security impacts of security impacts of abusing ipv6
play

Security Impacts of Security Impacts of Abusing IPv6 Extension - PowerPoint PPT Presentation

Mar 13, 2024 •29 likes •689 views

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

  1. Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science

  2. Bio ● Independent IT Security analyst/researcher. ● MPhil Univ. of Cambridge, PhD NTUA, etc. ● Over 20 years of diverse Information T echnology experience. ● Instructor and software developer, etc. ● More than 25 technical publications in various IT fields. This is my 2nd Black Hat. ● Member of the Centre for Strategic Cyberspace + Security Science non-profit organisation. ● E-mail: antonios.atlasis@cscss.org

  3. Agenda ● Introduction ● The IPv6 Extension Headers ● Abusing IPv6 Extension Headers ● T ested scenarios – Results ● Security impacts of abusing IPv6 Extension Headers - Demo ● Proposed countermeasures ● Conclusions

  4. IPv6 Wordwide Deployment APNIC 17% LACNIC 15% RIPE NCC15% AfriNIC 12% ARIN 10%. Source : https://labs.ripe.net/Members/mirjam/networks-with-ipv6-one-year-later

  5. IPv6 @ the Gates ● 6th June of 2012, the IPv6 world launch day. ● “IPv6-ready” products, such as Operating Systems, Networking Devices, Security Devices, etc.

  6. What does a new protocol introduce? ● New features, new capabilities, ... ● but also new potential vulnerabilities and hence, new attack vectors (hackers/crackers joy). ● IPv6 is around for many years, but it has not been tested operationally yet.

  7. Security Implications of Attacking a Network Protocol? ● A Layer-7 protocol: Only this protocol is affected. ● A Layer-3 protocol: ALL the above protocols are affected (can be disastrous).

  8. IPv6 Potential Security Issues ● T wo categories: – Issues known from the IPv4 era, solved in IPv4 but re-appear in IPv6. Example: Fragmentation overlapping. – Issues new to IPv6 introduced due to its new features.

  9. IPv6 New Features ● It is not just the huge address space. ● One of the most significant changes: The introduction of the IPv6 Extension Headers .

  10. The IPv4 vs the IPv6 Header Version IHL Type of Service T otal Length Identification x D M Fragment Offset TTL Protocol Header Checksum v4 v4 Source Address Destination Address IP Options (optional) V Traffic C Flow Label Payload length Next Hop Limit v6 v6 IPv6 Source Address IPv6 Destination Address IPv6 Extension headers have been introduced to IPv6 Extension headers support any extra functionality, if required.

  11. An IPv6 vs an IPv4 Datagram IPv4 Header Layer 4 Layer 4 IPv4 protocol Payload datagram header IPv6 Header ... Layer 4 Layer 4 Extension Header Extension protocol Payload IPv6 1 Header n Next Header value = header Next Header value Next Header datagram Extension Header 1 = Extension value = Layer Header 2 4 Header Multiple Multiple of 8-octets of 8-octets

  12. The IPv6 Extension Headers (RFC 2460) ● Hop-by-Hop Options ● Routing ● Fragment ● Destination Options ● Authentication ● Encapsulating Security Payload ● All (but the Destination Options header) SHOULD occur at most once. ● Later, more were added.

  13. Recommended IPv6 Extension Headers Order ● IPv6 header ● Hop-by-Hop Options header ● Destination Options header ● Routing header ● Fragment header ● Authentication header ● Encapsulating Security Payload header ● Destination Options header (for options to be processed only by the final destination of the packet.) ● Upper-layer header

  14. Abuse of IPv6 Extension Headers ● T wo Extension Headers will be tested here: – the Destination Options Header – and the Fragment Extension header ● In some of the tested scenarios other IPv6 Extension Headers can also be used.

  15. The Destination Options Header

  16. The IPv6 Fragment Header ● The M bit, the Identification number and the Offset have moved here from the main header. ● The DF bit has been totally removed.

  17. Abusing IPv6 Extension Headers ● RFCs describe the way that IPv6 Extension Headers has to or should be used. ● In either case, this does not mean that the vendors make RFC compliant products. ● RFCs do not specify how the OS should react in a different case → increase the ambiguity → if exploited properly, can lead to various security flaws.

  18. The Lab Environment attacker Scapy scripts ICMPv6 Echo Request as payload Windows Server 2008 Windows 7 OpenBSD Ubuntu Windows 8 Centos 6.3 FreeBSD 9 Ubuntu 5.1/5.2 10.04 12.04 fed0::5/64 fed0::2008/64 fed0::7/64 fed0::8/64 fed0::10/64 fed0::6/64 fed0::52/64 fed0::9/64 fed0::12/64

  19. Basic Groups of T ested Scenarios ● More than one occurrences of various extension headers in atomic fragments. ● Nested fragments (that is, ...fragmented fragments). ● Sending the upper-layer protocol header at a fragment other than the 1st one. ● Creating overlapping extension headers (3 cases will be examined). ● Transfer of arbitrary data at the IP level (fragmented or not).

  20. 1. Multiple Occurrences of Various Extension Headers in an Atomic Fragment Three (3) Fragment Extension Headers Four (4) Destination Options Headers

  21. 1. Multiple Occurrences of Various Extension Headers in an Atomic Fragment send(IPv6(src=sip, dst=dip) \ /IPv6ExtHdrDestOpt() \ /IPv6ExtHdrDestOpt() \ / IPv6ExtHdrDestOpt() \ /IPv6ExtHdrFragment ( offset=0 , m=0 ) \ /IPv6ExtHdrFragment(offset=0 , m=0 ) \ /IPv6ExtHdrDestOpt() \ /IPv6ExtHdrFragment(offset=0 , m=0 ) \ /ICMPv6EchoRequest())

  22. 1. Multiple Occurrences of Various Extension Headers in an Atomic Fragment ● Such a packet SHOULD NOT exist, but how the OS should react?. ● Results: – OpenBSD was the only one that does not accept such a malformed packet. – Similar results even if only one type of an Extension Header is repeated more than once.

  23. 2. Nested Fragments

  24. 2. Nested Fragments ipv6_1=IPv6(src=sip, dst=dip, plen=8*2) frag2=IPv6ExtHdrFragment(offset=0, m=0, id= myid2 , nh=44 ) for i in range(0, no_of_fragments): frag1=IPv6ExtHdrFragment(offset=i, m=1, id=myid , nh=44 ) packet=ipv6_1/frag1/frag2 send(packet) frag1=IPv6ExtHdrFragment(offset=no_of_fragments, m=1, id=myid , nh=44 ) frag2=IPv6ExtHdrFragment(offset=0, m=0, id=myid2 , nh=58 ) packet=ipv6_1/frag1/frag2 send(packet) ipv6_1=IPv6(src=sip, dst=dip, plen=8*(length+1)) frag1=IPv6ExtHdrFragment(offset=no_of_fragments+1, m=0, id=myid , nh=44 ) packet=ipv6_1/frag1/icmpv6 send(packet)

  25. 2. Nested Fragments ● There is no reason for a legitimate user to create nested fragments. ● Results: – The three Windows and the two Ubuntu systems respond back with an ICMPv6 Echo Reply message. – Centos 6.3, FreeBSD and OpenBSD don't. – Different behaviour between Centos and Ubuntu 10.04, although they use the same kernel.

  26. 3. Upper-layer Protocol Header at a Fragment other than the 1st Fragment

  27. 3. Upper-layer Protocol Header at a Fragment other than the 1st Fragment packet1 = IPv6(src=sip, dst=dip) \ /IPv6ExtHdrFragment(offset=0, m=1) \ /IPv6ExtHdrDestOpt(nh=60) packet2 = IPv6(src=sip, dst=dip) \ /IPv6ExtHdrFragment(offset=1, m=1) \ /IPv6ExtHdrDestOpt(nh=58) packet3 = IPv6(src=sip, dst=dip) \ /IPv6ExtHdrFragment( offset=2 , m=0, nh=58) \ / ICMPv6EchoRequest (cksum=csum, data=payload1) send(packet1) send(packet2) send(packet3)

  28. 3. Upper-layer Protocol Header at a Fragment other than the 1st Fragment ● OpenBSD, the two Ubuntu and the three Windows hosts accept the datagrams. ● FreeBSD 9 and Centos 6.3 don't.

  29. 4.Mixing Extension Headers and Sending the Upper-Layer Protocol Header at a Fragment other than the 1st ● A combination of the 1st (mixing multiple extension headers) and the 3rd (sending the upper layer header at a fragment other than the 1st) scenarios.

  30. 4.Mixing Extension Headers and Sending the Upper-Layer Protocol Header at a Fragment other than the 1st packet1 = IPv6(src=sip, dst=dip) \ /IPv6ExtHdrFragment(offset=0, m=1) \ / IPv6ExtHdrDestOpt(nh=60) \ Five (5) Destination /IPv6ExtHdrDestOpt(nh=60) \ Option headers! /IPv6ExtHdrDestOpt(nh=60) \ /IPv6ExtHdrDestOpt(nh=60) \ /IPv6ExtHdrDestOpt(nh=58) packet2 = IPv6(src=sip, dst=dip) \ /IPv6ExtHdrFragment( offset=5 , m=0, nh=58) \ / ICMPv6EchoRequest (cksum=csum, data=payload1) send(packet1) Layer 4 header at the 2nd fragment send(packet2)

  31. 4.Mixing Extension Headers and Sending the Upper-Layer Protocol Header at a Fragment other than the 1st ● Only FreeBSD 9 does not accept such packets. ● All the others (included OpenBSD that discards such combinations in atomic fragments) DO accept them.

  32. Creating Overlapping Extension headers ● This is a layer-3 overlapping, not an overlapping known from IPv4. ● Case 1: The 3rd fragment overlaps the 2nd. ● Case 2: The 3rd fragment overlaps the 1st.

  33. 5. Creating Overlapping Extension headers Case 1 packet1 = IPv6(src=sip, dst=dip) \ /IPv6ExtHdrFragment(offset=0, m=1) \ /IPv6ExtHdrDestOpt(nh=58) packet2 = IPv6(src=sip, dst=dip) \ /IPv6ExtHdrFragment( offset=1 , m=1, nh=58) \ /IPv6ExtHdrDestOpt(nh=58) packet3 = IPv6(src=sip, dst=dip) \ /IPv6ExtHdrFragment( offset=1, m=0 , nh=58) \ /ICMPv6EchoRequest(cksum=csum, data=payload1) send(packet1) send(packet2) send(packet3)

  34. 5. Creating Overlapping Extension headers Case 1 ● Centos 6.3 and Ubuntu 10.04 accept the malformed packets (“old” linux kernel).

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HPE SecureData for Big Data Platform HPE Vertica Big Data Platform HPE Security Data

HPE SecureData for Big Data Platform HPE Vertica Big Data Platform HPE Security Data

HPE SecureData for Big Data Platform HPE Vertica Big Data Platform HPE Security Data Security February 2016 Data Security Impacts Design and Delivery of Big Data Projects Data Security frequently is a leading Role Security Impacts

545 views • 23 slides
Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions Security of IPv6

625 views • 33 slides
Extreme Geomagnetic Storm Societal Impacts Presented at: Electric Infrastructure Security Summit

Extreme Geomagnetic Storm Societal Impacts Presented at: Electric Infrastructure Security Summit

Extreme Geomagnetic Storm Societal Impacts Presented at: Electric Infrastructure Security Summit London September 20, 2010 Bronius Cikotas Member, Board of Advisors Electric Infrastructure Security Council 7104 Roxanne Road, Alexandria VA ,

201 views • 18 slides
EXPECTED CLIMATE IMPACTS EXPECTED CLIMATE IMPACTS Agriculture: Agriculture: impacts on food

EXPECTED CLIMATE IMPACTS EXPECTED CLIMATE IMPACTS Agriculture: Agriculture: impacts on food

EXPECTED CLIMATE IMPACTS EXPECTED CLIMATE IMPACTS Agriculture: Agriculture: impacts on food security impacts on food security Natural resources: Natural resources: water, energy, water, energy, Health Health

794 views • 44 slides
Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

A Comparative Security Evaluation for IPv4 and IPv6 Addresses Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security Scanning the Internet for profit, ethically. 2 Why do we need to know this? IPv6

279 views • 16 slides
IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction to WLCG & IPv6 IPv6 security & threats IPv6 protocol attacks Issues for site network & security teams Issues for sys admins

501 views • 34 slides
Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi, G. Leclanche, E. Vyncke, R. Anfinsen Status -00 posted on 25 January 2013 Some comments on the list (see later) Problem Statement

378 views • 10 slides
Possible impacts of non-Schengen Laurens Schautteet, Trade Facilitation, Customs and Security

Possible impacts of non-Schengen Laurens Schautteet, Trade Facilitation, Customs and Security

Possible impacts of non-Schengen Laurens Schautteet, Trade Facilitation, Customs and Security Committee meeting, 22 March, Lisbon Table of contents 1. Schengen Area 2. Refugee crisis impact on Schengen 3. Cost of non-Schengen to the EU 4.

272 views • 12 slides
v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations draft-savola-v6ops-security-overview-00.txt Pekka Savola, CSC/FUNET Overview Overview Look at different kinds of issues IPv6 protocol Transition mechanisms in general

853 views • 10 slides
The Program, Implementation, and Features Outline Why protect CUI? Impacts to National

The Program, Implementation, and Features Outline Why protect CUI? Impacts to National

The Program, Implementation, and Features Outline Why protect CUI? Impacts to National Security Existing Agency Policy and Procedure Protection Today An Information Security Reform Protection defined What we protect

391 views • 38 slides
IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda Introduction to Integralis IPv6 Security Concerns Questions Private & Confidential Continuous Secure Service Delivery Governance,

336 views • 21 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
Agricultural productivity and food security in the lower Mekong Basin: impacts of climate change

Agricultural productivity and food security in the lower Mekong Basin: impacts of climate change

Agricultural productivity and food security in the lower Mekong Basin: impacts of climate change and options for adaptation Dr Mohammed Mainuddin CSIRO Land and Water, Canberra, Australia Presentation at the 1 st Meeting of Climate Change

540 views • 29 slides
Climate Change Impacts on Agriculture and Food Security Implications for Developing Climate

Climate Change Impacts on Agriculture and Food Security Implications for Developing Climate

Climate Change Impacts on Agriculture and Food Security Implications for Developing Climate Resilient Agriculture Programs Uganda CCVA Lessons: Design, Implementation and Stakeholder Engagement Patricia Caffrey Uganda CCVA Team Leader and

821 views • 47 slides
How Work Impacts Benefits Kendra Berry Supervising Community Work Incentives Coordinator

How Work Impacts Benefits Kendra Berry Supervising Community Work Incentives Coordinator

How Work Impacts Benefits Kendra Berry Supervising Community Work Incentives Coordinator Indiana Works 866-968-7842 Social Security 2 Types of Social Security Disability Benefits: - Social Security Disability Insurance - Supplemental

283 views • 27 slides
Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The University of Tokyo / Laboratoire dInformatique de Paris 6 Summary IPv6 Mobile IPv6 Security and Mobile IPv6 Protections by

669 views • 50 slides
Decentralized and Opportunistic Multicasting of Information Streams D. Gunawardena T.

Decentralized and Opportunistic Multicasting of Information Streams D. Gunawardena T.

ACM MOBICOM 2011 SCOOP: Decentralized and Opportunistic Multicasting of Information Streams D. Gunawardena T. Karagiannis A. Proutiere Microsoft Research Microsoft Research KTH E. Santos-Neto M. Vojnovic British Columbia Microsoft

630 views • 35 slides
CS519: Computer Networks Lecture 3, Part 2: Feb 16, 2004 IP Forwarding Table Best-match rules

CS519: Computer Networks Lecture 3, Part 2: Feb 16, 2004 IP Forwarding Table Best-match rules

CS519: Computer Networks Lecture 3, Part 2: Feb 16, 2004 IP Forwarding Table Best-match rules revisited CS519 Select matching FIB entry with longest prefix If multiple matching FIB entries have the same prefix size, then any may be

624 views • 11 slides
Hop, Skip, Jump Implementing a concurrent interpreter with Promises Timothy Jones Victoria

Hop, Skip, Jump Implementing a concurrent interpreter with Promises Timothy Jones Victoria

Hop, Skip, Jump Implementing a concurrent interpreter with Promises Timothy Jones Victoria University of Wellington tim@ecs.vuw.ac.nz January 14, 2015 Background This Talk Implementing a fully asynchronous JavaScript application Using

1.42k views • 63 slides
Routing in Networks of Varying Connectivity Andrew Grundy amg@cs.nott.ac.uk

Routing in Networks of Varying Connectivity Andrew Grundy amg@cs.nott.ac.uk

Routing in Networks of Varying Connectivity Andrew Grundy amg@cs.nott.ac.uk http://cs.nott.ac.uk/~amg Supervisors: Dr Milena Radenkovic Prof Uwe Aickelin 1 Overview The Problem Domain Existing Solutions My Work The

449 views • 21 slides
Strong Formulations for the Survivable Network Design with Hop Constraints Problem A. Ridha

Strong Formulations for the Survivable Network Design with Hop Constraints Problem A. Ridha

Strong Formulations for the Survivable Network Design with Hop Constraints Problem A. Ridha Mahjoub 1 , Luidi Simonetti 2 , Eduardo Uchoa 2 1 Universit e Paris-Dauphine mahjoub@lamsade.dauphine.fr 2 Universidade Federal Fluminense

934 views • 49 slides
The Data Link Layer Bits are just bits. With only a physical layer, System A has no way to tell

The Data Link Layer Bits are just bits. With only a physical layer, System A has no way to tell

32 PART I Networking Basics weather station. More realistic devices use duplex mode , where all systems can send or receive with equal facility. This is often further distinguished as half-duplex (the system can send and receive, but not at the

161 views • 13 slides
IASP 560 Final Group Project | Slides LOUIS ESCO T O JO Y GEORGE EMMANUEL SEF A

IASP 560 Final Group Project | Slides LOUIS ESCO T O JO Y GEORGE EMMANUEL SEF A

IASP 560 Final Group Project | Slides LOUIS ESCO T O JO Y GEORGE EMMANUEL SEF A BRIAN STEINER A GUIDE TO SIGPLOIT A Raspberry Pi 4 A Linux OS SigPloit 2 Exploring the inherent vulnerabilities in SS7 technology

177 views • 16 slides
CS 356: Computer Network Architectures Lecture 11: Dynamic Routing: Routing Information Protocol

CS 356: Computer Network Architectures Lecture 11: Dynamic Routing: Routing Information Protocol

CS 356: Computer Network Architectures Lecture 11: Dynamic Routing: Routing Information Protocol Chap. 3.3.1, 3.3.2 Xiaowei Yang xwy@cs.duke.edu Today Dynamic Routing Routing Information Protocol IP tunnels Tunnels A

880 views • 41 slides

More recommend