Skip navigation
Cisco Learning Home > Network Sheriff > 2009 > February > 20
Currently Being Moderated

IPv6 Security

Posted by Jimmy Ray Purser on Feb 20, 2009 12:01:15 PM

It doesn't take a CSI level investigator to figure out real quick that I am a Star Trek fan. Actually Inspector Clouseau could have figured that out by the end of the movie. By the way, is it just me or does the Steve Martin version just mega ****? If that movie was a dinosaur it would be called M. Suckosaurous.

 

Anyway...

 

I am currently reading William Shatner's 10th autobiography, "Up Til Now" It is very good and the writing style makes it a real hoot to read. Thru his history of acting, nearly every time he took a new role his agent said, "This one will make you a star" and of course it didn't...the story continued. I immediately thought of the broken promises we have heard IT. Things like:

- ZIF slots will give you unlimited upgradability on PCs

- Apple is dead

- The Internet is a passing fad

- Fiber to the desktop is the future

- IPv6 will finally secure the Internet end to end

Now admittedly, most of these promises were made by some goober analyst couldn't tell the difference between a Cat5e cable and router even if you spotted them the first three letters. But the IPv6 promise is spoken be many IT folks as well. Let's address this notion of IPv6 security first off. Will IPv6 finally secure the Internet? It COULD shift the security risk to other places, but truthfully my guess is that it will do little. Here are a few IPv6 quick facts:

- Is IPv6 cool? Big time! As cool as the Star Trek IV statement, "Nu-Cle-er Weselz"

- Are we running out of IPv4 address? Yes! Very fast. Most of Asia is on IPv6 already

- Is there a shortage of IPv6 professionals? Wholly smokes yes! Great career path!

- IPv6 has built in IPSEC so it is secure right? Yes it does BUT it is NOT mandatory to use it. Mando to have it, just not mando to use it.

- I heard the TechWiseTV did a great viewers choice show on IPv6. Why yes we did! I am a huge believer in IPv6. We did one of my favorite shows on this at http://www.cisco.com/go/techwisetv

 

Anyway, you get the idea. Some attacks on IPv6 will certainly change. The old main stay recon method of port scanning and IP address discovery will have to change. Consider that just a simple 64 bit network range is 4 billion times the size of the entire IPv4 range, this will never do. Unless you have an extra 18446744073709551616 packets to spare and that is if you are spotted the first 64 bits since an IPv6 address space is 128 bits. Yowza! Plus tools like NMAP work on IPv6 but it does not have the ability to send raw IPv6 packets so you are limited. We need a different method.

 

First off, understand that IPv6 is low on the priority scale for hackers and security researchers. IPv4 is keeping everyone purdy darn busy right now! The more IPv6 is attacked the more we appreciate the flexibility we have with IPv6. These attacks are the things I have tested and verified in my lab here in the tundra; The CodeCave.

 

Of course anytime I coexist IPv4 and IPv6 on the same wires, all of the IPv4 attacks still work, PLUS older application layer attacks, rogues and flooding are also still a pain in the **** for any network admin.

 

In the IPv6 hacking Tool shed, it is time to reach for IPv6 Attack Tool Kit by Van Hauser.

http://freeworld.thc.org/thc-ipv6/ other good tools are:

- Netcat6 http://www.deepspace6.net/projects/netcat6.html

- Metasploit which is fantastic for scanning Vista machines. http://www.metasploit.com/

 

But I am going to focus on IPv6 Attack Tool since it is so darn flexible.

 

- ICMPv6 attacks via NDP. Neighbor Discovery Protocol is a stateless method of config'ing a IPv6 address on a device. When a client is looking for an address on the network it has to determine the network prefix first. So it sends out a Router Solicitation (RS) multicast to all routers to get the prefix. Knowing that behavior, I can use the IPv6 Attack Tool Kit to mine this info. On my Linux hacktop I fire up Alive6 to send ICMPv6 probes and listen for the results with the command:

  1. alive6 eth1

alive: fd04:0000:0000:0000:1365:2D2E:0023:54EE

Found 1 systems alive

 

Now at this point, I can do one of three things:

- Be a whank and start a DOS attack

- Be a thief and do a Man in the Middle attack

- Be outta here and go have a Newcastle and some fried chicken

 

Let's look at options one and two since three is the easiest choice.

 

- DOS Attack. After a client sends out the RS and receives the network prefix, it sends out a Network Solicitation (NS) packet as part of the Duplicate Address Detection (DAD) with it's proposed IP address to all clients to see if this address is being used. You can then simply reply to this with a Network Advertisement (NA) packet saying that the address is being used. Lather, Rinse and Repeat until satisfied. I like to use the tool DoS-New-ip6 for this little trick.

 

- Man in The Middle (MiTM) Attack. This on a twist on the first one. Instead of replying with a NA packet stating the address is in use, simply reply back with your MAC and now your machine is in the middle. Just remember to forward the traffic to the intended target so you can listen in. IPv6 Attack Tools are the king here. You can use either Redir6 (my fav) or parasite6 which is close to a old school ARP MiTM attack.

 

Sounds familiar right? Of course you can monitor the communication between clients with tools like NDPWatch, NDPMon, DDADDOS. But that is the same thing we did in IPv4. Take advantage of IPSEC in IPv6. That would stop these base level attacks. Plus, if you can, jump into to IPv6 with little transition, that is like Club Med man. Now I know that is going to be tough, but do not look at IPv4-IPv6 transition tools/dual stacking as permanent fixtures on your network. They increase your attack surface to hackers. Use 'um and loss 'um or you carry all the IPv4 baggage with you along with IPv6. A great website to read up on IPv6 is http://go6.net/ or the super awesome book by Patrick Grossetete called "Deploying IPv6" by Cisco Press.

 

As Networking Professionals I think it is a very solid career path to understand IPv6 better then we know IPv4. There is a huge market for IPv6 folks today. The majority of our client machine are already supporting IPv6 (get to know Microsoft Teredo: http://www.symantec.com/avcenter/reference/Teredo_Security.pdf ), which means that is an ingress point into our networks right now. Time for me to run! Star Trek NG is coming on the Sci-Fi channel!! oh wait... oh man...this is one with Wesley Crusher in it...maybe I'll watch Day's of Our Life with my wife instead...

 

Jimmy Ray Purser

 

Trivia File Transfer Protocol

IPv4? IPv6? what happen to version 1-3 and version 5? Did we switch while I was sleeping in? Actually, IP versions 0-3 where the development versions used by Vint Cerf and Bob Kahn in the mid to late 70's. IPv4 was finalized in 1981. IPv5 was assigned to a project called Internet Steam Protocol (ST) which eventually found its way into MPLS. IPv6 was called TUBA, NG, TP/IX and Simple Internet Protocol Plus until final becoming just IPv6. IPv9 was a April Fools joke played by the IETF in 1994. Because if you've ever been to a IETF meeting or read an RFC, humor abounds....

Comments (1)