
Overview of threats

IPv4, ARP and DHCP are susceptible to many Layer 2 threats. These are well known, and there are tools for effectively mitigating many of these attacks. IPv6 is susceptible to many of the same threats, albeit in a slightly different form. Although IPv6 does not use ARP, it is still susceptible to the same MAC hijacking attacks. Likewise, it is still possible to set up rogue DHCPv6 servers and rogue routers. Unfortunately, Layer 2 security hasn't yet caught up with IPv6: there is no IPv6 equivalent of Dynamic ARP Inspection or DHCP snooping.

IPv6 does not use ARP; it uses the Neighbor Discovery Protocol (NDP). NDP is a subset of ICMPv6; see RFC 4861 for specifics. RFC 3756: IPv6 Neighbor Discovery (ND) Trust Models and Threats has a thorough discussion of threats against the Neighbor Discovery Protocol (NDP). For a laundry list of potential IPv6 security issues, consult RFC 4942: IPv6 Transition/Coexistence Security Considerations.

For information on Layer 2 IPv6 protection, see RFC 4864: Local Network Protection for IPv6.

Joe St. Sauver, of University of Oregon, gave an excellent overview of IPv6 security at the Winter 2009 Internet2 Joint Techs meeting. A video of the talk is also available.

There was a comprehensive presentation on IPv6 security at Cisco Networkers 2009.

Address Spoofing

Disabling Privacy Addresses

Windows XP, Vista, and 7, OS X 10.7, iOS 4, Android 4, and OpenBSD 5.3 enable privacy addresses by default. Privacy addresses are intended to obscure the user's identity. As such, they can make complying with University security policy more difficult, and it is recommended that network administrators disable them when possible.

Windows XP

To disable privacy addresses, run this as an Administrator from a command window:

netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set privacy state=disabled

Alternatively, setting the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\GlobalParams\UseTemporaryAddresses to 0 should disable privacy addresses.

Windows Vista

To disable privacy addresses, run this as an Administrator from a command window:

netsh interface ipv6 set global randomizeidentifiers=disabled
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface ipv6 set privacy disabled

Mac OS X 10.7 ("Lion")

OS X 10.7 enables privacy addresses by default. To disable them permanently, edit /etc/sysctl.conf and set:

net.inet6.ip6.use_tempaddr=0

And reboot.

If you want to disable privacy addresses without a reboot, you can use sysctl to disable privacy addresses for the current session. Note that privacy addresses will be re-enabled on the next reboot unless you edit sysctl.conf as described above:

sysctl -w net.inet6.ip6.use_tempaddr=0

iOS

Apple's iOS (used on iPads, iPhones, and iPod Touches) enables privacy addresses as of version 4.3. There is no way to disable privacy addresses on these devices, short of disabling autoconfiguration entirely (turn off the A flag in the Router Advertisement).

Android

Android 4.0 enables privacy addresses. There is no way to disable privacy addresses on these devices, short of disabling autoconfiguration entirely (turn off the A flag in the Router Advertisement).

OSes considering enabling Privacy Addresses by default

Ubuntu (see this bug id) is considering enabling privacy addresses by default.

Unicast RPF

To enable IPv6 unicast RPF on Cisco devices, issue the following commands:

ip cef
ipv6 cef
ipv6 verify unicast reverse-path

Please note that IPv6 uRPF checking is performed in software on many Cisco devices.
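The command above enables strict-mode uRPF: a packet is forwarded only if the best route back to its source address points out the interface the packet arrived on. As an added illustration (this is not Cisco's code or anything from the original page), here is a small Python model of the check with a constructed forwarding table and constructed traffic. The prefixes, interface names and the allow_default switch are assumptions for the example; on a real router the equivalent knobs are the platform's own loose-mode and default-route options.

```python
import ipaddress

# Constructed sample forwarding table: (prefix, interface the prefix is reached through).
# These prefixes and interface names are assumptions for the example, not a real network.
SAMPLE_FIB = [
    ("2001:db8:1::/48", "Gi0/1"),
    ("2001:db8:1:100::/64", "Gi0/2"),
    ("2001:db8:2::/48", "Gi0/3"),
    ("::/0", "Gi0/0"),  # default route toward the upstream provider
]


def lookup(fib, address):
    """Longest-prefix match. Returns (network, interface) or None when nothing matches."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_passes(fib, src, ingress, mode="strict", allow_default=False):
    """Reverse-path check for a packet with source `src` arriving on `ingress`.

    strict: the best route back to the source must point out the ingress interface.
    loose:  any route back to the source is enough (for asymmetric paths).
    In both modes a match on the default route only counts when allow_default is set;
    otherwise every unrouted source address would pass the check.
    """
    match = lookup(fib, src)
    if match is None:
        return False
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode != "strict":
        raise ValueError("mode must be 'strict' or 'loose'")
    return iface == ingress


def audit(fib, packets, **opts):
    """Return the (src, ingress) pairs that uRPF would drop."""
    return [(src, ingress) for src, ingress in packets
            if not urpf_passes(fib, src, ingress, **opts)]


# Constructed traffic sample: (source address, ingress interface).
SAMPLE_PACKETS = [
    ("2001:db8:1:100::5", "Gi0/2"),  # host seen on its own subnet: passes
    ("2001:db8:1:100::5", "Gi0/1"),  # same source on the wrong interface: spoofed
    ("2001:db8:2::9", "Gi0/3"),      # passes
    ("2001:db8:1::7", "Gi0/3"),      # internal prefix arriving on another internal port: spoofed
    ("2001:db8:9::1", "Gi0/0"),      # only the default route matches: dropped unless allow_default
]

if __name__ == "__main__":
    for pkt in audit(SAMPLE_FIB, SAMPLE_PACKETS):
        print("uRPF drop:", pkt)
```

Running it lists the three spoofed or unrouted samples. The default-route case is the one that bites in practice: on an edge router with only a default route toward the Internet, strict uRPF on the upstream interface either passes everything (with the default allowed) or drops everything, so uRPF is most useful on customer- or host-facing interfaces where the routing table is specific.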

Enforce EUI-64 Addresses

The Cisco ASA/PIX/FWSM can enforce EUI-64 addressing. That is, they can enforce that the MAC address embedded in an EUI-64 host identifier matches the source MAC address of incoming packets. To enable this feature:

ipv6 enforce-eui64 <interface_name>

See the Cisco Security Appliance Command Line Configuration Guide and FWSM documentation for more information.
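To make the check concrete, here is an added Python example (not Cisco's code and not from the original page) that derives the modified EUI-64 interface identifier from a MAC address and classifies a (source address, source MAC) pair the way an enforcement point would. The same classification doubles as an audit for the privacy addresses discussed above: a temporary address has a random identifier and shows up as "non-eui64". The addresses and MACs in the sample are constructed.

```python
import ipaddress


def _mac_bytes(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into six octets."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return octets


def eui64_iid(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC:
    insert ff:fe between the OUI and the device part, then flip the universal/local bit."""
    octets = _mac_bytes(mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def mac_from_iid(iid):
    """Reverse of eui64_iid; None if the identifier is not in modified EUI-64 form."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def iid_of(address):
    """Low 64 bits of an IPv6 address."""
    return ipaddress.IPv6Address(address).packed[8:]


def matches_mac(address, mac):
    """True when the address's interface identifier embeds exactly this MAC."""
    return iid_of(address) == eui64_iid(mac)


def classify(address, mac):
    """What an EUI-64 enforcement point concludes about a (source address, source MAC) pair.

    eui64-match:    identifier embeds this MAC; the packet passes
    eui64-mismatch: identifier is EUI-64 shaped but embeds a different MAC; dropped
    non-eui64:      random (privacy) or manually assigned identifier; dropped as well
    """
    iid = iid_of(address)
    if mac_from_iid(iid) is None:
        return "non-eui64"
    return "eui64-match" if iid == eui64_iid(mac) else "eui64-mismatch"


# Constructed sample: what a host with MAC 00:1b:63:84:45:e6 might present on the wire.
SAMPLE = [
    ("fe80::21b:63ff:fe84:45e6", "00:1b:63:84:45:e6"),       # link-local, EUI-64 derived
    ("2001:db8::21b:63ff:fe84:45e7", "00:1b:63:84:45:e6"),   # EUI-64 shaped, wrong MAC
    ("2001:db8::a1b2:c3d4:e5f6:7890", "00:1b:63:84:45:e6"),  # privacy-style identifier
]

if __name__ == "__main__":
    for address, mac in SAMPLE:
        print(f"{address:32} {mac}  ->  {classify(address, mac)}")
```

Note the third case: with enforce-eui64 on, every host that still uses privacy addresses loses connectivity through that interface, so disable privacy addresses (as described above) before turning enforcement on.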

Tunneling

In some situations, Windows Vista and 7 can create IPv6-over-IPv4 tunnels automatically. To disable these tunneling protocols, run the following:

netsh interface 6to4 set state state=disabled
netsh interface teredo set state disable
netsh interface isatap set state disabled
netsh interface httpstunnel set interface state=disabled

Windows 2008 R2 can set group policy for Windows 7 to disable these. Set the policy in Computer Configuration -> Policies -> Administrative Templates -> Network -> TCP/IP Settings -> IPv6 Transition Technologies. More information can be found in this article.

Firewalls

ICMPv6 filtering

Some firewall administrators block all incoming ICMP packets for IPv4. This practice will break IPv6. ICMPv6 performs many more functions than ICMPv4. These include Path MTU discovery, Router Discovery, Neighbor Discovery, Mobile IPv6, multicast management, and address reconfiguration. As such, certain ICMPv6 messages must be allowed to pass through firewalls. RFC 4890 provides guidelines for filtering ICMPv6.

Product Support

Peter Bieringer, Status of Open Source and commercial IPv6 firewall implementations

ICANN SAC-016: Testing Firewalls for IPv6 and EDNS0 Support - http://www.icann.org/committees/security/sac016.htm (should also include DNS-over-TCP)

ICANN SAC-021: Survey of IPv6 Support Among Commercial Firewalls - http://www.icann.org/committees/security/sac021.pdf

Windows XP / 2003

Windows XP SP2's built-in firewall supports IPv6, as does Windows Server 2003 SP1.

XP's firewall can't set different rules for IPv4 and IPv6. For example, you can't only open a port for IPv4, or only block ICMP echo requests for IPv6.

Windows XP cannot scope rules using IPv6. For example, you can't open a port only to a specific IPv6 subnet.

Windows Vista, 2008 and 7

Windows Vista, 7 and 2008 support IPv6 in their built-in firewalls. They allow IPv6 scopes in exceptions. They allow different rulesets for ICMPv4 and ICMPv6.

Misc Windows

ESET Personal Firewall version 3 and higher support IPv6.

F-Secure Client Security 7.1.2 supports IPv6.

Norton Personal Firewall does not support IPv6.

Symantec Endpoint Security

The University licenses Symantec Endpoint Protection (SEP) for employee and student use. SEP includes the Symantec Client Firewall, which does not support IPv6 (although Symantec claims it will support IPv6 in the next version). By default, the Symantec Client Firewall will block all incoming and outgoing IPv6 traffic. When you install Symantec Endpoint Protection suite on Windows Vista, it will disable Vista's built-in firewall (which supports IPv6). Thus, installing Symantec Endpoint Protection Suite on Windows Vista breaks IPv6.

If you want to use Symantec Endpoint Protection Suite and have IPv6 working, you should not install the firewall component of Symantec Endpoint Protection Suite. In this case, you will need to use Windows' built-in firewall for both IPv4 and IPv6. In the SEP installer, select a Custom installation. In the "Custom Setup" screen deselect the "Firewall and Intrusion Prevention" feature. See below:

If you have already installed Symantec Endpoint Protection and wish to disable the Symantec Firewall, you will need to do the following on Windows Vista:

  1. Open the Control Panel and select "Programs and Features."
  2. Select Symantec Endpoint Protection and click <Change> at the top of the window. This will launch the Symantec Endpoint Protection installer.
  3. In the installer, click the Modify radio button and click <Next>.
  4. Deselect the "Firewall and Intrusion Detection" option and click <Next>. When the installer is done, click <Finish>.

Uninstalling the Symantec Client Firewall should re-enable the Windows Firewall. To verify that the Windows Firewall is running, open the Control Panel and select "Security Center." The Firewall section should be green. Click on the down arrow to check that Windows Firewall is enabled:

Mac OS X

See this page.

Mac OS X Server

OS X Server's GUI admin tool (Server Admin) does not support IPv6. Further, Server Admin will overwrite any IPv6 firewall rules. To use the IPv6 firewall on OS X Server:

Configure Server Admin to leave IPv6 rules alone. Edit /etc/ipfilter/ip_address_groups.plist and change:

Then go to http://blog.atariwiki.strotmann.de/roller/cas/entry/managing_the_macos_x_ipv6 and download and install the ip6fw script package.

RedHat Linux

RedHat 5.x does not support stateful IPv6 firewalling, as it ships with an older kernel. This feature was introduced in the 2.6.20 kernel.

Ubuntu Linux

Ubuntu uses the ufw (Ubuntu Firewall). To enable IPv6, edit /etc/default/ufw and set:

IPV6=yes

Ubuntu 7.04 and later support stateful IPv6 firewalling.

Solaris 10

Solaris 10 6/06 includes IPv6 support in ipfilter.

Misc

Firewall Builder 3.0 supports IPv6.

m0n0wall supports IPv6 as of version 1.3.

Hardware

Cisco ASA, PIX and FWSM running version 7.0 support IPv6. IPv6 failover is supported as of version 8.3. The PIX and FWSM do not support IPv6 in bridging mode (only in routed mode). The ASA, as of version 8.2, supports both bridged ("transparent") and routed mode. The ASDM configuration tool supports IPv6 as of version 8.2. The FWSM only supports IPv6 in software.

The IOS firewall got IPv6 support in version 12.3(7)T.

IOS VACLs do not support IPv6 (reference).

Juniper NetScreen supports IPv6 as of 5.4.0, but there are numerous bugs until 6.2.0r1cu4.0.

Firewall Standards

RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls - http://tools.ietf.org/html/rfc4890

Recommended Simple Security Capabilities in Customer Premises Equipment for Providing Residential IPv6 Internet Service - RFC 6092

NSA Router Security Configuration Guide Supplement - Security for IPv6 - http://www.nsa.gov/ia/_files/routers/I33-002R-06.pdf

NSA Firewall Design Considerations for IPv6 - http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/ipv6/I733-041R-2007.pdf

NIST Special Publication 500-267, "A Profile for IPv6 in the U.S. Government - Version 1.0" - http://www.antd.nist.gov/usgv6/usgv6-v1-draft2.pdf, section 6.12 has requirements for Network Protection Devices.

IPv6 RA guard - http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01

Firewall Product Certification

The Nokia 290, 390 and 590 are IPv6 Ready Phase-2 certified.

DOD-approved firewalls

Sample Firewall Configurations

CERT has provided sample ip6tables (Linux) and Windows Vista firewall configurations, based on RFC 4890.

Cymru provides templates for IPv6 bogon filtering.

IOS sample

This is an IOS ACL snippet to implement RFC 4890:

ipv6 access-list RFC4890
    permit icmp any any echo-reply
    permit icmp any any echo-request
    permit icmp any any 1 3
    permit icmp any any 1 4
    permit icmp any any packet-too-big
    permit icmp any any time-exceeded
    permit icmp any any parameter-problem
    permit icmp any any mld-query
    permit icmp any any mld-reduction
    permit icmp any any mld-report
    permit icmp any any nd-na
    permit icmp any any nd-ns
    permit icmp any any router-solicitation

Security Tools

thc-ipv6 has a variety of canned attack tools for IPv6.

Metasploit has IPv6 support as of version 3.2.

ndpmon is the IPv6 equivalent of arpwatch. There are sample configurations in the wiki.

Nessus got IPv6 support in version 3.2.

nmap has IPv6 support, but with several limitations.

scapy, a scriptable packet injection system, has IPv6 support. See this presentation for more details.

RA filtering

Clients (generally) configure IPv6 addresses and populate their routing tables based on IPv6 Router Advertisements (RAs). (I say generally because machines can be configured to ignore RAs.) These RAs are normally unauthenticated, so it's possible that a malicious agent with access to your LAN could cause clients to reconfigure their addresses and route their traffic through a router outside of your control. It is important to prevent bogus RAs from entering your LAN. In addition, if an attacker sends a constant stream of bogus RAs, this can cause a denial of service on some OSes, as the kernel must consume memory and CPU cycles to process the RAs. Cisco IOS and ASA were vulnerable to this attack until January 2011 (see this security announcement for the ASA, and this one for IOS). Microsoft Windows (XP and newer) is vulnerable to this attack as well.

The IETF discusses this issue in RFC 6104: Rogue IPv6 Router Advertisement Problem Statement.

For more information, see the talk "IPv6 Autoconfiguration: Plug & Play Dream or Security Nightmare" (slides here, and video here) by David Farmer at the Winter 2008 Internet2 Joint Techs meeting.
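The switch ACLs in the vendor sections below drop RAs on access ports outright. Where you cannot do that (or want to know when someone tries), the same logic can run as a monitor in the spirit of ndpmon. The following Python example is added here for illustration and is not from this page, from ndpmon or from any vendor; it covers both the ICMPv6 filtering section above (an RFC 4890 allow-list of local-link message types) and the RA problem described here (RA only from allow-listed routers, RA source must be link-local, RA rate limit as a crude flood detector). The router allow-list, the sample frames and the rate threshold are constructed assumptions; frames are built with a zero ICMPv6 checksum because the inspector does not validate it, and IPv6 extension headers are not walked.

```python
import ipaddress
import struct
from collections import Counter

# Assumed allow-list of legitimate routers on this LAN: (MAC, link-local address).
# Constructed values for the example; replace with your own routers.
AUTHORIZED_ROUTERS = {("00:00:5e:00:01:01", "fe80::200:5eff:fe00:101")}

# ICMPv6 types RFC 4890 says must not be dropped on the local link: error messages,
# echo, MLD (130-132, 143) and Neighbor Discovery (133-137).
RFC4890_ALLOW = {1, 2, 3, 4, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 143}

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ND_ROUTER_ADVERT = 134


def build_frame(src_mac, src_ip, icmp_type, dst_mac="33:33:00:00:00:01", dst_ip="ff02::1"):
    """Construct an Ethernet/IPv6/ICMPv6 frame as test input. The ICMPv6 checksum is
    left as zero: the inspector does not validate it and these frames are never sent."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETH_P_IPV6) + ip6 + icmp


def parse_frame(frame):
    """Return (src_mac, src_ip, icmp_type), or None if the frame is not plain ICMPv6.
    Extension headers are not walked; a production tool must handle them."""
    if len(frame) < 14 + 40 + 4 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    if frame[20] != IPPROTO_ICMPV6:  # IPv6 Next Header field
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = str(ipaddress.IPv6Address(frame[22:38]))
    return src_mac, src_ip, frame[54]


def inspect(frames, authorized=AUTHORIZED_ROUTERS, ra_flood_threshold=5):
    """Apply the policy to a batch of frames.
    Returns (verdicts, alerts): one (action, reason) per frame, and a list of
    (kind, src_mac, src_ip) alerts for the RA cases worth investigating."""
    allowed = {(m.lower(), str(ipaddress.IPv6Address(a))) for m, a in authorized}
    verdicts, alerts, ra_seen = [], [], Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            verdicts.append(("ignore", "not ICMPv6"))
            continue
        src_mac, src_ip, icmp_type = parsed
        if icmp_type not in RFC4890_ALLOW:
            verdicts.append(("drop", f"ICMPv6 type {icmp_type} not in RFC 4890 local-link list"))
            continue
        if icmp_type == ND_ROUTER_ADVERT:
            if not ipaddress.IPv6Address(src_ip).is_link_local:
                alerts.append(("malformed-ra", src_mac, src_ip))
                verdicts.append(("drop", "RA source is not link-local (RFC 4861 s4.2)"))
                continue
            if (src_mac, src_ip) not in allowed:
                alerts.append(("rogue-ra", src_mac, src_ip))
                verdicts.append(("drop", "RA from a router not on the allow-list"))
                continue
            ra_seen[src_mac] += 1
            if ra_seen[src_mac] > ra_flood_threshold:
                alerts.append(("ra-flood", src_mac, src_ip))
                verdicts.append(("drop", "RA rate from this router exceeds threshold"))
                continue
        verdicts.append(("permit", f"ICMPv6 type {icmp_type}"))
    return verdicts, alerts


# Constructed sample traffic, in the order a sensor might see it.
SAMPLE_FRAMES = [
    build_frame("00:00:5e:00:01:01", "fe80::200:5eff:fe00:101", 134),  # legitimate RA
    build_frame("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455", 134),  # RA from an unknown host
    build_frame("00:11:22:33:44:55", "2001:db8::bad", 134),             # RA with a global source
    build_frame("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455", 135),  # neighbor solicitation
    build_frame("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455", 100),  # unassigned type
]

if __name__ == "__main__":
    verdicts, alerts = inspect(SAMPLE_FRAMES)
    for action, reason in verdicts:
        print(f"{action:7} {reason}")
    for kind, mac, ip in alerts:
        print(f"ALERT {kind}: {mac} {ip}")
```

The rate threshold is deliberately simple (a count per batch rather than per second); a real sensor would keep a sliding window, and an RA flood spoofing the legitimate router's MAC and link-local address is caught only by that rate check, not by the allow-list.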

Several vendors support blocking rogue Router Advertisements:

Cisco

Cisco 3560/3560E, 3750/3750E, 4000, 6000, and Nexus-7000 series switches can be configured to block RAs on specific ports. Sample configuration:

ipv6 access-list BlockRA
 deny icmp any any router-advertisement
 permit ipv6 any any

interface GigabitEthernet1/0/1
 ipv6 traffic-filter BlockRA in

Prior to IOS 12.2(50)SE, this feature required licensing Advanced IP Services. As of IOS 12.2(50)SE, this feature is present in IP Base. Consult the Cisco IOS IPv6 Command Reference for complete syntax on ipv6 traffic-filter and ipv6 access-list.

RA Guard

Newer versions of IOS support RA Guard without IPv6 Port ACLs. See http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html for configuration documentation.

As of IOS 12.2(33)SXI4, Catalyst 6500 switches support RA guard in hardware.

The Catalyst 4948E switch supports RA Guard as of IOS 12.2(54)XO.

HP

The HP Procurve 2920, 3500, 3500yl, E3800, 5400zl, 6200yl, 6600, and 8200zl switches can block Router Advertisements. Firmware K.14.09 or newer is required to configure a static port IPv6 ACL (The E3800 requires KA15.09). See the HP ProCurve IPv6 Configuration Guide for configuration guidelines. Sample configuration using a static port ACL:

ipv6 access-list "ra-guard"
	10 deny icmp any any router-advertisement
	20 permit ipv6 any any
exit

...

interface [PORT or TRUNK] ipv6-access-group ra-guard in

As of K.15, an alternative syntax can be used:

[no] ipv6 ra-guard ports <port-list> [log]

3com

The 3com 4200G, 4500G, 4800G, and 5500G switches can filter router advertisements (using an IPv6 port ACL). The switches require fairly recent firmware to support IPv6 ACLs:

Switch Model    Required Firmware
4200G           3.02.01
4500G           4500G s3q05_02_00s56(s168)
4800G           4800G-CMW520-R2202
5500G           3.03.02

Juniper

On Juniper switches, this ACL should block RAs:

term block-ra {
    from {
        icmp-type router-advertisement;
    }
    then {
        discard;
    }
}

Rogue DHCPv6 server

To prevent rogue DHCPv6 servers, you should block DHCPv6 traffic on unneeded ports. DHCPv6 uses TCP and UDP ports 546 and 547.

Cisco

ipv6 access-list DHCPv6_Filter
 deny udp any eq 547 any eq 546
 permit ipv6 any any
!

IDS / IPS

Snort got much improved IPv6 support in version 2.8.4. Specifically, IPv6 support was added to Frag3 and all application preprocessors (SMTP, FTP/Telnet, DCE/RPC, SSL, DNS, Portscan).

Cisco IPS got IPv6 support in version 6.2 with the E3 engine. More information can be found in this blog post.

Resources

End-to-End Network Security: Defense-in-Depth, Cisco Press, 2008. Chapter 11 discusses IPv6. It's available for free via the University Library's Safari subscription.

IPv6 Security, Cisco Press, 2008. Available online via Safari.