Security in an IPv6 World - Myth & Reality

Editor's Notes

• #8: Manual TunnelsPreferred over dynamic tunnelsFilter tunnel source/destination and use IPsecIf spoofing, return traffic is not sent to attackerDynamic Tunnels6to4 Relay routers are “open relays”Attackers can guess 6to4 addresses easilyISATAP can have potential MITM attacksAttackers can spoof source/dest IPv4/v6 addressesDon’t blindly allow IPsec or IPv4 Protocol 41 (6in4 tunneled traffic) through the firewall unless you know the tunnel endpointsMany IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite)
• #10: In some other ways IPv6 in fact does support better security:that IPsec can be guaranteed to be supported fosters its use and propagation.The header design in IPv6 is better, leading to a cleaner division between encryption metadata and the encrypted payload, which some analysts consider has improved the IPsec implementation.
• #14: “The denial of service attack can be carried out by forming an IP datagram with a large number of TLV encoded options with random option type identifiers in the hop-by-hop options header.”All the ipv6 nodes on the path need to process the options in this headerThe option TLVs in the hop-by-hop options header need to be processed in orderA sub range of option types in this header will not cause any errors even if the node does not recognize them.There is no restriction as to how many occurences of an option type can be present in the hop-by-hop header.
• #16: Prevent unauthorized LAN accessDisable unused switch portsNetwork Access Control (NAC), Network Admission Control (NAC)IEEE 802.1AE (MACsec), Cisco TrustSecIEEE 802.1XRA Guard (RFC 6105)NDPMonRamondKame rafixdPort SecurityCisco Port-based ACL (PACL)
• #17: Both require LAN access – like rogue RAs
• #18: Both require LAN access – like rogue RAs
• #20: Translation techniques are susceptible to DoS attacksNAT prevents IPsec, DNSSEC, Geolocation and other applications from workingConsuming connection state (CPU resource consumption attack on ALG)Consuming public IPv4 pool and port numbers (pool depletion attack)
• #33: Don’t block FF00::/8 and FE80::/10 – these will block NDP
• #34: Rules 1 and 2 are stateful.  0 is absolutely necessary for ND to work.It might be a little liberal for some folks though - could be bolteddown tighter.Rule 3 is the one I put in so as to actually hear my reply.
• #36: Firewalls have improved their IPv6 capabilities, IPv6 addresses in the GUI, some logs, ability to filter on Extension Headers, Fragmentation, PMTUD, and granular filtering of ICMPv6 and multicastIPv6 firewalls may not have all the same full features as IPv4 firewallsUTM/DPI/IPS/WAF/content filtering features may only work for IPv4Many IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite)IPv6 support varies greatly in modern IPS systemsFew signatures exist for IPv6 packets or you have to build your own using cryptic regular expressions or byte-offset valuesFew Host-based IPS systems support IPv6Desktop AntiVirus software has gotten better at allowing ICMPv6 (RA/RS/NA/NS) packets throughHowever, there are still a handful of popular AV suites that don’t support IPv6There are many IPv6-capable host-based firewalls available depending on the OS you preferLinux: ip6tables (NetFilter), ipfWindows Firewall with Advanced SecurityBSD: pf, ipfw, ipfMac: ipfw, ipfSolaris, HP-UX : ipf
• #38: Many security standards don’t discuss IPv6. However, any guideline related to IP may apply to both versions – many policies are higher levelhttp://www.antd.nist.gov/usgv6/NIST SP 500-273: USGv6 Test Methods: General Description and ValidationGuidance for Labs, November 2009http://www.antd.nist.gov/usgv6/docs/NIST-SP-500-273.v2.0.pdfNIST SP 500-281: USGv6 Testing Program User’s GuideGuidance for vendors and purchasers, August 2010http://www.antd.nist.gov/usgv6/docs/NIST-SP-500-281-v1.3.pdf