IPv6 INFRASTRUCTURE SECURITY WORKSHOP SESSION 10 BUILDING IPv6 INFRASTRUCTURE NETWORK SECURITY




IPv6 INFRASTRUCTURE SECURITY WORKSHOP
SESSION 10: BUILDING IPv6 INFRASTRUCTURE NETWORK SECURITY
Alastair Johnson, July 2013

INTRODUCTION

This module will cover network infrastructure security relating to:
- Rogue Router Advertisements and protection
- DHCPv6 vs. Router Advertisements
- Cryptographically Generated Addresses (CGA) and Secure Neighbor Discovery (SeND)
- VPN Leakage in Dual Stack Hosts
- Using Link Local Addressing only

AGENDA
1. Recap
2. Rogue Router Advertisements
3. DHCPv6 vs. Router Advertisements
4. CGA and SeND
5. VPN Leakage in Dual Stack Hosts
6. Use of Link Local Addressing only

RECAP

In Session 9 we covered topics that include:
- General network element infrastructure security practices and what they're used for
- What the different planes in a router are, how and why they must be protected
- Threats from IPv6 in a network
- Issues arising from IPv4 shortage and how those may impact operators
- Device security
- Transition technology issues


ROGUE ROUTER ADVERTISEMENTS
FINDING A DEFAULT ROUTER

- Every host needs to find a default router
- Unlike in IPv4, where default routers are either manually configured or provided via DHCP, in IPv6 a host must discover its default router(s) using Router Advertisement information

Host: "Any routers out there?" (Router Solicitation)
Router: "Hello host! I'm a router" (Solicited Router Advertisement)
Router: "Hello everyone! I'm a router" (Router Advertisement)

ROGUE ROUTER ADVERTISEMENTS
THE ROUTER ADVERTISEMENT

- The link-local IP address of the router
  - So we know where to send traffic not on-link
- Stuff about the link (like default hop limit)
- How long I should assume you are a router (Router Lifetime)
  - We make sure we hear from you regularly, just in case you go away
- What addresses exist on this link? (Global addresses or ULA)
  - So we can assign our addresses automatically
  - And how long they are valid for
- And whether there are any DHCP servers!

ROUTER ADVERTISEMENT
  Src: fe80::2aa:00ff:fe99:9999
  Dst: ff02::1
  Hop Limit: 255
  Default Hop Limit: 64
  Managed: 1
  Other: 1
  Router Lifetime: 1800s
  Source Link-Layer Address: 00-AA-00-99-99-99
  Prefix: 2001:db8::/64, On-link, Autonomous
    Valid: 30 days
    Preferred: 7 days

ROGUE ROUTER ADVERTISEMENTS
STATELESS ADDRESS AUTOCONFIGURATION

- Once a host hears a Router Advertisement it can assign itself an address by adding its interface ID to the prefix advertised in the RA
- A host could also use DHCPv6 to be assigned an address

Router: "Hello everyone! I'm a router. You can use 2001:DB8::/64"
Host: "I want to be 2001:DB8::1234:1234:AABB:BBAA. Does anyone else have that address?"
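As an added example (not part of the original slides), the following Python decodes the Router Advertisement from the previous slide, rebuilt here as a constructed byte string, and derives the address a SLAAC host would form from the advertised /64 and its MAC using modified EUI-64. The router MAC, prefix, flags and lifetimes are the slide's values; the host MAC 00:11:22:33:44:55 is a constructed value.

```python
import struct
import ipaddress

# Constructed sample: the Router Advertisement from the slide, encoded as the
# ICMPv6 payload only (no IPv6 header; the checksum field is left zero and is
# not verified here). Fields: type 134, code 0, cur hop limit 64, M=1 and O=1,
# router lifetime 1800 s, then a Source Link-Layer Address option (type 1) and
# a Prefix Information option (type 3) for 2001:db8::/64 with L=1, A=1,
# valid lifetime 30 days and preferred lifetime 7 days.
ROUTER_MAC = bytes.fromhex("00aa00999999")
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0xC0, 1800, 0, 0)
    + struct.pack("!BB", 1, 1) + ROUTER_MAC
    + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 30 * 86400, 7 * 86400, 0)
    + ipaddress.IPv6Network("2001:db8::/64").network_address.packed
)


def parse_ra(payload):
    """Decode an ICMPv6 Router Advertisement (RFC 4861 section 4.2) together
    with its Source Link-Layer Address and Prefix Information options."""
    if len(payload) < 16 or payload[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {
        "cur_hop_limit": hop_limit,
        "managed": bool(flags & 0x80),   # M flag: get addresses from DHCPv6
        "other": bool(flags & 0x40),     # O flag: get other config from DHCPv6
        "router_lifetime": lifetime,     # 0 means "do not use me as default router"
        "source_lladdr": None,
        "prefixes": [],
    }
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0 or off + olen * 8 > len(payload):
            raise ValueError("malformed ND option")  # RFC 4861: length 0 is invalid
        body = payload[off + 2: off + olen * 8]
        if otype == 1 and olen == 1:
            ra["source_lladdr"] = ":".join(f"{b:02x}" for b in body)
        elif otype == 3 and olen == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network(f"{ipaddress.IPv6Address(body[14:30])}/{plen}"),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),
                "valid": valid,
                "preferred": preferred,
            })
        off += olen * 8
    return ra


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 Appendix A):
    insert ff:fe in the middle and invert the universal/local bit."""
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def slaac_address(prefix, mac):
    """The address a SLAAC host forms from an advertised /64 and its own MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def address_config_modes(ra):
    """Which mechanisms a host will use, from the prefix A flag and the RA M/O flags."""
    modes = []
    if any(p["autonomous"] for p in ra["prefixes"]):
        modes.append("SLAAC")
    if ra["managed"]:
        modes.append("DHCPv6 stateful")
    elif ra["other"]:
        modes.append("DHCPv6 stateless")
    return modes


if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(ra)
    print("modes:", address_config_modes(ra))
    # Constructed host MAC; the router's own source address on the slide is its EUI-64 LLA.
    print("host:", slaac_address(ra["prefixes"][0]["prefix"], bytes.fromhex("001122334455")))
    print("router LLA:", slaac_address("fe80::/64", ROUTER_MAC))
```

The router's source address on the slide, fe80::2aa:00ff:fe99:9999, is exactly the EUI-64 link-local of 00-AA-00-99-99-99. Modern hosts mostly no longer use EUI-64 for their global addresses (RFC 4941 temporary addresses and RFC 7217 stable opaque identifiers), which matters when you try to tie a logged address back to a device.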

ROGUE ROUTER ADVERTISEMENTS
IMPACT OF ROGUE ROUTER ADVERTISEMENTS

- Router Advertisements are an implicit requirement for IPv6 networking to function correctly
- In a perfect network, only the configured routers for a segment will generate and send Router Advertisements, as configured by the operators
- In the imperfect world that we live in, we need to be aware of the potential for rogue Router Advertisements
  - Accidental RAs could be sent by a misconfigured host on the network
  - Or by a misconfigured router (e.g. old router config restored; two VLANs have been bridged; someone has brought a home CPE into the office)
  - Or by someone malicious, deliberately wanting to cause problems on the network

(Diagram: a segment with an IPv4 default router and an IPv6 default router, each sending RTR ADV)

ROGUE ROUTER ADVERTISEMENTS
PROTECTING FROM ROGUE ROUTER ADVERTISEMENTS

There are two general approaches that can be taken to protect from rogue Router Advertisements in your network:
1. Filter Router Advertisements at the network access edge (L2 switch, DSLAM, WiFi access point)
2. Monitor for unauthorised RAs and react when they are seen (automatic or manual process)

Router Advertisement Guard (RA-Guard), as defined in RFC 6105, describes an implementation that filters out RA messages on access ports of an L2 access device.

An alternative approach for devices that do not support RA-Guard is to use an L3 filter on your access ports. The same filter in three syntaxes (Junos, Cisco IOS and Alcatel-Lucent SR OS):

    filter ra-guard {
        term block-ra {
            from {
                icmp-type router-advertisement;
            }
            then discard;
        }
        term default {
            then accept;
        }
    }

    ipv6 access-list ra-guard
     deny icmp any any 134
     permit ipv6 any any

    ipv6-filter 134 create
        entry 10 create
            match next-header ipv6-icmp
                icmp-type router-advt
            exit
            action drop
        exit
    exit
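The second approach on the slide, monitoring for unauthorised RAs, written in Python as an added example that is not part of the original deck. It classifies constructed sample packets (a bare IPv6 header plus ICMPv6 payload, no link layer and no checksums) against an allowlist of authorised router link-local addresses, reports RAs that fail the RFC 4861 validity checks, and separately flags packets that carry an extension header before the ICMPv6 header, because a filter that matches only on the ICMP type of the first header cannot see an RA behind one (the reason RFC 7113 tightens RA-Guard). The allowlist holds the slide's router; the other addresses in the capture are constructed.

```python
import struct
import ipaddress

ICMPV6, ND_ROUTER_ADVERT = 58, 134
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "destination options"}


def build_ipv6(src, dst, payload, next_header=ICMPV6, hop_limit=255):
    """Bare IPv6 header + payload, enough to construct sample packets (no checksums)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def ra_payload(router_lifetime=1800):
    """Minimal ICMPv6 Router Advertisement header with no options."""
    return struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)


def classify(pkt, authorized):
    """Return (verdict, detail) for a packet that matters to RA monitoring, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    _, _, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    src = ipaddress.IPv6Address(pkt[8:24])
    if nh in EXT_HEADERS:
        # An ICMP-type match on the first header never sees what is behind this;
        # RFC 7113 requires RA-Guard to walk the header chain or drop the packet.
        return ("inspect", f"{EXT_HEADERS[nh]} header precedes the transport header from {src}")
    if nh != ICMPV6 or len(pkt) < 41 or pkt[40] != ND_ROUTER_ADVERT:
        return None
    if hlim != 255 or not src.is_link_local:
        # RFC 4861 6.1.2: hosts silently discard RAs lacking hop limit 255 or a link-local source.
        return ("invalid", f"RA from {src} with hop limit {hlim} fails the RFC 4861 validity checks")
    if src not in authorized:
        return ("rogue", f"RA from unauthorised router {src}")
    return ("ok", f"RA from authorised router {src}")


def find_rogue_ras(packets, authorized):
    """Run the classifier over a capture, dropping packets that are not RA-related."""
    return [r for r in (classify(p, authorized) for p in packets) if r is not None]


# The slide's router is the only authorised RA sender on this segment.
AUTHORIZED = {ipaddress.IPv6Address("fe80::2aa:ff:fe99:9999")}

# Constructed capture: one legitimate RA, one from an unknown device, one that
# fails the validity checks, one hidden behind a destination options header
# (the payload is not a real options header; the classifier never parses it),
# and an unrelated echo request.
SAMPLE_CAPTURE = [
    build_ipv6("fe80::2aa:ff:fe99:9999", "ff02::1", ra_payload()),
    build_ipv6("fe80::1c0f:6bff:fe12:3456", "ff02::1", ra_payload()),
    build_ipv6("2001:db8::1", "ff02::1", ra_payload(), hop_limit=64),
    build_ipv6("fe80::abcd", "ff02::1", ra_payload(), next_header=60),
    build_ipv6("fe80::1", "fe80::2", struct.pack("!BBHHH", 128, 0, 0, 1, 1)),
]

if __name__ == "__main__":
    for verdict, detail in find_rogue_ras(SAMPLE_CAPTURE, AUTHORIZED):
        print(f"{verdict:8s} {detail}")
```

In a real deployment the packets would come from a port-mirror or a host-based listener on each segment, and the "rogue" verdict would feed the reaction step on the slide (shut the port, or at least page someone). The "inspect" verdict is deliberately separate: those packets are usually benign, but an access filter that keys only on the ICMPv6 type will pass them unexamined.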


DHCPv6 vs. ROUTER ADVERTISEMENTS

- Stateless Address Autoconfiguration (SLAAC) allows devices in IPv6 networks to configure themselves automatically and start networking functions
  - However, it is device driven and non-deterministic from the operator's point of view
- IPv6 also supports DHCP functionality approximately equivalent to IPv4, which can be beneficial to operators that want to:
  - Have deterministic configuration behavior of devices
  - Assign more configuration parameters to the devices than RA supports
  - Have IPv6 and IPv4 networks behave equivalently
  - Use specific functionality that is only available in DHCPv6, such as Circuit Identifier information
  - Use IPv6 Prefix Delegation to assign prefixes to downstream devices/routers
  - Continuously poll for configuration information

DHCPv6 vs. ROUTER ADVERTISEMENTS
DIFFERENCES BETWEEN DHCPv4 AND DHCPv6

- In IPv4, DHCP-configured devices start the DHCP discover process when the network interface is ready (up and plumbed)
- In IPv6, the DHCPv6 process may start when the interface is up, if the device is configured to do so
  - Or a device may wait for a Router Advertisement to be seen with the M-bit set to 1
  - This allows IPv6 routers to tell hosts attaching to the network to start and use DHCPv6 for IPv6 addressing
- DHCPv6 does not contain information about default routers, unlike DHCPv4
  - Instead, Router Advertisements are used for this
  - This means an IPv6 network must use both DHCPv6 and Router Advertisements in conjunction

DHCPv6 vs. ROUTER ADVERTISEMENTS
WHEN TO USE DHCPv6?

- Many operators want IPv6 to look and feel like IPv4, and thus use DHCPv6 for consistency between the two address families
- DHCPv4 Option 82 (Relay Agent Information: Circuit-ID, Remote-ID) behavior can be replicated with DHCPv6 Option 18 (Interface-ID) and Option 37 (Remote-ID), which allows for deterministic behavior based on DHCPv6 relay information
- Centralized DHCP pool behavior can be used for assignment of addresses, including logging which device had what address and when
- Specific configuration information such as DNS servers, TR-069 ACS servers, etc. can be provided at network attachment in the DHCPv6 messaging
- It's very common to find DHCPv6 deployed in enterprise environments and broadband operator environments where DHCPv4 was used extensively for network management and AAA purposes
- In smaller environments (small business, home networks, etc.) the use of SLAAC is probably preferred
- Home CPE should support both DHCPv6 and SLAAC to cover both use cases

DHCPv6 vs. ROUTER ADVERTISEMENTS
DHCPv6 IN BROADBAND EXAMPLE

(Diagram: a Routed Gateway, with Subnet A and Subnet B behind it, attached through an Access Node acting as LDRA to a BNG, which talks to a RADIUS server. Message flows shown:)
- Routed Gateway -> BNG: DHCPv6 SOLICIT (IA_PD option, optional IA_NA option, DNS-Servers option)
- Access Node (LDRA): inserts Option-18/37 information into the relayed message
- BNG -> RADIUS: Access-Request (User-Name, Password, Service-Name VSA, Service-Type=Framed)
- RADIUS -> BNG: Access-Accept (Delegated-IPv6-Prefix, IPv6-DNS, optional IPv6-Address)
- BNG -> Routed Gateway: DHCPv6 ADVERTISE (IA_PD option + Prefix, optional IA_NA)
- Routed Gateway -> BNG: DHCPv6 REQUEST (IA_PD option, optional IA_NA option, DNS-Servers option)
- BNG -> Routed Gateway: DHCPv6 REPLY (IA_PD option + Prefix, optional IA_NA); anti-spoofing installed
- BNG -> Routed Gateway: Router Advertisement
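An added example, not from the slides, of the SOLICIT and relay leg of the diagram in Python: the gateway's SOLICIT carrying an IA_PD, the LDRA wrapping it in a RELAY-FORW with Option 18 (Interface-ID) and Option 37 (Remote-ID), and what the BNG extracts from it before building the RADIUS Access-Request. The enterprise number 12345, the interface id 1/1/3:100, the remote id cpe-0042, the client MAC and the subscriber table standing in for RADIUS are all constructed values.

```python
import struct
import ipaddress

MSG_SOLICIT, MSG_RELAY_FORW = 1, 12
OPT_CLIENTID, OPT_ORO, OPT_RELAY_MSG, OPT_INTERFACE_ID = 1, 6, 9, 18
OPT_DNS_SERVERS, OPT_IA_PD, OPT_REMOTE_ID = 23, 25, 37


def option(code, data):
    """DHCPv6 option TLV (RFC 3315): 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data


def build_solicit(xid, client_mac, iaid):
    """The Routed Gateway's SOLICIT: Client-ID (DUID-LL), IA_PD, and an ORO asking for DNS servers."""
    duid_ll = struct.pack("!HH", 3, 1) + client_mac            # DUID type 3, hw type 1 (Ethernet)
    opts = option(OPT_CLIENTID, duid_ll)
    opts += option(OPT_IA_PD, struct.pack("!III", iaid, 0, 0))  # T1=T2=0: server chooses
    opts += option(OPT_ORO, struct.pack("!H", OPT_DNS_SERVERS))
    return bytes([MSG_SOLICIT]) + xid.to_bytes(3, "big") + opts


def ldra_relay_forward(client_msg, client_lladdr, interface_id, enterprise, remote_id):
    """What the Access Node (LDRA, RFC 6221) sends upstream: RELAY-FORW with an
    unspecified link-address, the client's link-local as peer-address, and
    Option 18 / Option 37 describing the physical attachment point."""
    hdr = bytes([MSG_RELAY_FORW, 0]) + bytes(16) + ipaddress.IPv6Address(client_lladdr).packed
    opts = option(OPT_INTERFACE_ID, interface_id)
    opts += option(OPT_REMOTE_ID, struct.pack("!I", enterprise) + remote_id)
    opts += option(OPT_RELAY_MSG, client_msg)
    return hdr + opts


def parse_options(data):
    """Walk a DHCPv6 option list, refusing truncated TLVs."""
    opts, off = [], 0
    while off + 4 <= len(data):
        code, length = struct.unpack("!HH", data[off:off + 4])
        if off + 4 + length > len(data):
            raise ValueError("truncated DHCPv6 option")
        opts.append((code, data[off + 4:off + 4 + length]))
        off += 4 + length
    return opts


def bng_view(relay_msg):
    """What the BNG (or the DHCPv6 server behind it) learns from the relayed SOLICIT."""
    if relay_msg[0] != MSG_RELAY_FORW:
        raise ValueError("expected RELAY-FORW")
    outer = dict(parse_options(relay_msg[34:]))
    inner = outer[OPT_RELAY_MSG]
    inner_opts = dict(parse_options(inner[4:]))
    oro = inner_opts.get(OPT_ORO, b"")
    requested = struct.unpack("!%dH" % (len(oro) // 2), oro)
    return {
        "hop_count": relay_msg[1],
        "peer": str(ipaddress.IPv6Address(relay_msg[18:34])),
        "interface_id": outer[OPT_INTERFACE_ID].decode(),
        "enterprise": struct.unpack("!I", outer[OPT_REMOTE_ID][:4])[0],
        "remote_id": outer[OPT_REMOTE_ID][4:].decode(),
        "client_msg_type": inner[0],
        "client_xid": int.from_bytes(inner[1:4], "big"),
        "iaid": struct.unpack("!I", inner_opts[OPT_IA_PD][:4])[0],
        "wants_dns": OPT_DNS_SERVERS in requested,
    }


# Constructed stand-in for the RADIUS lookup: the subscriber record is keyed on
# the relay-inserted Interface-ID / Remote-ID, never on the client-supplied
# DUID, so the delegated prefix follows the port rather than the client's claim.
SUBSCRIBERS = {
    ("1/1/3:100", "cpe-0042"): {"Delegated-IPv6-Prefix": "2001:db8:42::/56", "IPv6-DNS": "2001:db8::53"},
}


def authorize(view, subscribers=SUBSCRIBERS):
    """Access-Accept attributes for this attachment point, or None (Access-Reject)."""
    return subscribers.get((view["interface_id"], view["remote_id"]))


if __name__ == "__main__":
    solicit = build_solicit(0x123456, bytes.fromhex("001122334455"), iaid=1)
    relayed = ldra_relay_forward(solicit, "fe80::211:22ff:fe33:4455", b"1/1/3:100", 12345, b"cpe-0042")
    view = bng_view(relayed)
    print(view)
    print(authorize(view))
```

Keying the subscriber record on Option 18/37 is what gives the "deterministic behavior based on relay information" of the previous slide: two gateways that claim the same DUID on different ports still get the prefixes that belong to their ports, and the BNG can install its anti-spoofing entry for exactly that prefix on exactly that port.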


SECURE NEIGHBOR DISCOVERY (SeND)

- IPv6 Neighbor Discovery has no authentication mechanism built into it
  - The closest thing to authentication is that you are attached to the same network segment
  - Basically, blind trust
- This leads to Neighbor Discovery being vulnerable to a number of hijacking issues
  - Covered some of these yesterday
  - Very similar to the ways in which ARP is vulnerable in IPv4
- Secure Neighbor Discovery (SeND) is defined in RFC 3971 and specifies a mechanism to secure neighbor discovery messaging
  - These are extensions to NDP that provide a mechanism for using CGAs, and for only accepting/sending secured NS/NA messages on an interface
- While it was defined some time ago, it is not particularly widely deployed yet
  - Still further work to be done in making SeND truly usable
  - Some operators are now experimenting with it

SECURE NEIGHBOR DISCOVERY (SeND)
CRYPTOGRAPHICALLY GENERATED ADDRESSES (CGA)

- CGAs are IPv6 addresses generated from a cryptographic hash of a public key and other parameters
- A node generating a CGA must first obtain an RSA public/private key pair; then, using the public key, the subnet prefix and a modifier, a SHA-1 hash is performed to generate an interface identifier. This identifier is appended to the subnet prefix to form a 128-bit CGA
- CGA generation is a one-time occurrence on a system (typically at boot, or at configuration of SeND on that interface)

(Diagram: Generate RSA keys; Modifier + Pub Key + Subnet prefix = CGA; SeND-NS, SeND-NA, SeND-RS and SeND-RA exchanged between host and router. Notes: many calculation operations required at the router, scaling problem?; certificate distribution may be used for these messages (with trust anchors))
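The CGA construction from RFC 3972, written out in Python as an added example that is not part of the slides: Hash1 over the CGA Parameters (modifier, subnet prefix, collision count, public key) gives the interface identifier, and for a Sec value above zero the modifier is first searched until Hash2 has 16*Sec leading zero bits, which is the "many calculation operations" the diagram refers to. The public key is a constructed placeholder byte string standing in for the DER-encoded RSA key; with a real key it would be the SubjectPublicKeyInfo bytes. The CGA option and RSA Signature option that SeND carries in NS/NA/RS/RA messages are not shown.

```python
import hashlib
import ipaddress

# Constructed placeholder for the DER-encoded RSA public key that RFC 3972
# hashes; a real node uses the SubjectPublicKeyInfo encoding of its key.
PUBLIC_KEY_DER = b"PLACEHOLDER-RSA-PUBLIC-KEY-DER-" + bytes(range(64))


def _hash1(modifier, prefix, collision_count, pubkey):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters data structure."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier, pubkey):
    """Leftmost 112 bits of SHA-1 over modifier | 9 zero bytes | public key."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _leading_zero_bits(data):
    bits = 0
    for byte in data:
        if byte:
            return bits + 8 - byte.bit_length()
        bits += 8
    return bits


def find_modifier(pubkey, sec, start=0):
    """RFC 3972 generation steps 2-3: increment the modifier until Hash2 has
    16*Sec leading zero bits. Sec=0 accepts the first modifier immediately."""
    modifier = start
    while True:
        mod = modifier.to_bytes(16, "big")
        if _leading_zero_bits(_hash2(mod, pubkey)) >= 16 * sec:
            return mod
        modifier = (modifier + 1) & ((1 << 128) - 1)


def generate_cga(subnet_prefix, pubkey, sec, modifier, collision_count=0):
    """Steps 4-8: form the interface identifier from Hash1, stamp Sec into its
    top three bits, clear the u/g bits, and append it to the /64 prefix.
    The caller increments collision_count (max 2) if DAD finds a duplicate."""
    prefix = ipaddress.IPv6Network(subnet_prefix).network_address.packed[:8]
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)   # bits 0-2 = Sec, bits 6-7 (u, g) = 0
    address = ipaddress.IPv6Address(prefix + bytes(iid))
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "public_key": pubkey}
    return address, params


def verify_cga(address, params):
    """RFC 3972 section 5: True when the address is bound to the public key in params."""
    addr = ipaddress.IPv6Address(address).packed
    if params["collision_count"] > 2 or params["prefix"] != addr[:8]:
        return False
    iid = addr[8:]
    sec = iid[0] >> 5
    h1 = _hash1(params["modifier"], params["prefix"], params["collision_count"], params["public_key"])
    # Compare Hash1 with the interface identifier, ignoring the Sec and u/g bits.
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    return _leading_zero_bits(_hash2(params["modifier"], params["public_key"])) >= 16 * sec


if __name__ == "__main__":
    for sec in (0, 1):
        modifier = find_modifier(PUBLIC_KEY_DER, sec)
        address, params = generate_cga("2001:db8::/64", PUBLIC_KEY_DER, sec, modifier)
        print(f"sec={sec} modifier={modifier.hex()} cga={address} valid={verify_cga(address, params)}")
```

Verification needs only the address and the CGA Parameters, not the private key; the RSA signature over the ND message is what proves the sender holds the key behind the address. Sec=1 costs on the order of 2^16 SHA-1 operations and each further step multiplies that by 2^16, which is why generation is done once rather than per message, and why the diagram's scaling question is about the verifying router rather than the host.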

SECURE NEIGHBOR DISCOVERY
WHAT'S THE USE CASE?

1. Security on common L2 infrastructure
   - One operator has spoken about using SeND for peering interfaces (i.e. towards IXPs) to ensure their peering adjacencies are formed with trusted neighbors that have not been spoofed or hijacked
2. Security for network management infrastructure
   - One operator has spoken about using SeND for their cable modem management interfaces (CM to L3PE) to ensure that they are speaking to legitimate cable modems that have not been tampered with or compromised
   - If the cable modem cannot form a valid CGA and a secure neighbor adjacency, the CM will not be able to attach to the network and receive configuration, and thus all downstream services will be blocked


VPN LEAKAGE IN DUAL STACK HOSTS

- An interesting problem with dual stack services being deployed is that some VPN clients do not handle the separation of traffic properly
- One example of this is DNS traffic: Windows will prefer to use IPv6 DNS servers if it knows about them (e.g. via DHCPv6 configuration information)
  - When a VPN is established, usually new DNS servers are provided to the client in order to resolve addresses within the intranet network
  - The client should use these DNS servers, or connectivity within the internal network may not be possible (e.g. split horizon DNS rules, internal-only zones)
  - If the VPN is not IPv6 or dual stack with appropriate IPv6 DNS server information, Windows' preference for IPv6 DNS servers will lead it to continue to query the IPv6 DNS servers!
  - If the VPN client doesn't block connectivity on the IPv6 path, DNS resolution may fail
  - I found this out the hard way
- VPN clients seem to be getting better at managing this, either by blocking IPv6 connectivity altogether, or by enforcing DNS priority to use the IPv4 DNS servers
- Thinking about IPv6 on your corporate VPNs is probably a good idea


USE OF LINK LOCAL ADDRESSING ONLY

- In a service provider backbone network, is there a need to number network interfaces with global unicast addresses?
- Some operators took this approach in IPv4 by using RFC 1918 address space
  - Traceroute could/would break
  - Address uniqueness could be a problem, particularly with B2B/B2C interfaces
- Some networks are effectively hiding their core with MPLS today anyway, so they are completely invisible to transit traffic
- IPv6 Link Local Addressing is designed to be unique to an IP interface, so address collisions are not a problem
  - Routing protocols often use LLA for NEXT_HOP information
  - ICMPv6 also knows how to correctly source ICMPv6 messaging from a valid scope address on the node
  - Traceroute shouldn't break
- See draft-opsec-lla-only

USE OF LINK LOCAL ADDRESSING ONLY

Therefore, it seems that in a hypothetical case it would be possible to use LLA only within the service provider network.

What are the benefits?
- Infrastructure numbering becomes relatively simple
- Reduced threat horizon due to reduced GUA configuration on the node (IACLs become much less complex)
- The core will still transport packets and traceroute will still work, but interfaces do not consume GUA
- Configuration can be simplified as addresses don't need to be configured on interfaces (using SLAAC)

What are the disadvantages?
- Interface troubleshooting can become a problem
  - Must remember to ping fe80::1%gi-1/3/37 instead of 2001:db8::1:3:37
- Traceroute output becomes less informative since all hops look the same (loopback vs. interface-specific responses)
- Interface IP addressing will change when the interface MAC/interface identifier changes (e.g. hardware replacement)
- Traffic engineering/strict path approaches will not work (e.g. RSVP-TE strict LSPs with FRR)

USE OF LINK LOCAL ADDRESSING ONLY
IS IT A GOOD IDEA?

- Analysis is still ongoing
- It's theoretically possible, and is an interesting idea
- The ex-network operations guy in me says: don't do this at 3am, you'll regret it