SO YOUR IPV6 IS PUBLIC…NOW WHAT? BY JOE SULLIVAN, JOLIET JUNIOR COLLEGE - PowerPoint PPT Presentation



SLIDE 1

SO YOUR IPV6 IS PUBLIC…NOW WHAT?

BY JOE SULLIVAN, JOLIET JUNIOR COLLEGE, PROFESSOR, APRIL 27TH 2017

CCNP, Palo Alto ACE, CCNA Video, CCNA Voice, CVNS, CVNR, CCNA Collaboration, H.E. IPv6 Sage, Linux Essentials, ECSVRv1, ECSERv2, CCNA Security, CCAI, CWTS

SLIDE 2

Background

  • IPv4 as a free pool has been depleted as of September 24, 2015; people can apply on the waitlist for unmet requests: https://www.arin.net/resources/request/waiting_list.html
  • Conservation of IPv4 addresses began early on with the introduction of VLSM and private address space (RFC 1918).
  • Since private addresses are used, NAT has been in place to accommodate them. We quickly found that this model imposes a performance degradation and is challenging to work with for real-time services and end-to-end applications.

Source: https://www.arin.net/resources/request/waiting_list.html

SLIDE 3

EXPLORING MYTHS: NAT SECURITY

  • NAT didn't provide security. NAT actually hindered security by interfering with geolocation, DNSSEC and IPsec.
  • The reality is that stateful firewalls have provided security. The purpose of stateful packet inspection is to remember which packets left the network and to map the return traffic back to them by its flags or headers.

(NAT Overview clipping source:) http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/6209-5.html

SLIDE 4

DEPLOYMENT MODELS

  • ISPs have been resourceful in obtaining new address space in IPv6. Comcast has been at it since 2011 and has a deployment model in place. (Source: http://corporate.comcast.com/comcast-voices/ipv6-deployment-technology)
  • Comcast, for instance, is very proactive by deploying native dual stack, which means a customer gets both IPv6 and IPv4 addresses. This avoids the use of tunneling and NAT.
  • Native dual stack avoids breaking or slowing applications and maintains faster broadband internet without the complications of NAT.
  • With the removal of NAT, new tools have been developed to deploy address prefixes to customers. We will look at a dual-stack device running Prefix Delegation (PD) along with a local link device issued a /64 and using SLAAC.

SLIDE 5

IPV6 DEPLOYMENT

  • This research is not intended to detract from the merits of IPv6, but merely to shed light on important deployment scenarios.
  • IPv6 is different from IPv4, this we understand. There are several attacks that exist in both IPv4 and IPv6, such as:
  • Application layer attacks such as cross-site scripting and SQL injection.
  • Rogue devices such as WiFi, a router with higher priority, and flooding and DoS attacks.
  • Man-in-the-middle attacks
  • Redirection, spoofing, false advertisements

SLIDE 6

BACKGROUND ON IPV6 STRUCTURE

  • Link Local: FE80::7ADA:6EFF:FE5B:ACE0
  • Global Unicast: 2010:AB8:0:1:7ADA:6EFF:FE5B:B478
  • Multicast groups: joined group address(es):
  • FF02::1
  • FF02::2
  • FF02::A
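The addresses on this slide can be classified mechanically, and the two unicast ones share a tell-tale FF:FE in the middle of the interface identifier, meaning they were built from the NIC's MAC address (modified EUI-64). The script below is an added example, not the presenter's code: it classifies the slide's own addresses with Python's standard `ipaddress` module, names the well-known multicast groups from the IANA registry, and recovers the MAC from an EUI-64 interface ID. The security point it makes is that an EUI-64 address is a stable identifier that follows the device across networks, which is why RFC 4941 temporary addresses are the usual recommendation for client hosts.

```python
"""Classify the IPv6 addresses listed on slide 6 and recover the MAC address
embedded in a modified EUI-64 interface identifier.

Added example, not the presenter's code.  The sample addresses are the ones
on the slide; the well-known multicast names come from the IANA registry."""
import ipaddress

WELL_KNOWN_MULTICAST = {
    "ff02::1": "all nodes",
    "ff02::2": "all routers",
    "ff02::a": "EIGRP routers",
}
MULTICAST_SCOPES = {1: "interface-local", 2: "link-local", 5: "site-local",
                    8: "organization-local", 14: "global"}
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def eui64_mac(addr: ipaddress.IPv6Address):
    """Return the MAC encoded in a modified EUI-64 interface ID, or None when
    the low 64 bits do not carry the 0xFFFE marker (e.g. privacy addresses)."""
    iid = addr.packed[8:]                 # last 8 bytes = interface identifier
    if iid[3] != 0xFF or iid[4] != 0xFE:
        return None
    first = iid[0] ^ 0x02                 # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(text: str) -> dict:
    """Return address kind, embedded MAC (if any) and a short note."""
    addr = ipaddress.IPv6Address(text)
    info = {"address": str(addr), "kind": "other", "mac": None, "note": ""}
    if addr.is_multicast:
        info["kind"] = "multicast"
        scope = (int(addr) >> 112) & 0xF  # low nibble of the first hextet
        info["note"] = MULTICAST_SCOPES.get(scope, f"scope {scope}")
        if addr in SOLICITED_NODE:
            info["note"] += ", solicited-node"
        elif str(addr) in WELL_KNOWN_MULTICAST:
            info["note"] += ", " + WELL_KNOWN_MULTICAST[str(addr)]
        return info
    if addr.is_link_local:
        info["kind"] = "link-local"
    elif addr in GLOBAL_UNICAST:
        info["kind"] = "global-unicast"
    elif addr.is_private:
        info["kind"] = "unique-local"
    info["mac"] = eui64_mac(addr)
    if info["mac"]:
        info["note"] = ("EUI-64 interface ID: stable across networks and reveals "
                        "the NIC MAC; prefer RFC 4941 temporary addresses")
    return info


if __name__ == "__main__":
    for sample in ("FE80::7ADA:6EFF:FE5B:ACE0", "2010:AB8:0:1:7ADA:6EFF:FE5B:B478",
                   "FF02::1", "FF02::2", "FF02::A"):
        print(classify(sample))
```

Running it on the slide's link-local address reports kind `link-local` and MAC `78:da:6e:5b:ac:e0` (the 7A in the address is 78 with the universal/local bit flipped); FF02::2 is reported as link-local scope, all routers, which is the group that the router-flooding tool on a later slide abuses.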

SLIDE 7

INVESTIGATIVE TOOLS USED

  • KALI
  • THC-IPV6(8): https://manned.org/thc-ipv6.8
  • Investigation focused on IPv6 Prefix Delegation security concerns

SLIDE 8

NETWORK ATTACKS

New neighbor found, possible gateway attack successful

SLIDE 9

FLOOD ROUTERS

flood_router6 successful

  • Quickly sends thousands of routers as neighbors; within seconds we had thousands.
  • Memory attack on the router.
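From the defender's side, the burst the slide describes has a clear signature: many Router Advertisements per second from source addresses that have never been seen before. The function below is an added detection example, not the presenter's code. It walks a list of (timestamp, source MAC, source link-local address, ICMPv6 type) events, flags any RA whose sender is not the known gateway (the rogue router of slide 5), and raises one alert per burst when more than a threshold of RAs arrive in a one-second window. The events, the gateway MAC in KNOWN_ROUTER_MACS (taken from the link-local address on slide 6) and the threshold are all constructed or assumed, not a real capture.

```python
"""Detection logic for the flood_router6 behaviour shown on slide 9: a burst
of Router Advertisements (RAs) from many never-before-seen routers, plus any
RA from a source other than the known gateway (the rogue router of slide 5).

Added example, not the presenter's code.  The events are constructed to look
like a capture summary and are not a real capture; KNOWN_ROUTER_MACS and the
rate limit are assumed values a defender would set for their own link."""
from collections import deque

ICMPV6_ROUTER_ADVERTISEMENT = 134
ICMPV6_NEIGHBOR_SOLICITATION = 135
KNOWN_ROUTER_MACS = {"78:da:6e:5b:ac:e0"}   # assumed legitimate gateway
RA_LIMIT_PER_SECOND = 10                     # assumed threshold; tune per link


def detect_ra_anomalies(events, limit=RA_LIMIT_PER_SECOND, known=KNOWN_ROUTER_MACS):
    """events: iterable of (ts_ms, src_mac, src_ipv6, icmpv6_type).
    Returns {"flood": [(ts_ms, ra_count_in_window)], "rogue_sources": {mac: ip}}."""
    window = deque()          # timestamps of RAs seen in the last 1000 ms
    flood = []
    rogue = {}
    flood_open = False        # report one alert per burst, not per packet
    for ts, mac, ip, icmp_type in events:
        if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT:
            continue
        if mac not in known:
            rogue.setdefault(mac, ip)
        window.append(ts)
        while window and ts - window[0] > 1000:
            window.popleft()
        if len(window) > limit:
            if not flood_open:
                flood.append((ts, len(window)))
                flood_open = True
        else:
            flood_open = False
    return {"flood": flood, "rogue_sources": rogue}


def constructed_events():
    """Three legitimate RAs, one neighbor solicitation from a host, then a
    burst of 50 RAs from 50 different fabricated source MACs within 0.5 s."""
    ev = [
        (0, "78:da:6e:5b:ac:e0", "fe80::7ada:6eff:fe5b:ace0", ICMPV6_ROUTER_ADVERTISEMENT),
        (200_000, "78:da:6e:5b:ac:e0", "fe80::7ada:6eff:fe5b:ace0", ICMPV6_ROUTER_ADVERTISEMENT),
        (400_000, "78:da:6e:5b:ac:e0", "fe80::7ada:6eff:fe5b:ace0", ICMPV6_ROUTER_ADVERTISEMENT),
        (450_000, "02:11:22:33:44:55", "fe80::11:22ff:fe33:4455", ICMPV6_NEIGHBOR_SOLICITATION),
    ]
    for i in range(50):
        ev.append((500_000 + i * 10, f"02:00:00:00:00:{i:02x}",
                   f"fe80::200:ff:fe00:{i:x}", ICMPV6_ROUTER_ADVERTISEMENT))
    return ev


if __name__ == "__main__":
    result = detect_ra_anomalies(constructed_events())
    print("flood alerts:", result["flood"])
    print("unknown RA sources:", len(result["rogue_sources"]))
```

On the constructed events the burst trips the threshold at the eleventh RA (timestamp 500100 ms) and 50 unknown router sources are recorded, while the three RAs from the real gateway spread over minutes raise nothing. Detection like this gives visibility; the mitigation at the access layer is RA Guard (RFC 6105) on switch ports that should never carry Router Advertisements.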

SLIDE 10

FRAGMENTATION ATTACK ON FIREWALL

  • High CPU usage
  • Investigate firewall probe

SLIDE 11

PRINT ROUTER INFORMATION

  • Information on adjacencies

SLIDE 12

ASSESS DEVICE CAPABILITIES

  • Scans a device's system services
  • Accessible through the WAN

SLIDE 13

FIREWALL PROBING

  • Sniffer detection packets
  • Scanning for system responses
  • Fragmentation and Maximum Segment Size attacks

SLIDE 14

PROBE ROUTER

  • Send a series of known exploits to an intermediate device.
  • Actively probing devices.

SLIDE 15

NEIGHBOR DISCOVERY

  • Nmap makes about 1 discovery every second.
  • Host machines do not start at ::1 and work upward.
  • At /64, or about 18 quintillion (2^64) hosts, this can take years for full discovery.
  • Once you go to a corrupt site they will have your address, so you still need a firewall.

SLIDE 16

ATTACKS INSIDE LAN REMAIN DEVASTATING

  • Raises concerns for businesses.
  • With dual stack, an administrator has to defend both protocols. The logical footprint effectively doubles.

SLIDE 17

HOW TO PLAN FOR IPV6

  • Start with ARIN: https://www.arin.net/resources/ipv6_planning.html
  • Check with your ISP for compatible modems to obtain the best performance. For example, http://mynewmodemcomcast.net/
  • Get IPv6 Certified for free with Hurricane Electric (free T-shirt at Sage level): https://ipv6.he.net/certification/
  • Research guidelines: https://www.apnic.net/community/ipv6-program/ipv6-bcp/

SLIDE 18

BASIC STEPS BEFORE CONSIDERATION OF IPV6 DEPLOYMENT

(SOURCE: HTTP://BLOGS.CISCO.COM/SMALLBUSINESS/3-STEPS-FOR-PREPARING-YOUR-NETWORK-FOR-IPV6)

  • 1. Audit, to include routers and switches as well as security appliances, firewalls, and intrusion prevention systems.
  • 2. Gradually migrate your core networking components, then all of your endpoints; don't forget applications that run on PCs.
  • 3. Ensure outward-facing services are IPv6 compliant.
  • Audit existing infrastructure for compliance.
  • Make a planned migration.
  • Validate external services.

SLIDE 19

IMPLICATIONS FOR DUAL STACK DEVICES

  • IPv6 has an abundance of hosts and exhibits an inherent "herd mentality" for protection.
  • Once discovered, a host is directly communicable unless firewall rules are provisioned.
  • For IoT devices, protection will lie solely in the front-end device protecting them. Due to low battery consumption and singular-purpose design they leave little in the way of security.
  • Provisioning systems for dual stack does require a router or security device appropriate for each protocol.
  • Multicast traffic is detrimental to switches; recommendations are to have storm control and multicast routing provisioned.
  • Devices inside the LAN may suffer severely from attacks. Workstations should have firewalls, and IoT devices require the protection of a hardware firewall at L2.
  • Direct reachability for IPv6 is possible without a stateful firewall; ensure one is operational.
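Slide 3 argued that it was the stateful firewall, not NAT, that kept unsolicited traffic out, and this slide draws the consequence for globally addressed IPv6 hosts. The model below is an added example (not the presenter's code) of that policy: outbound flows are remembered by their 5-tuple, inbound packets are admitted only when they are the reverse of a remembered flow or one of the ICMPv6 types IPv6 cannot function without (RFC 4890), and everything else from the WAN is dropped. No address translation takes place. The LAN prefix and every packet are constructed from the 2001:db8::/32 documentation range.

```python
"""Model of the stateful inspection from slide 3, applied to the slide 19
warning that a globally addressed IPv6 host is directly reachable unless a
stateful firewall sits in front of it.  Outbound flows are remembered and
only their return traffic (plus the ICMPv6 types IPv6 cannot work without)
is admitted from the WAN; no NAT is involved.

Added example, not the presenter's code.  The prefix and packets are
constructed using the 2001:db8::/32 documentation range."""
import ipaddress
from dataclasses import dataclass

# ICMPv6 types RFC 4890 says a firewall must not drop: destination
# unreachable, packet too big, time exceeded, parameter problem, and the
# neighbor discovery solicitation/advertisement pair.
ESSENTIAL_ICMPV6 = {1, 2, 3, 4, 135, 136}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0


class StatefulFirewall:
    """Default-deny inbound; allow outbound and remember each flow."""

    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.IPv6Network(inside_prefix)
        self.flows = set()   # (src, sport, dst, dport, proto) seen outbound

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet):
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def handle(self, p: Packet) -> str:
        if ipaddress.IPv6Address(p.src) in self.inside:
            self.flows.add(self._key(p))     # outbound: record the flow
            return "allow"
        if p.proto == "icmpv6" and p.icmp_type in ESSENTIAL_ICMPV6:
            return "allow"                   # NDP / PMTUD must get through
        if self._reverse(p) in self.flows:
            return "allow"                   # return traffic of a known flow
        return "drop"                        # unsolicited inbound


def demo() -> dict:
    """Walk a constructed packet sequence through the firewall."""
    fw = StatefulFirewall("2001:db8:1::/64")          # constructed LAN prefix
    host, web, stranger = "2001:db8:1::10", "2001:db8:2::80", "2001:db8:9::1"
    out = {}
    out["outbound_syn"] = fw.handle(Packet(host, web, "tcp", 50000, 443))
    out["return_synack"] = fw.handle(Packet(web, host, "tcp", 443, 50000))
    out["unsolicited_ssh"] = fw.handle(Packet(stranger, host, "tcp", 40000, 22))
    out["neighbor_solicit"] = fw.handle(
        Packet("fe80::1", "ff02::1:ff00:10", "icmpv6", icmp_type=135))
    out["echo_request_in"] = fw.handle(Packet(stranger, host, "icmpv6", icmp_type=128))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>17}: {verdict}")
```

The inside host's connection to port 443 goes out and its SYN/ACK comes back, a stranger's SYN to port 22 on the same host is dropped even though the host has a globally routable address, and a neighbor solicitation is passed because blocking NDP breaks IPv6 on the link. On Linux the same policy is an ip6tables or nftables ruleset that accepts `ct state established,related` and the listed ICMPv6 types on the WAN interface and drops other inbound traffic; the inbound echo request is dropped here only because this policy chose not to list it.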

SLIDE 20

FINDINGS

  • Getting back to Comcast provisioning native dual stack over DOCSIS: the logic of the move is that during our growing pains moving to IPv6 from our depleted IPv4 state, content providers have not readily adopted IPv6. Websites may draw on both IPv4 and IPv6 content.
  • Having a dual-stack configuration allows us to see an Internet page with both protocols. Miss one protocol and the content changes.
  • There are browser add-ons to check for dual protocol support on websites (see link).
  • Supporting both protocols is necessary until every service provider and website transitions to IPv6.

https://chrome.google.com/webstore/detail/ipvfoo/ecanpcehfgngcegjmadlcijfolapggal?hl=en

SLIDE 21

FINDINGS CONTINUED

  • DNS lookups return both protocol options.
  • AAAA record (the DNS A record for IPv6). If it exists, the client tries using IPv6, falling back to the A record and IPv4.
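The AAAA-first, A-fallback behaviour described above is easy to get wrong in application code (hard failure when the AAAA exists but IPv6 is broken, or silently never using IPv6). The functions below are an added example, not the presenter's code: `order_candidates` puts AAAA answers ahead of A answers, and `connect_with_fallback` tries them in that order and moves on when a connection fails. It takes the DNS answers and a connect callback as parameters so it runs offline; the record sets and the "IPv6 is broken" simulation are constructed.

```python
"""Resolve-and-connect order described on slide 21: try AAAA (IPv6) first,
fall back to A (IPv4).

Added example, not the presenter's code.  The records and the connect
callback are parameters so the logic runs offline; DUAL_STACK, V4_ONLY and
the simulated failure below are constructed, not real lookups."""
import ipaddress


def order_candidates(records):
    """records: list of (rrtype, address).  AAAA first, then A, each in the
    order the resolver returned them."""
    v6 = [addr for rrtype, addr in records if rrtype == "AAAA"]
    v4 = [addr for rrtype, addr in records if rrtype == "A"]
    return v6 + v4


def connect_with_fallback(records, try_connect):
    """try_connect(address) -> True on success; False or OSError on failure.
    Returns (address, ip_version) of the first success, or (None, None) when
    every candidate failed or there were no records at all."""
    for addr in order_candidates(records):
        version = ipaddress.ip_address(addr).version
        try:
            if try_connect(addr):
                return addr, version
        except OSError:
            continue           # e.g. no IPv6 route: fall through to the next
    return None, None


# Constructed answers for an imaginary dual-stacked site and a v4-only one.
DUAL_STACK = [("A", "203.0.113.10"), ("AAAA", "2001:db8:ff::10")]
V4_ONLY = [("A", "203.0.113.20")]


def simulate(records, broken_v6=False):
    """Drive connect_with_fallback with a fake connector; when broken_v6 is
    set, every IPv6 attempt raises the way a missing route would."""
    def try_connect(addr):
        if broken_v6 and ":" in addr:
            raise OSError("no route to host")
        return True
    return connect_with_fallback(records, try_connect)


if __name__ == "__main__":
    print("dual stack, v6 working:", simulate(DUAL_STACK))
    print("dual stack, v6 broken: ", simulate(DUAL_STACK, broken_v6=True))
    print("v4 only:               ", simulate(V4_ONLY))
```

With both records present the IPv6 address wins; when the IPv6 attempt raises, the A record is used instead, which is exactly the "miss one protocol and the content changes" situation on the previous slide when a site's IPv6 side is unreachable. In a real client the records would come from `socket.getaddrinfo`, and modern stacks race the two families concurrently (Happy Eyeballs, RFC 8305) rather than waiting for the IPv6 attempt to time out first.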

SLIDE 22

IDENTIFIERS OF IPV6 WEBSITES

  • A logo may be included on a website to show IPv6 compliance, such as World IPv6 Launch: http://www.worldipv6launch.org/
  • Test your IPv6: http://ipv6test.google.com/

SLIDE 23

SETUP FIREWALL FOR NEW PROTOCOL

  • Certified IPv6 Ready devices for small business: https://www.ipv6ready.org/

SLIDE 24

WAN SIDE BUSINESS CLASS SERVICES

  • Fragmented packet inspection and reorder
  • IPv6 DoS mitigation
  • Tunneled packet inspection at the tunnel endpoint
  • Stateful packet inspection
  • Stateful packet inspection for IPv4-to-IPv6 originations
  • ACLs pertaining to extension header information
  • Port to application mapping
  • Firewall alerts, audit trails, system logging, NetFlow
  • Router hardening for routing protocols
  • Multicast thresholds
  • Neighbor Advertisement, Cryptographically Generated Addresses using SEcure Neighbor Discovery (SEND)

SLIDE 25

LAN SIDE BUSINESS CLASS IPV6 PRECAUTIONS

  • Stateful packet failover, FHRP
  • Control plane policing per-user microflow
  • Use of Protocol Independent Multicast v2 and Multicast Listener Discovery v2
  • Use of general prefix names to simplify deployment.
  • Standard fare:
  • DHCP snooping
  • QoS mechanisms
  • Load budget under a dual-protocol environment; consider multi-protocol aggregation

SLIDE 26

SCANNING VALIDATION TOOLS

Home tools for IPv6:
http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-tracepath.php
http://www.ipv6scanner.com/cgi-bin/main.py

SLIDE 27

ADDITIONAL RESOURCES

router configurations.txt