Agenda
• Why do we even need SeND?
• Some other Mitigations
• IPv6 Secure Neighbor Discovery (SeND) Overview
• SeND support on routers
• SeND support on end-points (hosts)
• SeND demo
4/9/2012
www.salientfed.com
2
Why do we even need SeND??
• Neighbor Discovery is in the clear, trusting and open
  – All hosts trust each other
  – All hosts trust routers
  – All routers trust hosts
  – How is this different than ARP?? (it’s not)
IPv6 Attacks on the Local Segment
• Man-in-the-Middle Attacks during neighbor advertisement/solicitation
  – Parasite6 – THC-IPv6
  – Spoofs every NS sent out by any host
[Diagram: a host asks “Who has fe80:1:2:3:4?” and the attacker answers “Ooo! Ooo! That’s me! My IPv6: fe80:1:2:3:4”]
IPv6 Attacks on the Local Segment, cont
• Denial of Service (DoS) or Session Hijacking using a Rogue Router
  – Fake_router6 and/or flood_router6 – THC-IPv6
  – Acts like a router with highest priority
  – Floods route tables and interface address config
[Diagram: a host asks “Is there an IPv6 router?”; the rogue answers “Me! I am, use me!” and then “Oh, and here’s a million RAs!” – DoS!]
IPv6 Attacks on the Local Segment, cont
• Denial of Service (DoS) with IP conflicts
  – Dos-new-ip6 – THC-IPv6
  – Always responds to a Duplicate Address Detection (DAD) with a positive
  – Hosts will never be able to address their link-local or Global address
[Diagram: “Hey, anyone have this address?” – “Yes, I own that one, try again!” – “OK, what about this one?” – “Yep, got that one too!”]
IPv6 Attacks on the Local Segment, cont
• Denial of Service (DoS) with Neighbor floods
  – Flood_advertise6 – THC-IPv6
  – Floods all hosts on a network with bogus neighbor advertisements
  – Performance on host IPv6 neighbor tables will degrade and cause a DoS
[Diagram: the attacker sends “NA for fe80::2”, “NA for fe80::3”, “NA for fe80::4” … and the host says “I feel bloated”]
IPv6 Attacks on the Local Segment, cont
• IPv6 Exploitation and Fuzzing attacks
  – fuzz6, exploit6, denial6 – THC-IPv6
  – Runs a series of fuzzing and link-local exploitation attacks on hosts
[Diagram: the attacker sends “IPv6 --- Fuzz!”, “IPv6 --- Exploit!”, “IPv6 --- Deny!”; the host says “Ouch! Stop it!”]
Some other Mitigations other than SeND
• There’s always 802.1x
  – Layer 2 authentication only and it only protects once (or upon re-authentication)
  – Layer 2 and 3 addresses are still “in the clear”
  – Usually requires some sort of AAA server
• Router Advertisement Guard (RA Guard)
  – Only protects an interface from a rogue RA, not traffic from NA and NS badness
  – RA Guard implementations are still confused when there are extension headers (see draft-ietf-v6ops-raguard-implementation-00)
Some other Mitigations other than SeND
• RA Guard Issues
  – As stated by Fernando Gont, “some implementations of RA-Guard have been found to be prone to circumvention by employing IPv6 Extension Headers”
  – Fragment Header and Destination Options
  – Diagram from Gont below
What is SeND?
• A Public-Key Infrastructure (PKI) system implemented with Cryptographically-Generated Addresses (CGA), RFC 3971 and RFC 3972
  – All host and router link-local and Global Unicast addresses are generated per CGA specification
  – All NDP traffic is CGA signed and authenticated
  – A centralized Certificate Authority (CA) is used (can be a CA on the router or using a Microsoft CA)
  – ICMPv6 Certification Path message added to the mix
  – The NONCE flag is used to protect against DoS from all non-authenticated hosts
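As an added example that is not part of the presentation, the following Python sketches how a CGA is generated per RFC 3972 (modifier search, Hash1/Hash2, Sec bits) and the verification a SeND receiver performs before trusting the source address of a signed NDP message. The public key bytes and the starting modifier are constructed placeholders, not real key material.

```python
import hashlib
import ipaddress

# Constructed stand-in for the DER-encoded SubjectPublicKeyInfo a real node would use.
PUBKEY = b"CONSTRUCTED-PLACEHOLDER-FOR-DER-SubjectPublicKeyInfo"


def _hash1(modifier, prefix, collision_count, pubkey):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters (RFC 3972 section 4)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2_ok(modifier, pubkey, sec):
    """Hash2 = SHA-1(modifier || 9 zero bytes || public key); its leftmost 16*Sec bits must be zero."""
    if sec == 0:
        return True
    hash2 = int.from_bytes(hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14], "big")
    return hash2 >> (112 - 16 * sec) == 0


def generate_cga(prefix, pubkey, sec, modifier, collision_count=0):
    """Generate a CGA; the caller restarts with collision_count+1 (max 2) if DAD fails."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    # Brute-force the modifier until Hash2 meets the Sec condition (the costly step).
    while not _hash2_ok(modifier, pubkey, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, pfx, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # three leftmost bits carry Sec; bits 6 and 7 (u/g) are zero
    params = {"modifier": modifier, "prefix": pfx, "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(pfx + bytes(iid)), params


def verify_cga(address, params):
    """Receiver-side check: does this address really bind to the CGA Parameters (and key) presented?"""
    packed = ipaddress.IPv6Address(address).packed
    if params["collision_count"] > 2 or params["prefix"] != packed[:8]:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5
    expected = _hash1(params["modifier"], params["prefix"], params["collision_count"], params["pubkey"])
    # Compare Hash1 with the interface identifier, ignoring the Sec, u and g bits.
    if (expected[0] & 0x1C) != (iid[0] & 0x1C) or expected[1:] != iid[1:]:
        return False
    return _hash2_ok(params["modifier"], params["pubkey"], sec)


if __name__ == "__main__":
    addr, params = generate_cga("2001:db8:1:2::/64", PUBKEY, 1, bytes(16))  # bytes(16): fixed constructed modifier
    print(addr, verify_cga(addr, params))
    # Any change to the bound public key breaks the binding: the address no longer verifies.
    print(verify_cga(addr, dict(params, pubkey=PUBKEY + b"!")))
```

With Sec=1 the modifier search needs roughly 2^16 SHA-1 evaluations, which is why the slides treat address generation as a one-time cost while verification stays cheap.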
SeND in Real-time
[Diagram sequence between the CA Router/Server, the Segment Router and a host]
• Request Certificate → Certificate Received
• Router Solicitation w/ RSA signed → Router Advertisement w/ RSA signed
• Certification Path Solicitation, Neighbor Solicitation w/ RSA signed → Certification Path Advertisement
• Neighbor Advertisement w/ RSA signed → All Done with CGA
  – A host without SeND: “Hello? Anyone?” – Segment Router: “Je ne comprends pas!” (with “ipv6 nd secured fullsecure” enabled)
SeND support on Routers
• Cisco support for SeND, CGA and Certificate Authority with IPextensions – IOS 12.4-24(T) +
  • Caveat!! Only on T and M trains on ISR routers
  • Another Caveat!! NO SUPPORT on new ASR router platforms! (please complain here)
• Juniper JUNOS support – Yes, deployable across JUNOS 9.3+ (see here)
• HP Procurve support (A & E series) – None
• Huawei Technologies – Support using ipv6-send-cga Linux package (http://code.google.com/p/ipv6-send-cga/)
• Brocade – None that I know of
SeND support on Hosts
• Microsoft Windows 7 or Server 2008
  – None natively (Complain here)
  – TrustRouter application Win7-32bit – RAs (no support for NA/NS)
  – WinSEND application works with all NDP traffic
    • Won the German IPv6 Council Application Award for 2011
• Apple Macintosh
  – None natively (Complain here)
  – TrustRouter application for Mac OS X – RAs (no support for NA/NS)

WinSEND
• Application runs as a service, with a management interface
• Licensed from HPI in Germany
Current issues with SeND
• A Patent exists (US 2008/0307516 A1)
• Certificate expirations
  – Can be 1 year
  – Difficult to maintain if not doing auto-enrollment
• Little client saturation
  – Linux support (e.g. Easy-SEND)
  – Win 7 (e.g. WinSEND)
• Dynamic DNS (for CGA addressing) impacts unknown
  – Microsoft has CGA addressing for DHCPv6 w/ Dynamic DNS
• SeND support on mobile & VoIP platforms non-existent
Well, is it Deployable in the Enterprise?
• Short Answer: Yes!
• Long answer: Yes, but follow our guidance:
  – Be mindful of your CA (e.g. when certs expire)
    • We recommend 3 years for certs, but if you insist on 1 year you better have a process!
  – Monitor SeND and CGA failures and/or issues using SNMP Traps
  – Recommend having a “safe-zone” for a SeND disaster scenario (if doing “full secure mode”)
    • A locked room with an interface attached to the local segment router with no 802.1x or SeND
Now for the Demo!
• All virtual VirtualBox
  – Ubuntu 11.04 with Dynamips and Dynagen
  – Segment Router: Cisco 7206 router with IOS 12.4-24(T)
  – CA Router: Cisco 7206 router with IOS 12.4-24(T)
  – A simulated host (Cisco router)
  – Ubuntu Linux host without SeND running
Questions?
www.SalientFed.com
Resources
• Cisco’s IPv6 First Hop Security Page: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6first_hop_security.html
• IPv6 SeND Wikipedia: http://en.wikipedia.org/wiki/Secure_Neighbor_Discovery_Protocol