is
needed for protocol operations such as NDP)
• Drop RH0 packets and unknown extension headers at the perimeter and
throughout the interior of the network
• Favor dual stack as the transition mechanism, but secure each protocol equally.
• Control the use of tunneling:
• Configure manual tunnels if possible
• Do not allow tunnels through the perimeter unless required
• Consider current and future security enhancements:
• Secure NDS (SeND) from RFC 3971 provides a cryptographic method to
Neighbor Discovery
• RA Guard, from RFC 6105, is an alternative and complement to SeND, filtering
at Layer 2
Recommended Practices
Trang 27© 2012 Cisco and/or its affiliates All rights reserved 27
• For additional information, refer to these resources:
– Cisco Systems, Inc Cisco IOS IPv6 Configuration Guide, Release 12.4,
Implementing IPv6 Addressing and Basic Connectivity, http://