IPv6 Access Security
Tim Martin
CCIE #2020
Solutions Architect
4 Nov. 2015
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
•  Why IPv6, Why Now
•  IPv6 Host Assignments
•  IPv6 First Hop Security
•  SeND
•  802.1x
•  Alternatives
•  Summary
Market Factors Driving IPv6 Adoption
•  IPv4 Address Depletion (2011)
•  National IPv6 Strategies (STEM, Mandate)
•  Infrastructure Evolution (4G, DOCSIS 3.0, CGN)
•  IPv6 OS, Content & Applications (Preferred by App’s & Content)
•  RF Mesh (IEEE 802.15.4), PLC (IEEE 1901.2), LTE, Bluetooth LE, 6LoWPAN, RPL
IPv6 for the Enterprise in 2015
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/whitepaper_c11-586154.pdf
Framing the Attack Surface
•  Layer 2 typically involves Ethernet (switches) or WiFi (controllers) links
•  Security is only as strong as your weakest link
•  When it comes to networking, layer 2 can be a relatively weak link
Diagram: two OSI stacks (Application, Presentation, Session, Transport, Network, Data Link, Physical) side by side, with the attack surface at each level (Physical Links, MAC Addresses, IP Addresses, Protocols/Ports, Application Stream); one side is labelled Initial Compromise, the other Compromised.
IPv6 Host Address Assignments
IPv6 Host Portion Address Assignment
Similar to IPv4:
•  Manually configured
•  Assigned via DHCPv6
New in IPv6:
•  StateLess Address AutoConfiguration (SLAAC) with EUI-64
•  SLAAC with Privacy Extensions
Modified EUI-64 interface identifier from a 48-bit MAC address:
•  MAC address 00 90 27 17 fc 0f = OUI 00 90 27 + Device Identifier 17 fc 0f
•  Insert ff fe between the OUI and the Device Identifier: 00 90 27 ff fe 17 fc 0f
•  The U bit of the first octet (bit pattern 0000 00U0; U = 1 means Universal/unique, U = 0 means Local/not unique) must be flipped: 02 90 27 ff fe 17 fc 0f
IPv6 Privacy Extensions (RFC 4941)
•  Generated from the unique 802 address using MD5, then stored for the next iteration
•  Enabled by default in Windows, Android, iOS, Mac OS/X, Linux
•  Temporary or Ephemeral addresses for client applications (web browser)
Recommendation: Good for the mobile user, but not for your organization/corporate networks (Troubleshooting and accountability)
Address layout: 2001 (/32) : DB8 (/48) : 0000:1234 (/64), followed by a randomly generated Interface ID
Stable Interface ID Generation (RFC 7217)
•  RID = hash (Prefix, Net_Iface, DAD_Counter, secret_key)
•  Generates IIDs that are stable/constant for each network interface
•  IIDs change as hosts move from one network to another
Implementation of the RID is left to the OS vendor and MAY differ between client and server
Address layout: 2001 (/32) : DB8 (/48) : 0000:1234 (/64), followed by the Random ID
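The three interface-identifier derivations from the preceding slides (modified EUI-64, RFC 4941 temporary IIDs, RFC 7217 stable IIDs) as an added worked example; this is not code from the presentation. The slide's MAC 00:90:27:17:fc:0f is used, the RFC 4941 history value and the RFC 7217 secret key are constructed, and HMAC-SHA256 as the RFC 7217 function F is this example's assumption (the RFC leaves F to the implementer).

```python
import hashlib
import hmac
import ipaddress


def modified_eui64_iid(mac: str) -> bytes:
    """Slide 8: insert ff:fe between OUI and device id and flip the U/L bit (0x02 of octet 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # U bit: 1 = universal/unique, 0 = local/not unique
    return bytes(iid)


def mac_from_eui64_iid(iid: bytes) -> str:
    """Reverse of the above: an EUI-64 IID reveals the hardware address (the privacy concern)."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        raise ValueError("not an EUI-64 derived interface identifier")
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def rfc4941_temporary_iid(history: bytes, eui64_iid: bytes):
    """RFC 4941 section 3.2.1: MD5(history || EUI-64 IID). The left 64 bits become the
    temporary IID with the U/L bit cleared; the right 64 bits are stored as the next history value."""
    if len(history) != 8 or len(eui64_iid) != 8:
        raise ValueError("history value and IID are 64 bits each")
    digest = hashlib.md5(history + eui64_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear bit 0x02 so the IID is marked local / not unique
    return bytes(iid), digest[8:]


def rfc7217_stable_iid(prefix: str, net_iface: str, dad_counter: int, secret_key: bytes) -> bytes:
    """RID = F(Prefix, Net_Iface, DAD_Counter, secret_key) as on slide 10. F is assumed to be
    HMAC-SHA256 truncated to 64 bits; RFC 7217 does not mandate a particular PRF."""
    prefix_bytes = int(ipaddress.IPv6Network(prefix).network_address).to_bytes(16, "big")[:8]
    msg = prefix_bytes + net_iface.encode() + dad_counter.to_bytes(1, "big")  # DAD_Counter is 8 bits
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def address_from_iid(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with a 64-bit interface identifier into a full address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


if __name__ == "__main__":
    mac = "00:90:27:17:fc:0f"  # the MAC used on slide 8
    eui = modified_eui64_iid(mac)
    print("EUI-64 address:", address_from_iid("2001:db8::/64", eui))
    print("MAC recovered :", mac_from_eui64_iid(eui))
    tmp, _history = rfc4941_temporary_iid(bytes(8), eui)  # constructed all-zero history value
    print("RFC 4941 temp :", address_from_iid("2001:db8::/64", tmp))
    key = b"constructed-secret"  # constructed per-host secret_key
    for pfx in ("2001:db8::/64", "2001:db8:1::/64"):  # same host, two networks: different IIDs
        print("RFC 7217", pfx, address_from_iid(pfx, rfc7217_stable_iid(pfx, "eth0", 0, key)))
```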
DHCPv6
•  DHCPv6 Server: 2001:db8::feed:1
•  DHCPv6 Solicit: Source – fe80::1234, Destination – ff02::1:2
•  Client UDP 546, Server UDP 547
•  Original multicast encapsulated in unicast (Relay)
•  DUID – different from v4, used to identify clients
•  ipv6 dhcp relay destination 2001:db8::feed:1
Exchange (client, DHCPv6 Relay, DHCPv6 Server):
•  SOLICIT (any servers?)
•  ADVERTISE (want this address?)
•  REQUEST (I want that address)
•  REPLY (It’s yours)
Disabling Ephemeral Addressing
•  Enable DHCPv6 via the M flag
•  Disable auto configuration via the A bit in option 3
•  Set the router preference to high
•  Enable DHCPv6 relay
interface fastEthernet 0/0
 ipv6 address 2001:db8:1122:acc1::1/64
 ipv6 nd managed-config-flag
 ipv6 nd prefix default no-autoconfig
 ipv6 nd router-preference high
 ipv6 dhcp relay destination 2001:db8:add:cafe::1
IPv6 First Hop Security
IPv4 vulnerabilities & Countermeasures
•  Tools: Dsniff (Dug Song), Ettercap (SourceForge)
•  Countermeasures: Catalyst Integrated Security Features (CISF), Port Security
IPv6 Hacking Tools
•  ARP is replaced by the Neighbor Discovery Protocol
•  Nothing is authenticated
•  Static entries are overwritten by dynamic ones
•  Stateless Address Autoconfiguration
•  Rogue RA (malicious or not)
•  Attack tools are real!
   •  Parasit6
   •  Fakerouter6
   •  Alive6
   •  Scapy6
   •  …
IPv6 First Hop Security (FHS) – IPv6 Snooping
Core Features:
•  RA Guard – Protection: rogue or malicious RA; MiM attacks
•  DHCPv6 Guard – Protection: invalid DHCP offers; DoS attacks; MiM attacks
•  Source/Prefix Guard – Protection: invalid source address; invalid prefix; source address spoofing
•  Destination Guard – Protection: DoS attacks; scanning; invalid destination address
Advanced Features, Scalability & Performance:
•  RA Throttler – Reduces: control traffic necessary for proper link operations, to improve performance
•  ND Multicast Suppress – Facilitates: scale, by converting multicast traffic to unicast
Address Exhaustion – Parasite6
•  Attacker hacks any victim's DAD attempts
•  Victim will need manual intervention to configure an IP address
Exchange (hosts A and B, attacker C):
•  A sends NS: Src = UNSPEC, Dst = Solicited-node multicast of A, Data = A (Query: Does anybody use A?)
•  C answers NA: Src = any of C’s IF addresses, Dst = A, Option = link-layer address of C
Misconfiguration
•  Admin/Intern sends RAs with a false prefix
•  Enthusiast who has a tunnel broker account
•  The most frequent threat, by a non-malicious user
RA from C to hosts A and B: Src = C link-local address, Dst = All-nodes, Options = prefix BAD
Malicious Attack – Floodrouter6
•  Flooding RAs overwhelms the system: OSX, MSFT, iPad/iPhone, Android
B floods hosts A and C with RAs carrying prefixes BAD1, BAD2, BAD3, BAD4, BAD5, BAD6, …
Update: MSFT Addresses Vulnerability in IPv6 Could Allow Denial of Service (2904659), Published: February 11, 2014
Malicious Attack – Fakerouter6
•  Attacker spoofs a Router Advertisement with a false on-link prefix
•  MITM, Splash Screen, Capture
RA from B to hosts A and C: Src = B’s link-local address, Dst = All-nodes, Options = prefix BAD
Blocking rogue RAs at the access port:
•  Port ACL
interface FastEthernet0/2
 ipv6 traffic-filter ACCESS_PORT in
(where the ACCESS_PORT list contains: deny icmp any any router-advertisement)
•  Feature Based
interface FastEthernet0/2
 ipv6 nd raguard
•  Policy Based
ipv6 snooping policy HOST
 security-level guard
 limit address-count 2
 device-role node
interface GigabitEthernet1/0/2
 ipv6 snooping attach-policy HOST
Diagram: RAs arriving on ports with Device-role HOST are blocked; the RA from the port with Device-role ROUTER is accepted.
IPv6 FHS – DHCPv6 Guard
Prevent rogue DHCP responses from misleading the client
Diagram: a DHCP Client sends a DHCP Request; the legitimate DHCP Server and a rogue host claiming “I am a DHCP Server” both answer, and DHCPv6 Guard blocks the rogue reply.
IPv6 FHS – Snooping
Instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table to ensure rogue users cannot spoof or steal addresses.
•  Deep control packet inspection
•  Address glean (ND, DHCP, data)
•  Address watch
•  Binding guard
IPv6 Binding Table (RFC 6620):
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::000A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
The binding table feeds IPv6 Source Guard, IPv6 Destination Guard and Device Tracking.
IPv6 FHS – IPv6 Source Guard
Mitigates address hijacking, ensures the proper prefix
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::000A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
g1/0/21  ::0021  0021  200   Active
Diagram: Host A registers its address via NDP or DHCPv6; traffic from “~Host A” (a host claiming A’s address) is checked against the binding table.
IPv6 Destination Guard
•  Mitigate prefix-scanning attacks and protect the ND cache
•  Drops packets for destinations without a binding entry
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::0001  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
Decision: look the destination up in the binding table; found, forward the packet; not found, drop it. Example: of Ping 2001:db8::1, Ping 2001:db8::4, Ping 2001:db8::3 and Ping 2001:db8::2, only 2001:db8::1 has a binding and results in an NS for 2001:db8::1; the others are dropped.
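A simplified model of the binding-table checks behind Source/Prefix Guard and Destination Guard, added here as a worked example and not taken from the presentation or from Cisco code. The table rows are constructed from the slides' entries under an assumed on-link prefix 2001:db8::/64, and the forward/drop logic is reduced to the decisions the slides describe (port/MAC/VLAN match for sources, binding lookup for destinations).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    intf: str
    ipv6: ipaddress.IPv6Address
    mac: str
    vlan: int
    state: str  # Active / Stale / Verifying, as in the slides' binding table


def load_table(rows):
    """Build the binding table keyed by address from (intf, ipv6, mac, vlan, state) rows."""
    table = {}
    for intf, addr, mac, vlan, state in rows:
        entry = Binding(intf, ipaddress.IPv6Address(addr), mac.lower(), vlan, state)
        table[entry.ipv6] = entry
    return table


# Constructed sample: the slides' ::000A style entries expanded under an assumed
# on-link prefix of 2001:db8::/64, plus the ::1 entry from the destination guard slide.
ONLINK_PREFIX = ipaddress.IPv6Network("2001:db8::/64")
SAMPLE_TABLE = load_table([
    ("g1/0/10", "2001:db8::1", "001a", 110, "Active"),
    ("g1/0/10", "2001:db8::a", "001a", 110, "Active"),
    ("g1/0/11", "2001:db8::1c", "001c", 110, "Stale"),
    ("g1/0/16", "2001:db8::1e", "001e", 200, "Verifying"),
    ("g1/0/21", "2001:db8::21", "0021", 200, "Active"),
])


def source_guard(table, intf, mac, vlan, src):
    """Source/Prefix Guard check for a data packet arriving on a port. Returns (forward, reason).
    The packet passes only if its source lies in the on-link prefix AND the binding for that
    source names the same port, MAC and VLAN; another port using a bound address is a hijack."""
    src = ipaddress.IPv6Address(src)
    if src not in ONLINK_PREFIX:
        return False, "drop: source outside the on-link prefix"
    entry = table.get(src)
    if entry is None:
        return False, "drop: no binding for source address"
    if (entry.intf, entry.mac, entry.vlan) != (intf, mac.lower(), vlan):
        return False, f"drop: {src} is bound to {entry.intf}/{entry.mac}/vlan {entry.vlan}"
    return True, "forward"


def destination_guard(table, dst):
    """Destination Guard check. On-link destinations without a binding are dropped instead of
    triggering neighbor resolution, so a prefix scan cannot fill the ND cache with incomplete
    entries. Off-link destinations are routed as usual."""
    dst = ipaddress.IPv6Address(dst)
    if dst not in ONLINK_PREFIX:
        return True, "forward: off-link destination"
    if dst in table:
        return True, "forward: binding found, resolve and deliver"
    return False, "drop: no binding, no NS sent"


def dropped_by_scan(table, targets):
    """Replay the slide's ping sequence and return the destinations Destination Guard drops."""
    return [t for t in targets if not destination_guard(table, t)[0]]


if __name__ == "__main__":
    print(source_guard(SAMPLE_TABLE, "g1/0/10", "001A", 110, "2001:db8::a"))  # legitimate Host A
    print(source_guard(SAMPLE_TABLE, "g1/0/21", "0021", 200, "2001:db8::a"))  # "~Host A" on another port
    pings = ["2001:db8::1", "2001:db8::4", "2001:db8::3", "2001:db8::2"]
    print("dropped:", dropped_by_scan(SAMPLE_TABLE, pings))
```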
SeND
Secure Neighbor Discovery – SeND (RFC 3756)
•  Each device has an RSA key pair
•  Ultra light check for validity
Cryptographically Generated Address: the CGA Params (Modifier, Subnet Prefix, Public Key) are hashed with SHA-1 to produce the Interface Identifier; Subnet Prefix + Interface Identifier form the CGA. SeND messages carry the CGA Params and a Signature made with the private key of the RSA key pair.
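The CGA construction sketched above, written out per RFC 3972 as an added example (not code from the presentation): Hash2 over the modifier and public key enforces the Sec work factor, Hash1 over modifier, subnet prefix, collision count and public key yields the interface identifier, and the receiver re-derives both from the advertised CGA Params. SAMPLE_PUBLIC_KEY is a constructed byte string standing in for a DER-encoded RSA key.

```python
import hashlib
import ipaddress
import os

# Constructed stand-in for the DER-encoded RSA public key that real CGA Parameters carry
# (RFC 3972 section 4); any byte string works for the hash construction shown here.
SAMPLE_PUBLIC_KEY = b"\x30\x82\x01\x22" + bytes(range(256)) + b"\x02\x03\x01\x00\x01"


def _prefix_bytes(prefix: str) -> bytes:
    """Leftmost 64 bits of the subnet prefix, as used in the Hash1 input."""
    return int(ipaddress.IPv6Network(prefix).network_address).to_bytes(16, "big")[:8]


def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """RFC 3972 step 4: SHA-1 over modifier || prefix || collision count || public key, leftmost 64 bits."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """RFC 3972 step 2: SHA-1 over modifier || 9 zero octets || public key; the leftmost
    16*Sec bits of its first 112 bits must be zero (the hash extension that slows brute force)."""
    hash2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return hash2 >> (112 - 16 * sec) == 0


def generate_cga(prefix: str, pubkey: bytes, sec: int, modifier=None, collision_count: int = 0):
    """Returns (address, cga_params) with cga_params = modifier || prefix || collision count || key.
    A fixed modifier gives a reproducible result; a real node starts from a random one."""
    if not 0 <= sec <= 7 or not 0 <= collision_count <= 2:
        raise ValueError("Sec is 3 bits and the collision count must not exceed 2")
    pfx = _prefix_bytes(prefix)
    mod = int.from_bytes(os.urandom(16) if modifier is None else modifier, "big")
    while not _hash2_ok(mod.to_bytes(16, "big"), pubkey, sec):
        mod = (mod + 1) % (1 << 128)  # step 3: increment the modifier and try again
    modifier = mod.to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, pfx, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # top three bits carry Sec; u and g bits are cleared
    address = ipaddress.IPv6Address(int.from_bytes(pfx + bytes(iid), "big"))
    return str(address), modifier + pfx + bytes([collision_count]) + pubkey


def verify_cga(address: str, cga_params: bytes) -> bool:
    """Receiver-side check (RFC 3972 section 5): the IID must equal Hash1 of the advertised
    parameters (ignoring Sec, u and g bits) and the modifier must satisfy Hash2 for that Sec."""
    if len(cga_params) < 26:
        return False
    addr = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")
    modifier, prefix, cc, pubkey = cga_params[:16], cga_params[16:24], cga_params[24], cga_params[25:]
    if cc > 2 or prefix != addr[:8]:
        return False
    sec = addr[8] >> 5
    expected = _hash1(modifier, prefix, cc, pubkey)
    if (expected[0] & 0x1C) != (addr[8] & 0x1C) or expected[1:] != addr[9:]:
        return False
    return _hash2_ok(modifier, pubkey, sec)


if __name__ == "__main__":
    addr, params = generate_cga("2001:db8::/64", SAMPLE_PUBLIC_KEY, sec=1, modifier=bytes(16))
    print("CGA:", addr, "verifies:", verify_cga(addr, params))
    forged = params[:25] + b"\x00" + params[26:]  # parameters advertised with a different key
    print("forged params verify:", verify_cga(addr, forged))
```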
SeND Operation
Participants: Router R, host, Certificate Authority CA0
1.  Certificate Authority issues Certificate C0
2.  Router certificate request
3.  Router certificate CR issued
4.  Certificate Path Solicit (CPS) from the host: I trust CA0, who are you?
5.  Certificate Path Advertise (CPA) from R: I am R, this is my certificate CR
6.  Verify CR against CA0
7.  Start using R as default gateway (after receiving its Router Advertisement)
SeND OS Support
•  Microsoft Windows 7 or Server 2008
   •  No native supplicant
   •  TrustRouter application (not NA/NS)
   •  WinSEND application works with all NDP traffic
•  Apple Mac
   •  No native supplicant
   •  TrustRouter application (not NA/NS)
•  Linux and/or Unix
   •  Easy-SEND
   •  ND-Protector
   •  IPv6-Send-CGA
802.1x
Fundamentals of 802.1X
Supplicant – (802.1X over Ethernet / WLAN) – Authenticator – (RADIUS over IP / Layer 3) – Authentication Server – Identity Store
•  Supplicant: Windows (native), Apple OSX (native), Cisco AnyConnect, Open1X
•  Authenticator: Ethernet Switch, Router, Wireless Controller, Access Point
•  Authentication Server: Identity Services Engine, Network Policy Server, FreeRADIUS, Access Control Server
•  Identity Store: Active Directory, Token Server, OpenLDAP
Fundamentals of 802.1X – message flow
•  Supplicant to Authenticator: EAP carried in 802.1X; Authenticator to Authentication Server: EAP carried in RADIUS
•  EAP: EAP-RESPONSE-IDENTITY
•  RADIUS: ACCESS-REQUEST, RADIUS SERVICE-TYPE: FRAMED
•  Credentials exchanged inside EAP (Certificate / Password / Token)
•  On success: RADIUS: ACCESS-ACCEPT [+ Authorization Attributes], EAP: EAP-SUCCESS, Port-Authorized
•  If authentication fails: Port-Unauthorized
EAP: Extensible Authentication Protocol
Three proven deployment scenarios
•  Authentication without access control
•  Minimal impact to users and the network
•  Highly secure, good for logical isolation
Alternatives
MAC Authentication Bypass (MAB)
Endpoints without a supplicant will fail 802.1X authentication!
Flow (endpoint 00-10-23-AA-1F-38, Authenticator, Authentication Server):
•  Authenticator sends EAPoL: EAP Request Identity three times; with no 802.1X response, 802.1X times out
•  Any packet from the endpoint triggers RADIUS: ACCESS-REQUEST with RADIUS Service-Type: Call-Check and AVP: 00-10-23-AA-1F-38
•  RADIUS: ACCESS-ACCEPT
MAC Authentication Bypass (MAB) requires a MAC database | MAB may cause delayed network access due to EAP timeout
Bypassing “Known” MAC Addresses
Web Authentication
Secure alternative to 802.1X; typically meant for Guest user authentication; doesn’t require a supplicant
Local Web Authentication (LWA):
•  IP address prior to authentication
•  Authenticator hosts the web pages (Login, Login Expiry, Auth-Success, Auth-Failure; settings: Max Sessions, Timeout, Max Fail Attempts, Banner, etc.)
•  Separate method like .1X & MAB
•  RADIUS Service-Type: Outbound
Central Web Authentication (CWA):
•  IP address prior to authentication
•  Central Server (Cisco ISE) hosts the web pages (Login, Login Expiry, Auth-Success, Auth-Failure, etc.; settings: Max Sessions, Timeout, Max Fail Attempts, TCP-Port, etc.)
•  .1X / MAB is authorized with a URL
•  Centralized administration
Traffic: HTTP(S) between the endpoint and the web server, RADIUS between the Authenticator and the RADIUS Server.
Private VLANs
•  Prevent node-to-node Layer-2 communication
   •  Promiscuous (router port) talks to all other port types
   •  Isolated port can only contact a promiscuous port/s
   •  Community ports can contact their group and promiscuous port/s
•  DAD ND Proxy
   •  Prevents address conflicts
•  Internet Edge, Data Center
   •  Reducing attack surface, malware propagation
•  Service Provider
   •  Client/customer isolation
Diagram: Community Ports, an Isolated Port and the Promiscuous Port connected to router R.
Summary
Key Take Aways
•  Gain operational experience now
•  Security enforcement is possible
•  Control IPv6 traffic as you would IPv4
•  “Poke” your Providers
•  Lead your OT/LOBs into the Internet