John,

Yes, you should be concerned because as soon as you have a single host (desktop, laptop, tablet, ...) whose Operating System has IPv6 enabled by default (which means all of them except Black Berry & XP), then, a LOCAL attack can be mounted using IPv6 link-local addresses (which are always present).

The rogue RA attack will work in an IPv4-only network by enabling IPv6 on all devices and attracting all IPv6 destinations (Gmail, WIkipedia, ...) through the rogue router. A Man-in-the-middle attack can then be mounted with  the help of tunnels.

The only kind of attack against which your IPv4-only network is protected are the remote IPv6 attacks.

Please note that this is not a sign that IPv6 is bad or insecure, it is simply a sign that security policies must be augmented even in IPv4-only network. For example, you need to augment your vulnerability scanning by adding IPv6 scanning NOW.

I hope it helps

-éric

Hi,

I was hoping for your thoughts on selecting an IPv6 prefix for a large organisation with Internet connectivity so as not to compromise security. I have seen various posts and articles on the topic. Is the current recommendation to deploy global on every network device, including deep within your core network behind your Internet facing firewall?

Thanks

Sean

Sean

May I suggest to post your question in a generic IPv6 thread? This one is dedicated to security :-)

But, in short, "it depends"... Most deployments start with the Internet facing edge (web / email /VPN servers which is the most critical issue) then moving to the inside network/intranet starting indeed with the core, then distribution then access (it is safer to do this in this order usually and you gain experience without disrupting anything)

-éric

I don't think I framed my question properly. This was in relation to a greenfield IPv6 site. Many of my IPv4 colleagues think that deploying global IPv6 to every device is a security risk. Their argument is that in theory hackers could route to these addresses from the internet.

They are used to deploying RFC 1918 IPv4 addresses on enterprise networks. They therefore think that the equivalent IPv6 solution is to use ULA addresses and then NAT these to a global address in order to reach the Internet.

I'll do some further research.

Edited by S. Evershed

Yet another classical question :-)

First, please note that NAT (while being often colocated with a firewall) offers nearly no security (after all most of the botnet members are being a home router doing NAT -- CodeRed, Nimda have been replaced by more sophisticated attacks). NAT makes security even harder: writing ACL is more complex and audit-trail is either impossible or way too long.

Second, as you know, RFC 1918 address and ULA does not prevent 'by magic' any communication with the outside. There are a lot of packets on the Internet whose source address is RFC 1918 or ULA... My point is that even with those addresses, a security policy MUST be enforced at the perimeter of your network.

So, NAT makes thing more complex hence less secure. But, of course, esp for enterprise network, please use a network firewall (plus IPS, ...) to block some traffic based on layer-3 or layer-4 information such as addresses.

A promise of IPv6 is to make network cleaner and easier (hence safer) to operate thanks to the absence of NAT. So, think twice before using NAT for IPv6.

If you really want to make your life miserable, then you can use NAT for IPv6 on ASA (even overloading, i.e. all your zillions of internal IPv6 addresses mapped to a single 'public' IPv6 address). Again, not recommended.

To be honest, this is a frequent question. It will take some time for your security dept to swallow it and to digest the above answer 

Many of my IPv4 colleagues think that NAT provides security through network  obfuscation. However it was never designed for that purpose and as you say it's doesn't really work that way.

Thanks for the feedback Eric.

Bear in mind that there isn't really any NAT66, so while you can hide ULA's behind an application proxy just as in v4, you can't expect to reliably translate from a ULA to a global v6 address, not in a multivendor environment, unlike v4.  Plus a lot of even fairly recent operating systems make silly address choices if they see both ULA and global addresses.  So your ULA-only hosts with only internal communications are OK, but the rest of your v6 network breaks, unless you spend a lot of time tuning your address prefix policy tables.

Really, tell folks to just use global unicast addresses and learn to like it.

-- Jim Leinweber, WI State Lab of Hygiene

Carlos,

Please note that blocking IPv6 traffic is not really the right thing to do. You will spend a lot of energy to implement it (see below) and some applications may fail (by default Windows and others try to use IPv6 link-local communication). Moreover, in a couple of years, you will force to reverse the setting by embracing IPv6.

In short, blocking IPv6 is not a short-term fix, it is more a waste of time ;-) Rather deploy IPv6 or at least configure your network to block IPv6 attacks (RA guard for instance in your switches).

There are basically two ways to prevent any IPv6 traffic in your network:

1. configure all hosts to disable the IPv6 protocol stack (or only tunnels);
2. try to block all layer-2 frames which are IPv6, on Ethernet and WiFi networks, this requires a MAC ACL denying 0x86DD frames. This is not easy to do on most switches as IPv6 is routed normally and you cannot drop those packets (then apply an IPv6 ACL with deny any any). This approach will not block the automatic tunnels (so block also IPv4 protocol 41 and UDP/3544).

You may also want to use IDS/IPS to detect any non-compliant host/switch configuration because this will be a long 'mouse and cat' game.

Good luck :-)

[Retyping the whole reply after this $*%! system failed to accept my reply ]

Hi Jim

Nice to read from you again and thanks for participating in the webcast! 

Cisco has implemented 'undetermined-transport' years before RFC 7112 in order to block those too-long-extension-header packets. Of course, as it is a data-plane feature, it is heavily depending on the existing HW hence not available on every switches... The missing platforms keep me awake at night sometimes... A real threat.

Regarding the regression tests, I am unsure and cannot reply to you. I know for sure that Cisco Product Security Incident Response Team is aware and usually they are pretty efficient to fix bug and to prevent them to occur in other places/time.

Point taken for white papers as well

Thanks again for your interest and looking forward to meeting you at Cisco Live in a couple of weeks

Cheers

-éric

Jim,

I have not done the tests you mention in my lab (there are not so many users using IPsec VPN between IOS & ASA :-) ), so, I can only partially reply to your question.

Indeed, IOS VTI (native IPsec without GRE) does not support one protocol family inside the other one. Using Flex VPN or DMVPN allow you to do this mix but not supported by the ASA.

Regarding IETF RFC, my reading is that a single IKE/ISAKMP session can negotiate two pairs of IPsec SA: one for IPv4 and one for IPv6. Very similar to a single tunnel.

Of course, for site to site, DMVPN & FlexVPN allow for a single GRE tunnel which can be used to transport both IPv4 and IPv6. This is what Cisco employees have at home ;-) and it works fine.

Sorry for this partial reply

-éric