IPv6 security aspects Bert Hubert
IPv6 is more of the same, but there are still things to think about
http://tinyurl.com/ipv6security
Or over IPv6:
http://xs.powerdns.com/ipv6-security
Agenda
Who am I?
IPv6: where does it come from?
IPv6: more of the same, or, twice the work
Things to watch out for:
I have IPv6?? (three ways)
End-to-End by default
Equal protection
Privacy issues
Lawful intercept: when the government calls
DNS64
Who am I?
Founder of PowerDNS: powers 40% of European domain names
Principal Consultant: "Experts in IT Security – for a more secure society"
PowerDNS
DNS converts "www.ipv6day.nl" into 145.100.96.6 (or 2001:610:158:960::6!)
PowerDNS is the DNS server of around 30%-50% of all European domains, in use by the largest DNS operators in the world
You 'use' it every day
First DNS server able to run from a database
First DNS server with "easy DNSSEC"
.. every year we find some remaining non-IPv6-safe things, but 3.0 is complete, I hope..
12% of downloads of 3.0 over IPv6!
Fox-IT
Supplies governments, financial institutions and others with IT security training, solutions and services. Around 100 "nerds, geeks and hackers"
High-end cryptography & security devices
Audits, forensic investigation
Fighting cybercrime
Replay: innovative communication analysis tools (full IPv6!)
We don't have IPv6 yet externally!
.. very secure
IPv6, where does it come from?
IPv6 can be delivered natively or via a tunnel
The tunnel in that case runs over IPv4; manual & automatic
Natively can be on a normal (ether)network
Natively can also mean that it arrives serially (to your DSL device or cable modem)
To get an IPv4 address, you usually use DHCP
IPv6 has that too, but also automatic address assignment ('you pick an address, and it will be ok')
Our goal in life
If we care about security, we want to know what traffic is going where
Block unwanted traffic
Keep an eye out for intrusions
This goes for email, but also for IP traffic
IPv6 is no different
[Diagram slides: the Internet reaches the hosts through access rules and an IDS/IPS/spam appliance. IPv4 traffic is checked and passes ("OK!"); IPv6 traffic arriving alongside it bypasses the same access rules and appliance unchecked.]
IPv6: more of the same
4 → 6: 50% more!
32 bits → 128 bits: 300% more!
Address count, 2^32 → 2^128: 7922816251426433759354395033500% more
One server suddenly has three addresses: 200% more!
This sounds trivial, but suddenly the 'rule count' of your firewall, IDS, IPS etc doubles
Previously each server had one 'window on the world', now two
Both need to be filtered and monitored
Can happen without conscious action!
Wait, what, I have IPv6?
You do! Say hi to fe80::92fb:a6ff:fe4a:51da%eth0!
Link-local: pretty neat invention, every ethernet device already has a local address!
Not routed, but works on the local ethernet segment
Used "internally" by IPv6 too
Everything that listens on the 'ANY' address listens on this address too!
Not funny, although the impact is only 'local'
Wait, what, I have IPv6?
Many computers will automatically acquire an IPv6 address if a Router Advertiser is present on a segment
Anyone can start one! Not only your friends
Same goes for 'DHCPv6', but this is similar to 'rogue DHCP servers' for IPv4.
Wonderful way to get your servers to expose themselves over IPv6
Possibly route the traffic to the world too
→ monitor for rogue routers, configure OS to not do this if you don't want it
Wait, what, I have IPv6?
In a laudable effort to spread the use of IPv6, most versions of Microsoft Windows support "Teredo"
Turned on with a simple command, Windows will open up an IPv4 UDP "connection" to teredo.ipv6.microsoft.com and give you an IPv6 address
Unless you block UDP port 3544, this "just works" (straight through NAT too!)
→ block UDP/3544 if you want to stop this
Firewalls, access rules
Since the world is going to be dual stack for quite a while, most filtering will have to happen twice
This offers a lot of opportunity for forgetting to update the IPv6 filters
In a few years' time, this will be the other way around!
A quite real risk is that existing equipment does not (properly) support IPv6 and that two separate firewall technologies will have to be kept in sync...
→ try to automate this or get 'logical' ACLs
Intrusion detection systems
These monitor IP traffic to spot odd things
Problem is.. will they monitor IPv6 tunneled in IPv4 too? (no)
You might already have these tunnels
Some exciting IPv6-only content already!
And even if they do, will the same signatures apply?
http://127.0.0.1/ traffic on an IPv4 link is odd, but is there a rule for http://[::1]/ too?
Might force an upgrad€ on you
→ check release notes & configuration
IPv6: the good stuff
Way more addresses! Solves the fact that we ran out
In fact, SO many more IP addresses that it becomes feasible to have world-routable addresses for office & home use
Currently, everybody uses private-space IPv4 addresses
This is a game changer
And potentially very scary!
[Diagram: Current communication model. Elements: two desktops (both 10.0.0.23), two NAT routers, a Mail/Chat server, the IPv4 Internet. No way to get from A to A!]
[Diagram: Current "cloud" communication model. Elements: the same two desktops (10.0.0.23), NAT routers, the IPv4 Internet.]
[Diagram: Routable communication model. Desktop 2001:1::2 and desktop 2001:2::2 reach each other directly over the IPv6 Internet. BRING ON THE INNOVATION!!!]
[Diagram: Routable communication model, the flip side. The same desktops, directly reachable over the IPv6 Internet. :-(]
Default secure to default insecure
With IPv4 we needed the NAT router in order to make it work
Offered some "free security" because the outside world can't connect to 10.0.0.23
And without that router, it would not work → 'secure' by default
With IPv6, things work just fine without NAT!
Plug it in and it works!
Unfiltered, bidirectional
Makes cool things possible
Makes other things possible too..
From now on you MUST have a firewall/ACL!
Quality issues
This should solve itself over time
From a programming perspective, IPv6 is a lot like IPv4, but not quite
There are opportunities for messing it up
For example, software with built-in ACL settings that neglects to filter IPv6 traffic …
Another example: there are Cisco products with hardware-based IPv6 filtering, but they can't filter packets with "too many headers", and forward them!
→ be sure to read release notes!
Privacy issues
IPv6 addresses are often auto-assigned
Router Advertiser says: "this is the IPv6 prefix for this segment, you pick an address"
How does a local client invent its IPv6 address? Derive it from the MAC address!
Scenario: you work on a confidential project at customer X, you get IPv6 address 2001:67c:e4:2001:200:c5ff:fe5f:2c12
Now you go home and get 2001:31d:f3:2002:200:c5ff:fe5f:2c12
Popular websites can now predict that you work at customer X & connect it to your home browsing!
→ turn on RFC 4941 support
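To see what a MAC-derived address gives away, here is an added Python example (not code from the slides) that builds the modified EUI-64 address a host picks from its MAC and recovers the MAC again from the two addresses on this slide and from the fe80:: link-local address shown earlier. The 2001:db8:: addresses are constructed to stand in for RFC 4941 temporary addresses, which yield nothing.

```python
import ipaddress


def eui64_address(prefix, mac):
    """Build the SLAAC address a host derives from its MAC inside a /64 prefix."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Modified EUI-64: flip the universal/local bit of the first octet
    # and insert ff:fe between the OUI and the device part.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def mac_from_address(addr):
    """Recover the MAC if the interface identifier looks EUI-64 derived, else None.

    The ff:fe marker in the middle is the usual tell; a temporary (RFC 4941)
    identifier is random and almost never carries it.  A '%eth0' scope id,
    as on the link-local slide, is stripped first.
    """
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def same_interface(addr_a, addr_b):
    """The tracking the slide warns about: two addresses under different
    prefixes that share one EUI-64 identifier come from the same NIC."""
    mac = mac_from_address(addr_a)
    return mac is not None and mac == mac_from_address(addr_b)


if __name__ == "__main__":
    work = "2001:67c:e4:2001:200:c5ff:fe5f:2c12"   # address from the slide
    home = "2001:31d:f3:2002:200:c5ff:fe5f:2c12"   # address from the slide
    print("MAC behind both addresses:", mac_from_address(work))
    print("same NIC at work and at home:", same_interface(work, home))
    print("link-local MAC:", mac_from_address("fe80::92fb:a6ff:fe4a:51da%eth0"))
```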
Legal issues
Telecommunication industry must cooperate with police & government in most countries, including NL
Lawful intercept: give government a copy of all packets of a suspect, or a copy of all email sent/received through ISP mailservers
Data retention: who had what IP address & when
IPv4 is the name of the game right now
Legal issues
Dutch interception regulation defines the internet as (translated from the Dutch): "system of public networks that use RFC 791 and RFC 792 (IPv4), RFC 1884 and RFC 1885 (IPv6), or another Internet Protocol (IP) as established by the Internet Engineering Task Force (IETF), with IP addresses officially assigned by the Internet Corporation for Assigned Names and Numbers (ICANN)"
So they thought about it (thanks)
One day a police officer will show up with a request for all IPv6 packets too
→ talk to Pine ;-)
DNS64/NAT64
If you want to run single stack for client computers, they only get an IPv6 address
All applications need to be v6 aware, but they still have no way to talk to IPv4 hosts
"How would they?"
DNS64: turn a question for an AAAA, when there is no AAAA, into a question for IPv4
Return a 'magic' IPv6 address that actually connects to an IPv4 address → DNS64
NAT64 is the technique to translate
PowerDNS has this, will go into production soon
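The DNS64 decision and the 'magic' address, as an added Python example (not PowerDNS code). It assumes the RFC 6052 well-known NAT64 prefix 64:ff9b::/96, which the slide does not name, and uses a small constructed record table in place of a real upstream lookup; the v4only.example name is constructed.

```python
import ipaddress

# Assumption: the well-known NAT64 prefix from RFC 6052; the slide names no prefix.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed records standing in for what the resolver would fetch upstream.
RECORDS = {
    "www.ipv6day.nl": {"A": ["145.100.96.6"], "AAAA": ["2001:610:158:960::6"]},
    "v4only.example": {"A": ["192.0.2.10"], "AAAA": []},
}


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of the /96 NAT64 prefix."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6, prefix=NAT64_PREFIX):
    """The reverse mapping a NAT64 gateway performs; None if not synthesized.

    Note for the ACL discussion above: an IPv6-only firewall sees these
    flows as traffic to 64:ff9b::/96, so IPv4 destination rules must be
    mirrored onto the synthesized range or enforced on the NAT64 box.
    """
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def resolve_aaaa(name, records=RECORDS):
    """DNS64 logic: return real AAAA records if any exist, otherwise
    re-ask for A records and synthesize one AAAA per IPv4 address."""
    rrs = records.get(name, {})
    if rrs.get("AAAA"):
        return list(rrs["AAAA"])
    return [synthesize(a) for a in rrs.get("A", [])]


if __name__ == "__main__":
    for name in RECORDS:
        print(name, "->", resolve_aaaa(name))
    print("gateway maps 64:ff9b::c000:20a to", extract_ipv4("64:ff9b::c000:20a"))
```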
Summarising
IPv6 is more of the same, but not quite
Make sure you have equal protection for IPv4 traffic and IPv6 traffic
Keep this synchronised while going dual stack: IDS/IPS
Keep a careful eye on 'unwanted IPv6'
Be aware that IPv6 offers 'connectivity by default' instead of 'outgoing connectivity only'
Realise that IPv6 software is 'younger' and read release notes carefully
Think of the legal issues if you are an ISP