IPv6 Security

IPv6 Security   Protection measures for the next Internet Protocol   As the world’s networks migrate to the IPv6 protocol, networking professionals need a clearer understanding of the security risks, threats, and challenges this transition presents. In IPv6 Security, two of the world’s leading Internet security practitioners review each potential security issue introduced by IPv6 networking and present today’s best solutions.   IPv6 Security offers guidance for avoiding security problems prior to widespread IPv6 deployment. The book covers every component of today’s networks, identifying specific security deficiencies that occur within IPv6 environments and demonstrating how to combat them.   The authors describe best practices for identifying and resolving weaknesses as you maintain a dual stack network. Then they describe the security mechanisms you need to implement as you migrate to an IPv6-only network. The authors survey the techniques hackers might use to try to breach your network, such as IPv6 network reconnaissance, address spoofing, traffic interception, denial of service, and tunnel injection.   The authors also turn to Cisco® products and protection mechanisms. You learn how to use Cisco IOS® and ASA firewalls and ACLs to selectively filter IPv6 traffic. You also learn about securing hosts with Cisco Security Agent 6.0 and about securing a network with IOS routers and switches. Multiple examples are explained for Windows, Linux, FreeBSD, and Solaris hosts. The authors offer detailed examples that are consistent with today’s best practices and easy to adapt to virtually any IPv6 environment.   Scott Hogg, CCIE® No. 5133, is Director of Advanced Technology Services at Global Technology Resources, Inc. (GTRI). He is responsible for setting the company’s technical direction and helping it create service offerings for emerging technologies such as IPv6. He is the Chair of the Rocky Mountain IPv6 Task Force.   Eric Vyncke, Cisco Distinguished System Engineer, consults on security issues throughout Europe. He has 20 years’ experience in security and teaches security seminars as a guest professor at universities throughout Belgium. He also participates in the Internet Engineering Task Force (IETF) and has helped several organizations deploy IPv6 securely.   Understand why IPv6 is already a latent threat in your IPv4-only network Plan ahead to avoid IPv6 security problems before widespread deployment Identify known areas of weakness in IPv6 security and the current state of attack tools and hacker skills Understand each high-level approach to securing IPv6 and learn when to use each Protect service provider networks, perimeters, LANs, and host/server connections Harden IPv6 network devices against attack Utilize IPsec in IPv6 environments Secure mobile IPv6 networks Secure transition mechanisms in use during the migration from IPv4 to IPv6 Monitor IPv6 security Understand the security implications of the IPv6 protocol, including issues related to ICMPv6 and the IPv6 header structure Protect your network against large-scale threats by using perimeter filtering techniques and service provider—focused security practices Understand the vulnerabilities that exist on IPv6 access networks and learn solutions for mitigating each     This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.   Category: Networking: Security Covers: IPv6 Security

Table of Contents:
In>Chapter 1 Introduction to IPv6 Security Reintroduction to IPv6 3 IPv6 Update 6 IPv6 Vulnerabilities 7 Hacker Experience 8 IPv6 Security Mitigation Techniques 9 Summary Recommended Readings and Resources Chapter 2 IPv6 Protocol Security Vulnerabilities The IPv6 Protocol Header     ICMPv6         ICMPv6 Functions and Message Types         ICMPv6 Attacks and Mitigation Techniques     Multicast Security Extension Header Threats     Extension Header Overview     Extension Header Vulnerabilities     Hop-by-Hop Options Header and Destination Options Header         IPv6 Extension Header Fuzzing         Router Alert Attack     Routing Headers         RH0 Attack         Preventing RH0 Attacks         Additional Router Header Attack Mitigation Techniques     Fragmentation Header         Overview of Packet Fragmentation Issues         Fragmentation Attacks         Preventing Fragmentation Attacks         Virtual Fragment Reassembly     Unknown Option Headers     Upper-Layer Headers Reconnaissance on IPv6 Networks     Scanning and Assessing the Target         Registry Checking         Automated Reconnaissance     Speeding Up the Scanning Process         Leveraging Multicast for Reconnaissance         Automated Reconnaissance Tools         Sniffing to Find Nodes         Neighbor Cache         Node Information Queries     Protecting Against Reconnaissance Attacks Layer 3 and Layer 4 Spoofing Summary References Chapter 3 IPv6 Internet Security Large-Scale Internet Threats     Packet Flooding     Internet Worms         Worm Propagation         Speeding Worm Propagation in IPv6         Current IPv6 Worms         Preventing IPv6 Worms     Distributed Denial of Service and Botnets         DDoS on IPv6 Networks         Attack Filtering         Attacker Traceback         Black Holes and Dark Nets Ingress/Egress Filtering     Filtering IPv6 Traffic     Filtering on Allocated Addresses     Bogon Filtering     Bogon Filtering Challenges and Automation Securing BGP Sessions     Explicitly Configured BGP Peers     Using BGP Session Shared Secrets     Leveraging an IPsec Tunnel     Using Loopback Addresses on BGP Peers     Controlling the Time-to-Live (TTL) on BGP Packets     Filtering on the Peering Interface     Using Link-Local Peering         Link-Local Addresses and the BGP Next-Hop Address         Drawbacks of Using Link-Local Addresses     Preventing Long AS Paths     Limiting the Number of Prefixes Received     Preventing BGP Updates Containing Private AS Numbers     Maximizing BGP Peer Availability         Disabling Route-Flap Dampening         Disabling Fast External Fallover         Enabling Graceful Restart and Route Refresh or Soft Reconfiguration         BGP Connection Resets     Logging BGP Neighbor Activity     Securing IGP     Extreme Measures for Securing Communications Between BGP Peers IPv6 over MPLS Security     Using Static IPv6 over IPv4 Tunnels Between PE Routers     Using 6PE     Using 6VPE to Create IPv6-Aware VRFs Customer Premises Equipment Prefix Delegation Threats     SLAAC     DHCPv6 Multihoming Issues Summary References Chapter 4 IPv6 Perimeter Security IPv6 Firewalls     Filtering IPv6 Unallocated Addresses     Additional Filtering Considerations         Firewalls and IPv6 Headers         Inspecting Tunneled Traffic         Layer 2 Firewalls         Firewalls Generate ICMP Unreachables         Logging and Performance     Firewalls and NAT Cisco IOS Router ACLs     Implicit IPv6 ACL Rules     Internet ACL Example     IPv6 Reflexive ACLs Cisco IOS Firewall     Configuring IOS Firewall     IOS Firewall Example     IOS Firewall Port-to-Application Mapping for IPv6 Cisco PIX/ASA/FWSM Firewalls     Configuring Firewall Interfaces     Management Access     Configuring Routes     Security Policy Configuration     Object Group Policy Configuration     Fragmentation Protection     Checking Traffic Statistics     Neighbor Discovery Protocol Protections Summary References Chapter 5 Local Network Security Why Layer 2 Is Important ICMPv6 Layer 2 Vulnerabilities for IPv6     Stateless Address Autoconfiguration Issues     Neighbor Discovery Issues     Duplicate Address Detection Issues     Redirect Issues ICMPv6 Protocol Protection     Secure Neighbor Discovery     Implementing CGA Addresses in Cisco IOS     Understanding the Challenges with SEND Network Detection of ICMPv6 Attacks     Detecting Rogue RA Messages     Detecting NDP Attacks Network Mitigation Against ICMPv6 Attacks     Rafixd     Reducing the Target Scope     IETF Work     Extending IPv4 Switch Security to IPv6 Privacy Extension Addresses for the Better and the Worse DHCPv6 Threats and Mitigation     Threats Against DHCPv6     Mitigating DHCPv6 Attacks         Mitigating the Starvation Attack         Mitigating the DoS Attack         Mitigating the Scanning         Mitigating the Rogue DHCPv6 Server Point-to-Point Link Endpoint Security Summary References Chapter 6 Hardening IPv6 Network Devices Threats Against Network Devices Cisco IOS Versions Disabling Unnecessary Network Services     Interface Hardening Limiting Router Access     Physical Access Security     Securing Console Access     Securing Passwords     VTY Port Access Controls     AAA for Routers     HTTP Access IPv6 Device Management     Loopback and Null Interfaces     Management Interfaces     Securing SNMP Communications Threats Against Interior Routing Protocol     RIPng Security     EIGRPv6 Security     IS-IS Security     OSPF Version 3 Security First-Hop Redundancy Protocol Security     Neighbor Unreachability Detection     HSRPv6     GLBPv6 Controlling Resources     Infrastructure ACLs     Receive ACLs     Control Plane Policing QoS Threats Summary References Chapter 7 Server and Host Security IPv6 Host Security     Host Processing of ICMPv6     Services Listening on Ports         Microsoft Windows         Linux         BSD         Sun Solaris     Checking the Neighbor Cache         Microsoft Windows         Linux         BSD         Sun Solaris     Detecting Unwanted Tunnels         Microsoft Windows         Linux         BSD         Sun Solaris     IPv6 Forwarding         Microsoft Windows         Linux         BSD         Sun Solaris     Address Selection Issues         Microsoft Windows         Linux         BSD         Sun Solaris Host Firewalls     Microsoft Windows Firewall     Linux Firewalls     BSD Firewalls         OpenBSD Packet Filter         ipfirewall         IPFilter     Sun Solaris Securing Hosts with Cisco Security Agent 6.0 Summary References Chapter 8 IPsec and SSL Virtual Private Networks IP Security with IPv6     IPsec Extension Headers     IPsec Modes of Operation     Internet Key Exchange (IKE)         IKE Version 2     IPsec with Network Address Translation     IPv6 and IPsec Host-to-Host IPsec Site-to-Site IPsec Configuration     IPv6 IPsec over IPv4 Example         Configuring IPv6 IPsec over IPv4         Verifying the IPsec State         Adding Some Extra Security         Dynamic Crypto Maps for Multiple Sites     IPv6 IPsec Example         Configuring IPsec over IPv6         Checking the IPsec Status     Dynamic Multipoint VPN         Configuring DMVPN for IPv6         Verifying the DMVPN at the Hub         Verifying the DMVPN at the Spoke Remote Access with IPsec SSL VPNs Summary References Chapter 9 Security for IPv6 Mobility Mobile IPv6 Operation MIPv6 Messages     Indirect Mode     Home Agent Address Determination     Direct Mode Threats Linked to MIPv6     Protecting the Mobile Device Software     Rogue Home Agent     Mobile Media Security     Man-in-the-Middle Threats     Connection Interception     Spoofing MN-to-CN Bindings     DoS Attacks Using IPsec with MIPv6 Filtering for MIPv6     Filters at the CN     Filters at the MN/Foreign Link     Filters at the HA Other IPv6 Mobility Protocols     Additional IETF Mobile IPv6 Protocols     Network Mobility (NEMO)     IEEE .16e     Mobile Ad-hoc Networks Summary References Chapter 10 Securing the Transition Mechanisms Understanding IPv4-to-IPv6 Transition Techniques     Dual-Stack     Tunnels         Configured Tunnels         6to4 Tunnels         ISATAP Tunnels         Teredo Tunnels         6VPE     Protocol Translation Implementing Dual-Stack Security     Exploiting Dual-Stack Environment     Protecting Dual-Stack Hosts Hacking the Tunnels     Securing Static Tunnels     Securing Dynamic Tunnels         6to4         ISATAP         Teredo     Securing 6VPE Attacking NAT-PT IPv6 Latent Threats Against IPv4 Networks Summary References Chapter 11 Security Monitoring Managing and Monitoring IPv6 Networks     Router Interface Performance     Device Performance Monitoring         SNMP MIBs for Managing IPv6 Networks         IPv6-Capable SNMP Management Tools         NetFlow Analysis     Router Syslog Messages     Benefits of Accurate Time Managing IPv6 Tunnels Using Forensics Using Intrusion Detection and Prevention Systems     Cisco IPS Version 6.1     Testing the IPS Signatures Managing Security Information with CS-MARS Managing the Security Configuration Summary References Chapter 12 IPv6 Security Conclusions Comparing IPv4 and IPv6 Security     Similarities Between IPv4 and IPv6     Differences Between IPv4 and IPv6 Changing Security Perimeter Creating an IPv6 Security Policy     Network Perimeter     Extension Headers     LAN Threats     Host and Device Hardening     Transition Mechanisms     IPsec     Security Management On the Horizon Consolidated List of Recommendations Summary References

About the Author :
Scott Hogg, CCIE No. 5133, has been a network computing consultant for more than 17 years. Scott provides network engineering, security consulting, and training services, focusing on creating reliable, high-performance, secure, manageable, and cost-effective network solutions. He has a bachelor’s degree in computer science from Colorado State University and a master’s degree in telecommunications from the University of Colorado. In addition to his CCIE he has his CISSP (No. 4610) and many other vendor and industry certifications. Scott has designed, implemented, and troubleshot networks for many large enterprises, service providers, and government organizations. For the past eight years, Scott has been researching IPv6 technologies. Scott has written several white papers on IPv6 and has given numerous presentations and demonstrations of IPv6 technologies. He is also currently the chair of the Rocky Mountain IPv6 Task Force and the Director of Advanced Technology Services at Global Technology Resources, Inc. (GTRI), a Cisco Gold partner headquartered in Denver, Colorado.   Eric Vynckeis a Distinguished System Engineer for Cisco working as a technical consultant for security covering Europe. His main area of expertise for 20 years has been security from Layer 2 to applications. He has helped several organizations deploy IPv6 securely. For the past eight years, Eric has participated in the Internet Engineering Task Force (IETF) (he is the author of RFC 3585). Eric is a frequent speaker at security events (notably Cisco Live [formerly Networkers]) and is also a guest professor at Belgian Universities for security seminars. He has a master’s degree in computer science engineering from the University of Liège in Belgium. He worked as a research assistant in the same university before joining Network Research Belgium, where he was the head of R&D; he then joined Siemens as a project manager for security projects including a proxy firewall. He coauthored the Cisco Press book LAN Switch Security: What Hackers Know About Your Switches. He is CISSP No. 75165.