Securing IPv6 neighbor discovery and SLAAC in access networks - PowerPoint PPT Presentation

  1. Securing IPv6 neighbor discovery and SLAAC in access networks through SDN
     Daniel Nelle, dnelle@uni-potsdam.de
     Thomas Scheffler, thomas.scheffler@htw-berlin.de
     ANRW 2019, Montreal, July 22nd 2019

  2. Outline
     • Security issues in ICMPv6
     • Stateless Autoconfiguration
     • Secure Neighbor Discovery
     • Monitoring NDP using an SDN controller
     • Building a Host Cache
     • Handling Neighbor Discovery
     • Tests & Performance
     • Known limitations
     • Lessons learned and Outlook
     Thomas Scheffler Secure NDP & SLAAC 22. 7. 2019 2 / 21

  3. ICMPv6
     ICMPv6 is central for the deployment and use of IPv6. It provides a number of functions that either did not exist in IPv4 or were provided through other protocols:
     • Stateless Address Autoconfiguration and Router Discovery
     • Layer-2 address resolution through the ICMPv6 Neighbor Discovery Protocol (NDP); IPv4 uses ARP.
     • Determination of reachability and parameters of the transmission path: Echo Request/Response, Path MTU Discovery.
     • Management of multicast group membership through Multicast Listener Discovery and Multicast Router Discovery; IPv4 uses IGMP.

  4. Address Autoconfiguration
     • Address Autoconfiguration automatically assigns IPv6 addresses to hosts. This allows hosts in a network to communicate without explicit configuration.
     • There are two methods for address configuration. Stateless autoconfiguration is the default:
       • Stateless Autoconfig: To build a valid IP address, the host uses available prefix information (e.g. from the Router Discovery process) and subsequently tests this address for uniqueness using Duplicate Address Detection (DAD).
       • DHCPv6: The stateful mechanism provides additional capabilities. DHCPv6 is not used as widely as in IPv4 and still uses link-local IPv6 addresses.

  5. Stateless Address Autoconfiguration
     • Autoconfiguration is used only for hosts, not for routers.
     • IPv6 addresses have an associated lifetime:
       • Valid addresses are preferred.
       • Addresses that will soon expire are in the state deprecated. Deprecated addresses are not used for new connections; existing connections continue to work.
     • Duplicate Address Detection: After an address has been generated, it is in the state tentative.
       • Its uniqueness on the link is verified through a Neighbor Solicitation message. If this address already exists on the local subnet, the owner of this address sends a corresponding Neighbor Advertisement message and address autoconfiguration is aborted.

  6. Stateless Address Autoconfiguration: Duplicate Address Detection
     [Diagram: Host A (IP A, tentative) and Host B (IP B). Host A sends ICMPv6 type 135 (Neighbor Solicitation), Src: ::, Dest: solicited-node multicast address of A, Target: A.]
     • The generated IPv6 address must be unique. If it is already used in the network, it must not be assigned to the interface.
     • Given the large address space and the particular address generation mechanism, this is a very unlikely event.

  7. Problem statement:
     • Any host can send arbitrary ICMPv6 messages!
     • Duplicate Address Detection can easily be exploited for DoS attacks.
     • Router Advertisements and Neighbor Solicitation messages can be spoofed (think ARP spoofing in IPv4).
     [Diagram: Host A (IP A, tentative) and Attacker (IP B). Host A sends ICMPv6 type 135 (Neighbor Solicitation), Src: ::, Dest: solicited-node multicast address of A, Target: IP A. The attacker replies with ICMPv6 type 136 (Neighbor Advertisement), Src: IP A, Dest: all-nodes multicast, Target: A.]
     The attacker falsely and repeatedly answers the DAD request from Host A. Host A cannot access the network.

  8. Interworking problem between ICMPv6 and IPsec/IKE
     The IPv6 security architecture proposed the use of IPsec AH for the protection of ICMPv6 traffic. However, there is a bootstrap problem for address configuration!
     • Using IKE for the establishment of a Security Association (SA) requires the hosts to have a valid IP address.
     • IPsec itself is able to protect unicast and multicast traffic, but SAs can only be established for unicast traffic through IKE. The following ICMPv6 messages would need to use manually configured SAs:
       • Router & Neighbor Solicitations
       • Router & Neighbor Advertisements

  9. Securing Neighbor Discovery using SEND
     In 2005 the SEcure Neighbor Discovery (SEND) protocol was designed to protect against various NDP attacks (RFC 3971):
     • SEND uses cryptographically generated addresses, which bind the IP address to the generating node.
     • The protocol has been designed to be compatible with IPv6 address autoconfiguration.
     But:
     • Very limited practical experience (only marginal OS support).
     • Implementations were vulnerable to resource exhaustion attacks.

  10. How we got here...
     • IPv6 NDP security issues were widely discussed in the 2004-2014 timeframe:
       • Active exploits: THC-IPV6-ATTACK-TOOLKIT, https://github.com/vanhauser-thc/thc-ipv6
       • Router Advertisement Guard (RFC 6105)
       • Security Implications of IPv6 Fragmentation with IPv6 ND (RFC 6980)
       • ...
     • Using Intrusion Detection Systems (IDS) to detect abnormal NDP traffic:
       • Implementation of IPv6-specific dissectors for Snort 2.9 (2012) & 3.0 (2019), https://redmine.cs.uni-potsdam.de/projects/

  11. Monitoring NDP using an SDN controller
     Benefits of SDN over IDS deployment:
     • Works in Ethernet-switched environments.
     • Potentially cheaper and easier to deploy and maintain.
     But why stop at monitoring?
     • The SDN controller can actively insert and filter messages.
     • Steer known good traffic to the fast path; screen only problematic protocols/traffic.
     • Rapid iteration and fine tuning of software-defined functions.
     • Provide monitoring and alerting functionality through the northbound interface.

  12. ndp_proxy
     • Intelligent, selective NDP proxy using the RYU framework
     • Uses Duplicate Address Detection messages as authentication hooks
     • Creates, updates and deletes entries in a host cache
     • Interacts with NDP by dropping, forwarding or generating packets
     • Acts as a MAC-learning switch for IPv4
     • Implements Router Advertisement Guard (RFC 6105)
     • Forwards known good traffic via the fast path by inserting flow rules with different priorities:
       • Catch all < Known MAC < Unknown IPv6 < NDP < Known IPv6
     • Manages flow rules: handles EventOFPPacketIn and EventOFPFlowRemoved events
     • No changes to IPv6 protocols or to host and router implementations required

  13. Architecture
     [Diagram: module stack showing proxy_runner, flood_checker, ra_sender, cache_manager, ndp_proxy, ndp_proxy_controller and ndp_proxy_pcap_writer, with a REST interface and .pcap output.]
     • proxy_runner runs the app; the inheritance cascade facilitates concurrent execution of modules
     • flood_checker monitors ports by tracking requests/second
     • ra_sender broadcasts Router Advertisements at configurable intervals
     • cache_manager iterates over the cache and triggers actions (probing, deletion, ...) if conditions are met
     • ndp_proxy is the main component

  14. Populating the Host Cache
     [Diagram, two cases: Host B sends an NS from :: asking "Does anybody have address B?". Left: the cache holds only IP A / MAC A, the answer is "No." and an entry IP B / MAC B is created. Right: the cache already holds IP B / MAC B when Host B' probes for address B; the answer is "Yes!" and no entry is created.]
     • Host B performs DAD and sends an NS with the source set to the unspecified address (::).
     • If no entry for that IP exists, a cache entry is created.
     • If an entry exists, an NA is generated, causing Host B's DAD to fail. It needs to choose another address. No cache entry is created and Host B' is unable to communicate.

  15. Handling IPv6 Neighbor Discovery
     [Diagram, two steps: (1) Host A sends an NS "Where is IP B?"; cache: IP A / MAC A STALE, IP B / MAC B set to PENDING; flow table (Action / SRC / DST) empty. (2) Host B answers with an NA "IP B at MAC B!"; cache: IP B / MAC B ACTIVE; flow table: Allow, SRC B, DST A.]
     • The app checks whether Host A is in the cache, sets Host B's entry to PENDING and forwards the NS.
     • Host B's NA is also checked against the cache. If Host B is valid, a rule allowing communication from B to A is inserted. The cache entry is set to ACTIVE and the NA is forwarded to Host A.
     • The NDP process is used to keep track of activity. Entries remaining in PENDING will trigger probing before being deleted.

  16. Regular Traffic
     [Diagram, two steps: (1) a packet from A to B; cache: IP A / MAC A ACTIVE, IP B / MAC B STALE; flow table: Allow, SRC A, DST B. (2) a packet from B to A; cache: IP B / MAC B ACTIVE; flow table: Allow A to B and Allow B to A.]
     • The first packet is presented to the app because there is no flow rule.
     • If A is in the cache, the packet is forwarded, the cache entry for A is set to ACTIVE and a flow rule allowing communication from A to B is installed.
     • Subsequent packets do not take the detour through the app.
     • The same applies from Host B to Host A.
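The decision logic of slides 12 and 14 to 16 (DAD as the authentication hook, the PENDING/ACTIVE cache states, and the flow rule installed only for cached hosts), as an added example that is not the ndp_proxy project's code. It assumes ICMPv6 fields arrive already parsed, picks its own numeric priorities for the slide-12 ordering, and adds a check that a DAD probe is addressed to the target's solicited-node multicast group.

```python
# Added example, not the ndp_proxy project's code: an in-memory model of the
# host-cache and flow-rule decisions on slides 12 and 14-16 (fields arrive parsed).
from dataclasses import dataclass, field
from ipaddress import IPv6Address
NS, NA = 135, 136              # ICMPv6 Neighbor Solicitation / Advertisement
UNSPECIFIED = IPv6Address("::")
# Fast-path priority order from slide 12; the numeric values are assumed here
PRIO = {"catch_all": 0, "known_mac": 10, "unknown_ipv6": 20, "ndp": 30, "known_ipv6": 40}

def solicited_node(addr):      # ff02::1:ffXX:XXXX from the low 24 bits (RFC 4291)
    return IPv6Address(int(IPv6Address("ff02::1:ff00:0")) | (int(IPv6Address(addr)) & 0xFFFFFF))

@dataclass
class NdpProxyModel:
    cache: dict = field(default_factory=dict)   # compressed IPv6 str -> {"mac", "state"}
    flows: list = field(default_factory=list)   # (priority, src, dst) allow rules

    def on_icmpv6(self, mtype, src, dst, target, mac):
        """Return 'forward', 'drop' or 'generate_na' for one NS/NA (slides 14-15)."""
        src, dst, target = (str(IPv6Address(a)) for a in (src, dst, target))
        if mtype == NS and src == str(UNSPECIFIED):     # DAD probe sent from ::
            if dst != str(solicited_node(target)):
                return "drop"                           # not a well-formed DAD probe
            if target in self.cache:
                return "generate_na"                    # taken: answer, so DAD fails
            self.cache[target] = {"mac": mac, "state": "STALE"}   # initial state assumed
            return "forward"
        if mtype == NS:                                 # A asks "where is B?"
            if src not in self.cache:
                return "drop"                           # unknown requester is not served
            if target in self.cache:
                self.cache[target]["state"] = "PENDING"
            return "forward"
        if mtype == NA:                                 # B answers "B is at MAC B"
            entry = self.cache.get(src)
            if entry is None or entry["mac"] != mac:
                return "drop"                           # unknown or spoofed advertiser
            entry["state"] = "ACTIVE"
            self.flows.append((PRIO["known_ipv6"], src, dst))
            return "forward"
        return "forward"                                # other ICMPv6 passes through

    def on_packet_in(self, src, dst):                   # regular traffic (slide 16)
        entry = self.cache.get(str(IPv6Address(src)))
        if entry is None:
            return "drop"
        entry["state"] = "ACTIVE"
        self.flows.append((PRIO["known_ipv6"], src, dst))
        return "forward"
```

Probing and deletion of entries that stay PENDING (slide 15) are left to a cache_manager-style sweep and are not modelled here.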
