Implementing Cisco IOS Network Security (IINS) Foundation Learning Guide, Second Edition (2013)
Part II: Protecting the Network Infrastructure
Chapter 6. Securing the Data Plane in IPv6 Environments
IPv6 shares some of the same security concerns and considerations as IPv4. Some IPv6-specific vulnerabilities and threats make it unique as it relates to your considerations and strategy to protect IPv6 infrastructures and services. In this chapter, you learn how to do the following:
• Explain the need for IPv6 from the general perspective of the transition to IPv6 from IPv4
• List and describe the fundamental features of IPv6, as well as enhancements when compared to IPv4
• Analyze the IPv6 addressing scheme, components, and design principles and configure IPv6 addressing
• Describe the IPv6 routing function
• Evaluate how common and specific threats affect IPv6
• Develop and implement a strategy for IPv6 security
The Need for IPv6
The IPv4 address space provides approximately 4.3 billion addresses. Of that address space, approximately 3.7 billion addresses are actually assignable. The other addresses are reserved for special purposes such as multicasting, private address space, loopback testing, and research.
An IPv6 address is a 128-bit binary value, which can be displayed as 32 hexadecimal digits, as shown in Figure 6-1. It provides 3.4 × 10^38 IP addresses. This version of IP addressing should provide sufficient addresses for future Internet growth needs—enough to allocate the equivalent of the entire IPv4 address space to every person on the planet. Another analogy to show the enormity of the IPv6 address pool is to think that there are 667,712,614,478,140,039 addresses available per square meter of the Earth’s surface, including ocean surface.
Figure 6-1. Comparing IPv4 and IPv6 Addresses
So, What Ever Happened to IPv5?
Well, IPv5 never existed. In the late 1970s, a set of protocols were defined to create the Internet Stream Protocol (ST), which was to be used, instead of IP, for streaming. The protocol was never introduced. However, the second iteration of ST (ST-II) used Internet Protocol version 5 to distinguish itself from regular IP. Though ST was never known as IPv5, IETF decided to stay away from this nomenclature to avoid confusion.
According to an unofficial Cisco TAC statistic, in fall 2011, about 5 percent of networks running on Cisco equipment had IPv6 in production. More formal statistics can be found at Réseaux IP Européens Network Coordination Centre, or RIPE NCC (http://www.ripe.net/). As one of four regional Internet registries that supply and administer IP addresses, it has some interesting statistics. According to RIPE NCC, in 2012 about 7.5 percent of networks worldwide were running IPv6. The largest penetration was in the Asia-Pacific region with close to 11 percent. The lowest percentage of networks running IPv6 was in North America at 5 percent. Interestingly, it’s in North America that the highest number of IPv4 Class A addresses can be found. (Source: RIPE NCC, https://labs.ripe.net/Members/emileaben/interesting-graph-networks-with-ipv6-over-time.)
Google is also tracking the IPv6 adoption rate on the Internet. As of July 2012, Google was reporting that 0.78 percent of all traffic it was seeing was IPv6. (Source: http://www.google.com/intl/en/ipv6/statistics/.)
If you are interested in finding the IPv6 penetration rate in your country, visit http://v6asns.ripe.net/v/6 or http://www.google.com/ipv6/statistics.html#tab=per-country-ipv6-adoption.
In 2012, there were approximately 2.3 billion Internet users around the world. Between 2000 and 2011, there was a 480 percent growth of the Internet. In February 2011, IANA announced the allocation of the last few blocks of /8 address spaces.
The Internet will be transformed after IPv6 fully replaces IPv4. IPv4 address exhaustion is an imminent fact. Nevertheless, IPv4 will not disappear overnight. Rather, it will coexist with and then gradually be replaced by IPv6.
These facts are augmented by the tremendous increase of mobile and consumer devices connecting to the public Internet. The consumerization of IT services is an ongoing trend, where business workers use their consumer and mobility devices to access corporate networks. It is expected that by 2013, there will be 1 billion internet-connected devices. These trends, along with application trends, have driven peer-to-peer communications and more demand for a larger IP address space. The next wave is machine-to-machine (M2M) communications, smart grids, networked security cameras and motion sensors, connected home appliance, and so on.
The change from IPv4 to IPv6 has already begun, particularly in Europe and the Asia-Pacific region. These areas are exhausting their allotted IPv4 addresses, which makes IPv6 all the more attractive and necessary. Some countries, such as Japan, are aggressively adopting IPv6. The European Union is moving toward IPv6, and China is considering building new networks that are dedicated for IPv6. In 2008, the U.S. government mandated all federal agencies to demonstrate IPv6 connectivity over their backbone networks and that their public-facing web sites be IPv6 ready by Sept. 30, 2012.
Other IPv4 weaknesses affect the need for IPv6. IPv4 was designed without a number of modern-day network requirements for security, device roaming, quality of service, address depletion, and others. Incorporating additional features in IPv4 has been costly in terms of complexity and flexibility.
The supporting cast of IPv4 protocols and solutions that manage address scarcity (Network Address Translation [NAT], Dynamic Host Configuration Protocol [DHCP], variable-length subnet mask [VLSM], and classless interdomain routing [CIDR]) are good examples of added complexity and lower performance due to an unplanned event such as IP address space depletion.
Security is one of those requirements. The push for peer-to-peer communications, where each peer has a public address, demands security controls that work end to end and are initiated by the IP hosts themselves. IP Security (IPsec) was introduced to solve the problem of the inherent lack of security in IPv4 transmission.
Quality of service (QoS) was also an area neglected by IPv4. Resource Reservation Protocol (RSVP) and other protocols were introduced to provide QoS.
Mobility is not built in to IPv4. Mobile IP is required to deploy a roaming approach to IP addressing and service continuity.
IPv6 Features and Enhancements
IPv6 is a powerful enhancement to IPv4. Several features in IPv6 offer functional improvements. What IP developers learned from using IPv4 suggested changes to better suit current and probable network demands:
• Larger address space: A larger address space includes several enhancements:
• Improved global reachability and flexibility
• Aggregation of prefixes that are announced in routing tables
• Multihoming to several ISPs
• Autoconfiguration that can include data link layer addresses in the address space
• Plug-and-play options
• Public-to-private readdressing end to end without address translation
• Simplified mechanisms for address renumbering and modification
• Simpler header: A simpler header offers several advantages over IPv4:
• Better routing efficiency for performance and forwarding-rate scalability
• No broadcasts and thus no potential threat of broadcast storms
• No requirement for processing checksums
• Simpler and more efficient extension header mechanisms
• Flow labels or per-flow processing with no need to open the transport inner packet to identify the various traffic flows
• Mobility and security: Mobility and security help ensure compliance with Mobile IP and IPsec standards functionality. Mobility enables people with mobile network devices—many with wireless connectivity—to move around in networks. Mobile IP is an Internet Engineering Task Force (IETF) standard that is available for both IPv4 and IPv6, enabling mobile devices to move without breaks in established network connections. Because IPv4 does not automatically provide this kind of mobility, you must add it with additional configurations.
• In IPv6, mobility is built in, which means that any IPv6 node can use mobility when necessary. The routing headers of IPv6 make Mobile IPv6 much more efficient than Mobile IPv4 for end nodes.
• IPsec is the IETF standard for IP network security, available for both IPv4 and IPv6. Although the functionalities are essentially identical in both environments, IPsec is mandatory in IPv6. IPsec can be used transparently on every IPv6 host without additional software, making the IPv6 Internet potentially more secure. IPsec also requires keys for each party, which implies a global key deployment and distribution.
• Transition richness: There are several ways to incorporate existing IPv4 capabilities with the added features of IPv6:
• One approach is to implement a dual-stack method, with both IPv4 and IPv6 configured on the interface of a network device.
• Tunneling is another technique that will become more prominent as the adoption of IPv6 grows. There are various IPv6-over-IPv4 tunneling methods. Some methods require manual configuration, while others are more automatic.
Cisco IOS Release 12.3(2)T and later also include Network Address Translation Protocol Translation (NAT-PT) between IPv6 and IPv4. This translation allows direct communication between hosts that use different versions of the IP protocol.
The new IPv6 header is simpler than the IPv4 header, in the following ways:
• Half of the previous IPv4 header fields are removed. This enables simpler processing of the packets, enhancing the performance and routing efficiency.
• All fields are aligned to 64 bits, which enables direct storage and access in memory by fast lookups.
• No checksum occurs at the IP layer, and no recalculation is performed by the routers. Error detection is done by the link layer and transport layer.
IPv6 header enhancements improve hardware-based processing, which provides scalability of the forwarding rate for the next generation of high-speed networks.
IPv6 uses a different approach from IPv4 to manage optional information in the header. It defines extension headers that form a chain of headers linked by the Next Header field that is contained in each extension header. This approach provides efficiency gains over IPv4 in the way that options and special functions are packaged. It enables a faster forwarding rate and leaves the router with less work to do for each packet.
IPv4 Versus IPv6 Header Fields
With IPv4, the Fragmentation field is always present in the header, regardless of whether the packet is fragmented. With IPv6, such a field appears only if the functionality is needed.
All extension headers are daisy-chained, each header pointing to the next header until they reach the transport layer data, as shown in Figure 6-2. This arrangement allows an IPv6 packet to be customized with features and functionality.
Figure 6-2. Daisy-chaining IPv6 Extension Headers
A good example of extension headers is the routing header (RH) in IPv6. It can be used to implement the source routing function that is widely known in IPv4, where the packet lists the intermediary hosts that it will visit before arriving at its final destination. If the Next Header field is equal to 0, the next header is a Hop-by-Hop field. This header contains information that must be examined by each node on the path.
A second routing header, with a value of 2, has been defined for use with IPv6 Mobility. It is formatted similarly to the type 0 routing header, except that it only carries one intermediate hop.
All IPv6 hosts, including end stations, process the RH.
Stateless Address Autoconfiguration
Stateless address autoconfiguration is an important feature of IPv6. It allows serverless basic configuration of the nodes and easy renumbering. It uses the Neighbor Discovery Protocol (NDP), which is based on ICMP version 6 (ICMPv6) protocol messaging, a topic we will discuss next. NDP replaces Address Resolution Protocol (ARP), and multicast replaces broadcast.
Stateless address autoconfiguration uses the information in the router advertisement messages to configure the node. The prefix included in the router advertisement is used as the /64 prefix for the node address. The other 64 bits are obtained by the dynamically created interface identifier, which, in the case of Ethernet, is the modified extended universal identifier 64-bit (EUI-64) format.
Router advertisements are sent periodically. When a host boots, it needs to have its address in the early stage of the boot process, as illustrated in Figure 6-3. Instead of waiting for the next router advertisement to get the information to configure its interfaces, a node sends a router solicitation message asking the routers on the network to reply immediately with a router advertisement so that the node can immediately autoconfigure. All the routers respond with a normal router advertisement message with the all-nodes multicast address as the destination address.
Figure 6-3. IPv6 - Stateless Autoconfiguration
Autoconfiguration enables plug-and-play configuration of an IPv6 device, which allows devices to connect themselves to the network without any configuration from an administrator and without any servers, such as DHCP servers. This key feature enables deployment of new devices on the Internet, such as smartphones, wireless devices, home appliances, and other consumer devices.
The NDP functions therefore include:
• Router, prefix, and parameter discovery
• Address autoconfiguration and resolution
• Duplicate address detection
IPv6 Network Discovery Protocol (NDP) replaces IPv4 Address Resolution Protocol (ARP). NDP is a messaging protocol that relies on ICMPv6 and facilitates the discovery of neighboring devices over a network.
Internet Control Message Protocol Version 6
ICMPv6 is similar to ICMP version 4 (ICMPv4) in that it enables nodes to make diagnostic tests and report problems. Table 6-1 lists the differences between ICMPv4 and ICMPv6.
Table 6-1. ICMPv4 and ICMPv6 Message Types
Like ICMPv4, ICMPv6 implements two kinds of messages: error messages, such as “destination unreachable,” “packet too big,” or “time exceeded,” and informational messages, such as “echo request” and “echo reply.”
ICMPv4 is often blocked by security policies in corporate firewalls because of known attacks that are based on ICMP. ICMPv6 can be subject to similar attacks; however, there are substantial changes to its scope. The responsibilities of ICMPv6 go beyond mere messaging, and into address resolution and assignment, router discovery, and Mobile IP.
IPv6 General Features
IPv6 has many advantages over IPv4, such as
• A large address space makes global reachability possible from every IPv6 node.
• Autoconfiguration is essential for deploying many appliances. It would not be possible, practically, to manually configure IP addresses. You need some autoconfiguration mechanism that scales. DHCP may not be the right way to manage millions of clients.
• IPsec is mandated in the architecture.
• NAT includes end-to-end security in networks by requiring that you trust the end devices.
• Mobile IPv6 improves routing efficiency over IPv4.
• IPv6 is the same as IPv4 in QoS and header compression features. Both areas benefited from the work on IPv6. The IPv6 header compresses better than the IPv4 header because there are fewer fields.
• Other features are equivalent, except for a few details, such as scoped addresses (defined below) in multicast, or the concept of stateless DHCP where only static parameters are provided by the DHCP server.
RFC 4007 defines scoped addresses as follows: “Internet Protocol version 6 includes support for addresses of different ‘scope’; that is, both global and non-global (e.g., link-local) addresses.”
Table 6-2 summarizes the general features and benefits of IPv6 and compares them to IPv4.
Table 6-2. IPv4 and IPv6 Compared
Transition to IPv6
The transition from IPv4 does not require upgrades on all nodes at the same time. Many transition mechanisms enable smooth integration of IPv4 and IPv6. Other mechanisms that allow IPv4 nodes to communicate with IPv6 nodes are available. All of these mechanisms are applied to different situations. Tunnels are established manually, semiautomatically, or automatically:
• GRE (not discussed)
• VPN (not discussed)
• Tunnel broker (proxying)
The three most common techniques to transition from IPv4 to IPv6 are as follows:
• Dual stack: Dual stack is an integration method in which a node has implementation and connectivity to both an IPv4 network and an IPv6 network. As a result, the node and its corresponding routers have two protocol stacks, as shown in Figure 6-4.
• Tunneling: There are several tunneling techniques available:
• Manual IPv6-over-IPv4 tunneling: An integration method in which an IPv6 packet is encapsulated within the IPv4 protocol. This method requires dual-stack routers.
• Dynamic 6to4 tunneling: A method that automatically establishes the connection of IPv6 islands through an IPv4 network, typically the Internet. The 6to4 tunneling method dynamically applies a valid, unique IPv6 prefix to each IPv6 island, which enables the fast deployment of IPv6 in a corporate network without address retrieval from the ISPs or registries.
• Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling: An automatic overlay tunneling mechanism that uses the underlying IPv4 network as a data link layer for IPv6. ISATAP tunnels allow individual IPv4 or IPv6 dual-stack hosts within a site to communicate with other such hosts on a virtual link, creating an IPv6 network using the IPv4 infrastructure.
• Teredo tunneling: An IPv6 transition technology that provides host-to-host automatic tunneling instead of gateway tunneling. It is used to pass unicast IPv6 traffic when dual-stacked hosts (hosts that are running both IPv6 and IPv4) are located behind one or multiple IPv4 NATs.
• Proxying and translation (NAT-PT): A translation mechanism that sits between an IPv6 network and an IPv4 network. The job of the translator is to translate IPv6 packets into IPv4 packets and vice versa.
Figure 6-4. IPv6-in-IPv4 Tunnel
IPv6 addresses are, at first, the most noticeable change compared to IPv4. Not only are IP addresses going from 32 bits to 128 bits, but how addresses are represented and how they are classified are also new. There are different types of IPv6 addresses and different representations.
IPv6 Address Representation
IPv6 addresses are 128 bits long. Addresses are represented as a series of eight 16-bit hexadecimal fields that are separated by colons. The A, B, C, D, E, and F in hexadecimal fields are not case sensitive. A typical IPv6 address would therefore look like 2001:cb7:46d1:0:0:8a2e:370:7334.
Here are some ways to shorten the writing of IPv6 addresses:
• The leading zeros in a field are optional, so 010F = 10F and 0000 = 0.
• Successive fields of zeros can be represented as a double colon (::), but only once in an address. An address parser is able to identify the number of missing zeros by separating the two parts and filling in zeros until the 128 bits are completed. But if two double colons are placed in the address, there is no way to identify the size of each block of zeros. Therefore, only one double colon is possible in a valid IPv6 address.
The use of the double-colon technique makes many addresses very small. For example, FF01:0:0:0:0:0:0:1 becomes FF01::1, as shown in Figure 6-5. The “unspecified” address is written as a double colon (::), because it contains only zeros. The loopback address, 0:0:0:0:0:0:0:1, is represented by ::1.
Figure 6-5. Examples of IPv6 Address Representation in Their Long Form and Shortened Form
Figure 6-5 shows the use of the double colon to represent multiple contiguous 16-bit chunks of zeros in an IPv6 address. The second representation that is shown in Figure 6-5 is incorrect—the double colon (::) notation can appear only once in an address, because multiple uses may make the address ambiguous. In the example, the parser cannot tell whether the missing bits (four 16-bit sections) are apportioned with 16 at the first double colon and 48 at the last double colon or some other combination.
IPv6 addresses are presented with a prefix. The high-order bits of an IPv6 address represent the network. All the host addresses of one network would have the same first few bits. These first few network bits, n bits, are called the “prefix.” We use /n to denote a prefix n bits long. If an address is presented with 2001:cb7::/32, it means that the first 32 bits belong to the network and that the other 96 bits belong to subnet and host addresses.
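The two shortening rules above, the single-"::" restriction, and the /n prefix notation are easy to get wrong in hand-written tooling (log parsers, ACL generators, allow-lists). The following Python is an added worked example, not code from the book or from Cisco: it expands an address to its eight full groups, rejects a second "::" for exactly the ambiguity the text describes, produces the short form, and checks whether an address falls inside a prefix such as 2001:cb7::/32. The sample addresses are the ones used in this section; the function names are my own.

```python
import re

# One 16-bit group: one to four hex digits, case-insensitive (the text notes
# that hex digits are not case sensitive and leading zeros are optional).
HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(text: str) -> str:
    """Expand an IPv6 address to eight zero-padded, lowercase 16-bit groups.

    Rules applied: leading zeros in a group are optional, and a single '::'
    stands for one run of zero groups. A second '::' is rejected because the
    parser could not tell how many zero groups each one replaces.
    """
    if text.count("::") > 1:
        raise ValueError("more than one '::' makes the address ambiguous: %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % text)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, found %d: %r" % (len(groups), text))
    for group in groups:
        if not HEX_GROUP.match(group):
            raise ValueError("invalid 16-bit group %r in %r" % (group, text))
    return ":".join(group.lower().zfill(4) for group in groups)


def compress_ipv6(text: str) -> str:
    """Return the short form: leading zeros dropped and the longest run of
    two or more zero groups (the first such run on a tie) replaced by '::'."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(text).split(":")]
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, g in enumerate(groups + ["end"]):  # sentinel closes the last run
        if g == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
            continue
        if run_len > best_len:
            best_start, best_len = run_start, run_len
        run_len = 0
    if best_len < 2:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return head + "::" + tail


def ipv6_to_int(text: str) -> int:
    """The 128-bit value of an address, computed from its expanded form."""
    return int(expand_ipv6(text).replace(":", ""), 16)


def in_prefix(address: str, prefix: str) -> bool:
    """True if the first n bits of address match the prefix written as 'net/n'."""
    net, _, length = prefix.partition("/")
    n = int(length)
    if not 0 <= n <= 128:
        raise ValueError("prefix length must be 0..128: %r" % prefix)
    mask = ((1 << n) - 1) << (128 - n)
    return (ipv6_to_int(address) & mask) == (ipv6_to_int(net) & mask)


def is_valid_ipv6(text: str) -> bool:
    """Convenience wrapper: False instead of an exception for malformed text."""
    try:
        expand_ipv6(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("FF01:0:0:0:0:0:0:1", "2001:cb7:46d1:0:0:8a2e:370:7334", "::1"):
        print(sample, "->", expand_ipv6(sample), "->", compress_ipv6(sample))
    print(in_prefix("2001:cb7:46d1::1", "2001:cb7::/32"))  # True: first 32 bits match
    print(is_valid_ipv6("2001:db8::1::2"))  # False: two '::'
```

The compressor follows the RFC 5952 convention (lowercase digits, only runs of two or more zero groups collapsed, first longest run wins), so "0:0:0:0:0:0:0:1" becomes "::1" as in the text, while an address with a single zero group is left with that group written as "0".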
IPv6 Address Types
IPv6 supports three types of addresses:
• Unicast:
• Address is for a single interface
• IPv6 has several types (for example, global, reserved, link-local, and site-local)
• Multicast:
• Enables more efficient use of the network
• Uses a larger address range
• Anycast:
• One-to-nearest (allocated from unicast address space)
• Multiple devices share the same address
• All anycast nodes should provide uniform service
• Source devices send packets to anycast address
• Routers decide on closest device to reach that destination
• Suitable for load balancing and content delivery services
Unicast and multicast work the same as with IPv4. As for anycast, think of it as a shared secondary address. As an example, think of a network topology with two routers as potential default gateways serving the same subnet. In IPv4, a host would be configured to point to one of the two gateways. If the selected gateway is no longer available, a reconfiguration of the host would be necessary for it to start using the other gateway on the network. In IPv6, however, the two routers would be configured with the same anycast address, in addition to their own unicast address. A host would send its packets to the anycast address, and either router could provide the service.
Because there are no broadcasts with IPv6, there is no need for a broadcast address.
Each address type has specific rules regarding its construction and use, as discussed next.
IPv6 Unicast Addressing
IPv6 unicast addresses can be aggregated with prefixes of arbitrary bit length, similar to IPv4 addresses under classless interdomain routing (CIDR).
There are several types of unicast addresses in IPv6, including global addresses, site-local addresses (deprecated), unique local addresses, and link-local addresses. There are also some special-purpose subtypes of global unicast, such as the unspecified address, loopback address, and IPv6 addresses with embedded IPv4 addresses. Additional address types or subtypes could be defined in the future.
IPv6 address types have the following patterns:
• Global: Starts with 2000::/3 and assigned by the Internet Assigned Numbers Authority (IANA)
• Reserved: Used by the IETF
• Private: Link local (starts with FE80::/10)
• Loopback: (::1)
• Unspecified: (::)
A single interface may be assigned multiple IPv6 addresses of any type: unicast, anycast, or multicast. IPv6 addressing rules are covered by multiple RFCs, including RFC 4291.
IPv6 Global Unicast and Anycast Addresses
Global unicast addresses correspond to the principal use of IPv6 addresses for generic global IPv6 traffic and consume the most important part of the address space.
The structure of a global unicast address, shown in Figure 6-6, is as follows:
• A global routing prefix, typically a /48 assigned to a site, is a structure that enables aggregation upward, eventually to the ISP
• A subnet ID used to identify links within a site, typically 16 bits
• A 64-bit interface ID to identify the interface of the node
Figure 6-6. IPv6-in-IPv4 Tunnel
IPv6 has the same address format for global unicast and for anycast addresses. Every IPv6-enabled interface contains at least one loopback address (::1/128) and one link-local address. Optionally, every interface can have multiple unique local and global addresses.
Examples of global addresses can be found in RFC 3587, “IPv6 Global Unicast Address Format.” The structure that is proposed in that document provides for aggregation of routing prefixes to limit the number of entries in the global routing table. An example of aggregation is shown in Figure 6-7.
Figure 6-7. Example of IPv6 Address Aggregation
All IPv6-enabled interfaces must have a link-local address.
Link-local addresses are used for addressing on a single link, so they have a scope that is limited to the link. Link-local addresses are dynamically created on all IPv6 interfaces by using a specific link-local prefix, FE80::/10, and a 64-bit interface identifier, as shown in Figure 6-8.
Figure 6-8. Link-Local Address
Link-local addresses are used for automatic address configuration, neighbor discovery, and router discovery. They are also used by many routing protocols.
Link-local addresses can serve as a way to connect devices on the same local network without requiring global or unique local addresses. When communicating with a link-local address, you must specify the outgoing interface because every interface is connected to FE80::/10.
IPv6 has a 128-bit address space, but 64 bits are used for the host number on the subnet. A better way to look at the address space is to say that IPv6 supports 2^64 subnets, and each subnet can have a practically unlimited number of hosts. In any case, there are more than enough networks and hosts for the future.
A multicast scope is new in IPv6. Multicast is used in the context of one-to-many. A multicast address identifies a group of interfaces. Traffic that is sent to a multicast address is sent to multiple destinations at the same time. An interface may belong to any number of multicast groups. Multicast is used in the core of many functions in IPv6.
Multicast addresses are defined by the prefix FF00::/8, as shown in Figure 6-9.
Figure 6-9. Multicast Address
The second octet defines the flags and the scope of the multicast address. Flags are defined as “0RPT,” and these conditions apply:
• 0 is reserved and must equal 0.
• R stands for “rendezvous point” and is almost always set to 0.
• P indicates “prefix dependency” and is almost always set to 0.
• T is the “temporary” bit. For a temporary multicast address, T equals 1. For a permanent multicast address, T equals 0.
If R equals 1, P and T must also equal 1.
The scope parameters are used to specify in which part of the network address is valid and unique. Some addresses are unique only on the local network, while others are globally unique. Table 6-3 provides definitions of scope.
Table 6-3. IPv6 Scope Parameters and Definitions
For example, a multicast address starting with FF02::/16 is a permanent multicast address with a link-local scope.
The lower 112 bits of the multicast address constitute the multicast group ID.
Multicast is frequently used in IPv6 and replaces broadcast. There is no broadcast in IPv6. There is no Time to Live (TTL) in IPv6 multicast. The scoping is defined inside the address.
The multicast addresses FF00:: to FF0F:: are reserved. Inside that range, the following addresses are assigned:
• FF02::1: All nodes on the link-local scope
• FF02::2: All routers on the link-local scope
• FF02::9: All Routing Information Protocol (RIP) routers on the link
• FF02::1:FFXX:XXXX: Solicited-node address
• FF05::101: All Network Time Protocol (NTP) servers on the site-local scope
• FF0X::103: Rwhod (rwho plus ruptime daemon)
• FF0X::102: Silicon Graphics Dogfight (Internet game)
• FF0X::127: Cisco RP announce (multicast rendezvous point)
• FF0X::128: Cisco RP discovery
• FF05::1:3: All DHCP servers in site
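The flag and scope fields described above, and the solicited-node group FF02::1:FFXX:XXXX, are what a defender inspects when deciding which multicast groups a node should legitimately join or which ICMPv6 traffic a filter should admit. The following Python is an added example, not the book's or Cisco's code: it decodes an FF00::/8 address into its 0RPT flags, scope and 112-bit group ID, reports violations of the flag rules stated in the text, and derives the solicited-node group for a unicast address. Table 6-3 is not reproduced on this page, so the scope names are taken from RFC 4291 (plus realm-local from RFC 7346); the function names are my own, and the standard-library ipaddress module does the expansion.

```python
import ipaddress

# Multicast scope values from RFC 4291 section 2.7 (realm-local, 3, from RFC 7346).
# The chapter's Table 6-3 is not reproduced here; these come from the RFCs.
MULTICAST_SCOPES = {
    0x0: "reserved",
    0x1: "interface-local",
    0x2: "link-local",
    0x3: "realm-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
    0xF: "reserved",
}


def decode_multicast(text: str) -> dict:
    """Break an FF00::/8 address into its flags, scope and 112-bit group ID."""
    addr = ipaddress.IPv6Address(text)
    if not addr.is_multicast:
        raise ValueError("not an FF00::/8 address: %s" % addr)
    raw = int(addr)
    # Bit layout, high to low: 8 bits 0xFF | 4 flag bits (0 R P T) | 4 scope bits | 112-bit group ID
    flags = (raw >> 116) & 0xF
    scope = (raw >> 112) & 0xF
    return {
        "flags": flags,
        "reserved_bit": (flags >> 3) & 1,  # the leading '0' of 0RPT
        "R": (flags >> 2) & 1,             # rendezvous point
        "P": (flags >> 1) & 1,             # prefix dependency
        "T": flags & 1,                    # temporary (1) or permanent (0)
        "permanent": (flags & 1) == 0,
        "scope": scope,
        "scope_name": MULTICAST_SCOPES.get(scope, "unassigned"),
        "group_id": raw & ((1 << 112) - 1),
    }


def flag_problems(text: str) -> list:
    """Return the flag-rule violations stated in the chapter, if any."""
    d = decode_multicast(text)
    problems = []
    if d["reserved_bit"]:
        problems.append("reserved high flag bit must be 0")
    if d["R"] and not (d["P"] and d["T"]):
        problems.append("R=1 requires P=1 and T=1")
    return problems


def solicited_node(unicast: str) -> str:
    """FF02::1:FFXX:XXXX, built from the low 24 bits of a unicast address.

    This is the link-local group a node joins so that Neighbor Discovery can
    reach it without a broadcast; each node should appear in only the
    solicited-node groups matching its own addresses.
    """
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


if __name__ == "__main__":
    for sample in ("FF02::1", "FF02::2", "FF05::1:3", "FF0E::101"):
        d = decode_multicast(sample)
        print(sample, d["scope_name"], "permanent" if d["permanent"] else "temporary",
              "group", hex(d["group_id"]))
    print(flag_problems("ff45::1"))  # R set without P and T
    print(solicited_node("2001:db8:c18:1:218:b9ff:fe21:9278"))
```

The last line of the demo uses the global address from Example 6-3 later in this chapter; its solicited-node group is ff02::1:ff21:9278, which is the group a neighbor solicitation for that address is sent to.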
Assigning IPv6 Global Unicast Addresses
Interface identifiers in IPv6 addresses are used to identify interfaces on a link. They can also be thought of as the “host portion” of an IPv6 address. Interface identifiers are required to be unique on a specific link. Interface identifiers are always 64 bits and can be dynamically derived from a Layer 2 media and encapsulation.
There are several ways to assign an IPv6 address to a device:
• Static assignment using a manual interface ID
• Static assignment using an EUI-64 interface ID
• Stateless autoconfiguration
• DHCP for IPv6 (DHCPv6)
Manual Interface Assignment
One way to statically assign an IPv6 address to a device is to manually assign both the prefix (network) and interface ID (host) portion of the IPv6 address. To configure an IPv6 address on a Cisco router interface and enable IPv6 processing on that interface, use the ipv6 address ipv6-address prefix-length command in interface configuration mode.
Example 6-1 shows how to enable IPv6 processing on the interface and configure an address based on the directly specified bits.
Example 6-1. Manually Assigning an IPv6 Address to a Router Interface
R1(config)# interface fa 0/0
R1(config-if)# ipv6 address 2001:0DB8:2222:7272::72/64
In Example 6-1, the IPv6 address could have been configured without the leading 0 in the second most significant hexadecimal field, as shown here:
R1(config-if)# ipv6 address 2001:DB8:2222:7272::72/64
EUI-64 Interface ID Assignment
Another way to statically assign an IPv6 address is to configure the prefix (network) portion of the IPv6 address and derive the interface ID (host) portion from the Layer 2 MAC address of the device, which is known as the EUI-64 interface ID. You will see later in this chapter how the 48-bit MAC address is expanded to provide a 64-bit interface ID.
To configure an IPv6 address for an interface and enable IPv6 processing on the interface using an EUI-64 interface ID in the low-order 64 bits of the address (host), use the ipv6 address ipv6-prefix/prefix-length eui-64 command in interface configuration mode.
Example 6-2 assigns the IPv6 address 2001:0DB8:0:1::/64 to Ethernet interface 0 and uses an EUI-64 interface ID in the low-order 64 bits of the address.
Example 6-2. Configuring the Prefix Portion for an EUI-64 Interface ID Assignment
R1(config)# interface fa 0/0
R1(config-if)# ipv6 address 2001:0DB8:0:1::/64 eui-64
Autoconfiguration, as the name implies, is a mechanism that automatically configures the IPv6 address of a node. In IPv6, it is assumed that non-PC devices, as well as computer terminals, will be connected to the network. The autoconfiguration mechanism was introduced to enable plug-and-play networking of these devices, to help reduce administration overhead.
DHCP for IPv6 enables DHCP servers to pass configuration parameters such as IPv6 network addresses to IPv6 nodes. It offers the capability of automatic allocation of reusable network addresses and additional configuration flexibility. This protocol is a stateful counterpart to IPv6 stateless address autoconfiguration, and can be used separately or concurrently with IPv6 stateless address autoconfiguration to obtain configuration parameters.
IPv6 EUI-64 Interface Identifier
The 64-bit interface identifier in an IPv6 address identifies a unique interface on a link. A link is a network medium over which network nodes communicate using the data link layer. The interface identifier can also be unique over a broader scope. In many cases, an interface identifier is the same as, or is based on, the data link layer (MAC) address of an interface. As in IPv4, a subnet prefix in IPv6 is associated with one link.
Interface identifiers in global unicast and other IPv6 address types must be 64 bits long and can be constructed in the 64-bit EUI-64 format. As shown in Figure 6-10, this format expands the 48-bit MAC address to 64 bits by inserting “FFFE” into the middle 16 bits. The EUI-64 format interface ID is derived from the 48-bit link layer (MAC) address by inserting the hexadecimal number FFFE between the upper 3 bytes (Organizationally Unique Identifier [OUI] field) and the lower 3 bytes (serial number) of the link layer address. To ensure that the chosen address is from a unique Ethernet MAC address, the seventh bit in the high-order byte is inverted (equivalent to the IEEE G/L bit) to indicate the uniqueness of the 48-bit address. To make sure that the chosen address is from a unique Ethernet MAC address, the U/L bit is set to 0 for global scope (1 for local scope).
Figure 6-10. Creating an EUI-64 Format Interface ID
IPv6 and Cisco Routers
Cisco IOS Software Release 12.2(2)T and later are IPv6-ready. As soon as you configure basic IPv4 and IPv6 on the interface, the interface is dual-stacked and the router forwards IPv4 and IPv6 traffic on that interface.
There are two basic steps to activate IPv6 on a router. First, you must activate IPv6 traffic forwarding on the router, and then you must configure each interface that requires IPv6. By default, IPv6 traffic forwarding is disabled on a Cisco router.
To activate IPv6 traffic forwarding between interfaces, you must configure the global command ipv6 unicast-routing:
R1(config)# ipv6 unicast-routing
This command enables the forwarding of IPv6 datagrams.
The ipv6 address command can configure a global IPv6 address:
R1(config-if)# ipv6 address ipv6prefix/prefix-length eui-64
The link-local address is configured automatically when an address is assigned to the interface. You must either specify the entire 128-bit IPv6 address or specify a 64-bit prefix and let the eui-64 option derive the interface identifier, as shown in Example 6-2.
IPv6 Address Configuration Example
You can completely specify the IPv6 address or compute the host identifier (rightmost 64 bits) from the EUI-64 identifier of the interface. In Example 6-3, the IPv6 address of the interface is configured using the EUI-64 format, based on the topology shown in Figure 6-11.
Figure 6-11. Topology of IPv6 Networks for Example 6-3
Example 6-3. Configuring and Verifying a Router for EUI-64 Interface ID Assignment
R1(config)# ipv6 unicast-routing
R1(config)# interface fa0/0
R1(config-if)# ipv6 address 2001:db8:c18:1::/64 eui-64
R1# show ipv6 interface fa0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::218:B9FF:FE21:9278
Global unicast address(es):
2001:DB8:c18:1:218:B9FF:FE21:9278, subnet is 2001:DB8:C18:1::/64
Joined group address(es):
MTU is 1500 bytes
Alternatively, you can completely specify the entire IPv6 address to assign a router interface an address using the ipv6 address ipv6-address/prefix-length command in interface configuration mode.
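The EUI-64 derivation described above and the address the router computed in Example 6-3 can be reproduced with the following Python, an added example that is not from the book or Cisco IOS. It assumes the MAC address 0018.B921.9278 for the interface in Example 6-3 (recovered from the link-local address shown there); the function names are the example's own.

```python
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept 00:18:b9:21:92:78, 00-18-b9-21-92-78 or Cisco-style 0018.b921.9278."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier as the chapter describes it:
    FFFE is inserted between the OUI (upper 3 bytes) and the serial number
    (lower 3 bytes), then the U/L bit (0x02 in the first byte) is inverted."""
    raw = parse_mac(mac)
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02  # a universally administered MAC (U/L=0) yields a 1 here
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID, as the router does
    for 'ipv6 address <prefix>/64 eui-64'."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("the EUI-64 interface ID needs a 64-bit prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The FE80::/64 address the router derives automatically for the interface."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64(addr: str) -> str:
    """Reverse the derivation, which is useful when tracing an address seen in
    logs back to a NIC; only possible when the FFFE marker is present."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError(f"{addr} does not carry an EUI-64 interface ID")
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    # Constructed: the MAC behind the output in Example 6-3.
    mac = "0018.b921.9278"
    print("link-local     :", link_local_address(mac))  # fe80::218:b9ff:fe21:9278
    print("global unicast :", eui64_address("2001:db8:c18:1::/64", mac))
```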
Routing Considerations for IPv6
IPv6 uses longest-prefix match routing just like CIDR does for IPv4. CIDR will be covered in Chapter 8, “Access Control Lists for Threat Mitigation.”
Many of the common routing protocols have been modified to manage longer IPv6 addresses and different header structures. The following updated routing protocols are currently available:
• RIPng (RFC 2080)
• OSPFv3 (RFC 2740)
• IS-IS for IPv6
• MP-BGP4 (RFC 2545/2858)
• EIGRP for IPv6
This book discusses static routing and RIPng. IPv6 routing is discussed in greater detail in Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide: Foundation Learning for the ROUTE 642-902 Exam by Diane Teare.
You can use and configure IPv6 static routing in the same way you would with IPv4. There is an IPv6-specific requirement per RFC 2461 that a router must be able to determine the link-local address of each of its neighboring routers to ensure that the target address of a redirect message identifies the neighbor router by its link-local address. This requirement means that using a global unicast address as a next-hop address with IPv6 routing is not recommended.
Routing protocols use the link-local address as the source for exchanging routing updates, and this link-local address is actually used as the next-hop address.
The Cisco IOS global command to enable IPv6 is ipv6 unicast-routing. You must enable IPv6 unicast routing before an IPv6-capable routing protocol or an IPv6 static route will work.
Routing Information Protocol next generation (RIPng) (RFC 2080) is a distance-vector routing protocol with a limit of 15 hops that uses split horizon and poison reverse to prevent routing loops. RIPng includes the following features:
• Based on IPv4 RIP version 2 (RIPv2) and is similar to RIPv2
• Uses IPv6 for transport
• Includes the IPv6 prefix and next-hop IPv6 address
• Uses the multicast group FF02::9, the all-RIP-routers multicast group, as the destination address for RIP updates
• Sends updates on UDP port 521
• Supported by Cisco IOS Release 12.2(2)T and later
Revisiting Threats: Considerations for IPv6
The good news, if this can be considered good, is that when considering the TCP/IP protocol stack, the Internet layer (Open Systems Interconnection [OSI] network layer) is the only difference between IPv4 and IPv6. Therefore, when the transition to IPv6 occurs, the layers above and below IPv6 will remain the same. If your web application is vulnerable to attacks in an IPv4 environment, it will also be vulnerable to attacks when IPv6 is used. This means that the threat and vulnerability landscape is similar between the two protocol stacks.
IPv4 and IPv6 are both datagram protocols, and there are many similarities between the two headers. Both headers still have a version, a quality of service (QoS) marking field, a payload length field, a counter to detect how far the packet has traveled, the value of the next upper-layer protocol, and of course a pair of addresses. Therefore, in general, many types of attacks are similar between IPv4 and IPv6, as listed below. For some attack types, additional information is provided.
• Reconnaissance
  – Not so easy in IPv6 due to the large address space
  – Scanners will make the router trigger NDP, wasting CPU and resources
  – Attack tools exist today (Parasit6, Fakerouter6, Scapy6, others)
• Viruses and worms
  – Scanning will probably use alternative techniques
• Application layer attacks
  – Same implications
  – The peer-to-peer nature of IPv6 augments the problem
• Unauthorized access
• Man-in-the-middle attacks
  – Still a possibility
  – Myth: mandatory IPsec resolves the issue
  – Reality: IPsec is a mandatory part of the stack, but you still have to configure it
• Sniffing or eavesdropping
• Denial of service (DoS) attacks
• Spoofed packets: forged addresses and other fields
  – Still a possibility
  – Bogons (bogus IP addresses) are a reality today
• Attacks against routers and other networking devices
• Attacks against the physical or data link layers
However, there is also some bad news. IPv6 is a bit different, and some threats change accordingly because IPv6 does certain things differently than IPv4. The following is a list of threats that are only slightly modified by IPv6:
• LAN-based attacks (NDP)
• Attacks against DHCP or DHCPv6
• DoS against routers (hop-by-hop extension headers rather than router alerts)
• Fragmentation (IPv4 routers performing fragmentation versus IPv6 hosts using a fragment extension header)
• Packet amplification attacks (IPv4 uses broadcast; IPv6 uses multicast)
As far as the protocol is concerned, IPv6 is no more or less secure than IPv4, but the IPv6 protocol is unique and has its own security considerations. The fields within the IPv6 header that are unique to IPv6 include the flow label and extension headers.
Even though IPv6 does not significantly transform the IP header, there will be attacks unique to IPv6.
Following is a list of threats that are unique to IPv6 networks:
• Reconnaissance and scanning worms: Brute-force discovery is more difficult.
• Attacks against ICMPv6: ICMPv6 is a required component of IPv6.
• Extension header (EH) attacks: EHs need to be accurately parsed.
• Autoconfiguration: NDP attacks are simple to perform.
• Attacks on transition mechanisms: Migration techniques are required by IPv6.
• Mobile IPv6 attacks: Devices that roam are susceptible to multiple vulnerabilities.
• IPv6 protocol stack attacks: Because of the code freshness of IPv6, bugs in the protocol stack exist.
IPv6 introduces the following difficulties or vulnerabilities:
• Training and planning
  – Lack of knowledge and poor planning, even for basic security controls (example: weak ingress filtering, or no filtering at all)
• End nodes are exposed to many threats:
  – Address configuration parameters: rogue configuration parameters
  – Address initialization: denial of address insertion
  – Address resolution: address stealing
  – Default gateway discovery: rogue routers
  – Neighbor reachability tracking: rogue neighbor status
• Header extensions
  – Hosts process routing headers (RH)
  – Header extensions can be exploited (example: the routing header for source routing and reconnaissance)
  – Amplification attacks based on the routing header
The reliance of IPv6 on multicasting and ICMPv6 makes those protocols subject to multiple exploits to implement DoS, man-in-the-middle, and spoofing attacks, such as:
• Multicasting facilitates reconnaissance (example: FF02::1 is all hosts, FF02::2 is all routers).
• ICMPv6 is a vehicle for autoconfiguration, subject to spoofing and multiple exploits.
The built-in tunneling capabilities of IPv6 become a vulnerability when not properly controlled. Tunnels are inherently covert channels that will very likely be passed through by firewalls that do not support IPv6 or do not have a strong IPv6 filtering mechanism. Something similar happens with other network security controls such as intrusion prevention systems (IPS). Tunneling is pervasive and sometimes automatic in IPv6, so it does not take much to initiate an unwanted tunnel that could be invisible to your security controls. As an example, Teredo runs over IPv4 UDP port 41 and could also run over any UDP port. Also, most IPv4/IPv6 transition mechanisms have no authentication built in.
Dual stacking represents another issue. You might think IPv6 is not present in your network, but most operating systems support it and enable it by default. A fully protected IPv4 host can be exploited if IPv6 is a weak link. Specific dual-stacking vulnerabilities include the following:
• IPv6 is on by default in most operating systems. You may have it on and not know that it’s running.
• Applications can be subject to attack on both IPv6 and IPv4.
• The network is only as secure as the least secure stack.
Examples of Possible IPv6 Attacks
In Figure 6-12, the attacker manipulates the routing header to create a traffic loop. DoS attacks can be performed using this feedback loop to consume resources or amplify the packets that are sent to a victim. RH0 packets could be created with a list of embedded IPv6 addresses. The packet would be forwarded to every system in the list before finally being sent to the destination address. If the embedded IPv6 addresses in an RH0 packet were two systems on the Internet listed numerous times, it could cause a type of feedback loop.
Figure 6-12. Traffic Loop from Exploiting Routing Header
In Figure 6-13, the attacker abuses NDP by using a router to amplify a network scan. The router sends Neighbor Solicitation (NS) messages to all the hosts in the LAN segment, using the all-nodes multicast address.
Figure 6-13. Network Scan from Exploiting NDP
By combining multiple techniques, attackers can accomplish stealth attacks that result in trust exploitation and information theft. Figure 6-14 illustrates an attack that combines dual-stacked hosts, which are subject to rogue router advertisements. This type of attack could exploit the routing header (RH) to pivot using multiple hops; and by using automatic tunnels, it could stealthily go through firewalling and IPS sensors.
Figure 6-14. Combo Attack on IPv6
The attacker gains a foothold in the IPv4 network. The compromised host sends rogue router advertisements, triggering unwitting dual-stacked hosts to obtain an IPv6 address. These compromised hosts could trigger an automatic Teredo tunnel, which would go unnoticed by the firewall. The attacker can also use the routing header to pivot around multiple hosts in the internal network before sending traffic out.
The same best current practices for protecting IPv4 networks are still appropriate for IPv6. Standard perimeter security architecture still applies to IPv6 as it does to IPv4. Filtering at the edge and trying to protect the interior are still the order of the day. The network architecture model of core, distribution, and access will still be the way that IPv6 networks are designed. Many of the same protection mechanisms that are used in IPv4 networks will be adapted to work on IPv6. The same operational guidelines and forensic search also apply to IPv6.
The following list summarizes additional guidelines for IPv6 security. Some of these guidelines will be discussed in more detail in other chapters of this book, such as IPv6 access lists in Chapter 8 and IPv6-aware intrusion prevention in Chapter 11, “Intrusion Prevention Systems.”
• Ingress filtering is key:
  – Deny bogon addresses.
  – Filter multicast packets at your perimeter based on their scope.
  – Permit only packets whose destination address is in your allocated block of addresses, a multicast group address, or your link-local address for NDP.
  – Granularly filter ICMPv6 messages at the perimeter (remember, ICMPv6 is needed for protocol operations such as NDP).
  – Drop RH0 packets and unknown extension headers at the perimeter and throughout the interior of the network.
• Favor dual stack as the transition mechanism, but secure each protocol equally.
• Control the use of tunneling:
  – Configure manual tunnels if possible.
  – Do not allow tunnels through the perimeter unless required.
• Consider current and future security enhancements:
  – Secure Neighbor Discovery (SeND), from RFC 3971, adds cryptographic protection to Neighbor Discovery.
  – RA Guard, from RFC 6105, is an alternative and complement to SeND, filtering at Layer 2.
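To make the ingress-filtering guidelines above concrete, here is an added Python classifier (not from the book or Cisco IOS) that applies them to raw IPv6 packets, including walking the extension-header chain to reject RH0 and unknown headers. The allocated block 2001:db8:c18::/48, the policy of accepting only global-scope multicast and only NDP from the adjacent router on the outside link, and the packet-building helpers are assumptions constructed for this example.

```python
import ipaddress
import struct

# Constructed for this example: the block allocated to the site and the
# extension headers the perimeter knows how to parse.
OUR_BLOCK = ipaddress.IPv6Network("2001:db8:c18::/48")
ULA = ipaddress.IPv6Network("fc00::/7")
LINK_SCOPE_MCAST = ipaddress.IPv6Network("ff02::/16")
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts"}
TCP, UDP, ICMPV6 = 6, 17, 58


def ingress_verdict(pkt: bytes) -> str:
    """Classify one raw IPv6 packet arriving on the outside interface as
    'permit' or 'drop: <reason>', applying the chapter's guidelines in order."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop: not IPv6"
    next_hdr = pkt[6]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    # 1. Link-local traffic is accepted only as NDP with the adjacent router.
    if src.is_link_local or dst.is_link_local or dst in LINK_SCOPE_MCAST:
        ndp = src.is_link_local and next_hdr == ICMPV6 and (
            dst.is_link_local or dst in LINK_SCOPE_MCAST)
        return "permit" if ndp else "drop: link-local traffic other than NDP"
    # 2. Bogons and anti-spoofing: sources that must never arrive from outside.
    if (src.is_unspecified or src.is_loopback or src.is_multicast
            or src in ULA or src in OUR_BLOCK):
        return "drop: bogon or spoofed source"
    # 3. Destination must be ours, or multicast of global scope (scope nibble E).
    if dst.is_multicast:
        if dst.packed[1] & 0x0F != 0xE:
            return "drop: multicast scope must not cross the perimeter"
    elif dst not in OUR_BLOCK:
        return "drop: destination not in our block"
    # 4. Walk the extension-header chain: reject RH0 and anything unknown.
    off = 40
    while next_hdr in EXT_HEADERS:
        if off + 8 > len(pkt):
            return "drop: truncated extension header"
        if next_hdr == 43 and pkt[off + 2] == 0:  # byte 2 = Routing Type
            return "drop: routing header type 0"
        nxt, ext_len = pkt[off], pkt[off + 1]
        next_hdr, off = nxt, off + (8 if next_hdr == 44 else (ext_len + 1) * 8)
    if next_hdr not in (TCP, UDP, ICMPV6):
        return "drop: unknown header %d" % next_hdr
    return "permit"


def build_packet(src: str, dst: str, next_hdr: int = TCP, ext: bytes = b"") -> bytes:
    """Constructed 40-byte IPv6 header followed by optional extension headers."""
    fixed = struct.pack("!IHBB", 6 << 28, len(ext), next_hdr, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ext


def rh0_header(next_hdr: int = TCP) -> bytes:
    """Constructed type 0 routing header listing two hops (RFC 2460 layout)."""
    hops = (ipaddress.IPv6Address("2001:db8:c18:1::1").packed
            + ipaddress.IPv6Address("2001:db8:c18:2::1").packed)
    return struct.pack("!BBBB", next_hdr, 4, 0, 2) + b"\x00" * 4 + hops
```

Running the verdict over captured frames on a span port is a quick way to check what a perimeter ACL should be dropping before the ACL is deployed.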
In this chapter, you learned about the need for IPv6. You saw that IPv6 offers more benefits than IPv4, including a larger address space, easier address aggregation, and integrated security.
A review of the IPv6 addressing scheme revealed that IPv6 addresses are 128 bits long, with a 48-bit global prefix, a 16-bit subnet ID, and a 64-bit interface identifier. You saw how EUI-64 addresses are derived from the MAC address. You also saw that network addresses could be assigned statically, through a stateless configuration, or through DHCPv6.
You learned that IPv6 is not automatically enabled on Cisco IOS 12.2(2)T and later; to turn it on, you have to use the ipv6 unicast-routing command, and to assign an IPv6 address to an interface, you have to use the ipv6 address interface command. You also saw that Cisco supports all major IPv6 routing protocols: RIPng, OSPFv3, and EIGRP.
The chapter also discussed the transition from IPv4 to IPv6 using dual stacks, tunneling, and possibly NAT-PT. After the overview of IPv6’s general characteristics, you learned how common and specific threats could affect IPv6, and how to develop and implement a strategy for IPv6 security.
Use the questions here to review what you learned in this chapter. The correct answers are found in the Appendix, “Answers to Chapter Review Questions.”
1. Which global command enables IPv6 on a Cisco router?
a. ipv6 transition
b. ipv6 routing
c. ipv6 unicast-routing
d. ipv6 anycast
2. Which are advantages of IPv6 over IPv4? (Choose two.)
a. Larger address space
b. Complex header
d. Efficient broadcast
3. Which of the following functions is unique to ICMPv6, as compared to ICMPv4?
a. Router discovery
b. Connectivity checks
c. Informational/error messaging
d. Fragmentation requiring notification
4. Which is not a valid IPv6 address?
5. Which IPv6 address types can be acquired automatically by an IPv6 host?
a. Global unicast address
b. Anycast address
c. Multicast address
d. Link-local address
e. All of the above
6. Which IPv6 feature or component, when unprotected, is more likely to result in covert channels that go undetected by firewalls?
a. Routing header
b. 6to4 transition deployments
7. Which IPv4-to-IPv6 transition technology is implemented as a translation mechanism?
a. Dynamic 6to4 tunnels
b. Dual stacking
8. Which two threats result directly from the use of the routing header alone in IPv6? (Choose two.)
a. Denial of service
b. Confidentiality exploits
c. Advanced reconnaissance
d. Worm amplification
9. Which of the following is a valid EUI-64 address for MAC 0021.8661.9D8B?
10. Which of the following is an IPv6 routing protocol?
c. EIGRP for IPv6