Transcript of: IPv6 security aspects, Bert Hubert

Page 1: IPv6 security aspects

Bert Hubert

IPv6 is more of the same, but there are still things to think about

http://tinyurl.com/ipv6security

Or over IPv6: http://xs.powerdns.com/ipv6-security

Page 2: Agenda

Who am I?

IPv6: where does it come from?

IPv6: more of the same, or, twice the work

Things to watch out for:

I have IPv6?? (three ways)

End-to-end by default

Equal protection

Privacy issues

Lawful intercept: when the government calls

DNS64

Page 3: Who am I?

Founder of PowerDNS: powers 40% of European domain names

Principal Consultant: "Experts in IT Security – for a more secure society"

Page 4: PowerDNS

DNS converts "www.ipv6day.nl" into 145.100.96.6 (or 2001:610:158:960::6!)

PowerDNS is the DNS server of around 30%-50% of all European domains, in use by the largest DNS operators in the world

You 'use' it every day

First DNS server able to run from a database

First DNS server with "easy DNSSEC"

.. every year we find some remaining non-IPv6-safe things, but 3.0 is complete, I hope..

12% of downloads of 3.0 over IPv6!

Page 5: Fox-IT

Supplies governments, financial institutions and others with IT security training, solutions and services.

Around 100 "nerds, geeks and hackers"

High-end cryptography & security devices

Audits, forensic investigation

Fighting cybercrime

Replay: innovative communication analysis tools (full IPv6!)

We don't have IPv6 yet externally!

.. very secure

Page 6: IPv6, where does it come from?

IPv6 can be delivered natively or via a tunnel

The tunnel in that case runs over IPv4; manual & automatic tunnels both exist

Natively can be on a normal (ether)network

Natively can also mean that it arrives serially (to your DSL device or cable modem)

To get an IPv4 address, you usually use DHCP

IPv6 has that too, but also automatic address assignment ('you pick an address, and it will be ok')

Page 7: Our goal in life

If we care about security, we want to know about what traffic is going where

Block unwanted traffic

Keep an eye out for intrusions

This goes for email, but also for IP traffic

IPv6 is no different

Page 8: (diagram) Internet → Access rules → IDS/IPS/Spam appliance → OK!

Page 9: (diagram) IPv4 → Access rules → IDS/IPS/Spam appliance → OK!

Page 10: (diagram) IPv4 → Access rules → IDS/IPS/Spam appliance, while IPv6 arrives beside them, unfiltered and uninspected (drawn as garbage: @$#$#$#% $#$$%)

Page 11: (diagram) IPv4 and IPv6 → Access rules → IDS/IPS/Spam appliance → OK!

Page 12: IPv6: more of the same

4 → 6: 50% more!

32 bits → 128 bits: 300% more!

(2^32 → 2^128 addresses) 7922816251426433759354395033500% more

One server suddenly has three addresses: 200% more!

This sounds trivial, but suddenly the 'rule count' of your firewall, IDS, IPS etc. doubles

Previously each server had one 'window on the world', now two

Both need to be filtered and monitored

Can happen without conscious action!

Page 13: Wait, what, I have IPv6?

You do! Say hi to fe80::92fb:a6ff:fe4a:51da%eth0!

Link-local: pretty neat invention: every ethernet device already has a local address!

Not routed, but works on the local ethernet segment

Used "internally" by IPv6 too

Everything that listens on the 'ANY' address listens on this address too!

Not funny, although the impact is only 'local'
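The "listens on ANY, so listens on link-local too" point is easy to verify on a Linux host by reading /proc/net/tcp6, which lists every IPv6 socket and its bound address. The script below is an added example (not from the slides, PowerDNS or Fox-IT): it parses that file's format, decodes the kernel's little-endian hex address encoding (an assumption that holds on x86), and reports which listening ports are bound to the wildcard address and therefore also answer on fe80:: addresses. The sample lines are constructed and embedded so it runs offline.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp6 format (header plus three LISTEN sockets).
# On x86 Linux each 32-bit word of an address is printed in little-endian byte order,
# so "000080FE" is the word 0xfe800000, i.e. the start of fe80::.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0CEA 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 000080FE00000000FFA6FB92DA514AFE:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = "0A"  # socket state code used in /proc/net/tcp*


def decode_proc_addr(hex_addr):
    """Turn the 32-hex-digit /proc/net/tcp6 address into an IPv6Address (little-endian host assumed)."""
    words = [struct.unpack("<I", bytes.fromhex(hex_addr[i:i + 8]))[0] for i in range(0, 32, 8)]
    return ipaddress.IPv6Address(struct.pack(">4I", *words))


def listening_sockets(proc_text):
    """Return (address, port) for every socket in LISTEN state."""
    result = []
    for line in proc_text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        result.append((decode_proc_addr(hex_addr), int(hex_port, 16)))
    return result


def scope_of(addr):
    """Classify where a bound address is reachable from."""
    if addr == ipaddress.IPv6Address("::"):
        return "wildcard"       # every address, the link-local fe80:: one included
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    return "global"


def exposure_report(proc_text):
    """Map each listening port to its reachability scope; wildcard binds are the ones
    the slide warns about, since they answer on the link-local address as well."""
    return {port: scope_of(addr) for addr, port in listening_sockets(proc_text)}


def wildcard_ports(proc_text):
    return sorted(port for port, scope in exposure_report(proc_text).items() if scope == "wildcard")


if __name__ == "__main__":
    # On a real host: exposure_report(open("/proc/net/tcp6").read())
    for port, scope in sorted(exposure_report(SAMPLE_TCP6).items()):
        print(f"tcp6 port {port:5d}: {scope}")
```

On the sample, port 22 is bound to :: and is the one reachable over link-local from any neighbour on the segment; 3306 is loopback-only and 8080 is deliberately link-local. The same check on a real server is `exposure_report(open("/proc/net/tcp6").read())`; a socket bound to :: without IPV6_V6ONLY also accepts IPv4 connections, so "wildcard" here means both families.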

Page 14: Wait, what, I have IPv6?

Many computers will automatically acquire an IPv6 address if a Router Advertiser is present on a segment

Anyone can start one! Not only your friends

Same goes for 'DHCPv6', but this is similar to 'rogue DHCP servers' for IPv4.

Wonderful way to get your servers to expose themselves over IPv6

Possibly route the traffic to the world too

→ monitor for rogue routers, configure the OS to not do this if you don't want it
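"Monitor for rogue routers" means looking at the Router Advertisements on each segment and comparing them with the routers you expect. The code below is an added example, not part of the talk or of any PowerDNS/Fox-IT tool: it parses the ICMPv6 Router Advertisement layout from RFC 4861 (fixed header, then 8-octet-multiple TLV options, of which it decodes the source link-layer address and prefix information options) and checks the advertisement against a trust map of link-local router address to permitted prefixes. The RA bytes, the frame's source address and the trust map are constructed; the checksum is not verified since the IPv6 pseudo-header is not part of the sample.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3

# Constructed ICMPv6 payload of a Router Advertisement (no IPv6 header):
#   type 134, code 0, checksum 0 (not verified here), hop limit 64, flags 0,
#   router lifetime 1800 s, reachable/retrans 0,
#   option 1: source link-layer address 90:fb:a6:4a:51:da,
#   option 3: prefix 2001:db8:1::/64, flags L+A, valid 2592000 s, preferred 604800 s.
SAMPLE_RA = bytes.fromhex(
    "86000000" "40000708" "00000000" "00000000"
    "0101" "90fba64a51da"
    "0304" "40c0" "00278d00" "00093a80" "00000000"
    "20010db8000100000000000000000000"
)
SAMPLE_SRC = "fe80::92fb:a6ff:fe4a:51da"   # IPv6 source of the frame, taken from the IPv6 header

# Constructed inventory: the one router that should be advertising on this segment.
TRUSTED = {"fe80::1": {"2001:db8:1::/64"}}


def parse_ra(payload):
    """Decode the fixed RA header and the options a rogue-RA check cares about (RFC 4861 4.2, 4.6)."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT or payload[1] != 0:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime, _reachable, _retrans = struct.unpack("!BBHII", payload[4:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "src_mac": None, "prefixes": []}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")        # RFC 4861: discard the packet
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        body = payload[off + 2:end]
        if otype == OPT_SOURCE_LINK_LAYER and len(body) >= 6:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFORMATION and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((body[14:30], plen), strict=False),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        # unknown options are skipped, as RFC 4861 requires
        off = end
    return ra


def check_ra(src_addr, ra, trusted_routers):
    """trusted_routers: {link-local address (str): prefixes (str) it may advertise}.
    Returns a list of findings; an empty list means the RA matches the inventory."""
    src = ipaddress.IPv6Address(src_addr)
    trusted = {ipaddress.IPv6Address(k): {ipaddress.IPv6Network(p) for p in v}
               for k, v in trusted_routers.items()}
    findings = []
    if not src.is_link_local:
        findings.append(f"RA from non-link-local source {src}")
    allowed = trusted.get(src)
    if allowed is None:
        findings.append(f"RA from unknown router {src} (mac {ra['src_mac']}, "
                        f"router lifetime {ra['router_lifetime']}s)")
        return findings
    for p in ra["prefixes"]:
        if p["autonomous"] and p["prefix"] not in allowed:
            findings.append(f"router {src} advertises unexpected SLAAC prefix {p['prefix']}")
    return findings


if __name__ == "__main__":
    for finding in check_ra(SAMPLE_SRC, parse_ra(SAMPLE_RA), TRUSTED):
        print("ALERT:", finding)
```

Feeding it live traffic means capturing ICMPv6 type 134 on the segment (any packet capture library will hand you the payload and the IPv6 source); the check flags an unknown sender outright and, for a known router, any autonomous-flag prefix it is not supposed to hand out. The OS-side mitigation the slide mentions is disabling RA acceptance on hosts that must not autoconfigure.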

Page 15: Wait, what, I have IPv6?

In a laudable effort to spread the use of IPv6, most versions of Microsoft Windows support "Teredo"

Turned on with a simple command, Windows will open up an IPv4 UDP "connection" to teredo.ipv6.microsoft.com and give you an IPv6 address

Unless you block UDP port 3544, this "just works" (straight through NAT too!)

Turned on with a single command → block UDP/3544 if you want to stop this

Page 16: Firewalls, access rules

Since the world is going to be dual stack for quite a while, most filtering will have to happen twice

This offers a lot of opportunity for forgetting to update the IPv6 filters

In a few years' time, this will be the other way around!

A quite real risk is that existing equipment does not (properly) support IPv6 and that two separate firewall technologies will have to be kept in sync...

→ try to automate this or get 'logical' ACLs
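Both halves of that last recommendation can be shown in a few lines. The added example below (mine, not from the talk) keeps an ACL in terms of host names, renders it into a single nftables `inet` table that covers IPv4 and IPv6 from one source, and, for the case where two hand-maintained address-based rule lists already exist, translates them back to host names and reports flows that exist in one family but were forgotten in the other. Host inventory, logical ACL and the two rule lists are constructed; the rendered nftables syntax is real, but the table name and chain layout are this example's choice.

```python
import ipaddress

# Constructed inventory: each host's address per family (None = not dual-stacked yet).
HOSTS = {
    "www": {"v4": "192.0.2.10", "v6": "2001:db8:1::10"},
    "db":  {"v4": "192.0.2.20", "v6": "2001:db8:1::20"},
    "mon": {"v4": "198.51.100.5", "v6": None},
}

# The 'logical' ACL: flows named by host, never by address.
LOGICAL_ACL = [
    ("any", "www", "tcp", 443, "accept"),
    ("www", "db", "tcp", 5432, "accept"),
    ("mon", "www", "tcp", 22, "accept"),
]

# Two hand-maintained, address-based rule lists as they might exist today.
# The db rule was added to the IPv4 list and forgotten for IPv6.
V4_RULES = [
    ("any", "192.0.2.10", "tcp", 443, "accept"),
    ("192.0.2.10", "192.0.2.20", "tcp", 5432, "accept"),
    ("198.51.100.5", "192.0.2.10", "tcp", 22, "accept"),
]
V6_RULES = [
    ("any", "2001:db8:1::10", "tcp", 443, "accept"),
]


def render_nft(acl, hosts):
    """Render the logical ACL as one nftables 'inet' table, so both families come
    from the same source and cannot drift apart. Default policy is drop."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    ip6 nexthdr icmpv6 accept    # neighbour discovery must keep working",
        "    ip protocol icmp accept",
    ]
    for src, dst, proto, port, action in acl:
        for family, key in (("ip", "v4"), ("ip6", "v6")):
            dst_addr = hosts[dst][key]
            src_addr = None if src == "any" else hosts[src][key]
            if dst_addr is None or (src != "any" and src_addr is None):
                continue  # one side has no address in this family
            match = f"{family} daddr {dst_addr}"
            if src_addr:
                match = f"{family} saddr {src_addr} {match}"
            lines.append(f"    {match} {proto} dport {port} {action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


def parity_gaps(v4_rules, v6_rules, hosts):
    """Audit two separately maintained rule lists: translate addresses back to host
    names and report flows present in one family but missing in the other, for hosts
    that actually have an address in the missing family."""
    name_of = {}
    for name, addrs in hosts.items():
        for key in ("v4", "v6"):
            if addrs[key]:
                name_of[ipaddress.ip_address(addrs[key])] = name

    def to_logical(rules):
        flows = set()
        for src, dst, proto, port, action in rules:
            s = "any" if src == "any" else name_of.get(ipaddress.ip_address(src), src)
            d = name_of.get(ipaddress.ip_address(dst), dst)
            flows.add((s, d, proto, port, action))
        return flows

    def has(name, key):
        return name == "any" or bool(hosts.get(name, {}).get(key))

    l4, l6 = to_logical(v4_rules), to_logical(v6_rules)
    gaps = []
    for flow in sorted(l4 - l6):
        if has(flow[0], "v6") and has(flow[1], "v6"):
            gaps.append(("missing in v6", flow))
    for flow in sorted(l6 - l4):
        if has(flow[0], "v4") and has(flow[1], "v4"):
            gaps.append(("missing in v4", flow))
    return gaps


if __name__ == "__main__":
    for problem, flow in parity_gaps(V4_RULES, V6_RULES, HOSTS):
        print(problem, flow)
    print(render_nft(LOGICAL_ACL, HOSTS))
```

The audit reports exactly the forgotten www→db rule and stays quiet about the monitoring host, which has no IPv6 address yet; once it gets one, the same run will flag its rule too. The rendered table also shows the one IPv6-specific thing a dual-stack default-drop policy must not forget: ICMPv6, without which neighbour discovery and router advertisements stop working.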

Page 17: Intrusion detection systems

These monitor IP traffic to spot odd things

Problem is.. will they monitor IPv6 tunneled in IPv4 too? (no)

You might already have these tunnels

Some exciting IPv6-only content already!

And even if they do, will the same signatures apply?

http://127.0.0.1/ traffic on an IPv4 link is odd, but is there a rule for http://[::1]/ too?

Might force an upgrad€ on you → check release notes & configuration
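The 127.0.0.1 versus [::1] question is a good test case for any signature that matches on addresses. As an added example (not from the slides), the code below runs two versions of a "request to loopback" rule over constructed proxy log lines: the IPv4-only one the slide alludes to, and a family-agnostic one that parses the URL host and lets the address library decide, which also catches the uncompressed form 0:0:0:0:0:0:0:1 and the IPv4-mapped ::ffff:127.0.0.1. The log format and the contents are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2011-06-08T10:00:01 10.0.0.23 GET http://127.0.0.1/admin 200",
    "2011-06-08T10:00:02 10.0.0.23 GET http://www.ipv6day.nl/ 200",
    "2011-06-08T10:00:03 2001:db8:1::2 GET http://[::1]/admin 200",
    "2011-06-08T10:00:04 2001:db8:1::2 GET http://[0:0:0:0:0:0:0:1]:8080/ 200",
    "2011-06-08T10:00:05 2001:db8:1::2 GET http://[::ffff:127.0.0.1]/ 200",
    "2011-06-08T10:00:06 2001:db8:1::2 GET http://[2001:610:158:960::6]/ 200",
    "2011-06-08T10:00:07 2001:db8:1::2 GET http://localhost:9200/_cat 200",
]


def legacy_signature(url):
    """The IPv4-only rule the slide alludes to: host literally equals 127.0.0.1."""
    return urlsplit(url).hostname == "127.0.0.1"


def loopback_signature(url):
    """Family-agnostic rule: parse the host as an address and ask the stack what it is."""
    host = urlsplit(url).hostname          # brackets stripped, case folded
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                       # an ordinary host name
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                # ::ffff:127.0.0.1 reaches the IPv4 loopback
    return ip.is_loopback


def scan(lines, signature):
    """Return indexes of log lines whose URL matches the signature."""
    hits = []
    for i, line in enumerate(lines):
        url = line.split()[3]
        if signature(url):
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("legacy rule hits:  ", scan(SAMPLE_LOG, legacy_signature))
    print("loopback rule hits:", scan(SAMPLE_LOG, loopback_signature))
```

On the sample the legacy rule fires once; the family-agnostic rule fires on five lines, and the difference is exactly the class of IPv6 traffic an IPv4-era signature set never sees. The same normalisation (parse, then classify with the address library rather than string-match) applies to rules about private ranges, link-local and multicast.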

Page 18: IPv6: the good stuff

Way more addresses! Solves the fact that we ran out

In fact, SO many more IP addresses that it becomes feasible to have world-routable addresses for office & home use

Currently, everybody uses private-space IPv4 addresses

This is a game changer

And potentially very scary!

Page 19: Current communication model (diagram)

Desktop 10.0.0.23 → NAT Router → IPv4 Internet → NAT Router → Desktop 10.0.0.23, with Mail/Chat servers on the Internet side; both desktops marked "?"

Page 20: No way to get from A to A! (diagram)

10.0.0.23 ↔ 10.0.0.23

Page 21: Current "cloud" communication model (diagram)

Desktop 10.0.0.23 → NAT Router → IPv4 Internet → NAT Router → Desktop 10.0.0.23; both desktops marked "?"

Page 22: Routable communication model (diagram)

Desktop 2001:1:2 ↔ IPv6 Internet ↔ Desktop 2001:2::2

BRING ON THE INNOVATION!!!

Page 23: Routable communication model (diagram)

Desktop 2001:1:2 ↔ IPv6 Internet ↔ Desktop 2001:1::2

:-(

Page 24: Default secure to default insecure

With IPv4 we needed the NAT router in order to make it work

Offered some "free security" because the outside world can't connect to 10.0.0.23

And without that router, it would not work → 'secure' by default

With IPv6, things work just fine without NAT!

Plug it in and it works!

Unfiltered, bidirectional

Makes cool things possible

Makes other things possible too..

From now on you MUST have a firewall/ACL!

Page 25: Quality issues

This should solve itself over time

From a programming perspective, IPv6 is a lot like IPv4, but not quite

There are opportunities for messing it up

For example, software with built-in ACL settings that neglects to filter IPv6 traffic ...

Another example: there are Cisco products with hardware-based IPv6 filtering, but they can't filter packets with "too many headers", and forward them!

→ be sure to read release notes!

Page 26: Privacy issues

IPv6 addresses are often auto-assigned

Router Advertiser says: "this is the IPv6 prefix for this segment, you pick an address"

How does a local client invent its IPv6 address? Derive it from the MAC address!

Scenario: you work on a confidential project at customer X, you get IPv6 address 2001:67c:e4:2001:200:c5ff:fe5f:2c12

Now you go home and get 2001:31d:f3:2002:200:c5ff:fe5f:2c12

Popular websites can now predict that you work at customer X & connect it to your home browsing!

→ turn on RFC 4941 support
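The two addresses on the slide share their last 64 bits because the interface identifier is the MAC in modified EUI-64 form. The added example below (not from the talk) shows the derivation the client performs, the reverse step a website can perform to recover the MAC, and the "same device" correlation the slide describes; it also shows that a constructed RFC 4941 temporary address gives nothing to correlate. The two slide addresses are used as-is; the temporary address and the /64 passed to `slaac_address` are constructed.

```python
import ipaddress

# Addresses from the slide: the same laptop seen at customer X and at home.
AT_CUSTOMER = "2001:67c:e4:2001:200:c5ff:fe5f:2c12"
AT_HOME = "2001:31d:f3:2002:200:c5ff:fe5f:2c12"


def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291 appendix A): flip the universal/local bit of the
    first octet and insert ff:fe in the middle of the 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix, mac):
    """What a client builds from the advertised /64 and its own MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))


def embedded_mac(addr):
    """Recover the MAC if the interface id has the EUI-64 shape (ff:fe in octets 3-4);
    returns None otherwise. A random RFC 4941 temporary address matches this pattern
    only by a 1-in-65536 accident, so None is the expected answer for those."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in raw)


def same_device(addr_a, addr_b):
    """The correlation the slide warns about: equal interface ids on different
    prefixes identify one NIC wherever it shows up."""
    a, b = embedded_mac(addr_a), embedded_mac(addr_b)
    return a is not None and a == b


if __name__ == "__main__":
    print("MAC leaked at customer:", embedded_mac(AT_CUSTOMER))
    print("MAC leaked at home:    ", embedded_mac(AT_HOME))
    print("same device:", same_device(AT_CUSTOMER, AT_HOME))
    # constructed RFC 4941 temporary address on the customer prefix: nothing to correlate
    print("temporary address leaks:", embedded_mac("2001:67c:e4:2001:3a1f:9c02:77b4:e5d1"))
```

Both slide addresses decode to the same MAC, 00:00:c5:5f:2c:12, which is the whole tracking problem in one line. On Linux the RFC 4941 switch is the `net.ipv6.conf.all.use_tempaddr` sysctl (2 = generate temporary addresses and prefer them for outgoing connections); with that on, the interface identifier is random and changes over time, and `embedded_mac` has nothing to find.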

Page 27: Legal issues

Telecommunication industry must cooperate with police & government in most countries, including NL

Lawful intercept: give government a copy of all packets of a suspect, or a copy of all email sent/received through ISP mailservers

Data retention: who had what IP address & when

IPv4 is the name of the game right now

Page 28: Legal issues

Dutch interception regulation defines the internet as: "system of public networks that use RFC 791 and RFC 792 (IPv4), RFC 1884 and RFC 1885 (IPv6), or another Internet Protocol (IP) as established by the Internet Engineering Task Force (IETF), with IP addresses officially assigned by the Internet Corporation for Assigned Names and Numbers (ICANN)"

(Dutch original: "systeem van openbare netwerken die RFC 791 en RFC 792 (IPv.4), RFC 1884 en RFC 1885 (IPv. 6), dan wel een ander Internet Protocol (IP), zoals vastgesteld door de Internet Engineering Task Force (IETF), gebruiken met IP-adressen die door de Internet Corporation for Assigned Names and Numbers (ICANN) officieel zijn toegewezen")

So they thought about it (thanks)

One day a police officer will show up with a request for all IPv6 packets too → talk to Pine ;-)

Page 29: DNS64/NAT64

If you want to run single stack for client computers, they only get an IPv6 address

All applications need to be v6-aware, but they still have no way to talk to IPv4 hosts

"How would they?"

DNS64: turn a question for an AAAA, when there is no AAAA, into a question for IPv4

Return a 'magic' IPv6 address that actually connects to an IPv4 address → DNS64

NAT64 is the technique that does the translation

PowerDNS has this, will go into production soon
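The 'magic' address is an IPv4 address embedded in a NAT64 prefix (RFC 6052, with 64:ff9b::/96 as the well-known prefix). The added example below is mine, not PowerDNS's DNS64 implementation: it shows the synthesis step a DNS64 resolver performs when a name has A records but no AAAA, the reverse extraction a NAT64 gateway (or an analyst reading IPv6-only logs) performs, and the resolver's decision rule that real AAAA records always win. It handles only /96 prefixes (RFC 6052 also defines shorter ones with a different layout). The record sets passed in are constructed, using the www.ipv6day.nl addresses from the PowerDNS slide.

```python
import ipaddress

# RFC 6052 well-known prefix; operators may use a network-specific /96 instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """DNS64 synthesis: embed the A record's 32 bits in the low end of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only embeds into /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(prefix.network_address.packed[:12] + v4.packed))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """The reverse: what the NAT64 gateway (or an analyst reading IPv6-only logs) does
    to find the real IPv4 peer. Returns None for addresses outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(addr.packed[12:]))


def dns64_answer(aaaa_records, a_records, prefix=WELL_KNOWN_PREFIX):
    """Resolver-side decision for one name. Returns (answers, synthesized):
    real AAAA records win; only when there are none are A records translated."""
    if aaaa_records:
        return list(aaaa_records), False
    return [synthesize_aaaa(a, prefix) for a in a_records], True


if __name__ == "__main__":
    # www.ipv6day.nl from the PowerDNS slide has both records: no synthesis needed
    print(dns64_answer(["2001:610:158:960::6"], ["145.100.96.6"]))
    # an IPv4-only name: the client gets the 'magic' address and NAT64 does the rest
    answers, synth = dns64_answer([], ["145.100.96.6"])
    print(answers, synth, "->", extract_ipv4(answers[0]))
```

Two things to keep in mind when deploying this: a synthesized AAAA carries no DNSSEC signature, so validating stub resolvers need special handling (RFC 6147 covers the options), and applications that use IPv4 literals instead of names never ask DNS and so never get the magic address, which is why IPv6-only client networks usually pair DNS64 with a host-side translator as well.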

Page 30: Summarising

IPv6 is more of the same, but not quite

Make sure you have equal protection for IPv4 traffic and IPv6 traffic

Keep this synchronised while going dual stack (IDS/IPS)

Keep a careful eye on 'unwanted IPv6'

Be aware that IPv6 offers 'connectivity by default' instead of 'outgoing connectivity only'

Realise that IPv6 software is 'younger' and read release notes carefully

Think of the legal issues if you are an ISP

Page 31: IPv6 security aspects

Bert Hubert

IPv6 is more of the same, but there are still things to think about

http://tinyurl.com/ipv6security

[email protected]

[email protected]