Category: Computer Fundamentals, Programming Languages

Overview

IPv6 Security


Resource last updated: 2020-11-19 04:26:01

Authors: Hogg, Scott / Vyncke, Eric

Publisher:

Publication date: 2008-01

ISBN: 9781587055942

File format: pdf

Tags: network security, cisco

Synopsis

IPv6 Security: Protection measures for the next Internet Protocol. As the world's networks migrate to the IPv6 protocol, networking professionals need a clearer understanding of the security risks, threats, and challenges this transition presents. In IPv6 Security, two of the world's leading Internet security practitioners review each potential security issue introduced by IPv6 n...


Table of Contents

Introduction
Chapter 1 Introduction to IPv6 Security
Reintroduction to IPv6
IPv6 Update
IPv6 Vulnerabilities
Hacker Experience
IPv6 Security Mitigation Techniques
Summary
Recommended Readings and Resources
Chapter 2 IPv6 Protocol Security Vulnerabilities
The IPv6 Protocol Header
ICMPv6
ICMPv6 Functions and Message Types
ICMPv6 Attacks and Mitigation Techniques
Multicast Security
Extension Header Threats
Extension Header Overview
Extension Header Vulnerabilities
Hop-by-Hop Options Header and Destination Options Header
IPv6 Extension Header Fuzzing
Router Alert Attack
Routing Headers
RH0 Attack
Preventing RH0 Attacks
Additional Router Header Attack Mitigation Techniques
Fragmentation Header
Overview of Packet Fragmentation Issues
Fragmentation Attacks
Preventing Fragmentation Attacks
Virtual Fragment Reassembly
Unknown Option Headers
Upper-Layer Headers
Reconnaissance on IPv6 Networks
Scanning and Assessing the Target
Registry Checking
Automated Reconnaissance
Speeding Up the Scanning Process
Leveraging Multicast for Reconnaissance
Automated Reconnaissance Tools
Sniffing to Find Nodes
Neighbor Cache
Node Information Queries
Protecting Against Reconnaissance Attacks
Layer 3 and Layer 4 Spoofing
Summary
References
Chapter 3 IPv6 Internet Security
Large-Scale Internet Threats
Packet Flooding
Internet Worms
Worm Propagation
Speeding Worm Propagation in IPv6
Current IPv6 Worms
Preventing IPv6 Worms
Distributed Denial of Service and Botnets
DDoS on IPv6 Networks
Attack Filtering
Attacker Traceback
Black Holes and Dark Nets
Ingress/Egress Filtering
Filtering IPv6 Traffic
Filtering on Allocated Addresses
Bogon Filtering
Bogon Filtering Challenges and Automation
Securing BGP Sessions
Explicitly Configured BGP Peers
Using BGP Session Shared Secrets
Leveraging an IPsec Tunnel
Using Loopback Addresses on BGP Peers
Controlling the Time-to-Live (TTL) on BGP Packets
Filtering on the Peering Interface
Using Link-Local Peering
Link-Local Addresses and the BGP Next-Hop Address
Drawbacks of Using Link-Local Addresses
Preventing Long AS Paths
Limiting the Number of Prefixes Received
Preventing BGP Updates Containing Private AS Numbers
Maximizing BGP Peer Availability
Disabling Route-Flap Dampening
Disabling Fast External Fallover
Enabling Graceful Restart and Route Refresh or Soft Reconfiguration
BGP Connection Resets
Logging BGP Neighbor Activity
Securing IGP
Extreme Measures for Securing Communications Between BGP Peers
IPv6 over MPLS Security
Using Static IPv6 over IPv4 Tunnels Between PE Routers
Using 6PE
Using 6VPE to Create IPv6-Aware VRFs
Customer Premises Equipment
Prefix Delegation Threats
SLAAC
DHCPv6
Multihoming Issues
Summary
References
Chapter 4 IPv6 Perimeter Security
IPv6 Firewalls
Filtering IPv6 Unallocated Addresses
Additional Filtering Considerations
Firewalls and IPv6 Headers
Inspecting Tunneled Traffic
Layer 2 Firewalls
Firewalls Generate ICMP Unreachables
Logging and Performance
Firewalls and NAT
Cisco IOS Router ACLs
Implicit IPv6 ACL Rules
Internet ACL Example
IPv6 Reflexive ACLs
Cisco IOS Firewall
Configuring IOS Firewall
IOS Firewall Example
IOS Firewall Port-to-Application Mapping for IPv6
Cisco PIX/ASA/FWSM Firewalls
Configuring Firewall Interfaces
Management Access
Configuring Routes
Security Policy Configuration
Object Group Policy Configuration
Fragmentation Protection
Checking Traffic Statistics
Neighbor Discovery Protocol Protections
Summary
References
Chapter 5 Local Network Security
Why Layer 2 Is Important
ICMPv6 Layer 2 Vulnerabilities for IPv6
Stateless Address Autoconfiguration Issues
Neighbor Discovery Issues
Duplicate Address Detection Issues
Redirect Issues
ICMPv6 Protocol Protection
Secure Neighbor Discovery
Implementing CGA Addresses in Cisco IOS
Understanding the Challenges with SEND
Network Detection of ICMPv6 Attacks
Detecting Rogue RA Messages
Detecting NDP Attacks
Network Mitigation Against ICMPv6 Attacks
Rafixd
Reducing the Target Scope
IETF Work
Extending IPv4 Switch Security to IPv6
Privacy Extension Addresses for the Better and the Worse
DHCPv6 Threats and Mitigation
Threats Against DHCPv6
Mitigating DHCPv6 Attacks
Mitigating the Starvation Attack
Mitigating the DoS Attack
Mitigating the Scanning
Mitigating the Rogue DHCPv6 Server
Point-to-Point Link
Endpoint Security
Summary
References
Chapter 6 Hardening IPv6 Network Devices
Threats Against Network Devices
Cisco IOS Versions
Disabling Unnecessary Network Services
Interface Hardening
Limiting Router Access
Physical Access Security
Securing Console Access
Securing Passwords
VTY Port Access Controls
AAA for Routers
HTTP Access
IPv6 Device Management
Loopback and Null Interfaces
Management Interfaces
Securing SNMP Communications
Threats Against Interior Routing Protocol
RIPng Security
EIGRPv6 Security
IS-IS Security
OSPF Version 3 Security
First-Hop Redundancy Protocol Security
Neighbor Unreachability Detection
HSRPv6
GLBPv6
Controlling Resources
Infrastructure ACLs
Receive ACLs
Control Plane Policing
QoS Threats
Summary
References
Chapter 7 Server and Host Security
IPv6 Host Security
Host Processing of ICMPv6
Services Listening on Ports
Microsoft Windows
Linux
BSD
Sun Solaris
Checking the Neighbor Cache
Microsoft Windows
Linux
BSD
Sun Solaris
Detecting Unwanted Tunnels
Microsoft Windows
Linux
BSD
Sun Solaris
IPv6 Forwarding
Microsoft Windows
Linux
BSD
Sun Solaris
Address Selection Issues
Microsoft Windows
Linux
BSD
Sun Solaris
Host Firewalls
Microsoft Windows Firewall
Linux Firewalls
BSD Firewalls
OpenBSD Packet Filter
ipfirewall
IPFilter
Sun Solaris
Securing Hosts with Cisco Security Agent 6.0
Summary
References
Chapter 8 IPsec and SSL Virtual Private Networks
IP Security with IPv6
IPsec Extension Headers
IPsec Modes of Operation
Internet Key Exchange (IKE)
IKE Version 2
IPsec with Network Address Translation
IPv6 and IPsec
Host-to-Host IPsec
Site-to-Site IPsec Configuration
IPv6 IPsec over IPv4 Example
Configuring IPv6 IPsec over IPv4
Verifying the IPsec State
Adding Some Extra Security
Dynamic Crypto Maps for Multiple Sites
IPv6 IPsec Example
Configuring IPsec over IPv6
Checking the IPsec Status
Dynamic Multipoint VPN
Configuring DMVPN for IPv6
Verifying the DMVPN at the Hub
Verifying the DMVPN at the Spoke
Remote Access with IPsec
SSL VPNs
Summary
References
Chapter 9 Security for IPv6 Mobility
Mobile IPv6 Operation
MIPv6 Messages
Indirect Mode
Home Agent Address Determination
Direct Mode
Threats Linked to MIPv6
Protecting the Mobile Device Software
Rogue Home Agent
Mobile Media Security
Man-in-the-Middle Threats
Connection Interception
Spoofing MN-to-CN Bindings
DoS Attacks
Using IPsec with MIPv6
Filtering for MIPv6
Filters at the CN
Filters at the MN/Foreign Link
Filters at the HA
Other IPv6 Mobility Protocols
Additional IETF Mobile IPv6 Protocols
Network Mobility (NEMO)
IEEE 802.16e
Mobile Ad-hoc Networks
Summary
References
Chapter 10 Securing the Transition Mechanisms
Understanding IPv4-to-IPv6 Transition Techniques
Dual-Stack
Tunnels
Configured Tunnels
6to4 Tunnels
ISATAP Tunnels
Teredo Tunnels
6VPE
Protocol Translation
Implementing Dual-Stack Security
Exploiting Dual-Stack Environment
Protecting Dual-Stack Hosts
Hacking the Tunnels
Securing Static Tunnels
Securing Dynamic Tunnels
6to4
ISATAP
Teredo
Securing 6VPE
Attacking NAT-PT
IPv6 Latent Threats Against IPv4 Networks
Summary
References
Chapter 11 Security Monitoring
Managing and Monitoring IPv6 Networks
Router Interface Performance
Device Performance Monitoring
SNMP MIBs for Managing IPv6 Networks
IPv6-Capable SNMP Management Tools
NetFlow Analysis
Router Syslog Messages
Benefits of Accurate Time
Managing IPv6 Tunnels
Using Forensics
Using Intrusion Detection and Prevention Systems
Cisco IPS Version 6.1
Testing the IPS Signatures
Managing Security Information with CS-MARS
Managing the Security Configuration
Summary
References
Chapter 12 IPv6 Security Conclusions
Comparing IPv4 and IPv6 Security
Similarities Between IPv4 and IPv6
Differences Between IPv4 and IPv6
Changing Security Perimeter
Creating an IPv6 Security Policy
Network Perimeter
Extension Headers
LAN Threats
Host and Device Hardening
Transition Mechanisms
IPsec
Security Management
On the Horizon
Consolidated List of Recommendations
Summary
References
Index