
IPv6 Autoconfiguration Plug & Play Dream or Security Nightmare


Presentation Transcript


  1. IPv6 AutoconfigurationPlug & Play Dream or Security Nightmare

  2. Review of IPv6 Autoconfig • Neighbor Discovery (the Router Solicitation / Router Advertisement exchange) is defined in RFC 2461 and stateless address autoconfiguration in RFC 2462 (both since superseded by RFC 4861 and RFC 4862) • All hosts implicitly have an IPv6 Link-Local address for each interface they have • Host: “I have a NIC, therefore I am” • FE80::/10 prefix plus the interface’s EUI-64 identifier • Simple corollary: therefore, a host without a NIC is a non-entity

  3. Review of IPv6 Autoconfig • Other network information is obtained from the router(s) on the local network • Host: “Is there a router in the house?” • ICMPv6 Type 133 – Router Solicitation • Router: “I’m a router and here are the prefixes you can use”, optionally “, and go talk to the DHCPv6 server” (the M and O flags in the advertisement) • ICMPv6 Type 134 – Router Advertisement

  4. Review of IPv6 Autoconfig • The host combines the advertised prefix with a host portion (the 64-bit interface identifier) to form an IPv6 address • Multiple types of host addresses

  5. IPv6 Address Types • Stateless (EUI-64 derived from the MAC) • RFC 2462 • Privacy Extensions (pseudorandom identifier, changed periodically) • RFC 3041 • Stateful (DHCPv6) • RFC 3315
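The address formation described on slides 2 to 5, written out as an added example (this is not code from the presentation): a modified EUI-64 identifier is derived from the MAC, the implicit link-local address is built from it without any router, a prefix learned from a Router Advertisement is glued onto the same identifier, and an RFC 3041 temporary identifier is generated from the EUI-64 and a history value. The MAC address and the 2001:db8:1::/64 prefix are constructed sample inputs.

```python
from __future__ import annotations

import hashlib
import ipaddress


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC: split the MAC in the
    middle, insert FF:FE, and flip the universal/local bit (0x02 of the first byte)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_address(mac: str) -> str:
    """The link-local address every interface gets on its own: FE80::/64 + EUI-64."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_from_mac(mac)))


def slaac_address(advertised_prefix: str, iid: bytes) -> str:
    """Combine a prefix learned from a Router Advertisement with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(advertised_prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("stateless autoconfig needs a /64 prefix and a 64-bit identifier")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def privacy_iid(history: bytes, eui64: bytes) -> tuple[bytes, bytes]:
    """RFC 3041 section 3.2.1 temporary identifier: MD5 over the 64-bit history value and the
    EUI-64; the left 64 bits become the identifier (with the u/l bit cleared), the right 64 bits
    become the next history value.  Returns (identifier, next_history)."""
    if len(history) != 8 or len(eui64) != 8:
        raise ValueError("history value and EUI-64 must each be 64 bits")
    digest = hashlib.md5(history + eui64).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear the universal/local bit: the identifier is of local significance only
    return bytes(iid), digest[8:]


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"  # constructed sample MAC, not from the presentation
    prefix = "2001:db8:1::/64"  # constructed sample RA prefix (documentation range)
    iid = eui64_from_mac(mac)
    print("link-local:", link_local_address(mac))
    print("SLAAC     :", slaac_address(prefix, iid))
    temp_iid, _next_history = privacy_iid(bytes(8), iid)
    print("privacy   :", slaac_address(prefix, temp_iid))
```

The EUI-64 form is what makes a host trackable across networks (the MAC rides along in the low 64 bits), which is the whole reason RFC 3041 exists; note that the prefix a host accepts here is whatever some Router Advertisement said it was, which is the point the rest of the talk is about.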

  6. So what’s the problem? • Well, do you know that the device that says it’s the router is really supposed to be the router? • If you get multiple answers (which you can), which is the right one?

  7. So what’s the problem? • It could be a misconfigured host • Linux, Windows, or whatever • Maybe with a tunnel that it wants to HELP! other people use • More scary, it could be a bad guy claiming to be a router • Trying to set up a man-in-the-middle attack (pulling the hosts’ default route through himself, or simply taking them off the network with a bogus prefix)

  8. But I’m not running IPv6! • Are you sure? • OSes are coming with IPv6 enabled by default • Windows Vista • Mac OS X • Many Linux distributions • Many other UNIX systems

  9. But I’m not running IPv6! • So you probably have hosts asking for an IPv6 router on your network right now • All it takes is a misconfigured host or a bad guy on your network, and your hosts are doing IPv6

  10. What about SEND? IPv6 Secure Neighbor Discovery • RFC 3971 • It will secure this, and more! • But!!!! • There are not many, if any, implementations • Certs & PKI: routers must prove authorization with a certificate path to a trust anchor every host has configured, and hosts need Cryptographically Generated Addresses (RFC 3972) • Do I need to say more?

  11. What about SEND? IPv6 Secure Neighbor Discovery • Will work in a well-controlled, mostly closed network • Not the definition of your typical university network • Probably not workable on a visitor or guest network, even if your primary network is securable in this way

  12. A Solution • Block IPv6 Router Advertisements on ingress to the access switch ports that face hosts (not on the uplink that carries the real router’s advertisements) • Can be done today with Cisco 3750, 3750-E, 3560, and 3560-E switches • IOS 12.2(25)SED Advanced IP Services (only) or greater code • I tested on 3750s with 12.2(40)SE AdvIPServ

  13. IOS Config Snip

      ipv6 access-list v6_Access_IN
       deny icmp any any router-advertisement
       permit ipv6 any any

      interface GigabitEthernet1/0/1
       switchport access vlan 247
       ipv6 traffic-filter v6_Access_IN in

  The ACL drops inbound ICMPv6 type 134 on the host port and permits everything else, so a host on that port can no longer offer itself as a router; legitimate advertisements still arrive from the uplink. The filter has to be applied to every host-facing port, and an access port that also leads to a hub or an unmanaged switch still lets the hosts behind it hear each other.

  14. A Different Problem • I said “Advanced IP Services” • The upgrade from “IP Base” is $6,995 list per switch • We have about 3,500 3750G-24TS • This is about $24M list • We’re talking to the 3750 Business Unit at Cisco

  15. Other Solutions • Turn off IPv6 on your hosts if you’re not using it • Not a great solution • Not a solution at all if you need/want to do IPv6 • But can you really ensure that you have done this?

  16. Other Solutions • Monitor for bogus IPv6 Router Advertisements • À la XArp-type IPv4 ARP monitoring software • IPv6 routers would be the perfect devices to do this: track the other routers that appear on the link • Maybe even send an SNMP trap – maybe not
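A monitor of the kind slide 16 asks for, and a concrete form of the "which router is the right one" question from slides 6 and 7, as an added example that is not code from the presentation: it takes raw IPv6 packets as a sniffer on the segment would deliver them, picks out ICMPv6 Router Advertisements, and reports any that fail the on-link sanity checks of RFC 4861 (hop limit 255, link-local source, valid checksum) or that come from a router, or advertise a prefix, outside a site allowlist. The allowlist (`KNOWN_ROUTERS`, `KNOWN_PREFIXES`), the documentation-range prefixes and the sample frames built by `build_ra` are all constructed for the example.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3

# Assumed site policy for this segment (constructed for the example): the one router we
# operate and the one prefix it is supposed to hand out.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
KNOWN_PREFIXES = {ipaddress.IPv6Network("2001:db8:f7::/64")}


def icmpv6_checksum(src, dst, payload):
    """Ones-complement checksum over the IPv6 pseudo-header and the ICMPv6 message."""
    data = src.packed + dst.packed + struct.pack("!I", len(payload)) + b"\x00\x00\x00\x3a" + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src, prefix, lladdr, hop_limit=255):
    """Constructed sample: an IPv6 packet carrying a Router Advertisement with a Prefix
    Information option and a Source Link-Layer Address option."""
    src = ipaddress.IPv6Address(src)
    dst = ipaddress.IPv6Address("ff02::1")  # all-nodes multicast
    net = ipaddress.IPv6Network(prefix)
    # RA header: type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    body = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    # Prefix Information option (4 x 8 bytes) with the L and A flags set
    body += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    body += net.network_address.packed
    body += struct.pack("!BB", OPT_SOURCE_LINK_LAYER, 1) + bytes.fromhex(lladdr.replace(":", ""))
    body = body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]
    header = struct.pack("!IHBB", 0x60000000, len(body), 58, hop_limit) + src.packed + dst.packed
    return header + body


def check_ra(frame):
    """Findings for one IPv6 packet; [] means it is not an RA, or it is an RA we expect."""
    if len(frame) < 40:
        return ["truncated IPv6 header"]
    _, payload_len, next_header, hop_limit = struct.unpack("!IHBB", frame[:8])
    src = ipaddress.IPv6Address(frame[8:24])
    dst = ipaddress.IPv6Address(frame[24:40])
    body = frame[40:40 + payload_len]
    if next_header != 58 or len(body) < 16 or body[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return []
    findings = []
    # RFC 4861 6.1.2: an RA must be link-local sourced with hop limit 255, which proves that
    # nobody forwarded it, so anything else is either broken or injected from off-link.
    if hop_limit != 255:
        findings.append("hop limit %d, RA was not sent directly on this link" % hop_limit)
    if not src.is_link_local:
        findings.append("source %s is not link-local" % src)
    if icmpv6_checksum(src, dst, body) != 0:
        findings.append("bad ICMPv6 checksum")
    if src not in KNOWN_ROUTERS:
        findings.append("unknown router %s" % src)
    sender_mac = None
    pos = 16
    while pos + 2 <= len(body):
        opt_type, opt_len = body[pos], body[pos + 1]
        if opt_len == 0:
            findings.append("zero-length ND option")
            break
        opt = body[pos:pos + 8 * opt_len]
        if len(opt) < 8 * opt_len:
            findings.append("truncated ND option")
            break
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            prefix = ipaddress.IPv6Network((int.from_bytes(opt[16:32], "big"), opt[2]), strict=False)
            if prefix not in KNOWN_PREFIXES:
                findings.append("unknown prefix %s" % prefix)
        elif opt_type == OPT_SOURCE_LINK_LAYER and opt_len == 1:
            sender_mac = ":".join("%02x" % b for b in opt[2:8])
        pos += 8 * opt_len
    if findings and sender_mac:
        findings.append("sender MAC %s" % sender_mac)  # what you need to find the port on the switch
    return findings


if __name__ == "__main__":
    samples = {
        "our router": build_ra("fe80::1", "2001:db8:f7::/64", "00:11:22:33:44:55"),
        "rogue":      build_ra("fe80::dead:beef", "2001:db8:bad::/64", "de:ad:be:ef:00:01"),
        "forwarded":  build_ra("fe80::1", "2001:db8:f7::/64", "00:11:22:33:44:55", hop_limit=64),
    }
    for name, frame in samples.items():
        print(name, "->", check_ra(frame) or "ok")
```

Feeding real traffic to `check_ra` means opening a raw socket (or reading a pcap) on the router or a sensor, which the block deliberately leaves out; the legitimate router itself is the natural place to run it, as the slide suggests, because it already knows which advertisements are its own. The MAC in the Source Link-Layer Address option is only as trustworthy as the sender, but it is still what you take to the switch to find the port.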

  17. Talk to Your Switch Vendor • We all need to be talking to our vendors • Talk to them about how you want IPv6 to work 1, 2, or 3 years from now • Make IPv6 a requirement in all your purchases • Test the features

  18. IPv6 Support Priority List for Vendors • Basic functionality – you can pass IPv6 at all • Security – security features comparable to what you have for IPv4 • IPv6 manageability • Full IPv4 feature parity

  19. IPv6 Access Switch Features • IPv6-aware Layer 2 ACLs • DHCPv6 snooping • IPv6 Neighbor Discovery validation • MLDv2 snooping • IPv6-aware QoS features

  20. Conclusion • Start thinking about IPv6 as part of your normal network • Think about it in the same ways as IPv4 • However, take the opportunity to rethink how you are doing your normal networking • Talk to your Vendors early and often
