IPv6 Security
Protection measures for the next Internet Protocol
As the world's networks migrate to the IPv6 protocol, networking professionals need a clearer understanding of the security risks, threats, and challenges this transition presents. In IPv6 Security, two of the world's leading Internet security practitioners review each potential security issue introduced by IPv6 networking and present today's best solutions.
IPv6 Security offers guidance for avoiding security problems prior to widespread IPv6 deployment. The book covers every component of today's networks, identifying specific security deficiencies that occur within IPv6 environments and demonstrating how to combat them.
The authors describe best practices for identifying and resolving weaknesses as you maintain a dual stack network. Then they describe the security mechanisms you need to implement as you migrate to an IPv6-only network. The authors survey the techniques hackers might use to try to breach your network, such as IPv6 network reconnaissance, address spoofing, traffic interception, denial of service, and tunnel injection.
The authors also turn to Cisco® products and protection mechanisms. You learn how to use Cisco IOS® and ASA firewalls and ACLs to selectively filter IPv6 traffic. You also learn about securing hosts with Cisco Security Agent 6.0 and about securing a network with IOS routers and switches. Multiple examples are explained for Windows, Linux, FreeBSD, and Solaris hosts. The authors offer detailed examples that are consistent with today's best practices and easy to adapt to virtually any IPv6 environment.
Scott Hogg, CCIE® No. 5133, is Director of Advanced Technology Services at Global Technology Resources, Inc. (GTRI). He is responsible for setting the company's technical direction and helping it create service offerings for emerging technologies such as IPv6. He is the Chair of the Rocky Mountain IPv6 Task Force.
Eric Vyncke, Cisco Distinguished System Engineer, consults on security issues throughout Europe. He has 20 years' experience in security and teaches security seminars as a guest professor at universities throughout Belgium. He also participates in the Internet Engineering Task Force (IETF) and has helped several organizations deploy IPv6 securely.
Understand why IPv6 is already a latent threat in your IPv4-only network
Plan ahead to avoid IPv6 security problems before widespread deployment
Identify known areas of weakness in IPv6 security and the current state of attack tools and hacker skills
Understand each high-level approach to securing IPv6 and learn when to use each
Protect service provider networks, perimeters, LANs, and host/server connections
Harden IPv6 network devices against attack
Utilize IPsec in IPv6 environments
Secure mobile IPv6 networks
Secure transition mechanisms in use during the migration from IPv4 to IPv6
Monitor IPv6 security
Understand the security implications of the IPv6 protocol, including issues related to ICMPv6 and the IPv6 header structure
Protect your network against large-scale threats by using perimeter filtering techniques and service provider-focused security practices
Understand the vulnerabilities that exist on IPv6 access networks and learn solutions for mitigating each
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Networking: Security
Covers: IPv6 Security
Introduction
Chapter 1 Introduction to IPv6 Security
Reintroduction to IPv6 3
IPv6 Update 6
IPv6 Vulnerabilities 7
Hacker Experience 8
IPv6 Security Mitigation Techniques 9
Summary
Recommended Readings and Resources
Chapter 2 IPv6 Protocol Security Vulnerabilities
The IPv6 Protocol Header
ICMPv6
ICMPv6 Functions and Message Types
ICMPv6 Attacks and Mitigation Techniques
Multicast Security
Extension Header Threats
Extension Header Overview
Extension Header Vulnerabilities
Hop-by-Hop Options Header and Destination Options Header
IPv6 Extension Header Fuzzing
Router Alert Attack
Routing Headers
RH0 Attack
Preventing RH0 Attacks
Additional Router Header Attack Mitigation Techniques
Fragmentation Header
Overview of Packet Fragmentation Issues
Fragmentation Attacks
Preventing Fragmentation Attacks
Virtual Fragment Reassembly
Unknown Option Headers
Upper-Layer Headers
Reconnaissance on IPv6 Networks
Scanning and Assessing the Target
Registry Checking
Automated Reconnaissance
Speeding Up the Scanning Process
Leveraging Multicast for Reconnaissance
Automated Reconnaissance Tools
Sniffing to Find Nodes
Neighbor Cache
Node Information Queries
Protecting Against Reconnaissance Attacks
Layer 3 and Layer 4 Spoofing
Summary
References
Chapter 3 IPv6 Internet Security
Large-Scale Internet Threats
Packet Flooding
Internet Worms
Worm Propagation
Speeding Worm Propagation in IPv6
Current IPv6 Worms
Preventing IPv6 Worms
Distributed Denial of Service and Botnets
DDoS on IPv6 Networks
Attack Filtering
Attacker Traceback
Black Holes and Dark Nets
Ingress/Egress Filtering
Filtering IPv6 Traffic
Filtering on Allocated Addresses
Bogon Filtering
Bogon Filtering Challenges and Automation
Securing BGP Sessions
Explicitly Configured BGP Peers
Using BGP Session Shared Secrets
Leveraging an IPsec Tunnel
Using Loopback Addresses on BGP Peers
Controlling the Time-to-Live (TTL) on BGP Packets
Filtering on the Peering Interface
Using Link-Local Peering
Link-Local Addresses and the BGP Next-Hop Address
Drawbacks of Using Link-Local Addresses
Preventing Long AS Paths
Limiting the Number of Prefixes Received
Preventing BGP Updates Containing Private AS Numbers
Maximizing BGP Peer Availability
Disabling Route-Flap Dampening
Disabling Fast External Fallover
Enabling Graceful Restart and Route Refresh or Soft Reconfiguration
BGP Connection Resets
Logging BGP Neighbor Activity
Securing IGP
Extreme Measures for Securing Communications Between BGP Peers
IPv6 over MPLS Security
Using Static IPv6 over IPv4 Tunnels Between PE Routers
Using 6PE
Using 6VPE to Create IPv6-Aware VRFs
Customer Premises Equipment
Prefix Delegation Threats
SLAAC
DHCPv6
Multihoming Issues
Summary
References
Chapter 4 IPv6 Perimeter Security
IPv6 Firewalls
Filtering IPv6 Unallocated Addresses
Additional Filtering Considerations
Firewalls and IPv6 Headers
Inspecting Tunneled Traffic
Layer 2 Firewalls
Firewalls Generate ICMP Unreachables
Logging and Performance
Firewalls and NAT
Cisco IOS Router ACLs
Implicit IPv6 ACL Rules
Internet ACL Example
IPv6 Reflexive ACLs
Cisco IOS Firewall
Configuring IOS Firewall
IOS Firewall Example
IOS Firewall Port-to-Application Mapping for IPv6
Cisco PIX/ASA/FWSM Firewalls
Configuring Firewall Interfaces
Management Access
Configuring Routes
Security Policy Configuration
Object Group Policy Configuration
Fragmentation Protection
Checking Traffic Statistics
Neighbor Discovery Protocol Protections
Summary
References
Chapter 5 Local Network Security
Why Layer 2 Is Important
ICMPv6 Layer 2 Vulnerabilities for IPv6
Stateless Address Autoconfiguration Issues
Neighbor Discovery Issues
Duplicate Address Detection Issues
Redirect Issues
ICMPv6 Protocol Protection
Secure Neighbor Discovery
Implementing CGA Addresses in Cisco IOS
Understanding the Challenges with SEND
Network Detection of ICMPv6 Attacks
Detecting Rogue RA Messages
Detecting NDP Attacks
Network Mitigation Against ICMPv6 Attacks
Rafixd
Reducing the Target Scope
IETF Work
Extending IPv4 Switch Security to IPv6
Privacy Extension Addresses for the Better and the Worse
DHCPv6 Threats and Mitigation
Threats Against DHCPv6
Mitigating DHCPv6 Attacks
Mitigating the Starvation Attack
Mitigating the DoS Attack
Mitigating the Scanning
Mitigating the Rogue DHCPv6 Server
Point-to-Point Link
Endpoint Security
Summary
References
Chapter 6 Hardening IPv6 Network Devices
Threats Against Network Devices
Cisco IOS Versions
Disabling Unnecessary Network Services
Interface Hardening
Limiting Router Access
Physical Access Security
Securing Console Access
Securing Passwords
VTY Port Access Controls
AAA for Routers
HTTP Access
IPv6 Device Management
Loopback and Null Interfaces
Management Interfaces
Securing SNMP Communications
Threats Against Interior Routing Protocol
RIPng Security
EIGRPv6 Security
IS-IS Security
OSPF Version 3 Security
First-Hop Redundancy Protocol Security
Neighbor Unreachability Detection
HSRPv6
GLBPv6
Controlling Resources
Infrastructure ACLs
Receive ACLs
Control Plane Policing
QoS Threats
Summary
References
Chapter 7 Server and Host Security
IPv6 Host Security
Host Processing of ICMPv6
Services Listening on Ports
Microsoft Windows
Linux
BSD
Sun Solaris
Checking the Neighbor Cache
Microsoft Windows
Linux
BSD
Sun Solaris
Detecting Unwanted Tunnels
Microsoft Windows
Linux
BSD
Sun Solaris
IPv6 Forwarding
Microsoft Windows
Linux
BSD
Sun Solaris
Address Selection Issues
Microsoft Windows
Linux
BSD
Sun Solaris
Host Firewalls
Microsoft Windows Firewall
Linux Firewalls
BSD Firewalls
OpenBSD Packet Filter
ipfirewall
IPFilter
Sun Solaris
Securing Hosts with Cisco Security Agent 6.0
Summary
References
Chapter 8 IPsec and SSL Virtual Private Networks
IP Security with IPv6
IPsec Extension Headers
IPsec Modes of Operation
Internet Key Exchange (IKE)
IKE Version 2
IPsec with Network Address Translation
IPv6 and IPsec
Host-to-Host IPsec
Site-to-Site IPsec Configuration
IPv6 IPsec over IPv4 Example
Configuring IPv6 IPsec over IPv4
Verifying the IPsec State
Adding Some Extra Security
Dynamic Crypto Maps for Multiple Sites
IPv6 IPsec Example
Configuring IPsec over IPv6
Checking the IPsec Status
Dynamic Multipoint VPN
Configuring DMVPN for IPv6
Verifying the DMVPN at the Hub
Verifying the DMVPN at the Spoke
Remote Access with IPsec
SSL VPNs
Summary
References
Chapter 9 Security for IPv6 Mobility
Mobile IPv6 Operation
MIPv6 Messages
Indirect Mode
Home Agent Address Determination
Direct Mode
Threats Linked to MIPv6
Protecting the Mobile Device Software
Rogue Home Agent
Mobile Media Security
Man-in-the-Middle Threats
Connection Interception
Spoofing MN-to-CN Bindings
DoS Attacks
Using IPsec with MIPv6
Filtering for MIPv6
Filters at the CN
Filters at the MN/Foreign Link
Filters at the HA
Other IPv6 Mobility Protocols
Additional IETF Mobile IPv6 Protocols
Network Mobility (NEMO)
IEEE .16e
Mobile Ad-hoc Networks
Summary
References
Chapter 10 Securing the Transition Mechanisms
Understanding IPv4-to-IPv6 Transition Techniques
Dual-Stack
Tunnels
Configured Tunnels
6to4 Tunnels
ISATAP Tunnels
Teredo Tunnels
6VPE
Protocol Translation
Implementing Dual-Stack Security
Exploiting Dual-Stack Environment
Protecting Dual-Stack Hosts
Hacking the Tunnels
Securing Static Tunnels
Securing Dynamic Tunnels
6to4
ISATAP
Teredo
Securing 6VPE
Attacking NAT-PT
IPv6 Latent Threats Against IPv4 Networks
Summary
References
Chapter 11 Security Monitoring
Managing and Monitoring IPv6 Networks
Router Interface Performance
Device Performance Monitoring
SNMP MIBs for Managing IPv6 Networks
IPv6-Capable SNMP Management Tools
NetFlow Analysis
Router Syslog Messages
Benefits of Accurate Time
Managing IPv6 Tunnels
Using Forensics
Using Intrusion Detection and Prevention Systems
Cisco IPS Version 6.1
Testing the IPS Signatures
Managing Security Information with CS-MARS
Managing the Security Configuration
Summary
References
Chapter 12 IPv6 Security Conclusions
Comparing IPv4 and IPv6 Security
Similarities Between IPv4 and IPv6
Differences Between IPv4 and IPv6
Changing Security Perimeter
Creating an IPv6 Security Policy
Network Perimeter
Extension Headers
LAN Threats
Host and Device Hardening
Transition Mechanisms
IPsec
Security Management
On the Horizon
Consolidated List of Recommendations
Summary
References
1587055945 TOC 11/25/2008
