Chapter 6 securing the data plane in IPv6 environments


© 2012 Cisco and/or its affiliates All rights reserved 1

Securing the Data Plane in IPv6 Environments


Contents

In this chapter, you learn how to do the following:

• Explain the need for IPv6 from the general perspective of the transition to IPv6 from IPv4
• List and describe the fundamental features of IPv6, as well as enhancements when compared to IPv4
• Analyze the IPv6 addressing scheme, components, and design principles and configure IPv6 addressing
• Describe the IPv6 routing function
• Evaluate how common and specific threats affect IPv6
• Develop and implement a strategy for IPv6 security


The Need for IPv6


IPv6 is a powerful enhancement to IPv4. Several features in IPv6 offer functional improvements. What IP developers learned from using IPv4 suggested changes to better suit current and probable


IPv6 Headers

The new IPv6 header is simpler than the IPv4 header, in the following ways:

• Half of the previous IPv4 header fields are removed. This enables simpler processing of the packets, enhancing the performance and routing efficiency.
• All fields are aligned to 64 bits, which enables direct storage and access in memory by fast lookups.
• No checksum occurs at the IP layer, and no recalculation is performed by the routers. Error detection is done by the link layer and transport layer.


Stateless Address Autoconfiguration


IPv4 and IPv6 Compared


IPv6 Address Representation


IPv6 Address Types

• Unicast
  – Address is for a single interface
  – IPv6 has several types (for example, global, reserved, link-local, and site-local)
• Multicast
  – One-to-many
  – Enables more efficient use of the network
  – Uses a larger address range
• Anycast
  – One-to-nearest (allocated from unicast address space)
  – Multiple devices share the same address
  – All anycast nodes should provide uniform service
  – Source devices send packets to anycast address
  – Routers decide on closest device to reach that destination
  – Suitable for load balancing and content delivery services


IPv6 Unicast Addressing

IPv6 address types have the following patterns:

• Global: Starts with 2000::/3 and assigned by the Internet Assigned Numbers Authority (IANA)
• Reserved: Used by the IETF
• Private: Link local (starts with FE80::/10)
• Loopback: (::1)
• Unspecified: (::)


IPv6 Global Unicast and Anycast Addresses


Link-Local Addresses

Multicast Addresses


Assigning IPv6 Global Unicast Addresses

There are several ways to assign an IPv6 address to a device:

• Static assignment using a manual interface ID
• Static assignment using an EUI-64 interface ID
• Stateless autoconfiguration
• DHCP for IPv6 (DHCPv6)


IPv6 EUI-64 Interface Identifier


R1(config)# ipv6 unicast-routing
R1(config)# interface fa0/0
R1(config-if)# ipv6 address 2001:db8:c18:1::/64 eui-64

R1# show ipv6 interface fa0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::218:B9FF:FE21:9278
Global unicast address(es):
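The following Python is an added example, not part of the Cisco slides: it performs the modified EUI-64 derivation that the "ipv6 address ... eui-64" command applies, and reverses it to show why an EUI-64 address discloses the interface's MAC (vendor OUI and hardware identity) to anyone who sees it. It assumes the router's MAC is 00:18:B9:21:92:78, which is the value the link-local address in the output above implies.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Derive the 64-bit modified EUI-64 interface ID from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Insert FFFE between the OUI (first 3 octets) and the device-specific half ...
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # ... then flip the universal/local bit (bit 1 of the first octet): 00 -> 02.
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID, as the router does for 'eui-64'."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address; None if the address is not EUI-64 derived.

    This is the reconnaissance angle: the low 64 bits of such an address reveal the
    vendor OUI and a stable hardware identifier, which is why privacy extensions or
    manually assigned interface IDs are preferred for exposed hosts."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    # Assumed MAC (constructed from the slide's link-local address), not taken from the slides.
    ROUTER_MAC = "00:18:b9:21:92:78"
    print(eui64_address("fe80::/64", ROUTER_MAC))             # fe80::218:b9ff:fe21:9278
    print(eui64_address("2001:db8:c18:1::/64", ROUTER_MAC))   # global address the router forms
    print(mac_from_eui64("fe80::218:b9ff:fe21:9278"))         # 00:18:b9:21:92:78
```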


Routing Considerations for IPv6

• EIGRP for IPv6


Revisiting Threats: Considerations for IPv6

In general, many types of attacks are similar between IPv4 and IPv6, as listed below. For some attack types, additional information is provided.

• Reconnaissance
  – Not so easy in IPv6 due to large address space
  – Scanners will make router trigger NDP, wasting CPU and resources
  – Attack tools exist today (Parasit6, Fakerouter6, Scapy6, others)
• Viruses and worms
  – Scanning will probably use alternative techniques
• Application layer attacks
  – Same implications
  – Peer-to-peer nature of IPv6 augments the problem


Revisiting Threats: Considerations for IPv6

• Unauthorized access
• Man-in-the-middle attacks
  – Still a possibility
  – Myth: mandatory IPsec resolves the issue
  – Reality: IPsec is a mandatory part of the stack, but you still have to configure it
• Sniffing or eavesdropping
• Denial of service (DoS) attacks
• Spoofed packets: forged addresses and other fields
  – Still a possibility
  – Bogons (bogus IP addresses) a reality today
• Attacks against routers and other networking devices
• Attacks against the physical or data link layers


However, there is also some bad news. IPv6 is a bit different and, as such, there are threats that have been slightly changed by the fact that IPv6 does things slightly differently than IPv4. The following is a list of threats that are only slightly modified by IPv6:


List of threats that are unique to IPv6 networks

• Reconnaissance and scanning worms: Brute-force discovery is
• Autoconfiguration: NDP attacks are simple to perform.
• Attacks on transition mechanisms: Migration techniques are required by IPv6
• Mobile IPv6 attacks: Devices that roam are susceptible to multiple vulnerabilities
• IPv6 protocol stack attacks: Because of the code freshness of IPv6, bugs in the protocol stack exist


IPv6 introduces the following difficulties or vulnerabilities

• Training and planning
  – Lack of knowledge, poor planning even for basic security controls (example: weak ingress filtering, or no filtering at all)
• End nodes are exposed to many threats:
  – Address configuration parameters: Rogue configuration parameters
  – Address initialization: Denial of address insertion
  – Address resolution: Address stealing
  – Default gateway discovery: Rogue routers
  – Neighbor reachability tracking: Rogue neighbor status
• Header extensions
  – Hosts process routing headers (RH)
  – Header extensions can be exploited (example: routing header for source routing and reconnaissance)
  – Amplification attacks based on routing header


Examples of Possible IPv6 Attacks: Traffic Loop from Exploiting Routing Header

• The attacker manipulates the routing header to create a traffic loop
• DoS attacks can be performed using this feedback loop to consume resources or amplify the packets that are sent to a victim
• RH0 packets could be created with a list of embedded IPv6 addresses
• The packet would be forwarded to every system in the list before finally being sent to the destination address
• If the embedded IPv6 addresses in an RH0 packet were two systems on the Internet listed numerous times, it could cause a type of feedback loop.


Network Scan from Exploiting NDP

• The attacker abuses NDP by using a router to amplify a network scan
• The router sends Neighbor Solicitation (NS) messages to all the hosts in the LAN segment, using the all-nodes multicast address


Combo Attack on IPv6


Recommended Practices

• Ingress filtering is key:
  – Deny Bogon addresses.
  – Filter multicast packets at your perimeter based on their scope.
  – Permit only packets that have as a destination address your allocated block of addresses or multicast group address or your link-local address for NDP.
  – Granularly filter ICMPv6 messages at the perimeter (remember, ICMPv6 is needed for protocol operations such as NDP).
  – Drop RH0 packets and unknown extension headers at the perimeter and throughout the interior of the network.
• Favor dual stack as the transition mechanism, but secure each protocol equally.
• Control the use of tunneling:
  – Configure manual tunnels if possible.
  – Do not allow tunnels through the perimeter unless required.
• Consider current and future security enhancements:
  – Secure Neighbor Discovery (SeND) from RFC 3971 provides a cryptographic method for Neighbor Discovery.
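The Python below is an added example, not from the slides, that turns the ingress rules above (bogon denial, multicast scope filtering, destination restricted to the allocated block, link-local for NDP, dropping RH0 and unknown extension headers) into a checkable perimeter policy; it also relies on the address-type patterns listed earlier (2000::/3 global, FE80::/10 link-local). The site's allocation 2001:db8:c18::/48, the Packet model and all sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed values for this example (assumptions, not taken from the slides).
ALLOCATED = ipaddress.ip_network("2001:db8:c18::/48")   # the site's own global unicast block
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")        # the only IANA-assigned unicast range
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
KNOWN_EXT_HEADERS = {0, 43, 44, 50, 51, 60}  # hop-by-hop, routing, fragment, ESP, AH, dst-opts


@dataclass
class Packet:
    src: str
    dst: str
    ext_headers: List[int] = field(default_factory=list)  # next-header values in the chain
    routing_type: Optional[int] = None                     # RH type if a routing header is present


def multicast_scope(addr) -> int:
    """Scope nibble of an IPv6 multicast address ff0S::/16 (2 = link, 5 = site, e = global)."""
    return (int(ipaddress.IPv6Address(addr)) >> 112) & 0xF


def perimeter_verdict(pkt: Packet) -> str:
    """Apply the ingress rules in order and return the first verdict that matches."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Drop RH0 packets and unknown extension headers (the amplification/loop vector).
    if pkt.routing_type == 0:
        return "drop: RH0"
    for h in pkt.ext_headers:
        if h not in KNOWN_EXT_HEADERS:
            return f"drop: unknown extension header {h}"
    # Deny bogons: a source outside 2000::/3 (link-local, ULA, multicast, ::) is never valid
    # from the Internet, and our own block arriving from outside is a spoofed source.
    if src not in GLOBAL_UNICAST or src in ALLOCATED:
        return "drop: bogon or spoofed source"
    # Permit only destinations we own, multicast of acceptable scope, or link-local for NDP.
    if dst.is_multicast:
        scope = multicast_scope(dst)
        if scope < 0xE:
            return f"drop: multicast scope {scope:x} must not cross the perimeter"
        return "permit: global-scope multicast"
    if dst in LINK_LOCAL:
        return "permit: link-local (NDP)"
    if dst in ALLOCATED:
        return "permit: allocated block"
    return "drop: destination not in our allocation"
```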


• For additional information, refer to these resources:
  – Cisco Systems, Inc. Cisco IOS IPv6 Configuration Guide, Release 12.4, Implementing IPv6 Addressing and Basic Connectivity, http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con.html
  – Cisco Systems, Inc. IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation (v1.0), http://www.cisco.com/web/about/security/security_services/ciag/documents/v6-v4-threats.pdf
  – RFC 2464, "Transmission of IPv6 Packets over Ethernet Networks," http://

Posted: 08/08/2021, 20:36
