© 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Secure Neighbor Discovery (SEND): RFC 3756
• SEND components
• Certification paths — anchored on trusted parties, expected to certify the authority of the routers
• Cryptographically Generated Addresses (CGA) — IPv6 addresses where the interface identifier is generated by computing a cryptographic one-way hash function from a public key and auxiliary parameters
• RSA signature option — used to protect all messages relating to neighbor and router discovery
• Timestamp and nonce ND options — used to prevent replay attacks

IPv4 Broadcast Amplification: Smurf
[Figure: an ICMP echo request with spoofed source S=172.18.1.2 is sent to the directed broadcast address D=160.154.5.255 of network 160.154.5.0; each host on that subnet (160.154.5.14 through 160.154.5.19 are shown) answers with an ICMP echo reply to D=172.18.1.2, an attempt to overwhelm the WAN link to the destination.]

IPv6 and Broadcasts
• There are no broadcast addresses in IPv6
• Broadcast address functionality is replaced with the appropriate link-local multicast address
    Link-Local All Nodes Multicast — FF02::1
    Link-Local All Routers Multicast — FF02::2

IPv6 and Other Amplification Vectors
• Specific mention is made in the ICMPv6 RFC that no ICMP error message should be generated in response to a packet with a multicast destination address
• The exceptions are the Packet Too Big message and the Parameter Problem ICMP messages
• RFC 2463 Section 2.4 (e.2)
    Implement ingress filtering of packets with IPv6 multicast source addresses
    Packets with IPv4 multicast destination address and the above ICMP packet types

IPv4 Routing Attacks
• The primary purpose of IPv4 routing attacks is to disrupt/corrupt router peering or routing information
• An attacker must be able to:
    Source packets which are delivered to the router under attack
    Attach to the network and act as a part of the routing domain

IPv6 Routing Attacks
• The exact same purpose, requirements and protection are applicable in IPv6 routing
• BGP, IS-IS, EIGRP: no change, an MD5 authentication of the routing update
• OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport-mode IPsec
• RIPng also relies on IPsec
• IPv6 routing attack best practices
    Use traditional authentication mechanisms on BGP and IS-IS
    Use IPsec to secure protocols such as OSPFv3 and RIPng

Viruses and Worms in IPv6
• Pure viruses don't change in IPv6 but hybrid and pure worms do
    Hybrids and pure worms today rely on Internet scanning to infect other hosts; this isn't feasible, as shown earlier in this presentation
    At one million packets per second on an IPv6 subnet with 10,000 hosts it would take over 28 years to find the first host to infect
• Worm developers will adapt to IPv6, but pure random-scanning worms will be much more problematic for the attacker; best practices around worm detection and mitigation from IPv4 remain

IPv6 Attacks with Strong IPv4 Similarities
• Sniffing: without IPsec, IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
• Application layer attacks: even with IPsec, the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent
• Rogue devices: rogue devices will be as easy to insert into an IPv6 network as in IPv4
• Man-in-the-Middle Attacks (MITM): without IPsec, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
• Flooding: flooding attacks are identical between IPv4 and IPv6

IPv6 SECURITY BEST PRACTICES (SEC-2003, 11232_05_2005_c1)

Candidate Best Practices
• Implement privacy extensions carefully
• Filter internal-use IPv6 addresses at the enterprise border routers
• Filter unneeded services at the firewall
• Selectively filter ICMP: determine which ICMPv6 messages are required
• Determine what extension headers will be allowed through the access control device
• Ensure adequate IPv6 fragmentation filtering capabilities
• Deny IPv6 fragments destined to an internetworking device when possible
• Drop all fragments with less than 1280 octets (except the last one)

Candidate Best Practices (Cont.)
• Use cryptographic protections where critical
• Use static neighbor entries for critical systems
• Use traditional authentication mechanisms on BGP and IS-IS
• Use IPsec to secure protocols such as OSPFv3 and RIPng
• Use IPv6 hop limits to protect network devices
• Use static tunneling rather than dynamic tunneling

ENFORCING A SECURITY POLICY

IOS IPv6 Access Control Lists
When used for traffic filtering, IPv6 standard access control lists (ACLs) offer the following functions:
• Can filter traffic based on source and destination address
• Ca
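The CGA construction named on the SEND slide (interface identifier derived by hashing a public key plus auxiliary parameters), as an added example that is not part of the original presentation: RFC 3972 address generation, including the Hash2 search that makes higher Sec values expensive, and the verification a SEND receiver performs from the CGA parameters it is sent. The prefix and public-key bytes are constructed placeholders, not a real key.

```python
import hashlib

def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    # RFC 3972 Hash1: SHA-1 over modifier || subnet prefix || collision count || public key
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()

def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # RFC 3972 Hash2: SHA-1 over modifier || 9 zero octets || public key; its leftmost
    # 16*Sec bits must be zero, which is what makes generation cost grow with Sec
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()

def _leading_zero_bits(data: bytes) -> int:
    return len(data) * 8 - int.from_bytes(data, "big").bit_length()

def generate_cga(prefix: bytes, pubkey: bytes, sec: int, collision_count: int = 0, start_modifier: int = 0):
    """Return (address, modifier) for a CGA under `prefix` bound to `pubkey` (RFC 3972, section 4)."""
    assert len(prefix) == 8 and 0 <= sec <= 7 and 0 <= collision_count <= 2
    modifier = start_modifier
    while True:  # steps 2-3: search for a modifier that satisfies the Hash2 condition
        mod = modifier.to_bytes(16, "big")
        if sec == 0 or _leading_zero_bits(_hash2(mod, pubkey)) >= 16 * sec:
            break
        modifier += 1
    iid = bytearray(_hash1(mod, prefix, collision_count, pubkey)[:8])  # steps 4-5: leftmost 64 bits
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # step 6: clear u/g bits (bits 6-7), write Sec into bits 0-2
    return prefix + bytes(iid), mod

def verify_cga(address: bytes, modifier: bytes, collision_count: int, pubkey: bytes) -> bool:
    """RFC 3972 section 5: check that the address really derives from these CGA parameters.
    The subnet prefix in the parameters must equal the address prefix, so it is taken from the address."""
    if len(address) != 16 or len(modifier) != 16 or collision_count > 2:
        return False
    prefix, iid = address[:8], address[8:]
    sec = iid[0] >> 5
    h1 = _hash1(modifier, prefix, collision_count, pubkey)[:8]
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:  # compare ignoring Sec and u/g bits
        return False
    return sec == 0 or _leading_zero_bits(_hash2(modifier, pubkey)) >= 16 * sec

# Constructed demo values: a documentation prefix and placeholder key bytes (not a real DER key)
DEMO_PREFIX = bytes.fromhex("20010db800000001")
DEMO_PUBKEY = b"CONSTRUCTED-PLACEHOLDER-PUBLIC-KEY"

if __name__ == "__main__":
    import ipaddress
    addr, mod = generate_cga(DEMO_PREFIX, DEMO_PUBKEY, sec=1)
    print(ipaddress.IPv6Address(addr), "verifies:", verify_cga(addr, mod, 0, DEMO_PUBKEY))
```

A node that changes the key, the prefix or the collision count in the advertised parameters fails verification, which is what stops an attacker from claiming someone else's CGA without the matching private key.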
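The ingress-filtering callout on the amplification slide (drop packets with an IPv6 multicast source) and the fragment items on the Candidate Best Practices slide (deny fragments destined to the internetworking device, drop non-final fragments shorter than 1280 octets) applied to raw IPv6 packets, as an added example that is not part of the original presentation; the packet builder, addresses and device address set are constructed test inputs, not captured traffic.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_FRAGMENT = 44       # Next Header value of the Fragment extension header
NH_NO_NEXT = 59
MIN_MTU = 1280         # IPv6 minimum link MTU; every fragment except the last should fill it

def parse_ipv6(packet: bytes) -> dict:
    """Parse the fixed IPv6 header and, when it comes first, the Fragment extension header."""
    if len(packet) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", packet[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"src": ipaddress.IPv6Address(packet[8:24]), "dst": ipaddress.IPv6Address(packet[24:40]),
            "next_header": nh, "hop_limit": hlim, "length": IPV6_HDR_LEN + plen, "fragment": None}
    if nh == NH_FRAGMENT and len(packet) >= IPV6_HDR_LEN + 8:
        fnh, _rsv, off_flags, ident = struct.unpack("!BBHI", packet[40:48])
        info["fragment"] = {"next_header": fnh, "offset": off_flags >> 3,
                            "more": bool(off_flags & 1), "id": ident}
    return info

def filter_packet(packet: bytes, device_addrs) -> str:
    """Return 'permit' or a drop reason; device_addrs are the filtering device's own addresses."""
    devs = {ipaddress.IPv6Address(a) for a in device_addrs}
    p = parse_ipv6(packet)
    if p["src"].is_multicast:                        # ingress filtering: a multicast source is never legitimate
        return "drop: multicast source address"
    frag = p["fragment"]
    if frag is not None:
        if p["dst"] in devs:                         # fragments aimed at the router/firewall itself
            return "drop: fragment destined to internetworking device"
        if frag["more"] and p["length"] < MIN_MTU:   # non-final fragment smaller than the minimum MTU
            return "drop: non-final fragment shorter than 1280 octets"
    return "permit"

def build_packet(src: str, dst: str, payload: bytes, frag=None) -> bytes:
    """Construct a test packet (hypothetical traffic); frag = (offset, more_flag, identification)."""
    nh = NH_NO_NEXT
    if frag is not None:
        offset, more, ident = frag
        payload = struct.pack("!BBHI", NH_NO_NEXT, 0, (offset << 3) | int(more), ident) + payload
        nh = NH_FRAGMENT
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload
```

A real access control device also has to handle extension headers that precede the Fragment header and fragments whose upper-layer header is not in the first fragment; those cases are left out here.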