IPv6 Security

Book Description

IPv6 Security

Protection measures for the next Internet Protocol

As the world’s networks migrate to the IPv6 protocol, networking professionals need a clearer understanding of the security risks, threats, and challenges this transition presents. In IPv6 Security, two of the world’s leading Internet security practitioners review each potential security issue introduced by IPv6 networking and present today’s best solutions.

IPv6 Security offers guidance for avoiding security problems prior to widespread IPv6 deployment. The book covers every component of today’s networks, identifying specific security deficiencies that occur within IPv6 environments and demonstrating how to combat them.

The authors describe best practices for identifying and resolving weaknesses as you maintain a dual-stack network. Then they describe the security mechanisms you need to implement as you migrate to an IPv6-only network. The authors survey the techniques attackers might use to try to breach your network, such as IPv6 network reconnaissance, address spoofing, traffic interception, denial of service, and tunnel injection.

The authors also turn to Cisco® products and protection mechanisms. You learn how to use Cisco IOS® and ASA firewalls and ACLs to selectively filter IPv6 traffic. You also learn about securing hosts with Cisco Security Agent 6.0 and about securing a network with IOS routers and switches. Multiple examples are explained for Windows, Linux, FreeBSD, and Solaris hosts. The authors offer detailed examples that are consistent with today’s best practices and easy to adapt to virtually any IPv6 environment.

Scott Hogg, CCIE® No. 5133, is Director of Advanced Technology Services at Global Technology Resources, Inc. (GTRI). He is responsible for setting the company’s technical direction and helping it create service offerings for emerging technologies such as IPv6. He is the Chair of the Rocky Mountain IPv6 Task Force.

Eric Vyncke, Cisco Distinguished System Engineer, consults on security issues throughout Europe. He has 20 years’ experience in security and teaches security seminars as a guest professor at universities throughout Belgium. He also participates in the Internet Engineering Task Force (IETF) and has helped several organizations deploy IPv6 securely.

  • Understand why IPv6 is already a latent threat in your IPv4-only network

  • Plan ahead to avoid IPv6 security problems before widespread deployment

  • Identify known areas of weakness in IPv6 security and the current state of attack tools and hacker skills

  • Understand each high-level approach to securing IPv6 and learn when to use each

  • Protect service provider networks, perimeters, LANs, and host/server connections

  • Harden IPv6 network devices against attack

  • Utilize IPsec in IPv6 environments

  • Secure mobile IPv6 networks

  • Secure transition mechanisms in use during the migration from IPv4 to IPv6

  • Monitor IPv6 security

  • Understand the security implications of the IPv6 protocol, including issues related to ICMPv6 and the IPv6 header structure

  • Protect your network against large-scale threats by using perimeter filtering techniques and service provider–focused security practices

  • Understand the vulnerabilities that exist on IPv6 access networks and learn solutions for mitigating each

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Networking: Security

Covers: IPv6 Security

Table of Contents

    1. Copyright
      1. Dedications
    2. About the Authors
    3. About the Technical Reviewers
    4. Acknowledgments
    5. Icons Used in This Book
      1. Command Syntax Conventions
    6. Introduction
    7. Goals and Methods
    8. Who Should Read This Book
    9. How This Book Is Organized
    10. 1. Introduction to IPv6 Security
      1. Reintroduction to IPv6
      2. IPv6 Update
      3. IPv6 Vulnerabilities
      4. Hacker Experience
      5. IPv6 Security Mitigation Techniques
      6. Summary
      7. Recommended Readings and Resources
    11. 2. IPv6 Protocol Security Vulnerabilities
      1. The IPv6 Protocol Header
        1. ICMPv6
          1. ICMPv6 Functions and Message Types
          2. ICMPv6 Attacks and Mitigation Techniques
        2. Multicast Security
      2. Extension Header Threats
        1. Extension Header Overview
        2. Extension Header Vulnerabilities
        3. Hop-by-Hop Options Header and Destination Options Header
          1. IPv6 Extension Header Fuzzing
          2. Router Alert Attack
        4. Routing Headers
          1. RH0 Attack
          2. Preventing RH0 Attacks
          3. Additional Routing Header Attack Mitigation Techniques
        5. Fragmentation Header
          1. Overview of Packet Fragmentation Issues
          2. Fragmentation Attacks
          3. Preventing Fragmentation Attacks
          4. Virtual Fragment Reassembly
        6. Unknown Option Headers
        7. Upper-Layer Headers
      3. Reconnaissance on IPv6 Networks
        1. Scanning and Assessing the Target
          1. Registry Checking
          2. Automated Reconnaissance
        2. Speeding Up the Scanning Process
          1. Leveraging Multicast for Reconnaissance
          2. Automated Reconnaissance Tools
          3. Sniffing to Find Nodes
          4. Neighbor Cache
          5. Node Information Queries
        3. Protecting Against Reconnaissance Attacks
      4. Layer 3 and Layer 4 Spoofing
      5. Summary
      6. References
    12. 3. IPv6 Internet Security
      1. Large-Scale Internet Threats
        1. Packet Flooding
        2. Internet Worms
          1. Worm Propagation
          2. Speeding Worm Propagation in IPv6
          3. Current IPv6 Worms
          4. Preventing IPv6 Worms
        3. Distributed Denial of Service and Botnets
          1. DDoS on IPv6 Networks
          2. Attack Filtering
          3. Attacker Traceback
          4. Black Holes and Dark Nets
      2. Ingress/Egress Filtering
        1. Filtering IPv6 Traffic
        2. Filtering on Allocated Addresses
        3. Bogon Filtering
        4. Bogon Filtering Challenges and Automation
      3. Securing BGP Sessions
        1. Explicitly Configured BGP Peers
        2. Using BGP Session Shared Secrets
        3. Leveraging an IPsec Tunnel
        4. Using Loopback Addresses on BGP Peers
        5. Controlling the Time-to-Live (TTL) on BGP Packets
        6. Filtering on the Peering Interface
        7. Using Link-Local Peering
          1. Link-Local Addresses and the BGP Next-Hop Address
          2. Drawbacks of Using Link-Local Addresses
        8. Preventing Long AS Paths
        9. Limiting the Number of Prefixes Received
        10. Preventing BGP Updates Containing Private AS Numbers
        11. Maximizing BGP Peer Availability
          1. Disabling Route-Flap Dampening
          2. Disabling Fast External Fallover
          3. Enabling Graceful Restart and Route Refresh or Soft Reconfiguration
          4. BGP Connection Resets
        12. Logging BGP Neighbor Activity
        13. Securing IGP
        14. Extreme Measures for Securing Communications Between BGP Peers
      4. IPv6 over MPLS Security
        1. Using Static IPv6 over IPv4 Tunnels Between PE Routers
        2. Using 6PE
        3. Using 6VPE to Create IPv6-Aware VRFs
      5. Customer Premises Equipment
      6. Prefix Delegation Threats
        1. SLAAC
        2. DHCPv6
      7. Multihoming Issues
      8. Summary
      9. References
    13. 4. IPv6 Perimeter Security
      1. IPv6 Firewalls
        1. Filtering IPv6 Unallocated Addresses
        2. Additional Filtering Considerations
          1. Firewalls and IPv6 Headers
          2. Inspecting Tunneled Traffic
          3. Layer 2 Firewalls
          4. Firewalls Generate ICMP Unreachables
          5. Logging and Performance
        3. Firewalls and NAT
      2. Cisco IOS Router ACLs
        1. Implicit IPv6 ACL Rules
        2. Internet ACL Example
        3. IPv6 Reflexive ACLs
      3. Cisco IOS Firewall
        1. Configuring IOS Firewall
        2. IOS Firewall Example
        3. IOS Firewall Port-to-Application Mapping for IPv6
      4. Cisco PIX/ASA/FWSM Firewalls
        1. Configuring Firewall Interfaces
        2. Management Access
        3. Configuring Routes
        4. Security Policy Configuration
        5. Object Group Policy Configuration
        6. Fragmentation Protection
        7. Checking Traffic Statistics
        8. Neighbor Discovery Protocol Protections
      5. Summary
      6. References
    14. 5. Local Network Security
      1. Why Layer 2 Is Important
      2. ICMPv6 Layer 2 Vulnerabilities for IPv6
        1. Stateless Address Autoconfiguration Issues
        2. Neighbor Discovery Issues
        3. Duplicate Address Detection Issues
        4. Redirect Issues
      3. ICMPv6 Protocol Protection
        1. Secure Neighbor Discovery
        2. Implementing CGA Addresses in Cisco IOS
        3. Understanding the Challenges with SEND
      4. Network Detection of ICMPv6 Attacks
        1. Detecting Rogue RA Messages
        2. Detecting NDP Attacks
      5. Network Mitigation Against ICMPv6 Attacks
        1. Rafixd
        2. Reducing the Target Scope
        3. IETF Work
        4. Extending IPv4 Switch Security to IPv6
      6. Privacy Extension Addresses for the Better and the Worse
      7. DHCPv6 Threats and Mitigation
        1. Threats Against DHCPv6
        2. Mitigating DHCPv6 Attacks
          1. Mitigating the Starvation Attack
          2. Mitigating the DoS Attack
          3. Mitigating the Scanning
          4. Mitigating the Rogue DHCPv6 Server
      8. Point-to-Point Link
      9. Endpoint Security
      10. Summary
      11. References
    15. 6. Hardening IPv6 Network Devices
      1. Threats Against Network Devices
      2. Cisco IOS Versions
      3. Disabling Unnecessary Network Services
        1. Interface Hardening
      4. Limiting Router Access
        1. Physical Access Security
        2. Securing Console Access
        3. Securing Passwords
        4. VTY Port Access Controls
        5. AAA for Routers
        6. HTTP Access
      5. IPv6 Device Management
        1. Loopback and Null Interfaces
        2. Management Interfaces
        3. Securing SNMP Communications
      6. Threats Against Interior Routing Protocol
        1. RIPng Security
        2. EIGRPv6 Security
        3. IS-IS Security
        4. OSPF Version 3 Security
      7. First-Hop Redundancy Protocol Security
        1. Neighbor Unreachability Detection
        2. HSRPv6
        3. GLBPv6
      8. Controlling Resources
        1. Infrastructure ACLs
        2. Receive ACLs
        3. Control Plane Policing
      9. QoS Threats
      10. Summary
      11. References
    16. 7. Server and Host Security
      1. IPv6 Host Security
        1. Host Processing of ICMPv6
        2. Services Listening on Ports
          1. Microsoft Windows
          2. Linux
          3. BSD
          4. Sun Solaris
        3. Checking the Neighbor Cache
          1. Microsoft Windows
          2. Linux
          3. BSD
          4. Sun Solaris
        4. Detecting Unwanted Tunnels
          1. Microsoft Windows
            1. Detecting 6to4 Tunnels
            2. Detecting ISATAP Tunnels
            3. Detecting Teredo Tunnels
          2. Linux
          3. BSD
          4. Sun Solaris
        5. IPv6 Forwarding
          1. Microsoft Windows
          2. Linux
          3. BSD
          4. Sun Solaris
        6. Address Selection Issues
          1. Microsoft Windows
          2. Linux
          3. BSD
          4. Sun Solaris
      2. Host Firewalls
        1. Microsoft Windows Firewall
        2. Linux Firewalls
        3. BSD Firewalls
          1. OpenBSD Packet Filter
          2. ipfirewall
          3. IPFilter
        4. Sun Solaris
      3. Securing Hosts with Cisco Security Agent 6.0
      4. Summary
      5. References
    17. 8. IPsec and SSL Virtual Private Networks
      1. IP Security with IPv6
        1. IPsec Extension Headers
        2. IPsec Modes of Operation
        3. Internet Key Exchange (IKE)
          1. IKE Version 2
        4. IPsec with Network Address Translation
        5. IPv6 and IPsec
      2. Host-to-Host IPsec
      3. Site-to-Site IPsec Configuration
        1. IPv6 IPsec over IPv4 Example
          1. Configuring IPv6 IPsec over IPv4
          2. Verifying the IPsec State
          3. Adding Some Extra Security
          4. Dynamic Crypto Maps for Multiple Sites
        2. IPv6 IPsec Example
          1. Configuring IPsec over IPv6
          2. Checking the IPsec Status
        3. Dynamic Multipoint VPN
          1. Configuring DMVPN for IPv6
          2. Verifying the DMVPN at the Hub
          3. Verifying the DMVPN at the Spoke
      4. Remote Access with IPsec
      5. SSL VPNs
      6. Summary
      7. References
    18. 9. Security for IPv6 Mobility
      1. Mobile IPv6 Operation
      2. MIPv6 Messages
        1. Indirect Mode
        2. Home Agent Address Determination
        3. Direct Mode
      3. Threats Linked to MIPv6
        1. Protecting the Mobile Device Software
        2. Rogue Home Agent
        3. Mobile Media Security
        4. Man-in-the-Middle Threats
        5. Connection Interception
        6. Spoofing MN-to-CN Bindings
        7. DoS Attacks
      4. Using IPsec with MIPv6
      5. Filtering for MIPv6
        1. Filters at the CN
        2. Filters at the MN/Foreign Link
        3. Filters at the HA
      6. Other IPv6 Mobility Protocols
        1. Additional IETF Mobile IPv6 Protocols
        2. Network Mobility (NEMO)
        3. IEEE 802.16e
        4. Mobile Ad-hoc Networks
      7. Summary
      8. References
    19. 10. Securing the Transition Mechanisms
      1. Understanding IPv4-to-IPv6 Transition Techniques
        1. Dual-Stack
        2. Tunnels
          1. Configured Tunnels
          2. 6to4 Tunnels
          3. ISATAP Tunnels
          4. Teredo Tunnels
          5. 6VPE
        3. Protocol Translation
      2. Implementing Dual-Stack Security
        1. Exploiting Dual-Stack Environment
        2. Protecting Dual-Stack Hosts
      3. Hacking the Tunnels
        1. Securing Static Tunnels
        2. Securing Dynamic Tunnels
          1. 6to4
          2. ISATAP
          3. Teredo
        3. Securing 6VPE
      4. Attacking NAT-PT
      5. IPv6 Latent Threats Against IPv4 Networks
      6. Summary
      7. References
    20. 11. Security Monitoring
      1. Managing and Monitoring IPv6 Networks
        1. Router Interface Performance
        2. Device Performance Monitoring
          1. SNMP MIBs for Managing IPv6 Networks
          2. IPv6-Capable SNMP Management Tools
            1. Multi-Router Traffic Grapher
            2. CiscoWorks LAN Management Solution
            3. HP OpenView Network Node Manager Smart Plug-in
          3. NetFlow Analysis
        3. Router Syslog Messages
        4. Benefits of Accurate Time
      2. Managing IPv6 Tunnels
      3. Using Forensics
      4. Using Intrusion Detection and Prevention Systems
        1. Cisco IPS Version 6.1
        2. Testing the IPS Signatures
      5. Managing Security Information with CS-MARS
      6. Managing the Security Configuration
      7. Summary
      8. References
    21. 12. IPv6 Security Conclusions
      1. Comparing IPv4 and IPv6 Security
        1. Similarities Between IPv4 and IPv6
        2. Differences Between IPv4 and IPv6
      2. Changing Security Perimeter
      3. Creating an IPv6 Security Policy
        1. Network Perimeter
        2. Extension Headers
        3. LAN Threats
        4. Host and Device Hardening
        5. Transition Mechanisms
        6. IPsec
        7. Security Management
      4. On the Horizon
      5. Consolidated List of Recommendations
      6. Summary
      7. References