- Overview of threats
- Address Spoofing
- Security Tools
- RA filtering
- Rogue DHCPv6 server
- IDS / IPS
Overview of threats
IPv4, ARP and DHCP are susceptible to many Layer 2 threats. These are well known, and there are tools that effectively mitigate many of these attacks. IPv6 is susceptible to many of the same threats, albeit in a slightly different form. Although IPv6 does not use ARP, it is still susceptible to the same MAC hijacking attacks. Likewise, it is still possible to set up rogue DHCPv6 servers and rogue routers. Unfortunately, Layer 2 security hasn't yet caught up with IPv6: there is no IPv6 equivalent of dynamic ARP inspection or DHCP snooping.
IPv6 does not use ARP; it uses the Neighbor Discovery Protocol (NDP). NDP is a subset of ICMPv6; see RFC 4861 for specifics. RFC 3756: IPv6 Neighbor Discovery (ND) Trust Models and Threats has a thorough discussion of threats against the Neighbor Discovery Protocol (NDP). For a laundry list of potential IPv6 security issues, consult RFC 4942: IPv6 Transition/Coexistence Security Considerations.
For information on Layer 2 IPv6 protection, see RFC 4864: Local Network Protection for IPv6.
There was a comprehensive presentation on IPv6 security at Cisco Networkers 2009.
Disabling Privacy Addresses
Windows XP, Vista, and 7, OS X 10.7, iOS 4, Android 4, and OpenBSD 5.3 enable privacy addresses by default. Privacy addresses are intended to obscure the user's identity. As such, they can make complying with University security policy more difficult, and it is recommended that network administrators disable them when possible.
To disable privacy addresses, run this as an Administrator from a command window:
Alternatively, setting the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\GlobalParams\UseTemporaryAddresses to 0 should disable privacy addresses.
To disable privacy addresses, run this as an Administrator from a command window:
Mac OS X 10.7 ("Lion")
OS X 10.7 enables privacy addresses by default. To disable them permanently, edit /etc/sysctl.conf and set:
If you want to disable privacy addresses without a reboot, you can use sysctl to disable privacy addresses for the current session. Note that privacy addresses will be re-enabled on the next reboot unless you edit sysctl.conf as described above:
Apple's iOS (used on iPads, iPhones, and iPod Touches) enables privacy addresses as of version 4.3. There is no way to disable privacy addresses on these devices, short of disabling autoconfiguration entirely (turn off the A flag in the Router Advertisement).
Android 4.0 enables privacy addresses. There is no way to disable privacy addresses on these devices, short of disabling autoconfiguration entirely (turn off the A flag in the Router Advertisement).
OSes considering enabling Privacy Addresses by default
Ubuntu (see this bug id) is considering enabling privacy addresses by default.
To enable IPv6 unicast RPF on Cisco devices, issue the following commands:
Please note that IPv6 uRPF checking is performed in software on many Cisco devices.
Enforce EUI-64 Addresses
The Cisco ASA/PIX/FWSM can enforce EUI-64 addressing. That is, they can enforce that the MAC address embedded in an EUI-64 host identifier matches the source MAC address of incoming packets. To enable this feature:
See the Cisco Security Appliance Command Line Configuration Guide and FWSM documentation for more information.
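As an added illustration (not Cisco's code or configuration) of what the EUI-64 check verifies: the following Python derives the modified EUI-64 interface identifier from a MAC address (RFC 4291, Appendix A) and compares it with the low 64 bits of an IPv6 address. It also reports whether an address is in EUI-64 form at all, which the privacy addresses discussed above are not, and recovers the embedded MAC when tracing a host.

```python
import ipaddress

def mac_to_eui64_iid(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC:
    split the MAC in half, insert FF:FE, and invert the universal/local bit
    (bit 0x02 of the first octet), as in RFC 4291 Appendix A."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def looks_like_eui64(addr: str) -> bool:
    """True if the interface identifier carries the FF:FE marker in the middle.
    Temporary (privacy) addresses use random identifiers and normally fail this."""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[11:13] == b"\xff\xfe"

def eui64_matches(addr: str, mac: str) -> bool:
    """The check the firewall performs: does the address's interface identifier
    embed exactly this MAC address?"""
    packed = ipaddress.IPv6Address(addr).packed
    return packed[8:] == mac_to_eui64_iid(mac)

def mac_from_eui64(addr: str) -> str:
    """Inverse operation: recover the MAC embedded in an EUI-64 address.
    Raises ValueError for addresses that are not in EUI-64 form."""
    if not looks_like_eui64(addr):
        raise ValueError("address is not in EUI-64 form")
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    iid[0] ^= 0x02  # undo the universal/local bit inversion
    return (iid[:3] + iid[5:]).hex(":")
```

The sample MAC and addresses in the test below are constructed values in the 2001:db8::/32 documentation prefix.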
In some situations, Windows Vista and 7 can create IPv6-over-IPv4 tunnels automatically. To disable these tunneling protocols, run the following:
Windows 2008 R2 can set group policy for Windows 7 to disable these. Set the policy in Computer Configuration -> Policies -> Administrative Templates -> Network -> TCP/IP Settings -> IPv6 Transition Technologies. More information can be found in this article.
Some firewall administrators block all incoming ICMP packets for IPv4. This practice will break IPv6. ICMPv6 performs many more functions than ICMPv4. These include Path MTU discovery, Router Discovery, Neighbor Discovery, Mobile IPv6, multicast management, and address reconfiguration. As such, certain ICMPv6 messages must be allowed to pass through firewalls. RFC 4890 provides guidelines for filtering ICMPv6.
Peter Bieringer, Status of Open Source and commercial IPv6 firewall implementations
ICANN SAC-016: Testing Firewalls for IPv6 and EDNS0 Support - http://www.icann.org/committees/security/sac016.htm (should also include DNS-over-TCP)
ICANN SAC-021: Survey of IPv6 Support Among Commercial Firewalls - http://www.icann.org/committees/security/sac021.pdf
Windows XP / 2003
Windows XP SP2's built-in firewall supports IPv6, as does Windows Server 2003 SP1.
XP's firewall can't set different rules for IPv4 and IPv6. For example, you can't only open a port for IPv4, or only block ICMP echo requests for IPv6.
Windows XP cannot scope rules using IPv6. For example, you can't open a port only to a specific IPv6 subnet:
Windows Vista, 2008 and 7
Windows Vista, 7 and 2008 support IPv6 in their built-in firewalls. They allow IPv6 scopes in exceptions. They allow different rulesets for ICMPv4 and ICMPv6.
ESET Personal Firewall version 3 and higher support IPv6.
F-Secure Client Security 7.1.2 supports IPv6.
Norton Personal Firewall does not support IPv6.
Symantec Endpoint Security
The University licenses Symantec Endpoint Protection (SEP) for employee and student use. SEP includes the Symantec Client Firewall, which does not support IPv6 (although Symantec claims it will support IPv6 in the next version). By default, the Symantec Client Firewall will block all incoming and outgoing IPv6 traffic. When you install Symantec Endpoint Protection suite on Windows Vista, it will disable Vista's built-in firewall (which supports IPv6). Thus, installing Symantec Endpoint Protection Suite on Windows Vista breaks IPv6.
If you want to use Symantec Endpoint Protection Suite and have IPv6 working, you should not install the firewall component of Symantec Endpoint Protection Suite. In this case, you will need to use Windows' built-in firewall for both IPv4 and IPv6. In the SEP installer, select a Custom installation. In the "Custom Setup" screen deselect the "Firewall and Intrusion Prevention" feature. See below:
If you have already installed Symantec Endpoint Protection and wish to disable the Symantec Firewall, you will need to do the following on Windows Vista:
- Open the Control Panel and select "Programs and Features."
- Select Symantec Endpoint Protection and click <Change> at the top of the window. This will launch the Symantec Endpoint Protection installer.
- In the installer, click the Modify radio button and click <Next>.
- Deselect the "Firewall and Intrusion Detection" option and click <Next>. When the installer is done, click <Finish>.
Uninstalling the Symantec Client Firewall should re-enable the Windows Firewall. To verify that the Windows Firewall is running, open the Control Panel and select "Security Center." The Firewall section should be green. Click on the down arrow to check that Windows Firewall is enabled:
Mac OS X
See this page.
Mac OS X Server
OS X Server's GUI admin tool (Server Admin) does not support IPv6. Further, Server Admin will overwrite any IPv6 firewall rules. To use the IPv6 firewall on OS X Server:
Configure Server Admin to leave IPv6 rules alone. Edit /etc/ipfilter/ip_address_groups.plist and change:
Then go to http://blog.atariwiki.strotmann.de/roller/cas/entry/managing_the_macos_x_ipv6 and download and install the ip6fw script package.
RedHat 5.x does not support stateful IPv6 firewalling, as it ships with an older kernel. This feature was introduced in the 2.6.20 kernel.
Ubuntu uses ufw (the Uncomplicated Firewall). To enable IPv6, edit /etc/default/ufw and set:
Ubuntu 7.04 and later support stateful IPv6 firewalling.
Solaris 10 6/06 includes IPv6 support in ipfilter.
Firewall Builder 3.0 supports IPv6.
Cisco ASA, PIX and FWSM running 7.0 support IPv6. IPv6 failover is supported as of version 8.3. The PIX and FWSM do not support IPv6 in bridging mode (only in routed mode). The ASA, as of version 8.2, supports both bridged ("transparent") and routed mode. The ASDM configuration tool supports IPv6 as of version 8.2. The FWSM only supports IPv6 in software.
The IOS firewall got IPv6 support in version 12.3(7)T.
IOS VACLs do not support IPv6 (reference)
Juniper NetScreen supports IPv6 as of 5.4.0, but there are numerous bugs until 6.2.0r1cu4.0.
RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls - http://tools.ietf.org/html/rfc4890
Recommended Simple Security Capabilities in Customer Premises Equipment for Providing Residential IPv6 Internet Service - RFC 6092
NSA Router Security Configuration Guide Supplement - Security for IPv6 - http://www.nsa.gov/ia/_files/routers/I33-002R-06.pdf
NSA Firewall Design Considerations for IPv6 - http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/ipv6/I733-041R-2007.pdf
NIST Special Publication 500-267, "A Profile for IPv6 in the U.S. Government - Version 1.0" - http://www.antd.nist.gov/usgv6/usgv6-v1-draft2.pdf, section 6.12 has requirements for Network Protection Devices.
IPv6 RA guard - http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01
Firewall Product Certification
The Nokia 290, 390 and 590 are IPv6 Ready Phase-2 certified.
Sample Firewall Configurations
CERT has provided sample ip6tables (Linux) and Windows Vista firewall configurations, based on RFC 4890.
Cymru provides templates for IPv6 bogon filtering.
This is an IOS ACL snippet to implement RFC 4890:
thc-ipv6 has a variety of canned attack tools for IPv6.
Nessus got IPv6 support in version 3.2.
nmap has IPv6 support, but with several limitations.
Clients (generally) configure IPv6 addresses and populate their routing tables based on IPv6 Router Advertisements (RAs). (I say generally because machines can be configured to ignore RAs.) These RAs are normally unauthenticated, so it's possible that a malicious agent with access to your LAN could cause clients to reconfigure their addresses and route their traffic through a router outside of your control. It is important to prevent bogus RAs from entering your LAN. Alternatively, if an attacker sends a constant stream of bogus RAs, this can cause a denial of service on some OSes, as the kernel must consume memory and CPU cycles to process the RAs. Cisco IOS and ASA were vulnerable to this attack until January 2011 (see this security announcement for the ASA, and this one for IOS). Microsoft Windows (XP and newer) is vulnerable to this attack as well.
The IETF discusses this issue in RFC 6104: Rogue IPv6 Router Advertisement Problem Statement.
For more information, see the talk "IPv6 Autoconfiguration: Plug & Play Dream or Security Nightmare" (slides here, and video here) by David Farmer at the Winter 2008 Internet2 Joint Techs meeting.
Several vendors support blocking rogue Router Advertisements:
Cisco 3560/3560E, 3750/3750E, 4000, 6000, and Nexus-7000 series switches can be configured to block RAs on specific ports. Sample configuration:
Prior to IOS 12.2(50)SE, this feature required licensing Advanced IP Services. As of IOS 12.2(50)SE, this feature is present in IP Base. Consult the Cisco IOS IPv6 Command Reference for complete syntax on ipv6 traffic-filter and ipv6 access-list.
Newer version of IOS support RA Guard without IPv6 Port ACLs. See http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html for configuration documentation.
As of IOS 12.2(33)SXI4, Catalyst 6500 switches support RA guard in hardware.
The Catalyst 4948E switch supports RA guard as of IOS 12.2(54)XO.
The HP Procurve 2920, 3500, 3500yl, E3800, 5400zl, 6200yl, 6600, and 8200zl switches can block Router Advertisements. Firmware K.14.09 or newer is required to configure a static port IPv6 ACL (The E3800 requires KA15.09). See the HP ProCurve IPv6 Configuration Guide for configuration guidelines. Sample configuration using a static port ACL:
As of K.15, an alternative syntax can be used:
The 3com 4200G, 4500G, 4800G, and 5500G switches can filter router advertisements (using an IPv6 port ACL). The switches require fairly recent firmware to support IPv6 ACLs:
On Juniper switches, this ACL should block RAs:
Rogue DHCPv6 server
To prevent rogue DHCPv6 servers, you should block DHCPv6 traffic on unneeded ports. DHCPv6 uses TCP and UDP ports 546 and 547.
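The two first-hop threats above, rogue Router Advertisements and rogue DHCPv6 servers, can also be watched for on a monitoring port where the switch offers no RA guard or port ACL. The following Python is an added example, not part of the original page or any vendor's tooling: it decodes constructed Ethernet/IPv6 frames, applies the RFC 4861 validity rules for an RA (hop limit 255, link-local source) plus an allow-list of known router MACs, and flags DHCPv6 server-to-client messages (UDP source port 547) from MACs that are not the known DHCPv6 server. The allow-list MACs and sample frames are constructed for this example.

```python
import struct
from ipaddress import IPv6Address

ETH_IPV6, NH_ICMPV6, NH_UDP = 0x86DD, 58, 17
ICMPV6_RA, DHCPV6_SERVER_PORT = 134, 547

# Constructed allow-lists for this example: the MAC addresses of the one
# legitimate router and the one legitimate DHCPv6 server on the LAN.
KNOWN_ROUTERS = {"00:00:5e:00:01:01"}
KNOWN_DHCPV6_SERVERS = {"00:00:5e:00:01:02"}

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet and IPv6 headers; return {} for non-IPv6 frames."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return {}
    ip6 = frame[14:54]
    return {"src_mac": frame[6:12].hex(":"), "nh": ip6[6], "hlim": ip6[7],
            "src_ip": IPv6Address(ip6[8:24]), "l4": frame[54:]}

def classify(frame: bytes) -> str:
    """Return 'ok', 'rogue-ra', 'rogue-dhcpv6' or 'ignore' for one frame."""
    p = parse_frame(frame)
    if not p or not p["l4"]:
        return "ignore"
    if p["nh"] == NH_ICMPV6 and p["l4"][0] == ICMPV6_RA:
        # RFC 4861: a valid RA has hop limit 255 (it was never forwarded) and a
        # link-local source; anything else, or an unknown router, is rogue.
        if (p["src_mac"] not in KNOWN_ROUTERS or p["hlim"] != 255
                or not p["src_ip"].is_link_local):
            return "rogue-ra"
        return "ok"
    if p["nh"] == NH_UDP and len(p["l4"]) >= 8:
        src_port = struct.unpack("!H", p["l4"][:2])[0]
        if src_port == DHCPV6_SERVER_PORT:  # server-to-client DHCPv6 message
            return "ok" if p["src_mac"] in KNOWN_DHCPV6_SERVERS else "rogue-dhcpv6"
    return "ignore"

def build_frame(src_mac: str, src_ip: str, nh: int, hlim: int, l4: bytes) -> bytes:
    """Build a minimal Ethernet/IPv6 frame to ff02::1 (checksums left zero)."""
    eth = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
    ip6 = (struct.pack("!IHBB", 0x60000000, len(l4), nh, hlim)
           + IPv6Address(src_ip).packed + IPv6Address("ff02::1").packed)
    return eth + struct.pack("!H", ETH_IPV6) + ip6 + l4

# Constructed sample payloads: an RA (type 134, router lifetime 1800 s) and a
# DHCPv6 ADVERTISE (msg-type 2) sent from server port 547 to client port 546.
RA_L4 = struct.pack("!BBHBBH", ICMPV6_RA, 0, 0, 64, 0, 1800) + bytes(8)
DHCP_L4 = struct.pack("!HHHH", 547, 546, 12, 0) + bytes([2, 0, 0, 1])
```

In practice the frames would come from a raw socket or pcap on a mirror port; the allow-list must be maintained as routers are replaced, or every legitimate RA after a hardware swap is reported as rogue.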
IDS / IPS
Snort got much improved IPv6 support in version 2.8.4. Specifically, IPv6 support was added to Frag3 and all application preprocessors (SMTP, FTP/Telnet, DCE/RPC, SSL, DNS, Portscan).
End-to-End Network Security: Defense-in-Depth, Cisco Press, 2008. Chapter 11 discusses IPv6. It's available for free via the University Library's Safari subscription.
IPv6 Security, Cisco Press, 2008. Available online via Safari.