Securing the Data Plane in IPv6 Environments
© 2012 Cisco and/or its affiliates. All rights reserved.
Contents
In this chapter, you learn how to do the following:
• Explain the need for IPv6 from the general perspective of the transition to IPv6 from IPv4
• List and describe the fundamental features of IPv6, as well as enhancements when compared to IPv4
• Analyze the IPv6 addressing scheme, components, and design principles and configure IPv6 addressing
• Describe the IPv6 routing function
• Evaluate how common and specific threats affect IPv6
• Develop and implement a strategy for IPv6 security
The Need for IPv6
IPv6 Features and Enhancements
IPv6 is a powerful enhancement to IPv4. Several features in IPv6 offer functional improvements. What IP developers
learned from using IPv4 suggested changes to better suit current and probable network demands:
• Larger address space:
• Simpler header:
• Mobility and security:
• Transition richness:
IPv6 Headers
The new IPv6 header is simpler than the IPv4 header, in the following ways:
• Half of the previous IPv4 header fields are removed. This enables simpler processing of the packets, enhancing the
performance and routing efficiency.
• All fields are aligned to 64 bits, which enables direct storage and access in memory by fast lookups.
• No checksum occurs at the IP layer, and no recalculation is performed by the routers. Error detection is done by the
link layer and transport layer.
Stateless Address Autoconfiguration
IPv4 and IPv6 Compared
Transition to IPv6
• Manually
  – IPv6-in-IPv4
  – GRE (not discussed)
  – VPN (not discussed)
• Semiautomatically
  – Tunnel broker (proxying)
• Automatically
  – 6to4
  – ISATAP
  – Teredo
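The automatic tunnel mechanisms above (6to4, ISATAP, Teredo) embed the IPv4 tunnel endpoint inside the IPv6 address, so an IPv6 source address seen in a log or a flow record tells you which IPv4 host (and, for Teredo, which NAT-mapped UDP port) the traffic really came from. The following is an added worked example, not code from the original Cisco slides: it decodes those three address layouts as defined in RFC 3056, RFC 4380 and RFC 5214 and triages a constructed list of observed source addresses. The function names and the sample addresses are the example's own.

```python
"""Decode the IPv4 endpoints embedded in 6to4, Teredo and ISATAP addresses.

Added worked example (not part of the original slides). Useful when auditing
which hosts reach an IPv6 network through automatic tunnels: the inner IPv6
address reveals the outer IPv4 endpoint that an ingress filter or a log
review actually needs to see.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional


def decode_transition_address(addr: str) -> Optional[Dict[str, object]]:
    """Return the tunnel endpoint details hidden in addr, or None if it is native."""
    p = ipaddress.IPv6Address(addr).packed
    # 6to4 (RFC 3056): 2002:WWXX:YYZZ::/48, public IPv4 W.X.Y.Z in bits 16..47.
    if p[0:2] == b"\x20\x02":
        return {"mechanism": "6to4",
                "ipv4": str(ipaddress.IPv4Address(p[2:6]))}
    # Teredo (RFC 4380): 2001:0000::/32 | server IPv4 | flags | ~port | ~client IPv4.
    # The port and client address are stored bit-inverted to survive NAT ALGs.
    if p[0:4] == b"\x20\x01\x00\x00":
        flags = int.from_bytes(p[8:10], "big")
        return {"mechanism": "Teredo",
                "server": str(ipaddress.IPv4Address(p[4:8])),
                "flags": flags,                      # 0x8000 was the RFC 4380 cone flag
                "port": int.from_bytes(p[10:12], "big") ^ 0xFFFF,
                "ipv4": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16])))}
    # ISATAP (RFC 5214): any /64 with interface ID 0000:5EFE:W.X.Y.Z
    # (0200:5EFE when the embedded IPv4 address is globally unique).
    if p[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return {"mechanism": "ISATAP",
                "ipv4": str(ipaddress.IPv4Address(p[12:16]))}
    return None


def tunnelled_sources(addrs: Iterable[str]) -> List[Dict[str, object]]:
    """Keep only the addresses that arrived through an automatic tunnel."""
    found = []
    for s in addrs:
        d = decode_transition_address(s)
        if d is not None:
            d["address"] = s
            found.append(d)
    return found


if __name__ == "__main__":
    # Constructed sample addresses, not captured traffic.
    sample = ["2001:db8::1",
              "2002:c000:201::1",
              "2001:0:4136:e378:8000:63bf:3fff:fdd2",
              "fe80::5efe:c000:207"]
    for hit in tunnelled_sources(sample):
        print(hit)
```

The point for a filter designer: a packet with a 6to4 or Teredo source is an IPv4 packet in disguise, so ingress policy that only inspects the IPv4 outer header (protocol 41, or UDP/3544 for Teredo) never sees the IPv6 addresses this code recovers.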
IPv6 Address Representation
IPv6 Address Types
• Unicast
  – Address is for a single interface
  – IPv6 has several types (for example, global, reserved, link-local, and site-local; site-local was deprecated by RFC 3879 in favor of unique local addresses, FC00::/7)
• Multicast
  – One-to-many
  – Enables more efficient use of the network
  – Uses a larger address range
• Anycast
  – One-to-nearest (allocated from unicast address space)
  – Multiple devices share the same address
  – All anycast nodes should provide uniform service
  – Source devices send packets to the anycast address
  – Routers decide on the closest device to reach that destination
  – Suitable for load balancing and content delivery services
IPv6 Unicast Addressing
IPv6 address types have the following patterns:
• Global: Starts with 2000::/3 and is assigned by the Internet Assigned Numbers Authority (IANA)
• Reserved: Used by the IETF
• Private: Link-local (starts with FE80::/10)
• Loopback: ::1
• Unspecified: ::
IPv6 Global Unicast and Anycast Addresses
Link-Local Addresses
Multicast Addresses
Assigning IPv6 Global Unicast Addresses
There are several ways to assign an IPv6 address to a device:
• Static assignment using a manual interface ID
• Static assignment using an EUI-64 interface ID
• Stateless autoconfiguration
• DHCP for IPv6 (DHCPv6)
IPv6 EUI-64 Interface Identifier
IPv6 Address Configuration Example
R1(config)# ipv6 unicast-routing
R1(config)# interface fa0/0
R1(config-if)# ipv6 address 2001:db8:c18:1::/64 eui-64
R1# show ipv6 interface fa0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::218:B9FF:FE21:9278
Global unicast address(es):
2001:DB8:C18:1:218:B9FF:FE21:9278, subnet is 2001:DB8:C18:1::/64
Joined group address(es):
FF02::1:FF21:9278
FF02::1
FF02::2
MTU is 1500 bytes
<output omitted>
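The output above shows what the router derived from the interface MAC address: the U/L bit of the first octet was flipped (00 became 02), FFFE was inserted in the middle, and the low 24 bits of the result also determine the solicited-node multicast group FF02::1:FF21:9278 that the interface joins. The following is an added worked example, not code from the original slides, that reproduces that derivation in Python and also reverses it, which is the privacy concern with EUI-64: anyone who sees the global address can read the hardware address out of it. The MAC 0018.b921.9278 is assumed from the output shown; the function names are the example's own.

```python
"""Modified EUI-64 interface IDs and solicited-node multicast groups (RFC 4291).

Added worked example (not part of the original slides). Reproduces what
`ipv6 address 2001:db8:c18:1::/64 eui-64` computes from the interface MAC,
and the reverse mapping that makes EUI-64 addresses trackable.
"""
import ipaddress
from typing import Optional

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def parse_mac(mac: str) -> bytes:
    """Accept 00:18:b9:21:92:78, 00-18-b9-21-92-78 or Cisco 0018.b921.9278."""
    digits = "".join(ch for ch in mac if ch.isalnum())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: flip the universal/local bit and insert FF:FE."""
    m = parse_mac(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID for mac."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC if the interface ID is modified EUI-64, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None          # random, manual or privacy-extension interface ID
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in m)


if __name__ == "__main__":
    mac = "0018.b921.9278"   # assumed from the show output above
    g = address_from_prefix("2001:db8:c18:1::/64", mac)
    print("link-local     ", address_from_prefix("fe80::/64", mac))
    print("global         ", g)
    print("solicited-node ", solicited_node_multicast(str(g)))
    print("MAC recovered  ", mac_from_eui64(str(g)))
```

Because the interface ID is constant across prefixes, the same host is identifiable wherever it roams; that is why RFC 4941 privacy extensions or a manually chosen interface ID are preferred for client hosts.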
Routing Considerations for IPv6
• Static
• RIPng (RFC 2080)
• OSPFv3 (RFC 2740, since obsoleted by RFC 5340)
• IS-IS for IPv6
• MP-BGP4 (RFC 2545/2858; RFC 2858 has since been obsoleted by RFC 4760)
• EIGRP for IPv6
Revisiting Threats: Considerations for IPv6
In general, many types of attacks are similar between IPv4 and IPv6, as listed below. For some attack types,
additional information is provided.
• Reconnaissance
  – Not so easy in IPv6 due to the large address space
  – Scanners will make the router trigger NDP, wasting CPU and resources
  – Attack tools exist today (parasite6 and fake_router6 from the THC-IPv6 suite, Scapy6, and others)
• Viruses and worms
  – Scanning will probably use alternative techniques
• Application layer attacks
  – Same implications
  – The peer-to-peer nature of IPv6 augments the problem
Revisiting Threats: Considerations for IPv6
• Unauthorized access
• Man-in-the-middle attacks
  – Still a possibility
  – Myth: mandatory IPsec resolves the issue
  – Reality: IPsec support is a mandatory part of the stack (RFC 6434 has since relaxed even that to a SHOULD), but it still has to be configured, so it protects nothing by default
• Sniffing or eavesdropping
• Denial of service (DoS) attacks
• Spoofed packets: forged addresses and other fields
  – Still a possibility
  – Bogons (bogus IP addresses) are a reality today
• Attacks against routers and other networking devices
• Attacks against the physical or data link layers
Revisiting Threats: Considerations for IPv6
However, there is also some bad news. Because IPv6 does some things differently from IPv4, a number of familiar threats change shape along with it. The following threats are only slightly modified by IPv6:
• LAN-based attacks (NDP)
• Attacks against DHCP or DHCPv6
• DoS against routers (hop-by-hop extension headers rather than router alerts)
• Fragmentation (IPv4 routers performing fragmentation versus IPv6 hosts using a fragment extension header)
• Packet amplification attacks (IPv4 uses broadcast; IPv6 uses multicast)
List of threats that are unique to IPv6 networks
• Reconnaissance and scanning worms: Brute-force discovery is more difficult.
• Attacks against ICMPv6: ICMPv6 is a required component of IPv6.
• Extension header (EH) attacks: EHs need to be accurately parsed.
• Autoconfiguration: NDP attacks are simple to perform.
• Attacks on transition mechanisms: Migration techniques are required to deploy IPv6, and each tunnel or translation mechanism is an additional attack surface.
• Mobile IPv6 attacks: Devices that roam are susceptible to multiple vulnerabilities.
• IPv6 protocol stack attacks: Because IPv6 code is comparatively fresh, bugs in protocol stacks exist.
IPv6 introduces the following difficulties or vulnerabilities
• Training and planning
  – Lack of knowledge and poor planning, even for basic security controls (for example, weak ingress filtering or no filtering at all)
• End nodes are exposed to many threats:
  – Address configuration parameters: rogue configuration parameters
  – Address initialization: denial of address insertion
  – Address resolution: address stealing
  – Default gateway discovery: rogue routers
  – Neighbor reachability tracking: rogue neighbor status
• Extension headers
  – Hosts process routing headers (RH); Type 0 (RH0) was deprecated by RFC 5095 for this reason, but stacks and filters still have to parse it correctly in order to drop it
  – Extension headers can be exploited (for example, the routing header for source routing and reconnaissance)
  – Amplification attacks based on the routing header
Examples of Possible IPv6 Attacks
Traffic Loop from Exploiting Routing Header
• The attacker manipulates the routing header to create a traffic loop.
• RH0 packets can be created with a list of embedded IPv6 addresses.
• The packet is forwarded to every system in the list before finally being sent to the destination address.
• If the embedded addresses in an RH0 packet are two systems on the Internet listed numerous times, the packet bounces between those two systems, a type of feedback loop.
• DoS attacks can use this feedback loop to consume resources on the listed systems or to amplify the packets that are sent to a victim (RFC 5095 deprecates RH0 for exactly this reason).
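Blocking this attack means finding the routing header, which may sit behind hop-by-hop, destination-options or fragment headers, and checking its type field, which is why the earlier slide stresses that extension headers must be parsed accurately. The following is an added worked example, not code from the original slides: it walks an IPv6 extension header chain, reports any Type 0 routing header together with the loop pattern described above (a long segment list with only two distinct addresses), and builds a constructed RH0 packet purely as test input. Header layouts follow RFC 8200 and, for RH0, RFC 2460; the packet builder leaves the ICMPv6 checksum at zero, so its output is not a valid on-the-wire packet, and all addresses are documentation addresses.

```python
"""Walk an IPv6 extension header chain and flag Type 0 routing headers (RH0).

Added worked example (not part of the original slides). Detection logic only:
RH0 is deprecated by RFC 5095 and the builder below exists to produce test
input for the detector, not traffic for a real network.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

HOPOPT, TCP, ROUTING, FRAGMENT, AH, ICMPV6, DSTOPTS = 0, 6, 43, 44, 51, 58, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}


def walk_extension_headers(pkt: bytes) -> List[Tuple[int, int, int]]:
    """Return (header_type, offset, length) for each extension header, in order."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            length = 8                         # fixed size, no length field
        elif nh == AH:
            length = (pkt[off + 1] + 2) * 4    # AH counts 32-bit words, minus 2
        else:
            length = (pkt[off + 1] + 1) * 8    # others count 8-octet units, minus 1
        if off + length > len(pkt):
            raise ValueError("extension header runs past end of packet")
        chain.append((nh, off, length))
        nh, off = pkt[off], off + length       # first octet is the next header
    return chain


def rh0_findings(pkt: bytes) -> Optional[Dict[str, object]]:
    """Describe the first Type 0 routing header in pkt, or return None."""
    for htype, off, length in walk_extension_headers(pkt):
        if htype != ROUTING or pkt[off + 2] != 0:   # routing type lives at offset 2
            continue
        addrs = [ipaddress.IPv6Address(pkt[i:i + 16])
                 for i in range(off + 8, off + length, 16)]
        return {"segments_left": pkt[off + 3],
                "addresses": addrs,
                "distinct": len(set(addrs)),
                # the ping-pong pattern: many segments, very few distinct hops
                "looping": len(addrs) >= 4 and len(set(addrs)) <= 2}
    return None


def build_rh0_packet(src: str, dst: str, hops: List[str]) -> bytes:
    """Constructed test input: ICMPv6 echo behind an RH0 listing hops (checksum left zero)."""
    hdr_ext_len = 2 * len(hops)                 # 16 octets per address, in 8-octet units
    rh = struct.pack("!BBBBI", ICMPV6, hdr_ext_len, 0, len(hops), 0)
    rh += b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    echo = b"\x80\x00\x00\x00\x00\x00\x00\x00"  # type 128 echo request, code 0
    payload = rh + echo
    ip = struct.pack("!IHBB", 6 << 28, len(payload), ROUTING, 64)
    return ip + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_plain_packet(src: str, dst: str, next_header: int = TCP) -> bytes:
    """Constructed test input: bare IPv6 header with no extension headers."""
    ip = struct.pack("!IHBB", 6 << 28, 0, next_header, 64)
    return ip + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed


if __name__ == "__main__":
    loop = build_rh0_packet("2001:db8::1", "2001:db8::2",
                            ["2001:db8::a", "2001:db8::b"] * 3)
    print(rh0_findings(loop))
    print(rh0_findings(build_plain_packet("2001:db8::1", "2001:db8::2")))
```

A filter that matches only on the IPv6 next-header field misses a routing header placed after a hop-by-hop or destination-options header; walking the whole chain, as above, is what makes the check reliable.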
Network Scan from Exploiting NDP
• The attacker abuses NDP by using a router to amplify a network scan: from outside, it sweeps addresses in a directly connected /64 that no host is actually using.
• For every probed address, the router sends Neighbor Solicitation (NS) messages onto the LAN segment (to the solicited-node multicast group for that address) and holds an INCOMPLETE neighbor cache entry while it waits for a reply, so a scan of a mostly empty /64 consumes router CPU and neighbor cache; this is the neighbor cache exhaustion problem described in RFC 6583.
Combo Attack on IPv6