Wednesday, July 29, 2015

ipv6 RA security concerns

Here I wanted to discuss some IPv6 Router Advertisement concerns. For devices that use autoconf, aka SLAAC (Stateless Address Autoconfiguration), the Router Advertisements are crucial. SLAAC is the most widely used method for the assignment of IPv6 prefixes to IPv6-enabled hosts.

Most firewalls support prefix assignment and default-gateway detection within the ICMPv6 packets that are used for RT-Advertisements.

The general concept is for the client to solicit, or wait for, regular advertisements to find the usable IPv6 prefix(es) and gateway information.

First off, the biggest security issue within an IPv6 network is the risk of an imposter spoofing the IPv6 gateway. Within Cisco and most other routers, you have the means to ensure the preference is set for when you have 2 or more IPv6 gateways serving the local LAN.

In most IOS versions it's configurable via the following command on routers or L3 switches.

ipv6 nd router-preference high | medium | low

But for the commercial firewalls, we don't have this option. Outside of an open-source firewall platform (pfSense, Linux, etc.), the general router-preference within the RT-Advertisement is set to "medium".


A juniper SRX configuration with aggressive intervals



So what this means:
  • An imposter could hijack your IPv6 hosts' default gateway
  • An imposter who spoofs your firewall's link-local address could construct an RT-Advertisement and direct all traffic to the hijacker
  • You're exposed to MiTM attacks
  • An imposter could play back forged RT-Advertisements and disrupt connectivity
  • An imposter could inject a spoofed RT-Advertisement with the default lifetime set to zero, hence making that router inactive


If you find yourself getting an IPv6 prefix but no IPv6 default gateway, then 9 out of 10 times it's a bad router default lifetime value set as "0".
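A monitoring check for the conditions listed above, as an added example that is not part of the original post: it parses a captured ICMPv6 Router Advertisement and compares it with an inventory of the routers you expect on the segment. The function names, the inventory layout, and the sample packets are assumptions constructed for illustration; the RA bytes and source address would come from whatever capture tool is in use.

```python
import ipaddress
import struct
PRF = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}  # RFC 4191

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134) per RFC 4861."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", icmp6, 5)
    ra = {"pref": PRF[(flags >> 3) & 3], "lifetime": lifetime, "mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8  # option length is in 8-octet units
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed option")
        if otype == 1 and olen == 8:       # source link-layer address
            ra["mac"] = ":".join(f"{b:02x}" for b in icmp6[off + 2:off + 8])
        elif otype == 3 and olen == 32:    # prefix information
            addr = ipaddress.IPv6Address(bytes(icmp6[off + 16:off + 32]))
            ra["prefixes"].append(f"{addr}/{icmp6[off + 2]}")
        off += olen
    return ra

def check_ra(src: str, icmp6: bytes, trusted: dict) -> list:
    """Compare one RA with the expected routers; return a list of findings."""
    ra, known, out = parse_ra(icmp6), trusted.get(src), []
    if known is None:
        out.append(f"unknown router {src} (preference {ra['pref']})")
    else:
        if ra["mac"] != known["mac"]:
            out.append("MAC does not match trusted router (spoofed link-local?)")
        if ra["pref"] != known["pref"]:
            out.append(f"preference {ra['pref']}, expected {known['pref']}")
    if ra["lifetime"] == 0:
        out.append("router lifetime 0 (withdraws the default gateway)")
    allowed = known["prefixes"] if known else []
    out += [f"unexpected prefix {p}" for p in ra["prefixes"] if p not in allowed]
    return out

def sample_ra(flags, lifetime, mac, prefix, plen=64):
    """Build a constructed RA for the demo (checksum left at 0, not verified)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 86400, 14400, 0)
    return hdr + slla + pio + ipaddress.IPv6Address(prefix).packed
# Constructed inventory and packets (documentation prefix and MAC ranges).
TRUSTED = {"fe80::1": {"mac": "00:00:5e:00:53:01", "pref": "medium", "prefixes": ["2001:db8:1::/64"]}}
GOOD = sample_ra(0x00, 1800, "00:00:5e:00:53:01", "2001:db8:1::")
FORGED = sample_ra(0x08, 0, "00:00:5e:00:53:99", "2001:db8:1::")
```

`check_ra("fe80::1", GOOD, TRUSTED)` returns an empty list, while the forged packet using the same link-local source is flagged for its MAC, its "high" preference, and its zero router lifetime.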

Okay, so the only way we can protect ourselves is to deploy IPv6 spoof protection, which is available within Cisco and Juniper L2/L3 switches. This protection would prevent spoofing and protect us from untrusted ports.

e.g. (sample Cisco 2960S configuration)

int gi 1/0/1
 ipv6 nd raguard attach-policy HOSTONLY-RA
 ipv6 nd inspection attach-policy PROT-ND
 ipv6 snooping attach-policy PROTECT-ipv6-snooping


ip device tracking
ipv6 icmp error-interval 80
ipv6 nd raguard policy HOSTONLY-RA
 match ra prefix-list deny-v6
!
ipv6 nd inspection policy PROT-ND
 validate source-mac
 sec-level minimum 1
 limit address-count 1
 drop-unsecure
!
ipv6 nd inspection policy Trust
 trusted-port
!
ipv6 snooping policy PROTECT-ipv6-snooping
 limit address-count 1
 tracking enable
!
ipv6 snooping policy Trust
 trusted-port
!


The above will protect Layer 2 access ports from rogue and spoofed attacks, but this might not be available on a low-end switch or non-Cisco hardware (i.e. D-Link, HP, TRENDnet, etc.).

Keep these thoughts in mind: route advertisements are crucial in an IPv6 network and expose a high degree of risk if tampered with.

Ken Felix
NSE ( Network Security Expert) and Route/Switching Engineer.
kfelix  -----a----t---- socpuppets ---dot---com

    ^     ^
=(  *  * )=
       o 
      /  \
