IPv6 security aspects
Bert Hubert
IPv6 is more of the same, but there are still things to think about
http://tinyurl.com/ipv6security
Or over IPv6: http://xs.powerdns.com/ipv6-security
Agenda
• Who am I?
• IPv6: where does it come from?
• IPv6: more of the same, or, twice the work
• Things to watch out for:
  • I have IPv6?? (three ways)
  • End-to-End by default
  • Equal protection
  • Privacy issues
  • Lawful intercept: when the government calls
  • DNS64
Who am I?
• Founder of PowerDNS: powers 40% of European domain names
• Principal Consultant: ”Experts in IT Security – for a more secure society”
PowerDNS
• DNS converts ”www.ipv6day.nl” into 145.100.96.6 (or 2001:610:158:960::6!)
• PowerDNS is the DNS server of around 30%-50% of all European domains, in use by the largest DNS operators in the world
• You 'use' it every day
• First DNS server to be able to run from a database
• First DNS server with ”easy DNSSEC”
• .. every year we find some remaining non-IPv6-safe things, but 3.0 is complete
  • I hope..
• 12% of downloads of 3.0 over IPv6!
Fox-IT
• Supplies governments, financial institutions and others with IT security training, solutions and services. Around 100 ”nerds, geeks and hackers”
• High-end cryptography & security devices
• Audits, forensic investigation
• Fighting cybercrime
• Replay: innovative communication analysis tools (full IPv6!)
• We don't have IPv6 yet externally!
  • .. very secure
IPv6, where does it come from?
• IPv6 can be delivered natively or via a tunnel
  • The tunnel in that case runs over IPv4
  • Manual & automatic
• Natively can be on a normal (ether)network
• Natively can also mean that it arrives serially (to your DSL device or cable modem)
• To get an IPv4 address, you usually use DHCP
• IPv6 has that too, but also automatic address assignment ('you pick an address, and it will be ok')
Our goal in life
• If we care about security, we want to know about
  • what traffic is going where
  • Block unwanted traffic
  • Keep an eye out for intrusions
• This goes for email, but also for IP traffic
• IPv6 is no different
[Diagram: Internet → IDS/IPS/Spam appliance → Access rules: OK!]
[Diagram: IPv4 → IDS/IPS/Spam appliance → Access rules: OK!]
[Diagram: IPv4 → IDS/IPS/Spam appliance → Access rules, with IPv6 drawn outside that path: @$#$#$#%$#$$%]
[Diagram: IPv4 and IPv6 → IDS/IPS/Spam appliance → Access rules: OK!]
IPv6: more of the same
• 4 → 6: 50% more!
• 32 bits → 128 bits: 300% more!
  • 7922816251426433759354395033500% more addresses
• One server suddenly has three addresses: 200% more!
• This sounds trivial, but suddenly the 'rule count' of your firewall, IDS, IPS etc doubles
• Previously each server had one 'window on the world', now two
• Both need to be filtered and monitored
• Can happen without conscious action!
Wait, what, I have IPv6?
• You do!
• Say hi to fe80::92fb:a6ff:fe4a:51da%eth0!
• Link-Local
  • Pretty neat invention: every ethernet device already has a local address!
  • Not routed, but works on the local ethernet segment
  • Used ”internally” by IPv6 too
• Everything that listens on the 'ANY' address listens on this address too!
• Not funny, although the impact is only 'local'
Wait, what, I have IPv6?
• Many computers will automatically acquire an IPv6 address if a Router Advertiser is present on a segment
  • Anyone can start one!
  • Not only your friends
• Same goes for 'DHCPv6', but this is similar to 'rogue DHCP servers' for IPv4.
• Wonderful way to get your servers to expose themselves over IPv6
  • Possibly route the traffic to the world too
• → monitor for rogue routers, configure the OS to not do this if you don't want it
Wait, what, I have IPv6?
• In a laudable effort to spread the use of IPv6, most versions of Microsoft Windows support ”Teredo”
• Turned on with a simple command, Windows will open up an IPv4 UDP ”connection” to teredo.ipv6.microsoft.com and give you an IPv6 address
• Unless you block UDP port 3544, this ”just works” (straight through NAT too!)
• → block UDP/3544 if you want to stop this
Firewalls, access rules
• Since the world is going to be dual stack for quite a while, most filtering will have to happen twice
• This offers a lot of opportunity for forgetting to update the IPv6 filters
  • In a few years time, this will be the other way around!
• A quite real risk is that existing equipment does not (properly) support IPv6 and that two separate firewall technologies will have to be kept in sync...
• → try to automate this or get 'logical' ACLs
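The 'logical ACL' idea from this slide, as an added example (not code from the talk or from PowerDNS): one policy entry per service carries both the IPv4 and the IPv6 address of a host, and the iptables and ip6tables rule sets are generated from it, so the two families cannot drift apart by accident. The www addresses are the ones the slides use for www.ipv6day.nl; the dns entry, the rule layout and the `drift` check are constructed for illustration.

```python
import ipaddress

# Constructed policy: one logical entry per service, with both addresses of the host.
# www uses the addresses from the slides; the dns entry is made up for the example.
POLICY = [
    {"name": "www", "v4": "145.100.96.6", "v6": "2001:610:158:960::6",
     "allow": [("tcp", 80), ("tcp", 443)]},
    {"name": "dns", "v4": "192.0.2.53", "v6": "2001:db8::53",
     "allow": [("udp", 53), ("tcp", 53)]},
]


def render(policy):
    """Expand the logical policy into iptables and ip6tables command lines."""
    rules = {"iptables": [], "ip6tables": []}
    for entry in policy:
        for family, tool in (("v4", "iptables"), ("v6", "ip6tables")):
            addr = ipaddress.ip_address(entry[family])
            for proto, port in entry["allow"]:
                rules[tool].append(
                    f"{tool} -A INPUT -p {proto} -d {addr} --dport {port} -j ACCEPT")
            # Every address gets the same default: anything not allowed above is dropped,
            # so a host never ends up 'open by default' on one family only.
            rules[tool].append(f"{tool} -A INPUT -d {addr} -j DROP")
    return rules


def coverage(rules):
    """Set of (proto, port) pairs a rendered rule set accepts; lets you compare families."""
    out = set()
    for rule in rules:
        parts = rule.split()
        if "--dport" in parts and parts[parts.index("-j") + 1] == "ACCEPT":
            out.add((parts[parts.index("-p") + 1], int(parts[parts.index("--dport") + 1])))
    return out


def drift(policy, deployed_ip6tables):
    """Rules the policy wants on the IPv6 side that the deployed ip6tables set lacks."""
    wanted = render(policy)["ip6tables"]
    deployed = set(deployed_ip6tables)
    return [rule for rule in wanted if rule not in deployed]


if __name__ == "__main__":
    rendered = render(POLICY)
    for tool in ("iptables", "ip6tables"):
        print("\n".join(rendered[tool]))
    # Simulate an operator who forgot the IPv6 rules for the dns host
    stale = [r for r in rendered["ip6tables"] if "2001:db8::53" not in r]
    print("missing on the IPv6 side:", drift(POLICY, stale))
```

Comparing `coverage()` of the two rendered sets is the cheap sanity check: if the IPv4 and IPv6 sides ever accept different (proto, port) sets, something was edited by hand on one side only.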
Intrusion detection systems
• These monitor IP traffic to spot odd things
• Problem is.. will they monitor IPv6 tunneled in IPv4 too? (no)
  • You might already have these tunnels
  • Some exciting IPv6-only content already!
• And even if they do, will the same signatures apply?
  • http://127.0.0.1/ traffic on an IPv4 link is odd, but is there a rule for http://[::1]/ too?
• Might force an upgrad€ on you
• → check release notes & configuration
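The three 'unwanted IPv6' situations from the previous slides (rogue Router Advertisements, Teredo over UDP/3544, IPv6 tunneled inside IPv4) and the family-agnostic signature point from this one, as an added detection example written for this page rather than taken from the talk or any IDS product. It runs over constructed flow records (not a real capture); the allowlist of legitimate routers and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int                      # IP protocol: 6 TCP, 17 UDP, 41 IPv6-in-IPv4, 58 ICMPv6
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None  # only meaningful for proto 58


# Assumption: the only routers that may send Router Advertisements on this segment
KNOWN_ROUTERS = {"fe80::1"}

# Constructed sample flows; none of these come from a real network
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.1", 41),                     # 6in4: IPv6 hidden in IPv4
    Flow("192.0.2.11", "203.0.113.5", 17, 54321, 3544),        # Teredo client to server
    Flow("fe80::1", "ff02::1", 58, icmp_type=134),             # RA from the known router
    Flow("fe80::dead:beef:1:2", "ff02::1", 58, icmp_type=134), # RA from an unknown host
    Flow("192.0.2.10", "192.0.2.20", 6, 40000, 80),            # ordinary IPv4 HTTP
    Flow("::1", "2001:db8::5", 6, 40000, 80),                  # loopback source, IPv6
    Flow("127.0.0.1", "192.0.2.20", 6, 40000, 80),             # loopback source, IPv4
]


def classify(flow, known_routers=KNOWN_ROUTERS):
    """Return the list of findings for one flow (empty when nothing is odd)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    findings = []
    # IPv6 carried inside IPv4: an IDS that only parses native IPv6 never sees the payload
    if src.version == 4 and flow.proto == 41:
        findings.append("6in4-tunnel")
    # Teredo uses UDP/3544; the slide's advice is to block it if you don't want it
    if src.version == 4 and flow.proto == 17 and 3544 in (flow.sport, flow.dport):
        findings.append("teredo")
    # ICMPv6 type 134 is a Router Advertisement; only the known routers may send one
    if (src.version == 6 and flow.proto == 58 and flow.icmp_type == 134
            and flow.src not in known_routers):
        findings.append("rogue-router-advertisement")
    # The same signature in both families: loopback addresses never belong on a link,
    # whether they are written 127.0.0.1 or ::1
    if src.is_loopback or dst.is_loopback:
        findings.append("loopback-on-wire")
    return findings


def scan(flows, known_routers=KNOWN_ROUTERS):
    """Map the index of each offending flow to its findings."""
    report = {}
    for i, flow in enumerate(flows):
        found = classify(flow, known_routers)
        if found:
            report[i] = found
    return report


if __name__ == "__main__":
    for i, found in scan(SAMPLE_FLOWS).items():
        print(i, SAMPLE_FLOWS[i].src, "->", SAMPLE_FLOWS[i].dst, found)
```

Using `ipaddress` for the address checks is what makes the loopback rule family-neutral: `is_loopback` is true for both 127.0.0.0/8 and ::1, so one rule covers the case the slide says many signature sets only have for IPv4.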
IPv6: the good stuff
• Way more addresses!
  • Solves the fact that we ran out
• In fact, SO many more IP addresses that it becomes feasible to have world-routable addresses for office & home use
  • Currently, everybody uses private-space IPv4 addresses
• This is a game changer
• And potentially very scary!
[Diagram, current communication model: two desktops, both 10.0.0.23, each behind a NAT router on the IPv4 Internet; they can only reach each other via a mail/chat server]
[Diagram: no way to get from A to A! 10.0.0.23 to 10.0.0.23]
[Diagram, current ”cloud” communication model: two desktops, both 10.0.0.23, behind NAT routers on the IPv4 Internet]
[Diagram, routable communication model: desktop 2001:1::2 and desktop 2001:2::2 talk directly over the IPv6 Internet. BRING ON THE INNOVATION!!!]
[Diagram, routable communication model: desktop 2001:1::2 and desktop 2001:1::2 connected directly over the IPv6 Internet. :-(]
Default secure to default insecure
• With IPv4 we needed the NAT router in order to make it work
  • Offered some ”free security” because the outside world can't connect to 10.0.0.23
  • And without that router, it would not work
  • → 'secure' by default
• With IPv6, things work just fine without NAT!
  • Plug it in and it works!
  • Unfiltered, bidirectional
  • Makes cool things possible
  • Makes other things possible too..
• From now on you MUST have a firewall/ACL!
Quality issues
• This should solve itself over time
• From a programming perspective, IPv6 is a lot like IPv4 but not quite
  • There are opportunities for messing it up
• For example, software with built-in ACL settings that neglects to filter IPv6 traffic
• …
• Another example: there are Cisco products with hardware-based IPv6 filtering
  • But they can't filter packets with ”too many headers”, and forward them!
• → be sure to read release notes!
Privacy issues
• IPv6 addresses are often auto-assigned
  • Router Advertiser says: ”this is the IPv6 prefix for this segment, you pick an address”
• How does a local client invent its IPv6 address? Derive it from the MAC address!
• Scenario: you work on a confidential project at customer X, you get IPv6 address 2001:67c:e4:2001:200:c5ff:fe5f:2c12
• Now you go home and get 2001:31d:f3:2002:200:c5ff:fe5f:2c12
• Popular websites can now predict that you work at customer X & connect it to your home browsing!
• → turn on RFC 4941 support
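How the MAC ends up in the address, and why the two addresses on this slide correlate, as an added example that is not part of the talk: the modified EUI-64 derivation (flip the universal/local bit of the MAC, insert ff:fe in the middle), its inverse, a `same_host` check an auditor can run over two addresses from different networks, and a random interface identifier of the kind RFC 4941 temporary addresses use. The two addresses are the slide's own; the prefixes passed in and the audit helper are assumptions.

```python
import ipaddress
import secrets


def eui64_from_mac(mac, prefix):
    """Modified EUI-64 interface identifier: flip the U/L bit (0x02) and insert ff:fe."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def mac_from_eui64(addr):
    """Recover the MAC from an EUI-64 derived address, or None if the IID is not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02          # undo the U/L bit flip
    return ":".join(f"{o:02x}" for o in octets)


def same_host(addr_a, addr_b):
    """Audit helper (constructed): do two addresses from different prefixes embed one MAC?"""
    mac = mac_from_eui64(addr_a)
    return mac is not None and mac == mac_from_eui64(addr_b)


def temporary_address(prefix):
    """RFC 4941 style temporary address: a random 64-bit IID with the U/L bit cleared."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD             # clear bit 0x02 so the IID is never mistaken for a real EUI-64
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))


if __name__ == "__main__":
    work = "2001:67c:e4:2001:200:c5ff:fe5f:2c12"   # from the slide
    home = "2001:31d:f3:2002:200:c5ff:fe5f:2c12"   # from the slide
    print("MAC at work:", mac_from_eui64(work))
    print("MAC at home:", mac_from_eui64(home))
    print("same machine:", same_host(work, home))
    print("with RFC 4941:", temporary_address("2001:31d:f3:2002::/64"))
```

Running `same_host` over the slide's two addresses returns True because both carry the identifier 200:c5ff:fe5f:2c12; the temporary address carries nothing a second network could match on.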
Legal issues
• Telecommunication industry must cooperate with police & government in most countries
  • Including NL
• Lawful intercept
  • Give government a copy of all packets of a suspect, or a copy of all email sent/received through ISP mailservers
• Data retention
  • who had what IP address & when
• IPv4 is the name of the game right now
Legal issues
• Dutch interception regulation defines the internet as:
  • ”system of public networks that use RFC 791 and RFC 792 (IPv4), RFC 1884 and RFC 1885 (IPv6), or another Internet Protocol (IP) as established by the Internet Engineering Task Force (IETF), with IP addresses officially assigned by the Internet Corporation for Assigned Names and Numbers (ICANN)”
• So they thought about it (thanks)
• One day a police officer will show up with a request for all IPv6 packets too
• → talk to Pine ;-)
DNS64/NAT64
• If you want to run single stack for client computers, they only get an IPv6 address
• All applications need to be v6 aware, but they still have no way to talk to IPv4 hosts
  • ”How would they”
• DNS64: turn a question for an AAAA, when there is no AAAA, into a question for IPv4
  • Return a 'magic' IPv6 address that actually connects to an IPv4 address → DNS64
• NAT64 is the technique to translate
• PowerDNS has this, will go into production soon
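The DNS64 decision described on this slide, as an added example written for this page (it is not PowerDNS's implementation): answer an AAAA query with the real record when there is one, otherwise synthesize a 'magic' address by embedding the A record in the RFC 6052 well-known prefix 64:ff9b::/96, and the NAT64-side inverse that extracts the IPv4 destination again. The zone data is constructed; the www.ipv6day.nl addresses are the ones the slides quote, the v4-only host is invented.

```python
import ipaddress

# RFC 6052 well-known prefix used by DNS64/NAT64 when no network-specific prefix is configured
WKP = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed zone data: www.ipv6day.nl with the addresses from the slides, plus a v4-only host
RECORDS = {
    "www.ipv6day.nl": {"A": ["145.100.96.6"], "AAAA": ["2001:610:158:960::6"]},
    "v4only.example": {"A": ["192.0.2.7"]},
}


def synthesize(v4, prefix=WKP):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 layout)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def resolve_aaaa(name, records=RECORDS, prefix=WKP):
    """DNS64 logic: real AAAA if present, else synthesize from A.

    Returns (answers, synthesized) so a caller can tell a genuine answer from a made-up one.
    """
    rr = records.get(name, {})
    if rr.get("AAAA"):
        return list(rr["AAAA"]), False
    if rr.get("A"):
        return [str(synthesize(a, prefix)) for a in rr["A"]], True
    return [], False


def embedded_ipv4(addr, prefix=WKP):
    """NAT64 side: recover the IPv4 destination from a synthesized address, or None."""
    a = ipaddress.IPv6Address(addr)
    if a not in prefix:
        return None
    return str(ipaddress.IPv4Address(a.packed[12:]))


if __name__ == "__main__":
    for name in ("www.ipv6day.nl", "v4only.example", "nosuch.example"):
        answers, synthesized = resolve_aaaa(name)
        print(name, answers, "(synthesized)" if synthesized else "")
    print("NAT64 would send 64:ff9b::c000:207 to", embedded_ipv4("64:ff9b::c000:207"))
```

One consequence for the 'equal protection' theme of the talk: once clients are single-stack behind NAT64, their traffic to IPv4-only hosts leaves them as IPv6 towards 64:ff9b::/96, so ACLs written against IPv4 destinations on the client side never match it; the filtering has to be expressed on the synthesized prefix or on the NAT64 box itself.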
Summarising
• IPv6 is more of the same
  • But not quite
• Make sure you have equal protection for IPv4 traffic and IPv6 traffic
  • Keep this synchronised while going dual stack
  • IDS/IPS
• Keep a careful eye on 'unwanted IPv6'
• Be aware that IPv6 offers 'connectivity by default' instead of 'outgoing connectivity only'
• Realise that IPv6 software is 'younger' and read release notes carefully
• Think of the legal issues if you are an ISP
IPv6 security aspects
Bert Hubert
IPv6 is more of the same, but there are still things to think about
http://tinyurl.com/ipv6security
+31-622440095
Bert.hubert@netherlabs.nl
hubert@fox-it.com