2. Agenda
◦ Introduction
◦ IPv6 background
  ◦ How we got here
  ◦ Advantages of IPv6
◦ IPvX interesting facts
◦ IPv6 and the Federal Government
◦ How do IPv6 threats differ from IPv4 threats?
◦ Specific IPv6 threats
◦ Are you ready to defend IPv6 threats?
◦ IPv6 threat detection and mitigation
◦ Q&A
3. Introduction
◦ About me
  ◦ KimberSystems, LLC
  ◦ Supported multiple USG entities: USDA, GSA, DOC, FBI, DOD
  ◦ Background in security, networking, and data centers
  ◦ Focused on cybersecurity, cloud, and threat intelligence
4. IPv6 Background
◦ How we got here
  ◦ IPv4 is a REALLY old protocol (1980)
  ◦ We are running out of usable IPv4 addresses
◦ Advantages of IPv6
  ◦ Extremely large address space
  ◦ Autoconfiguration / network management
  ◦ Jumbograms
  ◦ No fragmentation
  ◦ Unique addressing
  ◦ Security: IPSec built-in
5. Just How Big is IPv6?
◦ IPv4 has 32 bits, allowing approximately 4.3 billion addresses. Not even enough to give a unique address to each human being on Earth.
◦ IPv6 has 128 bits, allowing 340,282,366,920,938,000,000,000,000,000,000,000,000 (340 undecillion) unique addresses.
◦ 79,228,162,514,264,229,685,068,130,493 IPv4 Internets can fit into the IPv6 address space.
◦ IPv6 could provide each and every square micrometer of the earth’s surface with 5,000 unique addresses. What’s a micrometer? About one tenth the diameter of a droplet of fog!
7. IPvX Interesting Facts
◦ IPv4 depleted in early 2011
◦ IPv6 is still less than 1% of all Internet traffic
◦ Windows 7, Windows 8, OS X, and Linux can all suffer from IPv6 attacks that are invisible to IPv4
◦ Standard subnet size for IPv6 is a /64 (18,446,744,073,709,551,616 addresses)
◦ 6in4 traffic is identified as IP protocol 41
8. IPv6 and the Federal Government
◦ Required backbone move to IPv6 by 2008 (OMB memo 05-22)
◦ Required move as per OMB memo from the Federal CIO dated September 2010
  ◦ Upgrade public/external facing servers and services (e.g. web, email, DNS, ISP services, etc.) to operationally use native IPv6 by the end of FY 2012
  ◦ Upgrade internal client applications that communicate with public Internet servers and supporting enterprise networks to operationally use native IPv6 by the end of FY 2014
◦ 29% complete (September 2013)
◦ Why aren’t we moving faster?
◦ Challenges
9. IPv6 and the Federal Government
[Chart: Completed USG IPv6 Enabled Domains; 1,318 domains tested on 4 September 2013]
10. IPv6 CND Challenges
◦ It won’t solve or mitigate current cyber threats (e.g. SQLi, buffer overflows, XSS, spear phishing, etc.)
◦ Shadow networks / latent threat
◦ NDP spoofing
◦ SLAAC attacks
◦ Privacy (no NAT)
  ◦ If using privacy IPv6 addresses, it may create challenges in attribution, incident response, forensic analysis, firewall policies, etc.
11. IPv6 CND Challenges
◦ New approaches to management, troubleshooting, administration, etc.
◦ Vulnerability scanning
◦ Deep packet inspection
◦ Don’t know you’re running it
◦ Threat detection models aren’t current/configured for IPv6 threats
◦ Analysts may not understand the protocol
12. IPv6 Threats
◦ They are real, and bad guys are leveraging IPv6
◦ Under the radar
  ◦ Tunneling (e.g. Teredo)
  ◦ Multiple addresses for a single host
  ◦ Detection infrastructure not ready to support it
  ◦ Rest of the threat community isn’t focused on it
  ◦ You think it doesn’t matter
13. IPv6 Threat Ready? NOPE!
◦ Tools aren’t ready
◦ Analysts aren’t ready
◦ Threat intelligence still focused on IPv4
  ◦ Blackholes
  ◦ IP reputation services
BYOD over IPv6 – the perfect storm!
15. NDP Spoofing
NDP (Neighbor Discovery Protocol) is the new ARP (in this example)
◦ An attacker can spoof an address by snooping a Neighbor Solicitation
◦ Attacker then conducts the attack via a Neighbor Advertisement
◦ Similar to ARP poisoning: the attacker advertises their own L2 address
23. SLAAC Attack
Rogue Router Advertisements (RA): the attacker’s host announces itself as able to route IPv6 traffic
◦ A host that is configured to use IPv6 (most current operating systems) will begin to route traffic to the RA host; no verification/authorization
◦ SuddenSix attack (SLAAC attack): https://github.com/Neohapsis/suddensix
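To show what the two attacks on slides 15 and 23 look like from the defender’s side, here is an added Python example (it is not from the deck or its author). It consumes a feed of Neighbor Discovery events and raises an alert when a Neighbor Advertisement rebinds an address that is already known to a different link-layer (MAC) address, or when a Router Advertisement arrives from a MAC that is not on an operator-maintained allowlist of legitimate routers. The event structure, the allowlist and the sample events are all constructed for this example and are assumptions, not a format the deck describes.

```python
"""Monitor NDP traffic for neighbor rebinding and unauthorized Router Advertisements.

Two conditions are flagged:
  * a Neighbor Advertisement (NA) whose target address is already bound to a
    different MAC            -> possible NDP spoofing (the "new ARP poisoning")
  * a Router Advertisement (RA) from a MAC outside the router allowlist
                             -> possible rogue RA / SLAAC attack
The event record, the allowlist and the sample feed are constructed for this
example; a real deployment would build events from a packet capture.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import Dict, List, Optional, Set


@dataclass
class NdpEvent:
    kind: str                      # "NS", "NA" or "RA"
    src_mac: str                   # Ethernet source of the frame
    target: Optional[str] = None   # target IPv6 address (NS/NA)
    lladdr: Optional[str] = None   # target link-layer address option (NA)
    prefix: Optional[str] = None   # advertised on-link prefix (RA)


@dataclass
class NdpMonitor:
    authorized_routers: Set[str]                       # MACs allowed to send RAs
    bindings: Dict[IPv6Address, str] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def process(self, ev: NdpEvent) -> Optional[str]:
        """Update state with one event; return an alert string if one fires."""
        mac = ev.src_mac.lower()
        if ev.kind == "RA":
            if mac not in self.authorized_routers:
                alert = f"rogue RA from {mac} advertising {ev.prefix}"
                self.alerts.append(alert)
                return alert
            return None
        if ev.kind == "NA" and ev.target and ev.lladdr:
            target = IPv6Address(ev.target)
            lladdr = ev.lladdr.lower()
            known = self.bindings.get(target)
            if known is None:
                # First sighting: learn the binding (trusted on first use).
                self.bindings[target] = lladdr
                return None
            if known != lladdr:
                alert = (f"NDP spoof suspected: {target} moved from {known} "
                         f"to {lladdr} (advertised by {mac})")
                self.alerts.append(alert)
                return alert
        return None


# Constructed sample feed (not a real capture): a legitimate router RA, a
# solicitation for ::10, the real owner's NA, then a second NA for the same
# address from a different MAC, followed by an RA from that same MAC.
SAMPLE_EVENTS = [
    NdpEvent("RA", "00:11:22:33:44:01", prefix="2001:db8:1::/64"),
    NdpEvent("NS", "00:11:22:33:44:aa", target="2001:db8:1::10"),
    NdpEvent("NA", "00:11:22:33:44:10", target="2001:db8:1::10", lladdr="00:11:22:33:44:10"),
    NdpEvent("NA", "00:11:22:33:44:ee", target="2001:db8:1::10", lladdr="00:11:22:33:44:ee"),
    NdpEvent("RA", "00:11:22:33:44:ee", prefix="2001:db8:bad::/64"),
]

AUTHORIZED_ROUTERS = frozenset({"00:11:22:33:44:01"})   # assumed allowlist


def run_monitor(events=SAMPLE_EVENTS, authorized=AUTHORIZED_ROUTERS) -> List[str]:
    """Feed every event through a fresh monitor and return the alerts raised."""
    mon = NdpMonitor(set(authorized))
    for ev in events:
        mon.process(ev)
    return mon.alerts


if __name__ == "__main__":
    for line in run_monitor():
        print(line)
```

The monitor trusts the first binding it sees, so in practice you would seed `bindings` from an authoritative source (DHCPv6 leases, switch MAC tables) and expect a legitimate NIC replacement to trip the same alert. Detection here complements, rather than replaces, switch-side RA Guard, which blocks unauthorized Router Advertisements at the access port.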
27. Teredo Tunneling
◦ Like most things, it wasn’t designed to be bad
◦ Can be used for legitimate purposes
◦ Built into Microsoft products
◦ IPv6 tunneling across NAT boundaries
◦ Doesn’t require the firewall to support IPv6 or 6to4
◦ IPv4 over UDP
29. IPv6 Threat Detection
Similar to IPv4
◦ Smart analysts
◦ Know your traffic
◦ Know what you’re looking for
  ◦ Protocol 41
  ◦ Tunneling?
◦ Upgrade/update your detection mechanisms
◦ Don’t trust v4 rules to detect v6 traffic, regardless of what your vendors say
◦ Talk to your vendors
30. Things to Consider
◦ Do you know how many, or which, of your hosts are using IPv6?
◦ How many of your blackhole and block lists have IPv6 entries?
◦ Do all of your logging devices and infrastructure log IPv6 correctly (frequently truncated)?
◦ Hosts with multiple IPv6 addresses can send spam/badness from many addresses
◦ 2002::/16 is the 6to4 tunnel prefix
◦ Don’t block ICMP; it is needed for MTU discovery
◦ You have to wrap addresses in brackets because of the “:”, e.g. scp file.txt [2001::1]:
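Slides 27, 29 and 30 together say: know your traffic, look for protocol 41 and tunneling, and recognise the 6to4 prefix. The following added Python example (not from the deck or its author) puts that into a small triage routine: it tags constructed flow records that carry protocol 41 (6in4/6to4) or UDP port 3544 (Teredo), and decodes the IPv4 endpoints embedded in 6to4 (RFC 3056) and Teredo (RFC 4380) addresses so an analyst can see which IPv4 host and port stand behind a tunneled IPv6 address. The flow-record fields and the sample records are assumptions constructed for this example; the Teredo sample address is the one used in RFC 4380’s own illustration.

```python
"""Triage flow records for IPv6 transition traffic and decode embedded IPv4 endpoints.

Address layouts follow RFC 3056 (6to4: 2002:<IPv4>::/48) and RFC 4380 (Teredo:
2001:0::/32, then server IPv4, flags, and the client port and IPv4 each XORed
with all-ones). The flow-record shape and SAMPLE_FLOWS are constructed for this
example and are not the deck's data.
"""
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict, List, Optional, Union

TEREDO_NET = IPv6Network("2001::/32")
SIXTO4_NET = IPv6Network("2002::/16")     # 6to4 tunnel prefix from slide 30
TEREDO_UDP_PORT = 3544                    # Teredo server port (RFC 4380)
PROTO_6IN4 = 41                           # IP protocol number for 6in4/6to4 (slide 7)
PROTO_UDP = 17

AddrLike = Union[str, IPv6Address]


def decode_6to4(addr: AddrLike) -> Optional[str]:
    """Return the IPv4 address embedded in a 6to4 address, else None."""
    a = IPv6Address(addr)
    if a not in SIXTO4_NET:
        return None
    return str(IPv4Address(a.packed[2:6]))   # bits 16..47 carry the IPv4 address


def decode_teredo(addr: AddrLike) -> Optional[Dict[str, object]]:
    """Return Teredo server, flags and de-obfuscated client port/IPv4, else None."""
    a = IPv6Address(addr)
    if a not in TEREDO_NET:
        return None
    b = a.packed
    return {
        "server": str(IPv4Address(b[4:8])),                          # bits 32..63
        "flags": int.from_bytes(b[8:10], "big"),                     # bits 64..79
        "client_port": int.from_bytes(b[10:12], "big") ^ 0xFFFF,     # obfuscated port
        "client": str(IPv4Address(int.from_bytes(b[12:16], "big") ^ 0xFFFFFFFF)),
    }


def classify_flow(rec: Dict[str, object]) -> List[str]:
    """Tag one flow record with the transition mechanisms it may carry."""
    tags: List[str] = []
    if rec.get("proto") == PROTO_6IN4:
        tags.append("6in4/6to4 encapsulation (protocol 41)")
    if rec.get("proto") == PROTO_UDP and TEREDO_UDP_PORT in (rec.get("sport"), rec.get("dport")):
        tags.append("possible Teredo (UDP 3544)")
    for key in ("src", "dst"):
        val = rec.get(key)
        if not val or ":" not in str(val):       # skip IPv4 endpoints
            continue
        if (v4 := decode_6to4(str(val))) is not None:
            tags.append(f"{key} is 6to4 for {v4}")
        if (t := decode_teredo(str(val))) is not None:
            tags.append(f"{key} is Teredo client {t['client']}:{t['client_port']} via {t['server']}")
    return tags


# Constructed sample flows (documentation ranges and the RFC 4380 example address).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": PROTO_6IN4},
    {"src": "192.0.2.45", "dst": "65.54.227.120", "proto": PROTO_UDP, "sport": 40000, "dport": 3544},
    {"src": "2001:0:4136:e378:8000:63bf:3fff:fdd2", "dst": "2001:db8::1", "proto": 6, "sport": 51000, "dport": 443},
    {"src": "2002:c000:204::1", "dst": "2001:db8::1", "proto": 6, "sport": 52000, "dport": 80},
    {"src": "2001:db8::5", "dst": "2001:db8::1", "proto": 6, "sport": 53000, "dport": 22},
]


def triage(flows=SAMPLE_FLOWS) -> Dict[int, List[str]]:
    """Map flow index -> tags for every flow that shows transition traffic."""
    return {i: tags for i, rec in enumerate(flows) if (tags := classify_flow(rec))}


if __name__ == "__main__":
    for idx, tags in triage().items():
        print(idx, "; ".join(tags))
```

Protocol 41 and UDP 3544 are only indicators: a Teredo client may use any source port and a relay may sit on a non-default port, so the address decoders are the more reliable signal once you have native IPv6 endpoints in your logs. The decoded client IPv4 is also what lets you tie a Teredo source back to the IPv4 reputation data slide 13 says is still the only thing most feeds carry.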
31. Q&A
For more information:
John F. McClure
◦ john@kimbersystems.com
◦ (202) 630-0726
◦ @johnmcclure00
◦ linkedin.com/in/johnmcclure
KimberSystems, LLC
◦ kimbersystems.com
◦ @KimberSystems
◦ linkedin.com/company/kimbersystems-llc
◦ facebook.com/KimberSystems