Swisscom: Testing von IPv6 Security Devices

IPv6
Testing IPv6 Security Devices

Swiss IPv6 Council
Christoph Weber
Version 1.0 / 24.02.2014

about me
• Christoph Weber
First Hack was more the 30 years ago.
• worked nine years for a large ISP in Switzerland for
the development team data center, network and
security
‐ integration IPv6 in the data center environment
‐ IPv4 + IPv6 Security
‐ IPv4 old world routing / switching
• Now working as security analyst and engineer in a
security operation center.

WARNING !
• Do it in your test environment, especially if
you want to keep your job!
• ALL information's are for internal and testing
purpose only !
• we are NOT responsible for any abuse use of
this information's !
• maybe it is against your local law!
• It may crash perhaps "your" network or
server!

agenda
•
•
•
•
•
•
•
•

IPv6 security requirements
Security threats
Test case
Test environment
Tools and some practical tests
Results
Conclusion
Q&A (at the end of the 2nd presentation)

Types of Security Devices Testing
• Performance testing (not covered)
‐ New session/sec
‐ Speed with 10000 rules
‐ Delay / Jitter
• Usability (not covered)
‐ Administration
‐ Rule upload
‐ Easy to use / handling
• Security (this presentation)
‐ Filtering options
‐ Detection
‐ IPv6 self protection

Is this a IPv6 Security Problem ?
• Log entry:
3411206; 4Feb2014;
6:03:03;aaa.bbb.ccc.4;log;accept;inbound;Lan1;;VP
N-1 & FireWall-1;300;{81CBF2C9-3D89-4C85-A0C5E58D7ED842A4};;SIT;xxx.yyy.zzz.132;;192.88.99.1;;
41;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
aaa.bbb.ccc.4 is the IP of the Firewall
xxx.yyy.zzz.132 is a public IPv4 in the DMZ

• Traffic outgoing to 192.88.99.1

Customer says
• Customer response to the demand about
IPv6 in IPv4 tunneling traffic:

Answer
• YES, it is a security problem !
• RFC 3068
An Anycast Prefix for 6to4 Relay Routers
.
2.4 6to4 Relay anycast address An IPv4 address used
to reach the nearest 6to4 Relay Router, as defined
in this memo. The address corresponds to host
number 1 in the 6to4 Relay anycast prefix,
192.88.99.1.

• RFC 7123
-> Security Implications of IPv6 on IPv4 Networks

IPv6 Security requirement
• Mostly heard from the customer:
‐ the same „Security level“ as in IPv4 !
‐ NO additional equipment
‐ NO additional resources
• But:
‐ is this still enough ?
‐ new and more attacking vectors !
‐ new requirements for IPv4 !

IPv4
IPv4 +
Tunnel

Tunnel

Dual Stack
Tunnel +
Dual Stack
IPv6 +
Tunnel

IPv6

IPv6 Security dreams and wishes
• Security devices can handle IPv6 and IPv4 and any IPv4 in IPv6
and IPv6 in IPv4 and ….
• Filter extension headers
• Filter any protocols
• Filter possibility for «any» fields in the packet
• Allows only „good“ packets
• Self defending
• intelligent devices
• …
never ending list

Firewalling IPv6 packet options
Link layer (L2)  type verification (Ethertype 0x86DD) and version (6)
matching
• Filtering of traffic class (filtering unwanted data channel)
‐ remove unwanted QOS Flags (zeroing)
‐ match if not equal zero
• Filtering of flow label  (filtering unwanted data channel)
‐ eliminate unwanted flowlabels
‐ match if not equal Zero
• Filtering of payload length
• Filtering for “hop limit” field
‐ for some neighbor discovery and autoaddress packets (=255)
•

Firewall rules IPv6 packet options
• Next header filtering
‐ any type of next header (256 Types)
‐ a max amount of next header
‐ a defined order of next headers
• On each option header type
‐ matching of any header type specific
fields (different on each option header
type)

IDS / IPS dreams
• IPv6 packet anomaly detection
• Deep packet inspection in IPv6 and all kind of
tunnels (6in6, 4in6, 6in4, 4in4)
• Reassembling of fragmented IPv6 streams
• One box and ruleset for ALL

Spam / Antivirus / DDoS
• Same SPAM functionality like in IPv4
• Antivirus function in IPv6 and IPv4
• DDoS protection for both IPv4/IPv6
• For all
‐ Correlation of IPv4 and IPv6 attacks
‐ a configuration for both stacks

Many other dreams, but..
•
•
•
•
•
•
•

Are all this dreams really necessary ?
Possible ?
Manageable ?
Useful ?
Make they sense ?
How big is the speed / performance impact
is this only my dream ?

draft‐gont‐opsec‐ipv6‐firewall‐reqs‐00
• New IETF Draft from
Fernando Gont
Requirements for IPv6
Firewalls

IPv6 Testcenters
The «official» ones

NIAP
•

http://www.techopedia.com/definition/24850/national‐information‐assurance‐partnership‐niap

USGV6
• http://www‐x.antd.nist.gov/usgv6/index.html

Security threats
Know the Attacks

Security threats
• Define the IPv6 security threats
• Classify the threats
• Sort threats by relevance, impact, …
related in your environment
• Watch for NEW upcoming threats

• Know the OLD IPv4 threats

Threats
• Sample: „ICMPv6 packet too big tunneling“
Titel

ICPMv6 packet too big tunnelling / flooding

T

Description

Angriffsszenario:
Da für eine richtige Funktionsweise von IPv6 und der MTU auf allen Nodes/Firewall/Router ICMPv6 Too Big (Type
2) erlaubt sein muss, kann diese Art von ICMPv6 Messages dazu verwendet werden trotz Firewall und anderen
Devices, einen Tunnel von Intern nach Extern oder Umgekehrt aufzubauen, oder mit diesen ICMPv6 Paketen die
Netze über Firewalls/Filterdevices hinweg zu fluten.
Auswirkungen:
Bypass von Firewall / Security Filtern /
unbekannte Kommunikation via ICMPv6 Too Big Tunnels
ICMPv6 flooding ins interne Netz
Lösung
Security Devices , die nur ICMPv6 Antwort Pakete durchlassen, für die sie auch einen Verbindungsaufbau Versuch
(SYN – Packet) dazu haben. Eine Art Statefull Tabelle.
Links:

Referenz

RFC 4443

Test environment & case
Testlab & test scenarios

Define test cases / test environment
• for any security threat it is necessary to create a test case.
• Build test environment ‐> based on your the requirements
• Determine the test tools

Lab Overview

Define test case
Basic setup
• Traffic sniffing on the wire.
attacker’s side, and on target side.
b)

2 Types of tests
a) Function of the security device
b) Attacking the security device

a)

Define Testcase
• Write test case for
each security threat
with all sub cases.
• Define test case very
detailed and clearly,
for a clear testing
and
comprehensibility
• recycle test cases

Write down the results
• Results must be documented !!
• Required information
‐ Device type, serial number, software version
‐ Date / Time / Tester
‐ Results / capture‐files / screenshots /
all info / references to external documents
‐ Results and summary (PASS/FAIL/Part. PASS)
‐ Overall Status / Next Steps

Test case sample
Samples form the real live

Cisco ACL‘s
• IPv6 is not IPv4 !
• Know the difference between IPv4 and IPv6
• Watch for CPU impact and rule length

implicit deny rule
Difference between
• IPv4
deny ip any any
• IPv6
permit icmp any any nd‐na
permit icmp any any nd‐ns

deny ip any any

implicit deny Rule
•

Main question: filter all the same ?

a) permit icmp any any echo-request
b) permit icmp any any 128
c) permit icmp any any 128 0

a) and b) are the same
They don‘t filter on the code level
c) Allows only type 128 code 0

ACL for the lab
Test with differed ACL are required
Version  “echo‐request”

Version “Type /  Code”

IPv6 access‐list ICMP‐TEST‐IN
permit icmp any any echo‐request
deny ipv6 any any log

IPv6 access‐list ICMP‐TEST‐IN
permit icmp any any 128 0
deny ipv6 any any log

Impact / Solution
• What have we done in the IPv4 ruleset ?
Mostly filtering «ICMP echo‐request»
• On some Cisco devices, huge impact to the CPU, if
filtering “code” options
Example: Cisco 6500
• do your best, but do it !

Firewall config (Sample Fortinet)
• Predefined objects ? „ALL_ICMP6“

• Read the documentations and/or ask the vendor, what
each field means.
• One of the questions is:
what is, if one field is empty ?
Example „Code“
(here it means „ALL“)

Sample „packet to big“
• Create packet and send (manual way)

Tools
• SCAPY (Use: release 2.2.0 DEV)
Python tool for easy creating single packet
http://www.secdev.org/projects/scapy/
• THC‐Tools
IPv6 Attacking tools
https://www.thc.org/thc‐ipv6/
• IPv6 Toolkit
Tool for testing IPv6
http://www.si6networks.com/tools/ipv6toolkit/
• ft6
Tool for IPv6 Firewall testing
http://www.idsv6.de/en/index.html
• ostinato
packet crafter/traffic generator
http://code.google.com/p/ostinato/

THC‐Tool firewall6
root@blubberli:/home/trilobit/software/thc/thc‐ipv6‐2.5# ./firewall6 eth0 fd42:caff:ee42:: 80
Starting firewall6: mode TCP against fd42:caff:ee42::1 port 80
Run a sniffer behind the firewall to see what passes through
Test  1: plain sending                  TCP‐SYN‐ACK received
Test  2: plain sending with data        TCP‐SYN‐ACK received
Test  3: IPv4 ethernet type             FAILED ‐ no reply
Test  4: hop‐by‐hop hdr (ignore option) FAILED ‐ no reply
Test  5: dst hdr (ignore option)        FAILED ‐ no reply
Test  6: hop‐by‐hop hdr router alert    FAILED ‐ no reply
Test  7: 3x dst hdr (ignore option)     FAILED ‐ no reply
Test  8: 130x dst hdr (ignore option)   FAILED ‐ no reply
Test  9: atomic fragment                FAILED ‐ no reply
Test 10: 2x atomic fragment (same id)   FAILED ‐ no reply
Test 11: 2x atomic fragment (diff id)   FAILED ‐ no reply
Test 18: 2kb dst hdr                    FAILED ‐ no reply
Test 19: 2kb dst + dst hdr              FAILED ‐ no reply
Test 20: 32x 2kb dst hdr                FAILED ‐ no reply

More then 38 different tests.
Unclear, what each test exactly
does (you must look at the
code)

Flooding IPv6 advertise
root@ipv6-craft:/home/trilobit/software/thc/thc-ipv6-2.1# ./flood_advertise6 bond0
Starting to flood network with neighbor advertisements on bond0 (Press Control-C to
end, a dot is printed for every 100 packet):
...................................................................................
...................................................................................
...................................................................................
................................................................................^C
MX240 LOG (Active)
Jan 9 14:06:14 lab-zb0303-rt-mx240-2-re0 l2ald[1549]: L2ALD_MAC_LIMIT_REACHED_IFBD:
Limit on learned MAC addresses reached for ae2.10__VPLS-VLAN-10-LDP__ flags [0x
6b] state [0x
0]; current count is 1024
Jan 9 14:06:18 lab-zb0303-rt-mx240-2-re0 jddosd[1570]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol MLP:packets is violated at fpc 1 for 1 times, started at 2012-11-20
21:03:31 CET, last seen at 2012-11-20 21:03:31 CET
Jan 9 14:06:23 lab-zb0303-rt-mx240-2-re0 jddosd[1570]: DDOS_PROTOCOL_VIOLATION_SET:
Protocol NDPv6:aggregate is violated at fpc 1 for 1 times, started at 2012-11-20
21:03:31 CET, last seen at 2012-11-20 21:03:31 CET
Jan 9 14:06:56 lab-zb0303-rt-mx240-2-re0 l2ald[1549]: L2ALD_MAC_LIMIT_RESET_IF:
Resumed adding MAC addresses learned by ae2.10__VPLS-VLAN-10-LDP__ flags [0x 6b]
state [0x
0]; current count is 1023
After 5 Min
Jan 9 14:11:18 lab-zb0303-rt-mx240-2-re0 jddosd[1570]: DDOS_PROTOCOL_VIOLATION_CLEAR:
Protocol MLP:packets has returned to normal. Violated at fpc 1 for 1 times, from
2012-11-20 21:03:31 CET to 2012-11-20 21:03:31 CET
Jan 9 14:11:23 lab-zb0303-rt-mx240-2-re0 jddosd[1570]: DDOS_PROTOCOL_VIOLATION_CLEAR:
Protocol NDPv6:aggregate has returned to normal. Violated at fpc 1 for 1 times,
from 2012-11-20 21:03:31 CET to 2012-11-20 21:03:31 CET

Solicitate flooding
root@ipv6-craft:/home/trilobit/software/thc/thc-ipv6-2.1#
fake_solicitate6 bond0 3ffe:10:1:10::1
Starting solicitation of 3ffe:10:1:10::1 (Press Control-C to end)
^C
Target Device:
root@lab-zb0303-rt-mx240-2-re0> show ipv6 neighbors
IPv6 Address
Linklayer Address State
3ffe:10:10:14::1
00:10:db:ff:10:01 stale
3ffe:10:10:114::1
00:10:db:ff:10:01 delay
3ffe:10:11:14::1
00:10:db:ff:10:01 reachable
3ffe:10:11:114::1
00:10:db:ff:10:01 stale
fe80::211:22ff:fe33:4455
00:11:22:33:44:55 stale
fe80::211:22ff:fe33:4488
00:11:22:33:44:88 stale
fe80::218:ff:fe00:b0ec
00:18:00:00:b0:ec stale
fe80::218:ff:fe01:c660
00:18:00:01:c6:60 stale
fe80::218:ff:fe03:7859
00:18:00:03:78:59 stale
fe80::218:ff:fe04:6255
00:18:00:04:62:55 stale
fe80::218:ff:fe04:691b
00:18:00:04:69:1b stale
fe80::218:ff:fe04:74a3
00:18:00:04:74:a3 stale
fe80::218:ff:fe06:982f
00:18:00:06:98:2f stale
.
<‐ ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐8< ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐>

Exp Rtr Secure Interface
1182 yes no
ae3.3010
0
yes no
ae3.3011
0
yes no
ae3.3020
1194 yes no
ae3.3021
424 no no
ae2.10
1198 no no
lsi.1048823
1094 no no
ae2.10
1072 no no
ae2.10
1095 no no
ae2.10
1095 no no
ae2.10
1074 no no
ae2.10
1073 no no
ae2.10
1094 no no
ae2.10

Neighbor flooding
•

System CPU nearly 100%

root@lab‐zb0303‐rt‐mx240‐2‐re0> show system processes summary
last pid: 33300;  load averages:  1.39,  1.88,  1.40  up 55+03:15:28    15:10:43
148 processes: 3 running, 130 sleeping, 15 waiting
Mem: 662M Active, 92M Inact, 267M Wired, 951M Cache, 214M Buf, 5169M Free
Swap: 8192M Total, 8192M Free
PID USERNAME   THR PRI NICE   SIZE    RES STATE    TIME   WCPU COMMAND
1134 root         1 132    0  4928K  3112K RUN      9:36 92.94% eventd
11 root         1 171   52     0K    16K RUN    1271.7  0.73% idle

•

Logfile of the MX

Log Entries on the MX240
Jan  9 15:15:14  lab‐zb0303‐rt‐mx240‐2‐re0 /kernel: Nexthop index allocation
failed: regular index space exhausted
Jan  9 15:15:14  lab‐zb0303‐rt‐mx240‐2‐re0 fpc1 tsec_receive: .le1, failed to
allocate packet buffer
Jan  9 15:15:15  lab‐zb0303‐rt‐mx240‐2‐re0 last message repeated 10 times

Neighbor Flooding
• Routing Entries
{master}[edit]
root@lab‐zb0303‐rt‐mx240‐2‐re0# run show ipv6 neighbors | count
Count: 523053 lines
root@lab‐zb0303‐rt‐mx240‐2‐re0> show route forwarding‐table vpn L3VPN1 summary
Routing table: L3VPN1.inet
Internet:
user:          2 routes
perm:          5 routes
intf:          8 routes
dest:         13 routes
Routing table: L3VPN1.iso
ISO:
perm:          1 routes
Routing table: L3VPN1.inet6
Internet6:
user:          3 routes
perm:          4 routes
intf:         26 routes
dest:         523056 routes
{master}

Neighbor flooding
Jan 12 14:48:01  lab‐zb0305‐rt‐mx80‐1‐re0 rpd[1278]: bgp_hold_timeout:3967: NOTIFICATION sent to 10.100.100.4 (Internal AS
65000): code 4 (Hold Timer Expired Error), Reason: holdtime expired for 10.100.100.4 (Internal AS 65000), socket buffer
sndcc: 91 rcvcc: 0 TCP state: 4, snd_una: 3569673048 snd_nxt: 3569673139 snd_wnd: 16384 rcv_nxt: 3958755043 rcv_adv:
3958771427, hold timer out 90s, hold timer remain 0s
Jan 12 14:48:55  lab‐zb0305‐rt‐mx80‐1‐re0 rpd[1278]: bgp_pp_timeout: peer 3ffe:10:11:116::1+52922 (proto) timed out waiting
for OPEN
Jan 12 14:48:55  lab‐zb0305‐rt‐mx80‐1‐re0 rpd[1278]: bgp_pp_timeout:5572: NOTIFICATION sent to 3ffe:10:11:116::1+52922
(proto): code 4 (Hold Timer Expired Error), socket buffer sndcc: 0 rcvcc: 0 TCP state: 4, snd_una: 2890450339 snd_nxt:
2890450339 snd_wnd: 16384 rcv_nxt: 2714040868 rcv_adv: 2714057252
Jan 12 14:48:56  lab‐zb0305‐rt‐mx80‐1‐re0 rpd[1278]: bgp_hold_timeout:3967: NOTIFICATION sent to 10.100.100.1 (Internal AS
65000): code 4 (Hold Timer Expired Error), Reason: holdtime expired for 10.100.100.1 (Internal AS 65000), socket buffer
Jan 12 14:49:00  lab‐zb0305‐rt‐mx80‐1‐re0 jddosd[1361]: DDOS_PROTOCOL_VIOLATION_CLEAR: Protocol MLP:packets has
returned to normal. Violated at fpc 0 for 3 times, from 2013‐01‐12 14:44:00 CET to 2013‐01‐12 14:44:00 CET
Jan 12 14:49:01  lab‐zb0305‐rt‐mx80‐1‐re0 rpd[1278]: bgp_hold_timeout:3967: NOTIFICATION sent to 10.10.116.1 (External AS
65001): code 4 (Hold Timer Expired Error), Reason: holdtime expired for 10.10.116.1 (External AS 65001), socket buffer
Jan 12 14:49:01  lab‐zb0305‐rt‐mx80‐1‐re0 bfdd[1259]: BFDD_TRAP_SHOP_STATE_DOWN: local discriminator: 25, new state:
down, interface: irb.3021, peer addr: 10.10.116.1
Jan 12 14:53:25  lab‐zb0305‐rt‐mx80‐1‐re0 eventd[1068]: SYSTEM_ABNORMAL_SHUTDOWN: System abnormally shut down
Jan 12 14:53:25  lab‐zb0305‐rt‐mx80‐1‐re0 eventd[1068]: SYSTEM_OPERATIONAL: System is operational
Jan 12 14:53:25  lab‐zb0305‐rt‐mx80‐1‐re0 savecore: writing core to vmcore.1
Jan 12 14:53:25  lab‐zb0305‐rt‐mx80‐1‐re0 /kernel: platform_early_bootinit: MX‐PPC Series Early Boot Initialization
Jan 12 14:53:25  lab‐zb0305‐rt‐mx80‐1‐re0 /kernel: mxppc_set_re_type: hw.board.type is MX80
Jan 12 14:53:25  lab‐zb0305‐rt‐mx80‐1‐re0 /kernel: mxppc_set_re_type: REtype:78, model:mx80, model:MX80, i2cid:2447
Jan 12 14:53:25  lab‐zb0305‐rt‐mx80‐1‐re0 /kernel: WDOG initialized
Jan 12 14:53:25  lab‐zb0305‐rt‐mx80‐1‐re0 /kernel: Copyright (c) 1996‐2012, Juniper Networks, Inc.
Jan 12 14:53:25  lab‐zb0305‐rt‐mx80‐1‐re0 /kernel: All rights reserved.

ostinato
• Open source tool
packet crafter/traffic generator
(Windows/Linux/OS X/BSD)

ostinato
Sample: IPv6/ICMP
be careful with default values
WRONG !

IPv6 Security devices
now and in the future
• They support IPv6
‐> but on different levels
• Vendors are working on it.
‐> Some very hard, others…..
• Request features
‐> ask for new implementations
• Interact with the vendors
‐> tell him your ideas

• Find and know the limits of your security
device !

questions ?

christoph.weber@swisscom.com

Tools
Security warning and disclaimer:
using this tools it‘s maybe against your local law or company policy !
Function

Tools

Scanning/Surveillance:

halfscan6, nmap, Scan6, Strobe

Covert Channel/Backdoor:

relay6, 6tunnel, nt6tunnel, netcat6, VoodooNet, etc.

Port Bouncing:

relay6, nt6tunnel, ncat, and asybo

Denial of Service (DOS):

6tunneldos, 6To4DDos, Imps6‐tools

Packet‐Level attack toolkits:

isic6, spak6, THC‐6, IPv6‐Tools

Packet‐Crafting:

scapy, sendIP, Packit, Spack, OSTINATO

IRC Zombies/Bots:

Eggdrop, Supybot, etc.

Sniffer:

snort, tcpdump, snoop, wireshark, tshark etc.

Firewall Testing

ft6

Pen Testing Tool:

Metasploit

terminology
•
•
•
•
•
•
•
•
•
•
•

Node: Device that implements IPv6
Router: Node that forwards IPv6 Packets
Host: Any Node, that isn‘t a router
Upper Layer: Protocol layer above ipv6
Link: Medium or communication Facility over with nodes can
communicate at the link layer
Neighbors: Nodes attached on the same link
Interface: A Node‘s attachment to a link
Address: IPv6 Layer identification for an interface
Packet: IPv6 header + payload
Link MTU: Link Maximum Transmission Unit
Path MTU: Maximum link MTU of all links in a path between source und
destination node‘s

Swisscom: Testing von IPv6 Security Devices

More Related Content

What's hot (20)

Similar to Swisscom: Testing von IPv6 Security Devices (20)

More from Swiss IPv6 Council (15)

Recently uploaded (20)

Swisscom: Testing von IPv6 Security Devices