SLIDE 1
Sa Safer er Si Six IP IPv6 v6 Se Security urity in a Nut utsh shel ell
Joha hann nna a Ull llrich ich
Sa Safer er Si Six IP IPv6 v6 Se Security urity in a Nut - - PowerPoint PPT Presentation
Sa Safer er Si Six IP IPv6 v6 Se Security urity in a Nut - - PowerPoint PPT Presentation
Sa Safer er Si Six IP IPv6 v6 Se Security urity in a Nut utsh shel ell Joha hann nna a Ull llrich ich I think there is a world market for maybe five computers Thomas Watson Reasons nicholsoncartoons.com.au connect.de
SLIDE 2
SLIDE 3
„I think there is a world market for maybe five computers“ Thomas Watson
SLIDE 4
Reasons
connect.de networkworld.com nicholsoncartoons.com.au
Pattern Address class Range A 0 – 127 10 B 129 – 191 110 C 192 – 223 1110 D 224 – 239 1111 E 240 – 255
SLIDE 5
„Computers in the future may […] weigh only 1.5 tons“ Popular Mechanics, 1949
SLIDE 6
in Workshop on Offensive Technologies, 2014
SLIDE 7
SLIDE 8
WHAT IS NEW?
SLIDE 9
Remember the IPv4 Format …
Variable header size Minimal length of 20 byte
IHL
Type of Service Vers.
Total Length Identification
Flag
Fragment Offset Time to Live Protocol Header Checksum Source Address Destination Address 1 3 4
SLIDE 10
IPv6 Header Format
Source Address Traffic Class Flow Label Payload Length Next Header Hop Limit Destination Address
Ver.
1 3 4
SLIDE 11
What happend to …?
IHL
Type of Service Vers.
Total Length Identification
Flag
Fragment Offset Time to Live Protocol Header Checksum Source Address Destination Address 1 3 4 Moved to so-called Extension Headers Extended to 128 bit each Replaced by Payload Length Dropped due to
- verhead in routers
Just renamed to Hop Limit Replaced by Traffic Class
SLIDE 12
IPv6 Header Format
Source Address Traffic Class Flow Label Payload Length Next Header Hop Limit Destination Address
Ver.
1 3 4
SLIDE 13
SECURITY VULNERABILITIES
SLIDE 14
Extension Headers
IPv6 Header IPv6 Extension
Protocol
IPv6 Extension Transport Layer Protocol
Protocol Protocol Protocol
…
- Hop-by-Hop Options Header
- Routing Header
- Destination Options Header
- Fragment Header
SLIDE 15
Internet Control Message Protocol
Address Resolution Protocol IPv4 Internet Control Message Protocol v4 IPv6 Internet Control Message Protocol v6
=
ICMPv6
+
General control messages Neighbor Discovery Protocol
Don‘t block ICMPv6 totally!
+
Stateless Address Autoconfig
SLIDE 16
Router Advertisments
Das ist Netzwerk X. OK. OK. OK. OK.
SLIDE 17
Router Advertisments
Das ist Netzwerk X. OK. OK. OK. OK.
SLIDE 18
Router Advertisements
Das ist Netzwerk Y. OK. OK. OK.
SLIDE 19
Routing Loops
IPv4 network IPv6 network IPv4 A Prefix A IPv4 B Prefix B D: Prefix B (IPv4 A) D: IPv4 A Encapsulation in IPv4 Decapsulation
SLIDE 20
Teredo Server Loop
Indefinite loop
Teredo server Bubble packet Bubble packet
SLIDE 21
Multicast Listener
Node A MLD General Query Attacker Router MLD Report Sent to all router multicast!
… see next talk …
SLIDE 22
PRIVACY VULNERABILITIES
SLIDE 23
IPv6 Addresses
General Format Interface Identifier Modified EUI-Format, Privacy Extension, DHCP, Manually assigned, etc.
Interface Identifier Prefix 64 bit 64 bit
SLIDE 24
Reconaissance
- Source:
Malone D., „Observation of IPv6 Addresses“, 2008
End nodes Routers
SLIDE 25
Reconnaissance
18 446 744 073 709 551 616 Interface Identifier in one /64 Educated guess necessary:
SLIDE 26
Example: Limit search by Reverse DNS
[IPv6 address].ip6.arp NXDOMAIN NOERROR Reverse DNS:
(empty non-terminals)
SLIDE 27
METHODOLOGY
SLIDE 28
SLIDE 29
Countermeasures
SLIDE 30
SLIDE 31
Future Challenges
Addressing Securing the Local Network Reconnaissance
SLIDE 32
Generation Next – Generation Best?
IPv4 as intended IPv4 as known IPv6 as intended IPv6 as known
SLIDE 33
Thank you!
Johanna Ullrich SBA Research jullrich@sba-research.org
Engineering & Technology, August 2012