IPv6 Security

IPv6 Security Protection measures for the next Internet Protocol As the world's networks migrate to the IPv6 protocol, networking professionals need a clearer understanding of the security risks, threats, and challenges this transition presents. In IPv6 Security, two of the world's leading Internet security practitioners review each potential security issue introduced by IPv6 networking and present today's best solutions. IPv6 Security offers guidance for avoiding security problems prior to widespread IPv6 deployment. The book covers every component of today's networks, identifying specific security deficiencies that occur within IPv6 environments and demonstrating how to combat them. The authors describe best practices for identifying and resolving weaknesses as you maintain a dual stack network. Then they describe the security mechanisms you need to implement as you migrate to an IPv6-only network. The authors survey the techniques hackers might use to try to breach your network, such as IPv6 network reconnaissance, address spoofing, traffic interception, denial of service, and tunnel injection. The authors also turn to Cisco® products and protection mechanisms. You learn how to use Cisco IOS® and ASA firewalls and ACLs to selectively filter IPv6 traffic. You also learn about securing hosts with Cisco Security Agent 6.0 and about securing a network with IOS routers and switches. Multiple examples are explained for Windows, Linux, FreeBSD, and Solaris hosts. The authors offer detailed examples that are consistent with today's best practices and easy to adapt to virtually any IPv6 environment. Scott Hogg, CCIE® No. 5133, is Director of Advanced Technology Services at Global Technology Resources, Inc. (GTRI). He is responsible for setting the company's technical direction and helping it create service offerings for emerging technologies such as IPv6. He is the Chair of the Rocky Mountain IPv6 Task Force. Eric Vyncke, Cisco Distinguished System Engineer, consults on security issues throughout Europe. He has 20 years' experience in security and teaches security seminars as a guest professor at universities throughout Belgium. He also participates in the Internet Engineering Task Force (IETF) and has helped several organizations deploy IPv6 securely. - Understand why IPv6 is already a latent threat in your IPv4-only network - Plan ahead to avoid IPv6 security problems before widespread deployment - Identify known areas of weakness in IPv6 security and the current state of attack tools and hacker skills - Understand each high-level approach to securing IPv6 and learn when to use each - Protect service provider networks, perimeters, LANs, and host/server connections - Harden IPv6 network devices against attack - Utilize IPsec in IPv6 environments - Secure mobile IPv6 networks - Secure transition mechanisms in use during the migration from IPv4 to IPv6 - Monitor IPv6 security - Understand the security implications of the IPv6 protocol, including issues related to ICMPv6 and the IPv6 header structure - Protect your network against large-scale threats by using perimeter filtering techniques and service provider-focused security practices - Understand the vulnerabilities that exist on IPv6 access networks and learn solutions for mitigating each This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks. Category: Networking: Security Covers: IPv6 Security

Scott Hogg, CCIE No. 5133, has been a network computing consultant for more than 17 years. Scott provides network engineering, security consulting, and training services, focusing on creating reliable, high-performance, secure, manageable, and cost-effective network solutions. He has a bachelor's degree in computer science from Colorado State University and a master's degree in telecommunications from the University of Colorado. In addition to his CCIE he has his CISSP (No. 4610) and many other vendor and industry certifications. Scott has designed, implemented, and troubleshot networks for many large enterprises, service providers, and government organizations. For the past eight years, Scott has been researching IPv6 technologies. Scott has written several white papers on IPv6 and has given numerous presentations and demonstrations of IPv6 technologies. He is also currently the chair of the Rocky Mountain IPv6 Task Force and the Director of Advanced Technology Services at Global Technology Resources, Inc. (GTRI), a Cisco Gold partner headquartered in Denver, Colorado. Eric Vynckeis a Distinguished System Engineer for Cisco working as a technical consultant for security covering Europe. His main area of expertise for 20 years has been security from Layer 2 to applications. He has helped several organizations deploy IPv6 securely. For the past eight years, Eric has participated in the Internet Engineering Task Force (IETF) (he is the author of RFC 3585). Eric is a frequent speaker at security events (notably Cisco Live [formerly Networkers]) and is also a guest professor at Belgian Universities for security seminars. He has a master's degree in computer science engineering from the University of Liège in Belgium. He worked as a research assistant in the same university before joining Network Research Belgium, where he was the head of R&D; he then joined Siemens as a project manager for security projects including a proxy firewall. He coauthored the Cisco Press book LAN Switch Security: What Hackers Know About Your Switches. He is CISSP No. 75165.

In>Chapter 1 Introduction to IPv6 Security Reintroduction to IPv6 3 IPv6 Update 6 IPv6 Vulnerabilities 7 Hacker Experience 8 IPv6 Security Mitigation Techniques 9 Summary Recommended Readings and Resources Chapter 2 IPv6 Protocol Security Vulnerabilities The IPv6 Protocol Header ICMPv6 ICMPv6 Functions and Message Types ICMPv6 Attacks and Mitigation Techniques Multicast Security Extension Header Threats Extension Header Overview Extension Header Vulnerabilities Hop-by-Hop Options Header and Destination Options Header IPv6 Extension Header Fuzzing Router Alert Attack Routing Headers RH0 Attack Preventing RH0 Attacks Additional Router Header Attack Mitigation Techniques Fragmentation Header Overview of Packet Fragmentation Issues Fragmentation Attacks Preventing Fragmentation Attacks Virtual Fragment Reassembly Unknown Option Headers Upper-Layer Headers Reconnaissance on IPv6 Networks Scanning and Assessing the Target Registry Checking Automated Reconnaissance Speeding Up the Scanning Process Leveraging Multicast for Reconnaissance Automated Reconnaissance Tools Sniffing to Find Nodes Neighbor Cache Node Information Queries Protecting Against Reconnaissance Attacks Layer 3 and Layer 4 Spoofing Summary References Chapter 3 IPv6 Internet Security Large-Scale Internet Threats Packet Flooding Internet Worms Worm Propagation Speeding Worm Propagation in IPv6 Current IPv6 Worms Preventing IPv6 Worms Distributed Denial of Service and Botnets DDoS on IPv6 Networks Attack Filtering Attacker Traceback Black Holes and Dark Nets Ingress/Egress Filtering Filtering IPv6 Traffic Filtering on Allocated Addresses Bogon Filtering Bogon Filtering Challenges and Automation Securing BGP Sessions Explicitly Configured BGP Peers Using BGP Session Shared Secrets Leveraging an IPsec Tunnel Using Loopback Addresses on BGP Peers Controlling the Time-to-Live (TTL) on BGP Packets Filtering on the Peering Interface Using Link-Local Peering Link-Local Addresses and the BGP Next-Hop Address Drawbacks of Using Link-Local Addresses Preventing Long AS Paths Limiting the Number of Prefixes Received Preventing BGP Updates Containing Private AS Numbers Maximizing BGP Peer Availability Disabling Route-Flap Dampening Disabling Fast External Fallover Enabling Graceful Restart and Route Refresh or Soft Reconfiguration BGP Connection Resets Logging BGP Neighbor Activity Securing IGP Extreme Measures for Securing Communications Between BGP Peers IPv6 over MPLS Security Using Static IPv6 over IPv4 Tunnels Between PE Routers Using 6PE Using 6VPE to Create IPv6-Aware VRFs Customer Premises Equipment Prefix Delegation Threats SLAAC DHCPv6 Multihoming Issues Summary References Chapter 4 IPv6 Perimeter Security IPv6 Firewalls Filtering IPv6 Unallocated Addresses Additional Filtering Considerations Firewalls and IPv6 Headers Inspecting Tunneled Traffic Layer 2 Firewalls Firewalls Generate ICMP Unreachables Logging and Performance Firewalls and NAT Cisco IOS Router ACLs Implicit IPv6 ACL Rules Internet ACL Example IPv6 Reflexive ACLs Cisco IOS Firewall Configuring IOS Firewall IOS Firewall Example IOS Firewall Port-to-Application Mapping for IPv6 Cisco PIX/ASA/FWSM Firewalls Configuring Firewall Interfaces Management Access Configuring Routes Security Policy Configuration Object Group Policy Configuration Fragmentation Protection Checking Traffic Statistics Neighbor Discovery Protocol Protections Summary References Chapter 5 Local Network Security Why Layer 2 Is Important ICMPv6 Layer 2 Vulnerabilities for IPv6 Stateless Address Autoconfiguration Issues Neighbor Discovery Issues Duplicate Address Detection Issues Redirect Issues ICMPv6 Protocol Protection Secure Neighbor Discovery Implementing CGA Addresses in Cisco IOS Understanding the Challenges with SEND Network Detection of ICMPv6 Attacks Detecting Rogue RA Messages Detecting NDP Attacks Network Mitigation Against ICMPv6 Attacks Rafixd Reducing the Target Scope IETF Work Extending IPv4 Switch Security to IPv6 Privacy Extension Addresses for the Better and the Worse DHCPv6 Threats and Mitigation Threats Against DHCPv6 Mitigating DHCPv6 Attacks Mitigating the Starvation Attack Mitigating the DoS Attack Mitigating the Scanning Mitigating the Rogue DHCPv6 Server Point-to-Point Link Endpoint Security Summary References Chapter 6 Hardening IPv6 Network Devices Threats Against Network Devices Cisco IOS Versions Disabling Unnecessary Network Services Interface Hardening Limiting Router Access Physical Access Security Securing Console Access Securing Passwords VTY Port Access Controls AAA for Routers HTTP Access IPv6 Device Management Loopback and Null Interfaces Management Interfaces Securing SNMP Communications Threats Against Interior Routing Protocol RIPng Security EIGRPv6 Security IS-IS Security OSPF Version 3 Security First-Hop Redundancy Protocol Security Neighbor Unreachability Detection HSRPv6 GLBPv6 Controlling Resources Infrastructure ACLs Receive ACLs Control Plane Policing QoS Threats Summary References Chapter 7 Server and Host Security IPv6 Host Security Host Processing of ICMPv6 Services Listening on Ports Microsoft Windows Linux BSD Sun Solaris Checking the Neighbor Cache Microsoft Windows Linux BSD Sun Solaris Detecting Unwanted Tunnels Microsoft Windows Linux BSD Sun Solaris IPv6 Forwarding Microsoft Windows Linux BSD Sun Solaris Address Selection Issues Microsoft Windows Linux BSD Sun Solaris Host Firewalls Microsoft Windows Firewall Linux Firewalls BSD Firewalls OpenBSD Packet Filter ipfirewall IPFilter Sun Solaris Securing Hosts with Cisco Security Agent 6.0 Summary References Chapter 8 IPsec and SSL Virtual Private Networks IP Security with IPv6 IPsec Extension Headers IPsec Modes of Operation Internet Key Exchange (IKE) IKE Version 2 IPsec with Network Address Translation IPv6 and IPsec Host-to-Host IPsec Site-to-Site IPsec Configuration IPv6 IPsec over IPv4 Example Configuring IPv6 IPsec over IPv4 Verifying the IPsec State Adding Some Extra Security Dynamic Crypto Maps for Multiple Sites IPv6 IPsec Example Configuring IPsec over IPv6 Checking the IPsec Status Dynamic Multipoint VPN Configuring DMVPN for IPv6 Verifying the DMVPN at the Hub Verifying the DMVPN at the Spoke Remote Access with IPsec SSL VPNs Summary References Chapter 9 Security for IPv6 Mobility Mobile IPv6 Operation MIPv6 Messages Indirect Mode Home Agent Address Determination Direct Mode Threats Linked to MIPv6 Protecting the Mobile Device Software Rogue Home Agent Mobile Media Security Man-in-the-Middle Threats Connection Interception Spoofing MN-to-CN Bindings DoS Attacks Using IPsec with MIPv6 Filtering for MIPv6 Filters at the CN Filters at the MN/Foreign Link Filters at the HA Other IPv6 Mobility Protocols Additional IETF Mobile IPv6 Protocols Network Mobility (NEMO) IEEE .16e Mobile Ad-hoc Networks Summary References Chapter 10 Securing the Transition Mechanisms Understanding IPv4-to-IPv6 Transition Techniques Dual-Stack Tunnels Configured Tunnels 6to4 Tunnels ISATAP Tunnels Teredo Tunnels 6VPE Protocol Translation Implementing Dual-Stack Security Exploiting Dual-Stack Environment Protecting Dual-Stack Hosts Hacking the Tunnels Securing Static Tunnels Securing Dynamic Tunnels 6to4 ISATAP Teredo Securing 6VPE Attacking NAT-PT IPv6 Latent Threats Against IPv4 Networks Summary References Chapter 11 Security Monitoring Managing and Monitoring IPv6 Networks Router Interface Performance Device Performance Monitoring SNMP MIBs for Managing IPv6 Networks IPv6-Capable SNMP Management Tools NetFlow Analysis Router Syslog Messages Benefits of Accurate Time Managing IPv6 Tunnels Using Forensics Using Intrusion Detection and Prevention Systems Cisco IPS Version 6.1 Testing the IPS Signatures Managing Security Information with CS-MARS Managing the Security Configuration Summary References Chapter 12 IPv6 Security Conclusions Comparing IPv4 and IPv6 Security Similarities Between IPv4 and IPv6 Differences Between IPv4 and IPv6 Changing Security Perimeter Creating an IPv6 Security Policy Network Perimeter Extension Headers LAN Threats Host and Device Hardening Transition Mechanisms IPsec Security Management On the Horizon Consolidated List of Recommendations Summary References